Download the VM from this link:
https://mega.nz/#!Bgh0URSZ!dR0GO-uJrRU5Ss82V-NHOgfhf0DFOU7z_ic9eGBIR0k
CCSF blocks Mega, so you'll have to download it off-campus. To get it on-campus, you can copy it from storage media in SCIE 214.
Unzip the file with 7-zip on a PC, or The Unarchiver on a Mac.
Start the VM.
Log in to the console with these credentials, as shown below.

To set up networking, execute this command, as shown below.
qchange_netsetup
At the "Do you wish to proceed (Y/[N])?" prompt, enter Y, as shown below.
A series of crudely graphical screens appears. Use Tab to move through the options and Enter to select them.
In the first screen, accept the default options of "ipv4" and "No", as shown below. Press Tab until Next is highlighted and then press Enter.
At the "Management Interface Setup" screen, accept the default option of "ens33", as shown below. Press Tab until Next is highlighted and then press Enter.
At the "Network Information Setup" screen, the fields should fill in with good default values. Make sure one of the DNS servers is 8.8.8.8, as shown below.
Make a note of the server's IP address! You will need it later.
Press Tab until Finish is highlighted and then press Enter.
Wait while the machine configures networking and restarts services, as shown below. Tomcat is Java-based and slow to start.

Logging In to QRadar
On your host system, in a Web browser, go to this URL, replacing the IP address with the IP address of your QRadar VM.
https://172.16.1.226/console/
Approve the self-signed certificate. Your browser warns you because it cannot verify who issued the certificate; accepting it is fine for a lab VM on your own network, but it is not something to do reflexively against a console you don't own.
Log in with these credentials, as shown below.
QRadar opens, as shown below.
The admin password on this VM is a well-known lab default. If the VM will ever be reachable by anyone but you, change it (see "QRadar: Changing the local admin account password" in the References).

Viewing Log Sources
In the QRadar administration page, at the top center, click the Admin tab.
Scroll down to the "Data Sources" section and click "Log Sources", as shown below.
A box pops up, as shown below.
In the top center, click the Add button.
An "Add a log source" window appears. In the "Log Source Type" list box, scroll down to see "Microsoft Windows Security Event Log", as shown below.
You don't need to select it at this time; just verify that it's there. It's not included in the default QRadar Community Edition installation, but I added it to the VM you downloaded already.
Close the "Add a log source" window.

Making an IBM Account
In a Web browser, go to
https://www.ibm.com/account/us-en/signup/register.html
Create an IBM ID. You will need it to download software below.

Downloading WinCollect
The WinCollect agent is free software from IBM to send Windows event logs to QRadar.
In a Web browser, go to
https://www-945.ibm.com/support/fixcentral
Make these selections, as shown below:
Click Continue.
At the bottom of the next page, click the Text button and type in
Windows
as shown below.
Click Continue.
In the results, scroll down to the WINCOLLECT section, as shown below.
There are several items here, including the main engine for 32-bit and 64-bit Windows, and various "interim fix" patches. We only need the first 4 files. Check them, as shown below.
At the bottom, click the Continue button.
If you are prompted to, sign in to your IBM account.
On the next page, click the "Download using your browser" button, as shown below, and click Continue.
On the next page, click the blue downward-pointing arrow next to each product you want, one by one, as shown below.

Overview of WinCollect Installation
To collect Windows logs, we'll need to do these steps:
On the QRadar VM
Install File 1: 7.3.0-QRADAR-730_QRadar_wincollectupdate-7.3.0.106.sfs
On 32-Bit Windows Systems
Install these files, in this order:
On 64-Bit Windows Systems
Install these files, in this order:

Installing FileZilla
We need to update software on the QRadar VM. We'll need FileZilla to do that.
In a Web browser, go to
https://filezilla-project.org/download.php?platform=osx
That link is the macOS build; pick the build for your host's platform.
Install FileZilla with the default options.
Run FileZilla. At the top, enter these values, as shown below:
At the top right, click the Quickconnect button.
A box pops up asking whether to remember passwords. For this project, there's no need to worry about unauthorized use of your QRadar VM, so click "Save passwords" and click OK. (Don't do this for a system you care about; FileZilla keeps saved passwords in its configuration files on your host.)
An "Unknown host key" box pops up. Click OK. This is trust-on-first-use: you are accepting the VM's SSH host key without checking it, which is reasonable for a VM you just built yourself.
FileZilla connects, as shown below.
The left pane shows your host system, and the right pane shows your QRadar VM.

Installing Software on the QRadar VM
In the right pane of FileZilla, click the top yellow folder icon for /
In the folder list, click /tmp
In the left pane of FileZilla, navigate to your Downloads folder.
Drag the
7.3.0-QRADAR-730_QRadar_wincollectupdate-7.3.0.106.sfs
file from the left pane to the right pane, as shown below.
In your QRadar VM console, execute these commands, as shown below.
mkdir -p /media/updates
cd /tmp
mount -o loop -t squashfs 730_QRadar_wincollectupdate-7.3.0.106.sfs /media/updates
/media/updates/installer
Use the file name exactly as it appears in /tmp: this page refers to the update both as 7.3.0-QRADAR-730_QRadar_wincollectupdate-7.3.0.106.sfs and as 730_QRadar_wincollectupdate-7.3.0.106.sfs. If the mount command reports that the file does not exist, list /tmp and adjust the name in the command.
A message asks "Do you wish to continue?". Enter Y.
The installation takes about 5 minutes, and a lot of messages scroll by. Tomcat restarts, which is slow as always.
When it finishes, you'll see "patch succeeded", as shown below.
In your Web browser, log in to the QRadar GUI again with the credentials admin and P@ssw0rd
Click the Admin tab.
A message says "There are no changes to deploy". This is contrary to the IBM patch Release Notes, which say that a manual deploy and release is required after the patch. However, the console showed that this patch automatically performed those steps already.
This is typical for enterprise-class software patches--you can't always rely on the documents being accurate.

Deleting the Patch File
In FileZilla, in the right pane, left-click the
730_QRadar_wincollectupdate-7.3.0.106.sfs,
then right-click it and click Delete. Click Yes to delete it.
The image is still loop-mounted on /media/updates at this point; unmount it first if you want the disk space back immediately, otherwise the deleted file's space is not released until the image is unmounted or the VM reboots.

Installing Wincollect on the Windows System
Copy the appropriate version of Wincollect from your host machine's Downloads folder to your Windows machine.
Start the installer. Accept the default selections until you see the "Setup Type" box.
Click "Stand Alone", as shown below, and then click Next.
In the "Log Source Auto-creation Parameters" box, make these selections, as shown below.
In the next box, make these selections, as shown below. Replace the IP address with the correct IP address of your QRadar VM.
In the next box, accept the default Machine poll interval and click Next.
In the "Heartbeat Parameters" box, accept the default options and click Next.
In the "Installation Parameters Summary" box, click Next.
Click Next on any remaining screens, then click Install.
Click Finish.

Installing the Patch
Drag the
wincollect-standalone-patch-installer-7.2.7-20.exe
file into your Windows VM and double-click it.
Install it with the default options. If it wants to install .NET, allow it to do that.

Adjusting Local Security Policy
We need to tell Windows what events to collect.
From your Windows desktop, click Start, "Control Panel", "Administrative Tools", "Local Security Policy".
The audit policies available are different in different Windows versions. These are the policies available in Windows Server 2008.
In Local Security Policy, in the left pane, click the + next to "Local Policies" to expand it.
Click "Audit Policy".
In the right pane, double-click "Audit account logon events", as shown below.
Check Success and Failure, as shown below, and click OK.
In that manner, configure these options, as listed below. You have already configured the first item.
Your window should look like the image below.
Close Local Security Policy.

Using WinCollect Configuration Console
Click Start. Search for, and click, "WinCollect Configuration Console".
In the left pane, click the + next to Devices to expand it.
In the left pane, click the + next to "Microsoft Windows Event Log" to expand it.
In the left pane, click the name of your Windows machine.
The right pane shows your audit policy selections in a long list, as shown below. You can adjust them here.
Close WinCollect Configuration Console.

Viewing Windows Logs in QRadar
On your host system, in your Web browser, return to the QRadar console.
If it has timed out, you need to log in again.
Click the "Log Activity" tab.
Log events should be scrolling by, as shown below.

Capturing a Screen Image
Make sure there are some "Event Name" entries, as shown above.
Capture a whole-desktop image and save it as "Proj 5x from YOURNAME".
YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT
Send a Cc to yourself when you email it in.
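If no events show up in the Log Activity tab, the first thing to rule out is the Windows side. The "Adjusting Local Security Policy" step above sets "Audit account logon events" by clicking through the GUI; the same change can be made and, more importantly, read back from an elevated PowerShell prompt with auditpol.exe, and you can confirm that the Security log is actually receiving events and that the agent service is running before blaming QRadar. The script below is an added example for this page, not part of the original project or of IBM's WinCollect; the service name "WinCollect", the 5-minute lookback window, and the use of the legacy "Account Logon" category (which is what the GUI policy maps to) are assumptions noted in the comments.

```powershell
# Added example (not from the project page): configure and verify the Windows
# audit setting that the "Adjusting Local Security Policy" step makes by hand,
# then check that the Security log and the WinCollect agent are alive.
# Run from an elevated PowerShell prompt on the Windows machine.

# 1. Enable success and failure auditing for the legacy "Account Logon" category.
#    This is the same setting as checking Success and Failure on
#    "Audit account logon events" in Local Security Policy (assumed mapping,
#    valid for Windows Server 2008's legacy categories).
auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable | Out-Null

# 2. Read the effective policy back. Clicking OK in the GUI does not prove the
#    setting took; auditpol /get shows what the system will actually record.
$policy = auditpol.exe /get /category:"Account Logon"
$policy

# 3. Warn if any subcategory under Account Logon is still "No Auditing".
if ($policy -match 'No Auditing') {
    Write-Warning 'At least one Account Logon subcategory is still unaudited.'
}

# 4. Confirm the Security log is receiving events at all (5-minute window is
#    an arbitrary choice for this check). If it is empty, log off and on once
#    to generate logon audits, then re-run.
$since  = (Get-Date).AddMinutes(-5)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning 'No Security events in the last 5 minutes; log off and on, then re-run.'
} else {
    'Security events in the last 5 minutes, by event ID:'
    $recent | Group-Object Id | Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize
}

# 5. Confirm the agent service is running; QRadar shows nothing if it is stopped.
#    Service name "WinCollect" is an assumption; adjust if Get-Service finds nothing.
$svc = Get-Service -Name 'WinCollect' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'WinCollect service not found; check the agent installation.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "WinCollect service is $($svc.Status); start it with: Start-Service WinCollect"
} else {
    'WinCollect service is running.'
}
```

Step 2 is the part worth keeping in your toolbox: on Windows Server 2008 the legacy category setting in the GUI and the per-subcategory settings can disagree when subcategory overrides are in effect, and auditpol /get is the authoritative view of what will be written to the Security log. Everything after that only confirms events exist locally; if they do and the service is running, the problem is on the network path or the QRadar log source, not the Windows audit policy.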
Turning in Your Project
Email the images to cnit.50sam@gmail.com with a subject line
of "Proj 5x From YOUR NAME", replacing
"YOUR NAME" with your real name.
References
QRadar Documentation
Deprecated Linux networking commands and their replacements
CentOS-7 "Minimal Desktop" installation GNOME
QRadar SIEM overview
QRadar: Using the qchange_netsetup command to change the IP address in QRadar
QRadar: Changing the local admin account password
Box folder with QRadar documentation
Security Intelligence Tutorial, Demo & Use Case Videos
Posted 11-23-17 by Sam Bowne