Categories
General

Add new DNS servers to QRadar

A common question is how to add new DNS servers to QRadar when you need to change them. Normally, you run the qchange_netsetup script, which handles this change. The problem appears, however, when there is more than one appliance in the deployment. In order to run the qchange_netsetup script, you […]

Categories
Admin Architecture

How to change a forgotten password in QRadar

QRadar has multiple ways to authenticate users. Apart from the default System Authentication, based on data kept in the Postgres database, you can configure external authentication using RADIUS, TACACS, LDAP or SAML. In the screenshot above you can also see the Active Directory option, which has recently been removed from the allowed methods of authentication […]

Categories
Architecture

Manually stop QRadar services

Most QRadar administrators are familiar with the backend command that restarts services (systemctl restart hostcontext). You should know which services are available and what each of them is responsible for in the system. If you are not familiar with them, please read this article first: http://18.203.92.225/2015/10/22/qradar-services/ In this short article, I would like to mention […]

Categories
Architecture

Deployment Model in QRadar

QRadar works in a deployment model that is a master and slave environment. The single master is the console, which manages configuration updates for all the managed hosts (slaves) in the deployment. Only the console has the ability to read from and write to the Postgres database, while all managed hosts have read-only […]

Categories
General

DSM Editor (part one)

The DSM Editor is a multi-purpose editor that lets you parse any event received by a QRadar box. QRadar supports more than 1000 log sources out of the box. This is possible because this type of SIEM software ships with installed device support modules, called DSMs, which let QRadar parse the logs. The most widely used software and […]

Categories
Architecture Extensions Video

Migrating from App Node to App Host

Please find below three embedded videos by Jose Bravo about migrating from App Node to App Host. App Host is a new component in the QRadar family. It has the number 4000 and works like a normal Managed Host. You can duplicate the component in a High Availability cluster in the same way as other Managed Hosts in your […]

Categories
Architecture

Second part of QRadar 7.3.2 features

As promised last month, please find the second part of the QRadar 7.3.2 features article. As of today (mid-February), the new version is still not publicly available, but I could see another new build generated this month (20190201201121) and I believe we are only days away from the release of a new […]

Categories
General

Sneak Peek at QRadar 7.3.2

Soon (in the first quarter of 2019), we can expect a new version of QRadar. This is a sneak peek at QRadar 7.3.2, which runs on RHEL 7.5. The new version introduces so many improvements that I could not list all of them at once. In this article, I describe only the changes that are most significant to me, […]

Categories
General Uncategorized

Generating and receiving events with QRadar

QRadar is capable of receiving and parsing events from a variety of third-party security products. The full list of supported devices is available in the documentation, and the number of supported formats and devices grows often. Receiving events with QRadar: QRadar can pick up events in “auto-detected” mode from supported appliances, which lets you see events immediately […]

Categories
Architecture

Changes in Traffic Analysis in 7.3.1

Among the new features introduced in version 7.3.1, one of the most important is a change in Traffic Analysis. Reasons for the change: Many users have had issues with incorrectly auto-detected log sources. In some extreme cases, incorrectly detected devices can have a major performance impact, leading to degradation of ecs-ec. The solution to this problem […]