Exporting Risk Events to QRadar

Install the Oracle CASB extension in QRadar, then create the log source and a custom QID.

Installing the Oracle CASB Extension in QRadar

Download the OracleCASB.zip file and upload it into QRadar.

  1. Obtain the OracleCASB.zip file.

    To obtain this file, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

    Note:

    Please reference Knowledge Base Article number 2366535.1 when you contact Oracle Support or your Oracle CASB Customer Success Manager.

  2. Log in to the QRadar console.
  3. Select the Admin tab.
  4. Select System Configuration, then click Extensions Management.
  5. In the upper-right corner, click Add.
  6. In the Add a New Extension dialog box:
    1. Browse to the location of the OracleCASB.zip file.
    2. Select Install immediately.
    3. Click Add.

    When the installation has completed, an Oracle CASB tab appears at the right end of the row of tabs.

Creating a Log Source

Define and deploy the log source configuration.

Prerequisite: You have installed the Oracle CASB Extension in QRadar. See Installing the Oracle CASB Extension in QRadar.

  1. Log in to the QRadar console.
  2. Select the Admin tab.
  3. Select Data Sources, then click Log Sources.
  4. In the Log Sources dialog box, click Add.
  5. In the Add a log source dialog box, enter:
    • Log Source Name – a descriptive name, for example, OracleCASB.

    • Log Source Description – an optional, longer description.

    • Log Source Type – select Universal LEEF.

    • Protocol Configuration – select Syslog.

    • Log Source Identifier – enter the IP address or machine name where the log source resides.

    • Enabled – ensure this is selected.

    • Credibility – leave as 5.

    • Target Event Collector – enter the ID of the QRadar event processor that will parse the data from the log source.

      Select from the drop-down list. The value may be an IP address or a name in a form such as eventcollector0::ip-172-31-26-193.

    • Coalescing Events – leave selected, to prevent duplicates.

    • Incoming Payload Encoding – leave as UTF-8.

    • Store Event Payload – leave selected.

  6. Click Save.

    You return to the Log Sources dialog box, with the new log source listed.

  7. Close the Log Sources dialog box.

    You return to the Admin tab.

  8. Click Advanced, near the top, and select Deploy Full Configuration from the drop-down menu.
  9. When you are prompted, "Are you sure you want to deploy a full configuration?...", click Continue.

    When the deployment has completed, you return to the Admin tab.

Creating a Custom QID

Create a custom QID for the Oracle CASB extension.

Prerequisite: You have created a log source for the Oracle CASB Extension in QRadar. See Creating a Log Source.

Note:

If this task is not completed, the QRadar console Log Activity tab will show Event Name as "unknown event" for some properties, and some other properties will not appear at all.

  1. Use SSH to log in to QRadar as the root user.
  2. To create a QID (QRadar Identifier), enter the following command:

    qidmap_cli.sh -c --qname <name> --qdescription <description> --severity <severity> --lowlevelcategoryid <ID>

    Example:

    /opt/qradar/bin/qidmap_cli.sh -c --qname 'Risk Events' --qdescription 'Oracle CASB' --severity 7 --lowlevelcategoryid '21001'

    For more information on the qidmap command, see the IBM documentation.

Configuring the Oracle CASB Extension

Configure the Oracle CASB Extension that you uploaded to QRadar.

Prerequisite: You have created a custom QID for Oracle CASB Extension in QRadar. See Creating a Custom QID.

  1. Ensure that you are logged in to the QRadar console.
  2. Select the Oracle CASB tab.
    An Oracle CASB dialog box opens.
  3. Fill in the API Endpoint this way:

    api-<CASB_STACK>.palerra.net

    Where <CASB_STACK> is what precedes ".palerra.net" in the URL you use to log in to your Oracle CASB Cloud Service tenant (trial, loric, loric-eu, or loric-ca).

  4. In a separate browser window (or tab), log in to your Oracle CASB Cloud Service tenant.
  5. In the upper-right corner, click the circle that contains your initials and select API Credentials from the drop-down menu.
  6. In the API Credentials dialog box, click Generate Keys.
  7. Copy the Access Key value to the clipboard, return to the browser window (or tab) where the QRadar console is open, and paste from the clipboard into the Access Key field in QRadar.
  8. Return to the browser window (or tab) where the Oracle CASB Cloud Service console is open.
  9. Copy the Secret Key value to the clipboard, return to the browser window (or tab) where the QRadar console is open, and paste from the clipboard into the Secret Key field in QRadar.
  10. Click Test Configuration.
  11. If you want to use a proxy for this connection:
    1. Ensure that the configuration test was successful before proceeding.
    2. Enter the IP address or host name for the HTTPS proxy host.
    3. Enter the HTTPS proxy port to use.
    4. Click Test Configuration.
  12. When the configuration test is successful, click Save.

Testing Your QRadar Extension

Send a single test event from Oracle CASB Cloud Service to the Oracle CASB extension in QRadar.

Prerequisite: You have configured your Oracle CASB extension in QRadar. See Configuring the Oracle CASB Extension.

  1. Log in to the QRadar console.
  2. Select the Log Activity tab, and then click Add Filter.
  3. In the Add Filter dialog box, set Parameter to Log Source (Indexed).

    The Log Source Filter list appears on the right.

  4. Select the name you set earlier, for example, Oracle CASB, and click Add Filter.
  5. In the Viewing real time events section, drop down the View list and select Real Time (streaming).

    Log data now appears, showing one test event from clicking Test Configuration earlier.

    Clicking Test Configuration again will send another test event.

Mapping the QID

Map the QID to the Oracle CASB Cloud Service data in the Oracle CASB extension.

Prerequisite: You have tested your Oracle CASB extension in QRadar. See Testing Your QRadar Extension.

  1. Log in to the QRadar console.
  2. Select the Log Activity tab and click Map Event, just below the Log Activity tab header.
  3. In the Log Source Event dialog box, in the Enter QIDs field, enter the QID name that you used in the --qname <name> parameter in your qidmap command above.
    The name you enter is added to the Matching QIDs section at the bottom of the dialog box.
  4. Click OK to close the Log Source Event dialog box.

Mapping All Other Attributes

Map all other attributes from the Oracle CASB data to QRadar.

Prerequisite: You have mapped the Oracle CASB QID in QRadar. See Mapping the QID.

  1. Ensure that you are logged in to the QRadar console.
  2. In the Log Activity tab, scroll down to the Payload Information section to see the detail for the event.

    Select Wrap Text to wrap the text within the window.

    Note:

    Every property in this payload from Oracle CASB must be mapped in order to display in QRadar. Username and Severity are mapped by default; you must map the other properties manually.
  3. Click Extract Property, to the right of Map Event.
  4. In the Custom Event Property Definition dialog box, ensure that Property Type Selection is set to Extraction Based.
  5. In the Test Field section, select a property and copy the property name to the clipboard.

    For example, select appinstanceid. Omit the "^" or "|" before the property name and the "=" after it.

    Note:

    Properties in the payload may be separated by either the "^" or "|" character. Omit the separator and equal sign when you copy the property name.
  6. In the Property Definition section, select New Property and paste the property name into the text box to the right.
  7. In the Property Expression Definition section:
    1. Ensure that Log Source Type is Universal LEEF (the default).
    2. Ensure that Event Name is selected (the default).
    3. Ensure that Extraction using is set to Regex (the default).
    4. Paste the property name into the Regex text box.

      If the property name that you copied is appinstanceid, the Regex text box would now contain appinstanceid.

    5. Type these characters immediately after the property name:
      • If the payload uses "^" as the separator, type =([^^]*) (the equal sign, then a capture group that matches everything up to the next "^").

        If the property name that you copied is appinstanceid, the Regex text box would now contain appinstanceid=([^^]*).

      • If the payload uses "|" as the separator, type =([^|]*) (the equal sign, then a capture group that matches everything up to the next "|").

        If the property name that you copied is appinstanceid, the Regex text box would now contain appinstanceid=([^|]*).

  8. Click Save.

    The property name that you just mapped now appears in the Event Information section in the Log Activity tab.

    Note:

    Properties that you map this way appear in Event Information with "(custom)" after the property name.

  9. Repeat steps 3 through 8 for each property in the Oracle CASB payload that you want to map to QRadar.
  10. To test your property mappings, select the Oracle CASB tab:
    1. Set Data Ingestion Criteria to get the result you want:
      • Fetch all available events and continue polling gets the last 90 days of data.

        If you have used this option already, you are prompted, "You have already exported CASB events. Do you want to fetch all the available events again?" Click OK to proceed.

        Once continuous polling has begun, all available events are fetched every two hours.

      • One time events for a specific time period gets the data for the interval you set using Start Date and End Date.

        No further events are fetched.

    2. Click Save to leave the Oracle CASB extension.

      The QRadar screen is now blank.

    3. Select the Log Activity tab to see the Oracle CASB data that was retrieved.

The Oracle CASB Extension will now poll your Oracle CASB Cloud Service tenant for new risk events every two hours. New events will appear in the QRadar console for your review and analysis. For information on risk events in Oracle CASB Cloud Service, see Different Types of Risk That Oracle CASB Cloud Service Monitors.
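The extraction expression from the mapping steps above, applied to a payload, as an added Python example that is not part of the Oracle documentation; the two payloads are constructed, and the function names are my own. It detects which separator a payload uses, builds the expression you would type into the Regex box, and lists every property, since each one needs a mapping of its own.

```python
import re

# Constructed sample payloads (not captured from Oracle CASB): the same
# properties once with "^" and once with "|" as the separator, as the
# mapping steps describe.
PAYLOAD_CARET = "^appinstanceid=inst-42^username=alice@example.com^severity=7^riskname=Suspicious login^"
PAYLOAD_PIPE = "|appinstanceid=inst-42|username=alice@example.com|severity=7|riskname=Suspicious login|"


def detect_separator(payload):
    """Return "^" or "|", whichever precedes the first name=value pair."""
    m = re.search(r"([\^|])\w+=", payload)
    if not m:
        raise ValueError("payload has no ^name= or |name= pair")
    return m.group(1)


def extraction_regex(prop, sep):
    """Build the expression typed into the Regex box: <prop>=([^<sep>]*)."""
    # The negated class stops the capture at the next separator; a class
    # such as [||]* would only match pipes and capture an empty string.
    if sep not in ("^", "|"):
        raise ValueError("separator must be ^ or |")
    return prop + "=([^" + sep + "]*)"


def capture_with(payload, pattern):
    """Apply a full extraction expression and return capture group 1."""
    m = re.search(pattern, payload)
    return m.group(1) if m else None


def extract_property(payload, prop):
    """Value of one property, using the separator the payload actually uses."""
    sep = detect_separator(payload)
    return capture_with(payload, extraction_regex(prop, sep))


def list_properties(payload):
    """Every name=value pair in order: each of these needs its own mapping."""
    sep = detect_separator(payload)
    pairs = {}
    for field in payload.split(sep):
        if "=" in field:
            name, value = field.split("=", 1)
            pairs[name] = value
    return pairs


if __name__ == "__main__":
    for payload in (PAYLOAD_CARET, PAYLOAD_PIPE):
        print(detect_separator(payload), list_properties(payload))
```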

Starting and Stopping the Oracle CASB Extension

At the end of the installation process, the Oracle CASB Extension is started. You can manually stop and start it as needed.

You can stop the Oracle CASB Extension any time that you need to stop the flow of risk events from Oracle CASB Cloud Service, for example, to perform scheduled maintenance. You can then restart the Oracle CASB Extension when you want the flow of risk events to resume.

Commands below use cURL. To download cURL or learn more about it, go to https://curl.haxx.se/.

Pass these parameters:

  • <username>: QRadar console user name used to log in.

  • <password>: QRadar console password used to log in.

  • <qradar_ip>: IP address used for QRadar login.

  • <app_id>: Application ID.

    There are two ways to get the <app_id>, based on the name of the installed Oracle CASB Extension application, which is com.oracle.casb.qradarapp:
    • Log in to the QRadar database and enter:

      psql -U qradar -c "select id, name from installed_application;"

    • Use this cURL command:

      curl -X GET -k -u <username>:<password> https://<qradar_ip>/api/gui_app_framework/applications

      Where <username> and <password> are your QRadar login credentials.

  1. To start the Oracle CASB Extension for QRadar when it is stopped, use this cURL command:
    curl -X POST -k -u <username>:<password> https://<qradar_ip>/api/gui_app_framework/applications/<app_id>?status=RUNNING
  2. To stop the Oracle CASB Extension for QRadar when it is running, use this cURL command:
    curl -X POST -k -u <username>:<password> https://<qradar_ip>/api/gui_app_framework/applications/<app_id>?status=STOPPED