IBM QRadar

  • 1.  Log source filters centralized management

    Posted Thu August 05, 2021 08:17 AM

    Hi. We need to add EventIDs to the Security Log filter on hundreds of Windows servers with the Microsoft Windows Security Event log, but we were unable to find this option. Does anyone know how it can be achieved?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Log source filters centralized management

    Posted Fri August 06, 2021 06:32 AM

    Hi,

    You can install this Windows content extension pack, which gives you a lot of useful CEPs, but the field that you would be interested in would be EventID.

    Once you have the CEP EventID, you can use this CEP to filter out the events from your Microsoft Security Event log.

    Windows Content Extension pack:

    https://www.ibm.com/docs/en/qradar-common?topic=extensions-microsoft-windows

    Hope it helps.



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Log source filters centralized management

    Posted Fri August 06, 2021 07:10 AM

    Hi,

    This is a different case.

    I am asking whether it is possible to change the Security log filter on all Log Sources we currently have at once, without modifying this parameter separately on each Log Source.



    #QRadar
    #Support
    #SupportMigration


  • 4.  RE: Log source filters centralized management

    Posted Wed August 11, 2021 11:24 AM

    I assume that, using the API, there should be an option to achieve this request.

    Regards,

    Ralph



    #QRadar
    #Support
    #SupportMigration
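The reply above points at the REST API as the way to change the Security log filter on many log sources at once. The following script is an added example written for this thread, not code posted by any participant or shipped by IBM. It reads log sources from the QRadar log source management endpoint, merges a set of event IDs into the existing filter value of each WinCollect-style log source, and sends one bulk PATCH back. Assumptions to verify on your own console before running it: the endpoint path and bulk-PATCH payload shape (`id` plus the `protocol_parameters` to change), the `SEC` authorization header, the API `Version` header value, and above all the protocol parameter name `FILTER_PARAM_NAME`, which is a placeholder; do a GET on one WinCollect log source first and copy the exact name and id of the Security log filter parameter from the response. The sample log sources at the bottom are constructed test data so the merge logic can be checked offline.

```python
import json
import ssl
import urllib.request

# Assumption: QRadar REST API endpoint for log source management (verify on your console).
LOG_SOURCES_ENDPOINT = "/api/config/event_sources/log_source_management/log_sources"

# Assumption: API version header accepted by your console.
API_VERSION = "14.0"

# PLACEHOLDER: exact name of the Security log filter protocol parameter.
# Copy it from a GET on one WinCollect log source on your own console.
FILTER_PARAM_NAME = "Security Log Filter"


def normalize_event_ids(raw):
    """Turn a comma-separated string or an iterable of ints/strings into a set of ints."""
    if isinstance(raw, str):
        raw = raw.split(",")
    ids = set()
    for item in raw:
        text = str(item).strip()
        if text:
            ids.add(int(text))
    return ids


def merge_filter(existing_value, new_ids):
    """Return the existing filter with new event IDs added, sorted and de-duplicated."""
    merged = normalize_event_ids(existing_value or "") | normalize_event_ids(new_ids)
    return ",".join(str(i) for i in sorted(merged))


def build_patch_payload(log_sources, new_ids, param_name=FILTER_PARAM_NAME):
    """Build the bulk PATCH body: one entry per log source whose filter actually changes.

    Log sources without the filter parameter (non-WinCollect sources) are skipped,
    as are sources that already contain every requested event ID.
    """
    patches = []
    for source in log_sources:
        for param in source.get("protocol_parameters", []):
            if param.get("name") != param_name:
                continue
            merged = merge_filter(param.get("value"), new_ids)
            if merged != (param.get("value") or ""):
                patches.append({
                    "id": source["id"],
                    "protocol_parameters": [
                        {"id": param["id"], "name": param["name"], "value": merged}
                    ],
                })
    return patches


def qradar_request(console_url, token, method, body=None, verify_tls=True):
    """Send one request to the log source endpoint using a SEC token (authorized service)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab consoles with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(console_url.rstrip("/") + LOG_SOURCES_ENDPOINT,
                                 data=data, method=method)
    req.add_header("SEC", token)
    req.add_header("Version", API_VERSION)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


def add_event_ids_to_all(console_url, token, new_ids, dry_run=True):
    """GET every log source, compute the changed filters, and PATCH them in one call."""
    sources = qradar_request(console_url, token, "GET")
    payload = build_patch_payload(sources, new_ids)
    if dry_run:
        print(json.dumps(payload, indent=2))  # review before applying
        return payload
    return qradar_request(console_url, token, "PATCH", body=payload)


# Constructed sample data shaped like the log source objects returned by the API.
SAMPLE_LOG_SOURCES = [
    {"id": 101, "name": "WIN-DC01", "protocol_parameters": [
        {"id": 7, "name": FILTER_PARAM_NAME, "value": "4624,4625"}]},
    {"id": 102, "name": "WIN-APP02", "protocol_parameters": [
        {"id": 7, "name": FILTER_PARAM_NAME, "value": ""}]},
    {"id": 103, "name": "LINUX-SYSLOG", "protocol_parameters": [
        {"id": 3, "name": "Listen Port", "value": "514"}]},
    {"id": 104, "name": "WIN-FS03", "protocol_parameters": [
        {"id": 7, "name": FILTER_PARAM_NAME, "value": "4624,4688"}]},
]

if __name__ == "__main__":
    # Offline dry run on the constructed data; swap in add_event_ids_to_all(...) for a console.
    print(json.dumps(build_patch_payload(SAMPLE_LOG_SOURCES, [4688, 4624]), indent=2))
```

Run it first with `dry_run=True` against a real console and diff the printed payload against what you expect; only then send the PATCH. Because the filter value is rebuilt from the existing string, event IDs already present are kept and duplicates are collapsed, so the script is safe to re-run.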