[vc_row][vc_column][vc_wp_text]
[xyz-ips snippet=”metadatatitle”]
[/vc_wp_text][vc_empty_space][/vc_column][/vc_row][vc_row][vc_column width=”2/3″][vc_column_text]
This blog post introduces Hybrid Hunter, an open source security information and event management (SIEM) and threat hunting platform, and shows how to integrate the Zeek (Bro) logs it produces into IBM QRadar by creating a custom Device Support Module (DSM). The versions used are Hybrid Hunter 2.1.0 RC2 and QRadar 7.3.2. The Hybrid Hunter installation process is not covered here; the linked installation documentation describes it.
[/vc_column_text][vc_empty_space][vc_single_image image=”31091″ img_size=”full”][vc_empty_space][vc_column_text]
A SIEM collects the log entries and events of different systems and system components in a single interface, so that alarms can be generated from the configured rules and so that enough data is retained for the investigation that follows an alarm.
Threat hunting works the other way round: instead of waiting for an alarm, the analyst actively searches the collected data for signs of compromise before the problem escalates into an incident. Successful threat hunting depends on several factors, among which the collection, indexing and searchability of the available logs play a significant role. The platform offers several tools for searching the logs, but perhaps the most useful one is found under the “Hunt” menu on the home interface. Let’s not jump that far ahead, though, and start at the beginning.
GENERAL INFORMATION
Hybrid Hunter is the next generation of the open source Security Onion platform. In addition to the tools already found in Security Onion (Zeek (Bro), Suricata / Snort, Kibana, etc.), many more can be added during installation, such as Grafana, TheHive, CyberChef, Fleet, Cortex, Navigator and Playbook.
Grafana is an interface similar to Kibana, in that it allows you to run queries, visualize data and set alarms. In Hybrid Hunter it monitors and visualizes system status to give a comprehensive view of the platform’s health, such as CPU, disk and memory usage. For more information on Grafana, see its official documentation.
[/vc_column_text][vc_empty_space][vc_single_image image=”31092″ img_size=”full”][vc_empty_space][vc_column_text]
CyberChef is an interface where you can perform a variety of data transformations, from simple ones (such as XOR) to complex ones (such as AES or DES encryption and decryption). The tool is also available separately on the Internet, but its integration into Hybrid Hunter keeps the analyst’s work in one place and avoids pasting potentially sensitive artifacts into an external site.
Navigator (like CyberChef) is an open source project available on the Internet that has been integrated into Hybrid Hunter. ATT&CK Navigator presents the techniques of the MITRE ATT&CK framework in an interactive matrix. The user can customize the view by adding layers, which makes it easy to highlight the techniques associated with a particular malware family or APT group, and to visualize the current level of detection coverage.
TheHive is an open source security incident response platform that receives alerts for the scenarios defined in Playbook, and from which the response to those alarms can be organized and automated. Detailed documentation for TheHive is available here, and a description of Playbook is available through this link.
Fleet is the management server for osquery agents: it runs predefined queries on the monitored endpoints at specified intervals and stores the results in a predefined location. A set of pre-written queries is added during installation, but you can add your own.
Cortex is a platform developed by the same team as TheHive. It takes an observable (a domain, IP address, file or hash) and runs the configured analyzers against it, collecting all results in one place to facilitate later analysis. The documentation for the platform is available here.
One of the most useful innovations in the platform is found under the “Hunt” menu item. It lets the user choose from predefined queries in a drop-down list and search the different logs without first having to learn the platform’s own query language, Onion Query Language (OQL).
[/vc_column_text][vc_empty_space][vc_single_image image=”31093″ img_size=”full”][vc_empty_space][vc_column_text]
After running the selected query, we can refine it and narrow the results by clicking the magnifying glass with a “+” next to a given result. With this feature, threat hunting methods can be applied easily and the events related to an alarm can be filtered out quickly.
[/vc_column_text][vc_single_image image=”31094″ img_size=”full”][vc_empty_space][vc_column_text]
INTEGRATING ZEEK (BRO) LOGS INTO IBM QRADAR
Zeek (Bro) is an open source network monitoring tool included in Hybrid Hunter by default. Its advantage is that it does not simply capture packets but classifies network traffic into protocol-specific logs (connections, DNS, HTTP, SSL, files and so on), each with a predefined set of fields. A more detailed description of these log types and their fields can be found here.
To integrate with QRadar, we first have to forward the Zeek (Bro) logs that Hybrid Hunter has already processed. For this we use the syslog-ng tool. The syslog-ng.conf file in Hybrid Hunter must be modified: the path to the Zeek (Bro) log files is specified as the log source, and QRadar as the destination, including its IP address and port. Pay special attention to the syntax when editing syslog-ng.conf, because the slightest deviation is punished with an error message and a service that no longer forwards anything. The image below shows how the syslog-ng.conf file is modified with the Zeek log sources and QRadar as the destination.
[/vc_column_text][vc_empty_space][vc_single_image image=”31095″ img_size=”full”][vc_empty_space][vc_column_text]
Defining the source and the destination alone is not enough: nothing is sent until a log statement in syslog-ng.conf binds the two together. The image below shows how to achieve this:
[/vc_column_text][vc_empty_space][vc_single_image image=”31096″ img_size=”full”][vc_empty_space][vc_column_text]
After modifying syslog-ng.conf, restart the service with the “systemctl restart syslog-ng.service” command. If you made a syntax error while editing the file, you will see an error message; a successful change produces no output at all. It is worth validating the file before the restart with “syslog-ng --syntax-only”, which reports syntax errors without touching the running service. With the restart of the service, the log integration is complete on the Hybrid Hunter side.
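For reference, here is the same configuration in text form. This is an added example written for this post, not the configuration shown in the screenshot above. The Zeek log directory, the QRadar address 192.0.2.10, the use of TCP and the version line are assumptions that must be replaced with your own values.

```conf
@version: 3.13
# Assumed: Hybrid Hunter writes Zeek's JSON logs to /nsm/zeek/logs/current/.
# flags(no-parse) keeps each JSON record intact as the message body instead of
# letting syslog-ng try to interpret it as a syslog message.
# program-override() stamps the Zeek log type into the PROGRAM field, so the
# DSM can tell a conn record from a dns record once they arrive at QRadar.
source s_zeek_conn {
    file("/nsm/zeek/logs/current/conn.log"
         follow-freq(1) flags(no-parse) program-override("zeek_conn"));
};

source s_zeek_dns {
    file("/nsm/zeek/logs/current/dns.log"
         follow-freq(1) flags(no-parse) program-override("zeek_dns"));
};

# Assumed QRadar event collector address. TCP rather than UDP so that bursts
# of Zeek output are not silently dropped on the way.
destination d_qradar {
    network("192.0.2.10" port(514) transport("tcp"));
};

# Nothing is sent until a log statement binds the sources to the destination.
log {
    source(s_zeek_conn);
    source(s_zeek_dns);
    destination(d_qradar);
};
```

With this configuration each forwarded line arrives at QRadar in the legacy syslog format, that is, priority, timestamp, the Hybrid Hunter hostname, the program name given by program-override() and then the raw Zeek JSON record. The hostname is what the Log Source Identifier will later match on, and the program name is what the DSM can use as Event Category. Zeek rotates its current logs, so use a file() source that keeps following the path rather than a one-shot read.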
Logs transmitted from Hybrid Hunter appear as “Unknown event” under the Log Activity menu item in the QRadar interface, as QRadar does not have the DSM required to recognize the logs by default. After selecting one of these logs, right-click and select “View in DSM Editor”.
Next to Log Source Type, click the “Change” button and then click “Create New” in the “Select Log Source Type” pop-up window.
[/vc_column_text][vc_empty_space][vc_single_image image=”31097″ img_size=”full”][vc_empty_space][vc_column_text]
After entering the name, save the DSM and use regex to extract the data corresponding to the fields from the raw log under the “Properties” tab. You can see an example of this in the image below:
[/vc_column_text][vc_empty_space][vc_single_image image=”31098″ img_size=”full”][vc_empty_space][vc_column_text]
It is important to extract the “Event Category” and “Event ID” properties from the log, because QRadar uses these two values to recognize the event. Once they are extracted, create an “Event Mapping” for the event by clicking the “+” sign under the “Event Mappings” tab. The “Event Category” and “Event ID” values entered in the mapping must match exactly what the regexes extract from the raw log; a mismatch leaves the events classified as unknown.
[/vc_column_text][vc_empty_space][vc_single_image image=”31099″ img_size=”full”][vc_empty_space][vc_column_text]
To complete the mapping, a QID record must also be specified. Since this type of event does not exist in QRadar by default, create it by clicking the “Create New QID Record” button. When creating the QID, select the DSM you just created as the “Log Source Type”, then choose the “High Level Category” and “Low Level Category” from the drop-down lists according to the meaning of the log. Once the QID exists, add it to the “Event Mapping” and finish with the “Create” button. A separate “Event Mapping” must be created within the DSM for each distinct Zeek (Bro) event type.
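To see what the DSM properties have to do with a forwarded line, the following script reproduces the extraction logic outside QRadar. It is an added example for this post, not code from QRadar or from Security Onion. It assumes that syslog-ng tags each Zeek log file with a program name such as zeek_conn or zeek_dns (without such a tag the JSON record alone does not say which Zeek log it came from), and the sample lines, the choice of conn_state and rcode_name as Event ID fields and the mapping table are all constructed for illustration.

```python
import json
import re

# Shape of a line as syslog-ng's default network() template emits it:
#   <PRI>MMM dd HH:MM:SS HOST PROGRAM: MSG
# (file sources carry no PID, so there is no "[pid]" after PROGRAM).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\s]+): "
    r"(?P<msg>\{.*\})\s*$"
)

# Assumption: one JSON field per Zeek log type acts as the Event ID, chosen so
# that distinct QIDs make sense (conn_state for conn, rcode_name for dns).
EVENT_ID_FIELD = {
    "zeek_conn": "conn_state",
    "zeek_dns": "rcode_name",
}

# Constructed sample input: what QRadar would receive on port 514.
SAMPLE_LINES = [
    '<13>Mar 10 12:34:56 securityonion zeek_conn: {"ts":1583843696.123,"uid":"CXYZ1",'
    '"id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"192.0.2.7","id.resp_p":445,'
    '"proto":"tcp","conn_state":"S0"}',
    '<13>Mar 10 12:34:57 securityonion zeek_dns: {"ts":1583843697.5,"uid":"CXYZ2",'
    '"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","proto":"udp",'
    '"query":"example.invalid","rcode_name":"NXDOMAIN"}',
    # conn record without conn_state: the Event ID regex finds nothing
    '<13>Mar 10 12:34:58 securityonion zeek_conn: {"ts":1583843698.0,"uid":"CXYZ3","proto":"udp"}',
    # not a syslog-wrapped record at all
    'Mar 10 12:34:59 securityonion zeek_conn: not json at all',
]

# Constructed Event Mappings: (Event Category, Event ID) -> QID record name.
KNOWN_MAPPINGS = {
    ("zeek_conn", "S0"): "Zeek connection attempt, no reply",
    ("zeek_dns", "NXDOMAIN"): "Zeek DNS query for non-existent domain",
}


def parse_forwarded_zeek(line):
    """Return the three properties the DSM needs (Log Source Identifier,
    Event Category, Event ID) plus the decoded record, or None if the line
    is not a syslog-ng-wrapped Zeek JSON record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        record = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    program = m.group("program")
    field = EVENT_ID_FIELD.get(program)
    event_id = record.get(field) if field else None
    return {
        "log_source_identifier": m.group("host"),
        "event_category": program,
        # An absent discriminator field is reported explicitly rather than
        # dropped, mirroring how such events stay unclassified in QRadar.
        "event_id": "unknown" if event_id is None else str(event_id),
        "record": record,
    }


def find_unmapped(lines, known_mappings):
    """List the (category, id) pairs that parse correctly but have no Event
    Mapping yet, i.e. the events QRadar would still show as unknown."""
    missing = set()
    for line in lines:
        parsed = parse_forwarded_zeek(line)
        if parsed is None:
            continue
        key = (parsed["event_category"], parsed["event_id"])
        if key not in known_mappings:
            missing.add(key)
    return missing


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_forwarded_zeek(line))
    print("still unmapped:", find_unmapped(SAMPLE_LINES, KNOWN_MAPPINGS))
```

The hostname group is the value to enter as Log Source Identifier, the program group is the Event Category and the per-log-type JSON field is the Event ID. The DSM Editor uses Java regular expressions with numbered capture groups instead of Python's named groups, but the patterns themselves carry over; the point of the script is to check, on real forwarded lines, that the three extractions agree with the values typed into the Event Mapping before deploying.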
Once you are done setting up the DSM, you will also need to create a “Log Source”. To do this, click on the “Log Sources” option under the QRadar “Admin” tab.
[/vc_column_text][vc_empty_space][vc_single_image image=”31100″ img_size=”full”][vc_empty_space][vc_column_text]
In the pop-up window, select the “Add” option. When adding the log source, make sure to select the DSM we created from the drop-down list under “Log Source Type”. Another crucial setting is the “Log Source Identifier”, which must be an IP address or hostname. In the present example this is the “securityonion” hostname, because that is the value following the timestamp in the forwarded logs; if it does not match, QRadar will not attribute the events to this log source. The name and description of the log source can be chosen freely. The image below shows the settings required to register the log source.
[/vc_column_text][vc_empty_space][vc_single_image image=”31101″ img_size=”full”][vc_empty_space][vc_column_text]
To apply the created changes, click “Deploy Changes” on the “Admin” tab.
In this blog post, we got to know the Hybrid Hunter platform and walked through integrating its Zeek (Bro) logs into IBM QRadar. The same method can be used to build DSMs for other log sources that QRadar does not recognize out of the box, so we hope the time spent reading is recouped by the knowledge gained here.
[/vc_column_text][/vc_column][vc_column width=”1/3″][vc_wp_text][xyz-ips snippet=”metadatatime”]
[/vc_wp_text][/vc_column][/vc_row]