QRadar SIEM Courses (87):

Configuring the QRadar log source parsing order

In this video, you learn about log source parsing order and how to manage it. See how to solve parsing problems by changing the log source parsing order and how to reduce parsing problems.

Log source autodetection and properties with the QRadar DSM Editor

In this video, you review how to use the DSM Editor to select a log source type, configure property parsing, and create new event categories and mapping. You also examine the new features of the QRadar DSM Editor, which are contained in the Configuration section. 

This video focuses on the new features: log source autodetection and properties. These features are available with QRadar SIEM 7.3.2.

Log source concepts - protocols and Device Support Modules

This course focuses on two conceptual log source components. Protocols, which ingest event data into the QRadar ecosystem, and Device Support Modules, which act on this ingested data. You will learn about the roles of these components, and how they are aligned in the event pipeline.

Maintaining QRadar 101 - Open Mic

This video is intended for new administrators, or users, who have inherited QRadar responsibilities in their organization and want a crash course on how to maintain and manage QRadar. The goal of this video is to give administrators an idea, of what to review on a daily, weekly, and monthly basis to prevent support calls and understand QRadar as a new administrator. 

This IBM QRadar Support Open Mic session was recorded on Thursday, 25 April 2019.

QRadar Planning and Installation Guide

With the advances of technology and the occurrence of data leaks, cyber security is a bigger challenge than ever before. Cyber attacks evolve as quickly as the technology itself, and hackers are finding more innovative ways to break security controls to access confidential data and to interrupt services. Hackers reinvent themselves using new technology features as a tool to expose companies and individuals. Therefore, cyber security cannot be reactive but must go a step further by implementing proactive security controls that protect one of the most important assets of every organization: the company's information.

This IBM Redbooks publication provides information about implementing IBM QRadar SIEM and protecting an organization's networks through a sophisticated technology, which permits a proactive security posture. It is divided in to the following major sections to facilitate the integration of QRadar with any network architecture:

  •     "Before the installation" provides a review of important requirements before the installation of the product.
  •     "Installing IBM QRadar V7.3" provides step-by-step procedures to guide you through the installation process.
  •     "After the installation" helps you to configure additional features and perform checks after the product is installed.

QRadar Sysmon QRadar Sysmon and Windows Endpoint Detection - Open MicOpen Mic

In this Open Mic you learn about the enhanced Windows endpoint monitoring capability with Sysmon and QRadar. The IBM Security Support explains why you want to use Sysmon, and how to properly set it up.

How coalescing works in QRadar

In this video, you learn how coalescing works in IBM QRadar. 

QRadar foundations - Assets

To properly understand and use the capabilities of QRadar SIEM beyond the basic concepts, it is important to learn about assets. In this course, you learn how assets can be discovered and then dynamically updated by QRadar, including network information, running applications and services, active users, and vulnerabilities.

QRadar foundations - Rules and Offenses

In this video, you learn about how QRadar rules perform tests on events, flows, or offenses. If all the conditions of a test are met, the rule generates a response.

QRadar SIEM includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. 

The following list describes the two rule categories:

  • Custom rules perform tests on events, flows, and offenses to detect unusual activity in your network
  • Anomaly detection rules perform tests on the results of saved flow or event searches to detect when unusual traffic patterns occur in your network

QRadar WinCollect Troubleshooting Open Mic

In this QRadar WinCollect Troubleshooting Open Mic video, you will learn about the following topics:

  • About WinCollect
  • Managed vs standalone deployment
  • Troubleshooting tuning issues 
  • Error messages 
  • General WinCollect troubleshooting 
  • Troubleshooting with IBM Support 
  • Q&A
This Open Mic session was recorded on 21 September 2018.

Developing log source types in QRadar SIEM

Device Support Modules (DSM) enable QRadar SIEM to normalize events from raw logs received from various source types. These events must be parsed, normalized, and correlated into offenses to alert you to suspicious activities. In these exercises, you use the DSM Editor to create a log source type for an unknown source of events. You also configure the new log source type to parse and normalize its properties and create unique identifiers and mappings so that QRadar SIEM can name, rate, and categorize the events from the unkown log source.

QRadar foundations - Flows

In IBM QRadar SIEM, you can investigate the communication sessions between two hosts.

