IBM Security QRadar

Hi All,
   I'm part of a MSSP in NZ and we currently have numerous different QRadar deployments. One of our biggest pain points is being able to health monitor the various different QRadar appliances we have deployed. We do have a centralised monitoring system that can poll basic metrics (like CPU, memory utilization, disk space etc) via snmpwalk, but not QRadar specific items.

As an example, we'd like to be alerted if a core QRadar service (hostcontext, hostervices, tomcat etc) stopped for more than a certain period of time. I've been looking for specific events in the system that show this but haven't been able to find anything yet, there are heaps of events against the health metrics log source, but none seem to show exactly what I need.

Keen to hear what others have done in this space.


Thanks & Regards
Brian

------------------------------
Brian Robertson
------------------------------

Hi Brian,

Have you checked out QLean (formerly Health Check Framework) from Sciencesoft on the App Exchange? They provide some pretty comprehensive tuning and health check metrics and is multi-tenanted for MSSPs. I believe they offer a free trial as well.

https://exchange.xforce.ibmcloud.com/hub/extension/7b76f487c8e370a3749d9264cd5998d9

https://www.scnsoft.com/services/security/siem/qlean/overview

Best,
Jeremy

------------------------------
Jeremy Goldstein
------------------------------

Original Message:
Sent: Mon July 08, 2019 11:33 PM
From: Brian Robertson
Subject: Health Monitoring of QRadar Appliances

Hi All,
   I'm part of a MSSP in NZ and we currently have numerous different QRadar deployments. One of our biggest pain points is being able to health monitor the various different QRadar appliances we have deployed. We do have a centralised monitoring system that can poll basic metrics (like CPU, memory utilization, disk space etc) via snmpwalk, but not QRadar specific items.

As an example, we'd like to be alerted if a core QRadar service (hostcontext, hostervices, tomcat etc) stopped for more than a certain period of time. I've been looking for specific events in the system that show this but haven't been able to find anything yet, there are heaps of events against the health metrics log source, but none seem to show exactly what I need.

Keen to hear what others have done in this space.


Thanks & Regards
Brian

------------------------------
Brian Robertson
------------------------------

Hi Jeremy,
   Yes we've had a bit of look at that​ but it doesn't look like it can do real-time external alerting of what it finds. Looks like it has a heap of metrics and lots of graphs etc but its the external alerting functionality we really need as we can't have people watching graphs etc across a number of different deployments just to see if something goes a wry.
I'm sure other QRadar users have the same issue so keen what they've done to solve it.

Regards
Brian

------------------------------
Brian Robertson
------------------------------

Original Message:
Sent: Wed July 10, 2019 12:05 PM
From: Jeremy Goldstein
Subject: Health Monitoring of QRadar Appliances

Hi Brian,

Have you checked out QLean (formerly Health Check Framework) from Sciencesoft on the App Exchange? They provide some pretty comprehensive tuning and health check metrics and is multi-tenanted for MSSPs. I believe they offer a free trial as well.

https://exchange.xforce.ibmcloud.com/hub/extension/7b76f487c8e370a3749d9264cd5998d9

https://www.scnsoft.com/services/security/siem/qlean/overview

Best,
Jeremy

------------------------------
Jeremy Goldstein

Original Message:
Sent: Mon July 08, 2019 11:33 PM
From: Brian Robertson
Subject: Health Monitoring of QRadar Appliances

Hi All,
   I'm part of a MSSP in NZ and we currently have numerous different QRadar deployments. One of our biggest pain points is being able to health monitor the various different QRadar appliances we have deployed. We do have a centralised monitoring system that can poll basic metrics (like CPU, memory utilization, disk space etc) via snmpwalk, but not QRadar specific items.

As an example, we'd like to be alerted if a core QRadar service (hostcontext, hostervices, tomcat etc) stopped for more than a certain period of time. I've been looking for specific events in the system that show this but haven't been able to find anything yet, there are heaps of events against the health metrics log source, but none seem to show exactly what I need.

Keen to hear what others have done in this space.


Thanks & Regards
Brian

------------------------------
Brian Robertson
------------------------------

It depends if you want to stay " supported by ibm"  i've been working with https://grafana.com/grafana/dashboards/1860 and https://grafana.com/grafana/dashboards/1617 but it means you have to install node-exporter on your qradar box

------------------------------
Martijn Groenewegen
------------------------------

Original Message:
Sent: Mon July 08, 2019 11:33 PM
From: Brian Robertson
Subject: Health Monitoring of QRadar Appliances

Hi All,
   I'm part of a MSSP in NZ and we currently have numerous different QRadar deployments. One of our biggest pain points is being able to health monitor the various different QRadar appliances we have deployed. We do have a centralised monitoring system that can poll basic metrics (like CPU, memory utilization, disk space etc) via snmpwalk, but not QRadar specific items.

As an example, we'd like to be alerted if a core QRadar service (hostcontext, hostervices, tomcat etc) stopped for more than a certain period of time. I've been looking for specific events in the system that show this but haven't been able to find anything yet, there are heaps of events against the health metrics log source, but none seem to show exactly what I need.

Keen to hear what others have done in this space.


Thanks & Regards
Brian

------------------------------
Brian Robertson
------------------------------

Hi Guys,

we have two Qradar AiO Appliances when during the install phase we pulled out the power cables or Qradar just to see what types of reaction would show up. Unfortunately nothing! I logged into IMM of Qradar itself and could see all the events, but nothing really showed up in QRadar. I had to configure a syslog destination for the IMM to send its events to Qradar. Then I could catch those events and generate a notification. Shouldn't that be already implemented by? That also includes hard drive and adapter notifications. Have I slipped up somewhere ?

