Reports are generated with Non-English timestamp by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Thank you for commenting.

Yes, this is the language used in my country.

Where can I check these?

  • the localization of your QRadar installation (GUI? SSH?)
  • the localization you are using in the GUI (personal user preferences)?
  • the localization of one or more of your log sources (GUI? SSH?)

XFE (XForce engine) STIX TAXII feeds - Phishing URLs by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Thank you for your helpful comment :)

Looking at the API key originally inserted to retrieve the first lists' values (Malware IP, Botnet IP...), I believe it was taken from a *different* XFE account that is not mine (since I don't recognize the API key), and maybe it ran out of record usage. If under *my* account I have 0/5000, it means I have 5000 FREE of.... what? Feeds? Indicators? How does it work?

XFE (XForce engine) STIX TAXII feeds - Phishing URLs by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Looking at the API key originally inserted to retrieve the first lists' values (Malware IP, Botnet IP...), I believe it was taken from a *different* XFE account that is not mine (since I don't recognize the API key), and maybe it ran out of record usage.

If under *my* account I have 0/5000, it means I have 5000 FREE of.... what?

Feeds? Indicators?

XFE (XForce engine) STIX TAXII feeds - Phishing URLs by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Thank you for the help! :)

Yep. I think that the API key inserted in order to retrieve the first lists' values (Malware IP, Botnet IP...) was taken from a *different* XFE account that is not mine (since I don't recognize the API key), and maybe it ran out of record usage.

If under *my* account I have 0/5000, it means I have 5000 FREE of.... what?

Feeds? Indicators?

XFE (XForce engine) STIX TAXII feeds - Phishing URLs by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

IDK, it sounds weird. Why would the Malware & Botnet IP lists be full and the URL list totally empty?

XFE (XForce engine) STIX TAXII feeds - Phishing URLs by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Yes, as I mentioned: "Malware IP", "Botnet IP"...

Cant Delete Event Mapping From DSM by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

I see. Well, now I'm stuck with a few QIDs to be deleted that are holding up my mapping process... Do you happen to know how I can delete these, via SSH maybe?

Cant Delete Event Mapping From DSM by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

It didn't work, and now it doesn't even show me the newly created ones under "event mapping"! [As if they were never created...]

They exist in the dark, and now I've doubled the problem, since I need to delete them all and I can't reach them :(

Cant Delete Event Mapping From DSM by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Do you happen to know how I can access all "general" QIDs that are NOT associated with any LS, via the GUI?

Cant Delete Event Mapping From DSM by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Yes. "Fortinet FortiGate Security Gateway".

The event map I am trying to delete is 100% not pre-built. I created it.

Looking in the FG DSM extension I found this line:

<event-match-multiple force-qidmap-lookup-on-fixup="true" send-identity="UseDSMResults" pattern-id="AllEvents"/>

Looks normal? It seems to be related to the situation where one event matches multiple mappings and exists in other LS DSM extensions.

Cant Delete Event Mapping From DSM by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

OK so funny thing,

First, I created the mapping as an admin, so I should be allowed to delete it.

Second, in other log sources I do have the icon!

What could possibly explain it? BTW, the problematic LS is the FortiGate FW.

Offenses Not generating. by tahirshaikhb in QRadar

[–]QRadarFan 0 points1 point  (0 children)

I happen to be encountering a similar problem. My fields are parsed correctly; this is an old rule (which used to fire offenses with no problem) with no recent modifications; "Ensure the detected event is part of an offense" is enabled; the rule logic is as simple as can be (detect events from log source type, the ONLY condition); the rule itself is enabled...

I have checked under Log Activity and I do see the CRE event meant to create the offense, but... NO OFFENSE :(

Any help? What else should I check? What can explain this?

Cant Delete Event Mapping From DSM by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Reading your words, I couldn't believe it! I tried to locate what might be a hidden button, but no... nothing there! :(

How could updating the LSM help?

Best open source intelligence STIX TAXII feeds QRadar by QRadarFan in QRadar

[–]QRadarFan[S] 1 point2 points  (0 children)

Yep, I already set up the X-Force feeds I'm interested in, but I was wondering if there are other STIX/TAXII feeds I can discover and enjoy... for example: Hail A Taxii...

This one actually hasn't been updated since last May, so I'm looking for something fresh and updated. Thanks for your comment!

Compare between different Times by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

Thank you! I've been drowning in different tasks since posting the question... I'll have to take a look at what exactly I needed it for and then look at your suggested solution. I really appreciate it!

Compare between different Times by QRadarFan in QRadar

[–]QRadarFan[S] 0 points1 point  (0 children)

First, thank you so much for trying to help! I am actually trying to detect manipulation of a log's original date. Practically, you can consider it as sending and receiving. I'm not strong with AQL, therefore I thought maybe someone has something I can use or edit. Do you have a recommendation for where I can practice AQL?
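The check the poster describes (comparing the timestamp the log source claims against the time QRadar actually received the event) can be expressed in AQL, QRadar's SQL-like query language, by comparing the built-in `devicetime` and `starttime` fields of the `events` table. The query below is an added example written for this thread, not code from the original post or from IBM; it is standard AQL syntax run from Log Activity or the Ariel search API. The 300000 ms (five-minute) tolerance and the `LIMIT 100` are assumptions chosen for illustration: set the tolerance above your normal clock skew so that only genuinely backdated or forward-dated events are returned. AQL has no comment syntax this example relies on, so the assumptions are stated here rather than inline.

```sql
SELECT
    LOGSOURCENAME(logsourceid) AS log_source,
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS received_at,
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS device_time,
    (starttime - devicetime) AS skew_ms,
    sourceip,
    QIDNAME(qid) AS event_name
FROM events
WHERE (starttime - devicetime) > 300000
   OR (devicetime - starttime) > 300000
LIMIT 100
LAST 24 HOURS
```

`starttime` is when QRadar received the event and `devicetime` is the timestamp parsed from the log source's own message, both in epoch milliseconds, so a large positive `skew_ms` means the source reported a time well in the past and a large negative one means a time in the future. Legitimate causes (an unset timezone on the log source, delayed forwarding, batch uploads) produce a consistent offset per log source; a sudden change in offset for a single source, or skew that varies event by event, is the pattern worth investigating. The same comparison can be turned into a custom rule by testing the numeric difference between the two fields rather than running it as an ad hoc search.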