IBM QRadar

  • 1.  Payload Language Is Different

    Posted Mon December 11, 2023 05:20 AM

    Hi,

    The event payload is in a different language. I have verified the configuration of the log source and the event on the server; both are set to English only. How can I change the event payload to English?

    I am facing the issue for only one server.  Initially, it was in a different language.

    Thanks



    ------------------------------
    Arunkumar R
    ------------------------------


  • 2.  RE: Payload Language Is Different

    Posted Mon December 11, 2023 07:28 AM

    Hi Arunkumar,

    Can you provide some more information on the type of server and type of logsource?

    QRadar will not change the payload of an incoming event to a different language, so this would appear to be a setting on the server sending the events.

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Payload Language Is Different

    Posted Tue December 12, 2023 06:15 AM

    Hi John,

    Server Type: Testing server

    Log source Type: Microsoft Windows Security Event

    Sample Log:

    <13>Dec 11 23:34:05 hostname AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.1.28 Source=Microsoft-Windows-Security-Auditing Computer=hostname.domain.com OriginatingComputer=x.x.x.x User= Domain= EventID=4702 EventIDCode=4702 EventType=8 EventCategory=12804 RecordNumber=37781387 TimeGenerated=1702317841 TimeWritten=1702317841 Level=Log Always Keywords=Audit Success Task=SE_ADT_OBJECTACCESS_OTHER Opcode=Info Message=Un'attività pianificata è stata aggiornata.  Oggetto:  ID di protezione:  NT AUTHORITY\SYSTEM  Nome account:  hostname$  Dominio account:  domain  ID di accesso:  0x3E7  Informazioni attività:  Nome attività:   \Microsoft\Windows\Data Integrity Scan\Data Integrity Check And Scan  Contenuto attività:   <?xml version="1.0" encoding="UTF-16"?> <Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">   <RegistrationInfo>     <Source>$(@%systemroot%\system32\discan.dll,-601)</Source>     <Author>$(@%systemroot%\system32\discan.dll,-600)</Author>     <Description>$(@%systemroot%\system32\discan.dll,-602)</Description>     <URI>\Microsoft\Windows\Data Integrity Scan\Data Integrity Check And Scan</URI>     <SecurityDescriptor>D:AI(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FR;;;AU)</SecurityDescriptor>   </RegistrationInfo>   <Triggers>     <CalendarTrigger id="Init">       <StartBoundary>2011-01-01T23:00:00</StartBoundary>       <Enabled>true</Enabled>       <RandomDelay>PT1H</RandomDelay>       <ScheduleByDay>         <DaysInterval>1</DaysInterval>       </ScheduleByDay>     </CalendarTrigger>     <BootTrigger id="Resume">       <Enabled>false</Enabled>       <Delay>PT1H</Delay>     </BootTrigger>   </Triggers>   <Principals>     <Principal id="LocalSystem">       <UserId>NT AUTHORITY\SYSTEM</UserId>       <RunLevel>HighestAvailable</RunLevel>       <LogonType>InteractiveToken</LogonType>     </Principal>   </Principals>   <Settings>     <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>     <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>     <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>     <AllowHardTerminate>true</AllowHardTerminate>     <StartWhenAvailable>true</StartWhenAvailable>     <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>     <IdleSettings>       <StopOnIdleEnd>false</StopOnIdleEnd>       <RestartOnIdle>false</RestartOnIdle>     </IdleSettings>     <AllowStartOnDemand>true</AllowStartOnDemand>     <Enabled>true</Enabled>     <Hidden>false</Hidden>     <RunOnlyIfIdle>false</RunOnlyIfIdle>     <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>     <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>     <WakeToRun>false</WakeToRun>     <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>     <Priority>7</Priority>   </Settings>   <Actions Context="LocalSystem">     <ComHandler>       <ClassId>{DCFD3EA8-D960-4719-8206-490AE315F94F}</ClassId>     </ComHandler>   </Actions> </Task>  Altre informazioni:  Ora di creazione processo:   10133099161604336  ID processo client: 


    ------------------------------
    Arunkumar R
    ------------------------------
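The sample payload above is worth taking apart: its key=value fields (EventID, Computer, Keywords, Task) are the same regardless of the sending server's locale, and only the free-text Message is in Italian. The following Python is an added example, not code from this thread or from IBM. It parses the WinCollect-style payload without tripping over the '=' signs inside the embedded task XML, and applies a simple heuristic (presence of the standard English labels such as "Security ID:" and "Account Name:") to flag a localized message. The English 4702 payload is constructed here for comparison, and the Italian one is the thread's sample trimmed to its first fields.

```python
import re

# Constructed samples (not real captures). ITALIAN_PAYLOAD is the thread's 4702
# event trimmed to its leading fields and the start of its Message; ENGLISH_PAYLOAD
# is a counterpart built from the same structured fields for comparison.
ITALIAN_PAYLOAD = (
    "<13>Dec 11 23:34:05 hostname AgentDevice=WindowsLog AgentLogFile=Security "
    "PluginVersion=7.3.1.28 Source=Microsoft-Windows-Security-Auditing "
    "Computer=hostname.domain.com OriginatingComputer=x.x.x.x User= Domain= "
    "EventID=4702 EventIDCode=4702 EventType=8 EventCategory=12804 "
    "RecordNumber=37781387 TimeGenerated=1702317841 TimeWritten=1702317841 "
    "Level=Log Always Keywords=Audit Success Task=SE_ADT_OBJECTACCESS_OTHER "
    "Opcode=Info Message=Un'attività pianificata è stata aggiornata.  Oggetto:  "
    "ID di protezione:  NT AUTHORITY\\SYSTEM  Nome account:  hostname$  "
    "Dominio account:  domain  ID di accesso:  0x3E7  Informazioni attività:  "
    "Nome attività:   \\Microsoft\\Windows\\Data Integrity Scan\\Data Integrity "
    "Check And Scan  Contenuto attività:   <?xml version=\"1.0\" encoding=\"UTF-16\"?> "
    "<Task version=\"1.6\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">"
)
ENGLISH_PAYLOAD = (
    "<13>Dec 11 23:34:05 hostname AgentDevice=WindowsLog AgentLogFile=Security "
    "PluginVersion=7.3.1.28 Source=Microsoft-Windows-Security-Auditing "
    "Computer=hostname.domain.com OriginatingComputer=x.x.x.x User= Domain= "
    "EventID=4702 EventIDCode=4702 EventType=8 EventCategory=12804 "
    "RecordNumber=37781387 TimeGenerated=1702317841 TimeWritten=1702317841 "
    "Level=Log Always Keywords=Audit Success Task=SE_ADT_OBJECTACCESS_OTHER "
    "Opcode=Info Message=A scheduled task was updated.  Subject:  Security ID:  "
    "NT AUTHORITY\\SYSTEM  Account Name:  hostname$  Account Domain:  domain  "
    "Logon ID:  0x3E7  Task Information:  Task Name:   \\Microsoft\\Windows\\Data "
    "Integrity Scan\\Data Integrity Check And Scan  Task Content:   "
    "<?xml version=\"1.0\" encoding=\"UTF-16\"?> <Task version=\"1.6\">"
)

# Syslog framing as seen in the thread's sample: <PRI>Mon DD HH:MM:SS host
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")
# A field is a run of letters followed by '=', at start or after a space; its value
# runs (lazily) until the next such field or the end of the string.
FIELD = re.compile(r"(?:^| )([A-Za-z]+)=(.*?)(?= [A-Za-z]+=|$)")

# Labels Windows writes into nearly every English Security audit message.
ENGLISH_MARKERS = ("Subject:", "Security ID:", "Account Name:", "Account Domain:", "Logon ID:")


def parse_wincollect(payload: str) -> dict:
    """Split a WinCollect payload into its key=value fields.

    Everything after ' Message=' is kept whole as the localized message: the
    message body carries its own '='-bearing text (task XML attributes such as
    version="1.0"), which a naive split on 'key=' would turn into bogus fields.
    """
    m = SYSLOG_HEADER.match(payload)
    if not m:
        raise ValueError("payload is not syslog-framed WinCollect output")
    head, sep, message = payload[m.end():].partition(" Message=")
    fields = dict(FIELD.findall(head))
    if sep:
        fields["Message"] = message
    return fields


def message_is_english(message: str) -> bool:
    """Heuristic: treat the message as English if at least two standard labels appear."""
    return sum(marker in message for marker in ENGLISH_MARKERS) >= 2


def triage(payload: str) -> dict:
    """What a rule or custom property sees: the structured fields are locale-independent,
    only the free-text Message changes with the sender's language."""
    f = parse_wincollect(payload)
    msg = f.get("Message", "")
    return {
        "event_id": f.get("EventID"),
        "computer": f.get("Computer"),
        "keywords": f.get("Keywords"),
        "message_english": message_is_english(msg),
        "non_ascii_chars": sum(ord(c) > 127 for c in msg),
    }


if __name__ == "__main__":
    for name, payload in (("italian", ITALIAN_PAYLOAD), ("english", ENGLISH_PAYLOAD)):
        print(name, triage(payload))
```

Both payloads yield the same EventID, Computer and Keywords, so detections keyed on those fields fire for the Italian server exactly as for an English one; only custom properties or searches that match English wording inside Message miss its events. That is why, as the replies say, the fix belongs on the sending server rather than in QRadar.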



  • 4.  RE: Payload Language Is Different

    Posted Wed December 20, 2023 12:45 PM

    Hi Arunkumar

    QRadar does not control the language of the payloads which are being sent. This will be a configuration on the sending server.

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 5.  RE: Payload Language Is Different

    Posted Thu December 21, 2023 05:42 AM

    Hi John,

    Language and region settings are in English on the server side.

    Do you have any idea where to change it?

    Thanks



    ------------------------------
    Arunkumar R
    ------------------------------