QSM Session Manager
QSM (QRadar Session Manager) makes it easy to manage user sessions and to investigate security events using session information, even when the user name is not available in the log messages, e.g.:
- Firewall activity
- IDS/IPS activity
- Web server activity
- Operating system logs that lack a user name
- Database and business application queries, etc.
Session information for a specific user or IP address can be accessed via the right-click menu in the Log Activity tab, or through the QSM tab.
QSM is essential in environments with many DHCP endpoints and users, among other scenarios.
QSM tracks user sessions starting from initial authentication until timeout or new authentication from the same IP address, and stores session information in a special log source within QRadar.
Runtime (active) session information is held in memory; when a session is closed for any reason, it is recorded in the QRadar log source. This lets users apply native QRadar retention settings to QSM data and review session information directly in the QRadar interface.
QSM session information can include any event field available in QRadar, e.g. Log Source Name, Event Name, IP addresses, and Custom Properties.
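The session lifecycle described above can be sketched as follows. This is an added example, not QSM's own code: the event field names (`ts`, `src_ip`, `name`, `user`), the 1800-second idle timeout and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

TIMEOUT = 1800  # assumed idle timeout in seconds; the page gives no value

@dataclass
class Session:
    user: str
    ip: str
    start: int
    last_seen: int
    end: Optional[int] = None
    reason: Optional[str] = None
    events: list = field(default_factory=list)

def track(events, timeout=TIMEOUT):
    """Return (closed sessions, still-active sessions, unattributed events)."""
    active, closed, orphans = {}, [], []  # active = in-memory runtime state

    def close(ip, when, reason):
        s = active.pop(ip)
        s.end, s.reason = when, reason
        closed.append(s)  # stands in for writing to the session log source

    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["src_ip"], ev["ts"]
        s = active.get(ip)
        if s and ts - s.last_seen > timeout:  # session expired before this event
            close(ip, s.last_seen + timeout, "timeout")
            s = None
        if ev.get("user"):  # authentication event: starts a new session
            if s:
                close(ip, ts, "new authentication")
            active[ip] = Session(ev["user"], ip, ts, ts)
        elif s:  # event without a user name: attribute it to the session owner
            s.events.append(ev["name"])
            s.last_seen = ts
        else:
            orphans.append(ev)  # no session known for this IP at this time
    return closed, active, orphans

EVENTS = [  # constructed sample events; field names are hypothetical
    {"ts": 0, "src_ip": "10.0.0.5", "name": "Login Success", "user": "alice"},
    {"ts": 60, "src_ip": "10.0.0.5", "name": "Firewall Permit"},
    {"ts": 120, "src_ip": "10.0.0.9", "name": "IDS Alert"},
    {"ts": 300, "src_ip": "10.0.0.5", "name": "Login Success", "user": "bob"},
    {"ts": 400, "src_ip": "10.0.0.5", "name": "Web Request"},
    {"ts": 5000, "src_ip": "10.0.0.5", "name": "Firewall Deny"},
]
```

Running `track(EVENTS)` attributes the firewall event to alice and the web request to bob even though both share one IP address, and leaves events with no covering session unattributed rather than guessing an owner.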
Different profiles can be created to connect different QRadar instances via API (QSM must be installed and configured on each QRadar instance).
Users can define a specific set of columns for the user activity tracking view, enable or disable debug mode, and choose grouping criteria for a session activity report.
QRadar Native Alternatives
There is no such native functionality available in the QRadar interface. Every search in a series must be created and processed manually. QSM saves up to 3 working hours daily for an analyst who’s performing such investigations.
QSM is a commercial application by ScienceSoft with some of its functionality available for free. A QSM license is required to export all session results to Excel and to open particular session information in the QRadar UI (a drill-down feature).
QSM Session Manager is officially available at IBM Security App Exchange.