SIEM – QRadar Learnings

I gathered a number of SIEM issues, addressed them, and then provided you with the patch so that everyone may profit.

——> Basic steps: <——
– ✔️ Install a SIEM (QRadar, Graylog, ELK, Splunk, SumoLogic, etc.)

🛡️ QRadar
Download >https://www.ibm.com/community/qradar/ce/
install >https://www.youtube.com/watch?v=DCd5f4VFDdk

__
✔️ All material you need:
. WinCollect Agent: https://bit.ly/3xhioeb
. 730_QRadar_wincollectupdate-7.3.1-16.sfs: https://bit.ly/3xdPzPS
. WinSCP-5.21.3-Setup: https://bit.ly/3QsblpO
. CCNA Cyber Ops SECOPS: https://bit.ly/3L0W6Dj
. DSM Configuration Guide: https://ibm.co/3dhP9Bl
. Incident Handling and Response: https://bit.ly/3QPvDtJ
. What is SIEM: https://bit.ly/3dkIohW

✔️ If you encounter any of these issues below, I’ve collected the solutions.

__
. Install the WinCollect Agent another way:
https://www.youtube.com/watch?v=CI6g5brdSdw |
https://lnkd.in/db_7ai_j

__
. Send Linux logs to QRadar
https://www.youtube.com/watch?v=z3XezJnGtq0

___
. No Log Activity | QRadar CE
https://www.youtube.com/watch?v=IwkEm772EZI

__
. No Log Activity | QRadar Code:
https://www.ibm.com/support/pages/node/6395080

__
. Log source problem:
https://bit.ly/3QyysPD

__
. Modify the maximum log size using Group Policy
https://www.youtube.com/watch?v=LeUx8EGFKXE

__
. Basic rule and use-case creation in QRadar SIEM
https://lnkd.in/daWJmTu3 |
https://ibm.co/3DwndEq

✔️ Don’t forget to generate an authentication token from Authorized Services (AS) and enter it in the WinCollect Agent when you install it.
____

✔️ Where to find the log and event source configuration for Windows, Linux, databases, etc.:
 . DSM Configuration Guide: https://ibm.co/3dhP9Bl
___

–> Does it work? Great! That is a mini SOC. Document it somewhere and link it to your resume.🙏

____

——> Additional steps: <——

– Increase log visibility (enable PowerShell logging and script block logging, install Sysmon, etc.)

– Install extra tools to get more visibility, e.g. BLUESPAWN, DeepBlueCLI, Suricata, Zeek, RITA (all are on GitHub)

– Test your setup! Be the bad guy and try to catch yourself. (WinPwn, Atomic Red Team, Caldera -> again, check out GitHub)

– If needed, improve your SIEM with matching alert rules and build dashboards. (Ideas? Look at Sigma rules -> GitHub)

– Threat intelligence: cyber threats and where to find them:
socprime.com
– Insert your IOCs, and get queries on the fly:
cti.uncoder.io
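As an added example (not code from the original post), a PowerShell snippet that turns on the script block and module logging mentioned above through the standard policy registry keys, reads the setting back, and lists a few of the resulting 4104 events. It assumes an elevated session on the Windows host whose logs WinCollect forwards to QRadar.

```powershell
# Added example: enable PowerShell Script Block and Module logging via the
# policy registry keys, then verify. Assumes an elevated session; the keys
# are the standard policy locations and are typically absent (weak default).

$ScriptBlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$ModuleKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

function Enable-PowerShellLogging {
    foreach ($key in @($ScriptBlockKey, $ModuleKey, "$ModuleKey\ModuleNames")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Script block logging: Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    New-ItemProperty -Path $ScriptBlockKey -Name 'EnableScriptBlockLogging' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    # Module logging: Event ID 4103 (pipeline execution details) for all modules ("*")
    New-ItemProperty -Path $ModuleKey -Name 'EnableModuleLogging' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$ModuleKey\ModuleNames" -Name '*' `
        -Value '*' -PropertyType String -Force | Out-Null
}

function Get-PowerShellLoggingState {
    $sb  = Get-ItemProperty -Path $ScriptBlockKey -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path $ModuleKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ($sb.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($mod.EnableModuleLogging -eq 1)
    }
}

Enable-PowerShellLogging
Get-PowerShellLoggingState

# Sanity check: recent 4104 events that WinCollect should now be forwarding.
# New PowerShell sessions started after the change will produce them.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```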
#soc
