As this is my first post here I want to say hello to everyone! :) I'm new to the QRadar solution and maybe this question is very easy to answer, but I didn't find anything about it on this forum.
I want to create a rule that creates an offence every time there is a possible log change (on the source machine).
Is it possible to create such a rule? Or maybe is there some out-of-the-box rule to investigate such cases?
Thank you in advance!
Maciek
Posted By Maciej Malenda

Topic: Detecting log changes on source machine
Re: what do you mean by detecting (2012-10-07T18:20:09Z)
What do you mean by detecting a possible log change? Do you mean changes in the logging level (info versus debug or error) or configuration changes on the end device?
Posted By Aaron.Breen
Re: I would like to get offence (2012-10-16T05:39:33Z)
I would like to get an offence every time somebody on the source machine is changing a log (for example clearing part of it). Does QRadar solve these kinds of problems? I've found on Windows that after a log is cleared the OS writes "event code 517" to the log. I would need to have this also on other machines. Do you have any solutions for that?
Posted By Maciej Malenda
Re: You have identified partially (2012-11-27T17:58:43Z)
You have identified partially how to do this. On Windows machines there are a number of Event IDs you will want to look for which indicate someone has modified the Windows Event Log on that machine. You can create a Custom Rule within QRadar to look for these specific Event IDs.
If your use case goes beyond just Windows Servers you may want to create your rule using out-of-the-box Category based Building Blocks. These should provide a broader catch-all across multiple log source types for identifying these types of events.
Posted By scott.vanwart
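The detection logic the thread describes, written out as an added example (not code from this thread or from QRadar itself). It takes the Event-ID approach from the accepted answer and pairs it with a source-agnostic check, as the last reply suggests for non-Windows machines: the record numbers of a healthy log only ever increase, so a regression is a second signal that the log was truncated or replaced. Event ID 517 is the one named in the thread; 1102 and 104 are the Vista-and-later Security and System/Application "log cleared" events. The line format and the sample events are constructed for the example and are not a real QRadar or Windows format.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Windows Event IDs that record tampering with the event log itself.
# 517 is the legacy (Windows 2003/XP) security-log-cleared event named in the thread;
# 1102 and 104 are the Vista-and-later equivalents.
LOG_TAMPER_EVENT_IDS = {
    517: "Security log cleared (legacy)",
    1102: "Security log cleared",
    104: "System or Application log cleared",
}

# Constructed line format for this example: "<host> EventID=<n> RecordNumber=<n> User=<name>".
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+RecordNumber=(?P<rec>\d+)\s+User=(?P<user>\S+)"
)


@dataclass
class Offense:
    host: str
    reason: str
    user: str


def detect_log_tampering(lines: Iterable[str]) -> list[Offense]:
    """Return one Offense per event that indicates the source's log was modified.

    Two signals are used:
      1. a known 'log cleared' Event ID (Windows only);
      2. a record number lower than the last one seen from the same host,
         which works for any log source that numbers its records.
    """
    offenses: list[Offense] = []
    last_record: dict[str, int] = {}  # host -> last record number seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than crash the rule
        host, eid, rec, user = m["host"], int(m["eid"]), int(m["rec"]), m["user"]
        prev = last_record.get(host)
        if eid in LOG_TAMPER_EVENT_IDS:
            offenses.append(Offense(host, LOG_TAMPER_EVENT_IDS[eid], user))
        elif prev is not None and rec < prev:
            offenses.append(Offense(host, f"record number regressed {prev} -> {rec}", user))
        last_record[host] = rec
    return offenses


# Constructed sample events: two Windows hosts, a legacy Windows host and a non-Windows host.
SAMPLE_EVENTS = [
    "winsrv01 EventID=4624 RecordNumber=10001 User=alice",
    "winsrv01 EventID=1102 RecordNumber=1 User=alice",      # Security log cleared
    "winsrv02 EventID=4624 RecordNumber=5000 User=bob",
    "winsrv02 EventID=4634 RecordNumber=5001 User=bob",     # healthy, increasing
    "win2003 EventID=517 RecordNumber=42 User=SYSTEM",       # legacy cleared event
    "linuxhost EventID=0 RecordNumber=800 User=root",
    "linuxhost EventID=0 RecordNumber=7 User=root",          # counter reset: regression
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for o in detect_log_tampering(SAMPLE_EVENTS):
        print(f"OFFENSE host={o.host} user={o.user} reason={o.reason}")
```

The record-number check will also fire on legitimate log rotation or a reinstalled agent, so in a real rule it belongs in a building block that is combined with the Event-ID match or tuned per log source rather than raising an offence on its own.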