I've tried this, but it does not seem to be working.
Original Message:
Sent: Fri December 25, 2020 01:35 AM
From: Caglar Durmaz
Subject: Microsoft Exchange Audit and Admin Logs
Hi Ahmed;
First
1- Build your own DSM named Exchange Audit
2- Bind WinCollect as a protocol for this source
3- Add XPATH Query; Path can be changeable according to your own path.
<QueryList>
<Query Id="0" Path="MSExchange Management">
<Select Path="MSExchange Management">*</Select>
</Query>
</QueryList>
------------------------------
Caglar Durmaz
Original Message:
Sent: Thu December 24, 2020 10:07 AM
From: Dusan VIDOVIC
Subject: Microsoft Exchange Audit and Admin Logs
I think I noticed, while searching, mentions of PowerShell scripts for the purpose of exporting Exchange audit logs/data. Maybe it could be viable to get a text/csv/xml this way and then you can pick it up and create your own parsing.
------------------------------
Dusan VIDOVIC
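An added example, not part of the thread or any poster's own script, of the kind of export described in the message above: it reads the administrator audit log with the Search-AdminAuditLog cmdlet and appends one JSON line per entry to a file that a log source can pick up. The file paths, the output field names and the 24-hour first-run window are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell with rights to Search-AdminAuditLog.
# Assumed paths and output field names; adjust to your environment.
$ErrorActionPreference = 'Stop'
$StateFile = 'C:\ExchangeAudit\last_run.txt'
$OutFile   = 'C:\ExchangeAudit\admin_audit.jsonl'

# Resume where the previous run stopped; on the first run look back 24 hours.
$end   = Get-Date
$start = $end.AddHours(-24)
if (Test-Path $StateFile) {
    $saved = (Get-Content $StateFile -Raw).Trim()
    $start = [datetime]::Parse($saved, [cultureinfo]::InvariantCulture)
}

# Raise -ResultSize if one window can hold more entries than this (default is 1000).
$entries = @(Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize 5000)

$lines = foreach ($e in ($entries | Sort-Object RunDate)) {
    # Flatten the parameter collection to "Name=Value" pairs for easy parsing.
    $params = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    [pscustomobject]@{
        RunDate        = $e.RunDate.ToString('o')
        Caller         = $e.Caller
        Cmdlet         = $e.CmdletName
        Parameters     = $params
        ObjectModified = $e.ObjectModified
        Succeeded      = $e.Succeeded
        Error          = $e.Error
        Server         = $e.OriginatingServer
    } | ConvertTo-Json -Compress
}

if ($lines) { Add-Content -Path $OutFile -Value $lines -Encoding UTF8 }

# Advance the checkpoint only after the write succeeded.
Set-Content -Path $StateFile -Value $end.ToString('o')
```

Scheduled at a fixed interval, each run covers the window since the previous one, so the output file can be treated as an append-only event feed.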
Original Message:
Sent: Tue December 22, 2020 05:46 PM
From: Ahmed Elsayed
Subject: Microsoft Exchange Audit and Admin Logs
Hi Karl,
Thank you for your reply.
I am talking about Microsoft Exchange Server administrator audit logs. These logs are stored locally in a mailbox within the application itself and are only accessible through cmdlets. There is software (like LOGbinder for Exchange) that pulls the logs from the mailbox, parses them and forwards them to QRadar.
The problem is that this software isn't free to use. I was thinking of extracting the logs and pulling them from QRadar, but I am not sure if this is the most suitable way to proceed with that.
Thanks
------------------------------
Ahmed Elsayed
Original Message:
Sent: Tue December 22, 2020 02:02 PM
From: karl jaeger
Subject: Microsoft Exchange Audit and Admin Logs
Ahmed
Very generic question. What about using WinCollect? Please outline how far you got with onboarding your Windows log source.
BR, Karl
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
Original Message:
Sent: Tue December 22, 2020 10:00 AM
From: Ahmed Elsayed
Subject: Microsoft Exchange Audit and Admin Logs
Hello all,
I am having problems pulling the audit and admin logs of Exchange. Does anyone know how to proceed with such an integration?
Best Regards,
Ahmed Elsayed
SIOC Analyst MEA
IBM Egypt