IBM QRadar

  • 1.  Way to track content change

    Posted Fri March 27, 2020 09:34 AM
    Hello all,

    I'm looking for some way to track changes to QRadar rules.
    We have many people who develop new rules and make changes to existing ones, so we need some control over that.
    I didn't find any solution, but I believe I am not the only one who struggles with that problem.

    I will be grateful for all ideas :)




    ------------------------------
    Patryk Prauze
    ------------------------------


  • 2.  RE: Way to track content change

    Posted Mon March 30, 2020 03:57 AM
    Hi Patryk,

    Have you ever tried searching the audit log? I'm sure you can make a report out of it. I have attached an example.



    ------------------------------
    Kind regards
    Oliver
    ------------------------------



  • 3.  RE: Way to track content change

    Posted Mon March 30, 2020 07:48 AM
    Hi Oliver,

    Yes, I know that there are such events and I can build a report on them, but that's not what I want to achieve.
    I'm looking for some solution to build something like a rules repository where I will be able to track changes to rules.



    ------------------------------
    Patryk Prauze
    ------------------------------



  • 4.  RE: Way to track content change

    Posted Mon March 30, 2020 09:21 AM
    Hi Patryk,

    You can use the Audit Logs of QRadar either with the CLI or with the WebGUI. Just filter on log source 'SIM Audit-2' and low level category 'SIM Configuration Change'.

    I hope this helps...

    Kind regards,
    Volker

    ------------------------------
    Volker Scholz
    ------------------------------



  • 5.  RE: Way to track content change

    Posted Mon March 30, 2020 10:34 AM
    Volker is correct that you can see what has changed using that log source, but the problem I think you also have is policing change and versioning any changes (I have seen this challenge in my environment).

    QRadar is great in a number of areas; however, it does not have any concept of versioning (e.g. rolling back a change) nor policing of change (i.e. permitting change only on parts of the configuration).

    It is a bit of a weakness given that other real-time multi-tenant [voice/carrier] systems have had versioning/policing functions since the 1990s. For us this is more problematic when the SIEM is larger, with multiple tenants, or operating as an MSSP.

    I'll chat behind the scenes to see where this sits in the list of to-dos with the development community.

    Darren H.

    ------------------------------
    Darren H.
    ------------------------------
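    As an added example (not code from the thread, from IBM, or from any QRadar app), the following script combines the two ideas above: the audit-log filter from Volker's post (log source 'SIM Audit-2', low level category 'SIM Configuration Change') and the versioning that Darren notes QRadar lacks, implemented as a diff between two rule snapshots. It assumes audit events are available as Python dicts and that rule definitions can be exported periodically as name -> definition; the sample events and snapshots are constructed, not real QRadar output.

```python
"""Added example (not from the thread or IBM): build a versioned change ledger for
QRadar rules. Assumed, not from the posts: audit events arrive as dicts with the
fields 'logsource', 'low_level_category', 'username' and 'payload' (constructed here,
not a real QRadar export), and rule definitions can be snapshotted as name -> dict."""
import hashlib
import json

# Filter values from the thread (Volker's post).
AUDIT_LOG_SOURCE = "SIM Audit-2"
AUDIT_CATEGORY = "SIM Configuration Change"

def filter_config_changes(events):
    """Keep only the audit events the thread recommends filtering on."""
    return [e for e in events
            if e.get("logsource") == AUDIT_LOG_SOURCE
            and e.get("low_level_category") == AUDIT_CATEGORY]

def rule_fingerprint(rule):
    """Stable content hash of a rule definition, usable as a version id."""
    canon = json.dumps(rule, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def diff_rule_snapshots(old, new):
    """Compare two snapshots (rule name -> definition): what was added, removed,
    or modified, with the changed field names for each modified rule."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for name in set(old) & set(new):
        if rule_fingerprint(old[name]) == rule_fingerprint(new[name]):
            continue
        modified[name] = sorted(k for k in set(old[name]) | set(new[name])
                                if old[name].get(k) != new[name].get(k))
    return {"added": added, "removed": removed, "modified": modified}

# Constructed sample data (not real QRadar output).
SAMPLE_EVENTS = [
    {"logsource": "SIM Audit-2", "low_level_category": "SIM Configuration Change",
     "username": "alice", "payload": "RuleUpdated: Excessive Firewall Denies"},
    {"logsource": "SIM Audit-2", "low_level_category": "User Login Success",
     "username": "bob", "payload": "login"},
    {"logsource": "Linux OS", "low_level_category": "SIM Configuration Change",
     "username": "carol", "payload": "not from the SIM audit source"},
]
SNAPSHOT_V1 = {"Excessive Firewall Denies": {"enabled": True, "threshold": 100},
               "Old Rule": {"enabled": False}}
SNAPSHOT_V2 = {"Excessive Firewall Denies": {"enabled": True, "threshold": 50},
               "New Rule": {"enabled": True}}
```

    Committing each snapshot to a git repository alongside the filtered audit events gives the rollback and "who changed what" trail the thread asks for, with the diff output as the commit message body.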



  • 6.  RE: Way to track content change

    Posted Tue March 31, 2020 08:56 AM
    Hi guys

    I agree with you: SIM Audit logs are the best option to track what has been done.

    You could check this content pack on the App Exchange: https://exchange.xforce.ibmcloud.com/hub/extension/0be9613a768a5a05ea102535b7bce76a
    The pack includes monitoring of the CLI, the web interface, QRadar's health status, etc.
    Check the screenshot given as an example.

    Hope this helps

    ------------------------------
    Gladys Koskas
    ------------------------------