IBM Support

QRadar: Possible CSRF attack detected

How To


Summary

This article is intended to provide information that can assist QRadar administrators in investigating these warnings.

Steps

Cross-site request forgery (CSRF) is a method attackers can use to exploit an authenticated user of a website to send unauthorized requests to the site. For example, if a trusted user is logged in to the site, the attacker could direct the user to a link that exploits the user's active session to send malicious commands to the site.
To protect against attacks, QRadar generates CSRF session and authentication tokens when users log in. User requests use cookies and headers that include the active tokens so requests can be validated. If the request has an invalid or missing session token, QRadar logs a warning that indicates a possible CSRF attack was detected. Examples:
Jul  1 12:00:00 ::ffff:127.0.0.1 [tomcat.tomcat] [[email protected] (2771) /console/JSON-RPC/QRadar.getNotifcationCount] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000][10.250.9.8/- -] [-/- -]Current session is 8DC5A760EF4B4B7D336938F87D1B8B01, possible CSRF attack detected using host 192.168.0.1
Jul  1 12:00:00 ::ffff:127.0.0.1 [tomcat.tomcat] [[email protected] (3833) /console/JSON-RPC/QRadar.getUpdatePeriod] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000][10.9.148.5/- -] [-/- -]Current session is 8DC5A760EF4B4B7D336938F87D1B8B02, no sessionId was provided, possible CSRF attack detected using host 192.168.0.1 for method QRadar.getUpdatePeriod
If you're investigating further, it is recommended to take note of the users and IPs associated with these warnings. If a valid user allows their cookies to expire (without renewal) during their session, incorrect or missing token information could result in QRadar logging a CSRF warning. Admins can also take into account any proxies in between the user and QRadar that could have influence over cookies and headers. Further review of user behavior, as well as their browser settings are recommended to determine the validity of the warning.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"},{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS012929802","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
28 August 2023

UID

ibm17020637