Monday, December 22, 2014

QRadar SIEM 101: Reference Maps

Reference Maps allow you to query based off key-value pairs. An example of this would be if you have certain UserIds that are only allowed to login to a specific list of Workstations. How can you set this up?

At the console command prompt the first thing you must do is create a Reference Map.

    [xxx@yyy ~]# ./ create yourReferenceMapName MAP ALNIC

    NOTE: ALNIC = Alphanumeric data that ignores case. You can replace this with ALN (case sensitive), or IP (for IPs), or NUM (for numbers)
    NOTE: The shell script is typically found in this location: /opt/qradar/bin/

Next you can create a CSV file that you'll use to import the data.

    key1,data     userid1,WorkstationName1     userid2,WorkstationName1     userid2,WorkstationName2     userid3,WorkstationName3     userid4,WorkstationName4

    NOTE: The first row is the column headers, just keep them as literally the words key1,data

Then you import/load that file into the Reference Map.

    [xxx@yyy ~]# ./ load yourReferenceMapName ~/myfile.csv

Then to validate it worked you can print them all out

    [xxx@yyy ~]# ./ list yourReferenceMapName displayContents

If you goofed, first delete, then re-add

    [xxx@yyy ~]# ./ delete yourReferenceMapName WorkstationName1 userid1 Key1
    [xxx@yyy ~]# ./ add yourReferenceMapName WorkstationName1a userid1 Key1

If you really goofed, purge them all and start over

    [xxx@yyy ~]# ./ purge yourReferenceMapName

If you really really goofed, delete the whole Reference Map

    [xxx@yyy ~]# ./ remove yourReferenceMapName

If all is well, and you created it successfully, you can goto the GUI and add a filter with it

Copyright © 2014, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment