IBM Support

QRadar: Possible CSRF attack detected

How To


Summary

This article is intended to provide information that can assist QRadar administrators in investigating these warnings.

Steps

Cross-site request forgery (CSRF) is a method attackers can use to exploit an authenticated user of a website to send unauthorized requests to the site. For example, if a trusted user is logged in to the site, the attacker could direct the user to a link that exploits the user's active session to send malicious commands to the site.
To protect against such attacks, QRadar generates CSRF session and authentication tokens when users log in. User requests carry cookies and headers that include the active tokens so that each request can be validated. If a request has an invalid or missing session token, QRadar logs a warning indicating that a possible CSRF attack was detected. Examples:
Jul  1 12:00:00 ::ffff:127.0.0.1 [tomcat.tomcat] [user@192.168.0.1 (2771) /console/JSON-RPC/QRadar.getNotifcationCount] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000][10.250.9.8/- -] [-/- -]Current session is 8DC5A760EF4B4B7D336938F87D1B8B01, possible CSRF attack detected using host 192.168.0.1
Jul  1 12:00:00 ::ffff:127.0.0.1 [tomcat.tomcat] [user@192.168.0.1 (3833) /console/JSON-RPC/QRadar.getUpdatePeriod] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000][10.9.148.5/- -] [-/- -]Current session is 8DC5A760EF4B4B7D336938F87D1B8B02, no sessionId was provided, possible CSRF attack detected using host 192.168.0.1 for method QRadar.getUpdatePeriod
If you are investigating further, take note of the users and IP addresses associated with these warnings. If a valid user's cookies expire (without renewal) during their session, the resulting incorrect or missing token information can cause QRadar to log a CSRF warning. Administrators should also take into account any proxies between the user and QRadar that could alter cookies and headers. Further review of the user's behavior and browser settings is recommended to determine whether the warning is valid.
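As an added example (not part of the IBM article), the following Python script parses warnings in the format shown above and groups them per user and source address, separating the "no sessionId was provided" variant from the invalid-token variant. The sample lines are constructed from the two examples, and reading the bracketed `[ip/- -]` field as the address the request arrived from is an assumption.

```python
import re

# Constructed sample lines (same format as the warnings quoted in the article).
SAMPLE_LOG = """\
Jul  1 12:00:00 ::ffff:127.0.0.1 [tomcat.tomcat] [user@192.168.0.1 (2771) /console/JSON-RPC/QRadar.getNotifcationCount] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000][10.250.9.8/- -] [-/- -]Current session is 8DC5A760EF4B4B7D336938F87D1B8B01, possible CSRF attack detected using host 192.168.0.1
Jul  1 12:00:00 ::ffff:127.0.0.1 [tomcat.tomcat] [user@192.168.0.1 (3833) /console/JSON-RPC/QRadar.getUpdatePeriod] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000][10.9.148.5/- -] [-/- -]Current session is 8DC5A760EF4B4B7D336938F87D1B8B02, no sessionId was provided, possible CSRF attack detected using host 192.168.0.1 for method QRadar.getUpdatePeriod
Jul  1 12:00:05 ::ffff:127.0.0.1 [tomcat.tomcat] [alice@10.0.0.7 (4102) /console/JSON-RPC/QRadar.getUpdatePeriod] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000][10.0.0.7/- -] [-/- -]Current session is 0F1E2D3C4B5A69788796A5B4C3D2E1F0, possible CSRF attack detected using host 10.0.0.7
Jul  1 12:00:06 ::ffff:127.0.0.1 [tomcat.tomcat] [user@192.168.0.1 (2771) /console/JSON-RPC/QRadar.getSomething] com.q1labs.core.ui.servlet.Other: [INFO] unrelated line
"""

CSRF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"\[(?P<user>[^@\]]+)@(?P<user_ip>\S+) \(\d+\) (?P<uri>[^\]]+)\] .*?"
    r"\[(?P<remote_ip>[^/\]]+)/[^\]]*\] .*?"
    r"Current session is (?P<session>[0-9A-Fa-f]+), "
    r"(?P<no_session>no sessionId was provided, )?"
    r"possible CSRF attack detected using host (?P<host>\S+)"
    r"(?: for method (?P<method>\S+))?"
)

def parse_csrf_warning(line):
    """Return a dict of fields for one CSRF warning, or None for any other line."""
    m = CSRF_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    # Two variants exist: an invalid token, or no sessionId at all.
    event["missing_session"] = event.pop("no_session") is not None
    # The method is named explicitly only in the second variant; fall back to the URI.
    event["method"] = event["method"] or event["uri"].rsplit("/", 1)[-1]
    return event

def triage(log_text):
    """Group warnings per (user, source IP): counts, methods and remote addresses."""
    summary = {}
    for line in log_text.splitlines():
        e = parse_csrf_warning(line)
        if e is None:
            continue
        key = (e["user"], e["user_ip"])
        s = summary.setdefault(key, {"total": 0, "missing_session": 0,
                                     "methods": set(), "remote_ips": set()})
        s["total"] += 1
        s["missing_session"] += e["missing_session"]
        s["methods"].add(e["method"])
        s["remote_ips"].add(e["remote_ip"])
    for s in summary.values():
        # Assumption: the [ip/- -] field is the address the request arrived from;
        # several distinct values for one user hint at a proxy in the path.
        s["possible_proxy"] = len(s["remote_ips"]) > 1
    return summary
```

Run `triage(SAMPLE_LOG)` on a copy of the Tomcat log to get, per user, how many warnings lack a session ID entirely and whether requests arrived from more than one address.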

Document Location

Worldwide


Document Information

Modified date:
28 August 2023

UID

ibm17020637