List of Contributions

Brian Brehart

Posted By Brian Brehart Fri March 08, 2019 12:16 PM
Found In Egroup: IBM Security QRadar
Drayton, It might at that. Do you have a recommendation as to how to make that go? Thanks, Brian ------------------------------ BrianBrehart ------------------------------
Posted By Brian Brehart Fri March 08, 2019 10:20 AM
Found In Egroup: IBM Security QRadar
Greetings, Is there a log in QRadar that tracks the time and date a particular rule fired? We're looking to use this for metrics so that we can show the increase or reduction in the number of times a rule was activated. Thanks ------------------------------ BrianBrehart -------------------- ...
Posted By Brian Brehart Fri March 01, 2019 11:27 AM
Found In Egroup: IBM Security QRadar
Greetings, I've been tasked with filtering traffic over ports 443 and 80/8080 that pass through our firewall for the past two months. I created this AQL search: SELECT * FROM events WHERE destinationip = ' ' AND destinationport = '443' OR destinationip = ' ' AND destinationport = '80' START '2019-01-01 ...
Posted By Brian Brehart Mon February 04, 2019 04:51 PM
Found In Egroup: IBM Security QRadar
So I figured it out, and it's not QRadar's fault; it's Active Directory's. Turns out it all comes down to a small entry in the Payload that works with the EventID= field: Logon Type. For a local machine, there are several, as listed in this article (and multiple others): https://docs.microsoft.com/e ...
Posted By Brian Brehart Mon February 04, 2019 03:01 PM
Found In Egroup: IBM Security QRadar
Hey Eduardo, thanks for the answer. That makes a lot of sense, I never realized that accessing a network share counted as a successful login event. I wanted to let you know that the Microsoft docs link you provided works just fine, but when I click on the RFE you provided, I receive the following message: ...
Posted By Brian Brehart Mon February 04, 2019 02:25 PM
Found In Egroup: IBM Security QRadar
I have a request from another department to monitor when a particular user has logged on and logged off the domain. Sounds simple, right? But when I tell QRadar to show me all login activity related to the user in question, I get hundreds of entries per day of the chosen log monitoring duration. Most ...
Posted By Brian Brehart Fri January 04, 2019 11:02 AM
Found In Egroup: IBM Security QRadar
Greetings, We use CA ELM to monitor login information to and from our Oracle databases, but that's going to be retired, so we're looking to QRadar to take up the reins. I'm having difficulty replicating one of the reports that CA ELM creates, mostly because QRadar only likes to show either logon fails ...
Posted By Brian Brehart Fri November 30, 2018 02:26 PM
Found In Egroup: IBM Security QRadar
Gladys, Also, is there some documentation concerning how to use the Custom Event Properties? I see a lot about how to create them, but nothing past that. Thanks again, Brian ------------------------------ Brian Brehart ------------------------------
Posted By Brian Brehart Fri November 30, 2018 12:48 PM
Found In Egroup: IBM Security QRadar
Gladys, Any word on when that extension is going to be released? I clicked the link today and the current version was uploaded in February of 2016. Cheers, Brian ------------------------------ Brian Brehart ------------------------------
Posted By Brian Brehart Fri November 30, 2018 12:46 PM
Found In Egroup: IBM Security QRadar
Nico, Did I ever answer you? I'm following up in case I didn't. When I say involved I mean that the Admin wasn't the target of the change, but the facilitator. I need to focus only when the Admin is the target of the change, whether it be a password reset, account lock, or password change. I hope ...
Posted By Brian Brehart Mon October 29, 2018 10:26 AM
Found In Egroup: IBM Security QRadar
As requested, here's the text of the Rule I created. Apply Domain Administrator Password Reset on events which are detected by the Local system and when the event(s) were detected by one or more of Microsoft Windows Security Event Log and when the event QID is one of the following (5000895) Success ...
Posted By Brian Brehart Thu October 25, 2018 01:35 PM
Found In Egroup: IBM Security QRadar
Greetings, I've been using QRadar SIEM for almost three years and, while there's obviously a lot more for me to learn, there's one aspect of QRadar that I've been trying to figure out ever since I started using the system: how do we isolate events related to Admin/Privileged accounts? One of the major ...