Data Collection Slides

The document outlines the importance of data collection in cybersecurity, focusing on event, flow, and vulnerability scan collection methods. It details the components of QRadar, including Device Support Modules (DSMs) for log normalization and various collection protocols like Syslog and APIs. Additionally, it discusses how QRadar integrates with external vulnerability managers to enhance security monitoring and incident response capabilities.


Data Collection

Ricardo Reimao, OSCP, CISSP
Cybersecurity Consultant
Module Overview

- The importance of the data
- Event collection
  - DSMs and main collection protocols
- Flow collection
  - Packet capture and forwarded flows
- Vulnerability scans
  - QRadar Vulnerability Manager
  - External vulnerability scanners
QRadar Overview

Data sources feeding the SIEM:
- Firewalls
- Databases
- Web Servers
- Network Traffic
- Vulnerability Info
- Active Directory
- etc.

QRadar SIEM outputs:
- Alerts (Offenses)
- Reports
- Compliance Audits
- Threat Hunting
Event Collection

QRadar Components
- Event Collector (log sources reach it by push collection or pull collection)
- Event Processor
- Flow Collector
- Flow Processor
- Console (where the user works)
- Data Node
- Vulnerability Scanner
What Is a DSM?

Device Support Modules (DSM)
- Plugins for log collection (parsers)
- Normalize raw logs into meaningful fields
- Over 400 log types supported
- Custom DSMs

Sample raw logs from three different log sources:

[RedHat]
Mar 12 12:27:00 server3 named[32172]: lame server resolving 'jakarta5.wasantara.net.id' (in 'wasantara.net.id'?): 202.159.65.171#53

[PostFix]
Mar 1 00:00:58 avas postfix/smtpd[2314]: connect from unknown[208.37.192.234]

[Cisco Firewall]
Mar 29 2022 09:56:19: %PIX-6-302005: Built UDP connection for faddr 211.9.32.235/32770 gaddr 10.0.0.187/53 laddr 192.168.0.2/53
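As an added illustration of what a DSM does (this is example code written for this page, not the slides' content and not QRadar's own DSM implementation), the Python below takes the three sample lines above and turns each into a dictionary of normalized fields. It first matches the log format (BSD syslog header vs. Cisco PIX header), then applies a per-source parser to the message body. The event names, field names and the "generic syslog" / "unknown" fallbacks are this example's choices, not QRadar's schema; the sample log values are the slide's own.

```python
import re

# Constructed sample raw log lines, copied from the three formats on the slide
# (Red Hat named, Postfix smtpd, Cisco PIX). The IPs and hostnames are the slide's own.
RAW_LOGS = [
    "Mar 12 12:27:00 server3 named[32172]: lame server resolving "
    "'jakarta5.wasantara.net.id' (in 'wasantara.net.id'?): 202.159.65.171#53",
    "Mar 1 00:00:58 avas postfix/smtpd[2314]: connect from unknown[208.37.192.234]",
    "Mar 29 2022 09:56:19: %PIX-6-302005: Built UDP connection for faddr "
    "211.9.32.235/32770 gaddr 10.0.0.187/53 laddr 192.168.0.2/53",
]

# Generic BSD syslog header: "<Mon> <day> <hh:mm:ss> <host> <program>[<pid>]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# Cisco PIX header: "<Mon> <day> <year> <hh:mm:ss>: %PIX-<severity>-<message id>: <message>".
PIX_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d): "
    r"%PIX-(?P<severity>\d)-(?P<message_id>\d{6}): (?P<message>.*)$"
)
# Message-specific patterns, one per event type this toy DSM knows how to parse.
NAMED_LAME_RE = re.compile(
    r"^lame server resolving '(?P<query>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<remote_ip>[\d.]+)#(?P<remote_port>\d+)$"
)
POSTFIX_CLIENT_RE = re.compile(
    r"^(?P<action>connect|disconnect) from (?P<client_host>[^\[]+)\[(?P<client_ip>[^\]]+)\]"
)
PIX_CONN_RE = re.compile(
    r"^Built (?P<protocol>TCP|UDP) connection (?:\d+ )?for "
    r"faddr (?P<foreign_ip>[\d.]+)/(?P<foreign_port>\d+) "
    r"gaddr (?P<global_ip>[\d.]+)/(?P<global_port>\d+) "
    r"laddr (?P<local_ip>[\d.]+)/(?P<local_port>\d+)$"
)
# Standard Cisco syslog severity levels, 0 (most severe) to 7.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def dsm_named(message):
    """Red Hat named parser: only the 'lame server' event is modelled here."""
    m = NAMED_LAME_RE.match(message)
    if not m:
        return None
    f = m.groupdict()
    return {"event_name": "lame server", "query": f["query"], "zone": f["zone"],
            "remote_ip": f["remote_ip"], "remote_port": int(f["remote_port"])}


def dsm_postfix(message):
    """Postfix parser: smtpd client connect/disconnect events."""
    m = POSTFIX_CLIENT_RE.match(message)
    if not m:
        return None
    f = m.groupdict()
    return {"event_name": f"smtpd {f['action']}", "client_host": f["client_host"],
            "client_ip": f["client_ip"]}


# Syslog-based parsers are selected by the program name found in the header.
SYSLOG_DSMS = {"named": ("RedHat named", dsm_named),
               "postfix/smtpd": ("Postfix", dsm_postfix)}


def normalize(line):
    """Route one raw line to the parser that recognises it and return normalized fields.
    Lines no parser understands are kept (dsm='unknown') rather than silently dropped,
    so gaps in parsing coverage stay visible."""
    m = PIX_RE.match(line)
    if m:
        hdr = m.groupdict()
        event = {"dsm": "Cisco PIX", "timestamp": hdr["timestamp"], "host": None,
                 "severity": SEVERITY_NAMES[int(hdr["severity"])],
                 "message_id": hdr["message_id"]}
        conn = PIX_CONN_RE.match(hdr["message"])
        if conn:
            f = conn.groupdict()
            event.update({"event_name": f"Built {f['protocol']} connection",
                          "protocol": f["protocol"]})
            for side in ("foreign", "global", "local"):
                event[f"{side}_ip"] = f[f"{side}_ip"]
                event[f"{side}_port"] = int(f[f"{side}_port"])
        else:
            event.update({"event_name": "unparsed PIX message", "message": hdr["message"]})
        return event
    m = SYSLOG_RE.match(line)
    if m:
        hdr = m.groupdict()
        base = {"timestamp": hdr["timestamp"], "host": hdr["host"],
                "pid": int(hdr["pid"]) if hdr["pid"] else None}
        dsm = SYSLOG_DSMS.get(hdr["program"])
        if dsm:
            name, parser = dsm
            fields = parser(hdr["message"])
            if fields:
                return {"dsm": name, **base, **fields}
        return {"dsm": "generic syslog", **base, "program": hdr["program"],
                "message": hdr["message"]}
    return {"dsm": "unknown", "raw": line}


def normalize_all(lines):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for event in normalize_all(RAW_LOGS):
        print(event)
```

The point to notice is the two-layer structure: the header parser is shared across every syslog-speaking device, while the message parsers are per product and per event type, which is why a DSM has to be updated whenever a vendor changes its log wording, and why unmatched lines should surface as "unknown" events instead of vanishing.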

Syslog
- Most used protocol for log collection
- Provides log standardization
- Generated by the log source and sent to the collector (push collection)
- Port 514 UDP (or TCP)
Windows Log Sources

Syslog Agents
- Convert Windows logs into syslog and forward them to QRadar
- Push collection
- Examples: Snare, Winlogd, Kiwi

WinCollect
- Agents managed by QRadar that collect logs from a Windows source and send them through syslog to QRadar
- Push collection

Windows Security Event Logs (MSRPC)
- Enables QRadar to connect to the server via RPC and collect security logs
- Pull collection
- Credentials required
Other Collection Methods
- Database Connectors (JDBC)
- Local Files (SSH/FTP)
- OPSEC/LEA
- REST APIs
- TLS Syslog
- Several others

QRadar DSM Guide
http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_dsm_guide.pdf
Information from Security Devices

Firewall
- TCP connections
- Dropped packets
- Config. changes

IPS/IDS
- Policy violations
- Attack attempts
- Dropped connections

Proxy
- Browsing history
- HTTP connections
- Exfiltration attempts

Auth. Devices
- Authentication logs
- Access level changes
- Access logs

Anti-Virus
- Server infections
- User behavior
- Malware outbreaks

End Point Agents
- USB logs
- Browsing history
- Access logs
Flow Collection

QRadar Components (flow path)
- Flow Collector
- Flow Processor
- Event Collector and Event Processor
- Console (where the user works)
- Data Node
- Vulnerability Scanner
Network Listening
- Provides full flow information
  - Headers and partial content
- Similar to a TCP dump
  - Parsed and normalized by QRadar
- Can be achieved through:
  - Network taps
  - SPAN ports
Flow Information Forwarding
- Provides only flow headers
  - Source, destination, port, flow size, etc.
- Does not provide full packet inspection
  - No access to the body of the packet
- Main collection methods:
  - NetFlow
  - J-Flow
  - sFlow
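To make the difference between the two flow slides concrete (network listening with headers plus partial content, versus forwarded flows with headers only), here is an added Python example that is not part of the slides and not QRadar code. It builds unidirectional 5-tuple flow records from a handful of constructed packets in both styles, then runs two checks over them: one that only needs header counters and works on both, and one that needs payload and therefore returns nothing for forwarded flows. The 64-byte content cap, the header-length constants and all packet values are this example's assumptions.

```python
import re

# Ethernet + IPv4 + transport header bytes, used to turn a payload length into
# an on-the-wire packet size for the constructed samples below (assumed sizes).
HEADER_LEN = {"UDP": 14 + 20 + 8, "TCP": 14 + 20 + 20}

# Constructed sample packets (not real traffic): a DNS query and reply, then two
# HTTP requests on one TCP connection from the same client.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.53", "sport": 51000, "dport": 53, "proto": "UDP",
     "payload": b"\x12\x34\x01\x00\x00\x01" + b"example.com DNS query"},
    {"src": "10.0.0.53", "dst": "10.0.0.5", "sport": 53, "dport": 51000, "proto": "UDP",
     "payload": b"\x12\x34\x81\x80" + b"example.com DNS answer 93.184.216.34"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51001, "dport": 80, "proto": "TCP",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51001, "dport": 80, "proto": "TCP",
     "payload": b"POST /upload HTTP/1.1\r\nHost: example.com\r\n\r\n" + b"A" * 1300},
]


def wire_size(pkt):
    return HEADER_LEN[pkt["proto"]] + len(pkt["payload"])


def flow_key(pkt):
    """Unidirectional 5-tuple, the way a NetFlow-style exporter keys its flow cache."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])


def forwarded_flows(packets):
    """Flow forwarding (NetFlow/J-Flow/sFlow style): per-flow header counters only.
    Nothing below the transport header is kept, so payload can never be inspected."""
    flows = {}
    for p in packets:
        f = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0})
        f["packets"] += 1
        f["bytes"] += wire_size(p)
    return flows


def captured_flows(packets, content_bytes=64):
    """Network listening (tap/SPAN): the same counters plus the first content_bytes
    of payload seen on each flow. The 64-byte default is this example's assumption,
    not a statement about QRadar's configuration."""
    flows = {}
    for p in packets:
        f = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0, "content": b""})
        f["packets"] += 1
        f["bytes"] += wire_size(p)
        room = content_bytes - len(f["content"])
        if room > 0:
            f["content"] += p["payload"][:room]
    return flows


def bytes_by_source(flows):
    """Works on either representation: volume per source needs only headers."""
    totals = {}
    for (src, _dst, _sport, _dport, _proto), f in flows.items():
        totals[src] = totals.get(src, 0) + f["bytes"]
    return totals


def http_hosts(flows):
    """Needs content: HTTP Host headers are invisible in forwarded flows, so this
    returns an empty set for them and only finds hosts in captured flows."""
    hosts = set()
    for f in flows.values():
        m = re.search(rb"\r\nHost: ([^\r\n]+)", f.get("content", b""))
        if m:
            hosts.add(m.group(1).decode())
    return hosts


if __name__ == "__main__":
    fw, cap = forwarded_flows(PACKETS), captured_flows(PACKETS)
    print("flows:", len(fw), "bytes by source:", bytes_by_source(fw))
    print("hosts from forwarded flows:", http_hosts(fw))
    print("hosts from captured flows:", http_hosts(cap))
```

Both representations agree on packet and byte counts per flow, which is why forwarded flows are enough for volume-based questions; anything that looks inside the application layer (the Host header here) needs the capture path, and even then only the first bytes of each flow are available.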
Vulnerability Scans

Vulnerability Scans Diagram: Vulnerability Scanner
External Integrations
- QRadar can be integrated with your existing vulnerability manager solution
  - APIs
  - Manual import
- Supported solutions:
  - Qualys
  - Nessus
  - Nmap
  - and several others
Information Provided
- Vulnerability information
  - Based on an up-to-date vulnerability database
- Port scan information
  - Helps in incident investigation/forensics
- Asset discovery
  - Find hosts on your network
- Asset information
  - Software installed
  - Services running
  - Accounts
  - etc.
Summary
- How events are collected
  - Syslog, WinCollect, APIs and JDBC
- How flows are collected
  - Packet capture vs. flow forwarding
- How vulnerability scan information contributes to QRadar

Next up: Events
