Topic
  • 7 replies
  • Latest Post - ‏2015-04-08T17:11:40Z by AdrianDS
SystemAdmin
117 Posts

Pinned topic Visualize Flow or Log Data?

‏2013-01-09T19:48:46Z |
Hello Qmmunity members,

We are currently thinking about visualization possibilities to support and enhance the capabilities of our Security Operations team.
Are there mechanisms within QRadar that can be used, or otherwise APIs, methods, command line tools etc. to acquire that data, or even 3rd party tools that can support with that (commercial or non-commercial)?

Has anyone already done this and can recommend a way to do this or at least point me in the right direction?
Two ideas for visualisation (inspired by http://www.networksecuritytoolkit.org)

  • Case 1: Offenses placed within our infrastructure on a world map leveraging Geo-IP and QRadar Topology Data
  • Case 2: Traffic originating from potential malicious networks to ours.

Thank you in advance for your help.
Posted By Advanced Persistent Troll
  • SystemAdmin
    117 Posts

    Re: Is there really no one who

    ‏2013-01-13T11:49:58Z  
    Is there really no one who has to leverage visualizations beyond the integrated possibilities of QRadar?
    Posted By Advanced Persistent Troll
  • SystemAdmin
    117 Posts

    Re: would like to. havent had

    ‏2013-01-14T16:16:23Z  
    Would like to. Haven't had time to figure it out yet.
    Posted By Mike Calvi
  • SystemAdmin
    117 Posts

    Re: is manageengine´s netflow

    ‏2013-01-16T13:48:36Z  
    Is ManageEngine's NetFlow Analyzer maybe a product you are looking for?

    Posted By Matthias Doetterl
  • SystemAdmin
    117 Posts

    Re: I have done it successfully

    ‏2013-01-31T21:24:32Z  
    I have done it successfully, but it requires custom scripting. I run daily reports, output to XML, process the XML for IPs (along with bytes for magnitude), turn IPs into latitude and longitude, and input that data into Google Maps. For Python you can use pygeoip, and returning the latitude and longitude of an IP is about 3 lines of code: https://github.com/appliedsec/pygeoip. You can output this data to Google Charts (https://google-developers.appspot.com/chart/interactive/docs/gallery/geochart), Google Maps, or Google Earth pretty effectively. I do not have code that I can provide yet since it's tailored to the reports that I create. I hope this helps, and let me know if you have general questions.
    Posted By Derek Thomas
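The pipeline described in the reply above (report XML in, bytes summed per IP, IPs geolocated, rows out for a Google GeoChart), written out as an added example. This is not Derek's script and not QRadar's own report format: the XML layout below is constructed for the example (a real QRadar report export will differ per report), and the geolocation step calls the real pygeoip API (`pygeoip.GeoIP(path).record_by_addr(ip)`) only when a GeoLiteCity.dat file is supplied, otherwise it falls back to a small constructed coordinate table so it runs offline. It also shows the two edge cases such a script has to survive in practice: malformed rows and internal (RFC 1918, loopback, link-local) addresses that no GeoIP database can place on a map.

```python
"""Added example: QRadar-style report XML -> Google GeoChart marker rows.

Not the original poster's code. Assumptions are labelled inline.
"""
import ipaddress
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

try:
    import pygeoip  # real library (https://github.com/appliedsec/pygeoip); optional here
except ImportError:  # pragma: no cover - fallback table is used instead
    pygeoip = None

# Constructed sample report: one <row> per flow with source IP and byte count.
# QRadar's actual report XML differs; adjust the tag names to your report.
SAMPLE_REPORT_XML = """<?xml version="1.0"?>
<report name="daily_flows">
  <row><sourceip>203.0.113.10</sourceip><bytes>12000</bytes></row>
  <row><sourceip>203.0.113.10</sourceip><bytes>8000</bytes></row>
  <row><sourceip>198.51.100.7</sourceip><bytes>500</bytes></row>
  <row><sourceip>10.0.0.5</sourceip><bytes>999999</bytes></row>
  <row><sourceip>not-an-ip</sourceip><bytes>1</bytes></row>
  <row><sourceip>192.0.2.77</sourceip><bytes>abc</bytes></row>
</report>
"""

# Constructed coordinates for RFC 5737 documentation addresses. These are
# NOT real geolocations; they stand in for a GeoIP database when none is given.
FAKE_GEO_TABLE = {
    "203.0.113.10": (51.5074, -0.1278),
    "198.51.100.7": (40.7128, -74.0060),
}

# Address ranges that have no public geolocation and should stay off the map.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(addr):
    """True for RFC 1918, loopback and link-local addresses."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_bytes_per_ip(xml_text):
    """Sum bytes per source IP. Malformed rows and internal addresses are
    skipped rather than aborting the whole report."""
    totals = defaultdict(int)
    root = ET.fromstring(xml_text)
    for row in root.iter("row"):
        ip_text = (row.findtext("sourceip") or "").strip()
        bytes_text = (row.findtext("bytes") or "").strip()
        try:
            addr = ipaddress.ip_address(ip_text)
            count = int(bytes_text)
        except ValueError:
            continue  # bad IP or non-numeric byte count
        if is_internal(addr):
            continue  # internal address: nothing to geolocate
        totals[str(addr)] += count
    return dict(totals)


def make_locator(geoip_db_path=None):
    """Return a function ip -> (lat, lon) or None.

    With a GeoLiteCity.dat path and pygeoip installed this uses the real
    pygeoip lookup; otherwise the constructed table above."""
    if geoip_db_path and pygeoip is not None:
        gi = pygeoip.GeoIP(geoip_db_path)

        def locate(ip):
            rec = gi.record_by_addr(ip)  # real pygeoip call
            if not rec:
                return None
            return (rec["latitude"], rec["longitude"])

        return locate
    return FAKE_GEO_TABLE.get


def to_geochart_rows(totals, locate):
    """Build GeoChart 'markers' rows: header, then [lat, lon, label, size],
    biggest talkers first. IPs with no known location are left off."""
    rows = [["Lat", "Long", "IP", "Bytes"]]
    for ip, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        loc = locate(ip)
        if loc is None:
            continue
        rows.append([loc[0], loc[1], ip, total])
    return rows


def build_report(xml_text=SAMPLE_REPORT_XML, geoip_db_path=None):
    return to_geochart_rows(parse_bytes_per_ip(xml_text),
                            make_locator(geoip_db_path))


if __name__ == "__main__":
    # The JSON array can be passed to google.visualization.arrayToDataTable().
    print(json.dumps(build_report(), indent=2))
```

Running it with no arguments uses the constructed table; pass the path of a GeoLiteCity.dat to `build_report(xml_text, "GeoLiteCity.dat")` to use pygeoip. Internal addresses are filtered before lookup on purpose: a GeoIP database returns nothing useful for them, and summing their bytes into the map would hide the external traffic the visualization is meant to show.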
  • SystemAdmin
    117 Posts

    Re: I love the examples from the

    ‏2013-01-31T21:33:01Z  
    I love the examples from the Network Security Toolkit. I have never seen anything like it before, so I did it myself with Google Maps.
    Posted By Derek Thomas
  • AdrianDS
    2 Posts

    Re: I have done it successfully

    ‏2015-04-08T17:08:42Z  
    I have done it successfully, but it requires custom scripting. I run daily reports, output to XML, process the XML for IPs (along with bytes for magnitude), turn IPs into latitude and longitude, and input that data into Google Maps. For Python you can use pygeoip, and returning the latitude and longitude of an IP is about 3 lines of code: https://github.com/appliedsec/pygeoip. You can output this data to Google Charts (https://google-developers.appspot.com/chart/interactive/docs/gallery/geochart), Google Maps, or Google Earth pretty effectively. I do not have code that I can provide yet since it's tailored to the reports that I create. I hope this helps, and let me know if you have general questions.
    Posted By Derek Thomas

    Derek, we have QRadar deployed and want to learn more from you on how you have configured pygeoip to talk to QRadar and provide lat and long for source/destination IPs.

    Can you help?

  • AdrianDS
    2 Posts

    Re: I have done it successfully

    ‏2015-04-08T17:11:40Z  
    • AdrianDS
    • ‏2015-04-08T17:08:42Z

    Derek, we have QRadar deployed and want to learn more from you on how you have configured pygeoip to talk to QRadar and provide lat and long for source/destination IPs.

    Can you help?

    Is there any way you could share your three lines of code so we can use that as a template to modify for our specific deployment? Thanks much for the help!!