Topic
  • 3 replies
  • Latest Post - ‏2012-11-27T17:58:43Z by SystemAdmin
SystemAdmin
SystemAdmin
184 Posts

Pinned topic Detecting log changes on source machine

‏2012-10-04T13:57:59Z |
Hi,

As it is my first post here I want to say hello to everyone! :) I'm new to the QRadar solution and maybe this question is very easy to answer, but I didn't find anything about that on this forum.

I want to create a rule that creates an offence every time there is a possible log change (on the source machine).
Is it possible to create such a rule? Or maybe there is some out-of-the-box rule to investigate such cases?

Thank you in advance!
Regards,
Maciek

Posted By Maciej Malenda
Updated on 2012-11-27T17:58:43Z at 2012-11-27T17:58:43Z by SystemAdmin
  • SystemAdmin

    Re: what do you mean by detecting

    ‏2012-10-07T18:20:09Z  
    What do you mean by detecting a possible log change? Do you mean changes in the logging level (info versus debug or error) or configuration changes on the end device?
    Posted By Aaron.Breen
  • SystemAdmin

    Re: I would like to get offence

    ‏2012-10-16T05:39:33Z  
    I would like to get an offence every time somebody on the source machine is changing the log (for example clearing part of it). Does QRadar solve these kinds of problems? I've found on Windows that after the log is cleared the OS writes "event code 517" to the log. I would need to have this also on other machines. Do you have any solutions for that?
    Posted By Maciej Malenda
  • SystemAdmin

    Re: You have identified partially

    ‏2012-11-27T17:58:43Z  
    You have identified partially how to do this. On Windows machines there are a number of Event IDs you will want to look for which indicate someone has modified the Windows Event Log on that machine. You can create a Custom Rule within QRadar to look for these specific event IDs.

    If your use case goes beyond just Windows Servers you may want to create your rule using the out-of-the-box Category based Building Blocks. These should give a broader catch-all across multiple log source types for identifying these types of events.
    Posted By scott.vanwart
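
The rule logic described in the last reply (match specific Windows Event IDs that indicate the event log itself was cleared and raise an offence per hit) can be sketched outside QRadar to see what it actually catches. The following is an added example and is not code from the thread, from IBM or from QRadar: it runs a "log cleared" check over a few constructed Windows-style key=value log lines. Event ID 517 is the one cited in the thread (legacy Security log "audit log was cleared"); 1102 (Security log cleared) and 104 (System log cleared) are the newer Windows equivalents. The `ts=... host=... EventID=...` line format, host names and user names are assumptions made for the sample, not a real log source format.

```python
"""Added example (not from the thread or IBM): a minimal 'event log cleared'
detector over Windows-style key=value log lines, the kind of check a QRadar
custom rule would express. All sample lines below are constructed."""
import re
from dataclasses import dataclass

# Event IDs that indicate the Windows event log itself was modified.
# 517 is the legacy Security log "audit log was cleared" event cited in the thread;
# 1102 and 104 are the newer Security and System log "cleared" events.
LOG_TAMPER_EVENT_IDS = {
    517: "Audit log was cleared (legacy Security log)",
    1102: "Audit log was cleared (Security log)",
    104: "Event log was cleared (System log)",
}

# Constructed sample lines in an assumed key=value format (hypothetical log source).
SAMPLE_LINES = [
    "ts=2012-10-16T05:30:01Z host=srv01 EventID=4624 user=alice msg=Logon",
    "ts=2012-10-16T05:31:12Z host=srv01 EventID=517 user=bob msg=Audit log cleared",
    "ts=2012-10-16T05:32:40Z host=srv02 EventID=1102 user=mallory msg=Audit log cleared",
    "ts=2012-10-16T05:33:05Z host=srv03 EventID=4634 user=alice msg=Logoff",
    "this line is not parseable",
    "ts=2012-10-16T05:35:00Z host=srv02 EventID=104 user=mallory msg=System log cleared",
]

# key=value pairs; the free-text msg field is not needed by the rule, so
# only its first token is captured and ignored.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Offence:
    """One rule hit, roughly what QRadar would surface as an offence."""
    host: str
    user: str
    event_id: int
    description: str
    timestamp: str


def parse_line(line):
    """Return the key=value fields of a line, or None if it carries no numeric EventID."""
    fields = dict(KV_RE.findall(line))
    if "EventID" not in fields or not fields["EventID"].isdigit():
        return None
    return fields


def detect_log_tampering(lines):
    """Apply the 'log cleared' rule to each line and return the Offence records."""
    offences = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable lines are skipped, not treated as hits
        event_id = int(fields["EventID"])
        if event_id in LOG_TAMPER_EVENT_IDS:
            offences.append(Offence(
                host=fields.get("host", "unknown"),
                user=fields.get("user", "unknown"),
                event_id=event_id,
                description=LOG_TAMPER_EVENT_IDS[event_id],
                timestamp=fields.get("ts", ""),
            ))
    return offences


def offences_by_host(offences):
    """Count hits per source machine, useful for spotting repeated clearing on one host."""
    counts = {}
    for o in offences:
        counts[o.host] = counts.get(o.host, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_log_tampering(SAMPLE_LINES)
    for o in found:
        print(f"{o.timestamp} {o.host} EventID={o.event_id} user={o.user}: {o.description}")
    print(offences_by_host(found))
```

Running it flags three of the six constructed lines (517 on srv01, 1102 and 104 on srv02) and ignores the ordinary logon/logoff events and the unparseable line. In QRadar the same idea maps onto a custom rule matching those Event IDs for Windows log sources, or onto the category based building blocks the reply mentions when other platforms with their own "log cleared" events need the same coverage.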