What is the X-Force Exchange App Exchange?
The FAQ below explains it in detail:
https://exchange.xforce.ibmcloud.com/faq
In this post we will focus on the QRadar Incident Overview app.
The Incident Overview app gives an easy way to visualize the offenses that are currently live on the QRadar SIEM.
Each offense is shown as a bubble; offenses that share an indicator (for example the same source IP) are connected with a blue line.
To make the setup clear, I have written a simple 6-step guide for this app.
Step 1: Enter the X-Force Exchange site at exchange.xforce.ibmcloud.com.
Click the menu icon on the left side of the bar and choose the App Exchange tab.
Then click All Applications and choose Incident Overview.
Download Incident Overview using your IBM ID.
Step 2: Download the GeoLite2 City database from http://dev.maxmind.com/geoip/geoip2/geolite2/
Please download the GeoLite2 City DB (binary) format, not the CSV.
Step 3: Log in to the QRadar console and choose the Admin tab.
Open Extension Management and upload the Incident Overview app we downloaded in step 1.
Make sure the extension installed with a success status; it should look like the screenshot below.
Step 4: In the QRadar console, choose the Admin tab again.
Open Authorized Services and create a new token for API access.
Click Add Authorized Service, give it a name and set it to No Expiry.
After creating and saving the service, copy the authentication token and save it for later.
Step 5: Open the Offenses tab and click the Incident Overview button.
Once the app opens in the new window, click Configuration in the right corner.
Choose the Polling tab, enter the API token we created in step 4 and click Save.
Next, open the GeoIP Lookup tab, click Browse and upload the GeoLite2 City database we downloaded in step 2.
Step 6: After the Geo City database has uploaded successfully,
update the required fields such as time zone, country and so on.
The time zone value can be GMT, for example. Finish editing and click Save.
Now we are done and can wait for the app to pull the offense data.
See the IBM Knowledge Center documentation for the app for further details.
Note that you must have QRadar administrator privileges to access and use the Incident Overview app.
Each bubble in the Recent Incidents bubble graph represents an offense; a blue line shows a connection between two offenses that share an indicator such as a username or an IP address.
Once an offense is clicked, a new tab opens with extra data.
As the screen below shows, we can see extra data on the involved destination and source IPs.
Clicking the blue dot lets you look up the IPs directly in X-Force Exchange.
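To make the "blue line" logic concrete, here is an added example (my own illustration, not the app's or IBM's code) that links offenses sharing an indicator, the way the bubble graph does. The offense records are constructed samples whose field names are assumptions; real records would come from the QRadar REST API using the Authorized Service token from step 4 in the SEC header.

```python
"""Correlate offenses by shared indicators, mirroring the Incident
Overview bubble graph. Sample offenses below are constructed; their
field names (source_ips, destination_ips, usernames) are assumptions,
not the exact QRadar offense JSON schema."""
from itertools import combinations


def api_headers(token: str) -> dict:
    """Headers for a QRadar REST API call authenticated with an
    Authorized Service token: the token goes in the 'SEC' header."""
    return {"SEC": token, "Accept": "application/json"}


def indicators(offense: dict) -> set:
    """Collect (type, value) pairs for the indicators on one offense."""
    found = set()
    for ip in offense.get("source_ips", []):
        found.add(("src_ip", ip))
    for ip in offense.get("destination_ips", []):
        found.add(("dst_ip", ip))
    for user in offense.get("usernames", []):
        found.add(("username", user))
    return found


def link_offenses(offenses: list) -> dict:
    """Return {(id_a, id_b): shared indicators} for each pair of offenses
    with at least one indicator in common (the 'blue lines')."""
    by_id = {o["id"]: indicators(o) for o in offenses}
    links = {}
    for a, b in combinations(sorted(by_id), 2):
        shared = by_id[a] & by_id[b]
        if shared:
            links[(a, b)] = shared
    return links


# Constructed sample offenses (not real QRadar data).
SAMPLE_OFFENSES = [
    {"id": 101, "source_ips": ["10.0.0.5"], "destination_ips": ["192.0.2.10"], "usernames": ["alice"]},
    {"id": 102, "source_ips": ["10.0.0.5"], "destination_ips": ["192.0.2.20"], "usernames": ["bob"]},
    {"id": 103, "source_ips": ["10.0.0.9"], "destination_ips": ["192.0.2.20"], "usernames": ["alice"]},
    {"id": 104, "source_ips": ["10.0.0.77"], "destination_ips": ["192.0.2.99"], "usernames": ["eve"]},
]

if __name__ == "__main__":
    # Offense 104 shares nothing, so it stays an unconnected bubble.
    for pair, shared in link_offenses(SAMPLE_OFFENSES).items():
        print(pair, sorted(shared))
```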
I urge you to play with the Incident Overview app.
As always feel free to ask any question here or by mail gregorin[@]qmasters.co.