List of Contributions

T R

Posted By T R Thu November 05, 2020 11:29 AM
Found In Egroup: IBM Security QRadar
Can you configure Check Point to send the events with LEEF 2.0 format? Otherwise you will have to compare those event payloads that are not parsing to ones that are and see what the differences are and add overrides to the event ID and category parsing on the DSM. ...
Posted By T R Thu November 05, 2020 08:28 AM
Found In Egroup: IBM Security QRadar
Yes, we saw the same thing and I am glad you remembered about the autodetection; that is a very useful feature!
Posted By T R Wed November 04, 2020 08:58 AM
Found In Egroup: IBM Security QRadar
When we moved to Check Point DSM over syslog, I had to change some of the properties used for mapping:
    Event Category: Expression Type: LEEF, Expression: $product$
    Event ID: Expression Type: LEEF, Expression: $eventid$
    LEEF Event ID: Expression Type: LEEF, Expression: $eventid$
...
Posted By T R Fri September 27, 2019 06:47 AM
Found In Egroup: IBM Security QRadar
We use the OPSEC/LEA protocol for our logs. Following the IBM guide (linked below) worked for us: https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_Checkpoint_firewall1_intro.html?cp=SS42VS_7.3.2#c_dsm_guide_checkpoint_firewall1_intro ...
Posted By T R Wed September 25, 2019 04:06 PM
Found In Egroup: IBM Security QRadar
Some of the event hub integration must work, our test environment is still actively receiving events from the event hub. Today I was trying to migrate that to production and things appeared to work (pulled the cert file to my QRadar box), but I am just sitting with a status of "Completed initialization". ...
Posted By T R Wed September 11, 2019 07:25 AM
Found In Egroup: IBM Security QRadar
We got things working with the event hubs by following the documentation on the QRadar support site (link below). I had to configure a log source, but then another was auto-discovered that had our data being sent from the event hub. We are only using the event hub for Azure Active Directory data. ...
Posted By T R Tue September 10, 2019 02:33 PM
Found In Egroup: IBM Security QRadar
Hello, I am working on configuring our Azure Active Directory and Office 365 logging in QRadar on-prem. I see that there are options to collect data via the Office 365 REST API through the Microsoft Office 365 log source type or via syslog (event hubs) through the Microsoft Azure log source type. ...