Tag: Events

Enriching events with additional data

In the previous article we examined Additional Data fields and how to use them. But what if the information analysts need is missing even from the Additional Data fields? In ArcSight you will regularly meet events that lack what an analyst wants to see: a user ID instead of a username, a host ID instead of […]

Configuration, Events and Content Backup in IBM QRadar

While working with a SIEM you will eventually need to update the tool to the latest version, move it to a different data center or migrate it to a more powerful installation. An integral part of this is creating backups and then transferring the data, configuration or custom content to […]

Event Filtering in IBM QRadar

When configuring a SIEM (IBM QRadar included), administrators often make the wrong decision: "Let's send all logs to the SIEM and figure out what to do with them later." This usually leads to excessive license utilization, heavy load on the SIEM, a growing event cache queue and sometimes event loss. […]

Creating Correlation Events in Splunk using Alerts

Many SIEM users ask how Splunk and HPE ArcSight differ. ArcSight users are convinced that correlation events are a strong argument for ArcSight because Splunk has no equivalent. Let's dispel this myth: Splunk has many ways to correlate events. So in […]

Historical Correlation

What if I have designed or deployed a new use case and want to know whether my company was exposed to that threat in the past? Many people working with ArcSight wonder whether historical correlation is possible, and they have several real-life scenarios for it. The first […]

How to fix parsing issues in QRadar without technical support

QRadar releases fall into two groups: versions before 7.2.8, and 7.2.8 and later. In 7.2.8+ all parsing changes are made from the web console. To fix a parsing issue, follow these steps: create a search on the Log Activity page in QRadar that returns the events with […]

Simple correlation scenario for Splunk using lookup tables

Event correlation plays an important role in incident detection and lets us focus on the events that really matter to business services or IT/security processes.
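
The two themes above, enriching ID-only events from a lookup table and then correlating the enriched events, can be shown together in a few lines of plain Python. This is an added example, not code from any of the listed articles or from ArcSight/Splunk; the lookup tables, the raw events and the "N failed logins followed by a success" scenario are all constructed here to illustrate the technique, and the field names (`user_id`, `host_id`, `outcome`) are assumptions. In a real deployment the dictionaries would be an ArcSight Active List or a Splunk lookup CSV and the loop would be a rule or a scheduled search.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup tables: stand-ins for an ArcSight Active List or a Splunk lookup CSV.
USER_LOOKUP = {"1001": "alice", "1002": "bob"}
HOST_LOOKUP = {"h-01": "web01.corp.example", "h-02": "db01.corp.example"}

# Constructed raw events. As in the excerpt, the source only logs IDs, not names.
RAW_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "user_id": "1001", "host_id": "h-01", "outcome": "failure"},
    {"ts": "2024-01-10T09:00:20", "user_id": "1001", "host_id": "h-01", "outcome": "failure"},
    {"ts": "2024-01-10T09:00:40", "user_id": "1001", "host_id": "h-01", "outcome": "failure"},
    {"ts": "2024-01-10T09:01:00", "user_id": "1001", "host_id": "h-01", "outcome": "success"},
    {"ts": "2024-01-10T09:30:00", "user_id": "1002", "host_id": "h-02", "outcome": "success"},
    {"ts": "2024-01-10T10:00:00", "user_id": "9999", "host_id": "h-09", "outcome": "failure"},
]


def enrich(event, user_lookup=USER_LOOKUP, host_lookup=HOST_LOOKUP):
    """Add username/hostname to an event from the lookup tables.

    IDs that are missing from the lookup are kept visible as unknown(<id>) rather
    than dropped, so the analyst still sees the raw identifier.
    """
    out = dict(event)
    out["username"] = user_lookup.get(event["user_id"], f"unknown({event['user_id']})")
    out["hostname"] = host_lookup.get(event["host_id"], f"unknown({event['host_id']})")
    return out


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Emit a correlation event when `threshold` failures for the same
    (user, host) pair are followed by a success within `window`."""
    failures = defaultdict(list)   # (user_id, host_id) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user_id"], ev["host_id"])
        ts = datetime.fromisoformat(ev["ts"])
        # Forget failures that fell out of the sliding window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if ev["outcome"] == "failure":
            failures[key].append(ts)
        elif ev["outcome"] == "success" and len(failures[key]) >= threshold:
            alerts.append({
                "name": "Successful login after repeated failures",  # constructed rule name
                "ts": ev["ts"],
                "user_id": ev["user_id"],
                "username": ev.get("username"),
                "host_id": ev["host_id"],
                "hostname": ev.get("hostname"),
                "failure_count": len(failures[key]),
            })
            failures[key].clear()
    return alerts


def run(raw_events=RAW_EVENTS):
    """Enrich first, then correlate, so the correlation event carries names, not IDs."""
    return correlate([enrich(e) for e in raw_events])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Enrichment runs before correlation on purpose: the correlation event then carries `username` and `hostname`, which is what an analyst triaging the alert wants, while the raw IDs are kept for pivoting back to the source logs.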
