IBM Security QRadar

  • 1.  How to monitor Linux and macOS

    Posted Wed March 15, 2023 07:46 AM

    Hi folks,

    How do I monitor Linux and macOS in QRadar? Is it possible, and can it create offenses?



    ------------------------------
    joel s
    ------------------------------


  • 2.  RE: How to monitor Linux and macOS

    IBM Champion
    Posted Wed March 15, 2023 12:02 PM

    Hi Joel,

    Linux OS and Mac OS are both listed as standard log source types, so why not use them? Just create a manual log source when it is not automatically detected by QRadar. If certain events are not mapped, please see my discussion post entry on the DSM editor from a few minutes ago. Offenses are created according to the policies you have enabled. Please watch Policy 101 to learn how to create one specific to your needs, or look up my Fast Track to Self Defense blog entry.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: How to monitor Linux and macOS

    Posted Thu March 16, 2023 05:23 AM

    Hi Karl,

    Thanks for the valuable information. I will follow your suggestion.



    ------------------------------
    joel s
    ------------------------------



  • 4.  RE: How to monitor Linux and macOS

    Posted Thu March 16, 2023 05:33 AM

    Hi,

    I have one doubt. I am trying not to put any restrictions on our employees, but I want to monitor everything they do, such as which sites they are accessing, what kind of exe files they run, whatever it is. Is there any possibility of doing this in QRadar? If it is possible, please tell me.

    Thanks,

    Joel



    ------------------------------
    joel s
    ------------------------------



  • 5.  RE: How to monitor Linux and macOS

    IBM Champion
    Posted Thu March 16, 2023 08:13 AM

    Joel,

    For "deep auditing" you will not only have to enable all syslog or rsyslog levels (*.*) in the config file, but you will also need additional agents and daemons. The best approach is auditd; there is lots of info out there on monitoring OS activities, depending on your distribution, e.g. https://www.redhat.com/sysadmin/configure-linux-auditing-auditd for RH.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
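    As an added example (not from this thread, and not IBM's or pro4bizz's code), a small POSIX shell script that generates the two pieces of configuration Karl points to: an rsyslog rule forwarding every facility and priority (`*.*`) to the QRadar event collector, and a baseline auditd rule set so that file changes and process launches are recorded. The QRadar hostname, the file paths and the rule selection are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example: build the rsyslog forwarder rule (*.*) and a baseline
# auditd rule file for a Linux host that reports to QRadar.
# QRADAR_HOST is an assumed placeholder, not a value from the thread.
QRADAR_HOST="${QRADAR_HOST:-qradar.example.internal}"

# rsyslog: forward all facilities and priorities over TCP (omfwd) to the
# collector. The disk-assisted queue keeps events if QRadar is unreachable
# and resumeRetryCount=-1 retries forever instead of dropping them.
rsyslog_forward_conf() {
  cat <<EOF
# Forward every facility/priority (*.*) to QRadar
*.* action(type="omfwd" target="$QRADAR_HOST" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="qradar_fwd"
           action.resumeRetryCount="-1")
EOF
}

# auditd: watch identity and sudo configuration for writes/attribute changes
# and log every execve, so process launches reach the Linux OS DSM rules.
# The -k keys stay attached to each event and are searchable after parsing.
audit_rules() {
  cat <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
EOF
}

# Number of rule lines in the generated set (sanity check before loading).
count_rules() { audit_rules | grep -c '^-'; }

# Installs both files and reloads the daemons. Requires root. auditd writes
# to /var/log/audit/audit.log by itself; also enable the audisp syslog plugin
# (plugins.d/syslog.conf, active = yes; path varies by version) so the audit
# events pass through rsyslog and the *.* rule above.
install_all() {
  rsyslog_forward_conf > /etc/rsyslog.d/90-qradar.conf
  audit_rules > /etc/audit/rules.d/qradar.rules
  augenrules --load && systemctl restart rsyslog
}
```

    Run `install_all` as root on the monitored host; `count_rules` and `rsyslog_forward_conf` are safe to call unprivileged to inspect what would be written.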



  • 6.  RE: How to monitor Linux and macOS

    Posted Thu March 16, 2023 10:10 AM

    Hi Joel

    My first advice would be to look at the Endpoint content extension on the App Exchange. It contains a lot of rules to monitor Linux devices, and the rules can easily be adapted to Mac environments. The description points to a few blog posts that can be helpful to understand the use cases and the mindset behind the rules. The documentation includes the steps to configure the Linux machines to generate the logs necessary to trigger the rules.

    The Endpoint content extension is made to work with the Linux Custom Properties content extension. I recommend taking it as a base to create the Mac CEPs, so they will work with less effort with the Endpoint rules.

    I hope this helps.



    ------------------------------
    Gladys Koskas
    ------------------------------