5 replies. Latest post 2014-07-21T09:14:25Z by Asadz
ldesouza

Pinned topic: finding the top facebook users on my network

2014-03-06T17:25:33Z

Hi,

How do I use QRadar to find the top Facebook users on my network?

Thx.

Updated on 2014-03-06T17:42:06Z by ldesouza
  • Alaa Ali

    Re: finding the top facebook users on my network

    2014-03-06T21:03:10Z in response to ldesouza

    There are several ways to do this, and it depends on what devices you have and what log sources are sending to QRadar. I can think of two ways:

    1. Proxy logs. If you have a proxy, say Websense, and all the users are going through it, you can configure your proxy server to send its logs to QRadar. The payload should contain the full URL (example: http://facebook.com/directory/image.png) that the users are accessing. You can extract just the website from the URL (so you'd extract the first part which is: http://facebook.com/) into a custom property field. Now that you have a field called "URL", you can use that to search if it contains "facebook" and group by source IP.
    2. NetFlow/QFlow. If your QRadar is receiving NetFlow or SPAN traffic from your perimeter router or switches, you can do this:
      • Search by the destination IP addresses of Facebook in the Network Activity tab and look at the traffic. Obviously, this could be very cumbersome because you first need to find out all the IP addresses of Facebook, and they might be changing.
      • I just noticed that there's an entry in the Application list in Network Activity called Web.Facebook (go to the Network Activity tab, click on Add Filter, and filter for "Application Equals Web.Facebook"). QRadar classifies flows as Web.Facebook from the QFlow (SPAN) payload (i.e. layer 7 visibility). You can search for that Application and group by Source IP to see the top Facebook users.
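Both approaches in the answer above, as an added Python example written for this page (not QRadar code and not the poster's). It runs on constructed proxy log lines in an assumed `<timestamp> <src_ip> <user> <method> <url> <status>` format and on constructed flow records whose `application` field stands in for a collector's layer-7 label. The host is taken from the URL field and matched by domain suffix rather than by searching the whole URL for "facebook"; the plain substring search is kept alongside to show the false positive it produces on a host such as notfacebook.com. In QRadar the extraction step would be a custom event property; here it is a regex plus `urlsplit`.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log, not a real capture. Assumed format:
# <timestamp> <src_ip> <user> <method> <url> <status>
PROXY_LOG = """\
2014-03-06T17:00:01Z 10.1.1.15 alice GET http://www.facebook.com/directory/image.png 200
2014-03-06T17:00:02Z 10.1.1.22 bob GET http://example.org/index.html 200
2014-03-06T17:00:03Z 10.1.1.15 alice GET https://www.facebook.com/profile.php?id=1 200
2014-03-06T17:00:04Z 10.1.1.22 bob GET http://facebook.com/ 301
2014-03-06T17:00:05Z 10.1.1.30 carol GET http://notfacebook.com/login 200
2014-03-06T17:00:06Z 10.1.1.15 alice CONNECT static.xx.fbcdn.net:443 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)

# Constructed flow records standing in for what a flow collector reports once
# layer-7 classification has labelled the flow. Byte counts are invented.
FLOWS = [
    {"src": "10.1.1.15", "dst": "31.13.64.1", "application": "Web.Facebook", "bytes": 48000},
    {"src": "10.1.1.22", "dst": "31.13.64.1", "application": "Web.Facebook", "bytes": 9000},
    {"src": "10.1.1.30", "dst": "93.184.216.34", "application": "Web.SecureWeb", "bytes": 70000},
    {"src": "10.1.1.15", "dst": "31.13.64.2", "application": "Web.Facebook", "bytes": 2000},
]

FACEBOOK_DOMAINS = ("facebook.com", "fbcdn.net")


def host_of(url):
    """Hostname of a proxy URL field, lower-cased, port stripped.
    CONNECT requests are logged as host:port with no scheme."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def is_facebook_host(host, domains=FACEBOOK_DOMAINS):
    """Exact or subdomain match, so notfacebook.com does not count."""
    return any(host == d or host.endswith("." + d) for d in domains)


def top_facebook_users_from_proxy(log_text, n=5):
    """Requests to Facebook per source IP, most active first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_facebook_host(host_of(m["url"])):
            counts[m["src"]] += 1
    return counts.most_common(n)


def naive_facebook_users_from_proxy(log_text, n=5):
    """The substring search the answer suggests ('URL contains facebook').
    Kept to show the false positive it produces on notfacebook.com."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "facebook" in m["url"].lower():
            counts[m["src"]] += 1
    return counts.most_common(n)


def top_facebook_users_from_flows(flows, n=5):
    """Bytes per source IP for flows the collector labelled Web.Facebook."""
    counts = Counter()
    for f in flows:
        if f["application"] == "Web.Facebook":
            counts[f["src"]] += f["bytes"]
    return counts.most_common(n)


if __name__ == "__main__":
    print("proxy:", top_facebook_users_from_proxy(PROXY_LOG))
    print("naive:", naive_facebook_users_from_proxy(PROXY_LOG))
    print("flows:", top_facebook_users_from_flows(FLOWS))
```

The proxy path counts requests, the flow path sums bytes; which one management wants ("top users" by hits or by volume) is worth settling before building the report. Whatever the real proxy's log format is, the only part that changes is `LINE_RE` and the list of domains in `FACEBOOK_DOMAINS`.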
    • ldesouza

      Re: finding the top facebook users on my network

      2014-03-10T22:44:38Z in response to Alaa Ali

      Yes, the "Application Equals Web.Facebook" filter worked really well.

      Thanks for the response.

    • RajaJahanzeb

      Re: finding the top facebook users on my network

      2014-07-19T12:46:46Z in response to Alaa Ali

      Alaa Ali,

      When you say QFlow (SPAN) payload (i.e. layer 7 visibility), I take it to mean one of the following:

      1- SPAN traffic is converted to plain text by terminating the SSL session somewhere before the SPAN port. (This can violate privacy policies and let SIEM administrators read the emails and everything else coming over the wire as well, so I'm not expecting any organization would have done this.)

      2- SPAN traffic is encrypted, and QFlow appliances somehow have the ability to extract application-layer data from the headers/payload of SPAN traffic in order to identify facebook.com (although that's not possible as far as I'm aware, as DPI is not possible on encrypted data).

      Additional question: if SPAN traffic is encrypted, how can we develop data leakage/loss detection rules, e.g. for sensitive information being communicated via social media, or email bodies containing social security numbers?

      Kindly explain

      Jahanzeb

      Updated on 2014-07-19T12:54:25Z by RajaJahanzeb
      • Alaa Ali

        Re: finding the top facebook users on my network

        2014-07-20T13:28:15Z in response to RajaJahanzeb

        Hey Jahanzeb. I haven't worked with encrypted SPAN traffic, but if SPAN traffic is encrypted, I don't think there's any way for any device to extract information from it...that's the whole point of encryption.

  • Asadz

    Re: finding the top facebook users on my network

    2014-07-21T09:14:25Z in response to ldesouza

    Perhaps not directly related to your question, but from a best-practice point of view, I would not like to use a SIEM as a volume or internet policy monitoring tool. I had a similar experience in which I was asked to fulfil the exact same requirement through the SIEM; management wanted bandwidth and internet user reporting through two means:

    1) Log Activity (TMG logs)

    2) flows

    In both cases I was able to pull the reports that were required, e.g. top bandwidth users, most frequently visited sites, etc.

    From a risk perspective, management should be concerned about REAL violations and not just regular/routine usage of traffic. For example, there is a difference in terms of reporting and incident response activities when an alert fires for a user X who has been put on an HR watch list logging in to Facebook, versus a user X who has been allocated x amount of bandwidth for a given month and has exceeded it in <24 hrs.

    Unless baseline requirements and expectations are set, these alerts are of little use except to give a routine picture of network usage. A SIEM, as a security product, should be managing real violations and alerts, which means configuring the log source to send only the alerts for which these violations and compliance actions have triggered. This would save extra processing not only on the SIEM but also on the storage side, and drive a more productive ROI (space/dollar cost).

    Also, if someone is interested in a 1-1 comparison of the reporting and alerting capabilities of a SIEM versus a dedicated solution such as FASTVUE, here are a few screen grabs.

    Screen grab 1

    Screen grab 2

    I'm sure that writing PL/SQL or a trigger for the above scenarios, e.g. in the case of MS Exchange (MS SQL Express), and then writing the results to a file would work. I'm sure that after pre-processing, the file would be useful to send to the SIEM through ALE/WinCollect etc. That's one approach; others exist depending on the specific scenario/environment.