172 private links
I provide support for European customers of QRadar and all of the family products (QVM, QRM, QRIF, QNI). Nowadays, I am more IT consultant than civil engineer (MSc Eng), but I still have great passion for all reinforced concrete construction around the world.
Siphons cookies, exposes internal router & installs web backdoor on locked computers
Your Cloud Shell environment is a Docker container. By default, the container is started from a Docker image managed by Google, but you can also specify a custom Docker image for your Cloud Shell environment. Customization is done in two steps:
Locate a relevant Docker image. Our Create custom image tool can create a standard custom image that you can use as a starting point for your image.
Modify your environment to reference the desired image.
The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the system. By default it is set to “Restricted“, which basically means none. However, it’s important to understand that the setting was never meant to be a security control.
The version of the DSA utility differs based on the operating system and appliance model type. QRadar 7.2.x uses a different build than QRadar 7.3.x. M3 and M4 appliances use a different build of the DSA than M5+ appliances. This technote lists the builds required for your base operating system and appliance type.
QRadar: HA synchronization progress resets to 0%
What is the sequence of events during a High-Availability (HA) failover, and how are they experienced?
Event categories are used to group incoming events for processing by IBM® Security QRadar®. The event categories are searchable and help you monitor your network.
Is there a way to test the high-availability (HA) crossover connection?
You can manually map a normalized or raw event to a high-level and low-level category (or QID).
FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran.
Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during their attacks.
Click a check mark in the following matrix to go to the log source that you're most interested in. For each log source, the relevant ATT&CK framework categories are listed. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was developed by Mitre Corp.
There’s no need to reinvent the wheel to create this model of measurement, but analysts must be able to catalog and group the characteristics they aim to measure to determine what level of SIEM implementation is appropriate for the organization.
Because Azure and Office 365 are widely used, I decided to start with this. I hope you will find it useful because unfortunately, there is a lack of good resources other than Microsoft when it comes to monitoring Azure with a SIEM and I had to spend many hours to study the logs and figure out what was relevant.
Some tips about problems most of us should see in our network and security jobs, including troubleshooting, configurations, correlation rules, compliance stuff etc.
Introduction and processes for upgrading QRadar software.
Asset exclusion rules that are tuned to exclude IP addresses from the blacklist.
Events are being dropped on Console with Pipeline NATIVE_To_MPC messages.
List of Open Mic events and presentations.