List of Contributions

Pipotron 2.0

Posted By Pipotron 2.0 Thu July 16, 2020 05:58 PM
Found In Egroup: IBM Security QRadar
Hi, does someone know, or has anyone ever tried, to forward JSON events to Spark? thx ------------------------------ Pipotron 2.0 ------------------------------
Posted By Pipotron 2.0 Sat February 15, 2020 05:54 PM
Found In Egroup: IBM Security QRadar
Hi, is there a way to collect Windows security events in XML format with the WinCollect agent, like below? - S-1-5-18 PIPO$ WORKGROUP 0x3e7 S-1-5-18 System AUTORITE NT 0x3e7 5 Advapi Negotiate - (00000000-0000-0000-0000-000000000000) ...
Posted By Pipotron 2.0 Wed July 17, 2019 07:11 AM
Found In Egroup: IBM Security QRadar
Hi, you're right about keeping the original payload and avoiding expensive lookups in the first steps ;) But while adding information later using historic correlation, can that information be added into indexed properties or simple properties? Same question with AQL properties or AQL custom functions, ...
Posted By Pipotron 2.0 Tue July 16, 2019 11:10 AM
Found In Egroup: IBM Security QRadar
Hey :) Let's take an example. Here is a simplified payload from a DNS event: SystemTime = 2019-16-07T16 :00 :00.6545646546Z EventID = 3006 Computer = WINDOWS88 QueryName = Google.Fr QueryType = 28. QRadar will parse the payload and only extract the 5 properties. But as enrichment, ...
Posted By Pipotron 2.0 Mon July 15, 2019 04:05 AM
Found In Egroup: IBM Security QRadar
And I need to add the enrichment before the normalization step if I want the information parsed. I could add a syslog or ELK to do the job before sending to the EC, but I would prefer to have a solution with QRadar. ------------------------------ Pipotron 2.0 ------------------------------
Posted By Pipotron 2.0 Mon July 15, 2019 03:48 AM
Found In Egroup: IBM Security QRadar
Hello Anthony, yep, I thought about the script when the rule triggers, but I will not have any enrichment for all events :( and I need to know how to modify the payload of events with a script ;) thanks ------------------------------ Pipotron 2.0 ------------------------------
Posted By Pipotron 2.0 Mon July 15, 2019 03:44 AM
Found In Egroup: IBM Security QRadar
Hi, yep, it will be complicated to get the information :p thank you anyway ------------------------------ Pipotron 2.0 ------------------------------
Posted By Pipotron 2.0 Fri July 12, 2019 03:31 AM
Found In Egroup: IBM Security QRadar
Hi Anthony, thx for your answer! But in my case I want information about index and SuperIndex if available ;) ------------------------------ Pipotron 2.0 ------------------------------
Posted By Pipotron 2.0 Fri July 12, 2019 03:26 AM
Found In Egroup: IBM Security QRadar
Hey Jeremy, thx, but it's not what I want.. ;) I need to add context / information to events like I did on Logstash. Ex: I have a Python script which calculates the domain generation algorithm. How to use it to add the results directly in the events? thx! ------------------------------ ...
Posted By Pipotron 2.0 Wed July 10, 2019 06:05 PM
Found In Egroup: IBM Security QRadar
Hey ;) Something like: when there is an IP in the event I want to add the ISP, ASN, etc. When I have a URL I want to add the length of the query or the DGA for the domain ;) I want to add as much information as I can to speed up the analysis. thx ------------------------------ Pipotron 2.0 -- ...
Posted By Pipotron 2.0 Wed July 10, 2019 09:05 AM
Found In Egroup: IBM Security QRadar
Hi, I want to do event enrichment with information that is not present in the payload. What are the solutions to do that in QRadar plz? :) thx!
Posted By Pipotron 2.0 Wed July 10, 2019 09:05 AM
Found In Egroup: IBM Security QRadar
Hi, can someone explain to me how the indexes / super indexes work in QRadar plz? I didn't find any deep information on this subject :( Thanks!