
Thursday, July 2

IBM Qradar SIEM Audit


Remember to change columns as needed and add new properties if you need them.
Example: the Rule property in the CRE Rules audit, which shows which rule was changed.

1. Audit Changes Done To SIEM Overall – audit changes or actions done by users on the system

The search should use these filters:
High level – SIM Audit and low level – SIM Configuration Change


2. Reference Set Audit – audit changes done to reference sets by users

The search should use these filters:
QID – 28250205, 28250204, 28250217
High level – SIM Audit and low level – SIM Configuration Change

3. CRE Rules – audit changes done to rules

QID – 28250030, 28250319, 28250028, 28250029, 28250255, 28250256, 28250320

4. SIEM Backup Activity

The search should use these filters:
Use the predefined SIEM backup audit search and change the property in "group by" back to regular columns.
Use all four searches in one report to get a daily change activity audit on the QRadar SIEM device.

Extract Properties examples:

Rule Name (low level category – SIM Configuration Change):

(Rule\sName|Event\sName)(\=\"|\:\')([^\"\']+) – capture group 3

Reference Value (low level category – SIM Configuration Change):

values\=\"\[([^\]]+)

ID (low level category – SIM Configuration Change):

Id\=\"([^\"]+)
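To check what these three extraction regexes actually capture before saving them as custom properties, here is an added example (not from the original post or from QRadar itself) that runs them over a few constructed SIM Audit style payloads; the payload format and field values are invented for the demonstration, and the quote characters are the straight ASCII ones the regexes expect.

```python
import re

# The three regexes from the post, with the capture group QRadar would use
# for each custom property noted on the right.
RULE_NAME_RE = re.compile(r'(Rule\sName|Event\sName)(\=\"|\:\')([^\"\']+)')  # group 3
REF_VALUES_RE = re.compile(r'values\=\"\[([^\]]+)')                            # group 1
ID_RE = re.compile(r'Id\=\"([^\"]+)')                                          # group 1

# Constructed sample payloads (not real QRadar output). The last one matches
# nothing so a miss is visible in the report rather than silently skipped.
SAMPLE_PAYLOADS = [
    'admin: [Rule Name="Excessive Failed Logins" Id="100205" action=update]',
    "analyst: [Event Name:'Suspicious Outbound' Id=\"100310\" action=create]",
    'admin: ReferenceSet name="Blocked IPs" values="[198.51.100.7, 203.0.113.9]" action=add',
    'system: backup completed, nothing to extract here',
]


def extract_audit_fields(payload):
    """Apply the three custom-property regexes to one payload.

    Returns a dict with the rule name, the list of reference-set values and
    the object id; a field that did not match is None.
    """
    rule = RULE_NAME_RE.search(payload)
    refs = REF_VALUES_RE.search(payload)
    ident = ID_RE.search(payload)
    return {
        "rule_name": rule.group(3) if rule else None,
        "reference_values": [v.strip() for v in refs.group(1).split(",")] if refs else None,
        "id": ident.group(1) if ident else None,
    }


def audit_report(payloads):
    """One extracted row per payload, in the order the payloads were given."""
    return [extract_audit_fields(p) for p in payloads]


if __name__ == "__main__":
    for row in audit_report(SAMPLE_PAYLOADS):
        print(row)
```

A row with every field None is the signal that a payload shape is not covered by the regexes and the custom property needs adjusting, which is exactly the case the report should surface before the search goes into the daily audit.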

The SIM Audit category contains events that are related to user interaction with the IBM® Security QRadar® Console and administrative features.

See the full list of low level categories for SIM Audit – http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_sim_audit.html

Source: https://qmasters.co/ibm-qradar-siem-audit/

Tuesday, November 13

Difference between: False Positive - False Negative - True Positive - True Negative


  • True Positive: A real attack that triggers an alarm.
    • You have a brute force alert, and it triggers. You investigate the alert and find out that somebody was indeed trying to break into one of your systems via brute force methods.
  • False Positive: An alarm is raised although no attack has taken place.
    • You investigate another of these brute force alerts and find out that it was just some user who mistyped their password a bunch of times, not a real attack.
  • False Negative: No alarm is raised although an attack has taken place.
    • There actually was someone trying to break into your system, but they did so below the threshold of your brute force rule logic. For example, you set your rule to look for 10 failed logins in a minute, and the attacker did only 9. The attack occurred, but your rule failed to detect it.
  • True Negative: No attack has taken place and no alarm is raised.
    • No attack occurred and your rule didn't fire.