Topic
  • 9 replies
  • Latest Post - 2016-07-06T19:33:02Z by Rahul0807
arun23
7 Posts

Pinned topic Whitelist IP in Qradar

2015-01-16T09:50:11Z

Hello

I want to whitelist my scanner IP

so I can't get any alert in QRadar.

We have an option for fine tuning, but this works on the high-level category, so for every high-level category we have to create a rule.

Instead of this, can we do it by using one rule only, in which we can whitelist that particular IP?

Thanks in advance

Arun


  • JonathanPechtaIBM
    11 Posts

    Re: Whitelist IP in Qradar

    2015-01-16T19:51:50Z

    The easiest way to manage whitelists and blacklists for common data sets like terminated employees or IP addresses is to leverage reference sets within QRadar. This allows you to call a single rule and, instead of adding a number of IPs to the rule, just add the reference set you created. It is much easier to manage the reference set than it is to edit several rules when changes occur.

    For example, I grabbed a few screen captures of a reference set I created quickly called "Whitelist Scanner IPs". I gave the reference set a name, assigned the data type as IPs and saved the reference set. I then edited it to include a few generic values, such as the IP addresses 1.1.1.1 and 2.2.2.2, where 1.1.1.1 and 2.2.2.2 are the IP addresses assigned to my network scanners. I then edited an existing Event Rule to look for events where the Source IP is part of the reference set I created. This would allow me to either trigger on or not trigger rules based on the IP addresses within my reference set. In the future, if I needed to re-IP my scanner from 2.2.2.2 -> 5.5.5.5, it is just a matter of updating the reference set itself. All rules that include the reference set "Whitelist Scanner IPs" are automatically updated.

    Reference set rules are listed under the "Property Test" functions in the rule editor. For example, Event rules have a drop-down called "Event Property Tests" where you will find the different reference set rules. Common rules have a list called "Common Property Tests" where reference set rules are listed.

    You must be an administrator to create a reference set. See the Admin tab > Reference Set Management. After you have created your reference set, take a look at the reference set rules and let us know if you have further questions.

    Note: On Wednesday, January 28th, 2015 at 11am Eastern time we are going to be having our next QRadar Open Mic webcast. This webcast will be a round table discussion on QRadar assets. After a short presentation, we will open the phone call up to live questions. There will also be support representatives answering questions in the chat and discussing chat questions live on the call. This is an open event where anyone can join.


  • arun23
    7 Posts

    Re: Whitelist IP in Qradar

    2015-01-20T14:34:39Z

    Thanks a lot Jon....:)

  • JonathanPechtaIBM
    11 Posts

    Re: Whitelist IP in Qradar

    2015-01-20T14:38:27Z

    No problem, if you have further questions just let us know.

  • arun23
    7 Posts

    Re: Whitelist IP in Qradar

    2015-01-20T14:53:16Z

    Hi Jon

    I have one more query.

    Can we reverse it after creating a false positive in QRadar?

    For example: if I have created a false positive for IP 1.1.1.1 to any destination, but now my requirement has changed and I want to remove that false positive.

    So in that case, is it possible?

    If yes, then how?

  • JonathanPechtaIBM
    11 Posts

    Re: Whitelist IP in Qradar

    2015-01-20T15:40:08Z

    Yes, you can reverse a false positive that you have added to QRadar. Anytime you right-click and add an IP address to a false positive, it is added to a specific building block called "User-BB-FalsePositive: User Defined False Positives Tunings".

    This building block contains any IPs added through user interface actions. If you edit this building block, you can remove any IPs that have been accidentally tagged as a false positive. To locate the building block, you can search for "user defined false" in the search window when viewing building blocks in QRadar. Here is a screen capture to help you locate the building block to edit.

    By editing this building block you can remove any IPs that have been added via right-click. They will be listed as CAT: IP, IP, IP. Just edit the values and save the building block again. As soon as you save the BB, the rule set is reloaded in QRadar and the IP list is updated. The change should be almost instantaneous.

    Hope this helps...

    - Jonathan


  • arun23
    7 Posts

    Re: Whitelist IP in Qradar

    2015-01-21T11:37:21Z


    Thanks Jon

    But what if I create a false positive without creating that building block?

    For example, we can directly choose the false positive option from the Events viewer tab (image for your reference).

    In that case, is the building block automatically generated? If not, then from where can we reverse that?

    Thanks in advance...:)


  • Slawek.Gawlowski
    1 Post

    Re: Whitelist IP in Qradar

    2015-01-21T12:52:49Z

    This building block is a default one and you don't have to create it; it's created by applying the Enterprise Template during the installation process.

    So when you use right-click from the GUI, or the option at the top of the QRadar interface, to "false-positive" some IP addresses, they will be added into the "User-BB-FalsePositive: User Defined False Positives Tunings" building block.

    Best Regards .... Slawek

  • ahmadzuhd
    3 Posts

    Re: Whitelist IP in Qradar

    2015-04-20T10:44:13Z


    I have tried to add a false positive by right-clicking in the GUI; the result was a signature match in the rule "User-BB-FalsePositive: User Defined False Positives Tunings".

    I need to understand how these signatures are created. Is there any documentation?

  • Rahul0807
    3 Posts

    Re: Whitelist IP in Qradar

    2016-07-06T19:33:02Z

    I need to whitelist a whole bunch of subnets for my scanners.

    Is there a way to add the whole subnet, instead of adding each IP to the reference set?
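As an added example that is not part of this thread and not QRadar code, the following Python models the two mechanisms discussed above so their behaviour can be checked offline: the single rule test "Source IP is in reference set" that Jonathan describes (suppress for whitelisted scanners, fire for everything else regardless of high-level category), extended to Rahul's case of whole subnets by expanding a CIDR block into the individual addresses that a set of element type IP holds; and the "CAT: IP, IP, IP" lines of the User-BB-FalsePositive building block, with a helper that removes one entry the way the edit-and-save step would. The expansion step is an assumption about workflow (whether a given QRadar version accepts CIDR entries directly in an IP reference set is not established by this thread), and the set name, event fields, sample addresses and building-block line format are all constructed here.

```python
"""Added example, not code from the thread or from IBM QRadar.

Models (1) a rule test of the form "source IP is in reference set
'Whitelist Scanner IPs'" used to suppress alerts for scanners, with CIDR
blocks expanded to the individual addresses an IP-type set holds, and
(2) the "CAT: IP, IP, IP" lines of the User-BB-FalsePositive building
block with a helper that removes one IP.  Set name, event fields and the
line format are assumptions; all sample data is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class ReferenceSet:
    """Minimal stand-in for a QRadar reference set of element type IP."""
    name: str
    values: set[str] = field(default_factory=set)

    def add(self, entry: str) -> int:
        """Add a single IP or every address of a CIDR block.
        Returns how many new elements were stored (assumed workflow:
        expand the subnet before loading, since the set stores single IPs)."""
        net = ipaddress.ip_network(entry, strict=False)
        before = len(self.values)
        # Iterating a network yields every address in it, network and
        # broadcast included; a scanner may be parked on any of them.
        self.values.update(str(addr) for addr in net)
        return len(self.values) - before

    def remove(self, entry: str) -> int:
        """Remove a single IP or every address of a CIDR block."""
        net = ipaddress.ip_network(entry, strict=False)
        before = len(self.values)
        self.values.difference_update(str(addr) for addr in net)
        return before - len(self.values)

    def contains(self, ip: str) -> bool:
        return ip in self.values


@dataclass
class Event:
    source_ip: str
    category: str  # high-level category, e.g. "Recon" (constructed)


def rule_fires(event: Event, scanner_set: ReferenceSet) -> bool:
    """One rule whose test is 'source IP is NOT in the reference set':
    suppressed for whitelisted scanners, fires for everything else,
    whatever the event's high-level category."""
    return not scanner_set.contains(event.source_ip)


def alerts_for(events: list[Event], scanner_set: ReferenceSet) -> list[str]:
    """Source IPs of the events that would raise an alert."""
    return [e.source_ip for e in events if rule_fires(e, scanner_set)]


def remove_false_positive(bb_lines: list[str], category: str, ip: str) -> list[str]:
    """Drop one IP from a 'CATEGORY: ip, ip, ip' line of the user-defined
    false-positive building block (line format is an assumption).
    A line left with no IPs is dropped entirely; other lines are untouched."""
    out = []
    for line in bb_lines:
        cat, sep, rest = line.partition(":")
        if sep and cat.strip() == category:
            ips = [v.strip() for v in rest.split(",")
                   if v.strip() and v.strip() != ip]
            if ips:
                out.append(f"{cat.strip()}: {', '.join(ips)}")
        else:
            out.append(line)
    return out


def demo() -> dict:
    """Walk through the thread's scenario on constructed data."""
    scanners = ReferenceSet("Whitelist Scanner IPs")
    scanners.add("1.1.1.1")
    scanners.add("2.2.2.2")
    added = scanners.add("10.20.30.0/30")  # whole subnet: 4 addresses

    events = [  # constructed sample events
        Event("1.1.1.1", "Recon"),
        Event("10.20.30.2", "Exploit"),
        Event("192.0.2.7", "Recon"),
        Event("2.2.2.2", "Policy"),
    ]
    before = alerts_for(events, scanners)

    # Re-IP the scanner 2.2.2.2 -> 5.5.5.5: only the set changes, not the rule.
    scanners.remove("2.2.2.2")
    scanners.add("5.5.5.5")
    after = alerts_for(events, scanners)

    # Reverse one right-click false positive in the building block.
    bb = ["Recon: 1.1.1.1, 198.51.100.9", "Exploit: 203.0.113.4"]
    bb_after = remove_false_positive(bb, "Recon", "1.1.1.1")
    return {"subnet_added": added, "before": before, "after": after, "bb": bb_after}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the demo result: with the /30 loaded as four entries, only 192.0.2.7 alerts; after the re-IP, 2.2.2.2 starts alerting again without the rule having been edited, which is the maintenance advantage Jonathan points out; and the building-block helper leaves the other category's line untouched.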