Integrated Security Solutions

Click roadmap title to expand/collapse roadmap

Systems Integration Architect

The total time required to complete this roadmap is 17h 1m.

A systems integration architect Is responsible for implementing integrated security solutions that support compliance, protect business assets, and combat security threats.

Compliance related integrations

These courses teach how to use security products to meet compliance requirements.

Threat detection and prevention integrations

These courses teach how to use security products to detect and stop threats, manage incident response, and investigate threat data.

Asset protection integrations

These courses show you how to integrate security products to secure cloud environments, protect critical assets, and prevent fraud.

Analyzing Threats Using IBM i2 and IBM QRadar Integration V2

This course demonstrates how IBM i2 Enterprise Insight Analysis (EIA) and IBM i2 Analyst's Notebook can enrich the analysis of an IBM QRadar offense by curating and importing data from several disparate sources into the EIA Information Store. In this use case, data from multiple sources is imported into i2 Analyst's Notebook where you use link analysis to uncover connections and networks among different entities as well as behavior patterns.

Among the topics that you will cover in this course are:

  • Using the Offense Investigator app to bring a QRadar offense into i2 Analyst's Notebook (ANB) and expanding on an offense
  • Connecting to (EIA) from i2 Analyst's Notebook to  to find data using Search and Visual Search tools from the Home toolbar
  • Using Expand and Expand with Conditions to bring linked items from the EIA Information Store into an ANB chart to visualize connections
  • Using i2 Analyst's Notebook analysis tools and the Analyze toolbar features like Search, List Items, Bar Charts and Histograms, Find Connecting Network
  • Bringing data from multiple sources into one analytical investigation to shut down security breaches and to find out who is behind them and why

Carbon Black Response - Integrating with IBM QRadar SIEM

This course includes two technical demonstrations that highlight how Carbon Black Response and IBM QRadar SIEM integrate to quickly detect, respond, and remediate live security incidents. This integration is part of the long standing strategic partnership between Carbon Black and IBM.

Guardium and Resilient integration: Email Connector

Overview

In this video, you will see how to set up IBM Guardium email alerts in an IBM Resilient incident response workflow using the Resilient Email Connector.

How to use IBM X-Force Threat Intelligence and integrate with QRadar SIEM

This course teaches you how to take advantage of the information posted in IBM X-Force Exchange (XFE) platform by using the API, curl tool, and python language.

The course also demonstrates integration between XFE and QRadar SIEM using XFE SDK and direct integration or Threat Intelligence Application and TAXII endpoints.


Objectives

  • Learn how to leverage the X-Force Exchange API, curl tool, and python scripts to pull threat data from the X-Force Exchange platform
  • Install the Threat Intelligence app in QRadar SIEM
  • Test the API using online documentation
  • Use curl commands and the X-Force Exchange API documentation to simulate browser requests
  • Write a python script that uses X-Force Exchange API code
  • Use TAXII feeds, collections, and the QRadar Threat Intelligence app to integrate the X-Force Exchange API and QRadar SIEM
  • Configure threat data feeds to monitor and detect ransomware outbreaks


IBM Guardium and IBM QRadar SIEM Closed Loop integration

This lab demonstrates bidirectional integration of IBM® QRadar® SIEM and IBM® Guardium®.  QRadar SIEM collects the logs from various devices in enterprise networks.  The logs are received through connectors called Device Support Module (DSM).  QRadar has a DSM for Guardium. That DSM enables QRadar to receive and process logs from Guardium.

Alternatively, Guardium has an API that provides an option for QRadar to react to certain events detected by QRadar, and send Guardium those commands to adjust the database policy to properly react to the event.  For example, if QRadar detects that the source IP from an internal network is communicating with an IP address classified as the Botnet Server, it can send a command to Guardium to block any access to the database from the same IP address.  The call from QRadar to Guardium can be done using the Custom Actions feature of QRadar or using IBM Security Directory Integrator® (IDI) that acts as the proxy; transforming various events from QRadar into Guardium API calls.

This IDI solution uses custom developed code that IBM provides as-is without any support and maintenance commitments. You can download the code from the Security Learning Academy in the Additional Resources section of this course.


Integrating IBM Guardium and IBM Identity Governance and Intelligence to support the GDPR initiative on structured data

This learning module demonstrates the integration of IBM Guardium and IBM IGI products to support the GDPR compliance initiative on structure data. The solution provides a custom developed AssemblyLine that runs in IBM Directory Integrator (IDI), and an IBM Identity Governance and Intelligence (IGI) Custom Adapter that requires IBM Directory Server and IDI to run.

The integration goal is to identify GDPR sensitive data using a provided sample database using IBM Guardium. Guardium then exports a report that contains users who have access to tables with GDPR relevant data. Then, the IGI Custom Adapter imports these reports into IGI for further compliance and access management.

The course provides a lab environment where the integration can be tested and demonstrated.

Also, if you do not have time to run the lab, you can review the videos that demonstrate all steps in the lab.

