Tag: dsm

Almost Everything is perfect in the Land of Qradar logs

But sometimes you can encounter a sensor which will not send full data information. For example, we will take the Imperva SecureSphere WAF as an example. The IBM Knowledge Center (http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.dsm.doc/t_DSM_guide_Securesphere) explains how to configure the Imperva to send syslogs toward the Qradar machine by just configuring an action set to use this format for Qradar to understand the…

McAfee DLP Events Support

Qradar supports McAfee ePO and Symantec SEP, but not all of it. 1. SEP has full support for Antivirus, HIPS and SONAR functions, but when using SEP as Device Control the data comes in as a Misc. event and not as a Device Control event, meaning all of the data coming from SEP regarding Device Control does not parse…

DNS traffic monitoring for malicious activity

DNS traffic on port 53 is not suspicious in itself, but we can conclude that in a closed environment only DNS servers should communicate outside to other DNS servers. In an open environment we will be looking for malicious DNS URLs. Endpoint PCs (users' computers) do not need to communicate directly with outside DNS on port 53….

Symantec Risk Not Found

Qradar supports Symantec endpoint security out of the box; see the link to the IBM Knowledge Center: Symantec Endpoint DSM. Symantec SEP is composed of many endpoint security modules like HIPS, firewall and SONAR. We usually see virus-associated logs like: <54>Apr 10 00:00:25 Symantec Server SEPBEDPROD: Virus found,IP Address: 10.0.1.5,Computer name: af73075-pc,Source: Real Time Scan,Risk…