IBM Security QRadar

I'm a complete rookie at this and just setting this up on my home network. I'm running Windows 10 on a few PC's and have a dedicated PC with VirtualBoxes for QRADAR CE, Kali and Metasloitable.

I was hoping there might be some instructions for a simple home network setup and it looks like Jose Bravo has *almost* the perfect videos for me, but he's using Squid which I'm not familiar with. I'm thinking QRADAR would read logs from the Windows firewall or my Linksys mesh router, but to no avail so far.

When I add a DSM, I don't see anything for Microsoft Windows Defender in the list, although a Windows Defender ATP (what's that?) is mentioned in the b_dsm_guide.pdf but doesn't appear in the list of Log Source Types.

I've installed and used the QRadar Log Source Management app with no success.  It looks like this app changed from the morning of 4/18 to the evening. The layout changed. I also got a notice that fixes were available for several DSM's and a protocol, but Fix Central didn't seem to be working for me.

If anyone knows of any papers or video to get Windows Log data flowing, I'd really appreciate it.  In the meantime, I'll keep searching and trying things.

Thanks in advance,
John

------------------------------
John Tyson
------------------------------

Hello John,

the keyword you are looking for, regarding to get Windows Log Data into your QRadar CE is wincollect.
https://www.ibm.com/community/qradar/home/wincollect/

This should be a good starting point..

Hope this is useful for you.

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+49 721 90981727
------------------------------

Original Message:
Sent: Sun April 18, 2021 10:56 PM
From: John Tyson
Subject: QRADAR CE not getting data in Network Activity (Rookie user)

I'm a complete rookie at this and just setting this up on my home network. I'm running Windows 10 on a few PC's and have a dedicated PC with VirtualBoxes for QRADAR CE, Kali and Metasloitable.

I was hoping there might be some instructions for a simple home network setup and it looks like Jose Bravo has *almost* the perfect videos for me, but he's using Squid which I'm not familiar with. I'm thinking QRADAR would read logs from the Windows firewall or my Linksys mesh router, but to no avail so far.

When I add a DSM, I don't see anything for Microsoft Windows Defender in the list, although a Windows Defender ATP (what's that?) is mentioned in the b_dsm_guide.pdf but doesn't appear in the list of Log Source Types.

I've installed and used the QRadar Log Source Management app with no success.  It looks like this app changed from the morning of 4/18 to the evening. The layout changed. I also got a notice that fixes were available for several DSM's and a protocol, but Fix Central didn't seem to be working for me.

If anyone knows of any papers or video to get Windows Log data flowing, I'd really appreciate it.  In the meantime, I'll keep searching and trying things.

Thanks in advance,
John

------------------------------
John Tyson
------------------------------

Original Message:
Sent: 4/19/2021 3:42:00 AM
From: Ralph Belfiore
Subject: RE: QRADAR CE not getting data in Network Activity (Rookie user)

Hello John,

the keyword you are looking for, regarding to get Windows Log Data into your QRadar CE is wincollect.
https://www.ibm.com/community/qradar/home/wincollect/

This should be a good starting point..

Hope this is useful for you.

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+49 721 90981727
------------------------------

Original Message:
Sent: Sun April 18, 2021 10:56 PM
From: John Tyson
Subject: QRADAR CE not getting data in Network Activity (Rookie user)

I'm a complete rookie at this and just setting this up on my home network. I'm running Windows 10 on a few PC's and have a dedicated PC with VirtualBoxes for QRADAR CE, Kali and Metasloitable.

I was hoping there might be some instructions for a simple home network setup and it looks like Jose Bravo has *almost* the perfect videos for me, but he's using Squid which I'm not familiar with. I'm thinking QRADAR would read logs from the Windows firewall or my Linksys mesh router, but to no avail so far.

When I add a DSM, I don't see anything for Microsoft Windows Defender in the list, although a Windows Defender ATP (what's that?) is mentioned in the b_dsm_guide.pdf but doesn't appear in the list of Log Source Types.

I've installed and used the QRadar Log Source Management app with no success.  It looks like this app changed from the morning of 4/18 to the evening. The layout changed. I also got a notice that fixes were available for several DSM's and a protocol, but Fix Central didn't seem to be working for me.

If anyone knows of any papers or video to get Windows Log data flowing, I'd really appreciate it.  In the meantime, I'll keep searching and trying things.

Thanks in advance,
John

------------------------------
John Tyson
------------------------------

Danke schön, Ralph

I ran into a problem just trying to start a download of this, received another automated email saying IBM fixed the problem, then tried it again tonight. Got further, but ran into an error and reported it to Fix Central, as they suggested.

Here are the details:
An error occurred

IBM Security, IBM Security QRadar SIEM (All releases, All platforms)

Fix Central was unable to complete your request. We apologize for the inconvenience.
Please use the feedback option to report the problem, and include the following details:

Cmn.ServiceProviderError
Internal error calling AVS.
Selected Fix ID(s): [7.4.0-QRADAR-wincollect-standalone-patch-installer-7.3.0-41.exe, 7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x86.exe, 7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x64.exe, 7.4.0-QRADAR-740_QRadar_wincollectupdate-7.3.0-41.sfs, 7.3.0-QRADAR-730_QRadar_wincollectupdate-7.3.0-41.sfs]
Order State History: [Initial, Order Fixes, Order Updates Started, Order Updates Failed]
Order Time: Fri Apr 23 02:15:39 UTC 2021
Entry URL: https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.4.0-QRADAR-wincollect-standalone-patch-installer-7.3.0-41.exe,7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x86.exe,7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x64.exe,7.4.0-QRADAR-740_QRadar_wincollectupdate-7.3.0-41.sfs,7.3.0-QRADAR-730_QRadar_wincollectupdate-7.3.0-41.sfs&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc&login=true
HSB Order ID: H82842794
FC Order ID: 416678707
Web ID: 55000AT3S3

I will probably get another email letting me know I can try again.

