IBM Security QRadar

Hi,

I'm looking for a simple solution to temporary disable offense creation, or at least lower the severity of the new offenses for a whole domain. I've tried to create a new rule in offenses and assign severity 0 to any events coming from a particular domain, but it seems this is a wrong approach. The goal is, to keep receiving and storing the events, but temporary stop generating offenses if anything suspicious happens in that domain.

Is there an easy and elegant way to do it?


------------------------------
Thank you for your efforts
Laszlo Pal
------------------------------

You could create a routing rule that flags the event as Log-Only.

You do need a qradar data lake license though (QDS)

------------------------------
Regards,
Nico de Smidt
________________________________________________
CTE Security Intelligence BeNeLux
------------------------------

Original Message:
Sent: Mon July 15, 2019 09:43 AM
From: Laszlo Pal
Subject: Temporary disable offense creation for a domain

Hi,

I'm looking for a simple solution to temporary disable offense creation, or at least lower the severity of the new offenses for a whole domain. I've tried to create a new rule in offenses and assign severity 0 to any events coming from a particular domain, but it seems this is a wrong approach. The goal is, to keep receiving and storing the events, but temporary stop generating offenses if anything suspicious happens in that domain.

Is there an easy and elegant way to do it?


------------------------------
Thank you for your efforts
Laszlo Pal
------------------------------

Original Message------

You could create a routing rule that flags the event as Log-Only.

You do need a qradar data lake license though (QDS)

------------------------------
Regards,
Nico de Smidt
________________________________________________
CTE Security Intelligence BeNeLux
------------------------------

Part# is D1VRWLL, it's a part that's required on each machine where log-only data is stored but does not have any limit on the amount of storage (TB's) you put in the machine. ( searching will get slower the more data is in a single machine) (that's why we also have data nodes which are configurations that store data and can searching but do not do correlation and event ingestion.

So depending on your needs you can have huge storage at a fixed price AND even faster search responses by splitting the data across multiple data nodes. (then each machine does however also need a dataStore license when you are using this log-only option).

A data node is "only" requiring a "node license" D1S2JLL which is usually below $1000 per license.
I'm not aware of pricing for dataStore D1VRWLL, but this is certainly above $1000 and I would point you to where you usually get your software for a price on this.

So when you select an event to be "log-only" it bypasses correlation, does not create or contribute to offenses, cannot be used by historic-correlation but CAN be searched in all ways QRadar supports, put in dashboards and will show up in reports. The events marked this way will NOT count towards EPS.

hope this helps.

Hi,

You can use https://www.ibm.com/in-en/marketplace/license-metric-tool/purchase to chaqt or email to sales person.

Thanks
Robin

------------------------------
robin jangid
------------------------------

Original Message:
Sent: Tue July 16, 2019 07:19 PM
From: Nico de Smidt
Subject: Temporary disable offense creation for a domain

Part# is D1VRWLL, it's a part that's required on each machine where log-only data is stored but does not have any limit on the amount of storage (TB's) you put in the machine. ( searching will get slower the more data is in a single machine) (that's why we also have data nodes which are configurations that store data and can searching but do not do correlation and event ingestion.

So depending on your needs you can have huge storage at a fixed price AND even faster search responses by splitting the data across multiple data nodes. (then each machine does however also need a dataStore license when you are using this log-only option).

A data node is "only" requiring a "node license" D1S2JLL which is usually below $1000 per license.
I'm not aware of pricing for dataStore D1VRWLL, but this is certainly above $1000 and I would point you to where you usually get your software for a price on this.

So when you select an event to be "log-only" it bypasses correlation, does not create or contribute to offenses, cannot be used by historic-correlation but CAN be searched in all ways QRadar supports, put in dashboards and will show up in reports. The events marked this way will NOT count towards EPS.

hope this helps.

This can be also done with a routing rule that has a bypass
correlation selected for a domain, it would be required for each event
processor but requires no additional licensing assuming EPS is
sufficient already.

Log only would not be needed but EPS will still count on license. For
temporary disablement of CRE/ADE on a domain this is an approach. If
its permanent and you want logging and the EPS back, the a Log Only to
Data Store would of course be another option for along term.


Original Message------

Hi,

I'm looking for a simple solution to temporary disable offense creation, or at least lower the severity of the new offenses for a whole domain. I've tried to create a new rule in offenses and assign severity 0 to any events coming from a particular domain, but it seems this is a wrong approach. The goal is, to keep receiving and storing the events, but temporary stop generating offenses if anything suspicious happens in that domain.

Is there an easy and elegant way to do it?


------------------------------
Thank you for your efforts
Laszlo Pal
------------------------------

If you use the bypass correlation option , you cant see the rules that would have been triggered anymore on the event i guess, so depending on what you want to accomplish you could also make an bb with the domain in it and ad it to the BB for false positve management. Then you can see all the rules on the event that would have triggered. And it doesnt cost you a datastore license

I was figuring out this also for the case when we onboard an new domain in the machine and we dont want to be overwelmed with offenses right away

------------------------------
Martijn Groenewegen
------------------------------

Original Message:
Sent: Tue July 16, 2019 04:38 PM
From: Alfonso Lalumia
Subject: Temporary disable offense creation for a domain

This can be also done with a routing rule that has a bypass
correlation selected for a domain, it would be required for each event
processor but requires no additional licensing assuming EPS is
sufficient already.

Log only would not be needed but EPS will still count on license. For
temporary disablement of CRE/ADE on a domain this is an approach. If
its permanent and you want logging and the EPS back, the a Log Only to
Data Store would of course be another option for along term.


Original Message------

Hi,

I'm looking for a simple solution to temporary disable offense creation, or at least lower the severity of the new offenses for a whole domain. I've tried to create a new rule in offenses and assign severity 0 to any events coming from a particular domain, but it seems this is a wrong approach. The goal is, to keep receiving and storing the events, but temporary stop generating offenses if anything suspicious happens in that domain.

Is there an easy and elegant way to do it?


------------------------------
Thank you for your efforts
Laszlo Pal
------------------------------