The additional learning section provides a custom AssemblyLine and a custom IGI adapter as-is with no IBM support. You can provide feedback to the Security Learning Academy if you have any issues with the code.

Using IBM X-Force Indicators of Compromise in QRadar

IBM Security X-Force continuously monitors threats and contributes to the X-Force collections with Indicators of Compromise (IoC). Some of the X-Force collections and threat intelligence data are public and some is premium. To effectively search and discover malicious activity in your organization based on X-Force threat intelligence, you can use the "Am I Affected" feature. To continuously and proactively monitor IBM Security QRadar events and receive X-Force threat intelligence data, install and configure the free Threat Intelligence app from the IBM Security App Exchange. This video describes those integrations that use the X-Force threat intelligence data related to malicious threats associated with the COVID-19 pandemic.


MaaS360 and QRadar SIEM integration

This video series demonstrates integration between IBM MaaS360 and IBM QRadar SIEM. It includes the following demonstrations:

  • MaaS360 and QRadar Integration overview
  • Sending MaaS360 events to QRadar SIEM
  • Installing the MaaS360 app
  • Using QRadar Action Script with MaaS360 API

Prerequisites: This video series assumes that you have the following skills:

  • Basic knowledge of QRadar SIEM concepts
  • Basic knowledge of the MaaS360 portal
  • Basic knowledge of Python scripting

For more information about these topics, visit the QRadar SIEM and MaaS360 roadmaps in the Security Learning Academy.


Protecting sensitive data from privileged users

This self-paced learning content represents an integration scenario that uses IBM Privileged Identify Manager (PIM), IBM Guardium, IBM Network Protection (XGS), IBM QRadar, and IBM Directory Integrator (IDI). The course includes three videos that depict a database administrator interacting with the system. Watch the videos in the following order:

1)     Testing Initial PIM and Guardium Setup – This video shows the basic functionality of PIM and Guardium without implementing integration between them.

2)     Testing PIM and Guardium Integration – This video shows the benefits of integrating PIM and Guardium. There is no direct integration path between the two products. QRadar and IDI are used to bridge integration gaps between PIM and Guardium.

3)     Testing a Complete Integration Solution– This video shows a fully integrated security solution. It includes the XGS appliance that terminates any existing connection from the database administrator workstation to the database server.

This course also includes an Integration Guide that documents the configuration steps necessary to integrate the products. It also includes the IDI.zip file that contains the custom files, including developed IDI assembly lines, necessary to successfully implement this integration scenario.

QRadar and AppScan integration

This course shows you how to integrate a scanner, such as IBM Security AppScan, with QRadar SIEM. This integration can help you correlate vulnerabilities discovered by the scanner with other log sources, such as IBM XGS, to protect your network assets from the attack at the application level.

Resilient and QRadar Advisor integration topics

Overview

  • Part 1 demonstrates the integration of QRadar Advisor with Watson with Resilient functionality. QRadar with Watson provides artificial intelligence to automatically investigate and provide insights to threat indicators and related entities. Integration with Resilient allows the security analyst to automatically track and enrich incident artifacts and reporting.
  • Part 2 demonstrates how to use Resilient as a workflow automation tool to enhance the analyst's ability to manage the response to the more complex threats that require more than the actions allowed directly from within QRadar.


Using IBM Security products to manage user activity on the network

IBM Security products can be used to manage user activity on the network. This course focuses on using IBM XGS, Identity Manager, and Directory Integrator to control user access.

Using IBM X-Force Deep Packet Inspection in the IBM Security Access Manager Appliance

This course demonstrates how IBM X-Force PAM engine works in IBM Security Access Manager (ISAM) appliance. The course is the how-to lab guide with the set of virtual machines that students can explore on they own time.

IBM Security Secret Server and QRadar integration
NEW

This course demonstrates integration between IBM Security Secret Server and IBM Security QRadar SIEM. You use Secret Server to manage privileged user account activity, which is reported to QRadar in syslog events.

In the course demonstration, syslog CEF logging is enabled in Secret Server, and QRadar is configured to parse and normalize the events that are received from Secret Server. As part of the course, a custom content extension is provided, which contains over 170 mapped events from the Secret Server. In addition, the extension has one custom rule, two reference sets, two custom search queries, and one log source type named SecretServer_SLA.
The purpose of this custom extension is to show how Secret Server can help you investigate some critical activities.


Carbon Black Response - Integrating with IBM Resilient

This video is a technical demonstration in which IBM Resilient and Carbon Black Response detect, respond, and remediate a live security incident. This integration is part of the long standing strategic partnership between Carbon Black and IBM.

Duration: 13 minutes
Closed captions: English, French, German, Spanish and Japanese

Carbon Black Response - Integrating with IBM Resilient and IBM QRadar SIEM

This video is a technical demonstration of the integration between Carbon Black Response, IBM Resilient, and QRadar to detect, respond, and remediate a live security incident. This integration is part of the long standing strategic partnership between Carbon Black and IBM.

