QRadar XDR

  • 1.  QRadar monitor modified the registry variables and configuration files

    Posted 7 days ago
    Hi All,

I hope you are all doing well. I have a question regarding registry and file integrity monitoring. Does QRadar WinCollect have a feature to track changes in the server environment, for example modified configuration files or modified registry variables?

    Thank you.

    ------------------------------
    Davin Ardian
    ------------------------------


  • 2.  RE: QRadar monitor modified the registry variables and configuration files

    Posted 6 days ago
Hi Davin,

The short answer is no. You can, however, collect logs from your favourite FIM solution if you like. In this case I would go for one of the supported solutions available in App Exchange, like Snare, Sysmon or Tripwire.

    Regards
    Karl

    ------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
+49 721 90981722
    ------------------------------
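Since WinCollect itself only ships Windows event logs, the FIM signal has to be produced by a separate tool first. The following Sysmon configuration fragment is an added illustration of that approach and is not part of this thread or of the QRadar or Sysmon documentation; it enables Sysmon's registry events (IDs 12, 13 and 14) for a couple of key paths and file-creation events (ID 11) for configuration files, so that the resulting records land in the Microsoft-Windows-Sysmon/Operational channel that WinCollect can forward to QRadar. The watched paths (`C:\AppConfig\` and the two registry keys) are constructed placeholders to be replaced with the keys and directories that matter on your servers.

```xml
<!-- Added example, not from the thread: a minimal Sysmon FIM-style configuration.
     The schemaversion must match the installed Sysmon; "sysmon -s" prints it. -->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <!-- Event IDs 12/13/14: key created or deleted, value set, key or value renamed.
         Only keys below the listed prefixes are logged, to keep volume manageable. -->
    <RuleGroup name="FIM: registry keys of interest (placeholder paths)" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services</TargetObject>
        <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>

    <!-- Event ID 11: file created or overwritten. Caveat: Sysmon reports creation and
         overwrite, not in-place writes to an existing file; for byte-level modification
         tracking pair this with object-access auditing or a hashing FIM such as Tripwire. -->
    <RuleGroup name="FIM: configuration files of interest (placeholder paths)" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="begin with">C:\AppConfig\</TargetFilename>
        <TargetFilename condition="end with">.config</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64.exe -c fim-sample.xml` (the file name is arbitrary) and confirm events appear under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational before pointing a WinCollect log source at that channel. The `onmatch="include"` form means nothing outside the listed paths is logged, which is the usual choice for FIM-style rules: start narrow, then widen as you confirm the event rate is acceptable.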



  • 3.  RE: QRadar monitor modified the registry variables and configuration files

    Posted 4 days ago
    Hi Karl,

Well noted, thank you for the advice.

    ------------------------------
    Davin Ardian
    ------------------------------



  • 4.  RE: QRadar monitor modified the registry variables and configuration files

    Posted 3 days ago
I agree with you, Karl, particularly the newer versions of Snare, which can do the FIM at the same time. A lot easier to configure via GPO as well.

    ------------------------------
    Frank Eargle
    ------------------------------



  • 5.  RE: QRadar monitor modified the registry variables and configuration files

    Posted yesterday
    Dear Frank,

Well noted, thank you for the advice.

    ------------------------------
    Davin Ardian
    ------------------------------



  • 6.  RE: QRadar monitor modified the registry variables and configuration files

    Posted 2 days ago
    Hello, Davin.

The simple answer is no. If you like, you can go and collect logs from your favourite FIM solution. In this scenario, I'd recommend using one of the recommended App Exchange options, such as Snare, Sysmon, or Tripwire.



Regards,

Steven

    ------------------------------
Steven Vaughan
    ------------------------------



  • 7.  RE: QRadar monitor modified the registry variables and configuration files

    Posted yesterday
    Dear Steven,

Well noted, thank you for the advice.

    ------------------------------
    Davin Ardian
    ------------------------------