An L1 security analyst does a lot of manual work that can be automated to cut down the effort and increase efficiency. One such L1 activity is checking whether an offence triggered on QRadar is valid or invalid by validating it against the rules. In this Code Pattern, we have developed a methodology to validate whether a triggered offence is valid or invalid. This pattern significantly brings down the time an L1 security analyst spends manually validating an offence against the rules.
In this pattern, we demonstrate the automation with the following use case. A vehicle has been assigned a speed limit of 100 km/h. If the speed of the vehicle exceeds 100 km/h, it is a violation. If the speed exceeds 100 km/h twice within 15 minutes, QRadar generates an offence. In this code pattern, we manually send speed violation events and generate an offence on QRadar. Once the offence shows up on QRadar, the Offences Watch Application automatically detects it and triggers the Validation Bot. The Validation Bot runs the Validation Application, which validates the offence and tells us whether the triggered offence is valid or invalid.
When the reader has completed this Code Pattern, they will understand how to:
- Automate using RPA.
- Extract offences from QRadar using REST APIs.
- Automate security L1 Activities.
- Create a Universal DSM log source in QRadar.
- Create a rule to detect the offence in QRadar.
- Trigger the Rules Extraction Bot. The Rules Extraction Bot extracts all the necessary rules and stores them in rules.txt.
- Run the Offences Watch Application, which looks for new offences showing up on QRadar.
- Run the Offences Application. The Offences Application sends speed violation events/logs to QRadar, which in turn generates an offence on QRadar.
- The offence generated on QRadar is detected by the Offences Watch Application, which triggers the Validation Bot. The Validation Bot extracts the required information from QRadar, stores it in validation.txt, and runs the Validation Application. The Validation Application performs the validation and tells whether the triggered offence is valid or invalid.
For a better understanding of the methodology, refer to the diagram below.
Trigger the Rules Extraction Bot, which extracts all the desired rules from QRadar.
Now run the Offences Watch Application, which continuously tracks the offences on QRadar. If a new offence is detected, the Offences Watch Application launches the Validation Bot. The Validation Bot extracts all the necessary information from QRadar and triggers the Validation Application, which is responsible for judging the genuineness (valid/invalid) of the offence.
- IBM QRadar SIEM Community Edition : Please visit the site for download and installation instructions.
- Robotic Process Automation - Automation Anywhere : You can download a community edition from this site.
- Maven : Please visit the site for download and installation instructions.
Follow the steps below to set up and run this code pattern.
- Clone the repo
- Create rules to detect offences on QRadar
- Setup the Rules Extraction Bot
- Setup the Validation Bot
- Update the paths in Applications
- Build the Applications using Maven
- Run the Applications and analyze the results
Clone this git repo. In a terminal, run:

```bash
git clone https://github.com/IBM/integrating-rpa-and-qradar-automate-security-activities.git
```
Set up QRadar to detect speed related offences
- Open the QRadar Console from a browser. From the menu, select Admin to go to the Admin view.
- Scroll down to the Data sources section and select Log Sources.
- Click on Add to add a new log source.
- Configure the log source with the values shown. Click on Save.
- In the Admin view, click on Deploy changes to add the newly configured log source.
- Go to the Log Activity view.
- Go to the Rules view by clicking on the Rules menu.
- Select Actions and then New Common Rule.
- The rule wizard opens. Click Next.
- Select Events or flows. Click Next.
- On the Rule Test Stack Editor, enter the filter keyword payload.
- Select the rule test when the Flow Source or Destination Payload contains this string. Enter the rule name as speed violation.
- Click on this string and enter the string as SPEEDING to create the rule that detects the speed offence. This is the string that we will send in the payload. Click Submit.
- Select the rule test when at least this many events or flows are seen with the same properties in this many minutes.
- Click on this many (events or flows) and enter the value 2. Click Submit. Click on properties and add Event Name and Source IP. Click Submit.
- Click on this many (minutes) and enter the value 15. Click Submit. Click on minutes and select minutes. Click Submit.
- Select the group as Policy.
- Click Next.
- On the Rule Response page, enter the values as shown for the rule that detects the speed offence. Click Next.
- Click Finish on the Rule summary page.
- The newly created rule is now added to the rules list.
You have successfully created rules to detect speed related offences. Now you are ready to send events and generate offences on QRadar.
NOTE: Please refer to Monitor device events using QRadar for more information on rules and offences.
- Create a new file rules.txt and open it.
- Open a new browser, preferably Mozilla Firefox or Google Chrome, and open your QRadar console login page.
NOTE: Make sure both rules.txt and the QRadar console login page are open on the task bar.
- Open the Automation Anywhere Client.
- Click on New and select Screen Recorder.
- Now follow these steps:
TIP: Wait until the browser loads.
Step 1: Open the browser with the QRadar console login page. Enter your username and password and click on Submit.
NOTE: The screen recorder captures the keystrokes you type, so the recorded task contains these login credentials. Use a dedicated QRadar user with the minimum role this bot needs rather than the admin account.
Step 2: Click on the Log Activity tab. Click on the Rules dropdown and select Rules.
Step 3: In the rules search box, enter speed. Click on the speed violation rule. Select the rule text and copy it using CTRL + C.
Step 4: Open rules.txt from the task bar and paste the copied contents using CTRL + V. Save the file using CTRL + S.
Step 5: Stop the recording and save it as rules.atmx.
- Create two new files, validation.txt and trigger.txt.
NOTE: Make sure both validation.txt and the Log Activity page of QRadar are open on the task bar.
- Open the Automation Anywhere Client.
- Click on New and select Screen Recorder.
- Open the Log Activity page of QRadar. Pause by clicking on the pause button in the top right corner. From the View dropdown select Last 15 Minutes.
- Click on Add Filter. From the Parameter dropdown select Event Name. Click on browse.
- In the QID/Name search box, type in the log source name or the QID of the logs. Click on Add Filter.
NOTE: In our case the log source name is Unknown, so type in unknown and press Enter, then select your log type from the ones displayed. Alternatively, type in the QID, which you can find by opening a speed violation log once one has been received. Sending a speed violation log is covered in step 7.
- Click on the Current Statistics dropdown. Select the Total Results number and copy it using CTRL + C. Paste it into validation.txt using CTRL + V and save it using CTRL + S.
- Stop the recording and save it as validation.atmx.
- Open the Automation Anywhere Client and follow the steps below to set up a trigger. This trigger launches the Validation Bot automatically every time a new offence is detected.
Step 1: Click on Manage.
Step 2: Click on Triggers.
Step 3: Click on Add.
Step 4: In the Select Task section, select the validation.atmx that you recorded in this section.
Step 5: In the Trigger Type dropdown, select File.
Step 6: In the File Name section, select the trigger.txt that you created in this section.
Step 7: In the Action dropdown, select When file is modified.
- The files rules.txt, validation.txt and trigger.txt that you created in steps 3 and 4 are used here.
Validation Application
- Update the paths of rules.txt and validation.txt in Validation.java, present at java/validation/src/main/java/com/example/RPAValidation/Validation.java.
- Search for String path_rules and String path_logs and update them as follows.
Offence Check Application
- Update the path of trigger.txt in QRadar.java, present at java/check/src/main/java/app/example/RoboticProcessAutomation/QRadar.java.
- Search for String path_trigger and update it as follows.
Offence Check Application
- The Offence Check Application (the Offences Watch Application of the overview) checks for new offences showing up on QRadar.
- The Offence Check Application sources are in the folder java/check of the repo.
- Check your environment before executing the next step. Make sure you can run mvn commands. If mvn commands fail, refer to the Pre-requisites to install Maven.
To work with the Offence Check Application, perform the following steps.
- Open a command terminal and navigate to the java/check directory in the repo. Build it with:

```bash
cd ../java/check
mvn clean compile assembly:single
```

- A jar file RoboticProcessAutomation-0.0.1-SNAPSHOT-jar-with-dependencies.jar is built and can be found under the target folder. The jar can be renamed to RPA.jar to keep the name short:

```bash
cd target
cp RoboticProcessAutomation-0.0.1-SNAPSHOT-jar-with-dependencies.jar RPA.jar
```
Offences Application
- The Offences Application is used to send events/logs to QRadar.
- The Offences Application sources are in the folder java/offences of the repo.
- Check your environment before executing the next step. Make sure you can run mvn commands. If mvn commands fail, refer to the Pre-requisites to install Maven.
To work with the Offences Application, perform the following steps.
- Open a command terminal and navigate to the java/offences directory in the repo. Build it with:

```bash
cd ../java/offences
mvn clean compile assembly:single
```

- A jar file offence-0.0.1-SNAPSHOT-jar-with-dependencies.jar is built and can be found under the target folder. The jar can be renamed to offences.jar to keep the name short:

```bash
cd target
cp offence-0.0.1-SNAPSHOT-jar-with-dependencies.jar offences.jar
```
Validation Application
- The Validation Application validates the genuineness (valid/invalid) of the offence.
- The Validation Application sources are in the folder java/validation of the repo.
- Check your environment before executing the next step. Make sure you can run mvn commands. If mvn commands fail, refer to the Pre-requisites to install Maven.
To work with the Validation Application, perform the following steps.
- Open a command terminal and navigate to the java/validation directory in the repo. Build it with:

```bash
cd ../java/validation
mvn clean compile assembly:single
```

- A jar file RPAValidation-0.0.1-SNAPSHOT-jar-with-dependencies.jar is built and can be found under the target folder. The jar can be renamed to RPAV.jar to keep the name short:

```bash
cd target
cp RPAValidation-0.0.1-SNAPSHOT-jar-with-dependencies.jar RPAV.jar
```
- Run the Rules Extraction Bot that you have trained.
- Execute the following command from the target directory (the directory where RPA.jar is located):

```bash
java -cp RPA.jar app.example.RoboticProcessAutomation.App
```

Fill in your QRadar hostname/IP address, username and password.
Output:

```
>>>Enter your QRadar username:
admin
>>>Enter your QRadar password:
xxxxxxxxx
>>>Enter your QRadar hostname/IP Address:
192.168.xxx.xxx
```

- This application now looks for new offences on QRadar.
NOTE: Do not abort this program. It continuously tracks offences on QRadar. If an offence is found, it triggers the Validation Bot to check whether the triggered offence is valid or invalid.
- In the next step we create an offence on QRadar.
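The polling loop that RPA.jar runs is not shown on this page, so the following is an added example of how such an offence watcher can be written against the QRadar REST API. It is not the code pattern's own code: it authenticates with an authorized-service token in the SEC header instead of the username/password the jar prompts for, the API version string and the tab-separated format of the lines it appends to trigger.txt are this example's own choices, and the sample API response is constructed. Appending to trigger.txt is what makes the Automation Anywhere "When file is modified" trigger launch the Validation Bot.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

API_VERSION = "12.0"   # assumption: use any version your console lists under /api/help

def fetch_offenses(host, sec_token, since_id=0, ca_bundle=None, page_size=50):
    """GET /api/siem/offenses for offenses with id > since_id.
    sec_token goes in the SEC header (an authorized-service token limited to offense access);
    ca_bundle is the PEM of the console's CA so TLS verification stays enabled."""
    params = urllib.parse.urlencode({
        "fields": "id,description,start_time,status,offense_source",
        "filter": f"id > {since_id}",
    })
    req = urllib.request.Request(
        f"https://{host}/api/siem/offenses?{params}",
        headers={"SEC": sec_token, "Version": API_VERSION,
                 "Accept": "application/json", "Range": f"items=0-{page_size - 1}"},
    )
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))

# Constructed response in the shape the endpoint returns (three offenses, newest first).
SAMPLE_RESPONSE = [
    {"id": 41, "description": "speed violation\n", "start_time": 1700000000000,
     "status": "OPEN", "offense_source": "10.0.0.7"},
    {"id": 40, "description": "speed violation\n", "start_time": 1699999000000,
     "status": "OPEN", "offense_source": "10.0.0.9"},
    {"id": 39, "description": "earlier offense", "start_time": 1699990000000,
     "status": "CLOSED", "offense_source": "10.0.0.1"},
]

def new_offenses(offenses, last_seen_id):
    """Pick the offenses not handled yet, oldest first, and return the new high-water mark."""
    fresh = sorted((o for o in offenses if o["id"] > last_seen_id), key=lambda o: o["id"])
    return fresh, max([last_seen_id] + [o["id"] for o in fresh])

def trigger_line(offense):
    """One tab-separated line per offense (this example's own format). Appending it to
    trigger.txt is the file modification the Automation Anywhere trigger reacts to."""
    started = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(offense["start_time"] / 1000))
    source = offense.get("offense_source", "")
    return f'{offense["id"]}\t{started}\t{source}\t{offense["description"].strip()}\n'

def fire_trigger(path, offense):
    line = trigger_line(offense)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line

def watch(host, sec_token, trigger_path="trigger.txt", interval=30, ca_bundle=None):
    """Poll forever. Offenses that already exist at start-up only set the baseline; they are
    not re-validated, so only offences raised after the watcher starts launch the bot."""
    _, last_seen = new_offenses(fetch_offenses(host, sec_token, 0, ca_bundle), 0)
    while True:
        time.sleep(interval)
        try:
            page = fetch_offenses(host, sec_token, last_seen, ca_bundle)
            fresh, last_seen = new_offenses(page, last_seen)
        except (OSError, ValueError) as exc:   # network/TLS failure (URLError is an OSError) or bad JSON
            print("poll failed, will retry:", exc)
            continue
        for offense in fresh:
            print(f"new offence {offense['id']}: launching Validation Bot")
            fire_trigger(trigger_path, offense)

if __name__ == "__main__":
    import getpass, sys
    host = input(">>>Enter your QRadar hostname/IP Address: ")
    token = getpass.getpass(">>>Enter your QRadar authorized-service token: ")
    watch(host, token, ca_bundle=sys.argv[1] if len(sys.argv) > 1 else None)
```

Two points worth keeping when adapting this: pass the console's CA certificate as ca_bundle rather than turning verification off when you hit the certificate errors mentioned in the troubleshooting section, and if the console already holds more offences than one page (the Range header asks for 50), raise page_size for the baseline call or page through, otherwise the high-water mark starts too low and old offences are re-validated.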
- First, create a speed related offence on QRadar by executing the following command twice from the target directory (the directory where offences.jar is located):

```bash
java -cp offences.jar app.example.offence.App
```

Fill in your QRadar hostname/IP address and press Enter to send a speed related event.
Output:

```
>>>Enter the QRadar Hostname/IP Address
192.168.xxx.xxx
Sending speed violation
Event sent successfully
```

NOTE: Run the above command twice, because two speed violations are needed to create an offence.
The offence detected above is valid, since it was triggered according to the rule.
If an offence is not triggered according to the rule, the result is that the offence is invalid.
This pattern can be further enhanced to generate a detailed offence report, as follows.
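To make the rule and the validity check concrete, here is an added example (not the code pattern's Offences or Validation Application) that replays constructed speed violation events through the logic of the speed violation rule created above and then applies the same decision the Validation Application makes. Assumptions: the events are RFC 3164-style syslog lines delivered to the Universal DSM log source over UDP 514, the syslog tag stands in for the Event Name that QRadar would normally assign from its QID map, the rules.txt content is what the Rules Extraction Bot is assumed to paste from the console, and the per-key counter is reset once the rule fires.

```python
import re
import socket
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for rules.txt: the text the Rules Extraction Bot is assumed to copy
# from the console for the 'speed violation' rule.
RULES_TXT = """speed violation
when the Flow Source or Destination Payload contains SPEEDING
and when at least 2 events or flows are seen with the same Event Name, Source IP in 15 minutes
"""

RULE_RE = re.compile(r"at least (\d+) events or flows .*? in (\d+) minutes")
KEYWORD_RE = re.compile(r"Payload contains (\S+)")

def parse_rule(text):
    """Pull keyword, threshold and time window out of the rule text."""
    m, kw = RULE_RE.search(text), KEYWORD_RE.search(text)
    if not (m and kw):
        raise ValueError("rule text does not contain the expected tests")
    return {"keyword": kw.group(1), "threshold": int(m.group(1)), "window_min": int(m.group(2))}

# Constructed syslog lines in the shape the Offences Application is assumed to send:
# <PRI>Mmm dd HH:MM:SS <source ip> <tag>: <payload>
SAMPLE_EVENTS = [
    "<12>Mar 10 09:00:05 10.0.0.7 vehicle: SPEEDING speed=112 limit=100",
    "<12>Mar 10 09:04:40 10.0.0.9 vehicle: SPEEDING speed=105 limit=100",
    "<12>Mar 10 09:09:12 10.0.0.7 vehicle: SPEEDING speed=130 limit=100",  # 2nd hit from 10.0.0.7 inside 15 min
    "<12>Mar 10 09:30:00 10.0.0.9 vehicle: SPEEDING speed=101 limit=100",  # 25 min after its first: window expired
    "<12>Mar 10 09:31:00 10.0.0.9 vehicle: OK speed=80 limit=100",         # keyword absent: never counted
]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+): (.*)$")

def parse_event(line):
    """Split one syslog line into the fields the rule tests on; None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    _pri, ts, src_ip, tag, payload = m.groups()
    # RFC 3164 timestamps carry no year; strptime fills in 1900, fine for relative comparison
    when = datetime.strptime(ts, "%b %d %H:%M:%S")
    # Event Name normally comes from QRadar's QID map; for an unmapped Universal DSM event
    # the syslog tag stands in (assumption)
    return {"time": when, "src_ip": src_ip, "event_name": tag, "payload": payload}

def correlate(lines, rule):
    """Sliding-window count per (Event Name, Source IP), mirroring the rule's second test."""
    window = timedelta(minutes=rule["window_min"])
    seen = defaultdict(deque)
    offences = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or rule["keyword"] not in ev["payload"]:
            continue                     # first test (payload contains SPEEDING) not met
        key = (ev["event_name"], ev["src_ip"])
        q = seen[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # forget hits older than the window
            q.popleft()
        if len(q) >= rule["threshold"]:
            offences.append({"key": key, "time": ev["time"], "count": len(q)})
            q.clear()                    # start a fresh count after firing (assumed behaviour)
    return offences

def is_valid_offence(rule, total_results):
    """The Validation Application's decision: the Validation Bot pastes Log Activity's
    'Total Results' for the last 15 minutes into validation.txt; the offence is valid when
    that count reaches the rule threshold, invalid otherwise."""
    return int(str(total_results).strip()) >= rule["threshold"]

def send_event(line, host, port=514):
    """Deliver one line to the log source over UDP syslog (assumed protocol; needs a live QRadar)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))

if __name__ == "__main__":
    rule = parse_rule(RULES_TXT)
    for offence in correlate(SAMPLE_EVENTS, rule):
        print("offence fired:", offence)
    print("valid" if is_valid_offence(rule, "2") else "invalid")
```

Running it shows why the Offences Application has to be run twice: a single SPEEDING event never satisfies the threshold, two from the same source within 15 minutes do, and two that are 25 minutes apart do not. The validity check is deliberately the same comparison the rule makes, so an offence whose 15-minute event count is below the threshold is reported as invalid.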
If you encounter any certificate related issues, refer to TROUBLESHOOTING.md