IBM Support

IBM Security QRadar Lookups Content Extension

Question & Answer


Question

The IBM Security QRadar Lookups Content Extension allows you to look up data in external systems.

Answer

Use the IBM QRadar Lookups Content Extension to look up data in external systems. The data can be in a text file, match a list of regular expressions, or match a list of CIDR expressions.

Change list for the Lookups Content Extension V1.0.0

The following table describes the changes that are included in IBM QRadar Lookups Content Extension V1.0.0.

Type Name Change description
Custom function LOOKUPS::CONTAINS( <URL>, <VALUE>, <HTTP HEADERS> )

Returns TRUE if the VALUE is contained in the data structure that is located at the specified URL. Supports either a plain-text file or a JSON file with an array in it. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

Arguments

URL

A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the QRadar console, and by any QRadar event processors and flow processors.

The response of the URL retrieval is treated as a text file. Each line in the response is loaded as a value in the lookup.

Example: https://1.2.3.4/md5_blocklist.txt

VALUE

The value to look for in the lookup. In most situations the value is a property of an event or a flow.

Example: File_Hash

HTTP HEADERS

A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.

Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'

Example Use

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::CONTAINS('https://1.2.3.4/md5_blocklist.txt', File_Hash, '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}')

Custom function LOOKUPS::MATCH( <URL>, <VALUE>, <HTTP HEADERS> )

Returns the regular expression that matches if the VALUE matches any of the regular expressions that are contained in the data structure that is located at the specified URL. Supports either a plain-text file or the QRadar reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

Arguments

URL

A fully qualified URL that points at the resource to be tested. The URL must be accessible by the QRadar console, and by any QRadar event processors and flow processors.

The response of the URL retrieval can be one of these formats:

  • A plain text file. Each line in the response is loaded as a regular expression in the lookup.
  • A JSON file that contains a single list entry. Each entry in the list is loaded as a regular expression in the lookup.
  • A URL pointing at the QRadar reference set API. Each entry in the reference set is loaded as a regular expression in the lookup.

Example: https://example.com/api/reference_data/sets/url_blocklist

VALUE

The value to look for regular expression matches in the lookup. In most situations the value is a property of an event or a flow.

Example: URL

HTTP HEADERS

A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.

Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'

Example Use

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::MATCH('https://example.com/api/reference_data/sets/url_blocklist', URL, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL

Custom function LOOKUPS::CIDRLIST( <URL>, <VALUE>, <HTTP HEADERS> )

Returns the matching Classless Inter-Domain Routing (CIDR) if the VALUE matches any of the CIDR expressions that are contained in the data structure that is located at the specified URL. Supports either a plain-text file, or the QRadar reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

Arguments

URL

A fully qualified URL that points at the resource to be tested. The URL must be accessible by the QRadar console, and by any QRadar event processors and flow processors.

The response of the URL retrieval can be one of these formats:

  • A plain text file. Each line in the response is loaded as a CIDR expression in the lookup.
  • A JSON file that contains a single list entry. Each entry in the list is loaded as a CIDR expression in the lookup.
  • A URL pointing at the QRadar reference set API. Each entry in the reference set is loaded as a CIDR expression in the lookup.

Example: https://example.com/api/reference_data/sets/cidr_blocklist

VALUE

The value to look for CIDR expression matches in the lookup. In most situations the value is a property of an event or a flow that resolves to an IP address.

Example: sourceIP

HTTP HEADERS

A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.

Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'

Example Use

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::CIDRLIST('https://example.com/api/reference_data/sets/cidr_blocklist', sourceIP, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL

Custom function LOOKUPS::MATCH_CSV( <URL>, <INDEX>, <VALUE>, <HTTP HEADERS> )

Returns the matching expression if the VALUE matches any of the regular expressions that are contained in the column referenced by INDEX in the CSV at the specified URL. Supports a CSV file that contains columns, of which one is a regular expression. HTTP HEADERS is a JSON structure that allows you to pass in authentication information or other headers, if required.

Arguments

URL

A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the QRadar console, and by any QRadar event processors and flow processors.

The response of the URL retrieval must be a CSV file. The INDEX field in each row is loaded as a regular expression in the lookup.

Example: https://1.2.3.4/blocklist.csv

INDEX

The field number of each row that is loaded into the lookup as a regular expression.

Example: 2

VALUE

The value to look for in the lookup. In most situations the value is a property of an event or a flow.

Example: File_Hash

HTTP HEADERS

A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.

Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'

Example Use

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::MATCH_CSV('http://1.2.3.4/blocklist.csv', 2, userName, '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL
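The four functions above share one pipeline: fetch a feed, split it into entries (plain text, JSON array, or reference set), and test an event property against those entries. The following Python is an added example, not code from the extension or from IBM; it models that pipeline offline so you can lint a blocklist feed before QRadar loads it (a single unparseable regular expression or CIDR in a feed is easy to miss otherwise) and check what each function would return for a given value. The feed bodies are constructed placeholders, the reference set response shape (entries under data[].value), search-anywhere regex semantics, and a 1-based INDEX are assumptions the page does not state.

```python
import csv
import io
import ipaddress
import json
import re

# Constructed sample feed bodies standing in for what the example URLs would
# return. The hash strings are placeholders, not real indicators.
TEXT_FEED = "44d88612fea8a8f36de82e1278abb02f\n\n0cc175b9c0f1b6a831c399e269772661\n"
JSON_FEED = '["44d88612fea8a8f36de82e1278abb02f", "0cc175b9c0f1b6a831c399e269772661"]'
REGEX_FEED = "\n".join([r"^https?://[^/]*\.evil-example\.test/", r"\.exe$", "[unclosed"]) + "\n"
CIDR_FEED = "10.0.0.0/8\n192.0.2.0/24\nnot-a-cidr\n"
CSV_FEED = "1,^admin,built-in account\n2,svc-.*,service accounts\n"
# Assumed shape of a QRadar reference set API response: entries under data[].value.
REFSET_FEED = '{"name":"cidr_blocklist","data":[{"value":"198.51.100.0/24"},{"value":"203.0.113.0/24"}]}'


def parse_entries(body):
    """Return the lookup entries in a response body.

    Handles the formats the page lists: a plain-text file (one entry per
    line, blank lines skipped), a JSON array, and a reference set API
    response (assumed here to carry its entries as data[].value).
    """
    stripped = body.strip()
    if stripped.startswith("["):
        return [str(v).strip() for v in json.loads(stripped) if str(v).strip()]
    if stripped.startswith("{"):
        return [str(item["value"]).strip() for item in json.loads(stripped).get("data", [])]
    return [line.strip() for line in body.splitlines() if line.strip()]


def compile_regexes(entries):
    """Split entries into (pattern, compiled) pairs and (pattern, error) rejects.

    A malformed pattern is reported instead of silently losing the whole feed.
    """
    good, bad = [], []
    for entry in entries:
        try:
            good.append((entry, re.compile(entry)))
        except re.error as exc:
            bad.append((entry, str(exc)))
    return good, bad


def parse_cidrs(entries):
    """Same split for CIDR entries; strict=False tolerates host bits being set."""
    good, bad = [], []
    for entry in entries:
        try:
            good.append((entry, ipaddress.ip_network(entry, strict=False)))
        except ValueError as exc:
            bad.append((entry, str(exc)))
    return good, bad


def contains(body, value):
    """LOOKUPS::CONTAINS semantics: exact membership of value in the feed."""
    return value in set(parse_entries(body))


def match(body, value):
    """LOOKUPS::MATCH semantics: first pattern that matches value, else None.

    re.search (match anywhere) is an assumption; the page does not say
    whether QRadar anchors the expression.
    """
    good, _ = compile_regexes(parse_entries(body))
    for pattern, rx in good:
        if rx.search(value):
            return pattern
    return None


def cidrlist(body, value):
    """LOOKUPS::CIDRLIST semantics: first CIDR that contains value, else None."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # value is not an IP address at all
    good, _ = parse_cidrs(parse_entries(body))
    for text, net in good:
        if addr.version == net.version and addr in net:
            return text
    return None


def match_csv(body, index, value):
    """LOOKUPS::MATCH_CSV semantics: regex taken from column `index` of each row.

    INDEX is treated as 1-based here (the page's example passes 2 for the
    second column); that is an assumption.
    """
    rows = csv.reader(io.StringIO(body))
    patterns = [row[index - 1].strip() for row in rows if len(row) >= index]
    good, _ = compile_regexes(patterns)
    for pattern, rx in good:
        if rx.search(value):
            return pattern
    return None


def lint_feed(body, kind):
    """Pre-publication check: return the (entry, error) pairs QRadar could not use."""
    entries = parse_entries(body)
    if kind == "regex":
        return compile_regexes(entries)[1]
    if kind == "cidr":
        return parse_cidrs(entries)[1]
    return []


if __name__ == "__main__":
    print(match(REGEX_FEED, "http://www.evil-example.test/payload"))
    print(cidrlist(REFSET_FEED, "203.0.113.7"))
    print(lint_feed(REGEX_FEED, "regex"))
```

Run lint_feed over a feed before you point a rule at it: QRadar evaluates the whole list for every event, so a feed that is too broad or malformed shows up as rule noise or silent misses rather than an error, and catching that at publication time is cheaper than catching it in the offense queue.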

Where do you find more information?

Installing a QRadar Extension

The Extensions Management window in QRadar is used to add applications or content extensions to your deployment to improve the functionality of QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards. Extensions can also install applications that deliver specific new functionality to QRadar. The About tab outlines the contents of the extension that are being added to QRadar. Content extensions that are installed do not disrupt QRadar user activity and do not restart services.

Procedure

  1. Log in to the QRadar Console as an administrator.
  2. Download the file to your laptop or workstation from the X-Force App Exchange: https://exchange.xforce.ibmcloud.com/.
  3. Click the Admin tab, then click Extensions Management in the System Configuration section.
  4. To upload an extension, click Add and select the extension to upload.
     Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console.
  5. To install the extension immediately, select the Install immediately check box and then click Add.
     A preview of the content is displayed before the extension is installed, and the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data. If you choose to keep the existing data, no updated content extension items are installed.
  6. Select Overwrite when prompted to add the new data to your QRadar appliance.
  7. The installation is complete and the status is displayed in QRadar.

Results

If a yellow caution icon is displayed in the Status column, there might be issues with the digital signature or the installation. Hover over the icon for more information. Extensions that are unsigned, or that are signed by the developer but not validated by your vendor, might cause compatibility issues in your deployment.

If you are installing an updated version of an extension, review the change list to determine if you need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block update, performance change, or new rule tests, consider updating or recreating your existing rule from the rule template.

For more information about Custom Event Properties, see QRadar: Creating a Report that Uses a Custom Event Property (http://www.ibm.com/support/docview.wss?uid=swg21690785).


Document Information

Modified date:
16 June 2018

UID

swg22011872