5.6 QRadar Custom DSM Part 1


Time: 6 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
>> Welcome back to the Cybrary course in building your InfoSec Lab. I'm your host and instructor, Kevin Hernandez. In the last lesson, we created custom properties for PFSense within our QRadar environment. In today's lesson, we're actually going to take it a little step above that and create a custom DSM for PFSense itself. Let's get started.

As mentioned in our prior lesson, another option we have for our custom variables or extracted properties is the DSM Editor itself. However, before we go there, let's go ahead and copy this and now go to Admin, scroll down a little, and here is DSM Editor right here. Let's give it a second for it to load. It's going to search for... You can type PFSense. You can see there's nothing. What you can do is, for example, you can say Universal DSM and then you create "New." You can call it PFSense. You save it and you select it.

Here it will be basically the same thing we did earlier regarding the variables. The only big difference is that now we actually modify it here with the variables you see on the left side. Instead of having "PFSense destination IP," we just modify a field here as destination IP. We've got to paste the payload we acquired and lock it in here. Now you can see the data that's been extracted down here in the bottom. You can see it's pretty much empty because it's not properly interpreting what's being detected. For destination IP, it's not being detected. You're going to overwrite it.

We're going to go back to our Notepad. We're going to capture this. We're going to paste it here. Expression. There we go. Actually, it is detecting a couple of them. Up here you can see the first one, the text, is a source IP. That's most likely because we have the brackets right there. Let's delete this and let's go to the L1, here we go. Let's search for disability for should be here. If not, we'll move around because there's actually one less right here. It's hard to see the commas and the periods today, I have allergies. It's seriously bad. It will be here. That's the destination IP format string, battle require. It's actually that, I want to apologize. QRadar.

>> You can see the destination IPs right here right now. What we're going to do is that same day we're going to do it for the source IP. Let's scroll down, alphabetically ordered. Remember the regex itself was probably formed as a first source IP. All you have to do is dollar sign one, hit "Okay." If you scroll to the side, you see the source IP now, they're real good. You can see basically the hard part about this was building that regex back in the prior lesson. Now this is like a piece of cake moving forward.

Now, let's go ahead and do the ports. For the ports, we want to capture the other ones. Let's actually do the following, this opening different windows on the way. Destination port, we are going to overwrite that. As well graduates, I'm going to search for those parentheses right there. I'm going to search for it right there. See you there. Let's say for the other one. Deleted their dexterity. Let's move to the port. You remember the first one is for the source, the second was for the destination. Before we do anything, let's copy-paste this since it's clean now, and let's do this under destination port. Remember, in this case, since we're building a regex itself, we have to actually put the capture group. This one only has one, so we put 1, hit "Okay." You should have it in there now, 8080, perfect. Let's go to source port. In this case it's regex again, pasted. In this case, you already know it's this one. There we go. Capture group 1 because we only have 1, hit "Okay."

Now, for example, we're going to search for action or event name. Let's go for event ID. I'm going to do 134 here. We can do, for example, from four digits, let's say, even though we do see three, and this actually puts the parentheses in here. For my string, dollar one, hit "Okay," it's event ID. Even if it's not that, most likely firewall rule. But you get an idea that we will have to recreate the many things.

Now the only thing we need is going to have the date or time. There, it was reading it properly since it's going live, you don't have to reinvent the wheel for that one. But if you want to use the system time in case of some latency, you can actually capture that. What I would do is, from here, open a parenthesis here and then do all the regex up to here, which, if you remember, it was actually w:/2/ here. Writing and capture right here, here before the space. It should be able to work.

Let's look for one more thing in here, which is the action. We don't need the holders, only the regex up to that point. As we know, we don't need the digits and let's IP. We're going to erase from here forward. Copy this, and let's go back here. Let's go for action and see if there's anything regarding action or anything regarding activity, event, something like that. You'll see there's not much regarding that. There we go. Let's see here. Nothing. It doesn't mean it's not there. You can always search for action plus. You can see here you can actually set up custom properties. However, since you're here, actually search PFSense action, or you go and then you're going to select it. There we go. [LAUGHTER] Then you save it, flip injecting priority for ending. Where we go, enable. We won't really have to modify it, but apparently we do have to rewrite it. Let's go ahead and type this again. Obviously, let's remove things that are not required. From here, for example. Thus keep erasing up to here, a little bit more. If you recall, there was an extra dot here that we didn't need, and that's it here. There's the action, capture group 1. Let's hit "Save."

Technically, once you do this through the filter, you can now see everything in here actually gives an action. There we go, you see. Now it's just one shown in order, but just so you get a general idea. You can save it, close it. You're going to have auto-discovery. Sure, you can do that. I don't trust it. I have mixed feelings about it. Sometimes it works, sometimes it keeps you on data. The problem is, if it doesn't know what it is, especially here that doesn't have like variable-to-little fields, to have like an identifier, for example, it doesn't say SRC IP in the payload.

Now that you're here and you created that, one of the things you can do is you can come back to the log source, double-click to edit. Here you can select an extension. You can see that the PFSense log source extension is there and you can save it. Now what happens is that new logs are coming in. Now, you see here, you're going to see that in theory. Now there you go. It should load the values specific to this. Let's go ahead and clear this filter. I didn't want to do that. Here we go. You can actually see these variables in there now. You can see it should be working now. You can see that it's reading the variables as it's supposed to.

Obviously, things in the past will not read the proper way. You can also see that since we actually added the variables or the values for source IP and all those things, we actually modified the properties. We didn't include these properties in the search itself, so it's not going to read them. You can see, however, that it's detecting the source IP now as it's supposed to, and it's detecting the source port, destination IP and destination port the way it's supposed to. You can actually see that it's working as intended. Now PFSense action, you might need to work a little bit more on data to actually do it. A PFSense event name I even made we can actually add in as well and edit it. What we can do here, we can actually go and say, "We're going to do new search." Now this seems like a good place to take a short break. See you soon.
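As an added illustration (not from the video or from Cybrary), the script below mimics what each DSM Editor property built in this lesson does: a regex plus the capture-group number to use, applied to the raw payload, with no match or no capture group yielding an empty property. The pfSense filterlog field order and the sample log line are assumed and constructed here, not taken from the video.

```python
import re

# Constructed sample payload in pfSense's filterlog CSV layout (field order
# assumed from the filterlog format, not from the video): syslog header, then
# rule-number,sub-rule,anchor,tracker,interface,reason,action,direction,
# ip-version,tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,
# src-port,dst-port,...
SAMPLE_PAYLOAD = (
    "<134>Mar 10 12:34:56 pfSense filterlog[50321]: "
    "134,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,"
    "192.0.2.10,198.51.100.5,51234,8080,0,S,1234567890,,64240,,mss"
)

IPV4_NC = r"\d{1,3}(?:\.\d{1,3}){3}"  # non-capturing IPv4 building block
IPV4 = "(" + IPV4_NC + ")"            # same thing as a capture group

# One entry per DSM Editor property: (regex, capture group).  Source and
# destination share one regex and differ only in the group number, the same
# "first one is the source, second is the destination" trick used in the video.
PROPERTIES = {
    "Log Source Time":  (r"^<\d+>(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s", 1),
    "Event ID":         (r"filterlog\[\d+\]:\s(\d+),", 1),
    "Action":           (r",(pass|block|reject),(?:in|out),", 1),
    "Source IP":        (r",(?:tcp|udp|icmp),\d+," + IPV4 + "," + IPV4 + ",", 1),
    "Destination IP":   (r",(?:tcp|udp|icmp),\d+," + IPV4 + "," + IPV4 + ",", 2),
    "Source Port":      ("," + IPV4_NC + "," + IPV4_NC + r",(\d+),(\d+),", 1),
    "Destination Port": ("," + IPV4_NC + "," + IPV4_NC + r",(\d+),(\d+),", 2),
}


def extract(payload, properties=PROPERTIES):
    """Evaluate every property against the payload the way the DSM Editor
    preview does: the chosen capture group is the value; a regex that does
    not match, or that has no such capture group, leaves the property empty."""
    result = {}
    for name, (pattern, group) in properties.items():
        match = re.search(pattern, payload)
        if match is None or group > match.re.groups:
            result[name] = None          # shows up as an empty cell in the preview
        else:
            result[name] = match.group(group)
    return result


if __name__ == "__main__":
    for name, value in extract(SAMPLE_PAYLOAD).items():
        print(f"{name:17}: {value}")
```

A regex that matches but has no parentheses is the mistake the video warns about: with `(r",tcp,\d+," + IPV4_NC + ",", 1)` the preview stays empty because group 1 does not exist.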