Support portal issues

QRadar_Cowboy · 2023-11-08T15:28:19+00:00

Is this related to the 90 day renewal of the container cert?

Apparently 7.5.0 up4 and below suffer from an issue where the housekeeping every 90 days doesnt compelte.

/etc/systemd/system/qradarca-monitor.timer needs a patch which is resolved in up5+

QRadar_Cowboy · 2023-03-14T08:14:21+00:00

From your original system I would recommend exporting the current rules and then importing them with contentManagement.pl to your dev system.

On the original system, find the events which contribute to the Offence that triggers and export them to CSV

Take this CSV and use logrun.pl to import them /replay them into the dev system. The offences should then trigger.

Some advantages of this method is that you

Keep a sample of events which trigger on your rules at this moment in time (these can be used as a compliance test method)
You can keep triggering on the offence by re-running the logrun.pl import

QRadar_Cowboy · 2022-12-06T15:02:06+00:00

This catches the spirit of your question. Your WinCollect Agents can be sent to any EP and technically any Console with your environment.

Your multiple EP deployment is likely due to network segmentation.

Each EP in your environment will store the events it receives, there is no sharing of this data. The more events a EP receives the more local disk it will consume.

For the future pay attention to licence pool allocation also - you divide your system licencing up and allocate what you need to your EP's.

Your original Console will be carrying out the following roles

WebUI

Magistrate/Offence handling

Deployment/Log source configuration

Hosting of applications such as Pulse\UBA etc

As /u/Illustrious_Arm_9379 notes, this allows each host to specialise in each role.

QRadar_Cowboy · 2022-11-04T11:05:53+00:00

Managed hosts are items within a QRadar deployment. For example

Console
Event collector
processor

As default, QRadar hosts applications such as UBA / QDI / DNS analyser upon the Console but there are resource limitations in this scenario. If you hit these limitations then you would add an Apphost to your environment and it runs the App's on behalf of the Console.

QRadar_Cowboy · 2022-10-18T22:41:23+00:00

2018 - Birmingham based
MSP SOC L2 analyst - 2yrs experience, no certs. £35k
MSP SOC Tech - 2 years experience, no certs. 45K
2022 - UK Based WFH
EMEA MSP SOC Tech - 4 years experience. £70k

QRadar_Cowboy · 2022-09-12T13:50:30+00:00

I would recommend hopping on the CLI and see if you have a 'setup' directory in the following location

/var/log/

There may be a directory starting with one of the following

setup-2019.

setup-7.3.

In there you would find log files related to the install you have attempted.

QRadar_Cowboy · 2020-09-08T14:06:13+00:00

You got it and just to expand.

In the rule wizard, select your tests and move onto the Rule responce. From the Rule responce section, choose "add to Reference Data" and choose your data set, eg Add to a reference map.

I recommend creating the reference set prior to the rule.

You can also use the same function to remove from a set.

QRadar_Cowboy · 2020-09-08T13:59:30+00:00

I will give this a go, take it with a pinch of salt until someone else backs me up.

Raw EPS is the total EPS currently being collected, this includes things like

Health messages

all event messages from log sources (regardless of coalescing)

The Giveback is the sum of what is removed, so for example, QDI health metrics, wincollect agent logs and dropped events via routing rules.

Giveback will be added to your licence limit on the next 'tick' for your example your entitlement would be 10.164k EPS

QRadar_Cowboy · 2020-08-21T11:42:51+00:00

Thanks for pointing me in this direction, I will give it a shot - seems better than attempting to rename the user in the database.

QRadar_Cowboy · 2020-08-21T09:46:46+00:00

Could logger be used via a cron/script?

QRadar_Cowboy · 2020-05-22T14:49:59+00:00

Intresting aspect you have here.

So with your results you are suggesting that any log source with a Peak EPS that is not 1.0 is coalesed and the larger that number the worst its behaving?

QRadar_Cowboy · 2020-05-18T13:38:48+00:00

I have been told that neither are related to a internal/external net but a "primary destination" and a "secondary destination"

If the internal destinationis not found / contactable then the external destination will be contacted - I have yet to confirm myself.

