Aug 21 2017

One of the questions that I get about QRadar is how to write a case-insensitive regex. A common example is matching every capitalisation of the word “administrator” in the username field.

In most programming languages and regex engines there are two ways of doing this, both using the “i” (ignore-case) flag: an inline flag at the start of the pattern, or a modifier after the closing delimiter.

(?i)administrator

/administrator/i

However, neither of these options works in QRadar as of now, and there is an open ticket for it with the QRadar team:

IV98710: ATTEMPTING TO USE THE VALID REGEX (?I) (FOR CASE INSENSITIVE) IN A CUSTOM PROPERTY FAILS WITH “REGEX IS INVALID”

As a workaround, you can use character classes in your regex to cover all the possible variations: each letter of the word is replaced by a class containing its lower-case and upper-case form. Below is an example of how to cover all the possible variations of the word “administrator”.

[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]
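To build this workaround pattern for any word and confirm that it really matches every case variant (and only the word itself), here is an added Python example; it is not code from the post or from QRadar. The `user=` field layout and the sample events are constructed for the example, and the capture group mimics what a QRadar custom property extracts.

```python
import itertools
import re
import string


def case_insensitive_class(word):
    """QRadar workaround: replace each ASCII letter with a class like [aA].
    Non-letters (digits, '.', '@', ...) have no case, so they are regex-escaped
    and kept as literals instead of being wrapped in a class."""
    parts = []
    for ch in word:
        if ch in string.ascii_letters:
            parts.append("[" + ch.lower() + ch.upper() + "]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def matches_all_case_variants(word, pattern):
    """Exhaustively check every upper/lower spelling of `word` against `pattern`
    WITHOUT re.IGNORECASE (which is exactly the flag QRadar rejects).
    'administrator' has 13 letters, so 2**13 = 8192 variants are tried."""
    compiled = re.compile(pattern)
    choices = [(c.lower(), c.upper()) if c in string.ascii_letters else (c,)
               for c in word]
    return all(compiled.fullmatch("".join(variant))
               for variant in itertools.product(*choices))


def username_property_regex(word):
    """Mimic a QRadar custom property: one capture group holds the value.
    The 'user=' key and the whitespace/end-of-line terminator are assumptions."""
    return r"user=(" + case_insensitive_class(word) + r")(?:\s|$)"


# Constructed sample events (not real QRadar payloads).
SAMPLE_EVENTS = [
    "Login OK user=Administrator src=10.0.0.5",
    "Login OK user=ADMINISTRATOR src=10.0.0.9",
    "Login FAIL user=administrator src=10.0.0.7",
    "Login OK user=jsmith src=10.0.0.3",
    "Login OK user=administrator2 src=10.0.0.8",  # must NOT match: longer name
]


def extract_admin_usernames(events, word="administrator"):
    """Return the captured username from each event whose user= value is a
    case variant of `word`; other usernames are skipped."""
    pattern = re.compile(username_property_regex(word))
    return [m.group(1) for m in map(pattern.search, events) if m]
```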
Sep 20 2012

As QRadar needs both the certificate (public key) and the private key in clear-text PEM format, you should follow the steps below to extract them from a pfx file:

1. The following command exports the private key and saves it in “key.pem”. It prompts for the pfx import password and then for a new PEM passphrase, so the exported key is still encrypted at this point.

# openssl pkcs12 -in filename.pfx -nocerts -out key.pem

2. The following command exports the certificate (public key) and saves it in “cert.pem”.

# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

3. The following command removes the passphrase from the private key and writes the clear-text key to “server.key”.

# openssl rsa -in key.pem -out server.key

Once these steps are done, “server.key” can be imported into QRadar as the private key, and “cert.pem” can be used as the public key.