SIEM – QRadar Learnings

I gathered a number of SIEM issues I ran into, addressed them, and collected the fixes here so that everyone can benefit.

——> Basic steps: <——
– ✔️ Installing a SIEM (QRadar, Graylog, ELK, Splunk, SumoLogic, etc.)

🛡️ QRadar
Download >
install >

✔️ All the material you need:
. WinCollect Agent:
. 730_QRadar_wincollectupdate-7.3.1-16.sfs:
. WinSCP-5.21.3-Setup:
. CCNA Cyber Ops SECOPS:
. DSM Configuration Guide:
. Incident Handling and Response:
. What is SIEM:

✔️ If you encounter any of these issues below, I’ve collected the solutions.

. Install the WinCollect Agent another way:

. Send Linux logs to QRadar:

. No Log Activity | Qradar CE

. No Log Activity | Qradar Code:

. Log source problem:

. Modify maximum Log size using Group Policy

. Rule creation and basic use case creation in QRadar SIEM:

✔️ Don’t forget to generate an authentication token under Authorized Services (AS) in QRadar and enter it in the WinCollect Agent when you install it; without it the agent cannot register with the console.

✔️ Where to find the log source settings for events from Windows, Linux, databases, etc.:
 . DSM Configuration Guide:

–> Does it work? Great! That is a mini SOC. Document it somewhere and link it to your resume.🙏


——> Additional steps: <——

– Increase log visibility (activate PowerShell logging and Script Block logging, install Sysmon, etc.)

– Install extra tools to get more visibility, e.g. BLUESPAWN, DeepBlueCLI, Suricata, Zeek, RITA (all are on GitHub)

– Test your setup! Be the bad guy and try to catch yourself. (WinPwn, Atomic Red Team, Caldera -> again, check out GitHub)

– If needed, improve your SIEM with matching alert rules and build dashboards. (Ideas? Look at the Sigma rules -> GitHub)

– Threat intelligence: Cyber Threats and Where to Find Them:
– Insert your IOCs and get queries on the fly:
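Two of the steps above (raising the maximum log size and turning on PowerShell Script Block / Module logging) can be applied and verified on a single host before you roll them out via Group Policy. The script below is an added example, not part of the original post: it writes the same registry values that the corresponding Group Policy settings set (the policy paths are as I know them; check them against your GPO before mass deployment), and the 1 GB Security log size is an assumed value to size for your own event volume.

```powershell
# Added example (not from the original post). Run as Administrator.
# Writes the local policy registry values behind the GPO settings for
# PowerShell Script Block logging, Module logging and Security log size.

$psPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$evtPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Script Block logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
Set-PolicyDword "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module logging for all modules -> Event ID 4103 (pipeline execution details)
Set-PolicyDword "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
$modNames = "$psPolicy\ModuleLogging\ModuleNames"
if (-not (Test-Path $modNames)) { New-Item -Path $modNames -Force | Out-Null }
New-ItemProperty -Path $modNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Security log maximum size; the policy value is in KB (1 GB here is an assumed size).
# The Event Log service picks it up after gpupdate /force or a reboot.
Set-PolicyDword $evtPolicy 'MaxSize' (1GB / 1KB)

# Verify what was written, next to the size the log is currently using.
function Get-LoggingPolicyState {
    [pscustomobject]@{
        ScriptBlockLogging  = (Get-ItemProperty "$psPolicy\ScriptBlockLogging").EnableScriptBlockLogging
        ModuleLogging       = (Get-ItemProperty "$psPolicy\ModuleLogging").EnableModuleLogging
        SecurityMaxSizeKB   = (Get-ItemProperty $evtPolicy).MaxSize
        CurrentSecurityLogB = (Get-WinEvent -ListLog Security).MaximumSizeInBytes
    }
}

Get-LoggingPolicyState
```

After the change, the 4103/4104 events appear in Microsoft-Windows-PowerShell/Operational, so make sure that channel is included in the WinCollect log source, not just Security.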
