There are two methods commonly used for the QRadar upgrade. These methods apply to the distributed deployment only but not to the All-in-One installation. By default, the QRadar console has all the capabilities and features. However, when there is a need to improve functionality and there are not enough resources in a single hardware server, […]
Add new DNS servers to QRadar
There is a common problem with how to add new DNS servers to QRadar if you need to change them. Normally, you should run the qchange_netsetup script, which is looking after this change. Nevertheless, the problem appears when there is more than one appliance in the deployment. In order to run the qchange_netsetup script, you […]
An open offense can be inactive in the Backend if there are no new events that arrived for at least 30 minutes. Despite this fact, the end-user (after opening the GUI) can see only two states (Open or Closed), while in the backend there are three different states. In the backend (including API) you can […]
QRadar has multiple ways to authenticate users. Apart from the default System Authentication based on data kept in the Postgres database, you can configure external Authentication using RADIUS, TACACS, LDAP or SAML methods. In the screenshot above you can also see Active Directory option, which has been recently removed from the allowed methods of authentication […]
In order to export a list of all enabled log sources, SIEM administrators can run one of the following commands basd on psql query in QRadar. The commands are available from the Console back end, so using SSH, log in to the QRadar Console as the root user. To enter the command line for the database, […]
Manually stop QRadar services
Most of QRadar administrators are familiar with the command issued in the backend, which restarts services (systemctl restart hostcontext). You should know what kind of services are available and responsible for in the system. If you are not familiar, then please read this article first http://18.203.92.225/2015/10/22/qradar-services/ In this short article, I would like to mention […]
Deploying changes locally
Many QRadar users and admins hit time out or error issue when they are deploying changes in QRadar to the Managed Hosts. Not all of them know how to troubleshoot this problem. I will describe here a simple solution to this problem when qradar not deploying changes. QRadar has two different approaches to store configuration. […]
It has been announced, that soon we can expect a new version of UBA extension to QRadar functionality. The new version with number 3.6 will bring a number of new features including the most overlooked by the customers, the Multi-Tenancy support. In order to avail this great new feature of QRadar, the software installation needs […]
Deployment Model in QRadar
QRadar can work in the Deployment Model which is master and slave environment. The single master is the console, which manages the configuration updates for all the managed hosts (slaves) available in the deployment set. The console only has the ability to read and write to Postgres database, while the all managed hosts have read-only […]
DSM Editor (part two)
This is the second part of the article about DSM Editor. Please find the link here to the first part of this article. As mentioned there, DSM Editor can create a new Log Source, based on repeating information in any kind of log. Sample Log Suppose, that you are dealing with logs collected from the […]