
1

• Advanced event and flow filtering

• Event and flow searches

• Time series charts

• Events filtering on rules

2
Source/Destination Network filters allow the filtering of traffic where clients are connecting to hosts on another network.

Example: below would be local clients connected to servers on the internet.

Note: This could also be accomplished with the Flow Direction filter of L2R

Coalescing reduces all like events in a five second window to a single event

• If the same event is emitted by a device multiple times for the same source/destination IP/ports within the window, then the events are held in memory and not written to storage.
• After the coalescing window has expired, they are released as a single event with a numeric event count annotation.
• Each DSM uses a specific algorithm for coalescing events in a manner most appropriate to the device type.
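The coalescing behaviour described on this slide, shown as an added example that is not code from the slides or from QRadar: like events (same device, event name, source/destination IP and ports, an assumed key since each DSM uses its own algorithm) are held in memory while the five second window is open, then released as one event carrying a count. The sample events are constructed for the example; the window is only checked when the next event arrives, which is fine for an offline walk-through.

```python
from dataclasses import dataclass

# Constructed sample events (not from the slides):
# (timestamp in seconds, device, event name, src ip, src port, dst ip, dst port)
SAMPLE_EVENTS = [
    (100.0, "fw01", "Deny", "10.0.0.5", 51000, "203.0.113.9", 443),
    (101.0, "fw01", "Deny", "10.0.0.5", 51000, "203.0.113.9", 443),
    (102.5, "fw01", "Deny", "10.0.0.5", 51000, "203.0.113.9", 443),
    (103.0, "fw01", "Deny", "10.0.0.7", 40000, "203.0.113.9", 443),  # different source: own bucket
    (106.0, "fw01", "Deny", "10.0.0.5", 51000, "203.0.113.9", 443),  # first bucket expired: new bucket
    (107.0, "fw01", "Allow", "10.0.0.5", 51000, "203.0.113.9", 443),  # different event name
]

WINDOW_SECONDS = 5.0  # the five second coalescing window from the slide


@dataclass
class CoalescedEvent:
    first_seen: float
    device: str
    name: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    count: int = 1  # the numeric event count annotation


def coalesce(events, window=WINDOW_SECONDS):
    """Hold like events in memory; release one event per key with a count once its window expires.

    The key (device, name, src/dst ip, src/dst port) is an assumption made for this example;
    real DSMs use device-specific coalescing keys.
    """
    pending = {}   # key -> CoalescedEvent currently held in memory (not yet "written to storage")
    released = []  # events released after their window expired
    for ts, device, name, sip, sport, dip, dport in sorted(events, key=lambda e: e[0]):
        key = (device, name, sip, sport, dip, dport)
        # Release any held events whose window has expired before this timestamp.
        expired = [k for k, ce in pending.items() if ts - ce.first_seen >= window]
        for k in expired:
            released.append(pending.pop(k))
        if key in pending:
            pending[key].count += 1          # like event inside the window: only bump the count
        else:
            pending[key] = CoalescedEvent(ts, device, name, sip, sport, dip, dport)
    released.extend(pending.values())        # end of stream: flush whatever is still held
    released.sort(key=lambda ce: ce.first_seen)
    return released


if __name__ == "__main__":
    for ce in coalesce(SAMPLE_EVENTS):
        print(f"{ce.first_seen:>6} {ce.name:<5} {ce.src_ip}:{ce.src_port} -> "
              f"{ce.dst_ip}:{ce.dst_port} count={ce.count}")
```

Six raw events become four stored events; the three identical Deny events at 100.0, 101.0 and 102.5 collapse into one with count=3, while the Deny at 106.0 starts a fresh bucket because the first window had already expired.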

3
• Combining multiple filters can help find inappropriate traffic.

Example: show all remote addresses that scanned the local network

4
Scenario: Applications not running on the correct port

Actions:
• Filter on applications (e.g. HTTP) using Application is Web

• Equation: NOT filter (Does not equal) on the targeted Destination Port (e.g. 80)
• [Destination Port] [Does not equal] [80]

• Alternative filters:
• "Source Port Does not equal 80"
• "Source or Destination Port Does not equal 80"

5
Scenario: Search for large amounts of data leaving the network
Action: Use Direction (L2R) and Byte Count (SRC Bytes >)

Scenario: Search for flows to suspicious internet addresses
Action: Use filter for "Matched Remote Network" (from auto-update) or "Matched Remote Service" (user defined)
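The four filter scenarios from the preceding slides (web application on a port other than 80, large L2R byte counts, flows to a matched remote network, and the combined-filter "remote addresses that scanned the local network" example), expressed as an added example over constructed flow records. This is not QRadar's filter engine or code from the slides; the flow fields, the local and suspicious network lists and the scan threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    application: str   # stands in for QRadar's Application column
    src_bytes: int     # stands in for "SRC Bytes"
    direction: str     # "L2R", "R2L", "L2L" or "R2R" (Flow Direction)


# Assumed local address space and a constructed stand-in for the
# auto-updated "Matched Remote Network" list.
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SUSPICIOUS_REMOTE = [ip_network("198.51.100.0/24")]

# Constructed sample flows (not from the slides).
FLOWS = [
    Flow("10.0.0.5", 51000, "203.0.113.9", 8080, "Web", 1_200, "L2R"),         # web on a non-standard port
    Flow("10.0.0.5", 51001, "203.0.113.9", 80, "Web", 900, "L2R"),             # normal web
    Flow("10.0.0.8", 52000, "203.0.113.20", 443, "SecureWeb", 50_000_000, "L2R"),  # large outbound transfer
    Flow("10.0.0.9", 40000, "198.51.100.7", 443, "SecureWeb", 3_000, "L2R"),   # suspicious remote network
    Flow("192.0.2.44", 33000, "10.0.0.5", 22, "SSH", 60, "R2L"),               # one remote host touching
    Flow("192.0.2.44", 33001, "10.0.0.5", 23, "Telnet", 60, "R2L"),            # several local host/port
    Flow("192.0.2.44", 33002, "10.0.0.6", 445, "SMB", 60, "R2L"),              # combinations
    Flow("192.0.2.99", 44000, "10.0.0.5", 443, "SecureWeb", 500, "R2L"),       # single ordinary inbound flow
]


def web_on_nonstandard_port(flows):
    """Application is Web AND Destination Port Does not equal 80."""
    return [f for f in flows if f.application == "Web" and f.dst_port != 80]


def large_outbound(flows, min_src_bytes):
    """Direction L2R AND SRC Bytes > threshold (threshold is an assumed tuning value)."""
    return [f for f in flows if f.direction == "L2R" and f.src_bytes > min_src_bytes]


def matched_remote_network(flows, networks=SUSPICIOUS_REMOTE):
    """Flows whose remote side falls inside the matched remote network list."""
    return [f for f in flows if any(ip_address(f.dst_ip) in n for n in networks)]


def remote_scanners(flows, min_targets=3):
    """Combined filter: remote (R2L) sources that touched at least min_targets distinct
    local host/port pairs. The threshold is an assumption for the example."""
    targets = defaultdict(set)
    for f in flows:
        if f.direction == "R2L" and not any(ip_address(f.src_ip) in n for n in LOCAL_NETWORKS):
            targets[f.src_ip].add((f.dst_ip, f.dst_port))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    print("web on non-standard port:", web_on_nonstandard_port(FLOWS))
    print("large outbound:", large_outbound(FLOWS, 10_000_000))
    print("matched remote network:", matched_remote_network(FLOWS))
    print("remote scanners:", remote_scanners(FLOWS))
```

Each function is one of the slide's filter combinations applied as a predicate; in the product the same effect comes from stacking filters in the Activity tab rather than from code.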

6
Notes:

7
1. Display: Default shows standard time series view Default (Normalized)

2. Chart Graph: Can be highlighted to drill down into specific time intervals, graph updates

Note: Details do not

1. Update Details: User clicks grab data based on a specific time interval selected

8
• If there is accumulated data for a Search, the accumulated data will be queried first, detailed data second

Note: If there is no accumulated data, the system functions like 6.3.x

• Time Series view will automatically grab more accumulated data than the requested search

Example: If a user searches for an hour, we graph a day's worth of accumulated data surrounding that hour.

• Data is accumulated in 1 minute (60 second) intervals providing granular detail

• QRadar also does 'minute, hour and day' roll ups, making displaying time series data more efficient (e.g. 1 hour and 1 day intervals)

• To grab more data, execute the query for a longer time period

• If Auto-Execute search is disabled, QRadar will not fetch details.

9
Requested Time Period    Accumulated Data    Resolution Displayed
≤ 1 hour                 1 Day               1 minute
≥ 12 hours < 1 Day       3 Days              1 Hour
1 Week                   2 weeks             1 Hour
2 Weeks                  1 Month             1 Day
≤ 1 Month                Will add 1 Month    1 Day

Notes:

10
Time Series Chart Scenarios:

Scenario 1
User wants to plot a single item over time on the graph (e.g. total bytes for a single application)
Time Series Configuration
1. Create search for specific application
2. Make sure column for bytes (set to sum) is in column list
3. Group by the parameter being searched (e.g. application)
4. This ensures only a single row will be included in search results, so this is the only data that will get accumulated

Scenario 2
User wants to plot multiple specific items over time (e.g. total number of events per interval for 10 specific categories for a group of devices)
Time Series Configuration
1. Create search which includes specific categories and specific devices
2. Group by Categories
3. Make sure Top N number configured in chart covers total number of categories (up to 50 objects can be displayed)

Scenario 3
User wants to graph Top IPs for all traffic over time.
Time Series Configuration
1. No search criteria required
2. Group by IP
3. Set Top N to desired number
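How the accumulation, roll-up, resolution table and Top N from the previous slides fit together, as an added example that is not QRadar code or code from the slides: records are summed into 1 minute buckets per group-by value, rolled up to hour or day buckets when the requested period calls for it, and trimmed to the Top N groups. The sample records are constructed; the thresholds used for the requested periods the table does not list (between 1 hour and 12 hours, between 1 day and 1 week) are assumptions, and 1 month is approximated as 30 days.

```python
from collections import defaultdict

MINUTE, HOUR, DAY = 60, 3600, 86400

# Constructed sample records (not from the slides): (epoch seconds, group-by value, bytes)
SAMPLE = [
    (0, "Web", 100), (30, "Web", 200), (65, "Web", 50), (70, "DNS", 10),
    (3605, "Web", 300), (3610, "SSH", 700), (3700, "DNS", 20),
]


def accumulate(records, interval=MINUTE):
    """Sum the value per group per interval bucket (the 1 minute accumulation the slides describe)."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, group, value in records:
        buckets[ts - ts % interval][group] += value
    return buckets


def roll_up(buckets, interval):
    """Roll fine buckets up into coarser ones (the 'minute, hour and day' roll ups)."""
    rolled = defaultdict(lambda: defaultdict(int))
    for start, groups in buckets.items():
        for group, value in groups.items():
            rolled[start - start % interval][group] += value
    return rolled


def accumulation_plan(requested_seconds):
    """Return (accumulated span, displayed resolution) following the slide's table.

    Thresholds for requested periods the table does not list are assumed here, and
    1 month is taken as 30 days.
    """
    if requested_seconds <= HOUR:        # table: <= 1 hour -> 1 Day of data at 1 minute
        return DAY, MINUTE
    if requested_seconds < DAY:          # table: >= 12 hours < 1 Day -> 3 Days at 1 Hour
        return 3 * DAY, HOUR
    if requested_seconds <= 7 * DAY:     # table: 1 Week -> 2 weeks at 1 Hour
        return 14 * DAY, HOUR
    return 30 * DAY, DAY                 # table: 2 Weeks / <= 1 Month -> 1 Month at 1 Day


def top_n(buckets, n):
    """Keep only the N groups with the largest total across all buckets (the chart's Top N)."""
    totals = defaultdict(int)
    for groups in buckets.values():
        for group, value in groups.items():
            totals[group] += value
    keep = set(sorted(totals, key=lambda g: (-totals[g], g))[:n])
    return {start: {g: v for g, v in groups.items() if g in keep}
            for start, groups in buckets.items()}


def time_series(records, requested_seconds, n=50):
    """Build the chart data: accumulate at 1 minute, roll up to the table's resolution, apply Top N."""
    _span, resolution = accumulation_plan(requested_seconds)
    minute_buckets = accumulate(records)
    chart = roll_up(minute_buckets, resolution) if resolution != MINUTE else minute_buckets
    return top_n(chart, n)


if __name__ == "__main__":
    for start, groups in sorted(time_series(SAMPLE, 12 * HOUR, n=2).items()):
        print(start, dict(groups))
```

Scenario 1 corresponds to a single group-by value surviving the search (one row accumulated); Scenarios 2 and 3 are the Top N trim, which is why the configured N must cover the number of categories you expect to plot.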

11
• As log events or flow events match a building block or rule, those events are tagged with that rule.
• Filter in the Activity interfaces to search for these events (very useful for creating reports)
• A group of rules called Category Definitions provides a number of very useful filters

12
• When investigating offenses it is often useful to group all events by "Matched Rules"
• Can also be used as an information source for tuning

13
• Apply filters to get to the information

• Use time series graphs to narrow search area

• Aggregate results for investigation

14
Questions and Notes:

15
