
Step 4 Enter values for the parameters:

Packet collisions Type the threshold number of collisions that occur per second while transmitting packets. The default setting is 1.

Dropped receive packets Type the threshold number of received packets that are dropped per second due to a lack of space in the buffers. The default setting is 1.

Dropped transmit packets Type the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers. The default setting is 1.

Transmit carrier errors Type the threshold number of carrier errors that occur per second while transmitting packets. The default setting is 1.

Receive frame errors Type the threshold number of frame alignment errors that occur per second on received packets. The default setting is 1.

Receive fifo overruns Type the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets. The default setting is 1.

Transmit fifo overruns Type the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets. The default setting is 1.

Table 5-17 Global System Notifications Parameters (continued)

Parameter Description

Table 5-18 QRadar SIEM Console Parameters

Parameter Description

Console Settings

ARP - Safe Interfaces Type the interfaces you want to be excluded from ARP resolution activities.

Results Per Page Type the maximum number of results you want to display on the main QRadar SIEM user interface. This parameter applies to the Offenses, Log Activity, Assets, Network Activity, and Reports tabs. For example, if the Default Page Size parameter is configured to 50, the Offenses tab displays a maximum of 50 offenses. The default setting is 40. The minimum is 0 and the maximum is 4294967294.

Authentication Settings

Persistent Session Timeout (in days) Type the length of time, in days, that a user system will be persisted. The default setting is 0, which disables this feature. The minimum is 0 and the maximum is 4294967294.

Maximum Login Failures Type the number of times a login attempt can fail. The default setting is 5. The minimum is 0 and the maximum is 4294967294.

Login Failure Attempt Window (in minutes) Type the length of time during which a maximum number of login failures can occur before the system is locked. The default setting is 10 minutes. The minimum is 0 and the maximum is 4294967294.

Login Failure Block Time (in minutes) Type the length of time that the system is locked if the maximum login failures value is exceeded. The default setting is 30 minutes. The minimum is 0 and the maximum is 4294967294.

Login Host Whitelist Type a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-separated list.

Inactivity Timeout (in minutes) Type the amount of time that a user will be automatically logged out of the system if no activity occurs. The default setting is 0. The minimum is 0 and the maximum is 4294967294.

Login Message File Type the location and name of a file that includes content you want to display on the QRadar SIEM login window. The contents of the file are displayed below the current login window. The login message file must be located in the opt/qradar/conf directory on your system. This file may be in text or HTML format.


Event Permission Precedence From the list box, select the level of network permissions you want to assign to users. This parameter affects the events that are displayed on the Log Activity tab. The options include:

Network Only - A user must have access to either the source network or the destination network of the event to have that event display on the Log Activity tab.

Devices Only - A user must have access to either the device or device group that created the event to have that event display on the Log Activity tab.

Networks and Devices - A user must have access to both the source or the destination network and the device or device group to have an event display on the Log Activity tab.

None - All events are displayed on the Log Activity tab. Any user with Log Activity role permissions is able to view all events.

For more information on managing users, see Managing User Roles and Accounts.

DNS Settings

Enable DNS Lookups for Asset Profiles From the list box, select whether you want to enable or disable the ability for QRadar SIEM to search for DNS information in asset profiles. When enabled, this information is available in the right-click menu for the IP address or host name located in the Host Name (DNS Name) field in the asset profile. The default setting is False.

Enable DNS Lookups for Host Identity From the list box, select whether you want to enable or disable the ability for QRadar SIEM to search for host identity information. When enabled, this information is available in the right-click menu for any IP address or asset name. The default setting is True.

WINS Settings

WINS Server Type the location of the Windows Internet Naming Server (WINS) server.

Reporting Settings

Report Retention Period Type the period of time, in days, that you want the system to maintain reports. The default setting is 30 days. The minimum is 0 and the maximum is 4294967294.

Data Export Settings

Include Header in CSV Exports From the list box, select whether you want to include a header in a CSV export file.

Maximum Simultaneous Exports Type the maximum number of exports you want to occur at one time. The default setting is 1. The minimum is 0 and the maximum is 4294967294.


Step 5 Click Save.

Step 6 On the Admin tab menu, click Deploy Changes.
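The four Event Permission Precedence options described in the table above, modeled as an added example that is not QRadar code and not part of the original guide. The class, field and sample names are hypothetical, the sample events are constructed, and device groups are assumed to be flattened into each user's device set.

```python
from dataclasses import dataclass, field

# Added illustration, not QRadar code: every name below is hypothetical.

@dataclass(frozen=True)
class Event:
    event_id: str
    src_net: str
    dst_net: str
    device: str  # device (or device group) that created the event

@dataclass
class User:
    name: str
    networks: set = field(default_factory=set)
    devices: set = field(default_factory=set)  # assumption: groups flattened

def can_view(user, event, precedence):
    """Apply one Event Permission Precedence option to a single event."""
    net_ok = event.src_net in user.networks or event.dst_net in user.networks
    dev_ok = event.device in user.devices
    if precedence == "Network Only":
        return net_ok
    if precedence == "Devices Only":
        return dev_ok
    if precedence == "Networks and Devices":
        return net_ok and dev_ok
    if precedence == "None":
        return True  # any user with Log Activity permissions sees everything
    raise ValueError(f"unknown precedence: {precedence!r}")

def exposure_report(user, events):
    """Map each option to the event IDs the user would see on Log Activity."""
    modes = ["Network Only", "Devices Only", "Networks and Devices", "None"]
    return {m: [e.event_id for e in events if can_view(user, e, m)]
            for m in modes}

# Constructed sample data for the illustration.
EVENTS = [
    Event("e1", "DMZ", "Internet", "fw-edge"),
    Event("e2", "Finance", "DMZ", "fw-core"),
    Event("e3", "Finance", "HR", "fw-core"),
]
ANALYST = User("dmz_analyst", networks={"DMZ"}, devices={"fw-core"})

if __name__ == "__main__":
    for mode, ids in exposure_report(ANALYST, EVENTS).items():
        print(f"{mode:22} {ids}")
```

Running the report for each role before changing the setting shows which events become newly visible; Networks and Devices is the narrowest option and None the widest.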

Managing Custom Offense Close Reasons

When a user closes an offense on the Offenses tab, the Close Offense window is displayed. The user is prompted to select a reason from the Reason for Closing list box. Three default options are listed:

• False-positive, tuned

• Non-issue

• Policy violation

Administrators can add, edit, and delete custom offense close reasons from the Admin tab.

This section includes the following topics:

• Adding a Custom Offense Close Reason

• Editing Custom Offense Close Reason

• Deleting a Custom Offense Close Reason

Adding a Custom Offense Close Reason

When you add a custom offense close reason, the new reason is listed on the Custom Close Reasons window and in the Reason for Closing list box on the Close Offense window of the Offenses tab.

To add a custom offense close reason:

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration.