Identity

The way in which QRadar is built to handle information about users and assets is not always clear. Assets and user information are both entangled with the concept of "identity" and a lot of confusion can abound about how to properly handle these things. This page exists to describe the best practices for getting this information into QRadar.

Identity Events

At the highest level, identity is meant to establish an association between:

a) a username and "Asset identifying information" (which includes IPv4 or IPv6 address, NetBIOS name, DNS name/hostname, or MAC address)
OR
b) two pieces of "Asset identifying information" (the idea being to primarily connect a physical machine with a network identity)

Therefore, the most basic requirement for an event to be relevant for identity is that it must contain at least two pieces of identifying information. However, it is not enough for an event to simply contain, for example, both an IP address and a username, or an IP address and a MAC address. The event must clearly describe an association being made between the two.

So there are two basic cases you must consider when building a custom DSM. The first type of event to consider for setting identity on is a login. The following event categories roughly count as a login:
Host Login Succeeded
Misc Login Succeeded
Auth Server Login Succeeded
Admin Login Successful
Login with username/ password defaults successful
SSH Login Succeeded
Remote Access Login Succeeded
User Login Successful

Remember that you should use your best judgement when considering the context of the event. Other event categories may count depending on the situation, and the categories above may not always count (although when you use one of them, you should evaluate why it does not qualify).

The other basic case is the Asset identifying case. Categories such as the following should be considered for using that override:
DHCP Success
As well as:
DNS query events that indicate what IP a queried hostname/DNS name uses and events that establish an association between an IP address and a NetBIOS name
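The two cases above, applied to parsed events, as an added example (not IBM's or QRadar's own code). Field names, the sample events and the two DNS/NetBIOS category names are constructed for illustration; only the login categories and "DHCP Success" come from this page.

```python
"""Decide whether a parsed event should set identity in a custom DSM.

Rule a) username + one piece of asset-identifying information on a login event.
Rule b) two pieces of asset-identifying information on a DHCP/DNS/NetBIOS event.
"""

# Asset-identifying information per the page: IPv4/IPv6, NetBIOS name, DNS name, MAC.
ASSET_ID_FIELDS = ("ipv4", "ipv6", "netbios_name", "hostname", "mac")

# Login categories listed on this page.
LOGIN_CATEGORIES = {
    "Host Login Succeeded", "Misc Login Succeeded", "Auth Server Login Succeeded",
    "Admin Login Successful", "Login with username/ password defaults successful",
    "SSH Login Succeeded", "Remote Access Login Succeeded", "User Login Successful",
}
# "DHCP Success" is from the page; the other two names are constructed placeholders.
ASSET_CATEGORIES = {"DHCP Success", "DNS Query Response", "NetBIOS Name Registration"}


def classify_identity(event):
    """Return ("user_asset", fields), ("asset_asset", fields) or (None, reason)."""
    category = event.get("category")
    present = [f for f in ASSET_ID_FIELDS if event.get(f)]
    username = event.get("username")

    if category in LOGIN_CATEGORIES:
        if username and present:
            return "user_asset", ["username"] + present
        return None, "login without both a username and an asset identifier"
    if category in ASSET_CATEGORIES:
        if len(present) >= 2:
            return "asset_asset", present
        return None, "needs two pieces of asset identifying information"
    # Both values may be present, but the event does not associate them.
    return None, "category does not describe an association"


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"category": "SSH Login Succeeded", "username": "alice", "ipv4": "10.0.0.5"},
    {"category": "DHCP Success", "ipv4": "10.0.0.5", "mac": "00:11:22:33:44:55"},
    # Has an IP and a username, but a denied connection does not associate them.
    {"category": "Firewall Deny", "username": "alice", "ipv4": "10.0.0.9"},
    {"category": "Host Login Succeeded", "username": "bob"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["category"], "->", classify_identity(ev))
```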

There is another case that is not truly covered in the DSM Editor: the logout case. For purposes of identity, QRadar can track logouts as well as logins. If you feel this is required (for example, your device is focused on identity management and logout tracking is vital), then feel free to contact the IBM Business Development team about how to work with the QRadar development team to get this support into QRadar.