QRM – an application error may occur when accessing Policy Monitor from the Risk tab

When trying to access the QRM Policy Monitor, an error may occur. As a result, the connection to the UI may be dropped, requiring the user to log in to the UI again.

APAR IJ01014 – follow the link to register for updates:

https://www-01.ibm.com/support/entdocview.wss?uid=swg1IJ01014

RTC 153725

ARC_BUILDER GOES OUT OF MEMORY WHEN THE ASSET CEILING NUMBER IS SET TO 5 MILLION ASSETS

Arc_builder runs out of memory on the managed host when the asset ceiling number is set to 5 million.

APAR IJ00838 – follow the link to register for updates:

https://www-01.ibm.com/support/entdocview.wss?uid=swg1IJ00838

QVM – Newly configured vulnerability exceptions can sometimes be duplicated

It has been identified that when creating new vulnerability exceptions, a duplicate can sometimes be created.

Example of steps that can sometimes reproduce this issue:

  • Click on the Vulnerabilities tab.
  • Click Manage Vulnerabilities > By Vulnerability.
  • Select (single click) a vulnerability that affects multiple assets and create an exception for all assets (Actions drop-down, Exception, select the "Exception vulnerability for all assets" check box, set expiry dates/comments, click Save).
  • Select another vulnerability that is on multiple assets and create an exception for a specific asset (click the Vulnerability Instances for the vulnerability, click an asset, click the Actions drop-down, click Exception, set expiry dates/comments, click Save).
  • Click Vulnerability Exceptions in the left menu. The exception created against all assets can sometimes appear twice.

Bad Rabbit Malware Content Pack

Bad Rabbit malware.

On October 24th, new attacks on many sites were found to use previously unknown ransomware, which was later named Bad Rabbit.

Bad Rabbit was distributed with the help of drive-by attacks. When the victim visited one of the modified websites, a malware dropper was downloaded from the threat actor's infrastructure. No exploits were used, so the victim had to execute the malware dropper manually; it was disguised as an Adobe Flash installer.
Once infected, the user is informed that their files have been encrypted and that the key needed to decrypt them costs 0.05 bitcoins (approximately 280 US dollars). Currently, there is no indication that paying the ransom results in a valid key that decrypts the victim's files properly. The screenshot below shows the ransom message displayed on the victim's screen:

How to restart the UBA app (1.x.x only)

# /opt/qradar/support/qapp_utils.py ls

Get the app_id of the UBA app from the listing.

# /opt/qradar/support/qapp_utils.py connect <app_id>

Enter the app and restart the web server:

# ps aux | grep run.py
# kill -9 <PID of run.py from the ps output>

After this, the Flask server should come back up automatically.

To restart the backend polling:

# ps aux | grep 'python poll.py'
# kill -9 <PID of poll.py from the ps output>

After this, the poll should come back up automatically.

QRadar processes

QRadar runs on top of Linux (Red Hat 6 for versions up to QRadar 7.2.8 and Red Hat 7 for later versions), and each of the major functions of QRadar typically runs within its own Java virtual machine (JVM). This means that most processes run with little to no direct effect from the other processes. The main QRadar processes running on the Console and other components are:

What is QPCAP

IBM Security QRadar Packet Capture is a network traffic capture and search application. The QRadar Packet Capture appliance has only one capture port (DNA0), and you can install either a 10G or 1G SFP transceiver.
With QRadar Packet Capture, you can capture network packets at rates of up to 10 Gbps from a live network interface and write them to files without packet loss.
You can use QRadar Packet Capture to search captured network traffic by time and packet envelope data. With sufficient appliance resources and tailored searches, you can search and record data simultaneously without data loss.
QRadar Packet Capture appliances that have a 10G transceiver support clusters, which expand the overall data storage and computational ability when compared to a single standalone server. QRadar Packet Capture appliances that have a 1G transceiver do not support clusters.

Restart of QRadar services

Whenever you notice that no events or flows are visible in the interface, you can restart the three main services running in QRadar.

Restarting these services can resolve many other issues, and each QRadar admin should know these first troubleshooting steps. Please note that the order of the steps is very important: stop hostcontext first, before restarting hostservices.

What is QRM

IBM Security QRadar Risk Manager is a separately installed appliance for monitoring device configurations, simulating changes to your network environment, and prioritizing risks and vulnerabilities in your network.

QRadar Risk Manager is accessed by using the Risks tab on your IBM Security QRadar SIEM Console.

QRadar Risk Manager uses data that is collected by QRadar, for example configuration data from firewalls, routers, switches, or intrusion prevention systems (IPSs), vulnerability feeds, and third-party security sources. These data sources enable QRadar Risk Manager to identify security, policy, and compliance risks in your network and estimate the probability that a risk is exploited.

QRadar activation key

The activation key is a 24-digit, four-part, alphanumeric string that you receive from IBM. The activation key specifies which software modules apply to each appliance type. By default, there is only one ISO installation disk, and depending on the activation code you use during installation you get the chosen variation of the QRadar product family.
You can obtain the activation key from the following locations:

  • If you purchased a QRadar software or virtual appliance download, a list of activation keys is included in the Getting Started document that is attached to a confirmation email. You can use this document to cross-reference the part number of the appliance that you were supplied with.
  • If you purchased an appliance that is preinstalled with QRadar Vulnerability Manager software, the activation key is included in your shipping box or on the CD.

What is QVM

QRadar Vulnerability Manager (QVM) is a scanning platform based on QRadar that is used to identify, manage, and prioritize the vulnerabilities on your network assets.

QRadar Vulnerability Manager and QRadar Risk Manager are combined into one offering, and both are enabled through a single base license. With the base license, you use QRadar Vulnerability Manager for the vulnerability management workflow and are entitled to scan up to 255 assets. You can use QRadar Risk Manager to integrate with up to 50 standard configuration sources. You require extra licenses to scan more than 255 assets or to integrate with more than 50 configuration sources. If you have a licensed entitlement to either QRadar Vulnerability Manager or QRadar Risk Manager, you are automatically entitled to the base license allowances for the other product.