LDAP Essentials

This course consists of a set of videos related to basic LDAP topics. The course is focused on IBM Security Directory Server, but the concepts are applicable to any LDAP v3 compliant directory. You learn about LDAP suffixes, directory information tree, object classes and attributes. The videos demonstrate basic LDAP commands: search, add, modify and delete. The video also explains concept of LDIF flies.

Protecting Office365 with IBM Security Verify (Cloud Identity) and MaaS360

This video walks you through how to secure access for Office365 with IBM Security Verify (Cloud Identity) and MaaS360. Along with the end to end demonstration, this video also covers the following topics:

  • Why protect access to Office365
  • Requirements for securing Office365
  • Architecture overview for on mobile and an unmanaged device
  • Configuration steps to secure Office365

Duration: 35 minutes

Investigating user behavior with QRadar Security Intelligence

In this lab, you learn how to use the User Behavior Analytics for QRadar (UBA) application to detect anomalous or malicious behavior. The lab comes with UBA already installed and configured. You learn to use the QRadar UBA Dashboard and how the application can help you detect malicious user behavior.  The lab also walks you through the investigation process and demonstrates the integration with QRadar Advisor with Watson. The QRadar Advisor with Watson app is also already installed and configured in the lab. To learn more about QRadar Advisor with Watson, visit the dedicated section in the Security Learning Academy, where you can run the lab that is focused on QRadar Advisor with Watson. Finally, the lab walks you through tuning the rules for user risky behavior by configuring the senseValue parameter.



Building the MITRE ATT&CK Framework into your Resilient Incident Response

The MITRE ATT&CK Framework is a globally-accessible knowledge base of advisory tactics and techniques based on real-world observations.

The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and services community.

This video provides and overview of the MITRE ATT&CK Framework, followed by a discussion of how IBM Resilient and other IBM Security products use MITRE ATT&CK with a live demonstration and a Q&A.


Configuring Verify (Cloud Identity) and ADFS for zero-touch authentication in MaaS360

In this lab, you explore integrating IBM MaaS360, IBM security Verify (Cloud Identity), and Active Directory Federation Service (ADFS). In this scenario, Cloud Identity acts as an alternate IaaS (Identity as a Service) provider to ADFS so when ADFS detects a mobile device user, it redirects the authentication request to Cloud Identity. Cloud Identity works with MaaS360 to manage device compliance and enrollment requirements. This lab walks you through integrating all 3 tools in a cohesive, zero-touch, architecture that does not impact your business operations.



Troubleshooting Resilient and QRadar Integration Open Mic

Experts from the IBM Resilient and QRadar Support teams show the SOC analyst how to safely and effectively troubleshoot their Resilient integration with QRadar when issues arise. This video is a recording of a live Open Mic web seminar originally broadcast on 29-July-2020.

Agenda:

  • How to enable debug and retrieve logs
  • Checking connectivity
  • How to read the logs
  • Using the IBM QRadar API
  • Common errors
  • Opening a case, what next?
  • Questions for the panel


Duration: 26minutes


Protect against ransomware using Guardium Data Encryption and QRadar

This video presented by Jose Bravo discusses a technique to use Guardium Data Encryption and QRadar to help protect against ransomware.

Giving QRadar SOAR Capabilities with CP4S
NEW

In this video, Jose Bravo demonstrates the value that Cloud Pak for Security (CP4S) brings to a QRadar environment. Jose will demonstrate an attack on a Windows system and how QRadar recognizes an offense has occurred and triggers CP4S to take automated remedial action.


IBM Resilient SOAR and IBM QRadar integration
NEW

This lab focuses on the integration of IBM Security Resilient SOAR Platform and IBM Security QRadar SIEM products.
The IBM QRadar SIEM solution helps you monitor and detect security threats. Based on the QRadar correlation rule engine (CRE), the product can generate offenses that require the attention of a security analyst.

Then, to conduct a more comprehensive investigation, you can bring offenses to the Resilient platform as incidents to take advantage of the Resilient playbooks and, if needed, make corrections in QRadar. Also, the integration keeps notes that are related to offenses and incidents in sync on both products, including the closing of offenses and incidents.

Thus, the integration is bidirectional, and according to the previous diagram, it has two components:
  • The IBM Resilient QRadar Integration app
    The app is installed on QRadar. It is responsible for sending the offense, offense details, owner, and artifacts to Resilient as well as synchronizing notes, and synchronizing closure of the incident or the offense on the both platforms.
  • The QRadar Functions for Resilient app
    The app installs on the Resilient App Host. The app can run the searches of QRadar data by using QRadar Ariel Query Language (AQL) and API calls to perform updates of QRadar configuration such as manipulation of the data in the QRadar reference sets.

Some of the topics covered in the lab are:

  • Install QRadar app for Resilient
  • Configure QRadar app for Resilient
  • Customize the Resilient configuration
  • Customize the Jinja templates
  • Configure Custom Actions and synchronization
  • Install QRadar functions for Resilient
  • Create table with artifacts by using the QRadar functions
  • Create action to search QRadar for file hashes from a log source
  • Test the apps integration and customization using the QRadar offenses