Administrators looking for the latest firmware downloads can review this page to locate firmware updates for QRadar appliances. The installation instructions include a direct download link to the firmware from IBM Fix Central.

How do I locate known issues or open defects logged against QRadar?

What is the impact of initiating a Deploy Full Configuration on QRadar systems?

After Administrative actions a "Deploy Changes" may be required. This article provides information on when to either perform a "Deploy" or "Deploy Full Configuration" and their impact on your QRadar services.

How can you determine the physical specifications of an appliance?

I provide support for european customers of QRadar and all of the family products (QVM, QRM, QRIF, QNI). Nowadays, I am more IT consultant than Civil engineer (MSc Eng), but I still have great passion for all reinforced concrete construction around the world.

Siphons cookies, exposes internal router & installs web backdoor on locked computers

The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the system. By default it is set to “Restricted“, which basically means none. However, it’s important to understand that the setting was never meant to be a security control.

The version  of the DSA utility differs based Operating systems and appliance Model types. QRadar 7.2.x uses a different build than QRadar 7.3.x.  M3 and M4 appliances use a different build of the DSA than M5+ appliances. This technote lists the builds required for your base Operating and Appliance type.

QRadar: HA synchronization progress resets to 0%

What are the sequence of events during an High-Availability (HA) failover and how are these experienced?

Event categories are used to group incoming events for processing by IBM® Security QRadar®. The event categories are searchable and help you monitor your network.

Is there a way to test the high-availability (HA) crossover connection?

You can manually map a normalized or raw event to a high-level and low-level category (or QID).

FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran.

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Click a check mark in the following matrix to go to the log source that you're most interested in. For each log source, the relevant ATT&CK framework categories are listed. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was developed by Mitre Corp.

There’s no need to reinvent the wheel to create this model of measurement, but analysts must be able to catalog and group the characteristics they aim to measure to determine what level of SIEM implementation is appropriate for the organization.

Because Azure and Office 365 are widely used, I decided to start with this. I hope you will find it useful because unfortunately, there is a lack of good resources other than Microsoft when it comes to monitoring Azure with a SIEM and I had to spend many hours to study the logs and figure out what was relevant.

Some tips about problems most of us should see in our network and security jobs, including troubleshooting, configurations, correlation rules, compliance stuff etc.