
QRoC SIEM integration MongoDB-Atlas script

By CyberHat

QRoC SIEM integration scripts

CyberHat publishes code on the open-source platform GitHub to improve global security

Within the cyber security community, IBM’s QRoC software is something of a catch-all when it comes to managing security information. QRoC (like other SIEM technologies) provides the ability to take information from multiple security tools and create rules that allow the data to be managed in a single space, analyzing them for correlations in real time.

For this strategy to be effective, however, the security products used by the organization must be able to synchronize with IBM QRoC and forward the relevant logs. While IBM QRoC has made sure that firewalls, antivirus software, security products, servers and databases can be integrated within its technology, many tools still fall through the cracks, which can affect an organization’s ability to properly secure its network.

The Issues: Correlation and Visibility

When a company invests in cyber defense tools, it is making those purchases with the assumption that these platforms will address pressing cyber-security needs. But for that to be true, those tools must be configured and integrated properly. This means synchronizing, optimizing, and properly managing all platforms. Ideally, this would be done by a knowledgeable team that sees the entire network topology, understands the security needs and is able to align them with the needs of the business.

 

The Solution:

We developed a unique script for QRoC with MongoDB-Atlas.

We are now releasing that script to the public, allowing the cyber and IT security community to utilize it through a step-by-step installation guide.


MongoDB-Atlas:

  1. Connect and configure MongoDB-Atlas

(Note: After finishing step 1, contact the CYREBRO team to finish steps 2-7)

Procedure:

Step 1. Log into the MongoDB-Atlas account, Admin Panel (MongoDB-Atlas web console):

  1. In the CONTEXT dropdown choose: <Organization_Name>
  2. Navigate to Access -> API Key tab:
     • Click Manage -> Create API Key:
       1. Get the Public Key
       2. Organization Permissions = Read Only
       3. Click Next
     • Get the Private Key
     • Add whitelist:
       1. Insert the QRoC collector IP

Step 2. Connect to the relevant QRadar collector by SSH.

Step 3. Create a new directory:
  i. mkdir /root/mongoDB_Atlas_integration

Step 4. Upload the mongoDB_script.py and Q_logs_mongoDB.txt files to the relevant server with MobaXterm/WinSCP/etc. into the /root/mongoDB_Atlas_integration directory.

Step 5. Go to the mongoDB_Atlas_integration directory:
  i. cd /root/mongoDB_Atlas_integration

Step 6. Give executable permission to the script and conf.ini:
  i. chmod +x /root/mongoDB_Atlas_integration/mongoDB_script.py

Step 7. Use crontab to run the script to collect events from MongoDB-Atlas every 10 min:

  i. crontab -e
  ii. Press i to enter insert mode
  iii. Insert the following line as a single crontab entry (<X> and <Y> are the API key values from Step 1, <MongoDB Identifier> is the QRadar log source identifier; the entry creates the output file, runs the script into it, replays the file into QRadar with logrun.pl, then deletes it):

  */10 * * * * export ATLAS_USER=<X>; export ATLAS_USER_KEY=<Y>; touch /root/mongoDB_Atlas_integration/mongoDB_Atlas_Logs.txt; /root/mongoDB_Atlas_integration/mongoDB_script.py > /root/mongoDB_Atlas_integration/mongoDB_Atlas_Logs.txt; /opt/qradar/bin/logrun.pl -f /root/mongoDB_Atlas_integration/mongoDB_Atlas_Logs.txt -u <MongoDB Identifier> 100; rm -rf /root/mongoDB_Atlas_integration/mongoDB_Atlas_Logs.txt

  iv. Save and exit crontab: press ESC and type :wq!
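The crontab entry in Step 7 chains every command with ";", so logrun.pl is still run (on an empty or stale file) when the collector fails or returns nothing. As an added example, not CyberHat's script, the POSIX shell wrapper below runs the same collect, replay and clean-up sequence but skips the replay when the collector fails or produces no events, and keeps the collected events in a mode-0600 temporary file; it assumes the collector prints one event per line and exits non-zero on failure, and the names forward_atlas.sh, BASE_DIR, COLLECTOR, LOGRUN, LOG_SOURCE_ID and EPS are mine.

```shell
#!/bin/sh
# Added example (not CyberHat's script): wrapper for the Step 7 crontab entry.
# Assumptions: the collector prints one event per line to stdout and exits
# non-zero when collection fails; logrun.pl is called with the same arguments
# the guide uses (-f file, -u identifier, trailing 100).
BASE_DIR="${BASE_DIR:-/root/mongoDB_Atlas_integration}"
COLLECTOR="${COLLECTOR:-$BASE_DIR/mongoDB_script.py}"
LOGRUN="${LOGRUN:-/opt/qradar/bin/logrun.pl}"
LOG_SOURCE_ID="${LOG_SOURCE_ID:-<MongoDB Identifier>}"   # placeholder, as in the guide
EPS="${EPS:-100}"                                        # trailing 100 from the guide

# Collect events from Atlas and replay them into QRadar.
# Return codes: 0 forwarded, 1 collector failed, 2 no events, 3 credentials unset;
# any other value is logrun.pl's own exit status.
forward_atlas_events() {
    # The guide exports ATLAS_USER / ATLAS_USER_KEY in the crontab line; refuse
    # to run without them instead of replaying an empty file into QRadar.
    if [ -z "$ATLAS_USER" ] || [ -z "$ATLAS_USER_KEY" ]; then
        return 3
    fi
    # mktemp creates the file with mode 0600, so collected events are not
    # readable by other local users while they wait on the collector.
    tmp=$(mktemp "${TMPDIR:-/tmp}/mongoDB_Atlas_Logs.XXXXXX") || return 1
    if ! "$COLLECTOR" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Unlike the ';'-chained crontab line, never hand logrun.pl an empty file.
    if ! [ -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    "$LOGRUN" -f "$tmp" -u "$LOG_SOURCE_ID" "$EPS"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run only when executed as the installed script, e.g. from this crontab entry
# (credentials are passed as prefix assignments, so they stay out of the shell history):
#   */10 * * * * ATLAS_USER=<X> ATLAS_USER_KEY=<Y> /root/mongoDB_Atlas_integration/forward_atlas.sh
case "$0" in
    */forward_atlas.sh|forward_atlas.sh) forward_atlas_events ;;
esac
```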

 

 