If the content capture option is enabled, the Network Activity tab displays information about how network traffic is communicated and what was communicated. Using the Network Activity tab, you can do the following tasks:

  • Investigate the flows that are sent to QRadar SIEM in real time
  • Search network flows
  • Monitor network activity by using configurable time-series charts

Deploying managed QRadar WinCollect agents

WinCollect is a syslog event forwarder that collects Windows-based events from local and remote Windows-based systems and sends them to QRadar for processing and storage. In this video you learn about the two different WinCollect deployment models and how to manage them.

Using the table of contents menu in the video you can navigate to each one of these topics individually, or you can explore the content altogether:

  • WinCollect overview
  • WinCollect deployment models
  • Installing and configuring a managed deployment
  • Generating an authentication token
  • WinCollect agent GUI installation
  • WinCollect agent command line installation
  • Upgrading all WinCollect agents to V7.2.8
  • Troubleshooting a faulty WinCollect installation

QRadar foundations - Events

With IBM QRadar SIEM, you can monitor and display network events in real time or perform advanced searches.

The Log Activity tab displays event information as records from a log source, such as a firewall or router device. Use the Log Activity tab to do the following tasks:

  • Investigate events that are sent to QRadar SIEM in real time
  • Search events
  • Monitor log activity by using configurable time-series charts
  • Identify false positives to tune QRadar SIEM

QRadar domains and tenants Open Mic

In this QRadar Open Mic you learn about domains and tenants, and how these concepts are implemented and used. You also hear about tips and other helpful information for QRadar administrators.

Using the IBM Disconnected Log Collector to collect and forward logs to QRadar

In this video, you learn how to set up and use the IBM Disconnected Log Collector (DLC), which is a free-of-charge event collector that can work independently of QRadar.

QRadar Software Updates and Best Practice Admin Checklist Open Mic

This IBM Support Open Mic video covers topics around QRadar software updates and a best practice admin checklist.

  • Before you begin 
  • Patch and upgrade checklist 
  • Firmware 
  • Troubleshooting
  • Reference

QRadar License Management event and flow processing capacity

The capacity of a deployment is measured by the number of events per second (EPS) and flows per minute (FPM) that IBM QRadar can collect, normalize, and correlate in real time. The event and flow capacity is set by the licenses that are uploaded to the system. In this video, you learn about the features of managing the license event and flow capacity.

  • Define functions of event and flow processing capacity, such as shared license pool, capacity sizing, and internal events
  • Define burst handling

QRadar Log Source Management App

Managing log sources is one of the everyday challenges in QRadar administration, which can be quite time consuming. The Log Source Management App can help facilitate these tasks more efficiently. This video course shows the features of version 3.0 of this app.

The course objectives are:

  • Searching, filtering, and sorting capabilities
  • Bulk editing
  • Bulk deleting
  • Adding new log sources using csv-file upload

Overview of Building Blocks in QRadar SIEM

In this video, you learn how to create building blocks and how they differ from QRadar custom rules. You will be able to leverage building blocks for their typical purposes of reducing complexity and resource consumption, facilitating reuse of functionality and information, as well as reflecting your organization's IT environment.

How to configure rule actions in QRadar SIEM

Similar to the if-then statement in programming languages, custom rules consist of a boolean operation and statements. If the QRadar custom rule engine (CRE) evaluates the boolean operation to true, then the CRE performs the configured rule actions and rule responses. This course addresses the following rule actions:

  • Changing severity, credibility and relevance of the event or flow
  • Adding the event or flow to an offense
  • Annotating the event or flow
  • Dropping the event or flow by rule action and routing rule

Experience Center - Demonstration of Threat Simulator use cases

Threat Simulator is part of the QRadar Experience Center App. It contains five use cases for common threats, and for each of them, it generates a set of pre-defined logs in real time. These logs are displayed on the Log Activity tab of the Console as they are being received so that you can learn how to analyze them.

In this course, you learn how to run and analyze the results of each use case in the Threat Simulator.

QRadar SIEM - Deploying an App Node

This video course explains how to set up an App Node server that is separate from your QRadar Console to offload the processing of apps in your deployment.

QRadar Log Source Protocols - Open Mic

This IBM Security Support Open Mic video explains how QRadar uses log source protocols to collect event data, capturing configuration properties, error messages, and other use cases for data collection.


