I'd start with the content you are feeding QRadar with.
Do you have any IPS/IDS or WAF that sends logs to QRadar? Is it configured to track for such events?
There are Windows event IDs that can be used to track user account changes (4720=created, 4738=changed, 4726=delected, 4722=enabled, 4725=disabled). How did you configure Windows auditing? It should be easy to track based on these IDs or associated QIDs. Question is what do you want to achieve : generally monitor (could be e.g. a good case to save a search and create a report) or monitor for particular usernames (e.g. add the names to a reference set and have a rule that tracks the QIDs for these events and username matching the items in the ref. set) or something else?
Did you integrate MySQL with QRadar already? I recall there was a need to download MySQL driver for JDBC ( https://www.ibm.com/support/pages/qradar-how-download-and-install-mysql-driver-jdbc-log-source ). How did you configure the auditing on MySQL side? Do you e.g. have the events related to user creation/deletion? Are there needed details in the log that relate to the specific roles/tables/etc?
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Sat August 12, 2023 10:59 AM
From: Henry Alonso Valdivia Barba
Subject: Detection of some offenses like SQL Injection or XSS
Hello Friends,
I would like to know if Qradar CE can detect offenses like SQL Injection or XSS because i was finding in internet and communities but i had no success. If it is possible please can you give me an example how can it be or a link to a resource where i can find the rules for this? or if you can share with me some examples.
Also i would like to know if i can detect with Qradar another attacks or offenses like this (if you have examples of rules please help me sharing with me your ideas):
- in MySQL Server Database detect if i created a new user with dba privileges or remote access with root account
- in MySQL Server Query is taking too long
- in PFSense firewall configuration has changed
- Creation/Editing users from AD in Windows server
#offense
#qradar
#sqli
#XSS
#MySQL
Thank you in advance.
Best Regards.
Henry.
------------------------------
Henry Alonso Valdivia Barba
------------------------------