IBM Security QRadar

  • 1.  Offense Enrichment

    Posted Tue July 23, 2019 09:15 AM
    Hi,

    I have seen the recent post about the Event Enrichment by Pipotron 2.0 but I think it's a slightly different case.

    I want to be able to enrich offenses with information such as CMDB or similar. I have reviewed the comments made on the aforementioned post but I couldn't really find a solution that will be suitable for me.

    The idea is that an offense is triggered and, based on a unique id or item within the offense, I can enrich it with information from CMDB or similar. I haven't found a way to link CMDB or just a "look-up table" within QRadar or Resilient to enrich the offense.

    There was a mention of a Custom AQL Function by Nico de Smidt, and after going through the documentation I don't think this is the right approach, because that would mean I would need to make an API request to retrieve the information, given the thing I'm interacting with has an API to begin with. And there is the question of how I would append the information back to the offense or something else, due to offenses being "immutable" for forensic reasons, as was commented on by Nico de Smidt.

    As I mentioned above, I have QRadar and Resilient instances, so if I could do this from either of them or a combination of both, can you please provide some insight and/or documentation on how to achieve this.

    Thanks,

    ------------------------------
    Mo Amiri
    ------------------------------
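    The workflow described in the question (offense triggers, an identifier in it is looked up in a CMDB extract, the result is attached back to the offense without modifying the offense itself), as an added example that is not part of the thread. The offense record, the CMDB extract and the API token are constructed placeholders; the offense-notes endpoint and its `note_text` parameter are an assumption based on the QRadar REST API documentation, not something the thread confirms.

```python
from typing import Optional

# Constructed sample: a trimmed offense record in the shape returned by the
# QRadar offenses API. All values are invented for this example.
SAMPLE_OFFENSE = {
    "id": 4711,
    "description": "Multiple Login Failures from the Same Source",
    "offense_source": "10.20.30.40",
}

# Constructed CMDB extract keyed by the identifier that appears in the offense.
CMDB = {
    "10.20.30.40": {"hostname": "fin-app-01", "owner": "Finance IT", "criticality": "high"},
    "10.20.30.41": {"hostname": "dev-box-07", "owner": "Dev Team", "criticality": "low"},
}


def lookup_cmdb(key: str, cmdb: dict) -> Optional[dict]:
    """Return the CMDB record for an identifier, or None if the CMDB has none."""
    return cmdb.get(key)


def build_enrichment_note(offense: dict, cmdb: dict) -> str:
    """Render CMDB context for offense_source as one note line.

    An unknown identifier is reported explicitly instead of being skipped, so
    the analyst can see that the CMDB holds no record for the source.
    """
    src = offense["offense_source"]
    rec = lookup_cmdb(src, cmdb)
    if rec is None:
        return f"[CMDB] no record for {src}"
    return (f"[CMDB] {src} = {rec['hostname']} "
            f"(owner: {rec['owner']}, criticality: {rec['criticality']})")


def enrichment_request(offense: dict, note: str, base_url: str) -> dict:
    """Describe the API call that appends the note to the offense.

    Offenses are immutable, so the note is where added context goes. The path
    and parameter name are an assumption (QRadar REST API docs), not verified
    here; the SEC header carries the API token and is a placeholder.
    """
    return {
        "method": "POST",
        "url": f"{base_url}/api/siem/offenses/{offense['id']}/notes",
        "params": {"note_text": note},
        "headers": {"SEC": "<api-token-placeholder>", "Accept": "application/json"},
    }
```

Send the returned request description with the HTTP client of your choice; nothing in the block contacts a server, so it can be run and checked offline first.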


  • 2.  RE: Offense Enrichment

    Posted Wed July 24, 2019 05:44 AM
    Hello Mo Amiri, 
    If I have understood your needs well, use Sysmon enrichment: install the applications and Sysmon on the side of your server (Windows) and apply the recommendations from this link: https://github.com/SwiftOnSecurity/sysmon-config

    Good luck, let me know if it's okay.

    ------------------------------
    [Larbi] [Belmiloud]
    [Cyber Security]
    [Intervalle Technologies]
    [Algers] [Algeria]
    [+213551193200]
    ------------------------------



  • 3.  RE: Offense Enrichment

    Posted Wed July 24, 2019 08:34 AM
    Edited by Mo Amiri Wed July 24, 2019 08:35 AM
    Hi Larbi Belmiloud,

    Unfortunately, your answer/reply is completely misunderstood. This has nothing to do with sysmon.

    But thanks for the effort.

    Maybe to help your understanding and others', this is a video I came across that seems to be the right thing, but I'm not sure how to implement it: https://www.youtube.com/watch?v=scBhf3B2zqo


    ------------------------------
    Mo Amiri
    ------------------------------