List of Contributions

Dusan VIDOVIC

Posted By Dusan VIDOVIC Thu April 18, 2024 04:55 AM
Found In Egroup: IBM Security QRadar
Is it a superflow record? In such a case you could have one "leading" IP and a number of others below it in the same field in the flow record.
Posted By Dusan VIDOVIC Thu April 11, 2024 03:59 AM
Found In Egroup: IBM Security QRadar
Not directly the answer to this question, but the easiest way is adding the Data node. As the LVM method is not officially supported, what I did a few times (to steer away from other trouble) is: provision a new (properly sized) virtual disk, add it to the QRadar instance and (after discovering the ...
Posted By Dusan VIDOVIC Fri March 15, 2024 09:40 AM
Found In Egroup: IBM Security QRadar
That is what I meant with "no matter the capture groups within a bracket". As mentioned (I might be wrong but that is how I recall) if it is something you are personally adding as a custom property and not a common property for all the logs (like Event ID, Category, Source IP, Source MAC, Username etc.) ...
Posted By Dusan VIDOVIC Thu March 14, 2024 09:12 AM
Found In Egroup: IBM Security QRadar
If I understood correctly, you managed to create a log source and get the logs through syslog? Now, I am not familiar with Palo Alto's solution, but it kind of sounds like you would need to create a custom log source and use the Universal Cloud REST API protocol (https://community.ibm.com/commun ...
Posted By Dusan VIDOVIC Wed March 13, 2024 07:40 AM
Found In Egroup: IBM Security QRadar
The last example Comghall provided is for the Log Source Time - which is a mandatory field. Using a combination of Format strings when creating parsing for mandatory fields (properties) you can concatenate the needed strings. Now, you are creating a "personal" custom property, where capture groups are ...
Posted By Dusan VIDOVIC Mon January 15, 2024 05:44 AM
Found In Egroup: IBM Security QRadar
This query should get the data from internal logs for the /store partition: SELECT DATEFORMAT(starttime, 'yyyy-MM-dd') as "Date", "Hostname" as "ManagedHost", LONG(MAX("Value")/(1024*1024*1024)) as "Used GB" FROM events WHERE (qid = 94000001) AND ("Metric ID" = 'DiskSpaceUsed') AND (Element = '/store') ...
Posted By Dusan VIDOVIC Thu January 11, 2024 06:03 AM
Found In Egroup: IBM Security QRadar
If your QRadar was installed initially with a version higher than v. 7.3, in theory you could use LVM. In practice, however, this is not supported by IBM (or at least it is strongly discouraged). Based on the question, I am not sure what partition is reaching its limits, but I will assume it is ...
Posted By Dusan VIDOVIC Tue January 09, 2024 04:37 AM
Found In Egroup: IBM Security QRadar
I think these might help in your investigation: https://www.ibm.com/docs/pt/qsip/7.4?topic=recovery-data-redundancy-in-qradar-deployments https://community.ibm.com/community/user/security/blogs/alaa-ali1/2021/04/09/load-balancing-syslog-data-to-qradar
Posted By Dusan VIDOVIC Thu December 21, 2023 07:34 AM
Found In Egroup: IBM Security QRadar
You can use an alternative approach as well. Create BBs that group a class or other set of devices (e.g. per device type) and use them in a rule with a test like this example: Apply Log Source Monitoring - Group 1 on events which are detected by the Local system and when none of BB:LogSource ...
Posted By Dusan VIDOVIC Thu November 30, 2023 05:10 AM
Found In Egroup: IBM Security QRadar
This bandwidth is really low - maybe too low to have the EC as managed host (if I'm not mistaken, the official recommendation was at least 100Mbps); it is usually suggested in such cases to use a DLC instance (as it would at least relieve you of the issues with "Deploy changes"). Now, would using a ...
Posted By Dusan VIDOVIC Tue November 28, 2023 02:46 PM
Found In Egroup: IBM Security QRadar
You are referring to inclusion, exclusion and NSA (inclusion) filters? Note that if any of these options is selected, the events will arrive at QRadar (and thus consume some EPS), but true - part should be discarded after the filter is checked. Which option did you use? Any other things noticed? ...
Posted By Dusan VIDOVIC Tue November 28, 2023 04:15 AM
Found In Egroup: IBM Security QRadar
Michael, not enough details to provide an answer. Is this a standard search or AQL? What are you trying to achieve? For example: in the standard search, if you need to have an OR test you can apply the Equals any of and then add the values in the list; adding a filter on top of an existing one means ...
Posted By Dusan VIDOVIC Wed November 15, 2023 05:05 AM
Found In Egroup: IBM Security QRadar
What must be logged and monitored in your case depends on what you see as potential use case, specific risk/threats profile, regulatory requirements etc. (Regulatory requirements might require you to log much more than you would see having immediate value for detection, but would be needed for evidence ...
Posted By Dusan VIDOVIC Tue November 14, 2023 04:14 AM
Found In Egroup: IBM Security QRadar
I've encountered something similar in 7.5.0UP2 - events for regular and custom DSMs would appear as Generic and/or Stored. Support suggested this was resolved starting with UP6 or so.
Posted By Dusan VIDOVIC Fri September 01, 2023 09:12 AM
Found In Egroup: IBM Security QRadar
You can - as mentioned, there are no technical obstacles. What licenses and how many you acquired is a different question, and that is where you / your company needs to go through the software inventory and decide if you may install it (and not be in breach of licensing agreement); if in doubt, best ...
Posted By Dusan VIDOVIC Fri September 01, 2023 04:23 AM
Found In Egroup: IBM Security QRadar
You use the same ISO as for the SIEM; during installation you will have the option to select the type of system and one option will be AppHost (same would be for e.g. Event processors, Event collector, Risk Manager ...). Note: AFAIK, from the licensing point of view, any non-appliance QRadar installed ...
Posted By Dusan VIDOVIC Mon August 14, 2023 05:40 AM
Found In Egroup: IBM Security QRadar
I'd start with the content you are feeding QRadar with. Do you have any IPS/IDS or WAF that sends logs to QRadar? Is it configured to track for such events? There are Windows event IDs that can be used to track user account changes (4720=created, 4738=changed, 4726=deleted, 4722=enabled, ...
Posted By Dusan VIDOVIC Fri August 11, 2023 03:39 AM
Found In Egroup: IBM Security QRadar
It is hard to tell without viewing the payload. Generally, SIM Generic would appear when the ingested content is not in a form that would be recognized automatically by QRadar to create the appropriate log source. If you created a log source but logs still go to SIM Generic, then you probably used a ...
Posted By Dusan VIDOVIC Fri July 14, 2023 04:33 AM
Found In Egroup: IBM Security QRadar
So, you do not want to trigger if a user account was enabled in short period of time after that user account was created ... Can't something like this be used for exclusion? AND NOT when these rules match at least this many times in this many minutes after any of these rules match with the same event ...
Posted By Dusan VIDOVIC Fri June 16, 2023 11:30 AM
Found In Egroup: IBM Security QRadar
The part you mentioned about counting the servers is true. All servers (physical or virtual, no matter what the underlying infrastructure or OS is), as well as Kubernetes nodes, should be accounted for; switches, firewalls, client machines ... as far as I am aware are NOT counted. This sum is then mapped to ...