  • Events FAQ and terminology
  • Listening protocols (Syslog)
  • Polling protocols (JDBC / Log File)
  • Tips and performance Suggestions
  • Specialty protocols (APIs)
  • Questions and discussion

Creating custom log sources in QRadar SIEM

Custom log sources enable QRadar SIEM to normalize events from raw logs that have been received from various source types. These events must be parsed, normalized, and correlated into offenses to alert you to suspicious activities. Based on a business scenario, you will learn how to perform each step in the process of creating custom log sources.


QRadar Flow Tutorial

QRadar collects network activity information, or what is referred to as "flow records".  Flows represent network activity by normalizing IP addresses, ports, byte and packet counts, as well as other details, into "flows", which effectively represent a session between two hosts. QRadar can collect different types of flows, which differ greatly in the collected details. In this video series, we explain and demonstrate the differences between the following network flow capture mechanisms:

  • Cisco Netflow
  • QRadar QFlow
  • QRadar Network Insights (QNI)

Determining indicators for threat detection with QRadar SIEM

With indicators of compromise or concern, you specify which activities you consider suspicious. Derive indicators from threat modeling while considering which kind of data QRadar SIEM can use to test for indicators. This course addresses the following topics:

  • Getting started with threat modeling
  • Using observables for indicators
  • Using context for indicators
  • Using external data for indicators 

QRadar Apps: A Round Table Open Mic

In this QRadar Open Mic, members of the IBM QRadar Support and Development teams discuss and demonstrate the following QRadar Apps:

  • Pulse App
  • QRadar DNS Analyzer
  • Log Source Management App
  • QRadar Assistant App

This Open Mic has been recorded on Tuesday, 28 August 2018.

Using IBM QRadar SIEM

IBM QRadar SIEM enables you to minimize the time gap between when a suspicious activity occurs and when you detect it. Attacks and policy violations leave their footprints in log events and network flows of your IT systems. QRadar SIEM connects the dots and provides you insight by performing the following tasks:

  • Alerts to suspected attacks and policy violations in the IT environment
  • Provides deep visibility into network, user, and application activity
  • Puts security-relevant data from various sources in context of each other
  • Provides reporting templates to meet operational and compliance requirements
  • Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use


The exercises in this lab provide a broad introduction into the features of QRadar SIEM. The exercises cover the following topics:

  • Navigating the web interface
  • Investigating a suspicious activity
  • Creating a report
  • Managing the network hierarchy

Utilizing the Log Event Extended Format (LEEF) in QRadar

The Log Event Extended Format (LEEF) is a customized event format for IBM QRadar that contains readable and easily processed events for QRadar.  In this video, you learn what LEEF is, what its main components are, how to customize it, and finally, you see an example of what a LEEF event looks like in your QRadar Console.

QRadar Tuning Part 1 - Overview and Networking

IBM QRadar needs to provide precise information about captured log events and network flows that have been collected within your network. It can only do that sufficiently after you provided enough contextual information about your network hierarchy and assets. 

This video series describes how to properly tune the following networking aspects:

  • Introduction to QRadar and Tuning
  • Domain Management
  • Network Hierarchy Basics
  • Structuring your Network Hierarchy
  • Keeping the Network Hierarchy Updated

Introduction to Custom Action Scripts

Attach scripts to custom rules to do specific actions in response to network events. Use the Custom Action window to manage custom action scripts. Use custom actions to select or define the value that is passed to the script and the resulting action.

QRadar foundations - Data retention

This course teaches you how to configure a QRadar Retention Bucket within QRadar Administration. First, you learn about QRadar data retention and how to retain event and flow data in IBM QRadar. Then, you run an interactive simulation to configure QRadar Retention Buckets.  

Using QRadar SIEM license management

License keys entitle you to specific IBM QRadar products, and control the event and flow capacity for your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such as QRadar Vulnerability and Risk Manager. After you apply the license keys to QRadar, redistribute the EPS and FPM rates to ensure that each of the managed hosts is allocated enough capacity to handle the average volume of network traffic.

In this video, you learn about the features of managing licenses in QRadar SIEM.

