List of Contributions

Martijn Groenewegen

Posted By Martijn Groenewegen Wed August 16, 2023 08:35 AM
Found In Egroup: IBM Security QRadar
@Jonathan Pechta Is this something you can assist us with, to direct us in the correct direction, since this is unanswered? I've also used the "provide feedback" option already on IBM Security App Exchange - Reference Data Management - QRadar v7.3.3 FP6+/7.4.1FP2 (ibmcloud.com) but there is no update feedback ...
Posted By Martijn Groenewegen Thu March 23, 2023 11:09 AM
Found In Egroup: IBM Security QRadar
I think that a big problem that gets overlooked (and we've done our fair share of updating DSMs' parsing, mapping etc.) is that whenever the DSM gets updated you are left with a DSM that behaves differently than IBM anticipates, so if a new content pack comes out they build that content pack and work with ...
Posted By Martijn Groenewegen Sat November 02, 2019 02:50 AM
Found In Egroup: IBM Security QRadar
I know a long time ago we asked the same question and the answer then was "we are working on that", but the latest version of UBA is still not domain aware. Since we are running a multi-domain setup, it's basically making UBA useless. All reference sets are being filled as "shared data" instead ...
Posted By Martijn Groenewegen Wed July 17, 2019 03:31 PM
Found In Egroup: IBM Security QRadar
If you use the bypass correlation option, you can't see the rules that would have been triggered on the event anymore, I guess, so depending on what you want to accomplish you could also make a BB with the domain in it and add it to the BB for false positive management. Then you can see all the rules on ...
Posted By Martijn Groenewegen Wed July 17, 2019 07:33 AM
Found In Egroup: IBM Security QRadar
It depends if you want to stay "supported by IBM". I've been working with https://grafana.com/grafana/dashboards/1860 and https://grafana.com/grafana/dashboards/1617 but it means you have to install node-exporter on your QRadar box ...
Posted By Martijn Groenewegen Mon January 21, 2019 09:48 AM
Found In Egroup: IBM Security QRadar
You can use QID 28250180 for that; it shows: Jan 21 14:40:32 127.0.0.1 USERWHODIDIT@CONSOLEIP(5159932) /console/restapi/api/siem/offenses/OFFENSEID | [Action] [Offense] [OffenseAssigned] User: OFFENSEASSIGNEDTO has been assigned offense:OFFENSEID ...
Posted By Martijn Groenewegen Mon December 10, 2018 09:45 AM
Found In Egroup: IBM Security QRadar
I don't really have documentation apart from my own searches on configuring it. Maybe have a look at https://www.logbinder.com/Products/Supercharger/ ; it has some nice documentation and guides you through the GPOs you need to create, I think ...
Posted By Martijn Groenewegen Wed November 28, 2018 05:56 AM
Found In Egroup: IBM Security QRadar
If you really want to use Windows Event Forwarding to centralize the logs, so you can forward them with GPO settings, what you could do is create a subscription that puts the forwarded events not in "Forwarded Events" but dumps them in the "Application" log; then you can use an XPath query to get ...
Posted By Martijn Groenewegen Wed November 21, 2018 09:21 AM
Found In Egroup: IBM Security QRadar
You can just use the normal Windows event log with advanced auditing policies and NTFS auditing on the files and folders, and collect them through normal Windows security events, adding some custom properties and a reference set with the files to monitor ...