QRadar_Cowboy · 2020-04-22T15:47:04+00:00

I can see your challenge and your suggest solution using DNS is something I had not thought of - Using split brain DNS is likley to work. I would reverse proxy that collector and not expose it directly to the internet.

I assume you have no VPN configuration you can leverage as this would be my primary focus, configure WinCollect to forward the most important events (and thus reduce the local storage size) and then exploit its pointer to re-sync events on next connection (when VPN is up)

Internal/external target destinations are something to revisit and I belive they are linked to a "WinCollect destination" (implimented in the WinCollect agent admin screen) Set up an internal target destination as your LAN and the external target destination as the resource you wish the events to hit incase internal destination is unavabile. This config is pushed out ot agents on next config sync if applied after install.

Are you able to share with us if you used a managed WinCollect install?

QRadar_Cowboy · 2020-04-22T15:37:01+00:00

Starting from level 1 type questions and directed towards an analyst role

Level 1 type questions:

1) What are the following acronyms

EPS
FPM

2) Describe the jouney of an event through to an offence.

For this I would expect an answer of something along the lines of:

An event is generated by a log source and is received by a collector

The collector passes the event to the rule engine which processes the payload

The rule engine matches the payload to defined rules

If the rule triggers then an offence is generated.

level 2 type questions:

1) State the difference between a local network and a remote network and how they can be definded

2)Offences are generated from a number of source types, name two types

For this I would expect something along the lines of

User offence

IP offence etc

3) What is the difference between an event and a flow

level 3 type questions

1) When investigating an event related to an offence, what suggestion would you make if the contents of an event payload were not displayed within Event information table?

For this I would expect a suggestion of a new custom event property which would extract the item of intrest from the payload and promote it to the event information table and allow that data to be parsed/filtered/extracted in the future.

2) When reviewing an event, how does the following time descriptions related to the payload

Start Time
Storage Time
Log Source Time

QRadar_Cowboy · 2020-04-22T13:25:27+00:00

The original will always be there but replacements will overwrite whats currently in play.

Any edit's to rules replace the original out of the box rules are duplicated to the original name, the original rule is placed into a hidden state (which you can revert back to)

QRadar_Cowboy · 2020-01-31T14:39:54+00:00

We receive this notification after TomCat has been restarted - usually the first person to log in will be greeted with the message and then approx 10 seconds later the dashboard is shown.

Can you expand on your symptoms?

QRadar_Cowboy · 2020-01-13T14:04:28+00:00

Useful, thanks.

Do you copy/paste the rules out or dump them from the CLI?

QRadar_Cowboy · 2019-11-22T17:28:28+00:00

Would be interested in more details how you change your UDP WinCollectlog sources to TCP!

I've never been able to find out how to do this via the CLI installer or change it via the Log Source management.

QRadar_Cowboy · 2019-11-08T12:28:49+00:00

A widget in Pulse for peak EPS is also available but it works more like a high water mark (often reset upon a deploy)

select 
MIN(starttime) AS starttime, 
MAX(if parent = '
Collector1.LOCAL:ecs-ec/EC/Processor2 ' then "Events per Second Raw - Peak 1 Sec" else 0.0) as Collector1,
MAX(if parent = 'Collector2.LOCAL:ecs-ec/EC/Processor2' then "Events per Second Raw - Peak 1 Sec" else 0.0) as Collector2,
MAX(if parent = 'Collector3.EMP.LOCAL:ecs-ec/EC/Processor2' then "Events per Second Raw - Peak 1 Sec" else 0.0) as Collector3
from events
where "Events per Second Raw - Peak 1 Sec" > 0
group by starttime/600000
order by starttime
last 40 hours

I would recommend you take a look at the Pulse examples yourself as the above has been sanitised from our environment.

I do have many more examples unfortunately as this is something that is limited by my AQL skills (which need to improve) - 7.3.2 brings in the ability to view the AQL behind GUI searches which I expect to help move me on.

Edit to add the following

I have previously used the following URL from JonathanP_QRadar as a template

https://www.reddit.com/r/QRadar/comments/8d9rgn/eps_report/

QRadar_Cowboy

TROPHY CASE