
Management

Event Dictionary

Working with event definitions

CYBERQUEST ships with a full event dictionary built around Windows operating systems. The dictionary is under continuous expansion, and future platform releases will start including event dictionaries for all major supported technologies.

A list of all events available at the time of editing this document can be found in Appendix: Event Dictionary.

Unlike other SIEM solutions on the market, CYBERQUEST's dictionary is open, which means at any time you can edit, export and delete existing event definitions, or create and import new ones -- building your own dictionary supporting technologies you have under management.

The event dictionary can be accessed from the Web Interface by navigating to Settings > Management > Event Dictionary. The page opens, listing the defined objects. Here you can manage existing definitions and, from the Actions menu, import an object or create a new definition from scratch.

  • To export a definition, press the Export button next to it. The export is saved as a proprietary CQO file. Likewise, to import a definition, select Import in the Actions menu.

  • To update the event dictionary, press the Update button.

  • To edit the details of a specific object, press the Edit button next to it. The Edit event definition window opens, allowing you to change the Name and Description, correct the Script, or enable/disable the object.

  • To delete an event from the list, press the Delete button next to it. As a precaution, you will be asked to confirm the deletion.

  • Events can be searched in the Quick Filter bar by event ID, event name or description.


Creating a new event definition

In the Event Definitions page, select the add button from the Actions menu. The Add Event Dictionary configuration page opens, allowing you to create the new definition.

All fields are free text, which gives complete freedom in defining a new event. The template provides up to 150 custom fields. As a general recommendation, it is advisable to define a company-wide standard for issuing EventIDs, event names and platforms for all the applications in scope.

When you have finished creating the parser, press the Save button to save your changes.

Managing dashboards

The Dashboards page allows you to configure in detail the appearance and behaviour of dashboards in the Dashboards module. To access the page, go to Settings > Management > Dashboards. All dashboard objects in your CYBERQUEST instance are listed here.

Dashboards can be exported, imported, edited or deleted using the corresponding buttons next to each entry.

To create a dashboard, press the New button. The Save Dashboard window opens, allowing you to configure the dashboard.

Press "Save" to save your changes and close the window, or "Cancel" to close the window without saving.

Managing filters

The Filters page allows you to modify predefined filters or create new ones. To access the page, go to Settings > Management > Filters.

To edit an existing filter, press the Edit button next to it; to create a new one, select the add button in the Actions menu. The Edit Filter configuration page opens.

All predefined filters have queries built on compliance standards. Editing them usually requires advanced knowledge of building queries. As a general recommendation, it is advisable to always create a new filter based on an existing one and test it before introducing it to production.

When you have finished creating or editing the filter, press the "Save" button to save your changes.

Managing objects

The Objects Management page allows you to modify predefined objects or create new ones. To access the page, go to Settings > Management > Objects.

Anything can be an object: users, computers, IP addresses, an IP address range, network equipment and so on. Most objects are created automatically. For example, when a new Windows domain account logs in, the corresponding object is also created.

New objects can also be created manually, or imported from a CSV file. Once added to the system, they can be edited by pressing the Edit button. The list of editable attributes is limited (name, value, corresponding object list). Their role in the platform is to provide consistent display in lists, making it easier for an administrator to correctly identify the target of an investigation.

Agent Manager

The Agent Manager page allows you to register a new agent and to download the Windows agent for manual deployment. To access this page, go to Settings > Management > Agent Manager.

  • Edit agent settings: allows you to edit the agent configuration.

  • Set status manually deploy / not deployed: allows you to choose the agent status between two options: Manually deploy and Not deployed.

  • Start agent service: starts the CYBERQUEST agent service on the target machine.

  • Stop agent service: stops the CYBERQUEST agent service on the target machine.

  • Uninstall service: uninstalls the agent service.

The Register new agent button deploys the CYBERQUEST agent on Windows or Linux operating systems.

For more details about how to register a new agent, please access the link below: Collecting with CQ Windows agent.

Download windows agent: downloads the latest version of the CYBERQUEST agent. The agent must be installed on a Windows target machine; the file is downloaded as "AgentSetup.msi".

For more details on how to manually deploy the agent, please follow the link: How to manually deploy the agent

Data Source Manager

The Data Source Manager page allows you to add data sources. To access this page, go to Settings > Management > Data Sources Manager. All data sources in your CYBERQUEST instance are listed here.

  • Bulk Clone: clones the current data source settings for each element of the "Bulk Clone" field;
  • Clone: clones the data source;
  • Edit: edits the data source;
  • Delete: deletes the data source.

To add a new data source, press the Add button. A window opens allowing you to select the desired data source from a predefined list.

Complete the form and press the "Save" button to save your changes, or the "Cancel" button to close the window without saving.

The Select datasource button reveals a menu with the following buttons:

  • Assign Agent: assigns one or more agents to data sources. Select the desired data sources using the checkbox on the left, press the "Assign Agent" button and select the agent that will collect data and send it to CYBERQUEST.
  • Unassign Agents: unassigns the agent or agents from multiple data sources. Select the desired data sources using the checkbox on the left and click the "Unassign Agents" button; collection from the selected data sources stops.
  • Bulk delete: deletes multiple data sources. Select the desired data sources using the checkbox on the left and click the "Bulk delete" button.
  • Close selection: closes the menu.

To check how to add/collect data from different types of datasources, please follow the link:

Discovered Data Sources

Credential Manager

The Credential Manager allows you to create sets of credentials used for collecting data. The Windows agent needs an account with administrative rights to collect data. To access this page, go to Settings > Management > Credential Manager.

On this page you can add, edit and delete access credentials for collection agents.

To edit credentials, press the Edit button. This process is almost identical to adding credentials.

You can also delete credentials by pressing the Delete button.

To create credentials, press the Add button and complete the form:


Name: the name given to the credentials. More than one set of credentials can be created.

Username/Email: the username or email address.

Password: the password.

Confirmation Password: confirm the password.

Domain: the domain name, when a domain user is used.

Notes: details about the credentials.

Click the "Save" button to confirm the creation of your credentials, or cancel by pressing the "Cancel" button.

Vulnerability Manager

The Vulnerability Assessment Module is provided by integration with OpenVAS (https://www.openvas.org/), a full-featured vulnerability scanner.

The scanner obtains the tests for detecting vulnerabilities from a feed that has a long history and daily updates. To see more information about Vulnerability Manager function, please follow the link: Vulnerability Manager.

Tag Alias

Tag Alias is a function that allows events to be parsed with a parser other than the original one assigned by the data server.

To see more information about this function, please follow the link: Tag Alias

UEBA Manager

A tool like UEBA Manager can help organizations identify and respond to security threats, reduce the risk of data breaches and insider threats, and enhance the overall security posture. With UEBA Manager, security teams can spot and address insider threats, such as staff members accessing private information or downloading unusually large amounts of data.

Users accessing data outside of their regular working hours, users connecting to systems from unusual locations, or users accessing data they do not typically work with: all of these behaviours can be recognized by UEBA Manager.

The page allows you to set the membership of users, assets and events in their related groups (AssetGroup, UserGroup, EventGroup).

To access the page, go to Settings > Management > UEBA Manager.

For more information about the UEBA Manager function, please follow the link: How to manage Ueba

Data-Storage

Data-Storage allows for advanced configuration of the data storages used by CYBERQUEST. To edit Data-Storage, open the /var/opt/cyberquest/datastorage/conf.xml file on the CYBERQUEST server.

You can find all configurable variables in the following table:

Parameter | Description | Default value
--- | --- | ---
dbDriver | Driver of the MySQL DB server | com.mysql.jdbc.Driver
dbUserName | Username for the MySQL DB server | root
dbPass | Password for the MySQL DB server | ****
dbUrl | Address of the MySQL DB server | jdbc:mysql://127.0.0.1:3306/config
dbAlternateUrl | Address of the alternate MySQL DB server | jdbc:mysql://127.0.0.1:3306/config
serverGuid | Globally Unique Identifier (GUID) of the server | D39498A9-1C85-0379-1E78-C161E6FFEEEA

To edit Data-Storage from the web application, open Settings > Application Settings > Data Storage. The Data Storage settings page opens.

To make changes to the variables, use the Edit button. After editing, press the "Save" button to save your changes, or the "Cancel" button to discard them.

You can find all configurable variables in the following table:

Parameter | Description | Default value
--- | --- | ---
maxEventsPerFile | Maximum number of events allowed per stored file | 20000
fileWriterTimeout | Timeout interval for the event writer | 60
mqUserName | Administrative username for MQ service access | cq
mqPassword | Password of the MQ service user | ****
mqHost | MQ service server. In distributed architectures, it may differ from the default CYBERQUEST server | 127.0.0.1
mqVhost | MQ service virtual server. In distributed architectures, it may differ from the default CYBERQUEST server |
mqPort | Network communication port used by the MQ service | 5672
mqExchangeName | Exchange name used by the MQ service | eventsExchange
mqQueueName | MQ queue name | jobCommands
mqReceiveQueueType | MQ Receive queue type | fanout
mqRouting | Routing path for message queues | agents
mqReceiveCommandExchangeName | MQ Receive command exchange name | eventsExchange
mqReceiveCommandQueueName | MQ Receive command queue name | jobCommands
mqReceiveCommandQueueType | MQ Receive command queue type | direct
mqReceiveCommandRouting | MQ Receive command routing path | servers
mqSendExchangeName | MQ Send exchange name |
mqSendQueueName | MQ Send queue name | archive
mqSendRouting | MQ Send routing path | agents
mqSendQueueType | MQ Send queue type | direct
encryptionPublicKeyFilePath | File path of the defined public key | /var/opt/cyberquest/encryption/datastorage/public_key.txt
encryptionPrivateKeyFilePath | File path of the defined private key | /var/opt/cyberquest/encryption/datastorage/private_key.txt
elasticClusterName | Online DataStorage cluster name | ES.
elasticHostName | Online DataStorage host name | 127.0.0.1
encryptionPrivateKeyPassword | Password of the defined private key | ***
encryptionPrivateKeyPasswordPath | File path of the defined private key password | /var/opt/cyberquest/encryption/datastorage/privateKeyPassword.txt
fileImportThreads | Number of threads used for import | 5
mqQueueType | Queue type | direct
mqReceiveExchangeName | MQ Receive exchange name | DA.publish
mqReceiveQueueName | MQ Receive queue name | DataStorage
mqReceiveRouting | MQ Receive routing key | agents
mqAlternateHost | Alternate host name to use if the current queue is dead | 127.0.0.1
mqVHost | MQ Receive virtual host | /
elasticUserName | Online DataStorage user name | cq
elasticPassword | Specifies the password for defined private key | ***
ElasticSearchIsHttpsConnection | Online DataStorage HTTPS connection | 1
ElasticSearchIsUserAuth | Online DataStorage user auth | 1
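Several of the parameters above decide whether stored events and their credentials are protected in transit and at rest (the HTTPS and user-auth switches for the Online DataStorage, the MQ and Elastic account passwords, and where the private key password lives). The following audit script is an added example, not CYBERQUEST code: it assumes the settings are available as a plain name-to-value mapping using the parameter names from the table, and the sample values and the severity scale are constructed for illustration.

```python
"""Audit CYBERQUEST Data Storage parameters for weak security settings.

Added example, not CYBERQUEST code. It assumes the settings are available as a
name -> value mapping keyed by the parameter names documented in the table
above; the sample values below are constructed for illustration.
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WEAK_PASSWORDS = {"", "****", "***", "changeme", "password", "admin", "cq"}

# Constructed sample: a server whose Online DataStorage and MQ run on other hosts.
SAMPLE_SETTINGS = {
    "mqUserName": "cq",
    "mqPassword": "cq",
    "mqHost": "10.0.0.5",
    "mqPort": "5672",
    "encryptionPrivateKeyFilePath": "/var/opt/cyberquest/encryption/datastorage/private_key.txt",
    "encryptionPrivateKeyPassword": "",
    "encryptionPrivateKeyPasswordPath": "/var/opt/cyberquest/encryption/datastorage/privateKeyPassword.txt",
    "elasticHostName": "10.0.0.6",
    "elasticUserName": "cq",
    "elasticPassword": "changeme",
    "ElasticSearchIsHttpsConnection": "0",
    "ElasticSearchIsUserAuth": "1",
}


def audit_datastorage(settings):
    """Return findings as (severity, parameter, message) tuples, highest first."""
    findings = []

    def flag(severity, parameter, message):
        findings.append((severity, parameter, message))

    # Transport protection matters most when the Online DataStorage is remote.
    es_remote = settings.get("elasticHostName", "127.0.0.1") not in LOOPBACK
    if settings.get("ElasticSearchIsHttpsConnection", "1") != "1":
        flag("HIGH" if es_remote else "MEDIUM", "ElasticSearchIsHttpsConnection",
             "Online DataStorage connection is not HTTPS"
             + ("; the link leaves the host" if es_remote else ""))
    if settings.get("ElasticSearchIsUserAuth", "1") != "1":
        flag("HIGH", "ElasticSearchIsUserAuth",
             "Online DataStorage is used without user authentication")

    # Credential hygiene for the MQ and Online DataStorage accounts.
    for user_key, pass_key in (("mqUserName", "mqPassword"),
                               ("elasticUserName", "elasticPassword")):
        user = settings.get(user_key, "")
        password = settings.get(pass_key, "")
        if password.lower() == user.lower():
            flag("HIGH", pass_key, "password equals the username")
        elif password.lower() in WEAK_PASSWORDS:
            flag("HIGH", pass_key, "password is empty, masked or a common default")

    # 5672 is the plain (non-TLS) AMQP port; worth a look when MQ is remote.
    if settings.get("mqHost", "127.0.0.1") not in LOOPBACK and settings.get("mqPort") == "5672":
        flag("LOW", "mqPort", "MQ is remote on the plain AMQP port; verify transport protection")

    # A private key password stored inline is readable by anyone who can read
    # the settings; the path-based option keeps it in a file with its own permissions.
    if settings.get("encryptionPrivateKeyPassword"):
        flag("MEDIUM", "encryptionPrivateKeyPassword",
             "private key password stored inline; prefer encryptionPrivateKeyPasswordPath")
    elif not settings.get("encryptionPrivateKeyPasswordPath"):
        flag("MEDIUM", "encryptionPrivateKeyPasswordPath",
             "no private key password configured inline or by path")

    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, parameter, message in audit_datastorage(SAMPLE_SETTINGS):
        print(f"[{severity}] {parameter}: {message}")
```

Run against the constructed sample, the audit reports the missing HTTPS on a remote Elastic link, the MQ password that equals its username, the default Elastic password and the unencrypted remote AMQP port; a hardened copy of the same settings produces no findings.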

In the list below we have defined some examples of jobs:

Data Sources Status

Working with Data source status feature

To verify the collection status of all sources that send events to CYBERQUEST, or that are collected by CYBERQUEST, the tool provides a dedicated status screen.

In the Web Interface select Settings > Management > Data Sources Status. The Data Sources Status page opens, listing all data sources collected by CYBERQUEST.

The collection status is colour-coded for each data source. The available statuses are:

  • Disabled

  • Collecting

  • Stopped or critical error

  • Waiting for next collection

An icon next to a source indicates that its collection is scheduled to execute at defined time intervals; all other sources are collected in real time. At any time you can sort the list by any of the columns, or export the list by pressing the Export button.

Note that, due to the large number of data collections CYBERQUEST can support, the collection status list can grow very long.

You can choose to display up to 100 entries per status page. Do not combine a large number of entries with automated page refresh, to avoid a decrease in performance. The columns menu at the top of the page allows you to choose which columns are displayed for all entries in the list. These are described in the table below:

Field | Description
--- | ---
Computer Name | Source name (network IP address or resolved FQDN)
Log Name | Name of the log source
Type | Log type
Messages | Number of collected events
Last Received Time | Last current (server) time when data was received from the source
Last Local Time | Last device time when data was received from the source
Last Update Time | Last time a modification was made to the data source
Last Message | Last message from the data collector
Last Error | Last error message from the data collector
Next Collection | Date and time when the next collection will start
Producer | Module or agent that collected the events
Producer Uptime | Uptime of the module or agent that collects the events
Extra Data | Comments
Alert Interval Minutes | Time interval for checking the source status
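The status columns are also the raw material for a routine check that the human eye misses on a long list: a source that has gone quiet for longer than its own Alert Interval Minutes, a device whose Last Local Time drifts far from the Last Received Time (its event timestamps will not correlate), and a collector whose Last Error is set. The script below is an added example, not CYBERQUEST code; it assumes each row is a mapping keyed by the column names above, with times as "YYYY-MM-DD HH:MM:SS" strings in UTC, and the rows and the reference time are constructed.

```python
"""Flag silent, skewed or failing log sources from Data Sources Status rows.

Added example, not CYBERQUEST code. It assumes each row is a mapping keyed by
the column names from the status table, with times as 'YYYY-MM-DD HH:MM:SS'
strings in UTC; the rows below and the reference time are constructed.
"""
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows; the time they are checked against is fixed so that
# the results are reproducible.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Computer Name": "dc01.corp.example", "Log Name": "Security", "Type": "Windows Event Log",
     "Messages": 120394, "Last Received Time": "2024-06-01 11:58:10",
     "Last Local Time": "2024-06-01 11:58:09", "Last Error": "", "Alert Interval Minutes": 15},
    {"Computer Name": "fw-edge", "Log Name": "syslog", "Type": "Syslog",
     "Messages": 88, "Last Received Time": "2024-06-01 09:10:00",
     "Last Local Time": "2024-06-01 09:09:58", "Last Error": "", "Alert Interval Minutes": 30},
    {"Computer Name": "app01", "Log Name": "Application", "Type": "Windows Event Log",
     "Messages": 5120, "Last Received Time": "2024-06-01 11:59:00",
     "Last Local Time": "2024-06-01 11:29:00", "Last Error": "", "Alert Interval Minutes": 10},
    {"Computer Name": "db02", "Log Name": "Security", "Type": "Windows Event Log",
     "Messages": 0, "Last Received Time": "2024-06-01 11:55:00",
     "Last Local Time": "2024-06-01 11:55:00", "Last Error": "Access is denied",
     "Alert Interval Minutes": 10},
]


def parse_time(text):
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc)


def check_sources(rows, now=NOW, max_skew=timedelta(minutes=5)):
    """Return (computer, log, kind, detail) findings for sources needing attention."""
    findings = []
    for row in rows:
        source = (row["Computer Name"], row["Log Name"])
        received = parse_time(row["Last Received Time"])   # server-side time
        local = parse_time(row["Last Local Time"])         # device-side time
        interval = timedelta(minutes=row["Alert Interval Minutes"])

        # Silent source: nothing received within its own alert interval. A
        # source going quiet is a gap in monitoring coverage.
        silence = now - received
        if silence > interval:
            minutes = int(silence.total_seconds() // 60)
            findings.append(source + ("SILENT", f"no events for {minutes} min"))

        # Clock skew: server and device time far apart means the device's own
        # timestamps cannot be trusted when correlating its events with others.
        skew = abs(received - local)
        if skew > max_skew:
            minutes = int(skew.total_seconds() // 60)
            findings.append(source + ("CLOCK_SKEW", f"device clock off by {minutes} min"))

        # Collector error: the collector reported a failure on its last attempt.
        if row.get("Last Error"):
            findings.append(source + ("ERROR", row["Last Error"]))
    return findings


if __name__ == "__main__":
    for computer, log, kind, detail in check_sources(SAMPLE_ROWS):
        print(f"{kind:<10} {computer}/{log}: {detail}")
```

On the constructed rows the check reports the firewall as silent (last event 170 minutes ago against a 30 minute interval), the application server as skewed by 30 minutes, and the database server's access error; the domain controller, which is current and in sync, produces no finding. The same function can be pointed at the exported status list once its rows are loaded into the same shape.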

PlayBooks

Playbooks automate and streamline the incident response process, allowing security teams to respond effectively and efficiently to threats. These playbooks are developed based on industry best practices, regulatory requirements, and an organization's specific security policies. The goal is to ensure a consistent and coordinated approach to incident response, minimizing the impact of security breaches and enabling quick remediation.

To access the Playbooks interface, navigate to Settings > Management > Playbooks.

  • Event Trigger: CYBERQUEST detects a suspicious event, such as a network intrusion attempt or a high-severity alert from a security device. Playbook execution can be triggered automatically by an alert (when setting alert actions), or manually from the event actions or the alert actions.

You have the option to edit, delete or add a playbook.

Adding a playbook

To add a new playbook and orchestrate actions, click "New Playbook". The orchestration is done graphically, and each playbook contains two mandatory blocks, called start and end.

CYBERQUEST orchestrates actions based on the criteria defined in the playbook section. Actions are grouped by vendor and are used by dragging and dropping them onto the canvas.

Specific actions can be triggered only under certain conditions.

All actions communicate with each other through an environment object. This object contains the Alert/Event and permits saving information between actions.

This object has the following definition:

    {
      "Event": {
        // ... the event, populated automatically by CyberQuest
      },
      "Alert": {
        // ... the alert, populated automatically by CyberQuest
      },
      "playbookGUID": "...",      // the individual playbook definition
      "startDate": 1685004728,    // unix timestamp
      "endDate": 1685004728,      // unix timestamp
      "status": "SUCCESS",
      "history": [
        {
          "inputEnviroment": {
            // populated with the input environment of the individual step
          },
          "outputEnviroment": {
            // populated with the output environment of the individual step
          },
          "startDate": 1685004728, // unix timestamp
          "endDate": 1685004728,   // unix timestamp
          "status": "SUCCESS"
        }
      ]
    }

On execution, CYBERQUEST modifies this object to store the execution history and to log the execution. All actions have access to this object.
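To make the environment object concrete, the following is an added example of a small playbook runner written against the layout above (Event, Alert, playbookGUID, startDate, endDate, status, and a history entry with inputEnviroment and outputEnviroment per step). It is not CYBERQUEST's engine: the two actions, the reputation table, the event, the GUID and the fake clock are all constructed. It shows how one action's output (a reputation verdict written into Alert) becomes the next action's input, and how a failing step leaves a FAILED entry in the history and stops the playbook.

```python
"""Run a toy playbook and record its history in the environment object.

Added example, not CYBERQUEST's engine. The environment layout follows the
definition on this page; the actions, reputation table, event and GUID are
constructed for illustration.
"""
import copy
import itertools


def new_environment(event, alert, playbook_guid, now):
    return {"Event": event, "Alert": alert, "playbookGUID": playbook_guid,
            "startDate": now, "endDate": None, "status": "RUNNING", "history": []}


def snapshot(env):
    """Copy of the shared state an action sees, without the history itself."""
    return copy.deepcopy({k: v for k, v in env.items() if k != "history"})


def run_playbook(env, actions, clock):
    """Execute actions in order; each step's input/output is recorded in history.

    A failing action marks both the step and the playbook FAILED and stops
    execution, so the history shows exactly where things went wrong.
    """
    for action in actions:
        step = {"inputEnviroment": snapshot(env), "startDate": clock()}
        try:
            action(env)
            step["status"] = "SUCCESS"
        except Exception as exc:  # the error text becomes part of the step log
            env["Alert"]["error"] = f"{action.__name__}: {exc}"
            step["status"] = "FAILED"
        step["outputEnviroment"] = snapshot(env)
        step["endDate"] = clock()
        env["history"].append(step)
        if step["status"] != "SUCCESS":
            env["status"] = "FAILED"
            break
    else:
        env["status"] = "SUCCESS"
    env["endDate"] = clock()
    return env


# Constructed actions standing in for vendor actions dragged into a playbook.
REPUTATION = {"203.0.113.7": "malicious", "198.51.100.4": "clean"}  # constructed


def enrich_source_ip(env):
    """Step 1: look the event's source IP up and store the verdict in the Alert."""
    ip = env["Event"]["sourceIp"]
    env["Alert"]["reputation"] = REPUTATION.get(ip, "unknown")


def decide_response(env):
    """Step 2: decide from the verdict step 1 left in the Alert."""
    verdict = env["Alert"]["reputation"]
    if verdict == "unknown":
        raise ValueError("no reputation data; refusing to decide automatically")
    env["Alert"]["decision"] = "block" if verdict == "malicious" else "allow"


def run_sample(source_ip):
    """Run the two-step playbook for one constructed event with a fake clock."""
    clock = itertools.count(1685004728).__next__  # deterministic unix timestamps
    env = new_environment({"sourceIp": source_ip, "eventId": 4625}, {"severity": "high"},
                          "00000000-0000-0000-0000-000000000000", clock())  # placeholder GUID
    return run_playbook(env, [enrich_source_ip, decide_response], clock)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample("203.0.113.7"), indent=2))
```

Running it for the known-malicious address yields a SUCCESS playbook whose two history entries show the Alert before and after enrichment and the final "block" decision; running it for an address the table does not know yields a FAILED second step with the error text recorded in the Alert and no decision taken, which is the behaviour you want when an automated response lacks the data to be safe.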

Execution History

Each individual action generates execution logs for debugging playbooks/actions. These execution logs play an essential role in the debugging process. When an error or problem occurs in a playbook or in a specific action, the execution logs can be analysed to identify the exact causes of the incident. This facilitates troubleshooting and ensures that the playbook execution process is correct and error-free.

You can download the playbook logs in .txt format by pressing the Download button, or view the log by pressing the View button.

Viewing Execution History

Click the View button in Execution History to see the input data (as parameters) of the execution itself and the output data, which can be queried for each individual step.
