IBM Security QRadar

  • 1.  Temporary disable offense creation for a domain

    Posted Mon July 15, 2019 09:44 AM
    Hi,

    I'm looking for a simple solution to temporarily disable offense creation, or at least lower the severity of new offenses, for a whole domain. I've tried to create a new rule in offenses and assign severity 0 to any events coming from a particular domain, but it seems this is the wrong approach. The goal is to keep receiving and storing the events, but temporarily stop generating offenses if anything suspicious happens in that domain.

    Is there an easy and elegant way to do it?


    ------------------------------
    Thank you for your efforts
    Laszlo Pal
    ------------------------------


  • 2.  RE: Temporary disable offense creation for a domain

    Posted Mon July 15, 2019 10:59 AM
    You could create a routing rule that flags the event as Log-Only.

    You do need a QRadar Data Lake license though (QDS).

    ------------------------------
    Regards,
    Nico de Smidt
    ________________________________________________
    CTE Security Intelligence BeNeLux
    ------------------------------



  • 3.  RE: Temporary disable offense creation for a domain

    Posted Tue July 16, 2019 03:29 AM

    Thank you. It is perfect.

    It can also be a solution for long-term log storage issues, so I'm interested in the licensing cost. Do you have a link for that? How long is it not enforced? Do you have any news on when it will be?

    Thanks

    Laszlo

  • 4.  RE: Temporary disable offense creation for a domain

    Posted Tue July 16, 2019 07:19 PM
    Edited by Nico de Smidt Tue July 16, 2019 07:29 PM
    Part# is D1VRWLL. It's a part that's required on each machine where log-only data is stored, but it does not have any limit on the amount of storage (TBs) you put in the machine (searching will get slower the more data there is in a single machine). That's why we also have data nodes, which are configurations that store data and can search, but do not do correlation and event ingestion.

    So depending on your needs you can have huge storage at a fixed price AND even faster search responses by splitting the data across multiple data nodes (then each machine does, however, also need a dataStore license when you are using this log-only option).

    A data node "only" requires a "node license" D1S2JLL, which is usually below $1000 per license.
    I'm not aware of pricing for dataStore D1VRWLL, but this is certainly above $1000, and I would point you to where you usually get your software for a price on this.

    So when you select an event to be "log-only" it bypasses correlation, does not create or contribute to offenses, cannot be used by historic correlation, but CAN be searched in all the ways QRadar supports, put in dashboards, and will show up in reports. The events marked this way will NOT count towards EPS.

    Hope this helps.


  • 5.  RE: Temporary disable offense creation for a domain

    Posted Wed July 17, 2019 08:49 AM
    Hi,

    You can use https://www.ibm.com/in-en/marketplace/license-metric-tool/purchase to chat with or email a sales person.

    Thanks
    Robin

    ------------------------------
    robin jangid
    ------------------------------



  • 6.  RE: Temporary disable offense creation for a domain

    Posted Tue July 16, 2019 04:48 PM
    This can also be done with a routing rule that has "bypass correlation" selected for a domain. It would be required for each event processor, but requires no additional licensing, assuming EPS is sufficient already.

    Log Only would not be needed, but EPS will still count against the license. For temporary disablement of CRE/ADE on a domain this is an approach. If it's permanent and you want the logging and the EPS back, then Log Only to Data Store would of course be another option for the long term.
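Whichever of the two routing-rule options is used (Log Only or bypass correlation), the thing to verify afterwards is that events from the quiesced domain are still being received and stored while no new offenses are created for it. The AQL query below is an added verification example, not from any post in this thread; it assumes the affected domain has domain id 2 (a constructed value; the real id is listed under Admin > Domain Management) and is meant to be run from Log Activity > Advanced Search.

```sql
-- Added verification query (AQL), not from any post in this thread.
-- Assumption: the quiesced domain has domain id 2 (constructed value;
-- look up the real id under Admin > Domain Management).
-- A non-zero event_count per log source confirms that routing to
-- Log Only / bypass correlation has not stopped ingestion or storage.
SELECT
    DOMAINNAME(domainid)       AS domain_name,
    LOGSOURCENAME(logsourceid) AS log_source,
    COUNT(*)                   AS event_count
FROM events
WHERE domainid = 2
GROUP BY domainid, logsourceid
ORDER BY event_count DESC
LAST 1 HOURS
```

The complementary check is on the Offenses tab (or GET /api/siem/offenses filtered on domain_id): after the routing rule took effect, no offense for that domain should have a start time later than the rule's activation, while the query above keeps returning events for every expected log source. If a log source disappears from the result, the routing rule is dropping or misrouting rather than just bypassing correlation.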




  • 7.  RE: Temporary disable offense creation for a domain

    Posted Wed July 17, 2019 03:31 PM
    If you use the bypass correlation option, you can't see the rules that would have been triggered anymore on the event, I guess, so depending on what you want to accomplish you could also make a BB with the domain in it and add it to the BB for false positive management. Then you can see all the rules on the event that would have triggered. And it doesn't cost you a dataStore license.

    I was figuring this out also for the case when we onboard a new domain in the machine and we don't want to be overwhelmed with offenses right away.

    ------------------------------
    Martijn Groenewegen
    ------------------------------