Note: The approach used in this code pattern can be used to add any log source not already supported by QRadar out of the box.
Monitoring and preventing security or policy related incidents is an important goal for any organization. Some examples of such incidents are:
- A company vehicle exceeds the specified speed limit.
- An employee attempts to swipe his badge and access a restricted area.
- A company asset that is bound to a location is moved to another location.
How can you detect or monitor security or policy related incidents? With the increasing adoption of IoT, a number of security-related incidents can be detected from the data generated by embedded IoT devices. For example, the speed and location of connected vehicles can be monitored.
IBM QRadar Security Information and Event Management (SIEM) can help achieve the security goals of an organization. It can consolidate log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network. It correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation.
IBM Watson IoT Platform provides IoT devices a mechanism to securely register and send events. These events can be stored and processed. With an integration between the IBM Watson IoT Platform and IBM QRadar, an organization can bring a huge number of devices under the monitoring umbrella.
The Watson IoT Platform is not supported as a log source by default on QRadar. This code pattern demonstrates an integration of the Watson IoT Platform with QRadar. The capability demonstrated here can be extended to any other log source that is not supported by QRadar by default. The Universal DSM support in QRadar has been used to build this integration.
In this pattern, we will demonstrate the solution with the following use case. A vehicle has been assigned a speed limit of 100 kmph. If the speed of the vehicle exceeds 100 kmph, it is a violation. The vehicle has been fitted with an IoT gateway device that regularly sends the speed information to the IoT platform. Whenever the speed of the vehicle exceeds 100 kmph, it should generate an offense on QRadar.
When the reader has completed this pattern, they will understand how to use the Universal DSM support available in QRadar to monitor device events from Watson IoT Platform.
The following aspects will be demonstrated in this pattern:
- Create a Universal DSM log source in QRadar.
- Create a rule to detect an offense in QRadar.
- Subscribe to device events from Watson IoT Platform and send them to QRadar in RFC_3164 or RFC_5424 format using the Syslog client at https://github.com/CloudBees-community/syslog-java-client.
- Monitor offenses, if any, from the devices in QRadar Log Activity.
- Subscribe to device events from Watson IoT Platform.
- Use the Syslog client to create a message in RFC_3164 or RFC_5424 format.
- Send the message to QRadar. The pre-created rules run automatically on the message and an offense is generated for violations.
- IBM Watson IoT Platform: IBM Watson™ IoT Platform for IBM Cloud gives you a versatile toolkit that includes gateway devices, device management, and powerful application access. By using Watson IoT Platform, you can collect connected device data and perform analytics on real-time data from your organization.
- Liberty for Java: Develop, deploy, and scale Java web apps with ease. IBM WebSphere Liberty Profile is a highly composable, ultra-fast, ultra-light profile of IBM WebSphere Application Server designed for the cloud.
- IBM QRadar version 7.3.1: QRadar Community Edition is a free version of QRadar that is based off of the core enterprise SIEM.
- Syslog Java Client: Client library written in Java to send messages to a Syslog server, from the CloudBees community (https://github.com/CloudBees-community).
Note: Please read the licensing terms for usage of the Syslog Java Client at https://github.com/CloudBees-community/syslog-java-client. It is downloaded as part of the Maven build in this code pattern.
- Security Information and Event Management: In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.
- Java: Java is a general-purpose computer-programming language that is concurrent, class-based and object-oriented.
- QRadar Community Edition: Please visit the site for download and installation instructions.
- Git Client: Please visit the site for download and installation instructions.
- Maven: Please visit the site for download and installation instructions.
- IBM Cloud account: Create an IBM Cloud account.
- Apache Tomcat: Install Apache Tomcat to run the Java web application locally.
Please follow the steps below to set up and run this code pattern.
- Install QRadar community edition
- Create IBM Cloud services
- Register a device on Watson IoT platform
- Create log sources and rules on QRadar
- Deploy the web application
- Analyze results
The version of QRadar that was used for this pattern is 7.3.1.
The installation instructions are available at: https://developer.ibm.com/qradar/wp-content/uploads/sites/89/2018/08/b_qradar_community_edition.pdf.
The product can be downloaded at: https://developer.ibm.com/qradar/ce/. For installation troubleshooting tips, please refer to the Troubleshooting guide.
- Create an instance of Internet of Things Platform at Internet of Things Platform.
- Launch and go to Dashboard.
- On the Watson IoT Platform Dashboard, create a device type Vehicle and a device with id Truck_7265.
- Note down the device credentials. The Authentication Token cannot be retrieved later. The device credentials will be used later to send device events.
- Click on Apps on the menu.
- Click on Generate API Key. Click Next.
- Select the role as Data processor application.
- Make a note of the API Key and Authentication Token. These will be needed in the web application configuration in the subsequent steps.
For more details on the above steps, please refer to this pattern.
- Open the QRadar Console from a browser. From the menu, select Admin to go to the Admin view.
- Scroll down to the Data sources section and select Log Sources.
- Click on Add to add a new log source.
- Configure the log source with the values shown. Click on Save.
- In the Admin view, click on Deploy changes to add the newly configured log source.
- Go to the Log Activity view.
- Go to the Rules view by clicking on the Rules menu.
- Select Actions and then New Common Rule.
- The rule wizard opens. Click Next.
- Select Events or flows. Click Next.
- On the Rule Test Stack Editor, enter the filter keyword payload.
- Select the rule When the Flow Source or Destination Payload contains this string. Enter the rule name as speed violation. Click on the hyperlink this string as shown.
- Enter the string as SPEEDING. This is the string that we will send in the device event payload. Click Submit.
- Select the group as Policy.
- Click Next.
- On the Rule Response page, enter the values as shown. Click Next.
- Click Finish on the Rule summary page.
- The newly created rule has been added to the list of rules.
- Clone this git repo.
- Run the command mvn clean package.
- The war file is generated in the target directory - WatsonIoTQRadarIntegration.war.
- Deploy the war file into the Apache Tomcat container.
- Try to access the deployed application at http://[hostname:port]/WatsonIoTQRadarIntegration/index.html.
To set up the solution and see it working, the below steps will be performed:
- Configure the Watson IoT subscriber application with apikey credentials.
- Configure the application with QRadar installation details and the message format.
- Configure the Device Type and Device ID whose events need to be monitored on QRadar.
- Simulate events for the Device Type and Device ID.
Let us perform the above steps. Click on Configure Watson IoT Application. Enter the apikey credentials noted in Step 3. Click on Submit. Click on Next.
Enter the IP address of the QRadar installation. Enter a message format. Click Submit. Click Next.
Enter the Device Type and Device ID. These are the same as what we registered in Step 3.
We are all set with the configuration now. Click on Next.
Now, go to the QRadar console.
- Go to the Log Activity view.
- It is recommended to filter the events as shown below to avoid missing the offense. Repeat this for the default events that appear on the QRadar log.
Now, we are ready to simulate the events. Go back to the web page again.
Enter all the configuration details shown. Enter the event message in one of the formats below:
Event with no violation - {"VEHICLENUMBER":"KA05MA1234", "SPEED": "80KMPH", "VIOLATION":"NONE"}
Event with a violation - {"VEHICLENUMBER":"KA05MA1234", "SPEED": "180KMPH", "VIOLATION":"SPEEDING"}
Note: We assume that the speed check is performed at the edge. The key-value pair "VIOLATION":"SPEEDING" is added on the edge device.
Click on Send. The second event will generate an offense on QRadar.
Go to the QRadar console. We can see that there is an offense with regard to the second event we sent.
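The flow described earlier (build an RFC_3164 or RFC_5424 syslog message around the device event and send it to QRadar) and the two sample event payloads above, as an added example that is not part of this code pattern's Java web application. It also shows the edge-side speed check the note assumes. The hostname iot-bridge, the UDP port 514 and the QRADAR_HOST environment variable are assumptions for the example.

```python
import json
import os
import socket
from datetime import datetime, timezone

SPEED_LIMIT_KMPH = 100    # limit from the use case
FACILITY_USER = 1         # syslog facility "user-level messages"
SEVERITY_INFO = 6         # syslog severity "informational"
RULE_STRING = "SPEEDING"  # string the QRadar rule "speed violation" matches on

def edge_event(vehicle_number, speed_kmph):
    """Build the event as the edge gateway would: the speed check runs here
    and the VIOLATION key is set on the edge, as the note above states."""
    violation = "SPEEDING" if speed_kmph > SPEED_LIMIT_KMPH else "NONE"
    return {"VEHICLENUMBER": vehicle_number, "SPEED": f"{speed_kmph}KMPH",
            "VIOLATION": violation}

def syslog_message(event, fmt="RFC_5424", hostname="iot-bridge",
                   app_name="WatsonIoTQRadarIntegration", now=None):
    """Wrap the event JSON in an RFC 5424 or RFC 3164 syslog line
    (hostname is an assumed placeholder; PRI = facility * 8 + severity)."""
    pri = FACILITY_USER * 8 + SEVERITY_INFO
    now = now or datetime.now(timezone.utc)
    payload = json.dumps(event, separators=(",", ":"))
    if fmt == "RFC_5424":
        # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
        return f"<{pri}>1 {now:%Y-%m-%dT%H:%M:%SZ} {hostname} {app_name} - - - {payload}"
    if fmt == "RFC_3164":
        # <PRI>TIMESTAMP (day space-padded) HOSTNAME TAG: MSG
        return f"<{pri}>{now:%b} {now.day:2d} {now:%H:%M:%S} {hostname} {app_name}: {payload}"
    raise ValueError(f"unsupported message format: {fmt}")

def matches_rule(message):
    """Local pre-check mirroring the QRadar rule 'payload contains this string'."""
    return RULE_STRING in message

def send_to_qradar(message, qradar_host, port=514):
    """Send one syslog line over UDP to the QRadar log source (port 514 assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (qradar_host, port))

if __name__ == "__main__":
    # Set QRADAR_HOST to the IP entered in the web app to actually send.
    target = os.environ.get("QRADAR_HOST")
    for speed in (80, 180):   # the two sample events from the page
        line = syslog_message(edge_event("KA05MA1234", speed))
        print(line, "-> offense expected" if matches_rule(line) else "-> no offense")
        if target:
            send_to_qradar(line, target)
```

Only the second line contains SPEEDING, so only it should raise an offense under the speed violation rule created above.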
This code pattern is licensed under the Apache Software License, Version 2. Separate third party code objects invoked within this code pattern are licensed by their respective providers pursuant to their own separate licenses. Contributions are subject to the Developer Certificate of Origin, Version 1.1 (DCO) and the Apache Software License, Version 2.