IBM Security QRadar

  • 1.  Fine Tuning with Reference Set

    Posted Wed July 31, 2019 12:30 PM

    Hello Community, 

    I'm relatively new to this QRadar tool.

    Since we got a dramatic number of offenses for Multiple Login Failures, and we knew they were legitimate behaviors based on the company's policy, I was trying to create a temporary whitelist for certain users by using a reference set to eliminate the numerous offenses generated by them; however, I'm still getting new offenses for the same reason, multiple login failures. Could I possibly get some clarification and assistance regarding the purpose of implementing the reference set and the best practice for creating a temporary whitelist?

    Thank you,


    ------------------------------
    Zhong Zhang
    ------------------------------


  • 2.  RE: Fine Tuning with Reference Set

    Posted Thu August 01, 2019 01:02 PM
    Zhong, it is my opinion that multiple login failures are not always a legitimate occurrence. That said, I agree that the out-of-the-box rule(s) do create too many offenses. Now, what was your approach to enable whitelisting: changing the rule itself, or adding the reference to reference sets through false positive rules? Did you analyze the events that contributed to the offense and check the rules/BBs it matched? You can also install the Tuning application from the X-Force Exchange, which should help with following through the offense "flow".

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Fine Tuning with Reference Set

    Posted Thu August 01, 2019 02:21 PM

    Hello Dusan, 

    Thank you so much for your reply and suggestions. I truly appreciate it.

    I configured the Multiple Login Failure rule with an additional reference set (my temporary testing set) as you suggested. I realized the reference set was not related to any rule; that is the mistake I made. At the time of writing, this modification stopped the offenses from generating.

    Thank you so much again!



    ------------------------------
    Zhong Zhang
    ------------------------------
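The thread ends with a reference set that only took effect once a rule test referenced it. As an added example (not code from the thread or from IBM), the script below shows the other half of a "temporary" whitelist: creating the set through the QRadar REST API with a time-to-live so that whitelisted usernames expire on their own, then adding users to it. The host name, token, set name, TTL string and sample usernames are constructed placeholders; the rule still has to test "username is not contained in this reference set" for the set to suppress offenses.

```python
"""Create a time-limited QRadar reference set and add whitelisted users.

Assumptions (all constructed, not from the thread): console at QRADAR_HOST,
an authorised service token in QRADAR_TOKEN, set name Temp_Login_Whitelist.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request

QRADAR_HOST = os.environ.get("QRADAR_HOST", "qradar.example.internal")  # placeholder
QRADAR_TOKEN = os.environ.get("QRADAR_TOKEN", "REPLACE_WITH_TOKEN")  # placeholder
SET_NAME = "Temp_Login_Whitelist"  # constructed name


def create_set_request(name, ttl="30 days"):
    """Return (URL, query params) for POST /api/reference_data/sets.

    time_to_live with timeout_type=LAST_SEEN makes every username age out
    after the TTL, so the whitelist is genuinely temporary instead of
    living on after the tuning exercise is forgotten. The TTL string
    format ("30 days") is an assumption; check your API version's docs.
    """
    params = {
        "name": name,
        "element_type": "ALNIC",  # alphanumeric, case-insensitive usernames
        "time_to_live": ttl,
        "timeout_type": "LAST_SEEN",
    }
    return "https://%s/api/reference_data/sets" % QRADAR_HOST, params


def add_value_request(name, username):
    """Return (URL, query params) for POST /api/reference_data/sets/{name}."""
    url = "https://%s/api/reference_data/sets/%s" % (QRADAR_HOST, urllib.parse.quote(name))
    return url, {"value": username}


def build_url(base, params):
    """Attach query parameters; QRadar takes these as URL params, not a body."""
    return base + "?" + urllib.parse.urlencode(params)


def post(url, params):
    """Issue the POST with the SEC token header and return the JSON reply."""
    headers = {"SEC": QRADAR_TOKEN, "Accept": "application/json"}
    req = urllib.request.Request(build_url(url, params), method="POST", headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(post(*create_set_request(SET_NAME))["name"])
    for user in ["svc_backup", "svc_monitor"]:  # constructed sample usernames
        post(*add_value_request(SET_NAME, user))
```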