IBM QRadar

  • 1.  2FA on qradar login and message or mail notification

    Posted Thu December 01, 2022 03:20 AM
    Hello dear friends,

    I wanted to ask how I can set up 2FA with time-based authentication on my QRadar. I would also like to get a message or mail notification if someone logs in to QRadar. Is that possible on QRadar, and what is the procedure to do so?

    Thank you!

    ------------------------------
    Slavcho Andreevski
    ------------------------------


  • 2.  RE: 2FA on qradar login and message or mail notification

    Posted Tue December 06, 2022 04:32 AM
    Anyone on how to do this? Thank you

    ------------------------------
    Slavcho Andreevski
    ------------------------------



  • 3.  RE: 2FA on qradar login and message or mail notification

    Posted Wed December 07, 2022 02:04 AM

    Hi Slavcho, 

    For 2FA, as you know, QRadar supports external authentication or SAML, etc. One thing, at a high level: you can think about utilizing any external authentication which supports SAML and time-based policy.

    For the 2nd question, QRadar always records log-in or log-out into SIM Audit. For example, 

    So you can make your own rule to send email or pop-ups as the rule response for User Login/Logout/Attempt etc. events.



    ------------------------------
    Regards, thank you.
    ByongJun "BJ" Na (나병준)
    QRadar Advisor with Watson Ambassador/Security Intelligence Senior CTP
    IBM Certified SI Solution Advisor (Director/Senior Specialist), CISSP, IBM Certified ADP
    - You solve one problem, and you solve the next one, and then the next.
    And if you solve enough problems, you get to come home. - From Martian -
    Phone: 822-3781-4843 | Mobile: 82-10-4995-4843
    E-mail: bjna@kr.ibm.com
    ------------------------------
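
To see which login and logout audit events the reply above refers to before building a rule on them, an AQL search along these lines can be run from the Log Activity advanced search. This is an added example, not part of the original post; the log source type name 'SIM Audit' and the event-name patterns are assumptions to adjust for your deployment.

```sql
-- Added example: list QRadar's own console login/logout audit events.
-- Assumption: the audit log source type is named 'SIM Audit' here.
-- Assumption: the relevant event names contain "login" or "logout".
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    username,                                  -- account that logged in or out
    sourceip,                                  -- where the session came from
    QIDNAME(qid)           AS event_name,      -- e.g. the User Login / Logout events
    CATEGORYNAME(category) AS low_level_category
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'SIM Audit'
  AND (QIDNAME(qid) ILIKE '%login%' OR QIDNAME(qid) ILIKE '%logout%')
ORDER BY starttime DESC
LAST 24 HOURS
```

The event names this returns are the ones to match in the custom rule whose response sends the email or notification.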



  • 4.  RE: 2FA on qradar login and message or mail notification

    Posted Tue December 13, 2022 07:11 AM
    Edited by Slavcho Andreevski Tue December 13, 2022 07:25 AM
    Thank you very much for your reply. I wanted to ask you where I can find a guide or something so I can implement an external authentication that supports OTP and SAML. I found the guide about SAML in the QRadar documents, but I did not find a guide about external authentication for SAML and OTP. Also, as I understand it, SAML can be my domain controller, in which I can implement 2FA and then log in to QRadar. QRadar will send the credentials and the OTP to the DC to check them and will receive a response so the user is authorized. But I have a question about that: can I add just several users to be able to log in to QRadar, and not all the users in the DC? And how can I secure the super admin (root) on QRadar to be authenticated with 2FA? Thank you again

    ------------------------------
    Slavcho Andreevski
    ------------------------------



  • 5.  RE: 2FA on qradar login and message or mail notification

    Posted Tue December 13, 2022 10:32 PM
    Hi Slavcho,

    I assume your DC means Domain Controller, like AD. Before starting, I think you can refer to the links below if you haven't.

    https://www.ibm.com/support/pages/qradar-security-considerations-configuring-external-authentication-accounts

    https://www.ibm.com/docs/ro/qsip/7.4?topic=authentication-external-guidelines

    So, for AD, we have a note, that is, 
    "For Active Directory user authentication, you must create a local QRadar user account that is the same as the Active Directory (AD) account on the authentication server."
    It means that even though any account may try to log in to QRadar via AD authentication, only an account that has the same account name locally in QRadar is allowed to log in.
    So you just add the accounts you want to allow to log in to QRadar as local accounts in QRadar.

    For the 2nd question, about 2FA for root (CLI): as far as I know, you need to have some external authentication to control CLI login from outside of QRadar. One of my customers is using the feature with a 3rd party, like a secure gateway for CLI login.

    ------------------------------
    Regards, thank you.
    ByongJun "BJ" Na (나병준)
    QRadar Advisor with Watson Ambassador/Security Intelligence Senior CTP
    IBM Certified SI Solution Advisor (Director/Senior Specialist), CISSP, IBM Certified ADP
    - You solve one problem, and you solve the next one, and then the next.
    And if you solve enough problems, you get to come home. - From Martian -
    Phone: 822-3781-4843 | Mobile: 82-10-4995-4843
    E-mail: bjna@kr.ibm.com
    ------------------------------