IBM QRadar Advanced Configuration
This topic describes the following configuration:
- Create custom correlation notification email templates
- Add email templates to rules
- Check IBM QRadar app logs
- Add new fields to an email template
- XML email template
- Add filters in rules
- Configure retirement policy
- Uninstall the IBM QRadar app
Create custom correlation notification email templates
The IntSights app provides a custom template for Threat Command correlation email. Follow these steps to add a custom email template.
- Use SSH to log in to the QRadar Console as the root user.
- Create a new temporary directory to edit copies of the default files.
- To copy the files that are stored in the custom_alerts directory to the temporary directory, type the following command:
cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.* <directory_name>
Where <directory_name> is the name of the temporary directory that you created.
- Confirm that the files were copied successfully:
- To list the files in the directory, type ls -lah
- Verify that the alert-config.xml file is listed.
- Open the alert-config.xml file for editing.
- Copy the email template from the “XML email template” section and paste it into the alert-config.xml file inside the “<templates>” XML tag.
- (Note: Make sure the indentation and spacing are correct.) The image below shows what the alert-config.xml file should look like after the template has been added.
- Save and close the alert-config.xml file.
- Type “cd ..” to move out of the temporary directory.
- Validate the changes by typing the following command:
/opt/qradar/bin/runCustAlertValidator.sh <directory_name>
Where <directory_name> is the name of the temporary directory that you created.
If the script validates the changes successfully, the following message is displayed: “File alert-config.xml was deployed successfully to staging!”
- Deploy the changes in QRadar.
- Log in to QRadar.
- Navigate to the Admin tab.
- Click Advanced, and then Deploy Full Configuration.
For more information, see: https://www.ibm.com/docs/en/qsip/7.4?topic=notifications-configuring-event-flow-custom-email
Users can modify this email template file to receive extra fields in the email. Follow the steps in “Add new fields to an email template”.
Add email templates to rules
After successfully adding a custom template, follow the below steps to use the created email template.
- In the Log Activity tab, click Rules.
- Find the “IntSights Correlation Alert” rule, and open it.
- Click Next. In the rule response, select the email checkbox and add the email address at which you want to receive emails.
- Make sure that “IntSights Email Template” is selected under templates.
- Selecting the “notify” checkbox delivers the notifications to the QRadar console (top right corner).
- Make sure that the Response Limiter checkbox is unselected, because it limits the number of responses the rule generates. If a limit is set, the rule sends only that number of emails/notifications within the configured time period.
- Now save the rule and enable it. To enable the rule, click the Action tab and then click Enable/Disable.
Check IBM QRadar app logs
The app logs are kept inside the application's Docker container.
- Follow the steps for accessing the Docker container of the IntSights App.
- cd /opt/app-root/store/log (navigates to the log directory)
- ls (lists all log files)
File | Description
---|---
app.log | Logs for the configuration page, the dashboards (except the IOC Overview dashboard), Manual Whitelisting and Investigate
indicators_data_collection.log, ioc_IpAddresses_data_collection.log, ioc_Domains_data_collection.log, ioc_Emails_data_collection.log, ioc_Hashes_data_collection.log, ioc_Urls_data_collection.log | Logs for the collection of IOCs from Threat Command
ioc_correlation.log | Logs for the correlation of Threat Command IOCs with QRadar events
ioc_whitelisting.log | Logs for the whitelisting of an IOC
dashboard_population.log | Logs for fetching the IOC Overview dashboard data
Add new fields to an email template
- First, check whether the field you want to add already exists as a custom event property:
- Click the Admin tab.
- Click Custom Event Properties.
- Search for your property.
- If the property exists, double-click it to open it.
- Make sure the checkbox “Enable for use in Rules, Forwarding Profiles, and Search Indexing” is selected; otherwise the property will not be populated in the email.
- Add the following line to the email template (alert-config.xml) file inside the <body> tag:
<Label> : ${body.CustomProperty("<property-name>")}
Example: To add “Property 1” to the email, add the following line to the alert-config.xml file inside the <body> tag.
Property 1 : ${body.CustomProperty("Property 1")}
- Follow the steps in “Create custom correlation notification email templates” to validate and deploy this email template.
XML email template
<template>
    <templatename>IntSights Email Template</templatename>
    <templatetype>event</templatetype>
    <active>true</active>
    <filename></filename>
    <subject>QRadar Correlation Alert: IntSights App for QRadar</subject>
    <body>
Details of Correlated IOC:
Rule Name: $
IOC Value: ${body.CustomProperty("IOC Value")}
IOC Type: ${body.CustomProperty("IoC Type")}
IOC Severity: ${body.CustomProperty("IoC Severity")}
Matched Log Sources: ${body.CustomProperty("Matched Log Sources")}
IOC Match Count: ${body.CustomProperty("IoC Match Count")}
Last Seen Time: ${body.CustomProperty("Last Seen Date")}
IOC Tags: ${body.CustomProperty("IoC Tags")}
Related Malware: ${body.CustomProperty("Related Malware")}
Threat Actors: ${body.CustomProperty("Related Threat Actors")}
Reporting Feeds: ${body.CustomProperty("Reporting Feeds")}
    </body>
    <from></from>
    <to></to>
    <cc></cc>
    <bcc></bcc>
</template>
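The manual edit described in “Create custom correlation notification email templates”, the field syntax from “Add new fields to an email template” and the template above, carried out in code as an added example (not IntSights or IBM code): it renders the <template> block from (label, custom property) pairs, splices it into a copy of alert-config.xml inside <templates>, and checks that the result still parses before you hand it to runCustAlertValidator.sh. The sample alert-config.xml content is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for the copied alert-config.xml; the real file lives under
# /store/configservices/staging/globalconfig/templates/custom_alerts/
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<templates>
  <template><templatename>Default</templatename><templatetype>event</templatetype>
  <active>true</active><filename></filename><subject>x</subject><body>x</body>
  <from></from><to></to><cc></cc><bcc></bcc></template>
</templates>
"""
# (label, Custom Event Property) pairs taken from the page's XML email template.
FIELDS = [("IOC Value", "IOC Value"), ("IOC Type", "IoC Type"),
          ("IOC Severity", "IoC Severity"), ("Reporting Feeds", "Reporting Feeds")]

def property_line(label, prop):
    """<Label> : ${body.CustomProperty("<property-name>")}; the name must match the
    Custom Event Property exactly, and a double quote would break the expression."""
    if '"' in prop:
        raise ValueError("custom property name cannot contain a double quote")
    return f'{escape(label)} : ${{body.CustomProperty("{escape(prop)}")}}'

def build_template(name, subject, fields):
    """Render a <template> block in the shape of the page's XML email template."""
    body = "\n".join(["Details of Correlated IOC:"] + [property_line(l, p) for l, p in fields])
    return ("  <template>\n"
            f"    <templatename>{escape(name)}</templatename>\n"
            "    <templatetype>event</templatetype>\n    <active>true</active>\n"
            f"    <filename></filename>\n    <subject>{escape(subject)}</subject>\n"
            f"    <body>\n{body}\n    </body>\n"
            "    <from></from>\n    <to></to>\n    <cc></cc>\n    <bcc></bcc>\n"
            "  </template>\n")

def add_template(config_xml, template_xml):
    """Splice the block in just before </templates>, then check that the file still
    parses and that the template name is unique, so the rule wizard shows one entry."""
    name = ET.fromstring(template_xml).findtext("templatename")
    close = config_xml.rfind("</templates>")
    if close < 0:
        raise ValueError("no <templates> element found in alert-config.xml")
    merged = config_xml[:close] + template_xml + config_xml[close:]
    root = ET.fromstring(merged)  # ParseError here means the edit broke the XML
    names = [t.findtext("templatename") for t in root.iter("template")]
    if names.count(name) != 1:
        raise ValueError(f"template {name!r} already exists in alert-config.xml")
    return merged
```

Write the returned text back to the copy in your temporary directory, then run runCustAlertValidator.sh and deploy as described above.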
Add filters in rules
Users can modify the rule so that emails and notifications are sent only under specific conditions. Refer to the example below.
In this example, users are notified only when the severity of the correlated IOC is High. Follow these steps to modify the rule.
- In the Log Activity tab, click Rules.
- Find the rule to which you want to add a severity filter, and open it. For example, IntSights Correlation Alert.
- When the rule wizard opens, search for “when any of these properties match this regular expression” in the search filter.
- Add this rule filter, click “these properties” and select IOC severity (Custom) in the pop-up.
- Click “this regular expression” and type a regular expression as below (without the quotation marks):
- To receive mail only for High severity, type “High”
- To receive mail for multiple severities, type “High|Medium” (or “Low|Medium”, etc.)
- Click Finish and enable the rule.
NOTE: Because this filter takes a regular expression, type it carefully; any spelling mistake will cause the rule not to trigger.
Configure retirement policy
Users can change the time after which elements of a reference set are retired. The default retirement times are:
- File hash - 180 days
- Domain - 90 days
- Email - 90 days
- URL - 60 days
- IP address - 14 days
To change the retirement time, follow these steps:
- From the Admin tab, select Reference Set Management.
- Click the reference set to change.
- Click Edit.
- Under Time to Live of elements, change the time.
- Click Submit.
Uninstall the IBM QRadar app
To uninstall the application, the user needs to perform the following steps.
- From the Admin tab, select Extension Management.
- Select IntSights App For QRadar application.
- Click Uninstall.
NOTE:
- When uninstalling the app:
- All the Custom Event Properties and Dashboards will be removed.
- Only the log sources provided in the bundle will be uninstalled (i.e. IntSights Log Source).
- Removal of reference sets, the log source type, the log source extension and DSM event mappings (including QIDs) is not yet supported by QRadar.
- To remove the IntSights App for QRadar’s reference sets, navigate to Admin -> Reference Set Management and select a reference set from the following list:
- IntSights_IOC_IpAddresses
- IntSights_IOC_Domains
- IntSights_IOC_Hashes
- IntSights_IOC_Emails
- IntSights_IOC_Urls
Click Delete. When the prompt opens, click the “Delete” button. (Note: Make sure no rules are associated with the reference set.)
Repeat for each reference set.
- To remove the IntSights App for QRadar’s event mappings, navigate to Admin -> DSM Editor -> select the “IntSights” log source type and click the “Select” button -> “Event Mappings” tab -> select each event mapping and click the delete icon.
- To remove the IntSights App for QRadar’s log source type, navigate to Admin -> DSM Editor -> select the log source type to be deleted in the pop-up menu (in this case “IntSights”) and click the delete icon.