IBM QRadar

 View Only

How are you checking your QRadar deployment ?

By Gladys Koskas posted Thu October 14, 2021 01:36 PM

  

Hello guys !

It has been a long time and you need to be aware of our new release of the QRadar Self Monitoring content extension on the App Exchange!

In the previous blog post Did you think of monitoring QRadar ? we talked about data corruption detection, host monitoring and compliance requirements, which is a lot already, but there is always more to do!

Today we are going to answer a few more "how can I" questions related to QRadar environment monitoring.

How can I:

  • Get a quick overview on the number of times my rules are triggering ?
  • Get a status on my Wincollect deployment
  • Have an idea on the number of events per second I am receiving in real time

Spoiler alert ! To all of the above, there is only one answer… You can do it all by looking at the new version of the QRadar Self Monitoring Dashboard in Pulse !


This blog will be short really, I just wanted to show you all the cool new indicators we added in the pack !

Scenarios Highlights

How can I get a quick overview on the number of times my rules are triggering ?

 
Since the beginnings of QRadar, you can see how much a rule triggers by looking at the rules screen...

...but there is a few limits with the two indicators that we are being provided in this view, let’s have a quick look:

  • Offense Count: This is valid, but the offense indexing can impact the number of offenses greatly (ie: a rule that matches authentication failure on the active directory can create 1 offense per IP or thousands on username)
  • Event / Flow count: In this case, the filters of the rules can make the number of events participating to an offense vary a lot (ie: a rule that matches 200 firewall denies vs a rule that matches 1 specific command execution)
  • and… you need to have access to that part of the UI ! 

So if you want to cross reference your indicators, or provide the info to restricted users, check out these new widgets!

It is the most basic you can think of, but provides so much value to monitor which rules are the ones matching the most in real time.

How can I get a status on my Wincollect deployment

 
Have you noticed there is a new version of Wincollect ? That's right, Wincollect 10 is out, with great new functionalities such as auto tuning, web based configuration console and many others. To learn more about it, check out Wendy Willner’s blog WinCollect 10: Stand Alone Released !

To help you with the management of your agents we included 3 new widgets that will allow you to monitor the migration progress and the status of your deployment at any time.

If you want to go further in the management of your agents and monitor the agents that are not sending logs anymore as an example, you can have a look at Cristian Ruvalcaba’s blog post on the topic Monitoring WinCollect Agents: Managed AND Stand Alone.

One more reference to another blog and I’ll become your second best friend after Google !

How can I have an idea on the number of events per second I am receiving in real time

 
There is 2 new widgets for that too !

These two graphs will show you the average and the maximum number of EPS for the last 2 hours for each host of your deployment. Should be simple and efficient !

QRadar configuration

If you know how to install a dashboard in pulse you can skip the end of the blog, but I've seen questions a few times so I figured I could help here !

Install the content extension

 

Synchronize the dashboard

Before you can install the dashboard in Pulse, you need to synchronize it in the Admin tab.

Simply click on "Synchronize".

 

Install the Dashboard

Now you can open the Pulse app and click on New Dashboard.

Select "Templates"

Click on "Install" next to "QRadar Monitoring"

Go back to your dashboards list and you're ready !

 Conclusion

I hope these new indicators will help you with the supervision of your deployment, you can find the content extension on the App Exchange here.
We're already looking at building new ones soon, so please send us your proposals.

Don’t hesitate to look at the former blog “Did you think of monitoring QRadar ?” if you want to learn more about data corruption detection, understanding how to detect that you are under attack or that something is wrong with the configuration or compliance requirement.

Was that another mention to another blog ? Am I second on the list now ?!

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.

2 comments
75 views

Permalink

Comments

Thu February 02, 2023 09:58 AM

Hi Fabien

I missed your message.
Sorry about that, I fixed the link

Thanks !

Tue October 26, 2021 06:00 AM

Hello

Thanks for the insight

The link at the end of the article seems dead, is it possible to have working url ?

Thanks a lot