QRadarCafe13 - 2021 12 17
Presenters:
Liher Elgezabal, Threat Management Technical Sales
Pablo Roberto, Threat Management Technical Sales
Emilio Andrés, Threat Management Technical Sales
Marta Perez, Threat Management Technical Sales

Agenda:
• What's new
• Blogs
• Log4Shell
• TechNotes
• Curiosities
• CustomApp – MitreInfo4Offenses
• Interesting links
• Q&A (Open Mic)
Previous episodes:
2021-09-17 QRadar Café EP10 (Master Skills University 2021, WinCollect 10)
2021-07-16 QRadar Café EP9 (Event & Flow Exporter, Network Threat Analytics, Virtual Master Skills University, ...)
2021-06-18 QRadar Café EP8 (QRadar IaaS, version 7.4.3, what's new in the Certificate Management and QDI apps, ...)
2021-04-16 QRadar Café EP6 (What's new, Log Source Management, RFEs, Windows event collection)
2021-02-19 QRadar Café EP4 (Threat Intelligence v2, Windows sizing, Retention Buckets)
2021-01-15 QRadar Café EP3 (MITRE sub-techniques in Use Case Manager, SysFlow Content Extension, FireEye Red Team, Sunburst, best practices and tech notes)
2020-12-18 QRadar Café EP2 (QRadar 7.4.2, UBA 4.0, Network Visibility, Universal Cloud Connector, SysFlow)
2020-11-27 QRadar Café EP1 (Essential apps: UBA, Watson, Use Case Manager, Assistant, ...)
Administration tasks
7.4.3 FP4
Log4Shell (CVE-2021-44228)
Security Bulletin: Log4j as used in IBM® Disconnected Log Collector is vulnerable to remote code execution (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6526178
Blogs
https://community.ibm.com/community/user/security/communities/community-home/recent-community-blogs?communitykey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=recentcommunityblogsdashboard
IBM QRadar Café
What's new
https://exchange.xforce.ibmcloud.com/hub/QRadar
Technical Notes
https://www.ibm.com/community/qradar/home/knowledge/
The QRadar upgrade to V7.4.2 or later requires you to run a migration script on the Console appliance. This script migrates the High Availability (HA) file system from GlusterFS to Distributed Replicated Block Device (DRBD) on all Event Collectors in your deployment (collectors only).

When patching an App Host that has been detached from the deployment, the installer can hang at 'Applying presql script' in the QRadar command line interface. Administrators who experience this issue can confirm the process ID of the IMQ service and apply the described workaround to continue the upgrade. It is critical that administrators do NOT attempt to reboot or force the installer to quit, but instead use the IMQ service instructions provided in this technical note to allow the App Host upgrade to continue.

A security bulletin has been issued for several QRadar versions identifying CVEs related to the CentOS 6 base images used in QRadar applications. Per the security bulletin, administrators are advised to upgrade their applications to mitigate the security issue.

The output of a manual rpm installation shows that the rpm was installed successfully; however, the DSM or protocol is not displayed as an option in the Log Source Management app.

What steps can administrators review before they attempt to update their QRadar deployment?
Best Practices
https://github.com/qradar-cafe/
MitreInfo4Offenses
https://www.ibm.com/docs/en/qsip/7.4?topic=types-fragments-type
https://www.ibm.com/docs/en/qsip/7.4?topic=apps-custom-fragments-example#c_appfw_samples_CustFrags
IBM Security / © 2020 IBM Corporation 37
App components: manifest.json
Create the AQL query
Get the result
Render the HTML
https://github.com/qradar-cafe/QRadarApp-MitreInfo4Offenses
Rate QRadar
Gartner - https://www.gartner.com/reviews/home
TrustRadius - https://www.trustradius.com/
G2 - https://www.g2.com/
Ask me Anything