Tanium QRadar User Guide - IBM Cloud


QRadar Integration User Guide V1.0

Contents

Introduction ........................................ 3
  Features ........................................... 3
  Extension Contents ................................. 3
Configuration ....................................... 4
  Prerequisites ...................................... 4
  Tanium User Configuration .......................... 4
  QRadar Configuration ............................... 6
  Tanium Connect Configuration for Alerts ............ 9
  Tanium Connect Configuration for Discover .......... 11
  Tanium Connect Configuration for Comply ............ 12
Usage ............................................... 14
  Ingesting Tanium Events ............................ 14
  Right-Click Actions ................................ 16
Help and Troubleshooting ............................ 17

2020 Tanium Inc. All Rights Reserved    Page 2

Introduction

The Tanium App for QRadar allows you to easily bring your Tanium data into QRadar. Correlating the events from various Tanium modules with the alerts from any system on your network gives your analysts the knowledge and context necessary to make faster, more informed decisions. You can further cut down on investigation time by instantly looking up the real-time details of any machine right from QRadar's Log Activity screen.

Features

- Uses Tanium's Connect module to forward your data from:
  - Threat Response
  - Comply
  - Discover
- Right-Click actions for instant IP lookups using Tanium's REST API

Extension Contents

The following contents are included in this extension:

Custom Properties (52): Comply Row Type, Tanium Source, IP Address, First Found Date, Match Version, Match Type, Hash, Intel Type, Match Name, Intel ID, Threat Response Service ID, Computer IP, Computer Name, OS Generation, Updated At, Intel Name, Script, MAC Organization, Managed, Last Discovered At, Unmanageable, Arp, Last Managed At, MD5, Tanium Created At, Timestamp, Intel Labels, SHA1, Threat Response Source, Tanium Computer ID, Ports, MAC Address, Nmap, Full Path, Size, Hostname, OS, Connected, Locations, NAT IP Address, Labels, Discover ID, Args, CWD, Last Found Date, Alert ID, SHA256, CVE, PID, PPID, Start Time, Score

Groups (1): Tanium

Log Source Extensions (1): TaniumJSONCustom_ext

Log Source Types (1): TaniumJSON

QID Records (3): Tanium Comply, Tanium Detect, Tanium Discover

Custom Applications (1): Tanium

Configuration

Prerequisites

- QRadar 7.3.1 or newer
- Tanium version 7.3 or newer
- Access from QRadar to the Tanium Server on port 443
- Access from Tanium Server to QRadar on port 6514

Tanium User Configuration

The Tanium App for QRadar requires a Tanium User account to interact with the API. It is recommended to create a new role and user with the required permissions. In Tanium, create a new role for the QRadar app with the "Read Sensor" permission and add access to your sensors. Enable the Ask Dynamic Question feature.

Next, create a new user for the QRadar App to use, and assign it the role you just created. You will also need to assign the user access to computer groups. For most organizations, assigning this user "Unrestricted Management Rights" will be the best option since that will allow all machines to respond to questions.

QRadar Configuration

1. Download the Tanium Extension from the IBM X-Force Exchange app store.
2. From the QRadar Admin page, select Extensions Management.
3. Add the downloaded package to QRadar, selecting the "Install immediately" option.
4. Once the package has successfully installed, navigate back to QRadar's Admin screen and scroll down to the bottom of the page where you will open up the Tanium app configuration page.

5. Select Application Configuration and enter the connection details for your Tanium Server. Please note that if you choose to upload the public certificate for your Tanium server to use for verification, you should export it in PEM format, and the value you enter for Server must match the hostname in the certificate.
6. Next we will do a test call to confirm that the app has been properly configured and that it can communicate with the Tanium Server. Click on the Lookup IP option at the top of the screen. Enter the IP address of a machine that is managed by Tanium and that you know is currently online. Click Submit.
7. It may take up to a minute depending on the size and architecture of your network, but you should get the basic machine details back. If you get an error or no results, proceed to the Troubleshooting section below.
8. Next create a Log Source in QRadar to receive the events from the Tanium Connect module.
   a. Select "TaniumJSON" for the Log Source Type and "TaniumJSONCustom_ext" for the Log Source Extension.
   b. Select "TLS Syslog" for the Protocol Configuration and "TLS" for the Authentication Mode.
   c. Check the Store Event Payload option and uncheck the Coalescing Events option.
   d. Configure the remaining settings for the collector and port as desired.

   e. Set the value of Log Source Identifier to be the IP address of your Tanium Module Server and include your log source in the Tanium group. Make sure to deploy changes after you save.

Tanium Connect Configuration for Alerts

1. Open the Tanium Connect Module and select Create Connection, then Create. We will create a connection to send Tanium Alert events to QRadar.
2. For Source, check only "Match Alerts Raw". For the Destination, enter your QRadar collector hostname or IP and select TCP and the port to match the log source settings. Check both the "Secure" and "Trust on First Use" options.
3. Select JSON as the format and use '\n' as the Row Delimiter. Don't check either the "Generate Document" or "Wrap Data with Source" options.
4. Expand the "Columns" section, add a new custom field called "taniumsource" and populate it with the Connection Variable "Source Name". Ensure that the "Value Type" for the "Match Details" column is set to "Unmodified".


Tanium Connect Configuration for Discover

1. Open the Tanium Connect Module and select Create Connection, then Create. We will create a connection to send Tanium Discover reports to QRadar. This will generally be the same as the instructions above for creating the Event connection.
2. Check the "Enable" box at the top right so that the connection will run on the defined schedule.
3. For Source, select "Tanium Discover" and then which report(s) you wish to send. For the Destination, enter your QRadar collector hostname or IP and select TCP and the port to match the log source settings. Check both the "Secure" and "Trust on First Use" options.
4. Select JSON as the format and use '\n' as the Row Delimiter. Don't check either the "Generate Document" or "Wrap Data with Source" options.
5. Expand the "Columns" section, add a new custom field called "taniumsource" and populate it with the Connection Variable "Source Name" (see the screenshot above for the Alert Connection configuration).
6. Configure the Connection to run on the desired schedule.

Tanium Connect Configuration for Comply

1. Open the Tanium Connect Module and select Create Connection, then Create. We will create a connection to send Tanium Comply reports to QRadar. This will generally be the same as the instructions above for creating the Event connection.
2. Check the "Enable" box at the top right so that the connection will run on the defined schedule.
3. For Source, select Tanium Comply and Vulnerability for the Report Type. Typically you will want to check only the box for Include Endpoint Findings, as the Include CVE Details option will generally create more data than most users want to send to their SIEM.
4. For the Destination, enter your QRadar collector hostname or IP and select TCP and the port to match the log source settings. Check both the "Secure" and "Trust on First Use" options.
5. Select JSON as the format and use '\n' as the Row Delimiter. Don't check either the "Generate Document" or "Wrap Data with Source" options.
6. Expand the "Columns" section, add a new custom field called "taniumsource" and populate it with the Connection Variable "Source Name" (see the screenshot above for the Alert Connection configuration).
7. Configure the Connection to run on the desired schedule.


Usage

Ingesting Tanium Events

Once you have configured the Tanium connections and the Tanium App for QRadar, you should begin to see data flowing into QRadar. Most common fields already have custom properties created for them in QRadar. If you want to create efficient searches using any of these custom properties, it is suggested that you update the settings so that they are indexed in QRadar. By default, none of the included Tanium custom properties are indexed.

Additional Event Types

The Tanium Log Source in QRadar uses the custom taniumsource field to identify the incoming events as being from Tanium. If you would like to ingest events or reports in addition to the ones above, just ensure they are coming in JSON format with the taniumsource custom column added.
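The identification rule above (one JSON object per '\n'-delimited row, each carrying a top-level taniumsource column) is also the first thing to check when events do not appear in QRadar. The following added example, not part of the original guide or of Tanium's or IBM's code, applies that rule to a constructed sample payload and explains each rejected row in terms of the Connect options described in this guide.

```python
import json

# Constructed sample of what a Tanium Connect connection sends to the
# TaniumJSON log source: newline-delimited JSON rows, each with the custom
# "taniumsource" column populated from the Source Name connection variable.
# Rows 3-5 are deliberately malformed to show the common misconfigurations.
SAMPLE_PAYLOAD = "\n".join([
    '{"taniumsource": "Threat Response Alerts", "Computer Name": "host-01", "Alert ID": "1"}',
    '{"taniumsource": "Discover Unmanaged", "IP Address": "10.0.0.5", "Managed": "false"}',
    '{"Computer Name": "host-02", "Intel Name": "sample-intel"}',
    '{"source": "Comply", "data": {"taniumsource": "Comply", "Comply Row Type": "finding"}}',
    'host-03,Comply,finding',
])


def check_connect_rows(payload):
    """Classify each row the way the TaniumJSON log source identification does.

    Returns (accepted, problems): accepted is the list of parsed rows that carry
    a top-level taniumsource field; problems is a list of (row_number, reason).
    """
    accepted, problems = [], []
    for number, row in enumerate(payload.split("\n"), start=1):
        if not row.strip():
            continue  # blank line between rows is harmless
        try:
            obj = json.loads(row)
        except json.JSONDecodeError:
            problems.append((number, "row is not JSON; set Format to JSON and Row Delimiter to '\\n'"))
            continue
        if isinstance(obj, list):
            problems.append((number, "row is a JSON array; 'Generate Document' appears to be checked"))
            continue
        if not isinstance(obj, dict):
            problems.append((number, "row is not a JSON object"))
            continue
        if "taniumsource" in obj:
            accepted.append(obj)
        elif any(isinstance(v, dict) and "taniumsource" in v for v in obj.values()):
            problems.append((number, "taniumsource is nested; 'Wrap Data with Source' appears to be checked"))
        else:
            problems.append((number, "taniumsource column missing; add it under Columns in Connect"))
    return accepted, problems


if __name__ == "__main__":
    ok, bad = check_connect_rows(SAMPLE_PAYLOAD)
    print("accepted rows:", len(ok))
    for number, reason in bad:
        print("row %d: %s" % (number, reason))
```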

Right-Click Actions

The Tanium App for QRadar includes a right-click action available for any IP Address in the QRadar Log Activity Summary. You can choose from either:

- Tanium – Basic Info
- Tanium – Running Processes

These actions will use the Tanium REST API to ask a Question and bring back the results in a table in a new browser tab. Tanium – Basic Info will bring back the list of users currently logged in, and Tanium – Running Processes will bring back a list of all processes currently running on the Tanium-managed machine with that IP address.

Help and Troubleshooting

FAQ

I am getting SSL errors when I try to look up an IP, what is the problem?

Have you checked the "Standard SSL Verification" option in the app configuration screen? This will only work if your Tanium server has a certificate issued by a known signing authority trusted by the underlying library. It uses the Mozilla CA Bundle. Try uploading your Tanium certificate to verify against instead.

I uploaded my certificate, but I am still getting SSL errors. What is the problem?

Make sure you have uploaded your cert in PEM format. You can use openssl to retrieve it with the following command (replace <Tanium Server IP> with the address of your Tanium Server):

openssl s_client -showcerts -connect <Tanium Server IP>:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > Tanium.pem

Make sure your PEM file includes the entire certificate chain.

Why don't I see my Tanium events in QRadar?

Check your logs in the Tanium Connect module to make sure the connection is completing successfully and events are actually being sent.

If Connect logs show that the events are being sent but you still don't see them in QRadar, check the status of the TaniumJSON Log Source and ensure that it is enabled.

Search in QRadar for any events coming in from your Tanium Server's IP address and make sure that they are in JSON format and include the "taniumsource" field that is used for identification.

I have an on-prem QRadar appliance and am still having problems, how do I get my app logs?

Like all QRadar apps, the Tanium App runs in a docker container on a QRadar app node. Using a utility script provided by QRadar, you can identify the Tanium app's container ID, and then use this with the docker cp command to download the log files. This example is from QRadar 7.3.1 and the name and usage of the utility will vary by QRadar version.

[root@qradar2 support]# cd /opt/qradar/support/
[root@qradar2 support]# ./qapp_utils_730.py ps
Collecting app data.
Complete!
Id    Name               Container     Container Image  Container ip:port  Host ip:port  ABCDEFGHIJ
1051  Tanium             2519afa5e9c4                   :9724
1002  App Authorizatio.  eaeec617d0de                   :7280
1001  QRadar Assistant   090b0c5e3bfc                   :31489
LEGEND [ is success, - is fail, n is not applicable ]
A - App was found in QRadar app endpoint
B - App was found in Qregistry
C - App was found in Marathon apps endpoint
D - App was found in Mesos state endpoint
E - App was found in Consul services endpoint
F - App was found in Docker running containers
G - Firewall nat table
H - Firewall filter table
I - App proxy config file
J - it's debug endpoint

The Tanium app's container ID is the value in the Container column (2519afa5e9c4 in this example). Copy the log files out of the container with docker cp:

[root@qradar2 support]# docker cp 2519afa5e9c4:/store/log/app.log /
[root@qradar2 support]# docker cp 2519afa5e9c4:/store/log/startup.log /
[root@qradar2 support]# docker cp 2519afa5e9c4:/store/log/supervisord.log /

For help with this integration or to request additional features, please reach out to Tanium support.
https://support.tanium.com/s/support-home