Overview of using threat intelligence data with QRadar SIEM


Rules can use threat intelligence data from sources outside your organization to test for known threats. Learn about the options to leverage threat intelligence data and make an informed decision on how to get started. This course addresses the following topics:

  • Describe how threat intelligence data fits into the bigger picture
  • Use external data
  • Use built-in Remote Networks
  • Use X-Force threat intelligence feeds

Duration:  9 minutes

Revision:  1.0

QRadar Tuning Part 2 - Assets, Rules, and False Positives

IBM QRadar needs to provide precise information about captured log events and network flows that have been collected within your network. It can only do that sufficiently after you provided enough contextual information about your assets, rules, and how to handle false positives. 

This video series describes how to properly tune the following aspects:

  • Server Discovery and Host Definition
  • The Basics of Rules and Building Blocks
  • Content Packs and the QRadar Assistant App
  • SIEM Tuning Report
  • False Positive Tuning

Developing efficient rules in QRadar SIEM

Each QRadar Custom Rules Engine instance evaluates hundreds of test conditions on thousands of events and flows per second in real-time. The resource consumption of testing can cause a high system load so that real-time processing degrades. Therefore, rule developers need to consider the computational cost of tests and optimize accordingly. This guide helps rule developers to write efficient custom rules and building blocks.

Planning your migration from QRadar App Node to App Host

For QRadar SIEM 7.3.2, an App Host can take over the running of apps. The App Host replaces the App Node that was available in previous versions of QRadar SIEM. Migrating from App Node to App Host is a part of the upgrade from QRadar 7.3.0 or 7.3.1 to QRadar 7.3.2. If you are running App Node, you must perform the migration because App Node is not supported on QRadar 7.3.2 and later.

The first part of this course walks you through the steps to upgrade and migrate from an App Node to an App Host.

In the second part, Jose Bravo performs an actual migration on a test system.

Getting started with QRadar Deployment Intelligence

QRadar Deployment Intelligence is a monitoring application built to give users a birds-eye-view of the health of their QRadar deployment. The app consolidates the following historical data points on a per-host basis: 

  • Status
  • Up-time
  • Notifications
  • Event and flow rates
  • System performance metrics
  • QRadar specific metrics and more

In this course, you learn how to use the interactive app, by first displaying initial overviews for all hosts, and then drilling down and investigating specific hosts to see detailed health and status information.

Using QRadar SIEM backup management

You can back up and recover IBM QRadar configuration information as well as event and flow data by using the backup and recovery feature. However, you must restore event and flow data manually. There are two types of backups: configuration backups and data backups.


  • View backup archives
  • Create an on-demand configuration backup archive
  • Delete a backup archive
  • Schedule nightly backup
  • Import a backup archive

Local versus global rules in QRadar SIEM

Stateful tests in rules, which are configured as local, are evaluated by the CRE instance that receives the events and flows. Stateful tests in rules, which are configured as global, are evaluated by the CRE instance on the Console. In this course you learn about both of these options, which allows you to make an informed decision on whether to configure a rule as local or global. This course addresses the following topics:

  • Configuring rules as local or global
  • Examining the effects on rules with only stateful tests
  • Examining the effects on rules with only stateless tests
  • Examining the effects on rules with both stateful and stateless tests
  • Examining the effects on rule responses
  • Considering pros and cons

Creating reports in QRadar SIEM

Reports in IBM QRadar SIEM condense data to statistical views on your environment for various purposes, in particular to meet compliance requirements. In this lab, you run an a report from an existing template, then create a new report based on a saved search, and finally create a new report from a new search.

Developing Anomaly Detection Rules in IBM QRadar SIEM

Anomaly detection aims to alert to threats that are undocumented and therefore cannot be detected by methods that monitor for well defined indicators. Such threats can be detected by monitoring for an unusual volume of activities. With IBM® QRadar® SIEM, create anomaly detection rules to monitor for deviations from the baseline of expected activities.

In these exercises, you develop an anomaly detection rule of type Anomaly. It tests for the deviation of the number of events matching a grouped search from the weighted moving average. The rule fires in the exercise because the sample data spikes above the deviation percentage configured in the anomaly rule.

License management in QRadar SIEM

License keys entitle you to use specific IBM QRadar products and control the event and flow capacity for your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such as QRadar Vulnerability Manager.

This self-paced course provides you the foundations of license management, their components, and explain how they are managed within QRadar.

Course Objectives

  • Define ways to upload and maintain license keys in the QRadar SIEM console.
  • Obtain hands-on experience with viewing license details, uploading a license key, allocating a license key to a host, deleting licenses, and exporting license information.

