IBM Security QRadar

  • 1.  No Proper Events Logging For An Offense

    Posted Thu March 09, 2023 07:13 AM

    Hi,

    I am not receiving proper events for an offense from Linux logs.  

    The offense is being triggered by the event below

    <86>Mar  9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]

    But the proper event is

    <86>Mar  9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 10.x.x.71 port 12776

    Offense Events:

    Both source and destination are the same

    <86>Mar  9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]

    Search events:

    <86>Mar  9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 10.x.x.71 port 12776

    I can see both events in the search, but it does not capture them as events in the offense.

    How can I tune this to get the exact event for the alert? Could anyone please assist in getting this issue resolved.

    Thanks



    ------------------------------
    Arunkumar R
    ------------------------------
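
    As an added example, not code from the thread or from IBM, the following Python parser separates the two sshd "invalid user" message variants quoted in the post. It shows that the `input_userauth_request ... [preauth]` line carries only the username, while the `Invalid user ... from <ip> port <port>` line is the one with source address and port, which is the property a rule test or search filter would need to select on. The sample lines are constructed from the post (host, PID and the masked IP are placeholders as given there).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the shape of the sshd messages from the post
# (hostname, PID and the masked IP are placeholders, not real data).
SAMPLE_LINES = [
    "<86>Mar  9 15:32:49 abcd sshd[27574]: input_userauth_request: invalid user ${jndi [preauth]",
    "<86>Mar  9 15:32:49 abcd sshd[27574]: Invalid user ${jndi from 10.x.x.71 port 12776",
    "<86>Mar  9 15:33:01 abcd sshd[27580]: Accepted publickey for ops from 10.0.0.5 port 40222 ssh2",
]

# Syslog envelope: <PRI>Mon dd HH:MM:SS host prog[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Variant 1: pre-auth notice, carries only the username (no source address).
PREAUTH_RE = re.compile(r"^input_userauth_request: invalid user (?P<user>.*?) \[preauth\]$")
# Variant 2: the message that carries source IP and port.
INVALID_FROM_RE = re.compile(r"^Invalid user (?P<user>.*?) from (?P<src>\S+) port (?P<port>\d+)$")


@dataclass
class InvalidUserEvent:
    host: str
    pid: int
    user: str
    src_ip: Optional[str]    # None for the [preauth] variant
    src_port: Optional[int]  # None for the [preauth] variant
    has_network_context: bool


def parse_invalid_user(line: str) -> Optional[InvalidUserEvent]:
    """Normalise either sshd 'invalid user' variant; return None for other lines."""
    env = SYSLOG_RE.match(line)
    if not env or env["prog"] != "sshd":
        return None
    msg = env["msg"]
    m = INVALID_FROM_RE.match(msg)
    if m:
        return InvalidUserEvent(env["host"], int(env["pid"]), m["user"], m["src"], int(m["port"]), True)
    m = PREAUTH_RE.match(msg)
    if m:
        return InvalidUserEvent(env["host"], int(env["pid"]), m["user"], None, None, False)
    return None


def select_for_offense(lines: List[str]) -> List[InvalidUserEvent]:
    """Keep only invalid-user events that carry a source address: the property a
    rule test should key on so the offense is built from the informative line."""
    events = [e for e in map(parse_invalid_user, lines) if e is not None]
    return [e for e in events if e.has_network_context]
```

    Run over real sshd syslog lines, `select_for_offense` returns only the events a rule condition such as "payload contains ' from ' and ' port '" would match, which is the filter the preauth line fails.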


  • 2.  RE: No Proper Events Logging For An Offense

    Posted Mon March 13, 2023 11:28 PM


    ------------------------------
    Prabir Meher
    ------------------------------



  • 3.  RE: No Proper Events Logging For An Offense

    Posted Thu March 16, 2023 04:23 AM

    Hi Prabir,

    Thanks for the response.  But the provided link has a different issue not mine.



    ------------------------------
    Arunkumar R
    ------------------------------



  • 4.  RE: No Proper Events Logging For An Offense

    Posted Fri May 26, 2023 09:02 AM

    We have 7.5 UP5 and it is still not fixed. According to support it should be fixed in UP6.
    Jan



    ------------------------------
    Jan Luptak
    ------------------------------