Hi Joel
My first advice would be to look at the Endpoint content extension on the App Exchange. It contains a lot of rules to monitor Linux devices, and the rules can easily be adapted to Mac environments. The description points to a few blog posts that can be helpful for understanding the use cases and the mindset behind the rules. The documentation includes the steps to configure the Linux machines to generate the logs necessary to trigger the rules.
The Endpoint content extension is made to work with the Linux Custom Properties content extension. I recommend taking it as a base for creating the Mac CEPs, so it will work with less effort with the Endpoint rules.
I hope this helps.
------------------------------
Gladys Koskas
------------------------------
Original Message:
Sent: Thu March 16, 2023 08:12 AM
From: Karl Jaeger
Subject: How to monitor Linux and macOS
Joel,
for "deep auditing" you will not only have to enable all syslog or rsyslog levels (*.*) in the config file but also need additional agents and daemons. The best approach is auditd, for which there is lots of info out there on monitoring OS activities, depending on your distribution, e.g. https://www.redhat.com/sysadmin/configure-linux-auditing-auditd for RH
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
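The auditd setup Karl points to, shown as an added example that is not part of the thread: a script that emits the audit rules for the "deep auditing" cases (every process execution, identity and privilege files, the audit configuration itself), the rsyslog stanza that forwards those events to a QRadar event collector over TCP/514, and a small check that pulls the rule key out of a constructed audit record. The collector address, the rule keys, the syslog facility and the sample record are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): generate the auditd rules and the
# rsyslog forwarding stanza needed to ship Linux audit events to a QRadar
# event collector. The QRadar address, the rule keys, the syslog facility
# and the sample log line below are assumptions for illustration.

QRADAR_IP="${QRADAR_IP:-192.0.2.10}"   # assumed collector address (RFC 5737 range)

# Audit rules covering the "deep auditing" cases: every process execution,
# changes to identity/privilege files, and tampering with audit itself.
# Drop the output into /etc/audit/rules.d/qradar.rules and run
# "augenrules --load" (or "auditctl -R" on older systems).
audit_rules() {
    cat <<'EOF'
## Flush existing rules, size the kernel buffer, log (not panic) on failure
-D
-b 8192
-f 1

## Every execve on both ABIs, tagged so QRadar searches can key on it
-a always,exit -F arch=b64 -S execve -k process_exec
-a always,exit -F arch=b32 -S execve -k process_exec

## Identity and privilege files (write and attribute changes)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege

## The audit configuration and log directory themselves
-w /etc/audit/ -p wa -k audit_config
-w /var/log/audit/ -p rwa -k audit_log

## Lock the rules until reboot; this must be the last line
-e 2
EOF
}

# rsyslog stanza forwarding the facility the audispd syslog plugin writes to,
# over TCP/514 (the QRadar "Syslog" protocol). The plugin is enabled in
# /etc/audit/plugins.d/syslog.conf with "active = yes" and
# "args = LOG_INFO LOG_LOCAL6" (LOG_LOCAL6 is the assumed facility here).
rsyslog_forward_conf() {
    cat <<EOF
# /etc/rsyslog.d/90-qradar.conf
local6.* @@${QRADAR_IP}:514
EOF
}

# Extract the rule key from one audit record on stdin; the key is what lets
# the QRadar side tell an execve hit from a sudoers write.
audit_key() {
    sed -n 's/.* key="\([^"]*\)".*/\1/p'
}

# Constructed sample SYSCALL record (not real data) of the kind the execve
# rule produces; syscall 59 is execve on x86_64.
SAMPLE_LINE='type=SYSCALL msg=audit(1678963200.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1337 auid=1000 uid=0 gid=0 euid=0 comm="curl" exe="/usr/bin/curl" key="process_exec"'

# Stand-alone usage: "sh audit_to_qradar.sh show" prints both config files
# and the key extracted from the sample record.
if [ "${1:-}" = "show" ]; then
    audit_rules
    rsyslog_forward_conf
    printf '%s\n' "$SAMPLE_LINE" | audit_key
fi
```

Two practical caveats: `-e 2` makes the rule set immutable until reboot, so keep it out while you are still tuning; and an `execve` rule on a busy host generates a lot of records, so size the QRadar EPS licence and the `-b` buffer accordingly, or restrict the rule with `-F auid>=1000 -F auid!=unset` to interactive users only.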
Original Message:
Sent: Thu March 16, 2023 05:32 AM
From: joel s
Subject: How to monitor Linux and macOS
Hi,
I have one doubt. I am trying to place no restrictions on our employees, but I want to monitor everything our employees do, like what sites they are accessing, what kind of exe files, whatever it is. Is there any possibility in QRadar? If it is possible, please tell me.
Thanks,
Joel
------------------------------
joel s
Original Message:
Sent: Wed March 15, 2023 12:01 PM
From: Karl Jaeger
Subject: How to monitor Linux and macOS
Hi Joel,
Linux OS and Mac OS are both listed as standard log source types, so why not use them? Just create a manual log source when it is not automatically detected by QRadar. If certain events are not mapped, please see my discussion post entry on the DSM editor from a few minutes ago. Offenses are created depending on the policies you have enabled. Please watch Policy 101 to learn how to create one specific to your needs, or look up my "fast track to self defense" blog entry.
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
Original Message:
Sent: Wed March 15, 2023 07:45 AM
From: joel s
Subject: How to monitor Linux and macOS
Hi folks,
How do I monitor Linux and macOS in QRadar? Is it possible, and can it create offenses?
------------------------------
joel s
------------------------------