QRadar Tuning Part 3 - Open Mic

In this video, a panel of IBM QRadar experts talk about tuning QRadar, focusing on the following:

  • Network hierarchy
  • Host definition building blocks and reference data
  • Server discovery
  • QRadar content extensions
  • Tuning methodology
  • False positive rules

QRadar SIEM - Installation and Upgrade Management

QRadar administration encompasses many different tasks. The installation and upgrade management course provides information about the following topics:

  • QRadar Installations and Upgrades - Best Practices Open Mic (2014)
  • Replacing a QRadar Console in your deployment
  • Replacing a Managed Host in your deployment (non-HA)
  • Installing a QRadar content pack from IBM Fix Central
  • Performing a QRadar v7.3 software installation on your own appliance
  • Performing a clean install of QRadar v7.3
  • Upgrading to QRadar v7.3
  • Upgrading QRadar Appliances in parallel
  • Migrating a console to a new QRadar appliance with the same IP address
  • YUM vs RPM Installation commands in QRadar
  • How to mount an ISO image using IMM

QRadar 7.3.1 Feature Discussion Open Mic

Jonathan Pechta and Chris Fraser from QRadar Technical Support deliver this Open Mic LIVE at the 2018 Think conference that focuses on discussing the new features available in QRadar 7.3.1.

Why QRadar SIEM?

In this set of videos, we introduce the powerful capabilities of IBM QRadar SIEM.

  • The first video depicts how data is ingested into the QRadar environment by collecting log information, network flow data, and vulnerability information. You learn about the asset model, and how the QRadar rules are used to create actionable offenses. In addition, the video explains the integration with IBM BigFix, as well as QRadar Risk and Vulnerability Manager.
  • The second video starts off by explaining the concepts of QRadar Reference Sets and how to use them. It then takes a look at the forensic capabilities, and briefly introduces the deployment architecture.
  • The third video focuses on integration capabilities between QRadar and IBM BigFix, IBM Guardium, network intrusion prevention systems, IBM Trusteer, IBM Identity Manager, and IBM mainframe SMF records,
  • After a brief recap of the QRadar fundamentals, the fourth video explains many of the new capabilities that have been recently added to QRadar. These include the new appliances QRadar Network Insights, the Data Node, and the App Node. It then provides an overview of the QRadar API and the App Exchange, and takes a closer look at some of the available app extensions, including the BigFix App, User Behavior Analytics, Sysmon integration, and the QRadar Advisor with Watson. Finally, it introduces the new DSM Editor.
  • Collecting and investigating network flows is one of the outstanding QRadar capabilities. The final video explains how QRadar approaches network flows, and how the security analysts benefit from this in their daily investigations.

Managing Custom Rules in QRadar SIEM

In this video we talk about how to enhance and manage the detection capabilities of our IBM QRadar SIEM solution to better adapt to changes in your IT environment and the threat landscape.

  •     Defining rules
  •     Introducing the QRadar rules engines
  •     Enabling rules
  •     Duplicating rules
  •     Editing rules
  •     Creating rules
  •     Navigating rule groups

QRadar Architecture

Understanding the architecture of the IBM QRadar ecosystem is viable for everyone in IT Security who is concerned with solutions within the security immune system. By learning how the central Security Intelligence components are designed to take in and process log events and flow data, you will be better equipped to holistically work as a Security Analyst with IBM QRadar. This course includes three videos:

  1. QRadar functional architecture and deployment models
  2. QRadar SIEM component architecture
  3. Dissecting the flow of a captured event

Sizing and Scoping your QRadar SIEM Deployment Open Mic

In this video, Adam Frank and Robert McGinley from the QRadar team deliver the Open Mic LIVE at the 2018 Think conference, which focuses on sizing and scoping your QRadar SIEM deployment.

QRadar SIEM Investigation - Working with Offenses

An offense represents a security incident related to a suspicious attack or policy violation. As event and flow data passes through QRadar SIEM, it tests different conditions to generate an offense if such tests results are positive.

In this 2-part video course you learn about investigating offenses that are based on either events or flows.

