This post is meant to be a central place where you can find all the blog posts related to QRadar Content.
If there is one page to bookmark, this is the one!
I added a table with all the quick links to the blog posts, then a summary of their content.
Deep dive

| Title | Date | Summary | Link |
|---|---|---|---|
| Everything you need to know about QRadar Rules (for beginners and experts) | 11/01/22 | Summary | Link |
| Content management using the API | 09/20/22 | Summary | Link |
| Get SIGMA content optimized for QRadar! | 05/19/23 | Summary | Link |

Content pack related

| Title | Date | Summary | Link |
|---|---|---|---|
| ReaQta and Randori content | 03/21/23 | Summary | Link |
| IBM Security's Cost of a Data Breach report and QRadar content | 07/27/22 | Summary | Link |
| Homoglyph detection with QRadar | 01/31/22 | Summary | Link |
| How are you checking your QRadar deployment? | 10/14/21 | Summary | Link |
| In case you've missed it: This is what happened so far in 2021 with QRadar security content | 06/30/21 | Summary | Link |
| Detect suspicious activity in your AWS, Azure, VMware and O365 environments | 05/26/21 | Summary | Link |
| Need help to monitor data exfiltration? | 11/23/20 | Summary | Link |
| Did you think of monitoring QRadar? | 11/12/20 | Summary | Link |

Endpoint Monitoring

| Title | Date | Summary | Link |
|---|---|---|---|
| Diving into Windows UAC Bypasses by Nigel Sood | 04/27/22 | Summary | Link |
| Anatomy of a ransomware attack | 06/21/21 | Summary | Link |
| Ransomware: Get ready to respond! | 07/16/21 | Summary | Link |
| Cobalt Strike: Whether it is a red team or an adversary, detect it with QRadar | 12/15/21 | Summary | Link |
| Malware-as-a-Service, malware for rent! | 08/04/21 | Summary | Link |
| Endpoint monitoring essentials for QRadar | 10/27/20 | Summary | Link |

Threat hunting with YARA and SIGMA

| Title | Date | Summary | Link |
|---|---|---|---|
| QRadar and SIGMA: Map your own Custom Properties and Log Sources Types | 05/24/24 | Summary | Link |
| QRadar natively supports SIGMA for rules creation | 09/15/23 | Summary | Link |
| QRadar YARA Rule Manager App awesome updates | 06/22/22 | Summary | Link |
| Detect Spring CVE-2022-22965 with QRadar | 03/31/22 | Summary | Link |
| Enhance your detection of Log4j exploit (CVE-2021-44228) with the YARA App | 12/16/21 | Summary | Link |
| Threat hunting with QRadar and YARA | 10/25/21 | Summary | Link |

X-Force

| Title | Date | Summary | Link |
|---|---|---|---|
| QRadar content and X-Force Threat Intelligence Index report 2022 | 02/25/22 | Summary | Link |
| QRadar and X-Force Integration | 05/18/22 | Summary | Link |

