5.5 QRadar Custom Properties
Video Transcription
>> Welcome back to the Cybrary course in Building your Infosec Lab. I'm your host and instructor, Kevin Hernandez. Last lesson, we integrated pfSense logs into QRadar and created it as a universal DSM log source. In today's lesson, we're actually going to start creating custom properties for our pfSense logs within QRadar. Now let's get started.

Last we left off, we basically integrated pfSense logs through QRadar; we had a status, system logs, settings right here. Even though we incorporated these logs into QRadar, we had to do it manually through the universal DSM, as is seen on the screen. Now, even though we integrated these, one of the issues is that it is not properly formatted. The reason is that we have to create either a universal DSM for pfSense, [LAUGHTER] I know, scramble of words, or we have to create custom variables. Now, let's go ahead and pause it right here. We pause the capture from QRadar, hitting the pause button on the top right corner. Now, we're going to open a pfSense event such as this one, there we go. As you can see, we have the information here but not much to do. As I mentioned in the last videos, we can create a new DSM or we can actually extract variables from here. Let's go ahead and show you the extract properties, or create custom variables, option first.

Let's go to Status. Let's go down here to Logs right here, and here are the system logs. Now obviously, you'd have System, and we also have Firewall, which is the one we're looking at. One good thing we're going to do here is, we're actually going to take a small screenshot of this and then compare it to what we have here. Also do a side by side if you like. I come here and shrink this a little, and then come here, and put them side by side. That can also work, it's up to preference. Here, we have the date or time, we have the rule alert, pretty sure that's what it is, and then you can see there's several values such as filter, Log 5, several values, interfaces, match, block. In here, if I expand it a little, you can actually see some of this information. However, it's not in exact order, so you've got to be aware of that when trying to match one to one the information. Let's go back and see the other one.
Now one thing you can do, you can right-click here, you can say filter on log source is pfSense, and let's add the last 15 minutes. There we go, we have a lot more data to play with. Here we are, 120. Let's try to find this event in there. Once I went to dynamic view instead of normal view, I was able to find 12052, 15215 right here, the port 44193. Sorry, not sure what I did there. [LAUGHTER] Let's go ahead and search for it, here we go, 44193, and you have the port here. You can see the 3260 right here, and you can get a general idea now what is what, and this is what we really wanted to do. Let's go ahead and copy this over here, and now let's do Extract Property. Let's wait for it to load. What I want to do is create custom variables for these, just to show you how we can do a couple of them regarding QRadar. We're going to do extraction based. Test field is for our [inaudible]; it's going to be, in this case, you can see I actually pasted it in here, so we don't have to do too much. Now here's where the new property comes in. In this case, we can create one called source IP, which is 120. You can call it source IP, maybe actually add a pfSense. The reason I like to do pfSense source IP is because that way, if you try to use source IP for something else, you don't overwrite your source IP for everything else. For me, you can say this is the source IP for pfSense. Let's scroll down a little. I'm going to actually increase the size of this a little so it fits. I guess it's a universal DSM log source, you can actually attach it to pfSense itself. Event name, we can actually jump into that later on, but right now, I'm going to show you how to use a simple regex to read this data. Now, if you've taken my course on regex, you already should be a little bit familiarized with this. Otherwise, I'm going to do a little quick intro about it, not too complex.

Now you can see you do have the bracket; now if you want to get the date, we can actually start from left to right, or we can actually start with the IP, like I already stated. The problem if we start here is that we have to create this portion of the regex for all of these, and it's a lot of information, to be honest with you. So what we can do is we can start instead around here. The reason I say we can start around here is because it's not that hard, or we can actually use this colon. The reason I mention the colon is because it is the last colon there is, and therefore it shouldn't be that hard to play around with. Let's start with that colon, and it's been detected. [OVERLAPPING]
>> A little bit bigger.

>> No, I can see. You can see there's 1, 2, 3 different colons. Now the difference is, if you see carefully here, this one has a space afterwards, so we're going to use that in the regex. There we go, we're starting right. Now there could be a digit or not, so in this case, what I'm going to do is

>> we're going to create a wildcard.

