Scribd
Upload
109 views26 pages

QRadar Searches

Uploaded by

Joel Marco VR
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
109 views26 pages

QRadar Searches

Uploaded by

Joel Marco VR
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

QRadar Searches

Jack Radigan
Principal Security Sales Specialist
Agenda

Quick Filter Searches 5


Basic Searches 9
Indexed Properties 12
Advanced Searches 17
Resources 22

IBM Security / © 2022 IBM Corporation 2


Types of Searches

Quick Filter
– Full text search of event or flow payloads using the Lucene index engine
– Fastest search and easy to learn

Basic Search
– Uses event or flow properties
– Very easy to use, and to get into trouble (painfully slow search execution)

Advanced Search
– Uses Ariel Query Language (AQL)
– Most powerful, but takes time to learn and use effectively

IBM Security / © 2022 IBM Corporation 3


QRadar Searches

Quick Filter Searches

IBM Security / © 2022 IBM Corporation 4


Quick Filter

The Quick Filter is one of the fastest methods to search event and flow information that contains specific
data by using a full-text index of payloads. Use Quick Filter in combination with other filers to accelerate
searches.

IBM Security / © 2022 IBM Corporation 5


Payload Retention Index Settings

The minimum retention period is 1 day, and the maximum period is 2 years.

IBM Security / © 2022 IBM Corporation 6


Quick Filter Examples

Session* AND NOT SessionToken


– Boolean operators; AND, OR, NOT must be uppercase
– Alternate: Session* -SessionToken

“firewall accept” AND (admin OR nobody)


– Terms with spaces must be enclosed in double-quotes

/.*.pdf/ OR /.*.exe/
– Regular expressions are defined within a pair of forward slashes

/.*\^.*\..*/ OR \*END\*
– Special characters must be escaped with a backslash

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \ .
– Special characters

IBM Security / © 2022 IBM Corporation 7


QRadar Searches

Basic Searches

IBM Security / © 2022 IBM Corporation 8


Basic Searches

– GUI editor is accessed via the New Search and


Edit Search items in the Search menu for Log
Activity and Network Activity tabs.
– This image shows the sections most used for
creating new or editing existing searches:
• Selecting the columns to display or group by.
• The search parameters used for the search.
– Column definitions can be saved as different
views to apply as needed against a search.
– Add new filters before removing existing filters.
This allows for faster search pivoting.
– Use basic searches if changing the Display (group
by) menu is required. This menu is disabled for
AQL searches.

IBM Security / © 2022 IBM Corporation 9


Tips for Basic Searches

One tip to rule them all – limit the scope of the search, be as specific as possible

Start with small time ranges, then expand the duration of the search gradually
– There is a near linear relationship to time frame and duration to complete a search
– Interim results may show opportunities of further refining the search criteria

Always try to have at least one [Indexed] property in your search criteria
– Searches without any indexed properties will take much longer to complete

Using indexed properties is a must for “expensive” searches


– Any type of payload search

If possible, add an Event or Flow processor filter


– These are special filters that tell QRadar to restrict a search to a specific processor or type of processor
– But you need to know where the data is stored in order to use them

IBM Security / © 2022 IBM Corporation 10


QRadar Searches

Indexed Properties

IBM Security / © 2022 IBM Corporation 11


Using Indexed Properties

Adding at least one filter for an indexed property will improve search speed in QRadar. When the search
is first started the search engine filters the data set based on the indexed property first.

Look for properties with the tag [Indexed] after its name. Searching on “Indexed“ will list all of them.
IBM Security / © 2022 IBM Corporation 12
Default Indexed Properties

Events Flows

Custom Rule Application


Custom Rule Partially Matched Custom Rule Partially Matched
Destination IP Destination IP
Destination Port Destination Port
Event Name Flow ID
Has Identity Quick Filter
Log Source Source IP
Log Source Type
Low Level Category
Quick Filter
Source IP
Username

IBM Security / © 2022 IBM Corporation 13


Index Management

IBM Security / © 2022 IBM Corporation 14


When to Enable/Disable an Index

Enable index when:


– % of Searches Using Property >= 30%
– % of Searches Missing Index >= 30%
– Across all three timeframes; 24 hours, 7 days, and 30 days

Disable index when:


– % of Searches Using Property = 0% last 30 days

The above apply for properties that are frequently used.

