Management
Event Dictionary
Working with event definitions
CYBERQUEST ships with a full event dictionary built around Windows operating systems. The dictionary is under continuous expansion, and future platform releases will start including event dictionaries for all major supported technologies.
A list of all events available at the time of editing this document can be found in Appendix: Event Dictionary.
Unlike other SIEM solutions on the market, CYBERQUEST's dictionary is open, which means at any time you can edit, export and delete existing event definitions, or create and import new ones -- building your own dictionary supporting technologies you have under management.
The event dictionary can be accessed from the Web Interface by navigating to Settings > Management > Event Dictionary. The page opens, listing the defined objects. Here you can manage existing definitions and, from the Actions menu, import an object or create a new definition from scratch.
- To export a definition, press the export button next to it. The export is saved as a proprietary CQO file. Likewise, to import a definition, select the import option in the Actions menu.
- To update the event dictionary, press the update button.
- To edit details for a specific object, press the edit button next to it. The Edit event definition window opens, allowing you to change the Name and Description, correct the Script, or enable/disable the object.
- To delete an event from the list, press the delete button next to it. As a measure of precaution, you will be asked to confirm deletion.
Events can be searched in the Quick Filter bar by event ID, event name, or its description.
Creating a new event definition
In the Event Definitions page, select the corresponding option from the Actions menu. The Add Event Dictionary configuration page opens, allowing you to create the new definition.
All fields are free text, which permits complete freedom in defining a new event. The template provides up to 150 custom fields. As a general recommendation, it is advisable to define a company-wide standard for issuing EventIDs, event names and platforms for all the applications in scope.
When you have finished creating the parser, press the Save button to save changes.
Managing dashboards
Dashboards page allows you to granularly configure dashboards appearance and behaviour in Dashboards module. To access the page, go to Settings > Management > Dashboards. All objects in your CYBERQUEST instance are listed here.
Dashboards can be exported and imported, edited, or deleted using the buttons next to each entry.
To create a dashboard, press the add button. A window will open that allows for dashboard configuration:
Save Dashboard window opens.
Press "Save" to save your changes and close the window, or "Cancel" to close the window without saving.
Managing filters
Filters page allows you to modify predefined filters or create new ones. To access the page, go to Settings > Management > Filters.
To edit an existing filter, press the edit button next to it; to create a new one, select the corresponding option in the Actions menu. The Edit Filter configuration page opens.
All predefined filters have queries built on compliance standards. Editing these usually requires advanced knowledge of building queries. As a general recommendation, it is advisable to always create a new filter based on an existing one and test it before introducing it to production.
When you have finished creating or editing the filter, press the "Save" button to save changes.
Managing objects
Objects Management page allows you to modify predefined objects or create new ones. To access the page, go to Settings > Management > Objects.
Anything can be an object: users, computers, IP addresses, an IP address range, network equipment and so on. Most objects are created automatically. For example, when logging in with a new Windows domain account, the corresponding object is also created.
New objects can also be created manually, or by importing from a CSV file. Once added to the system, they can be edited by pressing the edit button. The list of editable attributes is limited (name, value, corresponding object list). Their role in the platform is to provide the needed display consistency in lists, making it easier for an administrator to correctly identify the target of their investigations.
Agent Manager
The Agent Manager page allows you to register a new agent and to manually download the Windows agent. To access this page, go to Settings > Management > Agent Manager.
- Edit agent settings: allows you to edit the agent configuration.
- Set status manually deploy and not deployed: allows you to choose the agent status between two options: Manually deploy and Not deployed.
- Start agent service: starts the CYBERQUEST agent on the target machine.
- Stop agent service: stops the CYBERQUEST agent on the target machine.
- Uninstall service: uninstalls the agent service.
The register new agent button is for deploying the CYBERQUEST agent on Windows or Linux operating systems.
For more details about how to register a new agent, please access the link below: Collecting with CQ Windows agent.
Download windows agent - downloads the latest version of the CYBERQUEST agent. The file is downloaded as "AgentSetup.msi" and must be installed on a Windows target machine.
For more details on how to manually deploy the agent, please follow the link: How to manually deploy the agent
Data Source Manager
The Data Source Manager page allows you to add data sources. To access this page, go to Settings > Management > Data Sources Manager. All data sources in your CYBERQUEST instance are listed here.
- Bulk Clone: clone the current data source settings for each element of the "Bulk Clone" field;
- Clone: clone the data source;
- Edit: edit the data source;
- Delete: delete the data source.
To add a new data source, press the add button. A window will open allowing you to select the desired data source from a predefined list.
Complete the form below and press the "Save" button to save changes, or the "Cancel" button to close the window without saving.
The Select datasource button reveals a menu with the following buttons:
- Assign Agent: you can assign multiple agents to data sources. Select the desired data sources using the checkbox on the left, press the "Assign Agent" button and select the agent that will collect data and send it to CYBERQUEST.
- Unassign Agents: unassign the agent or agents for multiple data sources. Select the desired data sources using the checkbox on the left and click the "Unassign Agents" button; collection from the selected data sources stops.
- Bulk delete: delete multiple data sources. Select the desired data sources using the checkbox on the left and click the "Bulk delete" button.
- Close selection: close the menu.
To learn how to add and collect data from different types of data sources, please follow the links:
- How to collect data on Windows System Log
- How to connect to CQ Threat Intelligence
- How to connect to Active Directory
Discovered Data Sources
Credential Manager
The Credential Manager allows you to create sets of credentials that are used for collecting data. The Windows agent needs an account with administrative rights to collect data. To access this page, go to Settings > Management > Credential Manager.
On this page you can add, edit and delete access credentials for collection agents.
To edit credentials, press the edit button. This process is almost identical to adding credentials.
You can also delete credentials by pressing the delete button.
To create credentials, press the add button and complete the form:
**Name:** the name given to the credentials. More than one set of credentials can be created.
**Username/Email:** username or email.
**Password:** the password.
**Confirmation Password:** you have to confirm the password.
**Domain:** the domain name, when a domain user is used.
**Notes:** details about the credentials.
Click the "Save" button to confirm the creation of your credentials or you can cancel by pressing the "Cancel" button.
Vulnerability Manager
Vulnerability Assessment Module: provided by integration with OpenVAS (https://www.openvas.org/). It's a full-featured vulnerability scanner.
The scanner obtains the tests for detecting vulnerabilities from a feed that has a long history and daily updates. To see more information about Vulnerability Manager function, please follow the link: Vulnerability Manager.
Tag Alias
Tag Alias is a function that allows parsing events using a parser other than the original one given by the data server.
To see more information about this function, please follow the link: Tag Alias
UEBA Manager
A strong tool like UEBA Manager can assist organizations in effectively identifying and responding to security threats, reduce the risk of data breaches and insider threats while also enhancing overall security posture. With UEBA Manager, security teams can spot and address insider threats, such as staff members accessing private information or downloading significant amounts of data atypically.
Users accessing data outside of their regular working hours, users connecting to systems from strange locations, or users accessing data they don't typically engage with—all of these behaviors can be recognized by UEBA Manager.
It allows you to set the membership of users, assets and events to their related groups (AssetGroup, UserGroup, EventGroup).
To access the page, go to Settings > Management > UEBA Manager, and the page will open:
For more information about the UEBA Manager function, please follow the link: How to manage Ueba
Data-Storage
Allows for advanced configuration of data storages used by CYBERQUEST. To edit Data-Storage, open /var/opt/cyberquest/datastorage/conf.xml file on CYBERQUEST server.
You can find all configurable variables in the following table:
Parameter | Description | Default value |
---|---|---|
dbDriver | This is the driver of the mysql DB server | com.mysql.jdbc.Driver |
dbUserName | This is the username of the mysql DB server | root |
dbPass | This is the password of the mysql DB server | **** |
dbUrl | This is the address of the mysql DB server | jdbc:mysql://127.0.0.1:3306/config |
dbAlternateUrl | This is the address of the alternate mysql DB server | jdbc:mysql://127.0.0.1:3306/config |
serverGuid | This is the Globally Unique IDentifier(GUID) of server | D39498A9-1C85-0379-1E78-C161E6FFEEEA |
To edit Data-Storage from the web application, open Settings > Application Settings > Data Storage:
The Data Storage settings page opens:
To make changes to the variables, use the Edit button. After editing, press the "Save" button to save changes, or the "Cancel" button to discard them.
You can find all configurable variables in the following table:
Parameter | Description | Default value |
---|---|---|
maxEventsPerFile | Specifies the maximum number of events allowed per stored file | 20000 |
fileWriterTimeout | Specifies the timeout interval for the event writer | 60 |
mqUserName | Specifies the administrative username for MQ service access | cq |
mqPassword | Specifies user's password for MQ service | **** |
mqHost | Specifies the MQ service server. In distributed architectures, it may differ from the default CYBERQUEST server | 127.0.0.1 |
mqVhost | Specifies the MQ service virtual server. In distributed architectures, it may differ from the default CYBERQUEST server | |
mqPort | Specifies the network communication port used by MQ service | 5672 |
mqExchangeName | Specifies the exchange name used by MQ service | eventsExchange |
mqQueueName | Specifies the MQ queue name | jobCommands |
mqReceiveQueueType | Specifies the MQ Receive queue type | fanout |
mqRouting | Specifies the routing path for message queues | agents |
mqReceiveCommandExchangeName | Specifies the MQ Receive command exchange name | eventsExchange |
mqReceiveCommandQueueName | Specifies the MQ Receive command queue name | jobCommands |
mqReceiveCommandQueueType | Specifies the MQ Receive command queue type | direct |
mqReceiveCommandRouting | Specifies the MQ Receive command routing path | servers |
mqSendExchangeName | Specifies the MQ Send exchange name | |
mqSendQueueName | Specifies the MQ Send queue name | archive |
mqSendRouting | Specifies the MQ Send routing path | agents |
mqSendQueueType | Specifies the MQ Send queue type | direct |
encryptionPublicKeyFilePath | Specifies the file path for defined public key | /var/opt/cyberquest/encryption/datastorage/public_key.txt |
encryptionPrivateKeyFilePath | Specifies the file path for defined private key | /var/opt/cyberquest/encryption/datastorage/private_key.txt |
elasticClusterName | Specifies the Online DataStorage cluster name | ES. |
elasticHostName | Specifies the Online DataStorage host name | 127.0.0.1 |
encryptionPrivateKeyPassword | Specifies the password for defined private key | *** |
encryptionPrivateKeyPasswordPath | Specifies the file path for defined private key password | /var/opt/cyberquest/encryption/datastorage/privateKeyPassword.txt |
fileImportThreads | Specifies how many threads are used for import | 5 |
mqQueueType | Specifies the queue type | direct |
mqReceiveExchangeName | Specifies the MQ Receive exchange name | DA.publish |
mqReceiveQueueName | Specifies the MQ Receive queue name | DataStorage |
mqReceiveRouting | Specifies the MQ Receive routing key | agents |
mqAlternateHost | Specifies the alternate host name to use if the current queue is dead | 127.0.0.1 |
mqVHost | Specifies the MQ Receive virtual host | / |
elasticUserName | Specifies the Online DataStorage user name | cq |
elasticPassword | Specifies the password for defined private key | *** |
ElasticSearchIsHttpsConnection | Specifies the Online DataStorage Https connection | 1 |
ElasticSearchIsUserAuth | Specifies the Online DataStorage user auth | 1 |
In the list below we have defined some examples of jobs:
Data Sources Status
Working with Data source status feature
To verify the collection status of all sources that send events to CYBERQUEST or are collected by CYBERQUEST, the tool provides a dedicated status screen.
In the Web Interface select Settings > Management > Data Sources Status. The Data Sources Status page opens, listing all data sources collected by CYBERQUEST.
The collection status is shown as a color code for each data source. Available statuses are:
- Disabled
- Collecting
- Stopped or critical error
- Waiting for next collection
An icon present signifies that collection is scheduled to execute at defined time intervals, while all others are executing in real time. At any time, you can sort the list by any of the columns, or you can export the list by pressing the export button.
It is important to note here that due to the large number of data collections CYBERQUEST can support, the collection status list can grow very long.
You can choose to display up to 100 entries per status page. Please remember not to combine a large number of entries with automated page refresh, to avoid a decrease in performance. The columns menu at the top of the page allows you to choose which columns are displayed for all entries in list. These are described in the table below:
Field | Description |
---|---|
Computer Name | Source name (network IP address or resolved FQDN) |
Log Name | Name of the log source |
Type | Log type |
Messages | Number of collected events |
Last Received Time | Last current time when data was received from source |
Last Local Time | Last device time when data was received from source |
Last Update Time | Last time a modification was made for data source |
Last Message | Last message from data collector |
Last Error | Last error message from data collector |
Next Collection | Date and time when next collection will start |
Producer | Module or agent that collected the events |
Producer Uptime | Uptime of module or agent that collects events |
Extra Data | Comments |
Alert Interval Minutes | Time interval to check source status |
PlayBooks
Playbooks automate and streamline the incident response process, allowing security teams to respond effectively and efficiently to threats. These playbooks are developed based on industry best practices, regulatory requirements, and an organization's specific security policies. The goal is to ensure a consistent and coordinated approach to incident response, minimizing the impact of security breaches and enabling quick remediation.
To access the Playbooks interface, you have to navigate to Settings > Management > Playbooks and the page will open:
- Event Trigger: CYBERQUEST detects a suspicious event, such as a network intrusion attempt or a high-severity alert from a security device. Playbook execution can be triggered automatically by an alert (when setting alert actions), or manually from the event actions or from the alert actions.
You have the options to edit, delete and add a playbook.
Adding a playbook
In order to add a new playbook and orchestrate actions, click on "New Playbook". The orchestration is done graphically, and each playbook contains two mandatory blocks called start and end.
CYBERQUEST orchestrates actions based on criteria defined in the playbook section. Actions are grouped by vendor and are used by dragging and dropping them.
Specific actions can be triggered only on certain conditions.
All actions communicate with each other with the help of an environment object. This object contains the Alert/Event and permits saving information between actions.
This object has the following definition:
```json
{
  "Event": {
    // ... the event, populated automatically by CyberQuest
  },
  "Alert": {
    // ... the alert, populated automatically by CyberQuest
  },
  "playbookGUID": "<playbook GUID>",  // the individual playbook definition
  "startDate": 1685004728,            // unix timestamp
  "endDate": 1685004728,              // unix timestamp
  "status": "SUCCESS",
  "history": [
    {
      "inputEnviroment": {
        // populated with the input environment of the individual step
      },
      "outputEnviroment": {
        // populated with the output environment of the individual step
      },
      "startDate": 1685004728,        // unix timestamp
      "endDate": 1685004728,          // unix timestamp
      "status": "SUCCESS"
    }
  ]
}
```
Internally, CYBERQUEST, on execution, modifies this object to store execution history and to log the execution. All actions have access to this object.
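As an added example (not CYBERQUEST's own code), the following Python walks an environment object of the shape defined above and summarises its execution history for troubleshooting: it checks that the documented keys are present, computes each step's duration, reports which keys an action changed between its input and output environment, and finds the first step that did not succeed. The sample object, its GUID and all values in it are constructed for illustration.

```python
"""Added example (not CYBERQUEST code): walk the playbook environment object
described above and summarise its execution history for troubleshooting."""
import json
from datetime import datetime, timezone

# Keys the page documents on the environment object and on each history entry;
# the spelling "inputEnviroment"/"outputEnviroment" follows the page's definition.
TOP_LEVEL_KEYS = ("Event", "Alert", "playbookGUID", "startDate", "endDate", "status", "history")
STEP_KEYS = ("inputEnviroment", "outputEnviroment", "startDate", "endDate", "status")


def validate_environment(env: dict) -> list:
    """Return the problems found; an empty list means the object is well formed."""
    problems = ["missing top-level key: %s" % k for k in TOP_LEVEL_KEYS if k not in env]
    for i, step in enumerate(env.get("history", [])):
        problems += ["step %d: missing key %s" % (i, k) for k in STEP_KEYS if k not in step]
        if "startDate" in step and "endDate" in step and step["endDate"] < step["startDate"]:
            problems.append("step %d: endDate precedes startDate" % i)
    return problems


def changed_keys(step: dict) -> list:
    """Keys an action added or changed between its input and output environment."""
    before, after = step["inputEnviroment"], step["outputEnviroment"]
    return sorted(k for k in after if k not in before or before[k] != after[k])


def summarise_history(env: dict) -> dict:
    """Per-step durations and the index of the first step that did not succeed."""
    steps, first_failed = [], None
    for i, step in enumerate(env["history"]):
        steps.append({
            "index": i,
            "status": step["status"],
            "seconds": step["endDate"] - step["startDate"],
            "started": datetime.fromtimestamp(step["startDate"], tz=timezone.utc).isoformat(),
            "changed": changed_keys(step),
        })
        if step["status"] != "SUCCESS" and first_failed is None:
            first_failed = i
    return {
        "playbookGUID": env["playbookGUID"],
        "status": env["status"],
        "total_seconds": env["endDate"] - env["startDate"],
        "first_failed_step": first_failed,
        "steps": steps,
    }


# Constructed sample: a two-step run whose second action failed. The GUID and
# all values are invented; "Event" is left empty for brevity.
SAMPLE_ENV = json.loads("""{
  "Event": {}, "Alert": {"severity": "high"},
  "playbookGUID": "PLAYBOOK-GUID-PLACEHOLDER",
  "startDate": 1685004728, "endDate": 1685004800, "status": "FAILED",
  "history": [
    {"inputEnviroment": {"Alert": {"severity": "high"}},
     "outputEnviroment": {"Alert": {"severity": "high"}, "ticketId": "T-1"},
     "startDate": 1685004728, "endDate": 1685004740, "status": "SUCCESS"},
    {"inputEnviroment": {"Alert": {"severity": "high"}, "ticketId": "T-1"},
     "outputEnviroment": {"Alert": {"severity": "high"}, "ticketId": "T-1", "error": "timeout"},
     "startDate": 1685004740, "endDate": 1685004800, "status": "FAILED"}
  ]
}""")

if __name__ == "__main__":
    print(validate_environment(SAMPLE_ENV) or "environment object is well formed")
    print(json.dumps(summarise_history(SAMPLE_ENV), indent=2))
```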
Execution History
Each individual action generates execution logs for debugging playbooks/actions. These execution logs play an essential role in the debugging process. When an error or problem occurs in a playbook or in a specific action, the execution logs can be analysed to identify the exact causes of the incident. This facilitates troubleshooting and ensures that the playbook execution process is correct and error-free.
You can download the playbook logs in .txt format by pressing the download button, or view the log by pressing the view button:
Viewing Execution History
Click the button in Execution History to see the input data (as parameters) of the execution itself and the output data, which can be queried for each individual step:
Service Level Agreement (SLA)
In CYBERQUEST you can define case resolution SLAs based on Case Types. The SLAs specify confirmation and response times for incidents/cases.
To create an SLA, press the add button. The Add Service Level Agreement configuration page opens, allowing you to create a new SLA definition.
In the Name field, provide a name for the SLA.
In the Description field, provide a description for the SLA.
In the Case Types field, select a case type from the dropdown list.
In the Confirmation Time (minutes) field, provide the time allowed for acknowledging incidents (e.g., within 60 minutes).
In the Response Time (minutes) field, provide the time allowed for resolving incidents (e.g., within 30 minutes).
When you have finished creating the SLA, press the "Save" button to save changes.
After creating the SLA, you can perform the following actions on the object:
- To edit details for a specific object, press the edit button next to it. The Edit Service Level Agreement page opens, allowing you to change the parameters described above.
- To delete an SLA from the list, press the "delete" button next to it. As a measure of precaution, you will be asked to confirm deletion.
Based on these SLAs, the cases automatically calculate their confirmation/response time:
Analyst Actions
When an Analyst Input or Analyst Confirmation block is encountered during the execution of a playbook, the playbook stops execution and generates a question to the analyst. The list of current questions can be found in Settings > Analyst Actions.
To continue the execution, the analyst has to respond. If the analyst does not respond within the timeout defined at the action module level, the default response set at the action level is taken implicitly.
For Playbook Analyst Confirm press the button and a window will open:
For Playbook Analyst Input press the button and a window will open:
After saving the answer, the action will be deleted and the execution will resume with received answer.