Threat Hunting

| Title | Date | Summary | Link |
|---|---|---|---|
| Detect MOVEit Transfer Zero-Day with QRadar Log Insights | 06/22/23 | Summary | Link |
| Get a new perspective on your MITRE Mapping | 01/27/23 | Summary | Link |
| Microsoft Exchange RCE vulnerabilities - Sept 2022 | 09/30/22 | Summary | Link |
| PrintNightmare: The Critical Windows Print Spooler Vulnerability | 07/02/21 | Summary | Link |
| How can QRadar help with VMware monitoring and the CVE-2021-21985 publication? | 06/08/21 | Summary | Link |
| F5 vulnerability announcement and QRadar monitoring | 03/12/21 | Summary | Link |
| SUNBURST indicator detection in QRadar | 12/19/20 | Summary | Link |
| FireEye Red Team Tools detection in QRadar | 12/10/20 | Summary | Link |
| Detect Spring CVE-2022-22965 with QRadar | 03/31/22 | Summary | Link |
| Enhance your detection of Log4j exploit (CVE-2021-44228) with the YARA App | 12/16/21 | Summary | Link |
Deep dive
Everything you need to know about QRadar Rules (for beginners and experts)
Link
This blog is advanced documentation covering everything from "what are the different types of rules" to "how does the correlation engine process the rules".
Content management using the API
Link
This blog shows how to export and import content using the API
Get SIGMA content optimized for QRadar!
Link
This blog explains how the IBM team updated the script that converts SIGMA rules to AQL so that it generates better-performing content.
Content pack related
QRadar natively supports SIGMA for rules creation
Link
This blog highlights how the YARA and SIGMA rule manager app can help import dozens of SIGMA rules into QRadar in a few seconds.
ReaQta and Randori Content
Link
This blog highlights the parsing work done for ReaQta and Randori as well as how to implement EDR and ASM content
IBM Security's Cost of a Data Breach report and QRadar content
Link
This blog post extracts a few highlights of the Cost of a Data Breach 2022 report and shows how to quickly implement some detections and responses for the biggest attack vectors and threats
Homoglyph detection with QRadar
Link
This blog explains what homoglyphs are and how to detect them with QRadar
How are you checking your QRadar deployment?
Link
This blog shows how to go further with the monitoring of QRadar itself, with the implementation of use cases such as:
- Rules monitoring
- Wincollect deployment monitoring
- Data collection indicators
Detect suspicious activity in your AWS, Azure, VMware and O365 environments
Link
This blog explains how to implement monitoring Hybrid-Cloud related use cases in QRadar, such as:
- VM sprawl monitoring
- Virtualized security devices monitoring
- Suspicious privilege escalations detection
- Suspicious policy management detection
Did you think of monitoring QRadar?
Link
This blog explains how to implement monitoring for one of the most important security devices that can easily be forgotten, QRadar itself.
It helps with a few use cases such as:
- Understanding when something is wrong with the configuration
- Data corruption monitoring
- Managed host unreachable alerting
- Compliance requirements implementation
Need help to monitor data exfiltration?
Link
This blog entry explains how to implement monitoring related to data exfiltration with QRadar.
It covers the following use cases:
- Sensitive file monitoring with lightweight maintenance
- How to take advantage of the network data
- Analysis of a normal behaviour becoming suspicious
In case you've missed it: This is what happened so far in 2021 with QRadar security content
Link
This blog is a review of H1 2021. It shows:
- The new content for Hybrid-Cloud environments
- CEP Rebaselining
- The new Custom Properties that have been released
- And other essentials
Endpoint Monitoring
Anatomy of a ransomware attack
Link
This blog post explains a way of breaking a ransomware attack into 6 distinct phases, from the distribution phase to the ransom notification, and how to monitor each phase with QRadar.
Ransomware: Get ready to respond!
Link
This blog is a follow-up to the Anatomy of a ransomware blog post and talks about how to react when facing a ransomware attack.
It highlights 3 essentials to implement to control the risk, a step to get an overview of the situation, and finally, the battle plan.
Diving into Windows UAC Bypasses
Link
This blog explains how the Endpoint content extension can help detect dozens of Windows User Account Control (UAC) bypass techniques.
Cobalt Strike: Whether it is a red team or an adversary, detect it with QRadar
Link
This blog digs into the more specific rules created to detect behaviour related to Cobalt Strike.
Detecting Cobalt Strike can help spot red teams and various malware, and can be an indicator of Log4j vulnerability (CVE-2021-44228) exploitation.
Malware-as-a-Service, malware for rent!
Link
This blog shows how the QRadar Endpoint Content Extension can help with the detection of Malware-as-a-Service behaviour.
It explains the implementation of the following use cases:
- Malware-as-a-Service visibility increase
- Ryuk ransomware detection
- General ransomware activity monitoring
Endpoint monitoring essentials for QRadar
Link
This blog explains how to use QRadar to implement a few use cases related to Endpoint devices such as:
- Reconnaissance tools detection
- Ransomware detection
- Credential dumping monitoring
- Basic administration task execution by a malicious actor detection
Threat hunting with YARA and SIGMA
QRadar and SIGMA: Map your own Custom Properties and Log Sources Types
Link
This blog explains how you can create your own mapping of CEP and Log Sources between QRadar and SIGMA.
QRadar YARA Rule Manager App awesome updates
Link
This blog shows the updates made in version 1.2.0 of the app, including improved search capabilities and a namespaces update.
Detect Spring CVE-2022-22965 with QRadar
Link
This blog covers detection of CVE-2022-22965 exploitation with QRadar using native rules and YARA rules.
Enhance your detection of Log4j exploit (CVE-2021-44228) with the YARA App
Link
Information on how to take advantage of the YARA app to detect Log4j vulnerability (CVE-2021-44228) indicators
Threat hunting with QRadar and YARA
Link
This blog explains the purpose and basics of the YARA Rule Manager App
X-Force
QRadar content and X-Force Threat Intelligence Index report 2022
Link
This blog shows the relationships between the QRadar Content and the X-Force Threat Intelligence 2022 report
QRadar and X-Force Integration
Link
This blog explains how X-Force and QRadar integrate with each other as well as the different service options available
Threat Hunting
Detect MOVEit Transfer Zero-Day with QRadar Log Insights
Link
Learn how to investigate MOVEit Transfer Zero-Day with QRadar Log Insights
Get a new perspective on your MITRE Mapping
Link
Learn about our integration in Tidal and get a new perspective on your QRadar content MITRE mapping to prioritize use cases.
Microsoft Exchange RCE vulnerabilities - Sept 2022
Link
Information related to CVE-2021-1675 affecting Microsoft and the detection of its indicators in QRadar.
PrintNightmare: The Critical Windows Print Spooler Vulnerability
Link
Information related to CVE-2021-1675 affecting Microsoft and the detection of its indicators in QRadar.
How can QRadar help with VMware monitoring and the CVE-2021-21985 publication?
Link
Information related to CVE-2021-21985 affecting VMware and the detection of its indicators in QRadar.
F5 vulnerability announcement and QRadar monitoring
Link
Information related to the F5 vulnerabilities announced in March 2021 and the detection of their indicators in QRadar.
SUNBURST indicator detection in QRadar
Link
Information related to the SolarWinds SUNBURST incident and the detection of its indicators in QRadar.
FireEye Red Team Tools detection in QRadar
Link
Information related to the FireEye Red Team Tools incident and the detection of its indicators in QRadar.
Detect Spring CVE-2022-22965 with QRadar
Link
This blog covers detection of CVE-2022-22965 exploitation with QRadar using native rules and YARA rules.
Enhance your detection of Log4j exploit (CVE-2021-44228) with the YARA App
Link
Information on how to take advantage of the YARA app to detect Log4j vulnerability (CVE-2021-44228) indicators
#QRadar
#Spotlight