Hello,
Are you talking about windows devices that are sending events to QRadar?
I believe you are looking to see if the Process command line is enabled in this event:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
So you would be searching this event ID in QRadar to see if the payload contains the 'Process Command Line' field and has output (check current regexes, Custom Event Properties for the log source type Microsoft Windows Security Event Log).
Then you'd need to group by log source.
Though this will be fully dependent on the log source sending events in that timeframe. You would need to be careful of the search parameters and time frame, as the searches may be quite expensive.
I hope this helps, but note this would not really be considered a QRadar task, and I don't believe this would garner completely accurate results, as all we can do is check the payload of what we receive. We cannot log in directly to all servers/devices and poll them to see if this is indeed enabled.
Regards
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
------------------------------
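The check described in the reply above, as an added example that is not part of the original thread or of QRadar's own code: scan Windows Security event 4688 payloads, test whether the 'Process Command Line' field actually carries a value, and group the result by log source. The sample events below are constructed for the example and only imitate the shape of a forwarded 4688 payload (the field name "Process Command Line:" is the one Windows writes into the event message; the log source names are made up). Note the edge case the reply hints at with "has output": Windows still emits the "Process Command Line:" field in 4688 when command line auditing is off, but the value is empty, so a test for the field name alone would wrongly report every server as enabled.

```python
"""Group Windows 4688 events by log source and report whether the
'Process Command Line' field is populated (command line auditing on).

Added example, not code from the original thread. Sample payloads are
constructed and log source names are hypothetical."""
import re
from collections import defaultdict

# Constructed sample events in the shape of what QRadar stores for the
# "Microsoft Windows Security Event Log" log source type: the log source
# name, the parsed Event ID and the raw payload text.
SAMPLE_EVENTS = [
    # DC01: command line auditing enabled, field populated.
    {"logsource": "DC01", "event_id": 4688,
     "payload": ("<13>Feb 08 05:20:01 DC01 AgentDevice=WindowsLog\tAgentLogFile=Security\t"
                 "EventID=4688\tMessage=A new process has been created.\r\n"
                 "New Process Name:\tC:\\Windows\\System32\\svchost.exe\r\n"
                 "Process Command Line:\tC:\\Windows\\System32\\svchost.exe -k netsvcs\r\n")},
    # APP02: 4688 is audited, but the command line field is empty because the
    # "Include command line in process creation events" policy is off.
    {"logsource": "APP02", "event_id": 4688,
     "payload": ("<13>Feb 08 05:21:14 APP02 AgentDevice=WindowsLog\tAgentLogFile=Security\t"
                 "EventID=4688\tMessage=A new process has been created.\r\n"
                 "New Process Name:\tC:\\Windows\\System32\\cmd.exe\r\n"
                 "Process Command Line:\t\r\n")},
    {"logsource": "APP02", "event_id": 4688,
     "payload": ("<13>Feb 08 05:22:40 APP02 AgentDevice=WindowsLog\tAgentLogFile=Security\t"
                 "EventID=4688\tMessage=A new process has been created.\r\n"
                 "New Process Name:\tC:\\Windows\\System32\\conhost.exe\r\n"
                 "Process Command Line:\r\n")},
    # FS03: only a logon event in the search window, so nothing can be
    # concluded about its process auditing settings from the payloads alone.
    {"logsource": "FS03", "event_id": 4624,
     "payload": ("<13>Feb 08 05:23:05 FS03 AgentDevice=WindowsLog\tAgentLogFile=Security\t"
                 "EventID=4624\tMessage=An account was successfully logged on.\r\n")},
]

# Capture whatever follows the field label up to the end of that line.
CMDLINE_RE = re.compile(r"Process Command Line:[ \t]*([^\r\n]*)")


def has_command_line(payload: str) -> bool:
    """True only if the field is present AND non-empty."""
    m = CMDLINE_RE.search(payload)
    return m is not None and m.group(1).strip() != ""


def classify_log_sources(events):
    """Return {logsource: {"events_4688": n, "with_cmdline": n, "status": s}}.

    status is "enabled" if any 4688 in the window carried a command line,
    "disabled" if 4688 events arrived but none did, and "unknown" if the
    source sent no 4688 at all (it may not be sending, or may not audit
    process creation)."""
    stats = defaultdict(lambda: {"events_4688": 0, "with_cmdline": 0})
    seen = set()
    for ev in events:
        seen.add(ev["logsource"])
        if ev["event_id"] != 4688:
            continue
        s = stats[ev["logsource"]]
        s["events_4688"] += 1
        if has_command_line(ev["payload"]):
            s["with_cmdline"] += 1

    result = {}
    for ls in sorted(seen):
        s = stats.get(ls)  # .get() does not create a default entry
        if s is None:
            result[ls] = {"events_4688": 0, "with_cmdline": 0, "status": "unknown"}
        else:
            status = "enabled" if s["with_cmdline"] > 0 else "disabled"
            result[ls] = {**s, "status": status}
    return result


def sources_without_cmdline_auditing(events):
    """Log sources that sent 4688 but never a populated command line."""
    return [ls for ls, r in classify_log_sources(events).items()
            if r["status"] == "disabled"]


if __name__ == "__main__":
    for ls, r in classify_log_sources(SAMPLE_EVENTS).items():
        print(f"{ls}: {r['status']} ({r['with_cmdline']}/{r['events_4688']} with command line)")
```

Inside QRadar the same grouping is done with an AQL search over the events table rather than with Python; as an assumption about the property names in your deployment, it would be along the lines of `SELECT LOGSOURCENAME(logsourceid), COUNT(*) FROM events WHERE "EventID" = '4688' GROUP BY logsourceid LAST 24 HOURS`, with the "has output" test added as a payload regex. Whatever form it takes, keep the reply's caveats in mind: a source that sends no 4688 in the window ends up "unknown", not "enabled" or "disabled", and a wide time range over all Windows sources is an expensive search.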
Original Message:
Sent: Thu February 08, 2024 05:24 AM
From: Zaid Osman
Subject: QRadar | Check which servers/devices do not have Command Line auditing enabled
Dear All,
I'm fairly new with QRadar (do bear with me). I'm currently trying to check which servers/devices within our environment do not have Command Line Auditing enabled. I have some questions regarding this:
- Whether this is even possible in the first place
- If it is possible, what is the approach to do this?
- If it is a query, what would the query look like?
- Or do I look for it within QRadar itself (for example, the Admin tab)?
I understand my question might be vague, and I am very much open to providing more context or information on this item.
Thanks in Advance
------------------------------
Zaid Osman
------------------------------