IBM Security QRadar

  • 1.  Rule not removing entries from reference set

    Posted Mon April 18, 2022 09:01 AM

    Hello,

    I have to filter out which machines in my working environment don't have antivirus installed. So I made a rule that first populates a reference set with machines that talked to our domain controller (I am only interested in machines that are actually in use). I left that rule active for almost three weeks. Then I disabled that rule and made a new one which states that if a machine talked to our AV server (AV agents are configured to report to the server every three minutes), that machine is removed from the reference set. I left that rule working for 3+ weeks, then I checked the results. Barely any machines got removed from the reference set; it is sitting at 3.1k+ entries (there is no way that many machines don't have antivirus).

    Any idea what I am doing wrong? Below are the pictures of the first rule that I used to populate the reference set (log sources are our domain controllers), the second rule to remove from the set... and the results. Thanks in advance!

    ------------------------------
    Nikola Nikolić
    ------------------------------


  • 2.  RE: Rule not removing entries from reference set

    IBM Champion
    Posted Wed April 20, 2022 06:08 AM
    Nikola,
    formally this looks ok, but there are a few things that come to my mind. 1st of all: 7 weeks of testing, that's a long time! You should see the effect of your rules after 30 minutes at the latest, right? I wouldn't work on a single refset. Pls detect your active machines 1st and export them after 24h. Then you import those IP addresses to your 2nd refset and remove all those not needed by your 2nd rule. This has the advantage that you can restart the process any time, use TTL based refsets and do not have to enable/disable any rules. Most of the machines should have been removed after 24h. Pls also make sure your refsets use IP type content. Another good practice is to check refset entries for unique values before adding data. In order to track what's happening you should create metaevents in your rules. Pls see my examples below.

    Good Luck

    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------
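An added example (not from this thread and not IBM's tooling) of the two-refset workflow described in the reply above: deduplicate and validate the exported active-machine list, subtract the hosts seen reporting to the AV server, and prepare the REST call that loads the remainder into a second reference set. The one-column CSV layout, the console name, the API token and the set name are assumed placeholders; the request is built but never sent.

```python
import csv
import io
import ipaddress
import json
import urllib.request

# Constructed sample exports (not real data). ACTIVE_HOSTS_CSV stands for the
# refset of machines that talked to the domain controller; AV_REPORTERS_CSV for
# the hosts that reported to the AV server in the last 24h. A single "value"
# column is assumed.
ACTIVE_HOSTS_CSV = """value
10.0.1.10
10.0.1.11
10.0.1.11
10.0.1.12
not-an-ip
10.0.2.5
"""
AV_REPORTERS_CSV = """value
10.0.1.10
10.0.2.5
"""


def load_ip_set(csv_text: str) -> set:
    """Return the unique, syntactically valid IPs from an export
    (the 'IP type content, unique values' practice)."""
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ips.add(str(ipaddress.ip_address(row["value"].strip())))
        except ValueError:
            continue  # malformed entry: skip rather than pollute the set
    return ips


def hosts_without_av(active_csv: str, av_csv: str) -> list:
    """Active hosts that never reported to the AV server, sorted by address."""
    missing = load_ip_set(active_csv) - load_ip_set(av_csv)
    return sorted(missing, key=ipaddress.ip_address)


def bulk_load_request(console: str, token: str, refset: str, ips) -> urllib.request.Request:
    """Build (not send) the QRadar bulk_load call for the 2nd refset.
    'console', 'token' and 'refset' are placeholders."""
    url = f"https://{console}/api/reference_data/sets/bulk_load/{refset}"
    headers = {"SEC": token, "Content-Type": "application/json", "Accept": "application/json"}
    return urllib.request.Request(url, data=json.dumps(list(ips)).encode(), method="POST", headers=headers)


if __name__ == "__main__":
    missing = hosts_without_av(ACTIVE_HOSTS_CSV, AV_REPORTERS_CSV)
    print(missing)  # ['10.0.1.11', '10.0.1.12']
    req = bulk_load_request("qradar.example", "<API-TOKEN>", "Hosts_Without_AV", missing)
    print(req.get_method(), req.full_url)
```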



  • 3.  RE: Rule not removing entries from reference set

    Posted Wed April 20, 2022 10:50 AM
    Hello Karl,

    thank you for your reply. The reason I left those rules active for that long was to "catch" workstations of colleagues that were away at that time; I wanted to catch them all. That's also the reason I didn't use a TTL in the refset: I was afraid entries would be removed before the 2nd rule had time to check them. I did use IP as the value type.
    That said, I will definitely try your approach. It looks good; it didn't occur to me to try to use meta-events and the unique value check.

    Thank you for the advice.

    ------------------------------
    Nikola Nikolić
    ------------------------------