
Soc Manager plugin- Qradar SIEM

Department of Computer Science, Ben-Gurion University of the Negev

Stas Radchenko & Omri Ben Matitiau


Advisors: Dr. Itai Dinur & Mr. Dennis Potashnik

June 2018
WHAT IS SIEM?
• SIEM, short for Security Event and Information Management, is a term for software products and services that provide real-time analysis of security alerts generated by network hardware and applications; it is also used to log security data and to generate reports for compliance purposes.
• Gathers security data from many, many sources
• Correlates all of this data in real time
• Generates alerts if suspicious activity is detected
• Stores the data for a long time, providing rapid access when needed and supporting forensic investigations

2 IBM Security
WHAT IS SOC?
A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level.
Usually each SOC uses a SIEM technology for monitoring and investigating security events in its organization.
Project: Main goal
• To give the SOC manager an overview of the current state of SOC performance and to assess the analysts' capability.
How did we do it?
We developed a web application that uses QRadar resources to build features that provide visual insight into the SOC's performance, its state and the analysts' status.

How does an application run and interact with QRadar?
QRadar applications run inside an isolated Python Flask environment that is independent of the QRadar user interface. The application can also use static images, scripts, and HTML pages.
All interaction with the application is proxied through the QRadar user interface. No direct access to network ports or web services is usually permitted.

Plugin features
Offences by category feature
• Gives the distribution of the open offences by their category in a specific interval.
• The ability to analyze which offence categories are most common in the SOC.
• An insight into unusual and suspicious events that occur at a specific time.

Opened/Closed offences feature


• Gives an overview of the number of offences opened in a specific interval.
• Gives an overview of the number of offences that were handled by an analyst in a specific interval.
• The ability to see the correlation between opened offences and handled offences and to assess analyst performance.

Plugin features
Online/Offline analyst feature
• The ability to see which analysts are currently connected to QRadar and on duty.
• The ability to see which services are currently accessing QRadar resources.
• An insight into which analyst or service was recently active.

Assigned offences feature


• The ability to see the number of unattended offences.
• The ability to see the distribution of the currently handled offences among the analysts.
• The ability to notice any offline analysts who currently appear to be in charge of offences.
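The metrics behind the four features above (open offences per category in an interval, opened versus closed counts, and the assignment view with its offline-owner check), as an added example that is not the plugin's own code. It runs over a constructed list of offence records; the field names (`status`, `categories`, `start_time`, `close_time`, `assigned_to`) and the epoch-millisecond timestamps follow the QRadar offense JSON as I recall it and are an assumption, as is the `ONLINE_ANALYSTS` set standing in for the logged-in user list.

```python
from collections import Counter

# Constructed sample records in the (assumed) shape of QRadar offense JSON.
OFFENSES = [
    {"id": 1, "status": "OPEN",   "categories": ["Malware"],          "start_time": 1000, "close_time": None, "assigned_to": "alice"},
    {"id": 2, "status": "OPEN",   "categories": ["Recon", "Malware"], "start_time": 2000, "close_time": None, "assigned_to": None},
    {"id": 3, "status": "CLOSED", "categories": ["Recon"],            "start_time": 1500, "close_time": 2500, "assigned_to": "bob"},
    {"id": 4, "status": "OPEN",   "categories": ["Policy"],           "start_time": 5000, "close_time": None, "assigned_to": "bob"},
]
# Constructed: analysts currently logged in (the online/offline feature's input).
ONLINE_ANALYSTS = {"alice"}


def offences_by_category(offenses, start, end):
    """Open offences that started inside [start, end], counted per category.
    An offence with several categories contributes to each of them."""
    counts = Counter()
    for o in offenses:
        if o["status"] == "OPEN" and start <= o["start_time"] <= end:
            counts.update(o["categories"])
    return dict(counts)


def opened_closed(offenses, start, end):
    """How many offences were opened, and how many handled (closed), in the interval."""
    opened = sum(1 for o in offenses if start <= o["start_time"] <= end)
    closed = sum(1 for o in offenses
                 if o["close_time"] is not None and start <= o["close_time"] <= end)
    return {"opened": opened, "closed": closed}


def assigned_offences(offenses, online):
    """Unattended open offences, open offences per analyst, and the analysts
    who own open offences but are not currently online (the gap to flag)."""
    unattended = 0
    per_analyst = Counter()
    for o in offenses:
        if o["status"] != "OPEN":
            continue  # closed or hidden offences are not anyone's current work
        if o["assigned_to"] is None:
            unattended += 1
        else:
            per_analyst[o["assigned_to"]] += 1
    offline_owners = sorted(a for a in per_analyst if a not in online)
    return {"unattended": unattended,
            "per_analyst": dict(per_analyst),
            "offline_owners": offline_owners}
```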