IBM QRadar

  • 1.  Offense Enrichment

    Posted Tue July 23, 2019 09:15 AM
    Hi,

    I have seen the recent post about the Event Enrichment by Pipotron 2.0 but I think it's a slightly different case.

    I want to be able to enrich offenses with information such as CMDB or similar. I have reviewed the comments made on the aforementioned post but I couldn't really find a solution that will be suitable for me.

    The idea is an offense is triggered and based on a unique id or item within the offenses I can enrich it with information from CMDB or similar. I haven't found a way to link CMDB or just a "look up table" within Qradar or Resilient to enrich the offense.

    There was a mention of Custom AQL Function by Nico de Smidt and after going through the documentation I don't think this is the right approach, because that would mean I would need to make an API request to retrieve the information, given the thing I'm interacting with has an API to begin with. And there is a question of how I would append the information back to the offense or something else, due to offenses being "immutable" for forensic reasons, as it was commented on by Nico de Smidt.

    As I mentioned above I have Qradar and Resilient instances, so if I could do this from either of them or a combination of both, can you please provide some insight and/or documentation on how to achieve this.

    Thanks,

    ------------------------------
    Mo Amiri
    ------------------------------


  • 2.  RE: Offense Enrichment

    Posted Wed July 24, 2019 05:44 AM
    Hello Mo Amiri,
    If I have understood your needs well, use sysmon enrichment: install the application and sysmon on the side of your server (Windows) and apply the recommendations from this link: https://github.com/SwiftOnSecurity/sysmon-config

    Good luck, let me know if it's okay.

    ------------------------------
    [Larbi] [Belmiloud]
    [Cyber Security]
    [Intervalle Technologies]
    [Algers] [Algeria]
    [+213551193200]
    ------------------------------



  • 3.  RE: Offense Enrichment

    Posted Wed July 24, 2019 08:34 AM
    Edited by Mo Amiri Wed July 24, 2019 08:35 AM
    Hi Larbi Belmiloud,

    Unfortunately, your answer/reply is completely misunderstood. This has nothing to do with sysmon.

    But thanks for the effort.

    Maybe to help your understanding and others this is a video I came across that seems to be the right thing but not sure how to implement it: https://www.youtube.com/watch?v=scBhf3B2zqo


    ------------------------------
    Mo Amiri
    ------------------------------