QRadar has multiple ways to authenticate users. Apart from the default System Authentication based on data kept in the Postgres database, you can configure external Authentication using RADIUS, TACACS, LDAP or SAML methods. In the screenshot above you can also see Active Directory option, which has been recently removed from the allowed methods of authentication […]
Category: Architecture
Manually stop QRadar services
Most of QRadar administrators are familiar with the command issued in the backend, which restarts services (systemctl restart hostcontext). You should know what kind of services are available and responsible for in the system. If you are not familiar, then please read this article first http://18.203.92.225/2015/10/22/qradar-services/ In this short article, I would like to mention […]
Deployment Model in QRadar
QRadar can work in the Deployment Model which is master and slave environment. The single master is the console, which manages the configuration updates for all the managed hosts (slaves) available in the deployment set. The console only has the ability to read and write to Postgres database, while the all managed hosts have read-only […]
Please find below embedded three movies by Jose Bravo about migrating from App Node to App Host. App Host is new component in QRadar family. It has number 4000 and it works like normal Managed Host. You can doubled the component in High Availability cluster in the same way like other Managed Hosts in your […]
Second part of QRadar 7.3.2 features
As promised in the last month, please find the second part of the QRadar 7.3.2 features article. As for today (mid of February), a new version is still not available for public, but I could see another new build generated in this month (20190201201121) and I believe we are days only from issuing a new […]
Changes in Traffic Analysis in 7.3.1
Among new features introduced in version 7.3.1, one of the most important would be a change in Traffic Analysis. Change reasons Many users have had issues with incorrectly auto detected log sources. In some extreme cases, incorrectly detected devices can have a major performance impact, which would lead to degradation on ecs-ec. The solution for this problem […]
Event retention
Event retention helps QRadar administrators keep up and organize the data collected by their SIEM system. Retention window. Click the Admin tab Retention window to configure the buckets applicable to your deployment. By default, the Event Retention functionality provides a default retention bucket and ten not configured retention buckets. System stores all events in the default retention bucket if you don’t […]
QRadar backup
QRadar backup is one of the most important feature to use by each system administrator. There are two types of backups – configuration backup and data backup. It is highly recommended to do backups on regular basis and by default, QRadar creates a backup nightly but you can reschedule and adjust it to your needs. […]
QRadar Network Activity
QRadar Network Activity is the second important tab in QRadar interface. Each flow is a record of the communication between two machines, minute by minute in the network where resides QRadar. This value of one minute is constant and its change is not possible. Flows deliver information of existing network traffic. Information base on listening on each network […]
QRadar Log Sources
QRadar Log Sources are displayed in Log Activity tab where each event information is in a form of record from that log source. An event is a record from a device that describes an action on a network or host. SIEM normalizes the varied information found in raw events. QRadar SIEM supports many protocols, to receive raw […]