>> We're going to say it could or could not be there, and then we're going to do a comma, with a wildcard, it can or cannot be there. I'm actually going to repeat this several times until we get to every one. Then here, for example, you have digits, so this is \d+, so you cover all those numbers, then you do another comma; in this case it's a word, because it's the interface, so you can do \w+. You're actually going to repeat this same one several times now. You can see it's going to be a little bit long, but it's going to be okay. [NOISE] There, right? Now period. [NOISE]

>> \w+\,. Then you can say [NOISE] value or no value, \d+ too, plus comma, \d+, [LAUGHTER] \d+ comma. Then you are going to keep repeating these until we get to the point where we want to reach. \w+, you can see once we go to the DSM, it might be a little bit or a lot cleaner,

>> you'll be happy then.

>> Comma, \w+ for TCP, comma, \d+, another comma, and here is where we're actually going to have the source IP. Here is where we do the capture group. Now, before you do the capture group, one of the things I am going to recommend is to write the whole thing up to maybe here, the destination port. The reason I say that is, you can then use the same regex for everything you are [LAUGHTER] going to do, instead of having to rewrite everything again and mess up because you forgot where the

>> proper capture group is.
>> Now, for the IP addresses itself, there's a regex specifically for it.

>> I am actually going to open my notepad for that. Now for IPs. What you want to do is you are going to have one digit, from one to three digits. You are going to have a period. This is basically the structure for an IP. And you have got that four times, not only for periods, and if you just copy and paste this in there, hopefully it should work. There we go. Then you do another comma and you

>> paste another of those.

>> Another comma. There is one port, another comma. There is the other port. Let's leave it here for now. This is going to be our regex.

>> What if you are going to say, okay, but didn't you just say, why not do one regex itself for everything instead of searching for this? You could do that, and if you want to do that, what you have to do is then, instead of starting from here, you will start with this bracket and then do \w+, space or no space, \d{1,2}, space or no space, and \d colon \d{2} colon

>> \d{2} space, and then the word.

>> The way that will work is [NOISE] as such.

>> Then you are going to say \w{3} space, \d{2} [NOISE] space, \d{2} [NOISE] colon.

>> I'm actually going to have to copy this two more times. \d{2}, \d{2}, this is a space and \w+\:. If you copy this right in the beginning, and hopefully I don't break anything up to here, it should now see everything. Let's see. Let me copy this first. [NOISE] Stretch it so I can see everything; it should be from here on. Let me paste it again, delete this, and there, in theory. Let's test this, and if it doesn't work, it is because we messed up the beginning. [LAUGHTER]

>> There we go.

>> Nicely. Let's delete [NOISE] these.

>> Okay, so we've got three.

>> We've got a space, the two digits, we've got a space, we've got two digits. We've got a colon, you have two digits, a colon, we've got two digits. You've got a space. We have a word, we have a colon, we've got a space. Let's do the following. I think this is the problem here. If we do this in theory, you can see why I wanted to start with a colon and not the beginning.

>> Let's rewrite this finally so you can test it. [NOISE] You can see we've got to type exactly the same: three, space, two, space, two, [NOISE] colon, two, [LAUGHTER] colon, two, space, word, colon, space.

>> Copy this and put it right here, which is where we had the other one. [NOISE] You can see we actually have an error here. I forgot to break the digit. That is the error I typed. I apologize for that. Well, now we know if we actually do it like this and then copy this and paste it here, there we go, it covers everything. If you really want to add the other numbers in the beginning, you can actually do that. [NOISE]

>> I'll say one through four, and there we go. That's how regex works.
Now, we haven't actually captured a field, and that's where we're going to go to now, and we set IP, and we're going to source IP, which is going to be this one. In this case, let's go back here to the regex. We're going to look for this area right here, and you start a capture group after the comma, which is right here, right after the comma, before the digits. So open the parentheses, go to the last portion, and close the parentheses, which is a capture group. You can see in the top it's already being highlighted. That's how you know it's going to work. If you test, yes, it matches. Then hit save. Copy this real quick before we hit save in there, hit save. Now you have a source IP right there. If you see it now, it's going to add the value right here in the top. That's a lot of work, how to do that manually for each field. Yeah, but technically we already did the hard work. As you come here, and I apologize, it's so big now, it's just like I wasn't able to see the screen earlier. But then destination IP, and what I'm going to do is literally type the regex in there, and you can see it's capturing that group. You already know where to search. Here's that first parenthesis. Here's the other part of it, and you can actually have both if you prefer, and just change the capture group. I'll show you how to do that in a second. Sorry, that's in the wrong place. Make sure it's before the symbol. There, just missing one of the digits. So let's go back, and that's why it's so good to do this here like that, and you can see there it's destination IP. We're going to test. Now you see it matches, and okay, and save, and now we have destination IP. It appears, and this is the whole thing I was just mentioning earlier, you have to do pfSense destination IP, and that's because otherwise it will overwrite other destination IPs, and once you load it, you can see it right here as well.

