
QRadar

Administration Guide

 
   

Release 7.0

October 2010

DO18102010-B


http://www.q1labs.com

Q1 Labs Inc. 890 Winter Street Suite 230 Waltham, MA 02451 USA

Copyright © 2010 Q1 Labs, Inc. All rights reserved. Q1 Labs, the Q1 Labs logo, Total Security Intelligence, and QRadar are trademarks or registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks or registered trademarks of their respective holders. The specifications and information contained herein are subject to change without notice.

This Software, and all of the manuals and other written materials provided with the Software, is the property of Q1 Labs Inc. These rights are valid and protected in all media now existing or later developed, and use of the Software shall be governed and constrained by applicable U.S. copyright laws and international treaties. Unauthorized use of this Software will result in severe civil and criminal penalties, and will be prosecuted to the maximum extent under law.

Except as set forth in this Manual, users may not modify, adapt, translate, exhibit, publish, transmit, participate in the transfer or sale of, reproduce, create derivative works from, perform, display, reverse engineer, decompile or dissemble, or in any way exploit, the Software, in whole or in part. Unless explicitly provided to the contrary in this Manual, users may not remove, alter, or obscure in any way any proprietary rights notices (including copyright notices) of the Software or accompanying materials. Q1 Labs Inc. reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of Q1 Labs Inc. to provide notification of such revision or change. Q1 Labs Inc. provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. Specifications of the Software are subject to change without notice.

CONTENTS

ABOUT THIS GUIDE
Audience
Conventions
Technical Documentation
Contacting Customer Support

1 OVERVIEW
About the Interface
Using the Interface
Deploying Changes
Updating User Details
Resetting SIM
About High Availability
Monitoring QRadar Systems with SNMP

2 MANAGING USERS
Managing Roles
Viewing Roles
Creating a Role
Editing a Role
Deleting a Role
Managing User Accounts
Creating a User Account
Editing a User Account
Disabling a User Account
Authenticating Users

3 MANAGING THE SYSTEM
Managing Your License Keys
Updating your License Key
Exporting Your License Key Information
Restarting a System
Shutting Down a System
Configuring Access Settings
Configuring Firewall Access
Configuring Interface Roles
Changing Passwords
Updating System Time

4 MANAGING HIGH AVAILABILITY
Before You Begin
HA Deployment Overview
HA Clustering
Data Storage Strategies
Failovers
Adding an HA Cluster
Editing an HA Cluster
Removing an HA Host
Setting an HA Host Offline
Setting an HA Host Online
Restoring a Failed Host

5 SETTING UP QRADAR
Creating Your Network Hierarchy
Considerations
Defining Your Network Hierarchy
Scheduling Automatic Updates
Scheduling Automatic Updates
Updating Your Files On-Demand
Configuring System Settings
Configuring System Notifications
Configuring the Console Settings

6 MANAGING AUTHORIZED SERVICES
Viewing Authorized Services
Adding an Authorized Service
Revoking Authorized Services
Configuring the Customer Support Service
Dismissing an Offense
Closing an Offense
Adding Notes to an Offense

7 MANAGING BACKUP AND RECOVERY
Managing Backup Archives
Viewing Backup Archives
Importing an Archive
Deleting a Backup Archive
Backing Up Your Information
Scheduling Your Backup
Initiating a Backup
Restoring on a System with the Same IP Address
Restoring to a System with a Different IP Address

8 USING THE DEPLOYMENT EDITOR
About the Deployment Editor
Accessing the Deployment Editor
Using the Editor
Building Your Deployment
Before you Begin
Viewing Deployment Editor Preferences
Building Your Event View
Adding Components
Connecting Components
Forwarding Normalized Events and Flows
Renaming Components
Managing Your System View
Setting Up Managed Hosts
Using NAT with QRadar
Configuring a Managed Host
Assigning a Component to a Host
Configuring Host Context
Configuring an Accumulator
Configuring QRadar Components
Configuring a QFlow Collector
Configuring an Event Collector
Configuring an Event Processor
Configuring the Magistrate
Configuring an Off-site Source
Configuring an Off-site Target

9 MANAGING FLOW SOURCES
About Flow Sources
NetFlow
sFlow
J-Flow
Packeteer
Flowlog File
Napatech Interface
Managing Flow Sources
Adding a Flow Source
Editing a Flow Source
Enabling/Disabling a Flow Source
Deleting a Flow Source
Managing Flow Source Aliases
Adding a Flow Source Alias
Editing a Flow Source Alias
Deleting a Flow Source Alias

10 CONFIGURING REMOTE NETWORKS AND SERVICES
Managing Remote Networks
Default Remote Network Groups
Adding a Remote Networks Object
Editing a Remote Networks Object
Managing Remote Services
Default Remote Service Groups
Adding a Remote Services Object
Editing a Remote Services Object
Using Best Practices

11 CONFIGURING RULES
Viewing Rules
Creating a Custom Rule
Creating an Anomaly Detection Rule
Managing Rules
Enabling/Disabling Rules
Editing a Rule
Copying a Rule
Deleting a Rule
Grouping Rules
Viewing Groups
Creating a Group
Editing a Group
Copying an Item to Another Group(s)
Deleting an Item from a Group
Assigning an Item to a Group
Editing Building Blocks

12 DISCOVERING SERVERS

13 FORWARDING SYSLOG DATA
Adding a Syslog Destination
Editing a Syslog Destination
Delete a Syslog Destination

A Q1 LABS MIB

B ENTERPRISE TEMPLATE
Default Rules
Default Building Blocks

Host Profile Tests
IP/Port Tests
Event Property Tests
Common Property Tests
Log Source Tests
Function - Sequence Tests
Function - Counter Tests
Function - Simple Tests
Date/Time Tests
Network Property Tests
Function - Negative Tests
Flow Rule Tests
Host Profile Tests
IP/Port Tests
Flow Property Tests
Common Property Tests
Function - Sequence Tests
Function - Counters Tests
Function - Simple Tests
Date/Time Tests
Network Property Tests
Function - Negative Tests
Common Rule Tests
Host Profile Tests
IP/Port Tests
Common Property Tests
Functions - Sequence Tests
Function - Counter Tests
Function - Simple Tests
Date/Time Tests
Network Property Tests
Functions Negative Tests
Offense Rule Tests
IP/Port Tests
Function Tests
Date/Time Tests
Log Source Tests
Offense Property Tests
Anomaly Detection Rule Tests
Anomaly Rule Tests
Behavioral Rule Tests
Threshold Rule Tests

D VIEWING AUDIT LOGS
Logged Actions

E EVENT CATEGORIES
High-Level Event Categories
Recon
DoS
Authentication
Access
Exploit
Malware
Suspicious Activity
System
Policy
CRE
Potential Exploit
SIM Audit
VIS Host Discovery
Application
Audit
Risk

F CONFIGURING FLOW FORWARDING FROM PRE-7.0 OFF-SITE FLOW SOURCES
Configuring Flow Forwarding from pre-7.0 Off-site Flow Sources
Adding a QRadar 7.0 Off-Site Target to a Pre-7.0 Off-Site Flow Source
Creating a Pre-7.0 Off-Site Flow Source
Reconfiguring Flow Forwarding from an Upgraded Off-site Flow Sources
Removing the Pre-7.0 Off-Site Flow Source
Reconnecting the Off-site Target
Adding the Off-site Source

INDEX

ABOUT THIS GUIDE

The QRadar Administration Guide provides you with information for managing QRadar functionality requiring administrative access.

Audience

This guide is intended for the system administrator responsible for setting up QRadar in your network. This guide assumes that you have QRadar administrative access and a knowledge of your corporate network and networking technologies.

Conventions

Table 1 lists conventions that are used throughout this guide.

Table 1 Icons

Type - Description

Information note - Information that describes important features or instructions.

Caution - Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.

Warning - Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes directly from the Qmmunity web site at https://qmmunity.q1labs.com/. Once you access the Qmmunity web site, locate the product and software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this guide or any of the Q1 Labs documentation to:

documentation@q1labs.com.

Include the following information with your comments:

Document title

Page number

Contacting Customer Support

To help resolve any issues that you may encounter when installing or maintaining QRadar, you can contact Customer Support as follows:

Log a support request 24/7: https://qmmunity.q1labs.com/support/

To request a new Qmmunity and Self-Service support account, send your request to welcomecenter@q1labs.com. You must provide your invoice number to process your account.

Telephone assistance: 1.866.377.7000.

Forums: Access our Qmmunity Forums to benefit from our customer experiences.

1 OVERVIEW

This chapter provides an overview of QRadar administrative functionality including:

About the Interface

Using the Interface

Deploying Changes

Resetting SIM

Updating User Details

About High Availability

Monitoring QRadar Systems with SNMP

About the Interface

You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab in the QRadar interface. The Admin tab provides access to the following functions:

Manage users. See Chapter 2 Managing Users.

Manage your network settings. See Chapter 3 Managing the System.

Manage high availability. See Chapter 4 Managing High Availability.

Manage QRadar settings. See Chapter 5 Setting Up QRadar.

Manage authorized services. See Chapter 6 Managing Authorized Services.

Backup and recover your data. See Chapter 7 Managing Backup and Recovery.

Manage your deployment views. See Chapter 8 Using the Deployment Editor.

Manage flow sources. See Chapter 9 Managing Flow Sources.

Configure remote networks and remote services. See Chapter 10 Configuring Remote Networks and Services.

Configure rules. See Chapter 11 Configuring Rules.

Discover servers. See Chapter 12 Discovering Servers.

Configure syslog forwarding. See Chapter 13 Forwarding Syslog Data.

Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.

Configure plug-ins. For more information, see the associated documentation.

Configure the QRadar Risk Manager. For more information, see the QRadar Risk Manager Users Guide.

Manage log sources. For more information, see the Log Sources Users Guide.

All configuration updates using the Admin tab are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment.

Using the Interface

The Admin tab provides several tab and menu options that allow you to configure QRadar including:

System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, system notifications, authorized services, backup and recovery, and Console configuration.

Data Sources - Provides access to vulnerability scanners, log source management, custom event and flow properties, and flow sources.

Remote Networks and Services Configuration - Provides access to QRadar remote networks and services.

Plugins - Provides access to plug-in components, such as the plug-in for the QRadar Risk Manager. This option only appears if there are plug-ins installed on your Console.

The Admin tab also includes several menu options including:

Table 2-1 Admin Tab Menu Options

Menu Option > Sub-Menu - Description

Deployment Editor - Opens the deployment editor interface. For more information, see Chapter 8 Using the Deployment Editor.

Deploy Changes - Deploys any configuration changes from the current session to your deployment.

Advanced > Clean SIM Model - Resets the SIM module. See Resetting SIM.

Advanced > Deploy Full Configuration - Deploys all changes.

Deploying Changes

Once you update your configuration settings using the Admin tab, you must save those changes to the staging area. You must then deploy the changes, either manually using the Deploy Changes button or, upon exit, through the window that appears prompting you to deploy changes before you exit. All deployed changes are then applied throughout your deployment.

Using the Admin tab menu, you can deploy changes as follows:

Advanced > Deploy Full Configuration - Deploys all configuration settings to your deployment.

Deploy Changes - Deploys any configuration changes from the current session to your deployment.

Updating User Details

You can access your administrative user details through the main QRadar interface. To access your user information, click Preferences. The User Details window appears. You can update your administrative user details, if required.

Note: For information about the pop-up notifications, see the QRadar Users Guide.

Resetting SIM

Using the Admin tab, you can reset the SIM module, which allows you to remove all offenses, source IP address, and destination IP address information from the database and the disk. This option is useful after tuning your deployment to avoid receiving any additional false positive information.

To reset the SIM module:

Step 1

Click the Admin tab.

Step 2

From the Advanced menu, select Clean SIM Model.

The Reset SIM Data Module window appears.


Step 3

Read the information in the window.

Step 4

Select one of the following options:

Soft Clean - Closes all offenses in the database. If you select the Soft Clean option, you can also select the Deactivate all offenses check box.

Hard Clean - Purges all current and historical SIM data including offenses, source IP addresses, and destination IP addresses.

Step 5

If you want to continue, select the Are you sure you want to reset the data model? check box.

Step 6

Click Proceed.

A message appears indicating that the SIM reset process has started. This process may take several minutes, depending on the amount of data in your system.

Step 7

Click Close.

Step 8

Once the SIM reset process is complete, reset your browser.


Note: If you attempt to navigate to other areas of the user interface during the SIM reset process, an error message appears.

About High Availability

The High Availability (HA) feature ensures availability of QRadar data in the event of a hardware or network failure. Each HA cluster consists of a primary host and a standby secondary host. The secondary host maintains the same data as the primary host by either replicating the data on the primary host or accessing a shared external storage. At regular intervals, every 10 seconds by default, the secondary host sends a heartbeat ping to the primary host to detect hardware or network failure. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host.

Note: HA is not supported in an IPv6 environment.

For more information about managing HA clusters, see Chapter 4 Managing High Availability.

Monitoring QRadar Systems with SNMP

QRadar supports the monitoring of our appliances through SNMP polling. QRadar uses the Net-SNMP agent, which supports a variety of system resource monitoring MIBs that can be polled by Network Management solutions for the monitoring and alerting of system resources. For more information on Net-SNMP, refer to Net-SNMP documentation.


2 MANAGING USERS

You can add or remove user accounts for all users that you want to access QRadar. Each user is associated with a role, which determines the privileges the user has to functionality and information within QRadar. You can also restrict or allow access to areas of the network.

This chapter provides information on managing QRadar users including:

Managing Roles

Managing User Accounts

Authenticating Users

Managing Roles

You must create a role before you can create user accounts. By default, QRadar provides a default administrative role, which provides access to all areas of QRadar. A user that is assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any desired changes.

Using the Admin tab, you can:

View existing user roles. See Viewing Roles.

Create a role. See Creating a Role.

Edit a role. See Editing a Role.

Delete a role. See Deleting a Role.

Viewing Roles

To view roles:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

In the User Management section, click the User Roles icon.

The Manage Roles window appears.


The Manage Roles window provides the following information:

Table 3-1 Manage Roles Parameters

Parameter - Description

Role - Specifies the defined user role.

Log Sources - Specifies the log sources you want this role to access. This allows you to restrict or grant access for users assigned to the role to view logs, events, and offense data received from assigned security and network log sources or log source groups.
For non-administrative users, this column indicates a link that allows an administrative user to edit the permissions for the role. For more information on editing a user role, see Editing a Role.
To view the list of log sources that have been assigned to this role, move your mouse over the text in the Log Sources column.

Associated Users - Specifies the users associated with this role.

Action - Allows you to edit or delete the user role.

Creating a Role

To create a role:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the User Roles icon.

The Manage User Roles window appears.

Step 4

Click Create Role.

The Manage Role Permissions window appears.

Step 5 Enter values for the parameters. You must select at least one permission to proceed.

Table 3-2 Create Roles Parameters

Parameter - Description

Role Name - Specify the name of the role. The name can be up to 15 characters in length and must only contain integers and letters.

Admin - Select the check box if you want to grant this user administrative access to the QRadar interface. Within the administrator role, you can grant additional access to the following:
Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
System Administrator - Select this check box if you want to allow users access to all areas of QRadar. Users with this access are not able to edit other administrator accounts.
Remote Networks and Services Configuration - Select this check box if you want to allow users the ability to configure remote networks and services in the Admin interface.

Offenses - Select the check box if you want to grant this user access to the Offenses interface. Within the Offenses interface functionality, you can grant additional access to the following:
Customized Rule Creation - Select the check box if you want to allow users to create custom rules.
Assign Offenses to Users - Select the check box if you want to allow users to assign offenses to other users.
For more information on the Offenses interface, see the QRadar Users Guide.

Log Activity - Select the check box if you want this user to have access to the Log Activity interface. Within the Log Activity role, you can also grant users additional access to the following:
Event Search Restrictions Override - Select the check box if you want to allow users the ability to override event search restrictions.
Manage Time Series - Select the check box if you want to allow users the ability to configure and view time series data charts.
Customized Rule Creation - Select the check box if you want to allow users to create rules using the Log Activity interface.
User Defined Event Properties - Select the check box if you want to allow users the ability to create user-defined event properties.
For more information on the Log Activity interface, see the QRadar Users Guide.

Assets - Select the check box if you want to grant this user access to Asset Management functionality. Within the Asset Management functionality, you can grant additional access to the following:
Remove Vulnerabilities - Select the check box if you want to allow users to remove vulnerabilities from assets.
Server Discovery - Select the check box if you want to allow users the ability to discover servers.
View VA Data - Select the check box if you want to allow users access to vulnerability assessment data.
Perform VA Scans - Select the check box if you want to allow users to perform vulnerability assessment scans.

Network Activity - Select the check box if you want to grant this user access to Network Activity functionality. Within the Network Activity functionality, you can grant additional access to the following:
View Flow Content - Select the check box if you want to allow users access to data accessed through the View Flow function.
Manage Time Series - Select the check box if you want to allow users the ability to configure and view time series data charts.
Customized Rule Creation - Select the check box if you want to allow users to create rules using the Log Activity interface.
User Defined Flow Properties - Select the check box if you want to allow users the ability to create user-defined flow properties.
For more information, see the QRadar Users Guide.

Reports - Select the check box if you want to grant this user access to Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following:
Maintain Templates - Select the check box if you want to allow users to maintain reporting templates.
Distribute Reports via Email - Select the check box if you want to allow users to distribute reports through e-mail.
For more information, see the QRadar Users Guide.

IP Right Click Menu Extensions - Select the check box if you want to grant this user access to options added to the right mouse button (right-click) menu.

Risks - This option is only available if the QRadar Risk Manager is activated. Select the check box if you want to grant users access to QRadar Risk Manager functionality.
For more information, see the QRadar Risk Manager Users Guide.

Step 6

Click Next.

Step 7

Choose one of the following options:

a If you selected a role that includes Log Activity permissions, go to Step 8.

b If you selected a role that does not include Log Activity permissions, go to Step 10.

The Add Log Sources to User Role window appears.

Step 8

Select the log sources you want to add to the user role:

a Using the Log Source Group drop-down list box, select a log source group.

b From the Log Source list, locate and select the log source(s) you want users assigned to this role to access.

Hint: You can add an entire log source group by clicking the icon in the Log Source Group section. You can also select multiple log sources by holding the CTRL key while you select each log source you want to add.

c Click the icon.

The selected log source(s) moves to the Selected Log Source Objects field.

Step 9

Click Next.

A confirmation message appears.

Step 10

Click Return.

Step 11

Close the Manage Roles window.

The Admin tab appears.

Step 12

From the Admin tab menu toolbar, click Deploy Changes.


Editing a Role

To edit a role:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

In the User Management section, click the User Roles icon.

The Manage Role window appears.

Step 4

For the role you want to edit, click the edit icon.

The Manage Role Permissions window appears.

Step 5

Update the permissions (see Table 3-2), as necessary.

Step 6

Click Next.

Step 7

Choose one of the following options:

a If you are editing a role that includes Events permissions, go to Step 8.

b If you are editing a role that does not include Events permissions, go to Step 11.

The Add Log Sources to User Role window appears.

Step 8

Update log source permissions, as desired:

 

a To remove a log source permission, select the log source(s) in the Selected Log Source Objects field that you want to remove. Click Remove Selected Devices.

b To add a log source permission, select an object you want to add from the left panel.

Step 9

Repeat for all log sources you want to edit for this role.

Step 10

Click Next.

Step 11

Click Return.

Step 12

Click Save.


Step 13

Close the Manage User Roles window.

The Admin tab appears.

Step 14

From the Admin tab menu, click Deploy Changes.

Deleting a Role

To delete a role:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

In the User Management section, click the User Roles icon.

The Manage Roles window appears.

Step 4

For the role you want to delete, click the delete icon.

A confirmation window appears.

Step 5

Click Ok.

Step 6

From the Admin tab menu, click Deploy Changes.

Managing User Accounts

You can create a QRadar user account, which allows a user to access selected network components using the QRadar interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges.

You can create and edit user accounts to access QRadar including:

Creating a User Account

Editing a User Account

Disabling a User Account

Creating a User Account

To create an account for a QRadar user:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the Users icon.

The Manage Users window appears.

Step 4

In the Manage Users area, click Add.

The User Details window appears.


Step 5

Enter values for the following parameters:

Table 3-3 User Details Parameters

Parameter - Description

Username - Specify a username for the new user. The username must not include spaces or special characters.

Password - Specify a password for the user to gain access. The password must be at least five characters in length.

Confirm Password - Re-enter the password for confirmation.

Email Address - Specify the user’s e-mail address.

Role - Using the drop-down list box, select the role you want this user to assume. For information on roles, see Managing Roles. If you select Admin, this process is complete.

Step 6

Click Next.

Step 7

Choose one of the following options:

a If you select Admin as the user role, go to Step 10.

b If you select a non-administrative user role, go to Step 8. The Selected Network Objects window appears.

Step 8

From the menu tree, select the network objects you want this user to be able to monitor.

The selected network objects appear in the Selected Network Object panel.

Step 9

Click Finish.

Step 10

Close the Manage Users window.

The Admin interface appears.

Editing a User Account

To edit a user account:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the Users icon.

The Manage Users window appears.

Step 4

In the Manage Users area, click the user account you want to edit.

The User Details window appears.

Step 5

Update values (see Table 3-3), as necessary.

Step 6

Click Next.

If you are editing a non-administrative user account, the Selected Network Objects window appears. If you are editing an administrative user account, go to Step 10.

Step 7

From the menu tree, select the network objects you want this user to access.

The selected network objects appear in the Selected Network Object panel.


Step 8

For all network objects you want to remove access, select the object from the Selected Network Objects panel. Click Remove.

Step 9

Click Finish.

Step 10

Close the Manage Users window.

The Admin tab appears.

Disabling a User Account

To disable a user account:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the Users icon.

The Manage Users window appears.

Step 4

In the Manage Users area, click the user account you want to disable.

The User Details window appears.

Step 5

In the Role drop-down list box, select Disabled.

Step 6

Click Next.

Step 7

Close the Manage Users window.

The Admin tab appears. This user no longer has access to the QRadar interface. If this user attempts to log in to QRadar, the following message appears: This account has been disabled.

After you delete a user, items such as saved searches, reports, and assigned offenses remain associated with the deleted user.

Authenticating Users

You can configure authentication to validate QRadar users and passwords.

QRadar supports the following user authentication types:

System Authentication - Users are authenticated locally by QRadar. This is the default authentication type.

RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar encrypts the password only, and forwards the username and password to the RADIUS server for authentication.

TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, QRadar encrypts the username and password, and forwards this information to the TACACS server for authentication.

LDAP/Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.


If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the authentication type, you must:

Configure the authentication server before you configure authentication in QRadar.

Make sure the server has the appropriate user accounts and privilege levels to communicate with QRadar. See your server documentation for more information.

Make sure the time of the authentication server is synchronized with the time of the QRadar server. For more information on setting QRadar time, see Chapter 5 Setting Up QRadar.

Make sure all users have appropriate user accounts and roles in QRadar to allow authentication with the third-party servers.

Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring Console settings for authentication, see Chapter 5 Setting Up QRadar - Configuring the Console Settings.

An administrative user can access QRadar through a third-party authentication module or by using the local QRadar Admin password. The QRadar Admin password still functions if you have set up and activated a third-party authentication module; however, you cannot change the QRadar Admin password while the authentication module is active. If you want to change the QRadar Admin password, you need to temporarily disable the third-party authentication module, reset the password, and then reconfigure the third-party authentication module.

To configure authentication:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the Authentication icon.

The Authentication window appears.


Step 4

From the Authentication Module drop-down list box, select the authentication type you want to configure.

Step 5

Configure the selected authentication type:


a If you selected System Authentication, go to Step 6.

b If you selected RADIUS Authentication, enter values for the following parameters:

Table 3-4 RADIUS Parameters

Parameter - Description

RADIUS Server - Specify the hostname or IP address of the RADIUS server.

RADIUS Port - Specify the port of the RADIUS server.

Authentication Type - Specify the type of authentication you want to perform. The options are:

- CHAP (Challenge Handshake Authentication Protocol) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.

- MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.

- ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.

- PAP (Password Authentication Protocol) - Sends clear text between the user and the server.

Shared Secret - Specify the shared secret that QRadar uses to encrypt RADIUS passwords for transmission to the RADIUS server.

c If you selected TACACS Authentication, enter values for the following parameters:

Table 3-5 TACACS Parameters

Parameter - Description

TACACS Server - Specify the hostname or IP address of the TACACS server.

TACACS Port - Specify the port of the TACACS server.

Authentication Type - Specify the type of authentication you want to perform. The options are:

- ASCII

- PAP (Password Authentication Protocol) - Sends clear text between the user and the server.

- CHAP (Challenge Handshake Authentication Protocol) - Establishes a PPP connection between the user and the server.

- MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.

- MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.

- EAPMD5 (Extensible Authentication Protocol using MD5 Protocol) - Uses MD5 to establish a PPP connection.

Shared Secret - Specify the shared secret that QRadar uses to encrypt TACACS passwords for transmission to the TACACS server.

d If you selected LDAP/Active Directory, enter values for the following parameters:

Table 3-6 LDAP/Active Directory Parameters

Parameter - Description

Server URL - Specify the URL used to connect to the LDAP server. For example, ldap://<host>:<port>

LDAP Context - Specify the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.

LDAP Domain - Specify the domain you want to use, for example q1labs.inc.

Step 6 Click Save.


3 MANAGING THE SYSTEM

This chapter provides information for managing your system including:

Managing Your License Keys

Restarting a System

Shutting Down a System

Configuring Access Settings

Managing Your License Keys

For your QRadar Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System and License Management window, which you can access using the Admin tab. This window provides the status of the license key for each system (host) in your deployment including:

Valid - The license key is valid.

Expired - The license key has expired. To update your license key, see Updating your License Key.

Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you want to use the Console license for any system in your deployment, click Revert to Console in the Manage License window. The license for that system will default to the Console license key.

A license key allows a certain number of log sources to be configured in your system. If you exceed the limit of configured log sources, as established by the license key, an error message appears in the interface. To extend the number of log sources allowed, contact your sales representative.

This section provides information on managing your license keys including:

Updating your License Key

Exporting Your License Key Information

Updating your License Key

For your QRadar Console, a default license key provides you with access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:

For a new or updated license key, contact your local sales representative.

For all other technical issues, contact Q1 Labs Customer Support.

If you log in to QRadar and your Console license key has expired, you are automatically directed to the System and License Management window. You must update the license key before you can continue. However, if one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System and License Management window to update that license key.

To update your license key:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears providing a list of all hosts in your deployment.


Step 4

Select the host for which you want to view the license key.

Step 5

From the Actions menu, select Manage License.

The Current License Details window appears providing the current license key limits. If you want to obtain additional licensing capabilities, please contact your sales representative.


Step 6

Click Browse beside the New License Key File field and locate the license key.

Step 7

Once you locate and select the license key, click Open.

The Current License Details window appears.

Step 8

Click Save.

Step 9

In the System and License Management window, click Deploy License Key.


Note: If you want to revert back to the previous license key, click Revert to Deployed. If you revert to the license key used by the QRadar Console system, click Revert to Console.

The license key information is updated in your deployment.

Exporting Your License Key Information

To export your license key information for all systems in your deployment:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears providing a list of all hosts in your deployment.

Step 4

Select the system that includes the license you want to export.

Step 5

From the Actions menu, select Export Licenses.

The export window appears.

Step 6

Select one of the following options:

Open with - Opens the license key data with the selected application.

Save File - Allows you to save the file to your desktop.

Step 7

Click OK.

Restarting a System

To restart a QRadar system:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.

Step 4

Select the system you want to restart.

Step 5

From the Actions menu, select Restart System.

Note: Data collection stops while the system is shutting down and restarting.

Shutting Down a System

To shut down a QRadar system:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.


Step 4

Select the system you want to shut down.

Step 5

From the Actions menu, select Shutdown.

Note: Data collection stops while the system is shutting down.


Configuring Access Settings

The System and License Management window provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:

Firewall access. See Configuring Firewall Access.

Update your host set-up. See Updating Your Host Set-up.

Configure the interface roles for a host. See Configuring Interface Roles.

Change password to a host. See Changing Passwords.

Update the system time. See Updating System Time.

Configuring Firewall Access

You can configure local firewall access to enable communications between devices and QRadar. Also, you can define access to the web-based system administration interface.

To enable QRadar managed hosts to access specific devices or interfaces:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.

Step 4

Select the host for which you want to configure firewall access settings.

Step 5

From the Actions menu, select Manage System.

Step 6

Log in to the System Administration interface. The default is:

Username: root

Password: <your root password>

Note: The username and password are case sensitive.

Step 7

From the menu, select Managed Host Config > Local Firewall.

The Local Firewall window appears.

Step 8

In the Device Access box, you must include any QRadar systems you want to have access to this managed host. Only managed hosts listed will have access. For example, if you only enter one IP address, only that one IP address will be granted access to the managed host. All other managed hosts are blocked.

To configure access:

a In the IP Address field, enter the IP address of the managed host you want to have access.

b From the Protocol list box, select the protocol you want to enable access for the specified IP address and port:

- UDP - Allows UDP traffic.

- TCP - Allows TCP traffic.

- Any - Allows any traffic.

c In the Port field, enter the port on which you want to enable communications.

Note: If you change your External Flow Source Monitoring Port parameter in the QFlow Configuration, you must also update your firewall access configuration.

d Click Allow.

Step 9

In the System Administration Web Control box, enter the IP address(es) of managed host(s) that you want to allow access to the web-based system administration interface in the IP Address field. Only IP addresses listed will have access to the interface. If you leave the field blank, all IP addresses will have access. Click Allow.

Note: Make sure you include the IP address of your client desktop you want to use to access the interface. Failing to do so may affect connectivity.

Step 10

Click Apply Access Controls.

Step 11

Wait for the interface to refresh before continuing.
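The following added example (not part of the Q1 Labs guide and not QRadar code) models the two access lists described in this procedure so a planned configuration can be checked before you click Apply Access Controls. The class and function names, addresses and ports are constructed; treating Any as "either protocol on the listed port" is an assumption.

```python
"""Pre-apply check for the Local Firewall lists described in this procedure."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRule:
    """One Device Access entry: IP Address, Protocol (UDP/TCP/Any), Port."""
    ip: str
    protocol: str
    port: int


def device_access_allowed(rules, src_ip: str, protocol: str, port: int) -> bool:
    """Only listed hosts get access; everything else is blocked."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ipaddress.ip_address(rule.ip) != src or rule.port != port:
            continue
        # Assumption: "Any" matches both TCP and UDP on the listed port.
        if rule.protocol.upper() in ("ANY", protocol.upper()):
            return True
    return False


def web_control_allowed(allowed_ips, src_ip: str) -> bool:
    """A blank System Administration Web Control list admits every address."""
    if not allowed_ips:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(ipaddress.ip_address(ip) == src for ip in allowed_ips)


def audit_plan(rules, web_ips, managed_hosts, admin_desktop: str):
    """Return findings for a planned configuration (empty list = no findings)."""
    findings = []
    if not web_ips:
        # Blank field: the administration interface is reachable from anywhere.
        findings.append("web-control-open")
    elif not web_control_allowed(web_ips, admin_desktop):
        # The note in the procedure: omit your desktop and you lose access.
        findings.append(f"admin-desktop-locked-out:{admin_desktop}")
    listed = {ipaddress.ip_address(rule.ip) for rule in rules}
    for host in managed_hosts:
        if ipaddress.ip_address(host) not in listed:
            # Hosts without a Device Access entry are blocked once applied.
            findings.append(f"managed-host-blocked:{host}")
    return findings


if __name__ == "__main__":
    # Constructed plan: two Device Access entries, blank Web Control list.
    plan = [DeviceRule("10.0.0.5", "TCP", 32006),
            DeviceRule("10.0.0.6", "Any", 514)]
    for finding in audit_plan(plan, [], ["10.0.0.5", "10.0.0.7"], "192.0.2.10"):
        print(finding)
```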

Updating Your Host Set-up

You can use the web-based system administration interface to configure the mail server you want QRadar to use and the global password for QRadar configuration:

To configure your host set-up:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.

Step 4

Select the host for which you want to update your host setup settings.

Step 5

From the Actions menu, select Manage System.

Step 6

Log in to the System Administration interface. The default is:


Username: root

Password: <your root password>

Note: The username and password are case sensitive.

Step 7

From the menu, select Managed Host Config > QRadar Setup.

The QRadar Setup window appears.

Step 8

In the Mail Server field, specify the address for the mail server you want QRadar to use. QRadar uses this mail server to distribute alerts and event messages. To use the mail server provided with QRadar, enter localhost.

Step 9

In the Enter the global configuration password field, enter the password you want to use to access the host. Confirm the entered password.

Note: The global configuration password does not accept special characters. The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.

Step 10

Click Apply Configuration.

Configuring Interface Roles

You can assign specific roles to the network interfaces on each managed host.

To assign roles:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.

Step 4

Select the host for which you want to configure interface role settings.

Step 5

From the Actions menu, select Manage System.

Step 6

Log in to the System Administration interface. The default is:

Username: root

Password: <your root password>

Note: The username and password are case sensitive.

Step 7

From the menu, select Managed Host Config > Network Interfaces.

The Network Interfaces window appears with a list of each interface on your managed host.

Note: For assistance with determining the appropriate role for each interface, contact Q1 Labs Customer Support.


Step 8

For each interface listed, select the role you want to assign to the interface using the Role list box.

Step 9

Click Save Configuration.

Step 10

Wait for the interface to refresh before continuing.

Changing Passwords

To change the passwords:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.

Step 4

Select the host for which you want to configure interface role settings.

Step 5

From the Actions menu, select Manage System.

Step 6

Log in to the System Administration interface. The default is:

Username: root

Password: <your root password>

Note: The username and password are case sensitive.

Step 7

From the menu, select Managed Host Config > Root Password.

The Root Passwords window appears.

Step 8

Update the passwords:

Note: Make sure you record the entered values. The root password does not accept the following special characters: apostrophe ('), dollar sign ($), exclamation mark (!).

New Root Password - Specify the root password necessary to access the web-based system administration interface.

Confirm New Root Password - Re-enter the password for confirmation.

Step 9

Click Update Password.

Updating System Time

You are able to change the time for the following options:

System time

Hardware time

Time Zone

Time Server

Note: All system time changes must be made within the System Time window. You must change the system time information on the host operating the Console only. The change is then distributed to all managed hosts in your deployment.

You can configure time for your system using one of the following methods:

Configuring Your Time Server Using RDATE

Manually Configuring Time Settings For Your System

Configuring Your Time Server Using RDATE

To update the time settings using RDATE:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.

Step 4

Select the host for which you want to configure system time settings.


Step 5

From the Actions menu, select Manage System.

Step 6

Log in to the System Administration interface. The default is:


Username: root

Password: <your root password>

Note: The username and password are case sensitive.

Step 7

From the menu, select Managed Host Config > System Time.

The System Time window appears.

Step 8

Configure the time zone:

a Click Change time zone.

The Time Zone window appears.

b Using the Change timezone to drop-down list box, select the time zone in which this managed host is located.

c Click Save.

Step 9

Configure the time server:

a Click Time server sync.

The Time Server window appears.


b Configure the following parameters:

Table 4-1 Time Server Parameters

Parameter - Description

Timeserver hostnames or addresses - Specify the time server hostname or IP address.

Set hardware time too - Select the check box if you want to set the hardware time as well.

Synchronize on schedule? - Specify one of the following options:

- No - Select the option if you do not want to synchronize the time. Go to c.

- Yes - Select the option if you want to synchronize the time.

Simple Schedule - Specify if you want the time update to occur at a specific time. If not, select the Run at times selected below option.

Times and dates are selected below - Specify the time you want the time update to occur.

c Click Sync and Apply.


Manually Configuring Time Settings For Your System

To update the time settings for your system:

Step 1

Click the Admin tab.

Step 2

In the navigation menu, click System Configuration.

The System Configuration panel appears.

Step 3

Click the System and License Management icon.

The System and License Management window appears.

Step 4

Select the host for which you want to configure system time settings.

Step 5

From the Actions menu, select Manage System.

Step 6

Log in to the System Administration interface. The default is:

Username: root

Password: <your root password>

Note: The username and password are case sensitive.

Step 7

From the menu, select Managed Host Config > System Time.

The System Time window appears.

Caution: The time settings window is divided into two sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.

Step 8

Click Set time.

Step 9

Set the system time:


a Choose one of the following options:

- In the System Time box, specify the current date and time you want to assign to the managed host.

- Click Set system time to hardware time.

b Click Apply.

The Hardware Time window appears.


Step 10

Set the hardware time:

a Choose one of the following options:

- In the Hardware Time box, specify the current date and time you want to assign to the managed host.

- Click Set hardware time to system time.

b Click Save.

Step 11

Configure the time zone:

a Click Change time zone.

The Time Zone window appears.


b Using the Change Timezone To drop-down list box, select the time zone in which this managed host is located.

c Click Save.


4 MANAGING HIGH AVAILABILITY

The High Availability (HA) feature ensures QRadar data remains available in the event of a hardware or network failure. To achieve HA, QRadar pairs a primary appliance with a secondary HA appliance to create an HA cluster. The HA cluster uses several monitoring functions, such as a heartbeat ping between the primary and secondary appliances, and network connectivity monitoring to other appliances in the QRadar deployment. The secondary host maintains the same data as the primary host by one of two methods: data synchronization between the primary and secondary appliances or shared external storage. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host.

Scenarios that cause failover include:

Network failure, as detected by network connectivity testing

Management interface failure on the primary host

Complete Redundant Array of Independent Disks (RAID) failure on the primary host

Power supply failure

Operating system malfunction that delays or stops the heartbeat ping

Note: Heartbeat messages do not monitor specific QRadar processes.

Note: You can manually force a failover from a primary host to a secondary host. This is useful for planned maintenance on the primary host. For more information about manually forcing a failover, see Setting an HA Host Offline.

This chapter provides information for configuring and managing HA, including:

Before You Begin

HA Deployment Overview

Adding an HA Cluster

Editing an HA Cluster

Setting an HA Host Offline

Setting an HA Host Online

Restoring a Failed Host


Before You Begin

Before adding an HA cluster, confirm the following:

Note: For more information about HA concepts, such as HA clustering and data storage strategies, see HA Deployment Overview.

If you plan to enable disk replication (see Disk Synchronization), we require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps).

Virtual LAN (VLAN) routing, which divides a physical network into multiple subnets, is not recommended.

The secondary host is located on the same subnet as the primary host.

The new primary host IP address is set up on the same subnet.

The management interface only supports one Cluster Virtual IP address. Multihoming is not supported.

The secondary host you want to add must have a valid HA activation key.

The secondary host must use the same mana