Categories: Upgrade

QRadar upgrade – Parallel upgrade vs. Patch all

There are two methods commonly used for a QRadar upgrade. These methods apply only to distributed deployments, not to an All-in-One installation. By default, the QRadar console has all the capabilities and features. However, when there is a need to improve functionality and there are not enough resources in a single hardware server, […]

Categories: General

Add new DNS servers to QRadar

A common question is how to add new DNS servers to QRadar when you need to change them. Normally, you run the qchange_netsetup script, which handles this change. The problem appears, however, when there is more than one appliance in the deployment. In order to run the qchange_netsetup script, you […]

Categories: Offenses

An open offense can be inactive in the Backend

An open offense can be inactive in the Backend if no new events have arrived for it for at least 30 minutes. Despite this, the end user (after opening the GUI) can see only two states (Open or Closed), while in the backend there are three different states. In the backend (including the API) you can […]

Categories: Admin Architecture

How to change a forgotten password in QRadar

QRadar has multiple ways to authenticate users. Apart from the default System Authentication, based on data kept in the Postgres database, you can configure external authentication using the RADIUS, TACACS, LDAP or SAML methods. In the screenshot above you can also see the Active Directory option, which has recently been removed from the allowed methods of authentication […]

Categories: Tutorial

List and export all enabled Log Sources using psql query in QRadar

In order to export a list of all enabled log sources, SIEM administrators can run one of the following commands, based on a psql query, in QRadar. The commands are available from the Console back end, so log in to the QRadar Console as the root user using SSH. To enter the command line for the database, […]

Categories: Architecture

Manually stop QRadar services

Most QRadar administrators are familiar with the command issued in the backend that restarts services (systemctl restart hostcontext). You should know which services are available in the system and what each of them is responsible for. If you are not familiar with them, please read this article first: http://18.203.92.225/2015/10/22/qradar-services/ In this short article, I would like to mention […]

Categories: Admin

Deploying changes locally

Many QRadar users and admins hit a time-out or error when they deploy changes in QRadar to the Managed Hosts. Not all of them know how to troubleshoot this problem. I will describe here a simple solution to this problem when QRadar is not deploying changes. QRadar has two different approaches to storing configuration. […]

Categories: App

User Behavior Analytics 3.6 (UBA) with Multi-Tenancy support

It has been announced that we can soon expect a new version of the UBA extension to QRadar functionality. The new version, numbered 3.6, will bring a number of new features, including the one most requested by customers: Multi-Tenancy support. To take advantage of this new feature of QRadar, the software installation needs […]

Categories: Architecture

Deployment Model in QRadar

QRadar can work in a Deployment Model that is a master and slave environment. The single master is the console, which manages the configuration updates for all the managed hosts (slaves) in the deployment set. Only the console has the ability to read from and write to the Postgres database, while all managed hosts have read-only […]

Categories: Log Activity Video

DSM Editor (part two)

This is the second part of the article about DSM Editor. Please find the link here to the first part of this article. As mentioned there, DSM Editor can create a new Log Source based on repeating information in any kind of log. Sample Log: Suppose that you are dealing with logs collected from the […]