Troubleshooting
Problem
While QRadar states that Windows events have identity properties, not all Windows events contain information that can be used for Asset identity.
Resolving The Problem
Within the Windows event payload, the following Logon Type values do not generate asset identity information:
- 3: Network
- 4: Batch
- 5: Service
- 7: Unlock
- 8: Network clear text
- 9: New credentials based
- 10: Remote Interactive
To be considered for identity, an event must have one of the event IDs listed below, and either Computer= and OriginatingComputer= must both be null, or the username must not be null.
Windows Event IDs 528, 540, 672, 4624, 4768, 4776, 18453, 18454, 18455, 20158 are considered for identity, provided all preconditions are met: Computer= and OriginatingComputer= are both null or the username is not null, and the Logon Type is not one of 3, 4, 5, 7, 8, 9, or 10.
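As an added example (not code from the IBM document), the following Python encodes the preconditions described above so a parsed Windows event can be checked for identity eligibility when troubleshooting missing assets; the field names, the treatment of absent fields as null, and the sample events are assumptions, not QRadar's own parser behaviour.

```python
# Added example: checks whether a parsed Windows event meets the QRadar identity
# preconditions listed in this document. Field names and null handling are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

IDENTITY_EVENT_IDS = {528, 540, 672, 4624, 4768, 4776, 18453, 18454, 18455, 20158}
# Network, Batch, Service, Unlock, Network clear text, New credentials, Remote Interactive
EXCLUDED_LOGON_TYPES = {3, 4, 5, 7, 8, 9, 10}


@dataclass
class WindowsEvent:
    event_id: int
    username: Optional[str] = None
    computer: Optional[str] = None
    originating_computer: Optional[str] = None
    logon_type: Optional[int] = None  # assumed absent on events with no Logon Type (e.g. 4776)


def _is_null(value: Optional[str]) -> bool:
    # Assumption: a missing field and an empty/whitespace string both count as null.
    return value is None or value.strip() == ""


def identity_eligible(ev: WindowsEvent) -> Tuple[bool, str]:
    """Return (eligible, reason) according to the preconditions above."""
    if ev.event_id not in IDENTITY_EVENT_IDS:
        return False, f"event ID {ev.event_id} is not an identity event ID"
    if ev.logon_type in EXCLUDED_LOGON_TYPES:
        return False, f"logon type {ev.logon_type} does not generate identity information"
    computers_null = _is_null(ev.computer) and _is_null(ev.originating_computer)
    if not computers_null and _is_null(ev.username):
        return False, "Computer=/OriginatingComputer= are set and username is null"
    return True, "all identity preconditions met"


# Constructed sample events (not real log data) covering each branch of the check.
SAMPLES = [
    WindowsEvent(4624, username="alice", computer="WS01", logon_type=2),  # interactive logon
    WindowsEvent(4624, username="alice", computer="WS01", logon_type=3),  # network logon: excluded
    WindowsEvent(4776, username="bob"),                                   # no Logon Type field
    WindowsEvent(4634, username="carol", logon_type=2),                   # logoff: not an identity ID
    WindowsEvent(4624, logon_type=2),                                     # no username, computers null
]

if __name__ == "__main__":
    for ev in SAMPLES:
        ok, why = identity_eligible(ev)
        print(f"EventID {ev.event_id} logon_type={ev.logon_type}: {'eligible' if ok else 'skipped'} ({why})")
```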
Document Information
Modified date: 13 July 2023
UID: swg22002180