If users are performing searches with many different saved searches that use properties that are not widely
used across all searches, a threshold lower than 30% should be used.

Indexes are updated once a minute and indexing too many properties can potentially lead to performance
issues in the event pipeline and could also impact disk storage.

IBM Security / © 2022 IBM Corporation 15


QRadar Searches

Advanced Searches

IBM Security / © 2022 IBM Corporation 16


Advanced Search

Advanced searches support the use of a SQL-like language called Ariel Query Language (AQL).

IBM Security / © 2022 IBM Corporation 17


Advanced Search - Features

SQL-like Support Functions and Analytics


– Mathematical and string operations – Event category, name, etc.
– Boolean conditionals (AND / OR / NOT) – Logs: source name and group
– Result column naming – Asset data and categories
– 'Having' and 'Group by' support – External threat intelligence and IAM data
– Full text search support – Time series anomaly detection
– Quickfilter search support – Scheduled offenses
– Time and Date formatting – 'Hot', 'Warm', 'Cold' data
• Data nodes

IBM Security / © 2022 IBM Corporation 18


Advanced Search Example – Hourly Beaconing

SELECT
sourceip AS ‘Source IP’,
destinationip AS ‘Destination IP’,
UNIQUECOUNT(DATEFORMAT(starttime,’hh’)) AS ’Different Hours’,
COUNT(*) as ’Total Flows’
FROM flows
WHERE flowdirection = ‘L2R’
GROUP BY “Source IP”, “Destination IP”
HAVING ’Different Hours’ > 20
AND ’Total Flows’ < 25
LAST 24 Hours

IBM Security / © 2022 IBM Corporation 19


Advanced Search Example – External Threat Intelligence

Select
REFERENCETABLE('ip_threat_data','Category',destinationip) AS 'Category’,
REFERENCETABLE('ip_threat_data','Rating', destinationip) AS 'Threat Rating’,
UNIQUECOUNT(sourceip) as 'Source IP Count’,
UNIQUECOUNT(destinationip) as 'Destination IP Count'
FROM events
GROUP BY 'Category', 'Threat Rating'
LAST 1 Days

IBM Security / © 2022 IBM Corporation 20


QRadar Searches

Resources

IBM Security / © 2022 IBM Corporation 21


Resources

Open Mic Webcast #6: Searching Your QRadar Data Efficiently


– http://www-01.ibm.com/support/docview.wss?uid=swg27044066

Searching Your QRadar Data Efficiently


– https://www.ibm.com/support/pages/searching-your-qradar-data-efficiently-start

Lucene Query Parser Syntax


– https://lucene.apache.org/core/5_3_1/queryparser/org/apache/lucene/queryparser/classic/package-
summary.html#package_description

Sharing Dashboard Items from QRadar Saved Searches


– https://www.ibm.com/support/pages/qradar-sharing-dashboard-items

Event and Flow Searches


– https://www.ibm.com/docs/en/qsip/7.5?topic=siem-event-flow-searches

IBM Security / © 2022 IBM Corporation 22


Resources - continued

Using Search Efficiently in QRadar


– https://www.securitylearningacademy.com/enrol/index.php?id=4791

Advanced Search and Use Cases


– https://www.securitylearningacademy.com/enrol/index.php?id=1441

Using AQL for Advanced Searches in IBM QRadar SIEM


– https://www.securitylearningacademy.com/enrol/index.php?id=4683

Ariel Query Language (AQL) Guide


– https://www.ibm.com/docs/en/qsip/7.5?topic=aql-learn-about-ariel-query-language

IBM Security / © 2022 IBM Corporation 23


Questions?
Thank you

Follow us on: © Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for
informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of
direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives.
ibm.com/security IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.

securityintelligence.com Statement of Good Security Practices: IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and outside your enterprise. Improper access can
result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your
systems, including for use in attacks on others. No IT system or product should be considered completely secure and no
ibm.com/security/community single product, service or security measure can be completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a lawful, comprehensive security approach, which will
necessarily involve additional operational procedures, and may require other systems, products or services to be most

xforce.ibmcloud.com effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise
immune from, the malicious or illegal conduct of any party.

@ibmsecurity

youtube.com/ibmsecurity

You might also like