Hi,
--Any roadmap for Q-Radar community edition 7.3.2?
--Using the latest QNI for collecting and parsing flows, I ended up with a lot of false positives.
SSH: Even some clear-text syslog flows on port 514 ended up marked as SSH. Technical support confirmed this as a bug but told us that such a bug will not be fixed soon.
Telnet: For your information, Telnet is not a layer 7 protocol. Telnet is a client tool that handshakes a TCP session and lets the client and server exchange whatever they want on top of it. I use Telnet as a mail client, a web client and more. QNI identifies LDAP over port 389 as Telnet, as well as basically anything. How do you try to identify what does not exist, so that we can work around it without disabling everything?
--I re-installed my Q-Radar CE 7.3.1 yesterday and it managed to overload its licence from nothing but its own internal noise (health metrics, information, etc.) before I even added any flow or event source. Is there any way to slow down the monitoring or any other noise source to ease the load on the system? (FYI, at the moment, I was installing a lot of apps, content packs, extensions, etc. More than 20 total. I received a SAR alert about the license.)
--When populating assets, is there a way to extract services / open ports from event logs? So far, I managed to get them only from flows or VA scanners. To do it from events would greatly improve the quality of the information associated with assets.
--As of now, Q-Radar does not know much about anything open source. A community-based DSM for pfSense has been produced, but nothing official, and it is itself limited (nothing about IPSec, system logs, ...). IPTables is not recognized either. Apache's format is not recognized if the process name http is absent, so HAProxy's logs are not recognized even when formatted the same way as Apache. OpenVPN, FreeNAS, Postfix, Dovecot, unbound and many more are common and used in enterprise, yet have no DSM ready for them. Any plan to increase support for open source projects' log formats?
Thanks for the information and congrats for your great product.
A happy professional and personal user of Q-Radar,
------------------------------
Jacques Bourdeau
------------------------------
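An added example (my own code, not QRadar's or IBM's) of the event-based asset enrichment asked about in the post above: it takes the daemon name from the syslog tag of constructed sample events and records which services each reporting host runs, rather than inferring the protocol from flow content as QNI does. Hostnames, IPs, the sample lines and the daemon-to-port table are assumptions.

```python
import re
from collections import defaultdict

# Constructed RFC 3164 style syslog lines from hosts acting as event sources.
# Hostnames, IPs and users are made up for this example.
SAMPLE_EVENTS = [
    "Oct 15 09:16:01 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Oct 15 09:16:02 web01 haproxy[222]: 10.0.0.5:51235 [15/Oct/2019:09:16:02.123] http-in web/srv1 "
    "0/0/0/12/12 200 512 - - ---- 1/1/0/0/0 0/0 \"GET /index.html HTTP/1.1\"",
    "Oct 15 09:16:03 mail01 postfix/smtpd[999]: connect from unknown[10.0.0.9]",
    "Oct 15 09:16:04 mail01 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.0.0.9, lip=10.0.0.20",
    "Oct 15 09:16:05 mail01 CRON[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Header: timestamp, reporting host, then "tag[pid]:" or "tag:" and the message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)

# Assumed daemon tag -> (service, default listening port). The process name is
# the reliable signal here; a real deployment would read the port from the
# daemon's own configuration instead of assuming the default.
DAEMON_SERVICES = {
    "sshd": ("ssh", 22),
    "postfix/smtpd": ("smtp", 25),
    "haproxy": ("http", 80),
}
DOVECOT_PORTS = {"imap": 143, "pop3": 110}


def parse_syslog(line):
    """Return the header fields of one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def services_from_events(lines):
    """Map each reporting host to the sorted list of (service, port) seen in its events."""
    assets = defaultdict(set)
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue
        tag, msg = ev["tag"], ev["msg"]
        if tag in DAEMON_SERVICES:
            assets[ev["host"]].add(DAEMON_SERVICES[tag])
        elif tag == "dovecot":
            # Dovecot names the protocol in the message, e.g. "imap-login:".
            proto = re.match(r"(imap|pop3)-login:", msg)
            if proto:
                assets[ev["host"]].add((proto.group(1), DOVECOT_PORTS[proto.group(1)]))
    return {host: sorted(svcs, key=lambda s: s[1]) for host, svcs in assets.items()}
```

Unknown tags such as CRON are ignored, so the asset profile only gains services that a daemon on that host actually logged.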
Original Message:
Sent: Tue October 15, 2019 09:16 AM
From: Jennifer Tullman-Botzer
Subject: Ask Me Anything for #CyberSecurityAwarenessMonth
Good morning IBM Security Community! In honor of Cyber Security Awareness Month in both the United States and Europe, the IBM Security Community is pleased to bring you an exclusive "Ask Me Anything" webinar on October 29th.
This special session will feature 4 leading experts from different areas of the IBM business:
- Dimple Ahluwalia, BISO and Vice President of Services Solution Design, IBM Security
- Chris Barrett, VP, Development, SOAR and IBM Security Cloud, IBM Security
- Jose Bravo, Security Architect, IBM Global Markets
- JC Vega, Executive Security Advisor and Cyber Range Coach, IBM Security
Register now for the Oct. 29th live session, then post your questions for our panelists below in this thread. Please be sure to note which panelist(s) your question is for!
The content of this webinar will be based around your questions; however, we expect to cover a wide breadth of topics and therefore may not get into too much technical detail. Please ask whatever you want, and if we don't have time to do a deep dive on your topic, we'll be sure to follow up with you after the event concludes. We can't wait to hear all of your fantastic questions, and we look forward to learning what really makes the IBM Security Community tick!
------------------------------
Jennifer Tullman-Botzer
Digital Strategist
IBM
Tel Aviv
------------------------------