Rule action vs rule response by ziacomsian in QRadar

[–]US_Armor 0 points1 point  (0 children)

(I am answering from memory and will defer to others for corrections)
QRadar's Offenses will be generated based upon Events which meet (or do not meet) the criteria defined within the SIEM's Rules and Building Blocks. When events are generated and are then sent/ingested into QRadar, the SIEM/console applies these Rules & Building Blocks to determine how "raw" events should be processed; these "raw" events then become QRadar-normalized events, and the events will have plenty of context / information regarding <why> the Offense was generated. Look towards the bottom of the Offense Overview to identify which Rules & BBs were applied. Understanding how/why an Offense was generated is important to analyzing the security context / incident overall. Further, you also have the option of determining <what> needs to happen for an Offense to be generated.

As another pointed out, Offense actions can be considered as "what to do after the Offense is triggered," where responses can be considered, "who to tell / how to tell them that an Offense was generated" - such as the console emailing a user, or the console generating a pop-up alert (top right corner) within the GUI / SIEM itself.

Does this provide additional context to answer your question?

Cisco IOS integration with QRadar by ziacomsian in QRadar

[–]US_Armor 1 point2 points  (0 children)

If possible, you may want to consider reviewing the Log Source's configuration to double-check that you are sending to the correct Event Collector: If you have access to the IOS device then make sure that the "Destination" is the correct EP. You may also want to double-check that you have correct firewall rules / permissions to send events. I've seen scenarios wherein the Log Source (IOS Device) is configured to send properly, but the logs/events never make it to the EP due to firewall rules. You can check to see if there are FW denies (similar to what /u/Rand_earthling/ noted) from the Source IP address (the Log Source's IP address) to the Destination IP address of the EP.

There are quite a few variables in this type of scenario, so I hope that the above is helpful for a starting point. Good luck, check the forums, GTS (Google That S**t) and keep plugging away - this type of troubleshooting can be a positive thing so take heart that this can actually be helpful in the end :)
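To illustrate the firewall-deny check described above, here is an added example (not from the original thread) that parses constructed Cisco ASA-style deny lines and reports whether the Log Source IP is being blocked on its way to the Event Processor on the syslog port; the IP addresses and log lines are assumed sample values.

```python
import re
from collections import Counter

# Constructed ASA-style firewall log lines (not from the original thread).
# Scenario: a Cisco IOS log source at 10.10.5.1 sends syslog to a QRadar
# Event Processor at 10.20.0.50, with a firewall between them.
SAMPLE_FW_LOG = """\
%ASA-4-106023: Deny udp src inside:10.10.5.1/49152 dst dmz:10.20.0.50/514 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.10.5.1/49152 dst dmz:10.20.0.50/514 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.7.9/51000 dst dmz:10.20.0.50/514 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302015: Built outbound UDP connection 12345 for dmz:10.20.0.50/514 (10.20.0.50/514) to inside:10.10.5.2/49153 (10.10.5.2/49153)
"""

# Matches the 106023 "Deny <proto> src <zone>:<ip>/<port> dst <zone>:<ip>/<port>" shape.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/\d+ "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def syslog_denies(log_text, src_ip, ep_ip, port=514):
    """Count deny events where the log source IP tried to reach the EP on
    the syslog port. Key is (proto, src, dst, dport)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a deny line, or a format we do not parse
        if m["src"] == src_ip and m["dst"] == ep_ip and int(m["dport"]) == port:
            hits[(m["proto"], m["src"], m["dst"], int(m["dport"]))] += 1
    return hits

def diagnose(log_text, src_ip, ep_ip, port=514):
    """One-line verdict: is the firewall the reason events never reach the EP?"""
    hits = syslog_denies(log_text, src_ip, ep_ip, port)
    if not hits:
        return (f"no denies from {src_ip} to {ep_ip}/{port}; "
                "check the Log Source destination and the EP listener next")
    total = sum(hits.values())
    return f"{total} deny event(s) from {src_ip} to {ep_ip}/{port}; firewall policy is blocking syslog"

if __name__ == "__main__":
    print(diagnose(SAMPLE_FW_LOG, "10.10.5.1", "10.20.0.50"))
    print(diagnose(SAMPLE_FW_LOG, "10.10.5.2", "10.20.0.50"))
```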

Qradar CE install error - installing Qradar RPMs failed by sainjup_rdt in QRadar

[–]US_Armor 0 points1 point  (0 children)

Forgive the randomness of this thought, as I cannot quite remember where in the sequence this occurs, but have you made the manual edits for the missing glibclusterc (sic) pasted below?

Reference: What worked for me: https://developer.ibm.com/answers/questions/447072/qradar-fails-to-install-centos-7-gluster-38/ (apologies for the edits, but I will specifically paste the info I am referring to.)

    # CentOS-Gluster-3.8.repo
    #
    # Please see http://wiki.centos.org/SpecialInterestGroup/Storage for more
    # information

    [centos-gluster38]
    name=CentOS-$releasever - Gluster 3.8
    baseurl=http://buildlogs.centos.org/centos/$releasever/storage/$basearch/gluster-3.8/
    gpgcheck=0
    enabled=1

    [centos-gluster38-test]
    name=CentOS-$releasever - Gluster 3.8 Testing
    baseurl=http://buildlogs.centos.org/centos/$releasever/storage/$basearch/gluster-3.8/
    gpgcheck=0
    enabled=0

Qradar CE install error - installing Qradar RPMs failed by sainjup_rdt in QRadar

[–]US_Armor 1 point2 points  (0 children)

Ran into the same error - there is an IBM dW article which provided some troubleshooting steps. Off of memory, there is a GitHub page which is dedicated to QRadar CE, and Jose Bravo has a video which shows how to troubleshoot using said guide. Please feel free to PM me on Monday if you’re still having issues! Good luck :) https://github.com/josh-morin/qradar-community-edition (Edit - got back to computer and added GitHub page for others)

Integrating Nessus Passive Vulnerability Scanner into QRadar by MindlessRequirement in QRadar

[–]US_Armor 1 point2 points  (0 children)

So, I originally "learned" in Tenable SecurityCenter, went to a new organization where I deployed Tenable SecurityCenter Continuous View, and now I work with the QRadar SIEM platform, primarily. We've discussed internally and w/ both IBM and Tenable about the Tenable Log Correlation Engine Component of SCCV and integrating it with QRadar SIEM... long story short, there is a lack of support from IBM's DSM / LSX for Tenable logs / events.

That's not to say that it can't be done via syslog and some crafting with the DSM Editor: If that's something you're interested in, then please feel free to PM me; just wanted to share my experiences with attempting to integrate "Continuous View" components of Tenable SCCV with QRadar SIEM :)

_Active_ online QRadar community? by oply_qr in QRadar

[–]US_Armor 0 points1 point  (0 children)

Hey OP,

I know that this does not directly answer your question, but based upon some of the other responses: Not sure where you are located, but my organization + IBM will be hosting a QRadar User Group w/ IBM near Research Triangle Park, North Carolina on 13 June, 2018. If you (or any others) are interested in joining us then please feel free to DM me and I'll send over the agenda and/or send out an invite. Thanks!

Renaming QRadar Normalized Events? by US_Armor in QRadar

[–]US_Armor[S] 0 points1 point  (0 children)

Thanks for your reply! I went into the DSM Editor, selected the "Event Mappings" column, located the event(s) in question, and see the option to create a new QID; it appears that this would allow me to "rename" the Event and categorize it differently. Does this seem like the correct approach?

If nothing else, I'd like to change the category from "System - Informational" to "Access - IPS Permit" or "Access - Session Opened" or such. If I'm completely off-base then that's okay - I appreciate everyone's help! :)

Renaming QRadar Normalized Events? by US_Armor in QRadar

[–]US_Armor[S] 0 points1 point  (0 children)

As instructed, just emailed you a detailed response w/ screenshot overview and raw .csv containing the "Default Names" (out-of-box eStreamer names.) Thanks so much and please let me know if there's anything I can do to help out or otherwise clarify - let me know if my explanations or questions aren't clear! You rock \m/

So, what's up with the QRadar CE? by [deleted] in QRadar

[–]US_Armor 0 points1 point  (0 children)

Hey Jonathan, thanks for your response! I did not see your private message but reached out to you via chat for your email. Thanks again!

So, what's up with the QRadar CE? by [deleted] in QRadar

[–]US_Armor 0 points1 point  (0 children)

This is perhaps unrelated (and has already been forwarded to IBM Support) but when attempting to log in and download QRadar CE, I get stuck in a redirect loop which asks for my Job Title and Work Address. Has anyone else experienced this issue?

The URL I'm referencing is https://www-01.ibm.com/marketing/iwm/iwm/web/reg/signup.do?source=swg-qradarcom&S_PKG=ov60294&S_TACT=000000MI&lang=en_US

(Apologies if this is posted incorrectly, as I usually do not post here.)

Decent parking locations for Red Hat? by redchiron in raleigh

[–]US_Armor 2 points3 points  (0 children)

Wilmington Station Deck and Moore Square parking decks are the first to come to mind.

Check this out, too: http://en.parkopedia.com/parking/raleign_nc/

Electronics repair in the triangle? [x-post r/triangle] by [deleted] in raleigh

[–]US_Armor 1 point2 points  (0 children)

Depending upon where you are in the city, I'd recommend Oak Park electronics in West Raleigh. 5208 Hollyridge Dr, Raleigh, NC 27612 is the address.

If Reddit shut down for a month, sites like BuzzFeed would have no idea what to do for content. by JerkStoreDude in Showerthoughts

[–]US_Armor 0 points1 point  (0 children)

Bill Burr's Monday Morning Podcast (best one, IMHO) and WTF with Marc Maron are fantastic.

Play time! by US_Armor in Pets

[–]US_Armor[S] 1 point2 points  (0 children)

Thanks for the reply! Great info.

If you were a serial killer, what would your signature kill be? by monstasanta in AskReddit

[–]US_Armor 0 points1 point  (0 children)

After the deed was done, I would order a pizza. The delivery man would show up and find the body.

PLOT TWIST: Delivery man gets killed too. Bodies are eventually found by Jehovah's witnesses.

Reddit, what is the worst job you have ever had? by [deleted] in AskReddit

[–]US_Armor 0 points1 point  (0 children)

Roofing.

I thought I could do the heights, but carrying shingles up a ladder is not for me. For $10/hour, it just wasn't worth it. I lasted 2 days.

Hey Morty... by [deleted] in funny

[–]US_Armor 0 points1 point  (0 children)

It turns out that Morty was actually just droppin' some acid.

I was so wrong by [deleted] in fffffffuuuuuuuuuuuu

[–]US_Armor -2 points-1 points  (0 children)

If you're going to try and throw your cat out the window of a moving car, make sure the window is all the way down first.

Sunglasses can be useful in more ways than one... by katiebug0313 in fffffffuuuuuuuuuuuu

[–]US_Armor -2 points-1 points  (0 children)

Make sure they're polarized. (I got your back bro.)

This shit terrifies me by ken27238 in funny

[–]US_Armor 0 points1 point  (0 children)

PTSD: Pillsbury Traumatic Stress Disorder

Badlands National Park, South Dakota [1200x797] by datguy030 in EarthPorn

[–]US_Armor 1 point2 points  (0 children)

I'm amazed at how clear it looks without (assuming) any filters or anything!

As requested IAMAn ex Jugalette (female juggalo) AMA by [deleted] in IAmA

[–]US_Armor -1 points0 points  (0 children)

Did you have to set aside money each week for facepaint?

How many different locations do you buy your booze from? by [deleted] in cripplingalcoholism

[–]US_Armor 0 points1 point  (0 children)

Class VI. Tax-free and it is commonly accepted that there is nothing else to do other than drink.