List of Contributions

COLIN HAY

IBM Security

Posted By COLIN HAY Mon September 25, 2023 10:51 AM
Found In Egroup: IBM Security QRadar
If you're sending plaintext syslog over either UDP or TCP, you don't need to configure anything on the DLC side, it will automatically listen for plaintext syslog. However if you want to send TLS syslog you'd need to configure a TLS listener for the DLC, either by editing the json file directly, or by ...
Posted By COLIN HAY Wed April 26, 2023 09:47 AM
Found In Egroup: IBM Security QRadar
Hi Niv, It sounds like you already have a routing rule+forwarding destination configured to forward data from QRadar to the other SIEM. But is this routing rule configured in online or offline mode? Online mode means it happens in real-time, while the event is still "in flight" within the QRadar event ...
Posted By COLIN HAY Tue November 22, 2022 02:44 PM
Found In Egroup: IBM Security QRadar
As a general rule, if you can see the events in Log Activity, even if they're being routed to the SIM Generic Log source because the log source that is supposed to process them is disabled, that means they're counting towards your EPS license. As hostcontext restart said, if you disable a log source ...
Posted By COLIN HAY Mon October 31, 2022 10:37 AM
Found In Egroup: IBM Security QRadar
Just to add to Karl's comments, Log Source groups have their own internal IDs and parent IDs (which is how the hierarchy is defined), so if you have two groups with the same name, the system will still understand them to be different groups. Searches, rules, etc. that reference rules do so by ID internally ...
Posted By COLIN HAY Thu October 06, 2022 09:20 AM
Found In Egroup: IBM Security QRadar
Hi Vijay, A JSON expression won't work for this particular case because the "RuleActions" property's Value contains partially escaped JSON (the quotes are escaped via backslash) so it is not valid JSON. You'll need to use a Regex expression in this case: For the ActionType value: ActionType\\ ...
Posted By COLIN HAY Tue March 15, 2022 02:26 PM
Found In Egroup: IBM Security QRadar
Hi Dan, sorry I went quiet on you, was out on vacation and then got hit with a medical problem that's had me out of commission for a while. I'm working with your lab advocate and the support team on this, you'll be getting a more formal update soon. Short answer is you're hitting a defect of some kind ...
Posted By COLIN HAY Sun February 27, 2022 02:39 PM
Found In Egroup: IBM Security QRadar
Hi Dan, How are you exporting, through the UI, API, or the command line tool (contentManagement.pl)? If via API, what request are you making, and if via command line, what command are you running? Once I have that answer I should be able to tell you why the extra log source type is being included ...
Posted By COLIN HAY Thu February 17, 2022 05:02 AM
Found In Egroup: IBM Security QRadar
Dan/Karl, Karl's solution will work for migrating the LSX, but the LSX is just one artifact generated by the DSM Editor; it only defines the logic for how standard properties are parsed. If Dan has defined any custom property expressions, event mappings, QID records, or config in the Configuration ...
Posted By COLIN HAY Mon January 24, 2022 01:44 PM
Found In Egroup: IBM Security QRadar
That's because you didn't include the next field. The User-Agent field is followed by the Accept field, so use a regex like this: User-Agent: (.*?)Accept: Or since you want to remove the \r\n characters, do this: User-Agent: (.*?)\r\nAccept: Cheers Colin ------------------------------ ...
Posted By COLIN HAY Fri January 21, 2022 06:18 PM
Found In Egroup: IBM Security QRadar
Hello Cristian, Is there another field that comes after the User-Agent field? If so you can use it as a "perimeter" for the capture, like so: User-Agent: (.*?) Next-Field: Cheers Colin ------------------------------ COLIN HAY IBM Security ----------------------------- ...
Posted By COLIN HAY Tue December 07, 2021 12:49 PM
Found In Egroup: IBM Security QRadar
Hi Michael, The original /reference_data/sets endpoints have been deprecated and will likely be removed eventually, but we've added the /reference_data_collections/sets endpoints to replace it. This is the beginning of a "v2" suite of improved APIs for managing reference data. Cheers Colin ...
Posted By COLIN HAY Tue October 05, 2021 08:33 AM
Found In Egroup: IBM Security QRadar
Hello Pipo, No, there is no supported way to rename an IBM-provided DSM. Cheers Colin ------------------------------ COLIN HAY IBM Security ------------------------------
Posted By COLIN HAY Wed June 23, 2021 11:40 PM
Found In Egroup: IBM Security QRadar
Hello Jérémy, There is no REST API or other supported/documented programmatic method for retrieving information about indexed properties. However you can obtain useful information directly from postgres, specifically from the ariel_indexes table, by running this command: psql -U qradar ...
Posted By COLIN HAY Wed June 09, 2021 01:38 PM
Found In Egroup: Global Security Forum
Hi Michail, In QRadar version 7.4.3 we have changed AQL custom properties to work the same way as extraction properties, with the same set of filtering capabilities. It is not possible to limit them in this way in older versions of QRadar. Cheers Colin ------------------------------ COLIN ...
Posted By COLIN HAY Wed June 02, 2021 03:25 PM
Found In Egroup: IBM Security QRadar
Hi Nitesh, If you don't fill in a Message Pattern as part of the configuration, the HTTP Receiver protocol will accept the entire POST request Body as an event payload, including any newline characters, so the event will be preserved in a multiline form. If you provide a Message pattern, the body ...
Posted By COLIN HAY Mon May 31, 2021 01:07 PM
Found In Egroup: IBM Security QRadar
Ok if you don't see it in netstat at all then that also eliminates the possibility that you have a different listener using 12469. As Ian suggested, you could check /var/log/qradar.error around the time when you first deployed the log source to see if there are any errors which give an indication ...
Posted By COLIN HAY Mon May 31, 2021 10:36 AM
Found In Egroup: IBM Security QRadar
Hi Nitesh, This setting does not persist, it's just for your current session in the DSM Editor. Note that it does not affect how QRadar collects or parses real events as they are obtained, it just affects how the DSM Editor perceives events in the Workspace, and determines how those sample events ...
Posted By COLIN HAY Mon May 31, 2021 10:31 AM
Found In Egroup: IBM Security QRadar
Hi Nitesh, I don't think QRadar 7.4.1 has a general problem with this and the AWS image should be the exact same application code, but it's possible that there are other aspects of the AWS environment blocking the traffic. Are you certain that the port is not open at the host level? Have you run netstat ...
Posted By COLIN HAY Fri May 28, 2021 08:00 AM
Found In Egroup: IBM Security QRadar
Hi Nitesh, First thing to verify is if you did a deploy (Admin tab > Deploy Changes). This is required to both activate the log source (so Java binds a listener to the specified port) and to update the iptables rules to allow access to that port. Cheers Colin ------------------------------ ...
Posted By COLIN HAY Thu May 13, 2021 10:16 AM
Found In Egroup: IBM Security QRadar
Hi Logan, You can send Windows events to an Event Collector just like you can with Linux events, an EC supports the same log source types and protocol types as an EP or console. WinCollect is an option but you could use alternate Windows agents if you like (Snare, nxlog, Balabit syslog-ng, etc). ...