IBM QRadar

  • 1.  Log source credibility

    Posted Wed May 10, 2023 11:26 AM

    Hi everyone, 

    Can anybody explain the purpose of the "credibility" value for the log source? I need some use cases or examples of when it is correct to put a lower value of credibility for some log sources and when it is correct to put a higher value for some log sources. How do you decide why some log sources need to have lower or higher credibility?

    I don't need answers from the user, administration, or DSM guide on how to increase or decrease value.

    Thank you. 



    ------------------------------
    Zeljko Babogredac
    ------------------------------


  • 2.  RE: Log source credibility

    Posted Wed May 10, 2023 01:22 PM

    Zeljko,
    you asked for no guide info; however, this is an open community and other, less experienced users than yourself might read this as well, so I am writing this so anybody can understand.

    5 is the standard value when creating log sources, which is the medium value. As long as you don't change that in one or the other direction, the influence on your system is close to zero. Side effect: when you don't change the credibility of the log source, all events from that log source will be given a credibility of 10, which means maximum credit for that event. As soon as you adjust the credit value to something else, say = 7, all events will be given the adjusted value. This might influence the result of your custom rules. The only standard rule I am aware of using a credibility test is the default response (e-mail and syslog) when forwarding offense data to some external system (SOAR).
    So what is best practice for adjusting credit values? For all reliable security systems I would leave the value at 10, e.g. firewalls, IDS, proxies, VPN gateways etc.
    All standard servers I would decrease to something below, e.g. = 7. Client systems should be given a low value, e.g. = 4. As the magnitude of offenses is a dynamically calculated value, this will primarily adjust the way offenses are ordered, with the exception of the SOAR functions talked about already.
    Regards
    Karl


    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
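    A way to verify the behaviour Karl describes on your own deployment, as an added example that is not part of either post: an AQL query (run from Log Activity, Advanced Search, or the Ariel search API) that lists, per log source, the minimum and maximum credibility its events carried over the last day. A source left at the default 5 should show events at 10; a source adjusted to 7 or 4 should show that value. The column and function names (`credibility`, `logsourceid`, `LOGSOURCENAME`) are taken from the AQL event schema as I know it and are assumptions here, not something quoted from the thread.

```sql
-- Added example (not from the thread): per-log-source spread of event
-- credibility, to confirm which sources have had their value adjusted.
-- Assumes the standard AQL 'events' table and LOGSOURCENAME() function.
SELECT
    LOGSOURCENAME(logsourceid) AS log_source,
    MIN(credibility)           AS min_credibility,
    MAX(credibility)           AS max_credibility,
    COUNT(*)                   AS event_count
FROM events
GROUP BY logsourceid
ORDER BY max_credibility ASC
LAST 24 HOURS
```

    Sorting ascending puts the down-rated client and server sources first, so a source that should be a high-credibility security device (firewall, IDS, proxy, VPN gateway in Karl's tiers) but appears near the top of the list is a misconfiguration worth fixing before it silently changes offense ordering or a SOAR forwarding rule's outcome.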