5.2 Custom Properties Part 1

Time: 6 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
>> Welcome back to the Cybrary course in building your Infosec lab. I'm your host and instructor, Kevin Hernandez. Last lesson we integrated pfSense logs into QRadar and created it as a universal DSM log source. In today's lesson, we're actually going to start creating custom properties for pfSense logs within QRadar. Now let's get started.

Last we left off, we basically integrated pfSense logs through QRadar. We had Status, System Logs, Settings right here. Even though we incorporated these logs into QRadar, we had to do it manually through the universal log DSM as seen on the screen. Now, even though we integrated these, one of the issues is that it is not properly formatted. That's the reason we have to create either a universal DSM for pfSense (I know, scrambled words) or we have to create custom variables. Now, let's go ahead and pause it right here. We pause the capture from QRadar with the Pause button on the top right corner.
Now we're going to open a pfSense event such as this one. There we go. As you can see we have the information here, but not much to do. Now, as I mentioned in the last videos, we can create a new DSM, or we can actually extract variables from here. Let's go ahead and show you the extract properties, or create custom variables, option first.

Let's go to Status. Let's go down here to Logs again, right here. Here are the system logs. Now obviously you would have System, and we also have Firewall, which is the one we're looking at. One of the things we're going to do here is we're actually going to take a small screenshot of this and then compare it to what we have here. Now, you can also do a side-by-side if you like. I come here and shrink this a little, and I come here, I put them side-by-side, and I can also work up to preference. Here we have the date or time, we have the rule alert. Pretty sure that's what it is. Then you can see there are several values such as filterlog five. Several values, interfaces, match, block. In here, if I expand it a little, we can actually see some of this information. However, it's not in a set order, so you've got to be aware of that when trying to match the information one-to-one.

Let's go back and see the other one. Now one thing you can do, you can right-click here and say filter on log source is pfSense, and let's add the last 15 minutes. There we go, we have a lot more data to play with. Here we are, 120. Let's try to find these events in there. Once I went to Dynamic view, it's normal view, I was able to find 120, 52, 152, 15, right here, the port for 4193. [LAUGHTER] Let me go ahead and say 4193. You have the port view. You can see that 30-80 here, and you'll see that 30-60 right here. You can get a general idea now of which one is which. This is what we really wanted to do. Let's go ahead and copy this over here. I want us to extract property.
>> Let's wait for it to load. What I'll do is create custom variables for these, just to show you how we can do a couple of them regarding QRadar. We're going to do extraction based. The test field is for our payloads; in this case, you can see I actually pasted it in here. We don't have to do too much. Now here comes the extraction and your property. In this case, we can create one called source IP, which is 120. You can call it source IP. Maybe actually add a pfSense. The reason I like to do pfSense source IP is because that way if you try to use source IP [LAUGHTER] for something else, you don't overwrite your source IP for everything else. From here you can say, this is the source IP for pfSense. I'll scroll down a little. I'm going to actually resize this a little so it fits, and you can see it's a universal DSM log source. You can actually attach it to pfSense itself. Event name, we can actually jump into that later on. But right now I'm going to show you how to use simple regex to read this data.

Now, if you've taken my course on regex, you already should be a little bit familiarized with this. Otherwise, I'm going to do a little quick intro about it. Not too complex. Now you can see you do have the bracket. Now, if you want to get the date, we can actually start from left to right, or we can actually start with the IP, like I already stated. The problem if we start here is I would have to create a disproportionate regex for all of these. It's a lot of information, to be honest with you. What we can do is we can start instead around here. The reason I say we can start around here is because it's not that hard, or we can actually use this colon. The reason I mention a colon is because it is the last colon there is, and therefore it shouldn't be that hard to play around with. Let's start with that colon. It's been detected, followed by, let's say [OVERLAPPING] now I can see. You can see there's one, two, three different colons. Now the difference is, if you look carefully here, this one has a space afterwards, so we're going to use that in our regex, and there we go.
>> We're starting right. Now, there could be a digit or not. In this case, what I'm going to do is we're going to create a wildcard. We're going to say it can or cannot be there. Then we're going to do a comma, with the wildcard that can or cannot be there. We're actually going to repeat this several times until we get to every one. Then here, for example, you have digits. This is slash d plus, so you cover all those numbers, then you do another comma. In this case it's a word, because it's the interface, so you can do slash w plus. You are actually going to repeat this same one several times now, and you can see it's going to be a little bit long, but it's going to be okay. Now, period [NOISE] slash w plus, slash comma. Then you can say value or no value, slash digit plus, comma, slash digit plus, comma. [LAUGHTER] We are going to keep repeating these again until we get to the point where we want to reach. Slash w plus. You can see once we go to the DSM, it might be a little bit, or a lot, cleaner. You'll be happy then. Slash w plus for TCP, comma, slash d plus, another comma, and here's where we actually get to the source IP. Here's where we do the capture group.

Now, before you do the capture group, one of the things I'm going to recommend is to write the whole thing up to maybe here, the destination port. The reason I say that is you can then use the same regex for everything [LAUGHTER] you're going to do, instead of having to rewrite everything again and mess up because you forgot where the proper capture groups are. Now this seems like a good place to take a short break. See you soon.