IBM Support

QRadar: When Windows Events do not contain Asset Information

Troubleshooting

Problem

Although QRadar treats Windows events as carrying identity properties, not all Windows events contain information that can be used for asset identity.

Resolving The Problem

Within the Windows event payload, the following Logon Type values do not generate Identity Asset information:
  • 3: Network
  • 4: Batch
  • 5: Service
  • 7: Unlock
  • 8: Network clear text
  • 9: New credentials based
  • 10: Remote Interactive

To be considered for identity, an event must have one of the event IDs listed below, and either both the Computer= and OriginatingComputer= fields must be null or the username must not be null.

Windows Event IDs 528, 540, 672, 4624, 4768, 4776, 18453, 18454, 18455, and 20158 are considered for identity, provided that all preconditions are met: the Computer= and OriginatingComputer= fields are null or the username is not null, and the Logon Type is not 3, 4, 5, 7, 8, 9, or 10.
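The rule above is easy to misread, so here is the decision logic written out as an added example. This is not QRadar code or IBM's parser; the key=value payload layout and the field names EventID, LogonType, Username, Computer and OriginatingComputer are constructed for the example, and the sample payloads are likewise constructed. It applies the three checks in the order the page gives them: event ID in the identity list, Logon Type not in the excluded set, and then the null-field or username condition.

```python
import re
from typing import Dict, Optional, Tuple

# Event IDs and Logon Types exactly as listed on this page.
IDENTITY_EVENT_IDS = {528, 540, 672, 4624, 4768, 4776, 18453, 18454, 18455, 20158}
EXCLUDED_LOGON_TYPES = {3, 4, 5, 7, 8, 9, 10}

# Assumption: a flat "Key=value" payload, with optional double-quoted values.
# Real QRadar payload parsing is not this simple; the layout is constructed here.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')


def parse_payload(payload: str) -> Dict[str, Optional[str]]:
    """Split a constructed Key=value payload into a dict; empty values become None."""
    fields: Dict[str, Optional[str]] = {}
    for m in _FIELD_RE.finditer(payload):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value if value != "" else None
    return fields


def is_identity_candidate(payload: str) -> Tuple[bool, str]:
    """Return (candidate?, reason) for one payload under the page's rule."""
    f = parse_payload(payload)

    # 1. The event ID must be one that QRadar considers for identity.
    try:
        event_id = int(f.get("EventID") or -1)
    except ValueError:
        return False, "EventID is not numeric"
    if event_id not in IDENTITY_EVENT_IDS:
        return False, f"EventID {event_id} is not in the identity list"

    # 2. An excluded Logon Type disqualifies the event. Some listed events
    #    (for example Kerberos 4768) carry no Logon Type at all, so absence passes.
    logon_type_raw = f.get("LogonType")
    if logon_type_raw is not None:
        try:
            logon_type = int(logon_type_raw)
        except ValueError:
            return False, "LogonType is not numeric"
        if logon_type in EXCLUDED_LOGON_TYPES:
            return False, f"Logon Type {logon_type} does not generate identity"

    # 3. Either both computer fields are null, or a username is present.
    computers_null = f.get("Computer") is None and f.get("OriginatingComputer") is None
    username_present = f.get("Username") is not None
    if computers_null or username_present:
        return True, "identity candidate"
    return False, "no username and Computer/OriginatingComputer are set"


# Constructed sample payloads (not real log data).
SAMPLES = [
    "EventID=4624 LogonType=2 Username=alice Computer=WS01 OriginatingComputer=DC01",
    "EventID=4624 LogonType=3 Username=alice Computer= OriginatingComputer=",
    "EventID=4625 LogonType=2 Username=alice Computer= OriginatingComputer=",
    "EventID=4768 Username= Computer=WS01 OriginatingComputer=DC01",
    'EventID=4768 Username="Alice Smith" Computer=WS01 OriginatingComputer=DC01',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = is_identity_candidate(sample)
        print(f"{'YES' if ok else 'no ':>3}  {reason:<45}  {sample}")
```

Running the module prints one line per sample with the verdict and the failing check, which is the quickest way to see why an interactive logon with a username passes while a network logon (type 3) of the same user does not.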


Document Information

Modified date: 06 February 2023

UID: swg22002180