To enrich the security alerts generated by Labyrinth Deception Platform, our team has developed a deep integration with one of the most popular and functional SIEM systems – IBM QRadar. This two-way integration allows both systems to expand their functionality, increasing the efficiency of cybersecurity departments and SOCs and improving detection accuracy, which saves time for security officers.
Implemented vectors of integration with QRadar SIEM:
Sending information about security incidents to QRadar via Syslog in CEF format
Enriching alerts with information received from QRadar via API
Detecting the use of fake credentials created by Labyrinth on real hosts, using logs from QRadar
First of all, Labyrinth can easily be configured to send information about detected malicious activity to a QRadar instance (or any other SIEM system). Interaction with the SIEM is performed over the Syslog protocol, and the structure of the events sent is fully compliant with CEF (Common Event Format).
For correct parsing and mapping of events in QRadar, a “Log Source Extension” was created. An example of how one of the security alerts is displayed in the SIEM:
An operator of Labyrinth Deception Platform additionally receives the information about a compromised host that is available in QRadar. This data significantly expands the context of security events and saves the time otherwise spent searching for information in the SIEM during a detailed incident investigation. It can include both the location and functional purpose of the host and data about the direct users of that host:
A separate type of alert in Labyrinth is the detection of an attacker using credentials that were distributed inside file decoys. This alert indicates an attacker's attempt to gain maximum access to the corporate IT network using all previously collected, potentially suitable data, including information from Seeder Tasks (breadcrumbs):
At the same time, Labyrinth can match the credentials used by an attacker to the host from which they were obtained, that is, the host the attacker first accessed and whose file system they then explored. Very often, this host is the attacker's initial entry point into the corporate network, for example via a phishing email with attachments.
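To make the message format and the third integration vector concrete, here is an added example (not Labyrinth's or QRadar's own code): a small CEF encoder/decoder that applies the CEF escaping rules, and a check that flags an authentication event in which a Labyrinth-planted account is used on a host that is not a decoy. The vendor strings, hostnames, account names and the "x.y" version are constructed samples, and the Log Source Extension itself is not reproduced.

```python
import re

# Minimal CEF (Common Event Format) encoder/decoder plus a honeytoken check; all sample values are constructed.
HEADER = ("cef_version", "vendor", "product", "device_version", "sig_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of a key=value pair in the extension

def _esc_header(s):  # header fields: backslash and pipe must be escaped
    return str(s).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s):  # extension values: backslash, '=' and newline must be escaped
    return str(s).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def format_cef(vendor, product, device_version, sig_id, name, severity, ext):
    """Build one CEF:0 line; the extension is space-separated key=value pairs."""
    head = "|".join(_esc_header(f) for f in ("CEF:0", vendor, product, device_version, sig_id, name, severity))
    return head + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())

def _split_header(line):  # -> (seven header fields, remaining extension text)
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):  # escaped character: keep it literally
            buf.append(line[i + 1]); i += 2; continue
        if c == "|": fields.append("".join(buf)); buf = []
        else: buf.append(c)
        i += 1
    return fields, line[i:]

def parse_cef(line):
    fields, ext = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    event = dict(zip(HEADER, fields))
    keys = list(_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):  # a value runs up to the next key
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        event[m.group(1)] = re.sub(r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), raw)
    return event

def flag_honeytoken_use(events, honeytokens, decoy_hosts):
    # A logon with a Labyrinth-planted account on a real (non-decoy) host is the signal to alert on.
    return [{"user": e["suser"], "host": e["dhost"], "src": e.get("src"), "event": e["name"]}
            for e in events if e.get("suser") in honeytokens and e.get("dhost") not in decoy_hosts]
# Constructed samples: a decoy alert as Labyrinth might emit it, and a Windows logon as QRadar would forward it.
SAMPLE = [
    format_cef("Labyrinth", "Deception Platform", "x.y", "100", "Decoy login attempt", 7,
               {"src": "10.0.0.5", "dhost": "decoy-fs01", "suser": "svc_backup", "msg": "pipe | kept"}),
    "CEF:0|Microsoft|Windows|10|4624|Logon success|3|src=10.0.0.5 dhost=hr-ws12 suser=svc_backup msg=a\\=b",
]
HONEYTOKENS, DECOY_HOSTS = {"svc_backup"}, {"decoy-fs01"}
```

Running `flag_honeytoken_use([parse_cef(l) for l in SAMPLE], HONEYTOKENS, DECOY_HOSTS)` returns only the logon on hr-ws12, since the same account on the decoy itself is expected behaviour rather than a sign of lateral movement.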
The Labyrinth development team continues to work on even closer integration with IBM QRadar, expanding functionality and providing more advanced features derived from the synergy of the two integrated systems.