IBM Support

QRadar: Restore MITRE mappings from backup

How To


Summary

If you do not export and save them before you uninstall your Use Case Manager (UCM) application, the MITRE mappings are lost. This process can be used to recover them from an app volume backup.

Steps

Before you start
Identify whether a backup exists and the app ID for the uninstalled UCM instance.
Important: Administrators are advised to schedule a maintenance window to run the steps in this article.
  1. SSH into your QRadar Console.
  2. (Optional) If you have an app host, SSH to the app host.
  3. Locate the app backup that contains the MITRE mapping:
    /opt/qradar/bin/app-volume-backup.py ls
    Jan 10 13:38:07 [app-volume-backup] Current app volume backups found in [/store/apps/backup]:
    Jan 10 13:38:07 [app-volume-backup] backup.apps-volumes.all.1662532201.tgz      2022-09-07 02:30:01
    
  4. Go to the backup directory.
    cd /store/apps/backup
  5. Identify, from the file dates, which backup file is the last one that was taken before UCM was uninstalled.
    ls -la
    In this example, backup.apps-volumes.all.1666333802.tgz contained the last UCM backup.
    (Screenshot of the /store/apps/backup listing not reproduced here.)
  6. Make a temporary directory to extract your backups into.
    mkdir -p /store/ibmsupport/tempdir
  7. Copy the latest backup file to the temporary directory.
    cp backup.apps-volumes.all.XXX.tgz /store/ibmsupport/tempdir
    
  8. Extract the file and cd into the directory.
    cd /store/ibmsupport/tempdir
    tar -xzvf backup.apps-volumes.all.XXX.tgz
    cd backup.apps-volumes.all.XXX
    Each backup.apps-volumes.all.xxx.tgz file contains one compressed archive (<app_id>.tgz) per app_id.
  9. Identify the archive that contains the json.db directory by running the following command on each of the individual xxx.tgz files. The archive that contains json.db is named after the UCM app_id. If the file name is 1652.tgz, for example, the app ID is 1652.
    tar -tzvf xxx.tgz | grep json.db
    Note: This step can be skipped if you already know the app_id number of the uninstalled UCM application.
    Result
    Record this file name. If no backup file exists, the MITRE mappings cannot be recovered.
Procedure
Restore MITRE mappings from the backup.
  1. Use SSH to log in to your QRadar Console as the root user.
  2. Navigate to the temporary directory where you extracted the backup.apps file in "Before you start".
  3. Find the mitre_custom_rules_x_x_mapping.json file within the compressed file named with your UCM app ID.
    Note: The MITRE mapping file name changes depending on the version of UCM:
    For UCM 3.5.0:
    [root@apphost json.db]# ls -lrt | grep mitre_custom
    -rw-r--r-- 1 nobody nobody       0 Aug  5 09:19 mitre_custom_rules_3_5_mapping.json
    For UCM 3.4.0:
    [root@apphost json.db]# ls -lrt | grep mitre_custom
    -rw-r--r-- 1 nobody nobody    1023 Oct 18 09:33 mitre_custom_rules_3_4_mapping.json
    Example:
    [root@<server> backup.apps-volumes.all.1666333802]# tar -tzvf 1652.tgz | grep -i mitre_custom_rules
    -rw-r--r-- nobody/nobody         0 2022-09-27 11:53 ./json.db/mitre_custom_rules_3_5_mapping.json
    -rw-r--r-- nobody/nobody         0 2022-01-27 08:09 ./backup/backup_mitre_custom_rules_3_3_mapping_2022-01-27T13-09-02.json
    -rw-r--r-- nobody/nobody         0 2022-05-31 13:23 ./backup/backup_mitre_custom_rules_3_4_mapping_2022-05-31T17-23-14.json
    -rw-r--r-- nobody/nobody         0 2022-09-27 11:51 ./backup/backup_mitre_custom_rules_3_4_mapping_2022-09-27T15-51-12.json
    
    
  4. Back up the current MITRE mapping file:
    scp /store/docker/volumes/qapp-<app-ID>/json.db/mitre_custom_rules_3_5_mapping.json /store/ibmsupport/tempdir
  5. After verifying that the backup was created successfully, move the current MITRE mapping file out of the UCM directory.
    ls /store/docker/volumes/qapp-<app-ID>/json.db/mitre_custom_rules_3_5_mapping.json
    mv /store/docker/volumes/qapp-<app-ID>/json.db/mitre_custom_rules_3_5_mapping.json /store/ibmsupport
  6. Extract the ./json.db/mitre_custom_rules_*_mapping.json file from the <app_id>.tgz file. Example:
    tar -xzvf 1652.tgz ./json.db/mitre_custom_rules_3_5_mapping.json
  7. Find the app_id number of the new UCM instance by using the qappmanager utility from the Console.
    /opt/qradar/support/qappmanager
  8. Find the current name of the mapping file in the new UCM qapp-XXXX folder, replacing XXXX with the new UCM instance app_id.
    ls /store/docker/volumes/qapp-XXXX/json.db/mitre_custom_rules*.json
    /store/docker/volumes/qapp-XXXX/json.db/mitre_custom_rules_3_5_mapping.json
  9. Copy the mapping file extracted from backup XXX.tgz into the json.db folder of the new UCM installation (qapp-XXXX, where XXXX is the new UCM instance app_id), giving it the file name found in the previous step.
    cp ./json.db/mitre_custom_rules_3_5_mapping.json /store/docker/volumes/qapp-XXXX/json.db/mitre_custom_rules_3_5_mapping.json
    
    Important: The permissions and owner of the new file must be -rw-r--r-- (644) and nobody:nobody.
  10. Restart the UCM application by using the qappmanager utility.
    /opt/qradar/support/qappmanager
    Note: The restart must be run from the Console, not from an app host.
  11. Use option 24 to stop the app instance.
    24) App instance - stop
  12. Select an authorized service with the Admin role (admin token):
    AUTHORIZED SERVICES (SP=Security Profile):
     ID | Name                    | SP    | Role 
    ----------------------------------------------
     1  | Use Case Manager        | Admin | Admin
    
    App instance - stop > Choose Authorized Service ID: 1
  13. Enter the UCM ID:
    
    APP INSTANCES (SP=Security Profile):
     ID   | Name                         | Status  | Task Status | Installed        | SP
    -------------------------------------------------------------------------------------
     2752 | QRadar Use Case Manager      | RUNNING | COMPLETED   | 2022-06-09 09:16 | 
    
    App instance - stop > Choose app instance ID or enter 0 to select all: 2752
  14. After UCM is in the STOPPED state:
    APP INSTANCES (IID=Instance ID, DID=Definition ID, MHN=Managed Host Name, AHT=Application Host Type, SP=Security Profile):
     IID  | DID  | Name                         | Status  | Task Status | Installed        | MHN                         | AHT   | Memory | SP | Errors   
    -----------------------------------------------------------------------------------------------------------------------------------------------------
     2752 | 2752 | QRadar Use Case Manager      | STOPPED | COMPLETED   | 2022-06-09 09:16 | apphost | LOCAL |   1000 |    |
  15. Use option 23 to start the app:
    23) App instance - start
    
    APP INSTANCES (SP=Security Profile):
     ID   | Name                         | Status  | Task Status | Installed        | SP
    -------------------------------------------------------------------------------------
     2752 | QRadar Use Case Manager      | STOPPED | COMPLETED   | 2022-06-09 09:16 |   
       
    App instance - start > Choose app instance ID or enter 0 to select all: 2752


    Result
    The restart of the application automatically migrates the MITRE mappings. After the restart, the MITRE mappings are restored and can be verified in the UCM application UI.
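The "Before you start" and "Procedure" steps above, collected into one script as an added example; this is not IBM's tooling and is not part of the article. It assumes the extracted backup.apps-volumes.all.XXX directory, the Docker volumes root (/store/docker/volumes on a real Console, passed in here so the functions can be exercised on a constructed tree), the old and new UCM app_ids, and a staging directory are supplied as arguments, and that the restored file takes the name already present in the new instance's json.db folder.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: automates the manual steps above.
# Paths and IDs are parameters so the functions can run against a
# constructed directory tree; on a Console the volumes root is
# /store/docker/volumes and backup_dir is the extracted
# backup.apps-volumes.all.XXX directory.

# Print the app_id (archive basename) whose archive carries the MITRE
# mapping file under json.db; return 1 when no archive qualifies.
find_ucm_backup_id() {
  backup_dir=$1
  for f in "$backup_dir"/*.tgz; do
    [ -f "$f" ] || continue
    if tar -tzf "$f" 2>/dev/null | grep -q 'json\.db/mitre_custom_rules_.*_mapping\.json$'; then
      basename "$f" .tgz
      return 0
    fi
  done
  return 1
}

# Restore the mapping from <old_id>.tgz into qapp-<new_id>/json.db.
# A copy of the new instance's current file is kept in <stage> first,
# and the restored file is given nobody:nobody and mode 644.
restore_mitre_mapping() {
  backup_dir=$1; old_id=$2; volumes_root=$3; new_id=$4; stage=$5
  target_dir="$volumes_root/qapp-$new_id/json.db"
  # the file name carries the UCM version, so look it up instead of hardcoding it
  current=$(ls "$target_dir"/mitre_custom_rules_*_mapping.json 2>/dev/null | head -n 1)
  [ -n "$current" ] || { echo "no mapping file in $target_dir" >&2; return 1; }
  member=$(tar -tzf "$backup_dir/$old_id.tgz" 2>/dev/null \
           | grep 'json\.db/mitre_custom_rules_.*_mapping\.json$' | head -n 1)
  [ -n "$member" ] || { echo "no mapping in $old_id.tgz" >&2; return 1; }
  mkdir -p "$stage"
  cp -p "$current" "$stage/$(basename "$current").pre-restore"
  tar -xzf "$backup_dir/$old_id.tgz" -C "$stage" "$member"
  # an empty file restores nothing; flag it but leave the decision to the operator
  [ -s "$stage/$member" ] || echo "warning: extracted mapping file is empty" >&2
  cp "$stage/$member" "$current"
  chmod 644 "$current"
  chown nobody:nobody "$current" 2>/dev/null \
    || echo "warning: could not chown nobody:nobody; fix ownership manually" >&2
  printf '%s\n' "$current"
}
```

Stop the UCM instance with qappmanager before running restore_mitre_mapping and start it afterwards, as in steps 10 to 15.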


Document Information

Modified date:
12 January 2023

UID

ibm16619163