QRadar SIEM - High availability

QRadar administration encompasses many different tasks. The high availability course provides information about the following topics:

  • Adding and removing an HA host
  • Setting an HA host back online

QRadar Cloud Architecture Open Mic

This Open Mic video first explains the different cloud deployment architecture models for IBM QRadar and then spends some time to discuss the installation procedures for various cloud offerings. Take a look at the overall agenda:

  • Third Party Cloud Vendors
  • AWS Deployment Architecture Examples
  • Azure Deployment Architecture Examples
  • Installing QRadar in AWS Today
  • Installing QRadar CE in AWS
  • Installing QRadar in AWS (Soon)
  • Instance Log Ingestion from Auto-Scaling Groups
  • Resources

How to locate rules that triggered in QRadar SIEM

Determining the rules that triggered can provide valuable insight into your IT environment and guide you for further rule development and improvement. In this course, you learn how to gain different perspectives on matching rules.

  • Sorting rules by their contributions to offenses
  • Grouping dispatched events by event name
  • Grouping events by rules that triggered for them
  • Grouping flows by rules that triggered for them
  • Filtering by rules that triggered

QRadar Troubleshooting Lab - Part 1: get_logs

This lab walks you through exporting get_logs from:

  • QRadar SIEM's user interface, or
  • the QRadar server.
The get_logs collect logs so you can troubleshoot issues on your own or you can provide  to IBM QRadar Support for assistance with troubleshooting issues.

QRadar log sources - General configuration tips

This course provides general tips on log source configuration. Learn how to gather information about DSMs. Understand the capabilities of the QRadar UI to configure log sources. See what else can help you do this task and get linked to it.

QRadar Troubleshooting Lab - Part 3: Resource tuning


These labs walk you through advanced troubleshooting for the QRadar software and architecture.

In this set of labs, you will learn how to get processing statistics from the Custom Rules Engine (CRE), determine which processes are using the most QRadar resources, and, create roll up values for time series graphs.

Note: This is an online, interactive lab. You will download and follow the lab guide using the associated elab.


  • Troubleshoot processing issues by using scripts that let you get processing statistics from the CRE and find out what process are using the most QRadar resources.
  • Troubleshoot issues with accumulated data which is used by reports and the time series graphs used in the Dashboard, Log Activity, and Network Activity for aggregated searches.

45 min

Course Revision

QRadar Troubleshooting Lab - IBM QRadar Apps

Use IBM QRadar Apps to extend and enhance your current QRadar deployment with new data and ready-to-use use cases.  A QRadar app is a means to augment and enrich your current QRadar system with new data and functionality. You can download and install other shared apps that are created by IBM, its Business Partners, and other QRadar customers.

QRadar SIEM Advanced Investigation for Windows - Sysmon Use Cases

You can enhance the Windows log collection capability by using a publicly available tool called System Monitor (Sysmon). In combination with QRadar SIEM you can now process much more detailed events to protect your deployment from malicious attacks.

This course contains the following video lessons:

  • Sysmon Introduction 
  • Use Case 1 - Malicious File Injection and Execution 
  • Use Case 2 - In memory attack 
  • Use Case 3 - Base64 encoded data obfuscation 
  • Use Case 4 - Hiding behind a common Windows service process 
  • Use Case 5 - Malicious file injection using encrypted HTTPS 
  • Use Case 6 - Detecting Other Libraries
  • Use Case 7 - Privilege Escalation Detection
  • Use Case 8 - More Privilege Escalation Detection
  • Use Case 9 - Even More Privilege Escalation Detection
  • Use Case 10 - Creating an Admin Account
  • Use Case 11 - Detecting Name Pipe Impersonation
  • Use Case 12 - Detecting Mimikatz
  • Use Case 13 - Sysmon Lateral Movement Detection, Example One
  • Use Case 14 - Sysmon Lateral Movement Detection, Example Two
  • Use Case 15 - Sysmon Lateral Movement Detection, Example Three
  • Use Case 16 - Sysmon Detecting BadRabbit
  • Use Case 17 - Sysmon and Watson chasing BadRabbit

How To Start Writing QRadar Apps

The IBM Security App Exchange is a collaborative platform that can help integrate and utilize the collective knowledge of security professionals through code sharing.  The App Exchange offers enhancements and integration between IBM Security products, and can include other security vendors, such as Trend Micro, Cisco, Qualys, and so on.
The majority of the security integration offerings today is available for the IBM® QRadar® product line.  The IBM Security App Exchange provides an expanded hub of QRadar content. IBM QRadar provides a RESTful API that allows access to the QRadar resources and data.

