IBM QRadar

  • 1.  Wants to Create Rule/Alert for if any log source stops sending logs to QRadar Console.

    Posted Mon December 18, 2023 02:12 AM

    We want to create a rule/alert for when any log source stops sending logs to the QRadar Console. Does anyone have an idea how to configure such settings in QRadar?

    Regards,

    Ganesh R.



    ------------------------------
    Praful Mayekar
    ------------------------------


  • 2.  RE: Wants to Create Rule/Alert for if any log source stops sending logs to QRadar Console.

    Posted Tue December 19, 2023 02:28 AM

    Hello Ganesh,

    I think the following article might answer your question.

    QRadar: Generate alerts when a Log Source stops receiving events

    https://www.ibm.com/support/pages/qradar-generate-alerts-when-log-source-stops-receiving-events

    Regards,

    Kiril



    ------------------------------
    Kiril Bonev
    System Engineer
    CNsys PLC
    ------------------------------



  • 3.  RE: Wants to Create Rule/Alert for if any log source stops sending logs to QRadar Console.

    Posted Tue December 19, 2023 08:33 AM

    The rule type mentioned below only works with a specific time per log source or group. We make a rule that puts the log source name into specific reference sets that expire at specific times, updating the entry every half of the expiration time. When the entry expires from the reference set, we fire the offense based on that entry. Someone in the forums has a good write-up of how to do that with clustered log sources as well.

    Different log source types log on different timelines; payroll printers, for instance, only log every payroll, whereas DCs and firewalls should log every 15 minutes or so. This is actually a VERY complex use case...



    ------------------------------
    Frank Eargle
    ------------------------------



  • 4.  RE: Wants to Create Rule/Alert for if any log source stops sending logs to QRadar Console.

    Posted Wed December 20, 2023 04:34 AM

    What Frank wrote is the solution we finally ended up with as well. The built-in alert is not informative enough; in our case it was not reliable and could not be customized the way we need it. Also think about using some kind of keepalive for log sources that do send frequently. We used a cron job notification to always have an hourly log entry for all Linux log sources.



    ------------------------------
    Martin Schmitt
    Senior Cyber Defense Consultant
    SECUINFRA
    Berlin
    ------------------------------



  • 5.  RE: Wants to Create Rule/Alert for if any log source stops sending logs to QRadar Console.

    Posted Wed December 20, 2023 08:37 AM

    Configuring an alert for when a log source stops sending logs to the QRadar Console involves setting up a rule that triggers an alert when expected log data fails to arrive within a specified timeframe. Here's a general guideline:

    1. **Create a Rule:**
       - Access the QRadar Console and navigate to the 'Rules' section.
       - Generate a new rule for log source monitoring.

    2. **Define Conditions:**
       - Set conditions to identify the log sources you want to monitor.
       - Establish the time duration (threshold) for which the absence of logs triggers an alert.

    3. **Select Actions:**
       - Configure the rule to trigger an alert when the defined conditions are met.
       - Determine the response action (like sending an email, generating a notification, etc.).

    4. **Test and Monitor:**
       - Apply the rule and test it to ensure it's correctly monitoring log sources.
       - Regularly monitor alerts to detect any issues with log sources not sending logs.

    Keep in mind that the exact steps may vary based on the version of QRadar and its configuration. It's recommended to refer to the official documentation or reach out to QRadar support for detailed and version-specific instructions.



    ------------------------------
    ahmad hassan
    ------------------------------



  • 6.  RE: Wants to Create Rule/Alert for if any log source stops sending logs to QRadar Console.

    Posted Thu December 21, 2023 07:34 AM

    You can use an alternative approach as well.
    Create BBs that group a class or other set of devices (e.g. per device type) and use them in a rule with a test like this example:

    Apply Log Source Monitoring - Group 1 on events which are detected by the Local system
    and when none of BB:LogSource definition: Group 1 Monitored Systems match in 30 minute(s) after BB:LogSource definition: Group 1 Monitored Systems match with the same Log Source




    ------------------------------
    Dusan VIDOVIC
    ------------------------------
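The thread describes two detection models: the per-group "none of BB match within 30 minutes after a match with the same Log Source" test in Dusan's reply, and Frank's reference set whose entries expire after a per-source time-to-live and are renewed at half that TTL, backed by Martin's hourly cron keepalive for quiet Linux hosts. The Python below is an added, stand-alone simulation of those semantics written for this page; it is not QRadar code and not any poster's rule. The group names, thresholds, log source names and log lines are all constructed (hypothetical) values. It replays a handful of events against a toy expiring reference set and reports which sources went silent and when, so the refresh-at-half-TTL behaviour and the per-source override for a payroll printer can be checked directly.

```python
from datetime import datetime, timedelta

# Constructed values (hypothetical): expected reporting cadence per group of
# log sources, as in the per-group building-block window of post 6, plus
# per-source overrides for devices that log only occasionally (post 3).
GROUP_TTL = {
    "domain_controller": timedelta(minutes=30),
    "firewall": timedelta(minutes=30),
    # Linux hosts emit an hourly cron keepalive (post 4); two hours tolerates one missed beat.
    "linux_server": timedelta(hours=2),
}
SOURCE_GROUP = {
    "dc-01": "domain_controller",
    "fw-edge-01": "firewall",
    "web-01": "linux_server",
    "payroll-printer": "printer",
}
SOURCE_TTL_OVERRIDE = {"payroll-printer": timedelta(days=15)}


def ttl_for(source):
    """Per-source expiry wins over the group default."""
    if source in SOURCE_TTL_OVERRIDE:
        return SOURCE_TTL_OVERRIDE[source]
    return GROUP_TTL[SOURCE_GROUP[source]]


class ExpiringReferenceSet:
    """Toy model of a reference set whose elements carry a time-to-live."""

    def __init__(self):
        self._expiry = {}  # element -> datetime at which it drops out

    def refresh(self, element, now, ttl):
        """Add the element, or renew it once half of its TTL has elapsed (post 3)."""
        expires = self._expiry.get(element)
        if expires is None or expires - now <= ttl / 2:
            self._expiry[element] = now + ttl

    def sweep(self, now):
        """Drop and return elements whose TTL ran out; each is a 'source went silent' signal."""
        gone = sorted(e for e, t in self._expiry.items() if t <= now)
        for e in gone:
            del self._expiry[e]
        return gone


def parse_event(line):
    """Constructed line format: '<ISO timestamp> <log source> <payload>'."""
    ts, source, _payload = line.split(" ", 2)
    return datetime.fromisoformat(ts), source


def detect_silent_sources(lines, until, tick=timedelta(minutes=5)):
    """Replay events up to `until` (ISO string); return {source: ISO time it was declared silent}."""
    refset = ExpiringReferenceSet()
    silent = {}
    events = sorted(parse_event(line) for line in lines)
    end = datetime.fromisoformat(until)
    now = events[0][0] if events else end
    i = 0
    while now <= end:
        # feed every event that has arrived by `now` into the reference set
        while i < len(events) and events[i][0] <= now:
            ts, source = events[i]
            refset.refresh(source, ts, ttl_for(source))
            i += 1
        # then expire whatever has stayed quiet for longer than its TTL
        for source in refset.sweep(now):
            silent.setdefault(source, now.isoformat())
        now += tick
    return silent


# Constructed sample: dc-01 logs every 15 minutes, fw-edge-01 stops after 08:15,
# web-01 sends hourly keepalives, payroll-printer logs once.
EVENTS = [
    f"2023-12-20T{8 + m // 60:02d}:{m % 60:02d}:00 dc-01 kerberos: TGT issued"
    for m in range(0, 151, 15)
] + [
    "2023-12-20T08:00:00 fw-edge-01 deny tcp 10.0.0.5 -> 203.0.113.9:445",
    "2023-12-20T08:15:00 fw-edge-01 permit tcp 10.0.0.7 -> 10.0.1.2:443",
    "2023-12-20T08:00:00 web-01 cron: qradar-keepalive",
    "2023-12-20T09:00:00 web-01 cron: qradar-keepalive",
    "2023-12-20T08:00:00 payroll-printer job 4471 printed",
]
UNTIL = "2023-12-20T10:30:00"

if __name__ == "__main__":
    print(detect_silent_sources(EVENTS, UNTIL))  # {'fw-edge-01': '2023-12-20T08:45:00'}
```

Run as-is, only the firewall is reported, thirty minutes after its last event; the domain controller keeps renewing its entry at every second event, the Linux host survives on its hourly keepalive because its two-hour TTL is refreshed at the one-hour mark, and the payroll printer's fifteen-day override keeps it out of the result. Lowering a group TTL or dropping the 09:00 keepalive line is the quickest way to see how each threshold choice changes what fires.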