IBM QRadar

  • 1.  Crowdstrike App

    Posted Wed December 02, 2020 09:02 AM
    Hello Everyone, 

    My team is working on integrating CrowdStrike (CS) with IBM QRadar (QR) using the CS App. We are new to IBM QR technology; however, we managed to install the App and add the client. Still, we don't see any events in "Log Activity" when filtering on the "CrowdStrike Detection" data source. 

    FYI, our setup is running with distributed topology and is multi-tenant. 

    Following are the issues at hand that we are looking for a resolution to:

    1. Why are there no events, when from the app.log file we can see the App was successfully able to fetch the data stream from CS? 

    2. How to manage the App in a multi-tenant environment: let's say more than one of my customers are using CS, then how do we segregate the traffic among them? 

    Any response with your past successful experiences will be of immense help. 

    Thanks
    Sai


    ------------------------------
    Sai Kumar
    ------------------------------


  • 2.  RE: Crowdstrike App

    Posted Tue December 15, 2020 09:57 PM
    JFYI,


    Using the CrowdStrike (CS) App, I managed to get the event stream coming in. I also created a custom rule to trigger an offense for every detection received from CS.

    The rule looks like it works fine; however, I can see that events associated with the "Custom Rule Engine-8" log source type are also part of the offense, along with the "CrowdStrike Detection" log source. This keeps me thinking: what is the other log source about, as most of those events are in the "Stored" category? I am also worried that it may eat up our EPS.

    Any advice here? Thanks.



    ------------------------------
    Sai Kumar
    ------------------------------



  • 3.  RE: Crowdstrike App

    Posted Wed December 16, 2020 03:21 AM
    Sai, you seriously should attend one of the 100s of free IBM online labs! Anyway, I'll try to explain.

    As said before, you need additional tests in your rule. Triggering on every QID doesn't make sense. You are looking at the Offense summary, which gives you all the context. CRE is the log source your meta-event comes from. You probably kick off one meta-event for each log event coming in. This indeed eats all your EPS. "Stored" category means nothing else happened to your event. Export an event and show it here. What is the event name? What is the LLC? What is the HLC? What is the log source type? My guess is the event category may still be Unknown, so you'd better add an LSX for that. Are you confused by the abbreviations I used? Search for those first, because you are at the 1st step of a 100-step learning curve. Very brave. Just keep going!

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
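The reply above asks for an exported event and its event name, LLC, HLC and log source type, and explains that a rule firing on every incoming event produces one CRE meta-event per detection. The following script is an added example, not code from the thread or from IBM or CrowdStrike: it reads a Log Activity CSV export, summarizes events by those four fields, measures the meta-event fan-out, lists source events still categorized as Unknown (the LSX case), and shows the effect of giving the rule an additional test. The column headers, the sample rows, the event names and the severity threshold are all constructed assumptions; adjust them to your own export.

```python
"""Triage a QRadar Log Activity CSV export to explain "Custom Rule Engine-8"
events in an offense and the EPS fan-out of a rule without extra tests.

Added example for the thread above, not from the original posts.
Assumptions: the export has the columns below and the event/log-source
names match those used in the thread.
"""
import csv
import io
from collections import Counter

# Constructed sample export (not real CrowdStrike or QRadar data):
# three CrowdStrike detections plus the meta-event a rule with no extra
# tests generated for each of them.
SAMPLE_EXPORT = """\
Event Name,Log Source Type,Low Level Category,High Level Category,Severity
Detection Summary Event,CrowdStrike Detection,Unknown,Unknown,7
Detection Summary Event,CrowdStrike Detection,Unknown,Unknown,2
Detection Summary Event,CrowdStrike Detection,Unknown,Unknown,9
CS Detection offense,Custom Rule Engine-8,Stored,Unknown,7
CS Detection offense,Custom Rule Engine-8,Stored,Unknown,2
CS Detection offense,Custom Rule Engine-8,Stored,Unknown,9
"""

CRE_TYPE = "Custom Rule Engine-8"       # log source type of rule meta-events
SOURCE_TYPE = "CrowdStrike Detection"   # log source type of the CS App feed


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(events):
    """Count events per (log source type, event name, LLC, HLC): exactly the
    four fields the reply asks to see for an exported event."""
    return Counter(
        (e["Log Source Type"], e["Event Name"],
         e["Low Level Category"], e["High Level Category"])
        for e in events
    )


def fanout_ratio(events):
    """Meta-events per source event. 1.0 means the rule fires once for every
    incoming detection, so the feed costs twice its EPS after the rule."""
    src = sum(1 for e in events if e["Log Source Type"] == SOURCE_TYPE)
    cre = sum(1 for e in events if e["Log Source Type"] == CRE_TYPE)
    return cre / src if src else 0.0


def uncategorized(events):
    """Source events still parsed as LLC Unknown: the sign that an LSX
    (log source extension) is needed before category-based rule tests work."""
    return [e for e in events
            if e["Log Source Type"] == SOURCE_TYPE
            and e["Low Level Category"] == "Unknown"]


def would_fire(event, min_severity=5):
    """Simulate a rule with an additional test instead of matching every QID:
    only CrowdStrike detections at or above a severity threshold (assumed)."""
    return (event["Log Source Type"] == SOURCE_TYPE
            and int(event["Severity"]) >= min_severity)


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    for key, n in summarize(evts).items():
        print(n, *key, sep=" | ")
    print("meta-events per detection:", fanout_ratio(evts))
    print("detections without LLC:", len(uncategorized(evts)))
    print("offenses with severity test:", sum(would_fire(e) for e in evts))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; a fan-out ratio near 1.0 confirms the meta-event-per-event behaviour described in the reply, and a non-empty uncategorized list means the rule cannot yet test on category until an LSX assigns one.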