IBM Security QRadar

  • 1.  DO I NEED DOMAIN ADMIN?

    Posted Wed November 23, 2022 07:47 AM
    Hello,

    I want to ask you something. Is it necessary to have a domain admin user for IBM QRadar? So, is there such a need?

    Thank you,
    Kind Regards.



    ------------------------------
    Fatih R
    ------------------------------


  • 2.  RE: DO I NEED DOMAIN ADMIN?

    Posted Thu November 24, 2022 04:28 AM
    I think you should define the question a bit better. QRadar by default uses local authentication (locally defined users and roles). If you are referring to using Active Directory as LDAP for authentication, then when you are using authenticated bind you need a user that can read the LDAP directory. Instructions on how to configure LDAP authentication can be found in IBM's documentation. You can, for example, opt to use group-based authentication and allow/deny groups of users per defined roles and security profiles (I recall there were some examples of that on YouTube etc.).

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: DO I NEED DOMAIN ADMIN?

    Posted Thu November 24, 2022 03:55 PM
    You do not need Domain Admin rights and should never monitor anything within an enterprise using such a level of access. Windows permission architecture should have specific service accounts with appropriate permissions where auth is necessary, such as LDAP read (which any authenticated user in a Windows domain can actually do) or any sort of active retrieval requiring authentication.

    DA is not needed for LDAP auth to QRadar either; access should be handled by an AD group.




  • 4.  RE: DO I NEED DOMAIN ADMIN?

    Posted Thu December 15, 2022 03:17 PM
    I understand, but our SIEM admins always want domain admin; they log in using this. Is there any logic to this?

    ------------------------------
    Fatih R
    ------------------------------



  • 5.  RE: DO I NEED DOMAIN ADMIN?

    Posted Thu December 15, 2022 03:23 PM
    User logins for QRadar linked to LDAP do not require domain admin level permissions. Using service accounts with domain admin level privileges to retrieve logs is a substantial increase in risk posture.

    For retrieving Windows logs, WinCollect and/or WEF are more manageable and scalable solutions for retrieving Windows logs without requiring individual log sources to use authentication.




  • 6.  RE: DO I NEED DOMAIN ADMIN?

    Posted Fri December 16, 2022 11:56 AM
    I understand, so let me ask the question differently. The SIEM administrators say we need a domain admin, and I ask why; they say we cannot collect logs without a domain admin. I am trying to understand this: is there such a thing? For example, if there is no domain admin when adding the log source, will some logs not come? Is there such a thing? So, is this information correct?

    ------------------------------
    Fatih R
    ------------------------------



  • 7.  RE: DO I NEED DOMAIN ADMIN?

    Posted Sat December 17, 2022 02:49 AM

    To collect logs from Windows systems (if that is the question), it should not be necessary to use domain admin accounts. The user account used to collect logs from the system should be a member of the Event Log Readers group (as is stated in the documentation, and tested). I recall having some problems with Windows 2003 (but I guess this is not the case here, or you have a whole different issue using an obsolete, unsupported OS).



    ------------------------------
    Dusan VIDOVIC
    ------------------------------
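
The thread's recommendation (replies 3, 5 and 7) is a dedicated service account that is a member of Event Log Readers and nothing more. The following PowerShell is an added example, not code from the thread, from IBM or from the QRadar documentation: it provisions such an account, grants the group membership on a domain controller and on a member server, proves the account holds no privileged group membership (including nested membership), and confirms it can read the Security log remotely. The domain `corp.example`, NetBIOS name `CORP`, account `svc-qradar-wincollect` and host `SRV01` are hypothetical; the RSAT ActiveDirectory module and the "Remote Event Log Management" firewall rule on the target are assumed.

```powershell
#Requires -Modules ActiveDirectory
# Added example: least-privilege Windows log collection account for a SIEM.
# Every name below is hypothetical; adjust to your environment.

$Account    = 'svc-qradar-wincollect'      # hypothetical service account
$Domain     = 'corp.example'               # hypothetical AD DNS name
$NetBIOS    = 'CORP'                       # hypothetical AD NetBIOS name
$TargetHost = 'SRV01.corp.example'         # hypothetical member server to poll

# 1. Create the account if it does not exist. A group Managed Service Account
#    (gMSA) is preferable in production because its password rotates itself;
#    a plain user with a long, prompted password is used here for simplicity.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    $pw = Read-Host -Prompt "Password for $Account" -AsSecureString
    New-ADUser -Name $Account -SamAccountName $Account `
        -UserPrincipalName "$Account@$Domain" -AccountPassword $pw `
        -Enabled $true -CannotChangePassword $true `
        -Description 'SIEM log collection, read-only (Event Log Readers only)'
}
$user = Get-ADUser -Identity $Account

# 2. Event Log Readers is a local group on every Windows host. The copy in
#    the domain's Builtin container governs domain controllers; member
#    servers need their own local group populated (here per host via WinRM;
#    at scale use a Group Policy Restricted Groups / Group Membership setting).
Add-ADGroupMember -Identity 'Event Log Readers' -Members $user
Invoke-Command -ComputerName $TargetHost -ScriptBlock {
    $member = "$using:NetBIOS\$using:Account"
    if (-not (Get-LocalGroupMember -Group 'Event Log Readers' -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Event Log Readers' -Member $member
    }
}

# 3. Guardrail: the account must not be in any privileged group, directly or
#    through nesting. LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941)
#    expands nested membership server-side, which Get-ADPrincipalGroupMembership
#    (direct membership only) would miss.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators', 'Server Operators',
                'Backup Operators', 'Print Operators')
$allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
             Select-Object -ExpandProperty Name
$hits = $allGroups | Where-Object { $_ -in $privileged }
if ($hits) {
    throw "$Account holds privileged membership ($($hits -join ', ')); remove it before use."
}
Write-Host "$Account effective groups: $($allGroups -join ', ')"

# 4. Prove the account can read the Security log remotely with nothing more
#    than Event Log Readers. Get-WinEvent -ComputerName uses the RPC event log
#    interface, so the target's 'Remote Event Log Management' firewall rule
#    must be enabled. An access-denied error here means the local group was
#    not applied (or the logon session predates the membership change).
$cred = Get-Credential -UserName "$NetBIOS\$Account" -Message 'Collection account password'
$sample = Get-WinEvent -ComputerName $TargetHost -Credential $cred `
          -LogName Security -MaxEvents 5 -ErrorAction Stop
$sample | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
Write-Host "Read $($sample.Count) Security events from $TargetHost as $Account (no Domain Admin required)."
```

If step 4 fails with access denied even though the group membership is in place, the usual causes are a cached logon token (reconnect so the new group SID is in the token) or the firewall rule, not a missing Domain Admin right; granting Domain Admin to make the error go away is exactly the anti-pattern the replies above warn against. For domain controllers, only the domain-level Event Log Readers membership from step 2 is needed.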