Configuration Guide: Recorded Future Lookup for IBM QRadar

Preface

These instructions are applicable to users desiring to set up right click lookup functionality in QRadar, v7.2.3 - 7.2.5.  An app for v7.2.7 or above will be available through IBM QRadar's App Exchange in Q1 2017.

I. Customizing the Console Right-Click Menu

To provide quick access to Recorded Future’s Intelligence Cards directly from within the QRadar Console, one can customize the “right-click” menu options by using a plug-in application programming interface (API). 

Procedure

1.  Using SSH, log in to IBM® Security QRadar® as the root user.
2.  On the QRadar server, copy the ip_context_menu.xml file from the /opt/qradar/conf/templates directory to the /opt/qradar/conf directory
3.  Open the file /opt/qradar/conf/ip_context_menu.xml file for editing.
4.  Edit the file.

The file accepts menuEntry XML nodes to customize the right-click menu. 
 

<menuEntry name="{Name}" description="{Description}" exec="{Command}"

url="{URL}" requiredCapabilities="{Required Capabilities}"/>


The following list describes the attributes in the menuEntry element:

Name

           The text that is displayed in the right-click menu.

Description


           The description of the entry. The description text is displayed in the tooltip for your menu option. The description is optional.

URL


           Specifies the web address that opens in a new window. You can use the placeholder %IP%, to represent the IP address. To pass other URL parameters to this URL, you must use the &amp; option, for example, url="/lookup?&amp;ip=%IP%;force=true".


Command


           A command that you want to run on the Console. The output of the command is displayed in a new window. Use the placeholder, %IP%, to represent the IP address that is selected.


Required Capabilities


           Any capabilities, for example, "ADMIN", that the user must have before they select this option, comma-delimited. (for example, "ADMIN"). If the user does not have all capabilities that are listed, the entries are not displayed. Required capabilities is an optional field.




The edited file must look similar to the following example:

<?xml version="1.0" encoding="UTF-8"?>

<!- This is a configuration file to add custom Recorded Future IP Card lookup into the IP address right-click menu. -->

<contextMenu>

<menuEntry name="Recorded Future Lookup" url="https://www.recordedfuture.com/live/sc/entity/ip:%IP%" />

</contextMenu>


5.  Save and close the file.
6.  To restart services, type the following command:

service tomcat restart

II. Enhancing the right-click menu for event and flow columns

You can add a Recorded Future IP enrichment lookup action to the right-click options that are available on the columns in the Log Activity table or the Network Activity table. In particular, you can add an option to view more information (via Recorded Future) about the source IP or destination IP.

Restriction:

You can add options to the right-click menu on only the QRadar® SIEM Console appliance and to only some Ariel database fields.

Procedure

1. Using SSH, log in to the QRadar Console appliance as the root user.
2.  Go to the /opt/qradar/conf directory and create a file that is named arielRightClick.properties.
3.  Edit the /opt/qradar/conf/arielRightClick.properties file by adding the following lines:

pluginActions=sourceIPwebUrlAction 

sourceIPwebUrlAction.arielProperty=sourceIP

sourceIPwebUrlAction.text=Recorded Future Lookup

sourceIPwebUrlAction.url=https://www.recordedfuture.com/live/sc/entity/ip:$sourceIP$

pluginActions=destinationIPwebUrlAction

destinationIPwebUrlAction.arielProperty=destinationIP

destinationIPwebUrlAction.text=Recorded Future Lookup

destinationIPwebUrlAction.url=https://www.recordedfuture.com/live/sc/entity/ip:$destinationIP$

4.  Save and close the file.
5.  Log in to the QRadar user interface.
6.  Click the Admin tab.

7.     Select Advanced > Restart Web Server.

To learn more about Recorded Future Intelligence cards, click here.

Notes:

• These instructions are based on QRadar v7.2.3
• When a user uses the Recorded Future Lookup right-click functionality, a new browser window will open with the summary of available open web content known about the given IP Address.  Users not logged into the Recorded Future enterprise platform will see an abbreviated set of information.

Sources:

• Recorded Future internal documentation
• IBM Support page for customizing the Right Click Menu
• IBM support page for right click menus on event and flow columns