Pinned topic: Switching from ArcSight to Q1 Help
8 replies. Latest post 2013-08-01T15:19:46Z by mcalvi91

SystemAdmin
2011-09-09T19:45:37Z
I'm a former ArcSight user that's now a Q1 user. I was used to having more tools in my box for being able to build content around, and I am running into some road blocks. Is anyone else a former ArcSight user that is using Q1 that may be able to help?

Trends - don't exist in Q1. Time series are sort of trends, but I can't display them unless in the CLI - doesn't help; I can't report off of them - which is its real value - or alter it; it is what it is, which isn't anything usable for me.

Session Lists - Don't exist in Q1. I tried to build some rules off of flows, which had the only available definitions close enough, but I couldn't get it right.

Active Lists - Don't exist in Q1. Reference sets are a list, but I want to add the event, not just one data item or multiple data items. Plus, just being able to modify only the list length is nothing; I need a TTL, I need a counter, to query that counter, etc. If a device is on the list and gets added again, it just removes the previous entry.

Rule writing - I've been stopped by the wizard a few times because I'm forced to use their logic to write a rule. You can't account for every possible rule; I'm used to being able to write it my own way, with no inhibitions. This is more of a vent; there's no way around it. Also, definitions are different for searching events vs. rules vs. flows.

QID's - Because event names are based off of QID's, if the QID doesn't exist at all or yet, the event name will be blank and you have to create a custom parameter. This is by design, but not efficient, I feel. This was never a hindrance with ArcSight. We write our own IDS rules; these will never have a QID, hence the event name is empty. The event is passed the same way; just display the event name as it is in the raw event, not that hard. This is annoying to me, because Q1 is even behind our IDS vendor at times when they update their sigs; we have to wait for QID's to be updated. I never had to do this before.
If I say an event name equals or does not equal abcxyz, then I don't care if there are 3 QID's that equal that event name; it's stupid I have to put in multiple event names/QID's to cover the same event name.
------- Posted by Karl
Updated on 2011-09-29T20:04:49Z by SystemAdmin
  • SystemAdmin
    Re: Hey Karl, Let me see if I can
    2011-09-29T20:04:49Z in response to SystemAdmin
    Hey Karl,

    Let me see if I can dig up some information for you. I've passed your posting along to try and get some help, because I am not familiar with how some of these ArcSight pieces may or may not map to QRadar.
    Posted By john.cotter
    • kc3pa
      Re: Hey Karl, Let me see if I can
      2013-07-15T20:23:51Z in response to SystemAdmin

      Was this information ever provided? I am in the same boat now, previously working with ArcSight, now with QRadar.

      • mcalvi91
        Re: Hey Karl, Let me see if I can
        2013-07-16T13:10:41Z in response to kc3pa

        What are you looking to accomplish with QRadar?

        • kc3pa
          Re: Hey Karl, Let me see if I can
          2013-07-16T17:09:45Z in response to mcalvi91

          Just trying to find out if anyone was able to help Karl with the limitations he saw with QRadar, i.e. session lists, active lists, trends, rule writing, etc. I am seeing these same limitations and really miss these features that were available to me in ArcSight. I am a consultant and as such work with the systems that are available to me. How do you create a list of "bad guys" including IP address, location, etc. and then age entries off this list at the same time you add new entries with QRadar? This is just one example.

          • mcalvi91
            Re: Hey Karl, Let me see if I can
            2013-07-16T17:18:24Z in response to kc3pa

            Not sure if Karl got the info from john.cotter or not, but I can answer you.

            Some of this is in the various guides, and each of these has come a long way since 2011 (original post).

            How would you define a 'bad guy'? We have lists from various law enforcement agencies which we have created reference sets out of with no expiration, and others which are created from rules and have a TTL.

            You will need to go into the reference set management from the Admin tab to create a new one.

            • kc3pa
              Re: Hey Karl, Let me see if I can
              2013-08-01T14:25:29Z in response to mcalvi91

              OK... for instance, I created a reference set with a list of MS event IDs. I simply want to match an event to these event IDs. So I start to build a rule using the Event Property Test "when any of these event properties are contained in any of these reference set(s)". I can select the reference set I want to test against. But I cannot pick the "Event ID" property, as it is not listed in the properties drop-down menu. What's up with this? This is an event property that has been defined in the "Custom Event Properties" list and can be used in searches. Why isn't it available in the drop-down menu? How would you approach this?

            • kc3pa
              Re: Hey Karl, Let me see if I can
              2013-08-01T15:18:33Z in response to mcalvi91

              Think I have this figured out. Was able to get the custom event property to show up in the pull-down list and can now create a BB to use in rules. Was also able to match to this reference set in a search.
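
The thread circles around two things: the "active list" semantics Karl missed (a TTL, a per-entry counter, and re-adding an entry refreshing it instead of replacing it), which mcalvi91 says rule-created reference sets with a TTL now cover, and the check kc3pa eventually got working (matching an event ID property against a reference set of Windows event IDs). The following is an added illustration written for this thread, in Python; it is not QRadar's implementation and not any poster's code. It models the semantics discussed so the behaviour can be seen end to end: parse a few constructed log lines, match the event ID against a watched set, add the source address to an aging suspects list with a hit counter, then age off idle entries. The log format, the `ReferenceSet` class and all field names are hypothetical; the two Windows event IDs used (4625 failed logon, 4720 user account created) are standard ones.

```python
"""TTL-aware reference set with per-entry hit counters (added illustration).

Not QRadar code. Models the active-list behaviour discussed in the thread:
TTL, counter, re-add refreshes instead of replacing, and membership checks
against a set of watched Windows event IDs. Names and logs are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Entry:
    first_seen: float            # epoch seconds of the first add
    last_seen: float             # epoch seconds of the most recent add
    hits: int = 1                # number of times the key was added
    context: dict = field(default_factory=dict)  # extra data carried with the key


class ReferenceSet:
    """Set of keys with an optional TTL (seconds) and a hit counter per key."""

    def __init__(self, ttl_seconds=None):
        self.ttl = ttl_seconds   # None: entries never age off (e.g. a static blocklist)
        self._entries = {}

    def add(self, key, now, **context):
        """Add key, or refresh it if present: counter goes up, the TTL clock restarts."""
        entry = self._entries.get(key)
        if entry is None:
            entry = Entry(first_seen=now, last_seen=now, context=dict(context))
            self._entries[key] = entry
        else:
            entry.last_seen = now
            entry.hits += 1
            entry.context.update(context)
        return entry

    def expire(self, now):
        """Remove entries idle longer than the TTL; return the keys removed."""
        if self.ttl is None:
            return []
        stale = [k for k, e in self._entries.items() if now - e.last_seen > self.ttl]
        for key in stale:
            del self._entries[key]
        return stale

    def contains(self, key):
        return key in self._entries

    def hits(self, key):
        entry = self._entries.get(key)
        return entry.hits if entry is not None else 0

    def keys(self):
        return set(self._entries)


# Watched Windows event IDs: 4625 = failed logon, 4720 = user account created.
WATCHED_EVENT_IDS = {"4625", "4720"}

# Constructed key=value log lines in a hypothetical format (not a real QRadar payload).
SAMPLE_LOGS = [
    "2013-08-01T14:00:00Z host=dc01 EventID=4625 src=10.0.0.5 user=bob",
    "2013-08-01T14:00:30Z host=dc01 EventID=4625 src=10.0.0.5 user=bob",
    "2013-08-01T14:01:00Z host=dc01 EventID=4624 src=10.0.0.9 user=alice",
    "2013-08-01T14:02:00Z host=dc01 EventID=4720 src=10.0.0.7 user=svc",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_ts(ts):
    """ISO-8601 UTC timestamp ending in 'Z' to epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def parse_line(line):
    """Return the parsed fields, or None for a line that does not match the format."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def build_suspects(lines, watched_ids, ttl_seconds):
    """Rule logic: event ID in the watched set -> add the source to an aging suspects list."""
    suspects = ReferenceSet(ttl_seconds)
    for line in lines:
        event = parse_line(line)
        if event is None or event["eid"] not in watched_ids:
            continue
        suspects.add(event["src"], parse_ts(event["ts"]),
                     host=event["host"], user=event["user"], event_id=event["eid"])
    return suspects


if __name__ == "__main__":
    suspects = build_suspects(SAMPLE_LOGS, WATCHED_EVENT_IDS, ttl_seconds=300)
    for key in sorted(suspects.keys()):
        print(key, "hits:", suspects.hits(key))
    # At 14:06:00, 10.0.0.5 (last seen 14:00:30) is past the 5-minute TTL; 10.0.0.7 is not.
    print("expired:", suspects.expire(parse_ts("2013-08-01T14:06:00Z")))
    print("remaining:", sorted(suspects.keys()))
```

The two reference sets mcalvi91 describes correspond to `ReferenceSet()` with no TTL for a static law-enforcement list and `ReferenceSet(300)` for a rule-fed list that ages off; the `hits` counter and the refresh-on-re-add are exactly the pieces Karl found missing from a plain list of values.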