QRoC SIEM integration Carbon Black script

By CyberHat

QRoC SIEM integration scripts

CyberHat publishes code on the open-source platform GitHub to improve global security

Within the cyber security community, IBM’s QRoC (QRadar on Cloud) software is something of a catch-all when it comes to managing security information. QRoC, like other SIEM technologies, can take information from multiple security tools and apply rules that let the data be managed in a single space and analyzed for correlations in real time.

For this strategy to be effective, however, the security products used by the organization must be able to synchronize with IBM QRoC and forward the relevant logs. While IBM has ensured that firewalls, antivirus software, other security products, servers and databases can be integrated with QRoC, there are still many tools that fall through the cracks, which can affect an organization’s ability to properly secure its network.


The Issues: Correlation and Visibility

When a company invests in cyber defense tools, it is making those purchases with the assumption that these platforms will address pressing cyber-security needs. But for that to be true, those tools must be configured and integrated properly. This means synchronizing, optimizing, and properly managing all platforms. Ideally, this would be done by a knowledgeable team that sees the entire network topology, understands the security needs and is able to align them with the needs of the business.


The Solution:

We developed unique scripts that integrate QRoC with Carbon Black.

We are now releasing those scripts to the public, so that the cyber and IT security community can use them by following step-by-step installation guides.


Carbon Black:

  1. Connect and configure VMware Carbon Black:

Note: VMware acquired Carbon Black, a leading next-generation security cloud provider. Carbon Black has created an innovative cloud-native security platform with a smart, lightweight agent, and an AI/ML-based Data Lake in the cloud that provides comprehensive protection of endpoints and defense against a variety of threats.

Procedure:

Step 1. Log in to the Carbon Black account – Admin Panel (Carbon Black web console):

  1. On the left side of the screen, navigate to Settings.
  2. Go to API Access (Keys) -> Click “+ Add API Key”.
  3. Create an API “Access level”:
    1. Name
    2. Choose the API level
    3. Authorized IP addresses (SIEM Collector IP)
    4. Click Save
    5. Get the API ID
    6. Get the API Secret Key
  4. Create a SIEM “Access level”:
    1. Name
    2. Choose the SIEM level
    3. Authorized IP addresses (SIEM Collector IP)
    4. Click Save
    5. Get the API ID
    6. Get the API Secret Key
  5. On the left side of the screen, navigate to Settings.
  6. Click “+ Add notification”.
  7. Create a Notification Policy:
    1. Insert a name
    2. Alert Severity = 1
    3. In the check box, choose “Threat”
    4. Policy = “all policies”
    5. Choose the API key that was created at step 4 (SIEM Access Level).

Step 2. Connect to the collector DG by SSH and prepare the Linux environment:

  1. Check the Python version: python --version (the result should be 2.7.5)
  2. Install the package manager for Python (pip):
    1. curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
    2. python get-pip.py
  3. Install the Carbon Black syslog connector:
    1. pip install cbc-syslog --ignore-installed
    2. pip install requests --ignore-installed
  4. Create the directories and log files:
    1. mkdir /store/log_forwarding
    2. mkdir /store/log_forwarding/cbd
    3. mkdir /store/log_forwarding/cbd/forward_logs
    4. mkdir /store/log_forwarding/cbd/Backup_Logs
    5. touch /store/log_forwarding/cbd/logsAuditAlert.txt
    6. touch /store/log_forwarding/cbd/other.txt
  5. Upload the connector.py and check (CBD listening) scripts to the EC:
    1. Use WinSCP or similar software

Step 3. Insert the CBD variables into connector.py:

  1. connector_id = <API Key>
  2. api_key = <API Secret Key>
  3. siem_connector_id= <SIEM API Key>
  4. siem_api_key = <SIEM API Secret Key>
  5. server_url = https://<Server URL>/
    1. To choose the correct server_url, see:
    2. https://community.carbonblack.com/t5/Knowledge-Base/PSCWhat-URLs-are-used-to-access-the-APIs/ta-p/67346

Step 4. Use Crontab to run the ‘check’ Bash script to collect events from Carbon Black:

  1. crontab -e
  2. Press i (insert mode)
  3. Insert the following line:

*/2 * * * * cd /store/log_forwarding/cbd/forward_logs && (./check)

  4. Save and exit crontab: press ESC and type:
    1. :wq!
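The guide’s Steps 2 to 4 are typed in by hand, and a second run of the mkdir commands fails while a second crontab edit silently schedules the collector twice. The POSIX shell helper below is an added example, not CyberHat’s script and not the contents of connector.py or check (neither is shown on this page). It assumes the guide’s base path /store/log_forwarding/cbd (overridable through BASE), that connector.py sits in forward_logs next to check, and that the variable names in connector.py are exactly the five listed in Step 3; the placeholder check treats any `<...>` left in those assignments as an unfilled value.

```shell
#!/bin/sh
# Added example (not part of the CyberHat integration scripts).
# Idempotent preparation and sanity checks for the collector host.
BASE="${BASE:-/store/log_forwarding/cbd}"   # path from the guide; assumption

# Step 2: build the directory layout. mkdir -p and ':>>' make re-runs harmless.
prepare_dirs() {
  base="$1"
  mkdir -p "$base/forward_logs" "$base/Backup_Logs" || return 1
  : >> "$base/logsAuditAlert.txt"
  : >> "$base/other.txt"
  # The alert/audit files will hold endpoint alert data, so keep them private
  # to the account that runs the connector.
  chmod 700 "$base" && chmod 600 "$base/logsAuditAlert.txt" "$base/other.txt"
}

# Step 3: refuse to continue while connector.py is incomplete. Checks that the
# five variables exist, that none still carries a <placeholder>, and that
# server_url is an https:// URL (API secrets must never travel in clear text).
check_connector_vars() {
  file="$1"
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  for name in connector_id api_key siem_connector_id siem_api_key server_url; do
    grep -Eq "^[[:space:]]*$name[[:space:]]*=" "$file" || {
      echo "$name is not set in $file" >&2; return 1; }
  done
  if grep -Eq '^[[:space:]]*((siem_)?(connector_id|api_key)|server_url)[[:space:]]*=.*<' "$file"; then
    echo "unfilled <placeholder> in $file" >&2; return 1
  fi
  grep -Eq '^[[:space:]]*server_url[[:space:]]*=[[:space:]]*["'"'"']?https://' "$file" || {
    echo "server_url must be an https:// URL" >&2; return 1; }
  return 0
}

# Step 4: the guide's crontab entry for a given base path.
cron_line() {
  echo "*/2 * * * * cd $1/forward_logs && (./check)"
}

# Print the crontab contents with the entry added exactly once.
merge_cron() {
  current="$1"; line="$2"
  case "$current" in
    "") printf '%s\n' "$line" ;;
    *)  if printf '%s\n' "$current" | grep -Fxq -- "$line"; then
          printf '%s\n' "$current"            # already scheduled, unchanged
        else
          printf '%s\n%s\n' "$current" "$line"
        fi ;;
  esac
}

# Usage: sh prep_cbd.sh apply   (no arguments: only defines the functions)
if [ "${1:-}" = "apply" ]; then
  prepare_dirs "$BASE"
  check_connector_vars "$BASE/forward_logs/connector.py"   # location is an assumption
  current=$(crontab -l 2>/dev/null || true)
  merge_cron "$current" "$(cron_line "$BASE")" | crontab -
fi
```

Running it with `apply` replaces the manual mkdir, touch and crontab -e sequence; running it again changes nothing, and it stops before touching the crontab if connector.py still holds the `<API Key>` style placeholders from Step 3.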

Tags: Managed SOC, SIEM Technology, carbon black