------------------------------
John Tyson
------------------------------

Original Message:
Sent: Mon April 19, 2021 03:41 AM
From: Ralph Belfiore
Subject: QRADAR CE not getting data in Network Activity (Rookie user)

Hello John,

the keyword you are looking for, regarding to get Windows Log Data into your QRadar CE is wincollect.
https://www.ibm.com/community/qradar/home/wincollect/

This should be a good starting point..

Hope this is useful for you.

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+49 721 90981727

Original Message:
Sent: Sun April 18, 2021 10:56 PM
From: John Tyson
Subject: QRADAR CE not getting data in Network Activity (Rookie user)

I'm a complete rookie at this and just setting this up on my home network. I'm running Windows 10 on a few PC's and have a dedicated PC with VirtualBoxes for QRADAR CE, Kali and Metasloitable.

I was hoping there might be some instructions for a simple home network setup and it looks like Jose Bravo has *almost* the perfect videos for me, but he's using Squid which I'm not familiar with. I'm thinking QRADAR would read logs from the Windows firewall or my Linksys mesh router, but to no avail so far.

When I add a DSM, I don't see anything for Microsoft Windows Defender in the list, although a Windows Defender ATP (what's that?) is mentioned in the b_dsm_guide.pdf but doesn't appear in the list of Log Source Types.

I've installed and used the QRadar Log Source Management app with no success.  It looks like this app changed from the morning of 4/18 to the evening. The layout changed. I also got a notice that fixes were available for several DSM's and a protocol, but Fix Central didn't seem to be working for me.

If anyone knows of any papers or video to get Windows Log data flowing, I'd really appreciate it.  In the meantime, I'll keep searching and trying things.

Thanks in advance,
John

------------------------------
John Tyson
------------------------------

Hello John,

the current Version of Wincollect beginning with 7.4.0 does not fit to the CE Release.
in case of the QRadar CE Release 7.3.3 you'll have to use the Wincollect Version beginning with 7.3.0-

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+49 721 90981727
------------------------------

Original Message:
Sent: Thu April 22, 2021 10:31 PM
From: John Tyson
Subject: QRADAR CE not getting data in Network Activity (Rookie user)

Danke schön, Ralph

I ran into a problem just trying to start a download of this, received another automated email saying IBM fixed the problem, then tried it again tonight. Got further, but ran into an error and reported it to Fix Central, as they suggested.

Here are the details:
An error occurred

IBM Security, IBM Security QRadar SIEM (All releases, All platforms)

Fix Central was unable to complete your request. We apologize for the inconvenience.
Please use the feedback option to report the problem, and include the following details:

Cmn.ServiceProviderError
Internal error calling AVS.
Selected Fix ID(s): [7.4.0-QRADAR-wincollect-standalone-patch-installer-7.3.0-41.exe, 7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x86.exe, 7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x64.exe, 7.4.0-QRADAR-740_QRadar_wincollectupdate-7.3.0-41.sfs, 7.3.0-QRADAR-730_QRadar_wincollectupdate-7.3.0-41.sfs]
Order State History: [Initial, Order Fixes, Order Updates Started, Order Updates Failed]
Order Time: Fri Apr 23 02:15:39 UTC 2021
Entry URL: https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.4.0-QRADAR-wincollect-standalone-patch-installer-7.3.0-41.exe,7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x86.exe,7.4.0-QRADAR-AGENT-wincollect-7.3.0-41.x64.exe,7.4.0-QRADAR-740_QRadar_wincollectupdate-7.3.0-41.sfs,7.3.0-QRADAR-730_QRadar_wincollectupdate-7.3.0-41.sfs&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc&login=true
HSB Order ID: H82842794
FC Order ID: 416678707
Web ID: 55000AT3S3

I will probably get another email letting me know I can try again.

------------------------------
John Tyson

Original Message:
Sent: Mon April 19, 2021 03:41 AM
From: Ralph Belfiore
Subject: QRADAR CE not getting data in Network Activity (Rookie user)

Hello John,

the keyword you are looking for, regarding to get Windows Log Data into your QRadar CE is wincollect.
https://www.ibm.com/community/qradar/home/wincollect/

This should be a good starting point..

Hope this is useful for you.

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+49 721 90981727

Original Message:
Sent: Sun April 18, 2021 10:56 PM
From: John Tyson
Subject: QRADAR CE not getting data in Network Activity (Rookie user)

I'm a complete rookie at this and just setting this up on my home network. I'm running Windows 10 on a few PC's and have a dedicated PC with VirtualBoxes for QRADAR CE, Kali and Metasloitable.

I was hoping there might be some instructions for a simple home network setup and it looks like Jose Bravo has *almost* the perfect videos for me, but he's using Squid which I'm not familiar with. I'm thinking QRADAR would read logs from the Windows firewall or my Linksys mesh router, but to no avail so far.

When I add a DSM, I don't see anything for Microsoft Windows Defender in the list, although a Windows Defender ATP (what's that?) is mentioned in the b_dsm_guide.pdf but doesn't appear in the list of Log Source Types.

I've installed and used the QRadar Log Source Management app with no success.  It looks like this app changed from the morning of 4/18 to the evening. The layout changed. I also got a notice that fixes were available for several DSM's and a protocol, but Fix Central didn't seem to be working for me.

If anyone knows of any papers or video to get Windows Log data flowing, I'd really appreciate it.  In the meantime, I'll keep searching and trying things.

Thanks in advance,
John

------------------------------
John Tyson
------------------------------