Greetings
Bruno

------------------------------
Bruno Oliveira
------------------------------

Original Message:
Sent: Wed July 17, 2019 07:32 AM
From: Martijn Groenewegen
Subject: Health Monitoring of QRadar Appliances

It depends if you want to stay " supported by ibm"  i've been working with https://grafana.com/grafana/dashboards/1860 and https://grafana.com/grafana/dashboards/1617 but it means you have to install node-exporter on your qradar box

------------------------------
Martijn Groenewegen

Original Message:
Sent: Mon July 08, 2019 11:33 PM
From: Brian Robertson
Subject: Health Monitoring of QRadar Appliances

Hi All,
   I'm part of a MSSP in NZ and we currently have numerous different QRadar deployments. One of our biggest pain points is being able to health monitor the various different QRadar appliances we have deployed. We do have a centralised monitoring system that can poll basic metrics (like CPU, memory utilization, disk space etc) via snmpwalk, but not QRadar specific items.

As an example, we'd like to be alerted if a core QRadar service (hostcontext, hostervices, tomcat etc) stopped for more than a certain period of time. I've been looking for specific events in the system that show this but haven't been able to find anything yet, there are heaps of events against the health metrics log source, but none seem to show exactly what I need.

Keen to hear what others have done in this space.


Thanks & Regards
Brian

------------------------------
Brian Robertson
------------------------------

If I recall correctly, there should be an SNMP agent there (Net-SNMP) that can be used. Also, it should be possible to configure the rule with SNMP trap response. This requires some configuration tweaks, though. There was a part dedicated to this in QRadar Administration Guide.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Mon July 29, 2019 03:59 AM
From: Bruno Oliveira
Subject: Health Monitoring of QRadar Appliances

Hi Guys,

we have two Qradar AiO Appliances when during the install phase we pulled out the power cables or Qradar just to see what types of reaction would show up. Unfortunately nothing! I logged into IMM of Qradar itself and could see all the events, but nothing really showed up in QRadar. I had to configure a syslog destination for the IMM to send its events to Qradar. Then I could catch those events and generate a notification. Shouldn't that be already implemented by? That also includes hard drive and adapter notifications. Have I slipped up somewhere ?

Greetings
Bruno

------------------------------
Bruno Oliveira

Original Message:
Sent: Wed July 17, 2019 07:32 AM
From: Martijn Groenewegen
Subject: Health Monitoring of QRadar Appliances

It depends if you want to stay " supported by ibm"  i've been working with https://grafana.com/grafana/dashboards/1860 and https://grafana.com/grafana/dashboards/1617 but it means you have to install node-exporter on your qradar box

------------------------------
Martijn Groenewegen

Original Message:
Sent: Mon July 08, 2019 11:33 PM
From: Brian Robertson
Subject: Health Monitoring of QRadar Appliances

Hi All,
   I'm part of a MSSP in NZ and we currently have numerous different QRadar deployments. One of our biggest pain points is being able to health monitor the various different QRadar appliances we have deployed. We do have a centralised monitoring system that can poll basic metrics (like CPU, memory utilization, disk space etc) via snmpwalk, but not QRadar specific items.

As an example, we'd like to be alerted if a core QRadar service (hostcontext, hostervices, tomcat etc) stopped for more than a certain period of time. I've been looking for specific events in the system that show this but haven't been able to find anything yet, there are heaps of events against the health metrics log source, but none seem to show exactly what I need.

Keen to hear what others have done in this space.


Thanks & Regards
Brian

------------------------------
Brian Robertson
------------------------------

Hi @Brian Robertson,

You can combine the following:

(1) QRadar notification rules ​for specific QIDs from log source type = "System Notification" like QID 38750092 "Disk storage unavailable".
(2) "Basic" SNMP monitoring. Memory used, storage etc. Depending on your monitoring solution, you could have an HTTP sensor for the GUI, which will basically check whether Tomcat is responding to requests, or not. - This is already in place based on what you mentioned.
(3) "Advanced" SNMP monitoring. Process/service monitoring for critical services like ecs-ec-ingress, ec-ec, hostcontext etc.
(4) Anomaly rules that check for lack of events over a certain period of time. You could use this to double check ecs, flow collection and related services are working OK.

Cheers,
Damian

------------------------------
Cheers,
Damian Zinni
------------------------------

Original Message:
Sent: Mon July 08, 2019 11:33 PM
From: Brian Robertson
Subject: Health Monitoring of QRadar Appliances

Hi All,
   I'm part of a MSSP in NZ and we currently have numerous different QRadar deployments. One of our biggest pain points is being able to health monitor the various different QRadar appliances we have deployed. We do have a centralised monitoring system that can poll basic metrics (like CPU, memory utilization, disk space etc) via snmpwalk, but not QRadar specific items.

As an example, we'd like to be alerted if a core QRadar service (hostcontext, hostervices, tomcat etc) stopped for more than a certain period of time. I've been looking for specific events in the system that show this but haven't been able to find anything yet, there are heaps of events against the health metrics log source, but none seem to show exactly what I need.

Keen to hear what others have done in this space.


Thanks & Regards
Brian

------------------------------
Brian Robertson
------------------------------