# IBM QRadar

**Prerequisite:** You have to get the AIShield AI Security Monitoring DSM for QRadar from IBM App Exchange to get started with the steps below.

## 1. Overview

AIShield is an AI security product designed to protect AI-powered devices in the face of emerging security threats such as model extraction, evasion, data poisoning, and model inference attacks. AIShield provides automated hacker-level vulnerability analysis and endpoint protection to harden the systems against emerging AI security threats. AIShield provides a threat informed endpoint defense (EDR) that integrates with IBM QRadar® SIEM to deliver enhanced real-time monitoring capabilities to security teams for their AI assets, giving them insights into AI security incidents. IBM QRadar® provides a robust solution for security information and event management (SIEM), anomaly detection, incident forensics, and vulnerability management.

This document provides the information to install and configure the AIShield DSM for QRadar®.

### App content

As of now (version 1.0.0), the package includes the following items:

| Content type | Contents |
|---|---|
| Log Source Type | 1 |
| Log Source Extension | 1 |
| QIDmap | 5 |
| Custom Property Name | 2 |
| Custom Rule Event | 5 |

## 2. Installation

### Prerequisite for AIShield

Users will have to leverage the AIShield product to scan their AI model for vulnerabilities and generate a threat informed endpoint defense (EDR) capable of integrating with IBM QRadar® SIEM. To complete this step, please get in touch with AIShield at aishield.contact@bosch.com.

The application installation requires access to the QRadar® console machine via a web interface. The web interface can be accessed via `https://<<QRadarConsoleIP>>/`.

### Prerequisite for QRadar version

QRadar® version 7.3.3 or above.

### Installation process

1. Log in to the QRadar® console.
2. Go to Admin → Extension Management.
3. Download the AIShield AI Security Monitoring app for QRadar® v1.0.0 from IBM App Exchange.
4. Choose the downloaded ZIP file by clicking on Add.
5. QRadar® will prompt a list of changes being made by the app. Click on the Install button.
6. Thereafter, it will show a window that the app is installed successfully, along with the DSM event mappings list.
7. Clear the cache and refresh the browser window after the app gets installed successfully.

## 3. App configuration

### 3.1 Create log source

To create a log source in QRadar® (through the Log Source Management app) for ingesting data from AIShield, perform the following steps:

1. Go to the Log Source Management app via the Admin panel.
2. A separate window will pop up. Click on the + New Log Source button.
3. Select Log Source Type as "AIShield".
4. For receiving data sent through the TCP/UDP protocol from the AIShield threat informed defense model, select Protocol Type as "HTTP Receiver".
5. In the section under Configure Log Source Parameters, enter the name of the log source, keep the log source enabled and keep the Coalescing Events checkbox disabled.
6. In the section under Configure the Protocol Parameters, enter the Log Source Identifier, e.g. 'aishield'.

   Note: The value of the Log Source Identifier used in this step must also be used in the "Log Source Identifier" field while configuring the AIShield QRadar® plugin. Ensure that the correct value is entered for the Log Source Identifier field, otherwise ingested events would not be identified as AIShield events.
7. Now click on the Skip Test and Finish button, then go to step 3.2 Deploy.

### 3.2 Deploy

1. Click on Deploy.
2. To collect events in QRadar®, configure the QRadar® HTTP Receiver endpoint. For more information about this protocol, see HTTP Receiver protocol configuration options.

## 4. Configure an AIShield threat informed defense (EDR) using the HTTP Receiver protocol

Collect events from the AIShield threat informed endpoint defense (EDR) in QRadar® by using the HTTP Receiver protocol.

1. Configure your AIShield threat informed endpoint defense (EDR) to communicate with QRadar®. For more information, contact AIShield support (see section 6).
2. Update the QRadar® HTTP Receiver endpoint in the defense model Python file to send attack telemetry to QRadar®: `url = <<QRadar HTTP Receiver endpoint:port>>`
3. After successfully receiving events via the created log source, the status of the log source will be OK.
4. To confirm logs in QRadar®, go to Log Activity and see the result (the AIShield DSM will normalize these logs).
5. We have configured custom rule events to create offenses based on the AI attack telemetry. Go to Offenses and see the list of rules.
6. These custom event rules will match the criteria and create offenses related to AI security in QRadar®.

### AIShield sample event messages

Use these sample event messages as a way of verifying a successful integration with QRadar®. The following samples show the event messages produced when you use the AIShield threat informed endpoint defense (EDR) with the AIShield DSM.

**Event name:** AIShield image classification model extraction vulnerability detection
**Low level category:** AI model extraction
**Sample log:**

```json
{
  "rawmessage": "image classification ai model extraction attack identified",
  "service_name": "image classification extraction defense engine",
  "asset_id": "model_01",
  "source_name": "na",
  "probability": 0.9,
  "attack_name": "model attack",
  "timestamp": "2021-12-03T00:50:23Z"
}
```

**Event name:** AIShield image classification model evasion vulnerability detection
**Low level category:** AI model evasion
**Sample log:**

```json
{
  "rawmessage": "image classification ai model evasion attack identified",
  "service_name": "image classification evasion defense engine",
  "asset_id": "model_01",
  "source_name": "na",
  "probability": 0.8,
  "attack_name": "model attack",
  "timestamp": "2021-12-03T00:50:23Z"
}
```

**Event name:** AIShield tabular classification AI model extraction attack identified
**Low level category:** AI model extraction
**Sample log:**

```json
{
  "rawmessage": "tabular classification ai model extraction attack identified",
  "service_name": "tabular classification extraction defense engine",
  "asset_id": "model_02",
  "source_name": "na",
  "probability": 0.9,
  "attack_name": "model attack",
  "timestamp": "2021-12-03T00:50:23Z"
}
```

**Event name:** AIShield timeseries forecasting AI model extraction attack identified
**Low level category:** AI model extraction
**Sample log:**

```json
{
  "rawmessage": "timeseries forecasting ai model extraction attack identified",
  "service_name": "timeseries forecasting extraction defense engine",
  "asset_id": "model_02",
  "source_name": "na",
  "probability": 0.9,
  "attack_name": "model attack",
  "timestamp": "2021-12-03T00:50:23Z"
}
```

## 5. Troubleshooting

### Case #1: AIShield events show up as unknown events

**Problem:** AIShield events show up as unknown events.

**Troubleshooting steps:**

1. Go to Log Activity.
2. Click on Add Filter. Select Parameter → Log Source Type [Indexed], Operator → Equals, and Log Source → AIShield.
3. Select 'Last 7 days' in the Views filter dropdown.
4. If any events come up as unknown:
   1. Right-click on that particular event.
   2. View in DSM Editor.
   3. Check the value of Event ID and Event Category under Log Activity Preview.
   4. If the Event ID and Event Category values come up as unknown, please contact AIShield support (aishield.contact@in.bosch.com).

### Case #2: AIShield events are not being ingested in QRadar®

**Problem:** AIShield events are not being ingested in QRadar®.

**Troubleshooting steps:** Make sure the port used to receive the events is open. If you are still facing the issue, contact support.

## 6. Support

For help using the AIShield platform or the AIShield threat informed endpoint defense (EDR) app for IBM QRadar®, please contact AIShield support. You can also send an email to aishield.contact@in.bosch.com with questions about this.
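As an added example (not AIShield's or IBM's own code), the following Python builds a telemetry event in the shape of the sample messages in section 4, checks a payload for the defects that later surface as unknown events or as nothing ingested (invalid JSON, missing fields, out-of-range probability, malformed timestamp), and posts it to the HTTP Receiver log source. The underscored field names, the `build_event` parameters and the receiver URL format are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Field names follow the sample events in this guide; the underscores are assumed.
REQUIRED_FIELDS = ("rawmessage", "service_name", "asset_id", "source_name",
                   "probability", "attack_name", "timestamp")
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # e.g. 2021-12-03T00:50:23Z, as in the samples

def build_event(task, attack, asset_id, probability):
    """One telemetry event shaped like the guide's samples, e.g.
    task="image classification", attack="extraction", asset_id="model_01"."""
    return {
        "rawmessage": f"{task} ai model {attack} attack identified",
        "service_name": f"{task} {attack} defense engine",
        "asset_id": asset_id,
        "source_name": "na",
        "probability": probability,
        "attack_name": "model attack",
        "timestamp": datetime.now(timezone.utc).strftime(TIMESTAMP_FORMAT),
    }

def to_json(event):
    """Serialise exactly what would be sent to the HTTP Receiver."""
    return json.dumps(event)

def validate_event(raw):
    """Return the problems in a JSON payload (empty list if it is fine): the defects
    that surface as 'unknown' events in Log Activity, or as nothing ingested at all."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in event]
    prob = event.get("probability")
    if isinstance(prob, bool) or not isinstance(prob, (int, float)) or not 0 <= prob <= 1:
        problems.append("probability must be a number between 0 and 1")
    try:
        datetime.strptime(event.get("timestamp", ""), TIMESTAMP_FORMAT)
    except (ValueError, TypeError):
        problems.append("timestamp must be UTC ISO 8601, e.g. 2021-12-03T00:50:23Z")
    return problems

def send_event(receiver_url, event, timeout=5.0):
    """POST one event to the HTTP Receiver log source; receiver_url is a placeholder
    such as http://<<QRadarConsoleIP>>:<<port>>/. Returns the HTTP status code."""
    req = urllib.request.Request(receiver_url, data=to_json(event).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

Run `validate_event` on the exact bytes the defense model emits before opening a Case #1 ticket: a trailing comma (as in a hand-edited sample) or a missing `attack_name` is reported here instead of appearing as an unknown event in QRadar.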