This is a collection of scripts from Richard Xiao for getting data out of APM Cloud:
https://github.com/xiaojias/ipm-auto/tree/master/scripts
Thursday, February 21, 2019
Tuesday, February 5, 2019
A great video on deploying and operating Kubernetes at scale
Here's a video from Chick-Fil-A's IT team describing exactly how they use Kubernetes clusters at the edge (in each restaurant). The problems and their solutions are really intriguing.
https://www.youtube.com/watch?v=8edDcy3oeUo
Wednesday, January 16, 2019
Improving the QRadar to ServiceNow integration by adding QRadar event payloads to ServiceNow incident
Using the standard configuration for the QRadar/ServiceNow integration gives you some great capabilities, but some of our customers have asked for more information in the generated ServiceNow incidents. Specifically, they've asked that the payloads of the events associated with the offense be added to the Description of the ServiceNow incident. This puts the details of the events that triggered the offense in one pane of glass, so the SOC engineer doesn't have to separately open QRadar to get this information.
This can be accomplished by making some configuration changes in both QRadar and ServiceNow. I'll provide the overview here. If you would like more details, please contact me.
1. Add the offense start time to the incident description in the mapping within QRadar.
2. Create a ServiceNow business rule to parse the offense id and start time from the description whenever a new incident is created from QRadar.
3. In that same business rule, use the offense id, start time and a stop time (equal to start time +1) to submit an Ariel query to QRadar via REST to have the query run.
4. In that same business rule, parse the response of the previous REST call to get the search id, then make a second REST call to obtain the actual results, which will be the payloads of the events that caused the offense (and resulting incident) to be created.
The solution doesn't tax either system very much at all and makes life easier for the security engineer researching the issue.
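The business rule, as an added example written for this page (it is not the author's rule and not IBM's or ServiceNow's code), modelled in Node.js so that it runs offline against a constructed fake of the Ariel REST API. The "Offense ID:" and "Offense Start Time:" labels in the description, the host name and the Version header value are assumptions; the /api/ariel/searches paths and the search_id, status and events fields follow the QRadar Ariel REST API. In ServiceNow the injected http function would wrap sn_ws.RESTMessageV2. The example also adds the wait the four steps above leave out: an Ariel search is asynchronous, so the rule polls the search status until it is COMPLETED before requesting results.

```javascript
'use strict';
// Added example, not the original post's business rule. http(method, url, headers)
// returns {status, body}; in ServiceNow back it with sn_ws.RESTMessageV2.
// Assumed: the description labels below (epoch-ms start time), the API version
// string and the host name. Paths and fields follow the QRadar Ariel REST API.

// Step 2: pull the offense id and start time out of the incident description.
function parseOffense(description) {
  var id = /Offense ID:\s*(\d+)/i.exec(description);
  var start = /Offense Start Time:\s*(\d{13})/i.exec(description);
  if (!id || !start) return null;
  return { offenseId: Number(id[1]), startMs: Number(start[1]) };
}

// Step 3: AQL for the offense's events. INOFFENSE() and UTF8() are standard
// AQL functions; START/STOP take epoch milliseconds.
function buildAql(offenseId, startMs, stopMs) {
  return 'SELECT starttime, sourceip, destinationip, UTF8(payload) AS payload ' +
    'FROM events WHERE INOFFENSE(' + offenseId + ') START ' + startMs + ' STOP ' + stopMs;
}

// Steps 3 and 4 against /api/ariel/searches. The search runs asynchronously, so
// its status is polled until COMPLETED before the results call is made.
function fetchOffensePayloads(http, qradar, offense, maxPolls) {
  var base = qradar.baseUrl + '/api/ariel/searches';
  var headers = { SEC: qradar.token, Version: qradar.apiVersion, Accept: 'application/json' };
  var aql = buildAql(offense.offenseId, offense.startMs, offense.startMs + 1); // stop = start + 1, as in the post
  var created = http('POST', base + '?query_expression=' + encodeURIComponent(aql), headers);
  if (created.status !== 201) throw new Error('search not created: HTTP ' + created.status);
  var searchId = created.body.search_id, status = created.body.status;
  for (var i = 0; i < maxPolls && status !== 'COMPLETED'; i++) {
    status = http('GET', base + '/' + searchId, headers).body.status;
    if (status === 'ERROR' || status === 'CANCELED') throw new Error('search ' + searchId + ' ' + status);
  }
  if (status !== 'COMPLETED') throw new Error('search ' + searchId + ' not complete after ' + maxPolls + ' polls');
  // The Range header caps how much payload text lands in the incident.
  var results = http('GET', base + '/' + searchId + '/results', Object.assign({ Range: 'items=0-49' }, headers));
  if (results.status !== 200) throw new Error('results: HTTP ' + results.status);
  return results.body.events || [];
}

// Step 4: the text appended to the incident description.
function formatPayloads(events) {
  return events.map(function (e) {
    return '[' + new Date(e.starttime).toISOString() + '] ' + e.sourceip + ' -> ' +
      e.destinationip + ': ' + e.payload;
  }).join('\n');
}

function enrichDescription(description, http, qradar) {
  var offense = parseOffense(description);
  if (!offense) return description; // not a QRadar-created incident: leave it alone
  return description + '\nEvent payloads:\n' +
    formatPayloads(fetchOffensePayloads(http, qradar, offense, 10));
}

// Constructed fake QRadar so the flow runs offline: checks the SEC token, answers
// EXECUTE on the first status poll and COMPLETED on the second.
function fakeQradar(eventsByOffense) {
  var searches = {}, next = 1, m;
  return function (method, url, headers) {
    if (headers.SEC !== 'test-token') return { status: 401, body: {} };
    if (method === 'POST' && (m = /\/searches\?query_expression=(.*)$/.exec(url))) {
      var off = /INOFFENSE\((\d+)\)/.exec(decodeURIComponent(m[1]));
      var id = String(next++);
      searches[id] = { polls: 0, events: (off && eventsByOffense[off[1]]) || [] };
      return { status: 201, body: { search_id: id, status: 'WAIT' } };
    }
    if (method === 'GET' && (m = /\/searches\/(\d+)\/results$/.exec(url)) && searches[m[1]]) {
      return { status: 200, body: { events: searches[m[1]].events } };
    }
    if (method === 'GET' && (m = /\/searches\/(\d+)$/.exec(url)) && searches[m[1]]) {
      var s = searches[m[1]];
      return { status: 200, body: { search_id: m[1], status: ++s.polls < 2 ? 'EXECUTE' : 'COMPLETED' } };
    }
    return { status: 404, body: {} };
  };
}

// Constructed sample input: a description as the QRadar mapping would write it.
var SAMPLE_DESCRIPTION = 'QRadar offense created.\nOffense ID: 1042\nOffense Start Time: 1547654321000';
var SAMPLE_EVENTS = { '1042': [
  { starttime: 1547654321000, sourceip: '10.0.0.5', destinationip: '10.0.0.9',
    payload: 'Failed password for root from 10.0.0.5 port 4022 ssh2' },
  { starttime: 1547654321000, sourceip: '10.0.0.5', destinationip: '10.0.0.9',
    payload: 'Failed password for root from 10.0.0.5 port 4023 ssh2' } ] };
var QRADAR = { baseUrl: 'https://qradar.example.internal', token: 'test-token', apiVersion: '9.0' };

console.log(enrichDescription(SAMPLE_DESCRIPTION, fakeQradar(SAMPLE_EVENTS), QRADAR));
```

A few things to get right when putting this into a real business rule: keep the QRadar token in ServiceNow's credential store rather than in the rule script, and issue it from an authorized service that only has the Ariel permissions the search needs; run the rule asynchronously (after insert) so the incident creation isn't held up by the search; and remember that raw event payloads can carry credentials or personal data, so the people who can read the incident should be the people who are allowed to read the events.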
Thursday, January 10, 2019
Install IBM's QRadar Community Edition 7.3.1 on CentOS 7.5 instead of RHEL 7.5
IBM offers a QRadar Community Edition for free available here:
https://developer.ibm.com/qradar/ce/
The documentation states that it runs on "CentOS or Red Hat 7.5 with a Minimal install". If you're installing the OS from scratch, I would recommend that you use CentOS 7.5 (officially CentOS 7 1804) because the install goes more smoothly than on Red Hat (see the notes at the end of this post). Specifically, I downloaded CentOS 7.5 from here:
http://repos-lax.psychz.net/centos/7.5.1804/isos/x86_64/CentOS-7-x86_64-Everything-1804.iso
There are smaller downloads in that same directory, but I wanted to get everything I might need. I then installed it with 16GB RAM and 8 cores and selected the "Minimal Install" option (this is the default option). I did this install under VMWare Workstation 14 Pro running on a Windows 10 laptop.
I could then directly follow the install instructions from IBM:
https://developer.ibm.com/qradar/wp-content/uploads/sites/89/2018/08/b_qradar_community_edition.pdf
What doesn't work very well or at all (guess how I know these):
The QRadar install will 100% fail if you try to install it on CentOS 7.6 (1810). The prerequisite checker will tell you that 7.5 is REQUIRED.
Trying to install on CentOS 7.5 using the "Server with GUI" option fails on glusterfs* package problems.
Installing on RHEL 7.5 requires that you register your RHEL instance with the Red Hat Subscription Manager first.