Optimizing Asset Management in IBM QRadar with Custom Scripting: A Step-by-Step Guide

Zain ul Abidin
8 min read · Feb 26, 2024

In the cyber security landscape, effective asset management is non-negotiable. It’s the backbone of identifying vulnerabilities and safeguarding against potential threats. An organised and detailed asset inventory allows for precise correlation between security incidents and the assets they affect, be it hardware or software, within an organisation's network.

Leveraging Asset Profiles in IBM QRadar

Asset profiles are central to IBM QRadar SIEM, serving as comprehensive repositories of information for each asset within the network. These profiles include extensive details such as the services running on an asset and associated identity information, providing a 360-degree view of the asset’s security landscape.

QRadar SIEM excels in autonomously creating and updating these asset profiles by assimilating data from various sources like identity events, flow data, and vulnerability assessment scans. This capability is anchored in a process known as asset reconciliation, which ensures that the asset profiles are continuously updated with the latest information, keeping them relevant and actionable for threat detection and mitigation.

Streamlining Asset Data Collection in QRadar

Asset profiles in IBM QRadar are dynamically updated through automated processes, integrating data from identity events, flow data, and vulnerability scans. This ensures a real-time, comprehensive view of each asset. Organizations can further refine their asset management by manually importing CSV files, a standard method for adding asset data, aligning with specific security needs.

The naming convention for assets within these profiles follows a structured hierarchy, ensuring consistency and clarity across the board. The priority for assigning names to assets is as follows:

  1. Given name: A custom name assigned by the user or administrator, providing a personalized identifier for the asset.
  2. NetBIOS host name: A Network Basic Input/Output System name that serves as a label for the asset within certain types of networks, offering a level of identification beyond a mere IP address.
  3. DNS host name: The Domain Name System name, which translates more readable, alphanumeric domain names to the numerical IP addresses required for locating and identifying computer services and devices.
  4. IP address: The Internet Protocol address, a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. The IP address serves as the most basic form of identification if no other names are provided or available.

This structured approach to generating and naming asset profiles within QRadar SIEM ensures that each asset is accurately tracked and catalogued, providing a solid foundation for effective cyber security management and threat mitigation.

Collecting and Enhancing Asset Data in IBM QRadar

In the dynamic environment of IBM QRadar, asset profiles are not static entities; they are designed to evolve and adapt by continuously integrating new identity information. This integration can occur passively, through the analysis of event and flow data, or actively, during vulnerability scans conducted by QRadar. Moreover, QRadar offers users the flexibility to enrich and tailor these profiles by importing external asset data or by making manual adjustments as necessary.

Importing Asset Profiles

To augment the existing asset data within QRadar, users can import asset profiles from external sources. This process requires the data to be formatted as a CSV (Comma-Separated Values) file, adhering to a specific structure for seamless integration. The CSV file should follow the format:

ip,name,weight,description

Each field in this format plays a crucial role:

  • IP: Represents the asset’s IP address in dotted decimal notation, such as 192.168.5.34. It's essential that this address is valid and correctly formatted to ensure accurate identification within the network.
  • Name: Denotes the asset’s name, which can be up to 255 characters long. It’s important to avoid using commas within this field, as they can disrupt the import process. For instance, WebServer01 would be a valid entry.
  • Weight: This is a numerical value ranging from 0 to 10, indicating the asset’s relative importance or criticality within the network. A value of 0 suggests minimal importance, whereas 10 implies maximum significance.
  • Description: Provides a brief textual description of the asset, allowing up to 255 characters. This field is optional but can be invaluable for adding context, such as “Main Production Web Server”.

An example entry in a CSV file for import might look like this:

192.168.5.34,WebServer01,5,Main Production Web Server
Figure: Template for Asset Import: CSV Format in IBM QRadar

When imported, QRadar merges this new data with the existing asset profiles, enriching the overall asset database. This process not only broadens the scope of asset visibility but also enhances the precision of security monitoring and incident response by providing a more detailed and up-to-date asset inventory.

Note: Only the four columns listed above (ip, name, weight, description) can be imported at this stage; the remaining asset fields are filled in by the custom script described below.

Procedure:

  • Navigate to the “Assets” tab. Then, from the navigation menu, select “Actions”. Within the “Actions” dropdown, choose “Import Assets”.
  • Click “Browse” to find and choose the CSV file you intend to import.
  • Click “Import Assets” to initiate the import process.

Updating QRadar Assets via Custom Script

Procedure:

  • Import the asset CSV file as previously described, but include only the “IP Address” column. The custom script will use this to update values associated with the IP addresses.
  • Create a new CSV file with the required columns for the next step in the process.
  • Add the following columns to the new CSV file:
a. ipaddress: Start with this column, ensuring it matches the IP addresses uploaded to the QRadar console in the first step.
b. Given Name
c. Unified Name
d. Weight (0–9)
e. Description
f. Business Owner
g. Business Contact
h. Technical Owner
i. Technical Contact
j. Location
k. Detection Confidence
l. Wireless AP
m. Wireless SSID
n. Switch ID
o. Switch Port ID
p. CVSS Confidentiality Requirement: Use 'h', 'm', or 'l' for High, Medium, or Low, respectively.
q. CVSS Integrity Requirement: Use 'h', 'm', or 'l' for High, Medium, or Low, respectively.
r. CVSS Availability Requirement: Use 'h', 'm', or 'l' for High, Medium, or Low, respectively.
s. CVSS Collateral Damage Potential: Use 'h', 'm', 'l', 'lm', or 'mh' for High, Medium, Low, Low-Medium, or Medium-High, respectively.
t. Technical User
u. User Supplied OS
v. OS Override Type
w. OS Override Id
x. Extended
y. Old Cvss Risk
z. VLAN
aa. Asset Type
bb. Compliance Plan
cc. Compliance Notes
dd. Compliance Notes Item
ee. Compliance Notes Declaration
ff. Compliance Notes Description
gg. Compliance Out Of Scope
hh. Primary OS ID
ii. Big Fix Agent ID

Note: Ensure the “ipaddress” column is filled with values corresponding to those previously uploaded to the QRadar console, as the custom script will reference these for updates.

  • Log in to the QRadar Command Line Interface (CLI) and upload both the custom script and the newly created CSV asset file.
  • Generate a QRadar Authentication Token, from the Admin tab under Authorized Services, so that the script can authenticate when it updates asset data.
Figure: IBM QRadar Admin panel
Figure: IBM QRadar: Authorized Service Management
  • Securely save the newly generated QRadar Authentication Token, as it will be needed to execute the custom script.
Figure: IBM QRadar: Authorized Service Token

Note: The QRadar Authentication Token is generated only once, so it’s crucial to keep it safe and secure to avoid loss.

  • Execute the Python script using the following command structure, for example:

python update_assets.py -i localhost -t (QRadar Authentication Token) -f asset.csv -d -v

Here’s what each flag means:

-h: Displays the help message with information on all the available commands and their functions.
-i: Specifies the IP address or hostname of the QRadar console. Use 'localhost' if running the script directly on the QRadar server.
-t: The QRadar Authentication Token you generated earlier, which authorizes the script to make changes.
-f: The path to the CSV file containing the asset data you wish to import or update.
-d: An optional flag that, when used, displays the asset model fields within QRadar, helping to ensure your CSV is correctly formatted.
-v: An optional flag for verbose output, providing detailed information about the script's execution and any changes made to the asset profiles.
  • Run the script. Upon successful execution, you will observe output indicating that the assets were updated within the QRadar environment.
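The core of the update step, added here as an illustration of what such a script has to do; this is not the author's update_assets.py. It assumes the QRadar REST API's asset_model endpoints: the field catalogue from GET /api/asset_model/properties (what the -d flag displays) and the {"properties": [{"type_id", "value"}]} body that POST /api/asset_model/assets/{asset_id} accepts. The property ids and the CSV rows below are constructed.

```python
import csv
import io
import ipaddress

# Constructed stand-in for GET /api/asset_model/properties; the ids are made up.
SAMPLE_PROPERTY_TYPES = [
    {"id": 1001, "name": "Given Name"}, {"id": 1002, "name": "Description"},
    {"id": 1003, "name": "Business Owner"},
    {"id": 1004, "name": "CVSS Confidentiality Requirement"},
    {"id": 1005, "name": "CVSS Collateral Damage Potential"},
]
# Constructed input in the column layout of the procedure; row 2 has a bad CVSS code.
SAMPLE_CSV = """ipaddress,Given Name,Description,Business Owner,CVSS Confidentiality Requirement,CVSS Collateral Damage Potential
192.168.5.34,WebServer01,Main Production Web Server,Web Team,h,mh
10.0.0.7,,Build host,,x,
"""

def allowed_codes(column):
    """Codes the procedure allows in the CVSS columns; None means free text."""
    if column == "CVSS Collateral Damage Potential":
        return {"h", "m", "l", "lm", "mh"}
    return {"h", "m", "l"} if column.startswith("CVSS ") else None

def build_updates(csv_text, property_types):
    """Map each CSV row to the {"properties": [...]} body of a POST to
    /api/asset_model/assets/{asset_id}, keyed by IP; bad cells are reported, not sent."""
    type_ids = {p["name"]: p["id"] for p in property_types}
    updates, errors = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("ipaddress") or "").strip()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"skipped row with bad ipaddress {ip!r}")
            continue
        props = []
        for column, raw in row.items():
            value = (raw or "").strip()
            if column == "ipaddress" or not value:
                continue  # empty cell: leave the asset's current value alone
            codes = allowed_codes(column)
            if column not in type_ids:
                errors.append(f"{ip}: no asset model field named {column!r}")
            elif codes and value.lower() not in codes:
                errors.append(f"{ip}: {column} must be one of {sorted(codes)}, got {value!r}")
            else:
                props.append({"type_id": type_ids[column], "value": value})
        if props:
            updates[ip] = {"properties": props}
    return updates, errors
```

The HTTP side is left out so the block runs offline: the asset id for each IP is looked up with GET /api/asset_model/assets filtered on the interface IP address, and the token from the procedure is sent in the SEC request header.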

IBM’s Official Guide to Manually Modifying Asset Profiles in QRadar

For detailed asset management, IBM QRadar allows users to manually update Asset Profiles directly from the “Assets” tab. For a more automated approach, configuring a scan profile via the “Vulnerabilities” tab to conduct a discovery scan is recommended. This enables QRadar to automatically detect vital asset characteristics, including operating systems, device types, and running services.

When manually adjusting asset profiles, keep in mind that only user-entered fields can be edited. QRadar marks system-generated data in italics, indicating these fields are fixed and cannot be modified. However, if needed, you have the flexibility to delete these system-generated entries.

For comprehensive instructions on manually adding or editing an asset profile in QRadar, IBM provides an official guide, which can be found here: IBM’s Guide to Adding or Editing an Asset Profile in QRadar.

Conclusion

In essence, custom scripts offer a streamlined and efficient method for updating asset profiles in IBM QRadar SIEM, ensuring that asset inventories are both current and accurately reflect network configurations. This approach not only enhances operational efficiency but also aligns with tailored security requirements, ultimately strengthening the cyber security framework. By leveraging custom scripts, organizations can automate critical aspects of asset management, making it a cornerstone of a proactive cyber security strategy in QRadar.


Zain ul Abidin

Sr. Security Engineer | LinkedIn Profile: /in/zainulabidin7