IBM Security QRadar

  • 1.  Event Filtering

    Posted Thu April 14, 2022 03:38 PM
    Hey there,

    I'm trying to take my tuning to the next level and start weeding out unnecessary events. I like the idea of the NSA's Windows filtering but I'm curious how this is being implemented. I found a very old Reddit post where Jonathan mentioned a list that was already in QRadar, but that's nothing I've ever seen. Very interested to hear everyone's thoughts about this.

    (Reference set for Windows Event IDs: "Has anybody found a source for a good reference set to convert Windows event IDs back into human readable text?")

    ------------------------------
    Paul
    ------------------------------


  • 2.  RE: Event Filtering

    Posted Fri April 15, 2022 12:25 PM
    Paul, I am assuming that all this query is already "taking care" of the context - i.e. what you want to achieve and what you need for that.
    During engagements (and especially with compliance-sensitive entities) I usually start with recommendations from CIS about the audit policy / events to monitor and follow up with tweaks.
    The recommendations from NSA (though not of a recent date as I recall) are certainly a valid starting point, too.
    The NSA inclusion filter list is there in QRadar if you are using WinCollect protocol.
    You can maybe use that as a template and customize / tailor to your needs.
    (If you are building a custom filter there's the option to use an exclusion instead of an inclusion filter - e.g. if there are fewer items to specify compared to overall).
    Another option is to use the recommendations of your choice for a baseline and build the XPath query that will be used to pull exactly the events you want from the source. The advantage is that unwanted events will never reach QRadar, so the EPS rate would be lower (in the case of inclusion/exclusion filters, they first need to reach the QRadar instance before the filter is applied).
    This technote should complement this discussion.
    (Hopefully, this is what you were looking for)

    ------------------------------
    Dusan VIDOVIC
    ------------------------------
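    A concrete XPath query of the kind Dusan describes, added here as an illustration; it is not from the thread, from the NSA filter list, or from IBM's WinCollect documentation. The event IDs, the suppression of LogonType 5 (service) logons, and the assumption that WinCollect accepts the same QueryList XML that Event Viewer's custom-view "XML" tab produces are my choices; swap the IDs for whatever baseline (CIS, NSA, Microsoft) you adopt.

```xml
<!-- Added example QueryList (not from the thread or from IBM).
     Select pulls only the listed event IDs at the source, so everything
     else never leaves the host; Suppress is the "exclusion filter" side:
     it drops a noisy subset of what Select would otherwise return. -->
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Logon success/failure, explicit-credential logon, special privileges,
         process creation, account and group changes, audit log cleared.
         These IDs are an assumed starting baseline, not a recommendation list. -->
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or
                EventID=4688 or EventID=4720 or EventID=4726 or EventID=4728 or
                EventID=4732 or EventID=4756 or EventID=1102)]]
    </Select>
    <!-- Exclusion: successful logons with LogonType 5 (service start-ups)
         are usually high volume and rarely what an analyst searches for. -->
    <Suppress Path="Security">
      *[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
  <Query Id="1" Path="System">
    <!-- New service installed; a common thing to keep for persistence review. -->
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager'] and EventID=7045]]
    </Select>
  </Query>
</QueryList>
```

    To sanity-check the result set before attaching it to a WinCollect log source, paste the same XML into Event Viewer > Create Custom View > XML on one host and compare the event count against the unfiltered Security log.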



  • 3.  RE: Event Filtering

    Posted Tue April 19, 2022 10:18 AM
    Exactly what I was looking for, thank you!  I'd probably seen this a thousand times and haven't noticed :)

    ------------------------------
    Paul
    ------------------------------



  • 4.  RE: Event Filtering

    IBM Champion
    Posted Wed April 20, 2022 09:38 AM
    This is a very interesting subject to me.  During incidents, you often want every single event you can find.  The better the visibility the more complete the picture, much like more pixels make a better photo.  However, the SIEM vendors charge by EPS and/or amount of data stored/indexed.  Seems sort of like going to a doctor and asking to know what is wrong but only mentioning one symptom of many.  I have found many times that users locking screens, screen savers activating, temp files being deleted, etc. can clarify exactly what is going on.  

    The same applies to firewalls, coalescing events; particularly on things like web servers, where the URLs being accessed change but only the first events are kept. The EPS is the same either way, but storing the events of course costs more. But isn't storage cheap these days?

    I'm not a huge proponent of filtering events. But at the same time there are realities in costs, CPU, storage, licenses, etc. But after an incident, would business management be more interested in keeping all events, much as they do in accounting... Accounts Payable, Receivables, etc. are all rolled up to the general ledger, but those details are never purged for years.

    Just some thoughts on the matter.

    ------------------------------
    Frank Eargle
    ------------------------------



  • 5.  RE: Event Filtering

    Posted Wed April 20, 2022 02:47 PM
    Frank, along with these valid points, when it comes to Windows it is maybe less a matter of resource conservation than of lowering the "noise" that would make it harder to find what you are looking for when you are looking for it. Regulatory requirements for audit trail tracking are usually translated as "collect all", but in the case of Windows, e.g., you will not turn on detailed object access auditing items just like that - but try to really focus on the item(s) of interest. I mentioned CIS as a recommendation as it is a well accepted hardening standard, and some regulatory standards would also call for selecting a hardening standard as a starting point for creating your own baseline configuration standard. For further adjustments/validation, this can also be compared to what Microsoft suggests for auditing. Of course, adapting to a particular situation is assumed...
    Speaking of EPS and storage optimization... besides space, storage performance is also important for QRadar to function according to expectations; on the other hand, you would probably not keep all the collected data on the appliance all the time - something would be moved out as a backup copy and kept for the longer term, and that part of storage would probably be of a cheaper type (for QRadar "online" storage there's also the option to add Data Nodes to get more space and improve search performance - which can ease the pain for this kind of scaling). Currently there is also a licensing option that is not just based on EPS, so (if the system is not undersized for the purpose) filtering out to avoid hitting the EPS limit can maybe be avoided as well.
    Regarding coalescing, even IBM provides a suggestion for when it might be beneficial to turn it off (strict regulatory requirements could demand turning it off completely anyway).

    ------------------------------
    Dusan VIDOVIC
    ------------------------------