List of Contributions

Linsong Guo

Posted By Linsong Guo Feb 19, 2021 12:18 AM
Found In Egroup: IBM Security QRadar
Hi Ka, I am looking for monitoring TOR exit node IPs, which means the reference set will contain a list of TOR exit node IPs. I am thinking about curling the list from the TOR website and getting it imported into the reference set, but I am not sure how to get the data into QRadar. Cheers, L
Posted By Linsong Guo Feb 15, 2021 6:29 PM
Found In Egroup: IBM Security QRadar
Hi Everyone, I want to auto-update a reference set which contains an IP list I want to monitor. Does anyone have any documentation on how to do this? Thank you for your help. Regards,
------------------------------
Linsong Guo
------------------------------
Posted By Linsong Guo Jan 6, 2021 12:11 AM
Found In Egroup: Global Security Forum
Hi Everyone, I am trying to detect RDP connections to a remote host. I read some web posts suggesting looking for 4624 events with logon type 10. I made an RDP connection to a remote host; however, all the 4624 events I can see are logon type 3. Then I realized 4624 events can be collected from 3 places: the workstation where ...
Posted By Linsong Guo Aug 25, 2020 3:03 AM
Found In Egroup: IBM Security QRadar
Hi Everyone, we have a password management system (PMS) that stores all admin passwords; the user normally needs to retrieve the password from the PMS and then RDP to the server. I want to detect the user who logs in to the server without retrieving the password from the PMS. I found this condition in the rule wizard: "and when these ...
Posted By Linsong Guo Jul 2, 2020 10:56 PM
Found In Egroup: IBM Security QRadar
Hi Daniel, thank you for your reply, but it throws me the error message "Filtering is unsupported on the field: description". Does this mean the description field does not support any filter? Regards, Linsong
Posted By Linsong Guo Jul 1, 2020 1:50 AM
Found In Egroup: IBM Security QRadar
Hi, I want to use the REST API to filter the description field in the offense data, but I keep getting an error message. For example, when I do description="XXXXX" I get the following error: "An error occurred while the offense list was being retrieved. Filtering is unsupported on the field: description". If I ...
Posted By Linsong Guo Apr 23, 2020 8:30 PM
Found In Egroup: IBM Security QRadar
Hi Everyone, I am trying to calculate how much time an analyst spends on an offense. To make things simple, I have data as below:

Offense ID  start_time           Event Name        Offense_Assign_To
92          2020-04-23 18:25:35  Offense Assigned  admin
92          2020-04-23 18:31:48  Offense Assigned  -1
92          2020-04-23 18:32:03  Offense Assigned  ...
Posted By Linsong Guo Apr 3, 2020 2:34 AM
Found In Egroup: Global Security Forum
Hi There, I am trying to use the REST API to get offense data using https://192.168.0.15/api_doc#version=12.0&api=%2Fsiem%2Foffenses&method=GET. The offense object has a field called rules with nested fields id and type. When I try to use that nested ID field, rules(id), it keeps throwing me a 422 error as ...
Posted By Linsong Guo Apr 3, 2020 2:33 AM
Found In Library: Global Security Forum
Posted By Linsong Guo Apr 1, 2020 6:50 PM
Found In Egroup: IBM Security QRadar
Thank you for your explanations. As you mentioned, "every event that comes in passes through all rules", but sometimes the rule is not relevant to the event; isn't that kind of a waste of resources?
------------------------------
Linsong Guo
------------------------------
Posted By Linsong Guo Mar 30, 2020 9:21 AM
Found In Egroup: IBM Security QRadar
Hi Everyone, I am new to QRadar and this may be a noob question: can you schedule your search/rules/report to run every 5 minutes instead of in real time or hourly? Based on my research, I find you can schedule a search in a report and run the report hourly, then generate an offense based on the report, but ...