Just a quick update.
An additional workaround for customers who must use Google Chrome instead of an alternate browser is to use Chrome Canary. This is Google Chrome's development build, which can run side-by-side with the stable version of the Chrome browser. The development version of Chrome does not have the HTTPS header issue.
For more info on Google Chrome Canary (developer version), see: https://www.google.com/chrome/browser/canary.html
This info is also posted on the official QRadar forums.
Hi,
I've done this myself a number of times.
One quick thing to note: at the minute QRadar only supports Winlogbeat version 6.x, and based on Elastic's support matrix only versions 7.x are supported on Server 2019: https://www.elastic.co/support/matrix
This means you're going to have to create some custom parsing rules using JSON expressions in the DSM editor, or wait until support for Winlogbeat 7.x is released.
Your understanding is correct: you configure Winlogbeat to forward to the Logstash server, which then forwards the logs on to QRadar. Everything is set up on the Windows machine, but the idea of a Logstash server is that you could forward logs from several machines to one Logstash server if you wanted. For instance, you could have Winlogbeat on 20 individual machines but only have the Logstash server on one, which then ultimately forwards the logs on to QRadar. As previously stated, version 7.x isn't supported, but if you were to send output from Winlogbeat 6.8 it would automatically be detected as a Windows Security event log source on the QRadar side.
My configuration for Winlogbeat 6.8 and Logstash 7.4.2 is the following:
For logstash I only changed the .conf file in the config directory to forward to QRadar:
    # Logstash pipeline: accept Beats input on 5044, forward each event as one JSON line to QRadar
    input {
      beats {
        port => 5044                 # Winlogbeat ships to this port
      }
    }
    output {
      tcp {
        host => ["172.16.xx.xx"]     # QRadar event collector address
        port => 514
        mode => "client"             # Logstash opens the connection to QRadar
        codec => "json_lines"        # newline-delimited JSON, one event per line
      }
      stdout { codec => rubydebug }  # local debug copy of every event
    }
And for my Winlogbeat configuration I just have the winlogbeat.yml file sending output to my local Logstash server on port 5044; it's pretty much the default.
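As an added example (not code from the post above or from QRadar or Elastic), here is a small Python parser for the json_lines stream that the Logstash tcp output above forwards to QRadar. It normalises Winlogbeat 6.8 events and Winlogbeat 7.x events onto the same flat 6.x field names, which illustrates why QRadar's auto-detection works for 6.8 but 7.x needs custom JSON parsing in the DSM editor: 7.x renamed the fields and moved them under winlog.*. The sample events and the truncated line are constructed; host names and versions are invented.

```python
import json
from typing import Dict, List

# Constructed sample of what the json_lines codec emits on TCP 514 (values invented)
SAMPLE_JSON_LINES = "\n".join([
    # Winlogbeat 6.8 shape: event fields sit at the top level of the document
    json.dumps({"beat": {"version": "6.8.0"}, "computer_name": "WS01.example.lab",
                "log_name": "Security", "source_name": "Microsoft-Windows-Security-Auditing",
                "event_id": 4624, "event_data": {"LogonType": "3"}}),
    # Winlogbeat 7.x shape: fields renamed and moved under winlog.*, host under host.name
    json.dumps({"agent": {"version": "7.4.2"}, "host": {"name": "SRV2019.example.lab"},
                "winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing",
                           "event_id": "4624", "event_data": {"LogonType": "3"}}}),
    '{"winlog": {"event_id": "46',  # constructed truncated line (TCP stream cut mid-event)
])

# 6.x field name -> 7.x winlog.* field name
FIELD_MAP_7X = {"computer_name": "computer_name", "log_name": "channel", "source_name": "provider_name"}


def normalize_winlogbeat(event: Dict) -> Dict:
    """Map a Winlogbeat 6.x or 7.x event onto the flat 6.x field names that
    QRadar auto-detects as a Windows Security event log source."""
    if "winlog" in event:
        w, version = event["winlog"], event.get("agent", {}).get("version")
        out = {dst: w.get(src) for dst, src in FIELD_MAP_7X.items()}
        # 7.x may omit winlog.computer_name; fall back to the ECS host.name
        out["computer_name"] = out["computer_name"] or event.get("host", {}).get("name")
    else:
        w, version = event, event.get("beat", {}).get("version")
        out = {k: event.get(k) for k in FIELD_MAP_7X}
    out["event_id"] = int(w["event_id"])  # string in 7.x, integer in 6.x
    out["event_data"] = w.get("event_data", {})
    out["beat_version"] = version
    return out


def parse_json_lines(stream: str) -> List[Dict]:
    """Parse the newline-delimited JSON Logstash forwards to QRadar,
    dropping blank or truncated lines instead of failing the whole batch."""
    events = []
    for line in stream.splitlines():
        if not line.strip():
            continue
        try:
            events.append(normalize_winlogbeat(json.loads(line)))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed line: skip it, keep the rest of the batch
    return events
```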
https://www.blumira.com/ntlm-relay-attack-petitpotam/
Looks like if you have good Windows event collection you could look for the QIDs associated with these event IDs, followed by either a payload matches regex or a CEP for the specific QIDs for "elevated=true".