List of Contributions

Oliver Braun

1 to 20 of 33 total
Posted By Oliver Braun Tue December 21, 2021 02:53 AM
Found In Egroup: IBM Security QRadar
Hi David, we had a very similar problem. Our approach was to write two rules that each wrote something to a reference table when the event occurred. And then subsequently we alerted when both entries were present in the reference table. Reference tables are always a possibility if you want to "remember" ...
Posted By Oliver Braun Tue December 22, 2020 04:35 PM
Found In Egroup: IBM Security QRadar
Hi Benjamin, you are welcome. I am not sure about your question. Since VMs usually do not have dedicated hardware resources, but only virtual ones, the QRadar HA does not offer any added value in my view. Scenarios 1, 2 and 4 will probably not occur in VMware or affect all VMs. Scenarios 3 and ...
Posted By Oliver Braun Tue December 22, 2020 04:09 AM
Found In Egroup: IBM Security QRadar
Hi Benjamin, as I wrote in my other post, normally you do an Appliance Install for VMware and Hyper-V VMs during the installation. The installation type "Software" is only intended for the case when you use unsupported hardware, i.e. your own hardware or other hypervisors. With the Appliance ...
Posted By Oliver Braun Tue December 22, 2020 03:09 AM
Found In Egroup: IBM Security QRadar
Hi Benjamin, Mario is right, normally you do an Appliance Install for VMware and Hyper-V VMs during the installation. The installation type "Software" is only intended for the case when you use unsupported hardware, i.e. your own hardware or other hypervisors. With the Appliance Install, QRadar ...
Posted By Oliver Braun Tue December 15, 2020 11:58 AM
Found In Egroup: IBM Security QRadar
Hi Benjamin, you just need to have the DR license and to show it, when you have a license audit by IBM. The license is not applied on any appliance. And there are no more activation keys. I guess your documentation is from 7.2.7 or before. ------------------------------ Kind regards Oliver ...
Posted By Oliver Braun Tue December 15, 2020 03:37 AM
Found In Egroup: IBM Security QRadar
Hi, Benjamin, with two subnets you can unfortunately not do HA. With HA, the VIP switches between the two appliances. This only works if both appliances are in the same subnet. By the way, the Data Sync App is unfortunately not yet fully developed. We are currently testing the app as part of a ...
Posted By Oliver Braun Wed December 09, 2020 03:15 AM
Found In Egroup: IBM Security QRadar
Hi J. You believe right, the data are given a note as to when they should be deleted at the moment they arrive at QRadar. If you change the retention timeline in buckets, this only affects data received by QRadar from the moment of the change and after, not before. It is not intended to delete ...
Posted By Oliver Braun Mon May 11, 2020 04:01 PM
Found In Egroup: IBM Security QRadar
Hi Sushanta, do you only need SMTP or SMTP Auth? - SMTP should just work via GUI as Johan described it. - For SMTP Auth I wrote a manual for 7.3.3 which probably works with 7.3.2 as well. I'd be happy to send it to you if you are interested. ------------------------------ Kind regards Oliver ...
Posted By Oliver Braun Mon May 11, 2020 03:50 PM
Found In Egroup: IBM Security QRadar
Hi Arjun, unfortunately, there is no supported way without the procedure described above. Afterwards I asked an IBM developer about this topic and he told me a fieldfix, but unfortunately it is not persistent. Sorry. ------------------------------ Kind regards Oliver -------------------- ...
Posted By Oliver Braun Thu April 02, 2020 04:13 AM
Found In Egroup: IBM Security QRadar
Hello, One of our customers has expressed the wish to delegate offenses to a role (for example Analyst L2) and not directly to a user. I would find that a useful thing to do as well. Do any of you have the same problem and do you have a workaround for it? Or how do you deal with it? I can imagine ...
Posted By Oliver Braun Thu April 02, 2020 03:47 AM
Found In Egroup: IBM Security QRadar
Hi, as you mentioned "every event that comes in passes through all rules" but sometimes the rule is not relevant to the event, isn't that kind of a waste of resources? That's why you have to know how to write rules. Each incoming event passes through all rules, but not through all tests of all ...
Posted By Oliver Braun Tue March 31, 2020 03:45 AM
Found In Egroup: IBM Security QRadar
Hello Linsong, QRadar is different from Splunk here. With QRadar you write your search in rules and monitor the data in real time. It gives me no reason to do a search every 5 minutes. Rules monitor the incoming data in real time, meaning that every event that comes in passes through all rules. ...
Posted By Oliver Braun Mon March 30, 2020 03:57 AM
Found In Egroup: IBM Security QRadar
Hi Patryk, have you ever tried searching the audit log? I'm sure you can make a report out of it. I have attached an example. ------------------------------ Kind regards Oliver ------------------------------
Posted By Oliver Braun Wed March 18, 2020 05:58 AM
Found In Egroup: IBM Security QRadar
Hi Quang, Short answer: Yes you can install QRadar on any hardware that meets the necessary requirements, mainly RAM, storage and storage IO(!) are important. Long answer: Yes you can install QRadar on any hardware that meets the necessary requirements, mainly RAM, storage and storage IO(!) are ...
Posted By Oliver Braun Tue March 17, 2020 10:39 AM
Found In Egroup: IBM Security QRadar
Hi Quang, it must be all very confusing when you don't know what the possibilities are. Official download QRadar AiO (requires a license): https://www.ibm.com/community/qradar/ 7.4.0 is released just today. Official Download QRadar Community Edition (free but limited): https://www.ibm.com ...
Posted By Oliver Braun Mon March 16, 2020 06:33 AM
Found In Egroup: IBM Security QRadar
Hi, You think you should start with the page https://www.ibm.com/community/qradar/ There you will find the 7.3.3 ISO linked directly on the first page. Alternatively, you can also consider the CE (Community Edition) version - this is available as OVA. ------------------------------ Kind regards ...
Posted By Oliver Braun Tue March 10, 2020 06:18 AM
Found In Egroup: IBM Security QRadar
Hi, I'm a fan of keep it simple. Basically, this is what I would do: Preparation which QRadar version should have the common deployment? agree with IBM that the licenses (EPS / FPM / Datastore?) can be transferred from AIO1 to the AIO2 deployment request a downtime for AIO1 conversion ...
Posted By Oliver Braun Thu March 05, 2020 08:41 AM
Found In Egroup: IBM Security QRadar
Perfect, thanks for the quick answer. When can we expect the 7.4.? ;-) ------------------------------ Kind regards Oliver ------------------------------
Posted By Oliver Braun Wed March 04, 2020 03:06 AM
Found In Egroup: IBM Security QRadar
Hi all, we have the challenge to use SMTP with authentication for a customer. We successfully implemented this with a tutorial from the developer.ibm.com forum. (https://developer.ibm.com/answers/questions/431340/qradar-smtp-with-authentication/ Answer 3 from Alaa Ali) Thanks for that! Only ...
Posted By Oliver Braun Thu January 30, 2020 09:54 AM
Found In Egroup: IBM Security QRadar
Hi Ujjwal, maybe it would be an idea to mount your Azure blob storage to a different mount point, something like /store/backup/azure. And then run a cron job with rsync. This way you can sync all data from /store/Ariel/events to Azure on a regular basis. A restore would just be the other way ...