IBM Security QRadar

 View Only
  • 1.  Security Log Filtering

    Posted Mon November 27, 2023 03:25 PM

    Hello all,

    I added a second EventID to filter and it is not working. I added a comma and no space with the EventID and Q is still showing the logs. Any help would be appreciated. 

    Thanks



    ------------------------------
    Michael Anderson
    ------------------------------


  • 2.  RE: Security Log Filtering

    Posted Tue November 28, 2023 04:15 AM

    Michael, not enough details to provide an answer. Is this a standard search or AQL? What are you trying to achieve? For example: in the standard search, if you need to have an OR test you can apply the <CustomProperty> Equals any of and then add the values in the list; adding a filter on top of an existing one means previous AND current. 



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Security Log Filtering

    Posted Tue November 28, 2023 02:34 PM

    If you go into the log source for Windows and the protocol is Wincollect, you have the ability to filter eventIDs so that they do not send to Qradar.



    ------------------------------
    Michael Anderson
    ------------------------------



  • 4.  RE: Security Log Filtering

    Posted Tue November 28, 2023 02:46 PM

    You are refering to inclusion,exclusion and NSA (inclusion) filters?

    Note that if any of these options is selected, the events will arrive to QRadar (and thus consume some EPS), but true - part should be discarded after the filter is checked. Which option did you use? Any other things noticed? 

    With WinCollect it might be better to create the XPATH query covering needed events - that way you will really filter the events on the source (and save some EPS).



    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 5.  RE: Security Log Filtering

    Posted Wed November 29, 2023 08:48 AM

    I have it as an exclusion filter. I had 1 EventID filtered and it worked but I added a second ID and it will not filter the second ID.



    ------------------------------
    Michael Anderson
    ------------------------------