IBM Security QRadar

  • 1.  Way to track content change

    Posted Fri March 27, 2020 09:34 AM
    Hello all,

    I'm looking for some way to track changes on QRadar rules.
    We have many people who develop new rules and make changes on existing ones, so we need some control on that.
    I didn't find any solution, but I believe I'm not the only one who struggles with this problem.

    I will be grateful for all ideas :)




    ------------------------------
    Patryk Prauze
    ------------------------------


  • 2.  RE: Way to track content change

    Posted Mon March 30, 2020 03:57 AM
    Hi Patryk,

    have you ever tried searching the audit log? I'm sure you can make a report out of it. I have attached an example.



    ------------------------------
    Kind regards
    Oliver
    ------------------------------



  • 3.  RE: Way to track content change

    Posted Mon March 30, 2020 07:48 AM
    Hi Oliver,

    Yes, I know that there are such events and I can build a report upon them, but that's not what I want to achieve.
    I'm looking for some solution to build something like a rules repository where I will be able to track changes on rules.



    ------------------------------
    Patryk Prauze
    ------------------------------



  • 4.  RE: Way to track content change

    Posted Mon March 30, 2020 09:21 AM
    Hi Patryk,

    you can use the Audit Logs of QRadar either with the CLI or with the WebGUI. Just filter on log source 'SIM Audit-2' and low level category 'SIM Configuration Change'.

    I hope this helps...

    Kind regards,
    Volker

    ------------------------------
    Volker Scholz
    ------------------------------



  • 5.  RE: Way to track content change

    Posted Mon March 30, 2020 10:34 AM
    Volker is correct in seeing what has changed using that log source, but the problem I think you also have is policing change and versioning of any changes (I have seen this challenge in my environment).

    QRadar is great in a number of areas; however, it does not have any concept of versioning (e.g. rolling back a change) nor policing of change (i.e. permitting change only on parts of the configuration).

    It is a bit of a weakness given other real-time multi-tenant [voice/carrier] systems have had versioning/policing functions since the 1990s. For us this is more problematic when the SIEM is larger with multiple tenants or operating as a MSSP.

    I'll chat behind the scenes to see where this sits in the list of to-dos with the development community.

    Darren H.

    ------------------------------
    Darren H.
    ------------------------------
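The two approaches discussed above (Volker's audit-log filter in reply 4 and the missing versioning that Darren describes in reply 5) can be combined into a small script that snapshots the rule list and commits it to git, so that a diff between runs shows who-changed-what alongside the audit events. This is an added example, not code from the thread or from IBM. It assumes a QRadar REST endpoint `GET /api/analytics/rules` that accepts the `SEC` token header and returns a JSON list of rule objects carrying `id`, `name`, `type`, `enabled`, `owner` and `modification_date`; the environment variable names, the snapshot file name and the sample rule records are constructed for the example. The AQL string reproduces the filter from reply 4 (log source `SIM Audit-2`, low-level category `SIM Configuration Change`); the selected columns and time window are my choice.

```python
"""Snapshot QRadar rule metadata and diff it between runs (added example).

Assumptions not confirmed by the thread: the REST endpoint and the rule
fields listed in TRACKED_FIELDS. Everything else runs offline.
"""
import json
import subprocess
import urllib.request
from pathlib import Path
from typing import Any, Dict, List

# AQL equivalent of the filter recommended in reply 4. Columns and the
# LAST 7 DAYS window are my choice; the two predicates are from the thread.
AUDIT_AQL = (
    "SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS changed_at, "
    "username, QIDNAME(qid) AS action, UTF8(payload) AS payload "
    "FROM events "
    "WHERE LOGSOURCENAME(logsourceid) = 'SIM Audit-2' "
    "AND CATEGORYNAME(category) = 'SIM Configuration Change' "
    "LAST 7 DAYS"
)

# Rule fields we version (assumed to be present in the API response).
TRACKED_FIELDS = ("name", "type", "enabled", "owner", "modification_date")

Snapshot = Dict[str, Dict[str, Any]]


def fetch_rules(console: str, token: str) -> List[Dict[str, Any]]:
    """GET the rule list from the console (endpoint is an assumption)."""
    req = urllib.request.Request(
        f"https://{console}/api/analytics/rules",
        headers={"SEC": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def snapshot(rules: List[Dict[str, Any]]) -> Snapshot:
    """Reduce API output to the tracked fields, keyed by rule id."""
    return {str(r["id"]): {f: r.get(f) for f in TRACKED_FIELDS} for r in rules}


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, Any]:
    """Report rules added, removed and changed between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed: Dict[str, Dict[str, Any]] = {}
    for rid in sorted(set(old) & set(new)):
        delta = {f: (old[rid].get(f), new[rid].get(f))
                 for f in TRACKED_FIELDS if old[rid].get(f) != new[rid].get(f)}
        if delta:
            changed[rid] = delta
    return {"added": added, "removed": removed, "changed": changed}


def save_snapshot(path: Path, snap: Snapshot) -> None:
    """Deterministic JSON (sorted keys) so that git diffs stay readable."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True) + "\n")


def load_snapshot(path: Path) -> Snapshot:
    return json.loads(path.read_text()) if path.exists() else {}


def commit_snapshot(repo: str, filename: str, message: str) -> None:
    """Record the new snapshot in the repository's history."""
    subprocess.run(["git", "-C", repo, "add", filename], check=True)
    subprocess.run(["git", "-C", repo, "commit", "-q", "-m", message], check=True)


# Constructed sample records standing in for two API responses.
SAMPLE_OLD = [
    {"id": 1, "name": "Brute force login", "type": "EVENT", "enabled": True,
     "owner": "admin", "modification_date": 1585000000000},
    {"id": 2, "name": "Legacy proxy alert", "type": "EVENT", "enabled": True,
     "owner": "admin", "modification_date": 1585000000000},
]
SAMPLE_NEW = [
    {"id": 1, "name": "Brute force login", "type": "EVENT", "enabled": False,
     "owner": "admin", "modification_date": 1585500000000},
    {"id": 3, "name": "New DNS tunnelling rule", "type": "FLOW", "enabled": True,
     "owner": "analyst1", "modification_date": 1585500000000},
]


def demo() -> Dict[str, Any]:
    """Diff the constructed samples: rule 1 disabled, 2 removed, 3 added."""
    return diff_snapshots(snapshot(SAMPLE_OLD), snapshot(SAMPLE_NEW))


if __name__ == "__main__":
    import os
    repo = os.environ.get("RULES_REPO", ".")          # git checkout to write into
    snap_file = Path(repo) / "qradar_rules.json"
    previous = load_snapshot(snap_file)
    current = snapshot(fetch_rules(os.environ["QRADAR_CONSOLE"],
                                   os.environ["QRADAR_TOKEN"]))
    delta = diff_snapshots(previous, current)
    save_snapshot(snap_file, current)
    if any(delta.values()):
        commit_snapshot(repo, snap_file.name,
                        f"QRadar rules: +{len(delta['added'])} "
                        f"-{len(delta['removed'])} ~{len(delta['changed'])}")
    print(json.dumps(delta, indent=2))
```

Run it from cron with `QRADAR_CONSOLE`, `QRADAR_TOKEN` and `RULES_REPO` set; each run that detects a difference produces one commit, so `git log -p qradar_rules.json` becomes the change history Patryk asked for, and `AUDIT_AQL` run in the Log Activity tab (or via the Ariel search API) gives the user behind each change. Note this versions rule metadata only; it does not capture the rule tests themselves, and it cannot roll a change back, which is the gap Darren points out.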



  • 6.  RE: Way to track content change

    Posted Tue March 31, 2020 08:56 AM
    Hi guys

    I agree with you, SIM Audit logs are the best option to track what has been done.

    You could check this content pack on the App Exchange: https://exchange.xforce.ibmcloud.com/hub/extension/0be9613a768a5a05ea102535b7bce76a
    The pack includes monitoring of the CLI, the web interface, QRadar's health status, etc.
    Check the screenshot given as an example.

    Hope this helps

    ------------------------------
    Gladys Koskas
    ------------------------------