IBM Security QRadar

  • 1.  QRadar monitor modified the registry variables and configuration files

    Posted Thu November 25, 2021 06:00 AM
    Hi All,

    Hope you are all doing well. I have a question regarding registry and file integrity monitoring. Does QRadar WinCollect have a feature to track changes in the server environment, for example modified configuration files or modified registry variables?

    Thank you.

    ------------------------------
    Davin Ardian
    ------------------------------


  • 2.  RE: QRadar monitor modified the registry variables and configuration files

    IBM Champion
    Posted Fri November 26, 2021 05:37 AM
    Hi Davin

    Short answer is no. You can, however, collect logs from your favourite FIM solution if you like. In this case I would go for one of the supported solutions available in App Exchange, like Snare, Sysmon or Tripwire.

    Regards
    Karl

    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------



  • 3.  RE: QRadar monitor modified the registry variables and configuration files

    Posted Sun November 28, 2021 09:12 PM
    Hi Karl,

    Well noted, thank you for the advice.

    ------------------------------
    Davin Ardian
    ------------------------------



  • 4.  RE: QRadar monitor modified the registry variables and configuration files

    IBM Champion
    Posted Mon November 29, 2021 09:34 AM
    I agree with you, Karl, particularly the newer versions of Snare, which can do the FIM at the same time. A lot easier to configure via GPO as well.

    ------------------------------
    Frank Eargle
    ------------------------------



  • 5.  RE: QRadar monitor modified the registry variables and configuration files

    Posted Wed December 01, 2021 09:30 PM
    Dear Frank,

    Well noted, thank you for the advice.

    ------------------------------
    Davin Ardian
    ------------------------------



  • 6.  RE: QRadar monitor modified the registry variables and configuration files

    Posted Mon November 29, 2021 11:13 PM
    Hello, Davin.

    The simple answer is no. If you like, you can go and collect logs from your favourite FIM solution. In this scenario, I'd recommend using one of the recommended App Exchange options, such as Snare, Sysmon, or Tripwire.



    Regards

    steven

    ------------------------------
    steven vaughan
    ------------------------------



  • 7.  RE: QRadar monitor modified the registry variables and configuration files

    Posted Wed December 01, 2021 09:33 PM
    Dear Steven,

    Well noted, thank you for the advice.

    ------------------------------
    Davin Ardian
    ------------------------------



  • 8.  RE: QRadar monitor modified the registry variables and configuration files

    Posted Sun December 05, 2021 08:27 PM
    The answer is simple: no. You may go collect logs from your favourite FIM solution if you like. In this case, I'd propose utilising Snare, Sysmon, or Tripwire, which are all recommended App Exchange choices.

    ------------------------------
    chris jordan
    ------------------------------



  • 9.  RE: QRadar monitor modified the registry variables and configuration files

    Posted Sun December 05, 2021 08:39 PM

    Hi Chris,

    Well noted, thank you for the advice

    Best Regards,

    Davin Ardian