QRadar Use Case Series: Part 1 - User Activity Monitoring - Employee Probation
In this series of use case scenarios using IBM QRadar SIEM, we will look at a set of key log sources which are required for a successful deployment. These log sources, although not glamorous, are embedded in every company and form the backbone of most organisations' security posture.
This series will consist of a deep-dive into the basic elements of any SIEM: Active Directory, firewall events and anti-virus logs. Although many would argue that feeding logs from every capable device into a tool like IBM QRadar would be most effective, this has often proved ineffective and a waste of resources. Taking these three sources and correctly tuning each one by creating rule sets for anomalies, behavioural patterns etc. will improve the way the SIEM triggers offenses and give you greater trust in your network security than ever before.
Behind the scenes configuration
This use case is comprised of two linked rules. These rules are used to identify new accounts created in AD and to identify access to unauthorised systems. The newly created accounts are automatically added to a dynamic watch list (a Reference Set) by the response of the first rule, and that list is then used in the second rule to alert on any event classified as ‘Authentication’ whose destination is one of the critical servers.
Reference Set Management:
A reference set in QRadar is a dynamic or static list of values (IPs, hostnames, usernames etc.) which can be referenced in searches and rules. Each reference set can be configured with a time to live period; for this particular use case the time to live for each username is 3 months (a sample probation period).
A second reference set has been created to hold a list of ‘Critical Server IPs’. This includes SQL instances storing payment card information, employee information etc. This list is similar to the username reference set, with one key difference: all values are user-defined static entries, with a time to live of ‘Forever’.
What Happens Next?
If a user on probation attempts to access one of these servers, the offense ‘Probation User Unauthorised Access Attempt’ will trigger. The offense summarises the username, source IP, destination IP etc. for quick investigation, with the ability to drill down into the raw payload of an event to pick out key aspects of that event, for example directories, URLs etc.
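The two-rule flow described above, as an added worked example in Python. This is not QRadar's rule engine or code from this post; it models a reference set with a time to live, rule 1 (new AD account goes on the probation watch list for 90 days) and rule 2 (an ‘Authentication’ event from a watch-listed user to a ‘Critical Server IP’ raises the offense). Assumptions: Windows Security EventID 4720 is taken as the account-creation event (the post does not name an event ID), and all usernames, IP addresses and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2024, 1, 1, 9, 0)   # constructed start of the sample timeline


@dataclass
class ReferenceSet:
    """Minimal model of a QRadar reference set: values with an optional time to live."""
    name: str
    ttl: Optional[timedelta]                       # None models a time to live of 'Forever'
    _entries: dict = field(default_factory=dict)   # value -> expiry time (None = never expires)

    def add(self, value: str, now: datetime) -> None:
        self._entries[value] = (now + self.ttl) if self.ttl else None

    def contains(self, value: str, now: datetime) -> bool:
        if value not in self._entries:
            return False
        expiry = self._entries[value]
        if expiry is not None and now >= expiry:
            del self._entries[value]   # TTL elapsed: the entry drops out of the set
            return False
        return True


def rule_new_account(event: dict, probation_users: ReferenceSet) -> bool:
    """Rule 1: on an account-created event (EventID 4720, assumed) add the new username to the watch list."""
    if event.get("event_id") == 4720:
        probation_users.add(event["target_user"], event["time"])
        return True
    return False


def rule_probation_access(event: dict, probation_users: ReferenceSet,
                          critical_servers: ReferenceSet) -> Optional[dict]:
    """Rule 2: Authentication event from a probation user to a critical server -> offense summary."""
    if event.get("category") != "Authentication":
        return None
    if not probation_users.contains(event["username"], event["time"]):
        return None
    if not critical_servers.contains(event["destination_ip"], event["time"]):
        return None
    return {
        "offense": "Probation User Unauthorised Access Attempt",
        "time": event["time"],
        "username": event["username"],
        "source_ip": event["source_ip"],
        "destination_ip": event["destination_ip"],
    }


# Constructed static entries for the 'Critical Server IPs' reference set (payment-card and HR SQL hosts).
CRITICAL_SERVER_IPS = ["10.0.5.20", "10.0.5.21"]

# Constructed sample events, already normalised the way QRadar would present them.
SAMPLE_EVENTS = [
    # Domain controller reports a new user account (EventID 4720, assumed).
    {"time": T0, "event_id": 4720, "target_user": "jdoe",
     "source_ip": "10.0.1.10", "destination_ip": "10.0.1.10"},
    # jdoe logs on to an ordinary file server: not a critical server, no offense.
    {"time": T0 + timedelta(days=1), "category": "Authentication", "username": "jdoe",
     "source_ip": "10.0.20.15", "destination_ip": "10.0.10.5"},
    # jdoe authenticates to the payment-card SQL server during probation: offense.
    {"time": T0 + timedelta(days=10), "category": "Authentication", "username": "jdoe",
     "source_ip": "10.0.20.15", "destination_ip": "10.0.5.20"},
    # asmith is a long-standing user who is not on the watch list: no offense.
    {"time": T0 + timedelta(days=10), "category": "Authentication", "username": "asmith",
     "source_ip": "10.0.20.16", "destination_ip": "10.0.5.20"},
    # jdoe again after the 90-day TTL has elapsed: no longer on probation, no offense.
    {"time": T0 + timedelta(days=100), "category": "Authentication", "username": "jdoe",
     "source_ip": "10.0.20.15", "destination_ip": "10.0.5.21"},
]


def run_use_case(events=None, probation_days: int = 90) -> list:
    """Replay events in time order through both rules and return the offenses raised."""
    events = SAMPLE_EVENTS if events is None else events
    probation_users = ReferenceSet("Probation Users", timedelta(days=probation_days))
    critical_servers = ReferenceSet("Critical Server IPs", None)   # TTL 'Forever'
    for ip in CRITICAL_SERVER_IPS:
        critical_servers.add(ip, T0)

    offenses = []
    for event in sorted(events, key=lambda e: e["time"]):
        rule_new_account(event, probation_users)
        offense = rule_probation_access(event, probation_users, critical_servers)
        if offense:
            offenses.append(offense)
    return offenses


if __name__ == "__main__":
    for offense in run_use_case():
        print(offense)
```

Running the replay raises exactly one offense, for jdoe's day-10 authentication to 10.0.5.20; the file-server logon, the established user and the authentication after the TTL has expired all stay silent, which is the behaviour the 3-month probation window is meant to give. Shortening or lengthening `probation_days` changes which of jdoe's events fall inside the watch-list window.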
Hopefully this has given some insight into the capabilities of QRadar and how utilising events from Domain Controllers and Windows servers can help identify users behaving badly.