
VMRay-QRadar App v1.0.0

QRadar App for VMRay Analyzer

Documentation

© 2021 VMRay. All Rights Reserved.

Table of contents
Overview 3

Prerequisites 3

Installation 3

Configure Log Sources for VMRay Analyzer (Approach 1) 5

Configure Log Sources for VMRay Analyzer (Approach 2) 6

Configure the VMRay Analyzer integration 10

Filter VMRay Analyzer Events in Log Activity 12

VMRay Analyzer Dashboard 14

VMRay Analyzer Dashboard Items 15

VMRay Analyzer Right Click Actions 22

Extending an existing Right Click Action 26

Troubleshooting the App 27

Overview
This document describes how to install and use the QRadar App for VMRay Analyzer. The
QRadar App for VMRay Analyzer integrates the QRadar Platform with VMRay Analyzer. The app
can be configured to receive events from VMRay. The analysis reports generated by VMRay are
received as events in QRadar and can be shown in the Dashboard created by the app.

Prerequisites
Verify that your environment meets the following requirements:

1. Your QRadar platform is running one of the following versions or later:
○ IBM Security QRadar 7.3.3 Fix Pack 6
○ IBM Security QRadar 7.4.0 is not supported.
○ IBM Security QRadar 7.4.1 Fix Pack 2
○ IBM Security QRadar 7.4.2
2. You designated a Master Administrator account on the QRadar platform.
3. You have downloaded the VMRay integration file, vmray-qradar-1.0.0.zip, from the IBM Security App Exchange.

Installation
Perform the following steps to install the app on QRadar:

1. Log in to the QRadar console with Master Administrator privileges.
2. Go to the ‘Admin’ tab in the navigation menu.
3. In the System Configuration section, click ‘Extensions Management’.

Fig. Admin Tab of IBM QRadar

4. To upload the VMRay extension, click Add > Browse, browse to the downloaded file, and then click Add. Check Install immediately if you want to install the integration right after uploading it.

Fig. IBM QRadar Package Upload in Extension Management

5. After the installation succeeds, the VMRay app is shown as installed in the Extension Management window.

Fig. IBM QRadar Extension Management

Configure Log Sources for VMRay Analyzer (Approach 1)

1. Go to ‘Admin >> Data Sources >> Log Sources’.
2. Click ‘Add’.
3. Specify the Name and Description of the log source.
4. Select VMRay Analyzer as the Log Source Type.
5. Select Syslog as the Protocol Configuration.
6. Specify the Log Source Identifier as VMRay-Analyzer.
7. Uncheck Coalescing Events so that events are not grouped on the basis of Source and Destination IP.
8. Select VMRayCustom_ext as the Log Source Extension.
9. Check Enable to start parsing VMRay events.
10. Click Save.

Fig. Log Source creation page

Note: Make sure you deploy the changes after creating or changing a log source.

Configure Log Sources for VMRay Analyzer (Approach 2)

Ensure that the QRadar Log Source Management app is installed on your QRadar Console. For more information about installing the app, see Installing the QRadar Log Source Management app.

1. Open the QRadar Log Source Management app from the QRadar console.

Fig. QRadar console Admin Tab

2. Click + New Log Source, then click Single Log Source.

Fig. Log Source Selection in QRadar Log Source Management App

3. On the Select Log Source Type page, select VMRay Analyzer and click Select Protocol
Type.

Fig. Log Source Type Selection in QRadar Log Source Management App

4. Select a Syslog protocol and click Configure Log Source Parameters on the Select
Protocol Type page.

Fig. Protocol Type Selection in QRadar Log Source Management App

5. On the Configure the Log Source parameters page, enter the log source parameters,
similar to the first approach in Configure Log Sources for VMRay Analyzer (Approach
1) of this document.
6. On the Configure the Log Source parameters page, make sure to uncheck Coalescing
Events to avoid grouping of the events on the basis of Source and Destination IP and
then click Configure Protocol Parameters.

Fig. Log Source parameters configuration page

7. On the Configure the protocol parameters page, specify the Log Source Identifier.
Also, specify the encoding of the data that will be received.

Fig. Protocol parameters configuration page

8. Click Finish to add the Log Source.

Fig. Log Source list in Log Source Management App

Note: Make sure you deploy the changes after creating or changing a log source.

Configure the VMRay Analyzer integration

To configure the VMRay integration:

1. Go to the ‘Admin’ tab and click ‘Configure VMRay Analyzer Integration’.

Fig. Configure VMRay Integration

2. Add the API key that you acquired from the Analysis Settings » API Keys page of your VMRay Analyzer server. Enter the server address and click ‘Submit’. You can also configure the Polling Interval and Historical Polling Day.
Polling Interval: how often the connector pulls events from VMRay Analyzer.
Historical Polling Day: the period for which logs are pulled retrospectively from VMRay Analyzer on the first run of the connector.

Fig. VMRay Configuration UI page

3. If the configuration is correct, a success message will appear.

Fig. VMRay Configuration UI page on Credentials Saved

4. Once the integration is configured, it starts polling the VMRay server for new events, which appear in QRadar’s Log Activity tab.

Filter VMRay Analyzer Events in Log Activity

To filter the VMRay Analyzer events in Log Activity:

1. Navigate to the Log Activity tab and apply a filter.
2. Click Add Filter.
3. Select Log Source [Indexed] as the parameter.
4. Select Equals as the operator and VMRay-Submission as the value (Value -> Log Source -> VMRay-Submission).
5. Click Add Filter.

Fig. Quick Filter Menu on IBM QRadar Log Activity

6. You should now see only the VMRay Analyzer events in the event table.

Fig. Events Table for a specified Log Source

7. Double-click any event to display its Event Details page.

Fig. Event Details page for a particular event of VMRay

VMRay Analyzer Dashboard

The statistics of VMRay Analyzer events are shown in the Dashboard. To view the dashboard:

1. Go to the VMRay Analyzer Dashboard; the VMRay Dashboard is displayed as shown below.

Fig. VMRay Dashboard

VMRay Analyzer Dashboard Items

1. Filter
a. Date Filter: Filters the Dashboard by date.

Fig. Date Filter for VMRay Dashboard

b. Property Filter: Filters the dashboard by specific property.

Fig. Property Filter for VMRay Dashboard

2. Metrics:
a. Submission: Shows the count of submissions made.
b. Analysis: Shows the count of analyses performed on samples.
c. Submission with Errors: Shows the count of submissions that had errors.

Fig. Metrics for Dashboard

3. Pie Charts:
a. Sample Types: Pie Chart for different Sample Types

Fig. Pie Chart for Sample Types

b. Sample Classification: Pie Chart for different Sample classifications.

Fig. Sample Classification

c. Sample Verdict: Pie Chart for different Sample Verdicts.

Fig. Sample Verdict

4. Tables:
a. Top Threat Names: Displays the top threat names detected.

Fig. Top Threat Names Table

b. Top VMRay Threat Indicators: Displays the top VTIs found.

Fig. Top Threat Indicators Table

c. Top MITRE ATT&CK: Displays the top MITRE ATT&CK techniques detected.

Fig. Top MITRE ATT&CK Techniques Table

d. Top IPs: Displays the top IP IOCs detected.

Fig. Top IPs Table

e. Top Files: Displays the top File IOCs detected.

Fig. Top Files Table

f. Top URLs: Displays the top URL IOCs detected.

Fig. Top URLs Table

g. Top Registry Events: Displays the top Registry IOCs detected.

Fig. Top Registry Table

h. Top Domains: Displays the top Domain IOCs detected.

Fig. Top Domains Table

i. Top YARA Rules: Displays the top YARA rules matched.

Fig. Top YARA Rules Table

VMRay Analyzer Right Click Actions

1. VMRay Scan Summary

This right-click action displays the Sample Details, Threat Indicators and MITRE ATT&CK techniques for a Sample ID. Right-clicking the ‘Sample Id’ custom property of a log provides this information.

2. VMRay Sample Details by Hash

This right-click action displays the Sample Details, Threat Indicators and MITRE ATT&CK techniques for a sample hash (MD5, SHA1 or SHA256). Right-clicking any of the Sample MD5 Hash, Sample SHA1 Hash or Sample SHA256 Hash custom properties of a log provides this information.

Fig. VMRay Scan Summary Right Click Menu

Fig. VMRay Sample Details by Hash Right Click Menu

Fig. Sample Data Table UI (Right Click)

Fig. Threat Indicators Table UI (Right Click)

Fig. MITRE ATT&CK Table UI (Right Click)

3. Submit URL to VMRay Portal

This right-click action submits a URL to VMRay Analyzer for analysis.

Fig. Submit URL Right Click Menu

Fig. Submit URL Response

When a URL is successfully submitted to VMRay Analyzer, the response is shown as a pop-up message (as in the screenshot above).

Extending an existing Right Click Action

The scope of a Right Click Action can be extended to other custom properties by adding the custom property’s name to the manifest.json file. Here we demonstrate how to extend the Submit URL to VMRay Portal Right Click Action.

1. Open the manifest.json file. It is located inside the qradar-app directory.
2. Inside the gui_actions block, locate the block with the id VMRay_SubmitURL.

Fig. Manifest.json for URL only

3. As the groups field shows, this right click action currently works only for the URL custom property. It is therefore not applicable to custom properties of other logs that contain some form of URL under a different custom property name.
4. To enable this right click action for other URL custom properties of other logs (here we add it for ‘WebIf URL’), add their names to the groups field.

Fig. manifest.json with URL and WebIf URL

5. Re-install or deploy the application again to see the changes.
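The manifest edit in steps 2 to 4, as an added Python example that is not part of the VMRay app or of this guide: it works on a constructed manifest fragment (the guide names only the id and groups keys of a gui_action; the text key is assumed), appends new custom property names to the groups field of the VMRay_SubmitURL action without creating duplicates, and lists which actions apply to a given property.

```python
import copy
import json

# Constructed sample of the gui_actions block the guide describes. The guide
# names only the "id" and "groups" keys; "text" is assumed here for readability.
SAMPLE_MANIFEST = {
    "gui_actions": [
        {"id": "VMRay_ScanSummary", "text": "VMRay Scan Summary",
         "groups": ["Sample Id"]},
        {"id": "VMRay_SubmitURL", "text": "Submit URL to VMRay Portal",
         "groups": ["URL"]},
    ],
}


def extend_gui_action(manifest, action_id, new_groups):
    """Return (updated manifest, list of group names actually added).

    Appends each custom property name in new_groups to the "groups" field of
    the gui_action whose id matches action_id. Names already present are
    skipped, so re-running never produces duplicate entries. The input dict is
    left untouched. A KeyError is raised if the id is not found, so a typo in
    the id is caught before the app is redeployed.
    """
    updated = copy.deepcopy(manifest)
    for action in updated.get("gui_actions", []):
        if action.get("id") == action_id:
            groups = action.setdefault("groups", [])
            added = []
            for name in new_groups:
                if name not in groups:
                    groups.append(name)
                    added.append(name)
            return updated, added
    raise KeyError(f"no gui_action with id {action_id!r} in manifest")


def actions_for_property(manifest, property_name):
    """Ids of the right-click actions offered on the given custom property."""
    return [a["id"] for a in manifest.get("gui_actions", [])
            if property_name in a.get("groups", [])]


if __name__ == "__main__":
    # For a real app: manifest = json.load(open("qradar-app/manifest.json"))
    updated, added = extend_gui_action(SAMPLE_MANIFEST, "VMRay_SubmitURL", ["WebIf URL"])
    print("added:", added)
    print(json.dumps(updated["gui_actions"], indent=2))
    print("actions on 'WebIf URL':", actions_for_property(updated, "WebIf URL"))
```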

Troubleshooting the App

If you face a problem that is not covered above, fetch the application logs to debug the root cause of the issue. The steps to fetch the application logs are as follows:

1. SSH into the QRadar server:

ssh root@<qradar-server-ip-address>

2. List the apps on the server with the following command:

/opt/qradar/support/recon ps

3. A list of installed applications and their App-ID values is output to the screen.

4. Note down the App-ID from the previous output.

5. View the logs of the application. All logs for your App-ID are located under /store/docker/volumes/qapp-<App-ID>/log/. The directory mainly contains startup.log and app.log, along with other log files. Execute the following command to review the logs:

less /store/docker/volumes/qapp-<App-ID>/log/app.log

6. Copy logs from the QRadar server. If you want to send the app logs to VMRay, you have to copy them from the QRadar server. To do this, close the SSH connection to the QRadar server and run the following scp command on your local machine; it copies the log file into the current folder:

scp root@<qradar-server-ip-address>:<log_file_path> .

7. If you are a QRoC or non-admin user, follow the steps on this page to collect the application logs along with all the logs from the user interface.

These steps should help you troubleshoot the application. Contact VMRay Support if you need any further assistance.
