QRadar Domains and Tenants - OpenMic - October 2018 PDF
A discussion about domains and tenants, how they work, when to contact support,
tips and other helpful information for QRadar administrators.
https://ibm.biz/JoinQRadarOpenMic
Please Note:
IBM’s statements regarding its plans, directions, and intent are subject to
change or withdrawal without notice at IBM’s sole discretion.
2 IBM Security
Announcements
• QRadar 7.3.1 Patch 6 Interim Fix 02 was just released. This update
resolved four issues reported by administrators.
• The QRadar Risk Manager team released a new adapter bundle.
- F5 BIG-IP version support increased to version 13.1.
- Palo Alto PAN-OS version support increased to version 8.1.
- Check Point HTTPS adapter now supports discovery and backup via Domain Management Server.
• A new script was posted to IBM Fix Central for an error related to a
manifest issue that some users are hitting.
If customers continue to see this error message, they should try to
run a manual auto update after October 25. If the issue persists,
post in the forums (https://ibm.biz/qradarforums) or open a case so we can
review (https://ibm.com/mysupport).
• The November Open Mic topic is User Behavior Analytics v3.0.
Let’s talk about domains and tenants
• About domains
• Where are domains used in QRadar?
• Where does domain tagging occur?
About domains in QRadar
Domain tags in QRadar are added to events as they come through the event pipeline. The tags
themselves are metadata added to the original event as the data is processed in the event
pipeline.
[Figure: two example domains with overlapping address space. Yellow Division: 10.10.0.0/16 and
192.168.5.0/24. Blue Division: 10.10.20.0/24 and 192.168.0.0/16.]
Where are domains used in QRadar?
Where are domains not available currently?
Where does domain tagging occur in the event pipeline?
[Figure: event pipeline diagram. Stages in order: Parsing, Traffic analysis, Device Support
Module, Log Source Extensions, Obfuscation, Custom Properties, Domain Tagging, Coalescing,
Routing Rules.]
Questions answered along the pipeline: Is it a known event? How to parse it? Apply extensions?
Obfuscate the data? Are there custom properties? What domain tags are required?
Domain tagging outcomes: Domain A, Domain B, or Default (undefined).
Pipeline services: ecs-ec-ingress, ecs-ec, ecs-ep, magistrate.
Appliance types: QRadar All-in-One (31xx/21xx), Event Collector (15xx), Event Processor (16xx),
Flow Processor (17xx), Combination Event/Flow Processor (18xx).
Precedence Order for Evaluating Domain Criteria (Events)
[Figure: precedence table; labels recovered from the slide are given in parentheses]
1. Network Hierarchy
2. Log Source (log source defined but value does not match: n/a)
3. Log Source Group (n/a)
4. Event Collector (A, B, C)
Domain Support - Assets
Domains are now present throughout QRadar SIEM and can be utilized in the following areas
1. Network Hierarchy
2. Assets
Assets are created based on domain values derived from
- Events
- Flows, or
- Scan data
Domain Support - Searches
Domains are now present throughout QRadar SIEM and can be utilized in the following areas
1. Network Hierarchy
2. Assets
3. Searches
Input Sources for domain classification
• Events
• Custom Event Properties
• Log Sources
• Log Source Groups
• Event Collectors
• Flows
• Scanners
Domain Definition – Events – Based on Custom Event Property
Domain Definition – Events – Based on Log Source
Domain Definition – Events – Based on Log Source Group
Domain Definition – Events – Based on Event Collector
Domain Definition – Flows – Based on Flow Source
Domain Definition – Vulnerabilities – Based on Scanner
Example: Import Scan Results from Nessus
Domain rules
[Figure: where domain rules are evaluated in the pipeline. Components shown: Custom Rules
Engine, Host Profiler, Storage & Indexing, Realtime Streaming. Services: ecs-ec-ingress,
ecs-ec, ecs-ep, magistrate. Appliance types: QRadar All-in-One (31xx/21xx), Event Processor
(16xx), Flow Processor (17xx), Combination Event/Flow Processor (18xx).]
Rules - Domain Unaware Rules
Apply (Rule name) on events which are detected by the Local system
and when BB:GenericAuthentication match at least 5 times in 5 minutes
Rules - Single Domain Rules
Apply (Rule name) on events which are detected by the Local system
and when BB:GenericAuthentication match at least 5 times in 5 minutes
and when the domain is one of the following Domain B
Rules - Multiple Domain Rules
Apply (Rule name) on events which are detected by the Local system
and when BB:GenericAuthentication match at least 5 times in 5 minutes
and when the domain is one of the following Domain A, Domain B
Rules - Shared Data Rules
Apply (Rule name) on events which are detected by the Local system
and when BB:GenericAuthentication match at least 5 times in 5 minutes
and when the domain is one of the following Shared data
Tenants
• About tenants
• Creating tenants
• Assigning tenants
• Retention buckets for tenants
About Multi Tenancy in QRadar
Tenants are subsets of a domain in QRadar and allow specific controls for the tenants within the
assigned domain.
• Manage network hierarchy for a tenant
• Apply license restrictions
• Create retention areas for specific tenant data
[Figure: one QRadar appliance serving two tenants, Yellow Bank and Blue Bank]
Tenant Management: About custom properties
Can tenants create custom properties, and should they?
Delegated administrators can create custom properties; however, they cannot select
'Parse in advance for rules, reports, and searches'.
Why?
This is intentional as improperly written or
very complex custom properties can impact
the overall pipeline for all users. Tenants
should not create issues for other tenants that
happen to share an appliance.
Tenant Management: Create new tenants
Creating a tenant does not require a deploy in QRadar.
If a tenant goes too far above its license, or the queue is full due to processing overload,
the event can be dropped. This is logged as:
[Tenant:<tenantID>:<tenantName>] Event dropped while attempting to add to Tenant
Event Throttle queue. The Tenant Event Throttle queue is full.
Tenant Management: Assign domains to tenants
Tenant Management: Define Retention Periods
Each tenant can have separate retention buckets
• Retention buckets for tenants are stored in
/store/ariel/events/payloads/aux/<tenantID>/
/store/ariel/events/records/aux/<tenantID>/
Domains and Security Profiles
Users are assigned to domains through Security Profiles
Assigned Domains
• Add a list of domains
A user of this profile will have access to
these domains.
All Domains
• Can see all active domains within the
system, as well as the default domain
and any domains that were previously
deleted across the entire system
• They will also be able to see all domains
that will be created in the future
The user role for tenants is delegated administration
User Details screen
• When defining the user, you assign a tenant to the user
Delegated administrators see a reduced set of admin applications
Tenant administrator icon list
NOTE: Visibility of tabs is dictated by the permissions granted in the Security Profile. In this example, the
user does not have the Reports and Vulnerabilities tabs enabled.
Defining access rights in a multi domain environment
TIP: Rules can be viewed, modified, or disabled by any user who has both the Maintain Custom
Rules and View Custom Rules permissions, regardless of which domain that user belongs to.
When sending events or flows to another QRadar environment, all domain information is removed,
because the domain tags are metadata in QRadar and not part of the original payload. Forwarded
events and flows therefore belong to the default domain in the receiving system.
Questions?
Domain & Tenant Questions
Question 1
I have Domain A, which has a Windows server at 192.168.100.100.
I have Domain B, which has a Linux server at 192.168.100.100.
My building block BB:HostDefinition: Windows Servers is configured with 192.168.100.100.
Answer: Yes, until Server Discovery in QRadar is domain aware, you probably need a custom
property to define when this data belongs to either the Windows server or the Linux server. This is
something on our road map at the moment, to allow Server Discovery to support domains.
Question 2
What is the maximum number of tenants for a QRadar deployment?
Answer: There is no hard limit, but how much will work depends on the environment specifics
(and possibly the license capacity you have at hand if you are assigning event or flow rates to
each tenant). We test up to 150 tenants when we validate QRadar builds before release.
Domain & Tenant Questions (Continued)
Question 3
We want to add a domain to a reference set, for example: https://www.microsoft.com. Can we add wildcard
entries like *.microsoft.com or https://www.microsoft.* to refer to the entire domain and
its subdomains?
Answer: No, wildcard entries are not supported. Data contained within the extended URL can fill
reference sets with unique values due to the variability and volume of URL data. Typically, it is best to
create a property that matches the root or header domains and expand on those requirements as needed.
Question 4
Does QRadar have the ability to export and import configurations on a per-domain basis?
In an MSSP deployment, I want to restore a configuration backup for only a single client to another
QRadar instance. Is that possible?
Question 5
Does the User Behavior Analytics app support multi tenancy?
Answer: No, multi tenancy is not currently supported in any QRadar application. This functionality is
being looked at to be added in a future release.
Domain & Tenant Questions (Continued)
Question 6
Can I have log sources with the same log source identifier and log source type?
Answer: The only way to have two log sources of the same type and same Log Source Identifier is if
they are using different protocol types.
In an overlapping IP scenario, the system does not end up with two log sources. What really happens
is that one log source with (for example) Log Source Identifier=10.10.10.10 ends up actually collecting
logs from two different physical machines, each with IP address 10.10.10.10. Each individual event
can be tagged with a domain, and in the case of a shared log source situation like this, the separation
is done using custom properties.
If there is some field in the events that can be used to differentiate between events for domain A
versus events for domain B, then you could create a custom property to capture this field's value for
the log source type in question, then assign particular values of that property to each domain. So all
events get linked to a single log source which is domain-agnostic, but each event received by that log
source is tagged for either domain A or domain B based on the value of the custom property.
Domain & Tenant Questions (Continued)
Question 7
Is there a way to create an advanced search (AQL) to get the EPS rate for each specific tenant?
Answer: We do not keep track of EPS rates on a per-tenant basis by default at this time. If you
wanted to create a query to track EPS data, it would be a big query where you are counting domains
over time, but it should be possible to do. We are looking in to this question to provide an answer and
an example query. We’ll likely take this follow-up to the forums to answer.
Question 8
If I want to use an advanced query to find a domain, is there a way to do so without using the domain
ID?
Answer: Yes, you need to use DOMAINNAME(domainid) instead of just domainid in your advanced
search. The DOMAINNAME function will look up the name for you and can be used with matches,
imatches, like, ilike, etc.
Question 9
Is there a way to query for the lack of a domain in an advanced search?
Answer: Yes, if you wanted to audit for data that is not assigned to a domain, you could use
'NULL' AS Domain in your advanced search query to help locate this data.
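The kind of AQL referred to in Questions 7 and 8 above, as an added example that is not from the Open Mic deck: the first query counts events per domain over the last hour (the "counting domains over time" approach from the answer to Question 7), the second filters by domain name through DOMAINNAME(domainid) instead of a domain ID. The name pattern 'Blue%' is a constructed value.

```sql
SELECT
    DOMAINNAME(domainid) AS domain_name,
    COUNT(*) AS event_count
FROM events
GROUP BY domainid
ORDER BY event_count DESC
LAST 1 HOURS

SELECT
    DOMAINNAME(domainid) AS domain_name,
    LOGSOURCENAME(logsourceid) AS log_source,
    sourceip,
    destinationip,
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time
FROM events
WHERE DOMAINNAME(domainid) ILIKE 'Blue%'
LAST 24 HOURS
```

Run the two queries separately in the Advanced Search tab; dividing event_count by 3600 gives the average EPS per domain for that hour, which is a per-domain approximation rather than the per-tenant EPS tracking the deck says QRadar does not keep.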
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.