Now, as I just mentioned, you can actually modify it, so you can come here to the regex again and then expand this so I can see more. There we go. Now we're going to do, let's say, source port right here. I'm going to call it pfSense source port. I'm going to show you how capture works here now. So you have one parenthesis here and you'll have one here, and that's why I was talking about how we can actually modify. If we come here, we actually added the wrong symbol, apologies. I'm actually going to do this as well. You can see it's marking this one. However, if we change the capture

>> group to capture two,

>> you can see it now captured the source IP, source port, I apologize, and if you go to three, it captures the destination port. So you can see that you can actually use the same regex and just change a little value at the end, and it's a good option as well to do this. In this case, for example, I can copy it too, because it's going to be the source port for pfSense, hit save, and then you're going to literally come again. It's going to be, like, the same value for the regex. I call it pfSense destination port. Then here you come to three. Test, it's working, and you're going to make sure on the top it's highlighted, and this is itself highlighting. I don't have any search functions, as you can see, and then hit save. Now you can see that you're getting 1, 2, 3, 4 different values.
The other thing we've got to search, it's search for the action itself. In this case, the action being block. Go back to the DSM. Apologies, custom event, extract, expand it. I'm going to do pfSense action. In this case we can type the whole thing, or no, we're not going to use the whole thing, because technically we have to get up to here. The less things QRadar processes, the

>> better, in my opinion.

>> I can come up to here, for example, let's stop this and see how much it detects, and that's pretty good. Let's remove two more just to be safe, around here. I like to leave the comma in there as the last thing to detect. That way it doesn't keep searching for more information. You have found the colon, that's it. It's not going to be. \w+ is, there's a lot of characters, it stops at the comma; if there's a space, even better, and many software do have spaces when they're sending the syslogs. Now we'll use the space itself to determine where a variable ends. Now we have it here. We're going to add that capture group right here. [inaudible] period for some reason, [LAUGHTER] block, test it, it detects it. I know it's on the top, it always detects it, and hit save. Now you should see the action, source port, destination port, source IP and destination IP, and a default domain. This basically is a wrap-up for how to create custom properties.

Now, obviously, if you go back to return to event list and you come here, you can now see you're now here. It still says this. But if you come to edit search, let's give it a second for it to load. Let's take a little bit longer than a second. [LAUGHTER] There we go. We're going to do, let's just keep

>> it as is, as five minutes.

>> Now here we're going to search for pfSense. All of these variables are going to add in here. I'm going to grab all of them and put them in there, and then grab all of them and move them up, except one thing I do want to have at the top is the start time. Let's hit search. You can see now it performed a search, and here we go. Here's how you can see the QRadar data from pfSense. So you can see, yes, it's an action log from this source IP to this destination port, source port, source IP. Now if you don't like the order, you can always come back and hit search right in here; you can then say, okay, I want to see the source IP first. Source IP followed by the source port, let's say, followed by the destination IP, followed by the destination port. Do we want to see the action at the beginning or the end? Well, I wanted it to be the first thing we want to see. So let's go with port and then search again. Here you go: source IP, source port, destination IP, destination port, and name, log source, et cetera. You can see you can play around. Once you do that, you can save the criteria. You can say this is pfSense. You can include it in a quick search, share with everyone in case somebody else wants to use it in real time, because you want to see it in real time, and you can set it as your default search. That way, whenever you come into log search, you see the pfSense log. Now, one of the pros and cons, it's obviously that this is very specific for this. Obviously, if you have other log sources, then obviously you won't see the data or the IPs will not match. Therefore, that's the option of a universal DSM you can create for it. This is the wrap-up for today. Let's carry on.

What did we learn today? We created custom properties for our new log source, pfSense, and since QRadar took a little bit of building using regexes, if you're not familiarized with them, I highly recommend the regex course or some regex tutorials, in order to build these custom regexes in your own environment. In our next lesson, we're actually going to go over and use a custom DSM for pfSense; you will notice that this integration is more complete and better overall for event correlation. Hope to see you soon, have a great day.