This lab guide demonstrates the tools that can help you to develop new apps for QRadar.  You can use two type of tools for your app development:

  • QRadar App Editor
  • QRadar SDK

The labs are using IBM QRadar Community Edition, or IBM QRadar CE.

QRadar Troubleshooting - Overview

This video series provides insight to troubleshooting activities for your IBM QRadar deployment.

  • System Notifications and Error Messages (OpenMic)
  • Understanding and troubleshooting IO errors when searching in QRadar
  • How to use tcpdump for troubleshooting in QRadar
  • Collecting QRadar System Logs
  • QRadar Dynamic Systems Analysis

QRadar Deployment Architecture

In this set of videos, we provide you with an overview of the IBM QRadar Deployment Architecture.

  • Part one talks about the different QRadar appliance models and explains how they can be used in a variety of deployment architectures.
  • Part two investigates how to deploy QRadar in remote locations. It also introduces the concepts of high availability, disaster recovery, and deployment options in virtual environments.
  • Part three explains deployment options in cloud-based environments. 
  • The final part compares deployment options for VMware and QRadar on the Cloud (QRoC)

Considering QRadar rule capacity determined by performance analysis

QRadar SIEM routes events and flows directly to storage, if an alarmingly high system load might cause degradation of real-time processing. After this happens, the Custom Rule Engine (CRE) can collect metrics data about rule execution. From this data, the CRE calculates throughput capacities for most enabled custom rules and building blocks. The UI displays the capacities as event and flow rates, and also indicates the level of concern with colored bars.

QRadar 7.3.2 or higher is required to enable this capability.

Using host definition and host reference building blocks in QRadar SIEM

Each event and flow is a record of an activity in you IT environment. For some events, and all flows, this activity includes a network connection. Many rules need to test, if this network connection is approved in your organization. The rules do this by testing whether the event or flow has been tagged by building blocks with names beginning with BB:HostDefinition and BB:HostReference. Their purpose is to signal QRadar SIEM, which network connections are approved in your organization. In this course, you learn how to approve network connections using these building blocks.

QRadar Troubleshooting - Tools

The QRadar SIEM Troubleshooting Tools course contains the following videos:

  • The QRadar SIEM Troubleshooting Tools: Introduction to Log Files Part 1 and Part 2 provides an overview of the various log files available and when to use the each log file for troubleshooting.
  • The QRadar SIEM Troubleshooting Tools: get_logs shows you how to collect logs for troubleshooting. It also details how to use some of the logs in troubleshooting QRadar issues

How to add an App Host to QRadar SIEM

For QRadar SIEM 7.3.2, an App Host can take over the running of apps. The App Host replaces the App Node that was available for previous versions of QRadar SIEM. This course teaches how to add an App Host to a QRadar SIEM 7.3.2 installation.

Advanced Search and Use Cases

This video series introduces the IBM QRadar advanced search capability using the Advanced Query Language, or AQL. 

Part 1 - Quick Filter and UI Searches

Part 2 - AQL Introduction

Part 3 - Where, Group, Having, Order

Part 4 - Counting

Part 5 - Ref Set, Assets and UBA

Part 6 - Health Metrics and X Force

Part 7 - More Health Metrics and API calls

Part 8 - Payload, Indexed and Regex Searches

Developing Custom Rules in IBM QRadar SIEM


For each incoming event and flow, QRadar SIEM evaluates rules to test for indicators that suggest an attack or policy violation. In this lab, you learn how to create custom rules, building blocks, custom event properties, and a reference set to detect an example suspicious activity.


  • Create and use custom event properties
  • Create and use a reference set
  • Add tests to new custom rules and building blocks
  • Leverage function tests
  • Configure rule actions and responses


1 hour

Course Version



QRadar SIEM Log Source Custom Properties

When working with custom QRadar Log Sources, you often have to deal with collected information that falls outside the standard normalized data, and this data might be considered important. The Custom Properties are a way to collect this information and use it for your ongoing for your investigations.

QRadar Detecting Ransomware, Phishing and Malware

In this video series, we investigate various Ransomware, phishing, and malware attack use cases in QRadar.

  • Stopping Ransomware in its tracks
  • Discover Hidden Malware with QRadar
  • QRadar and Bigfix Stop Ransomware
  • Using QRadar and X-Force Exchange to protect against WannaCry ransomeware attack

How to perform Network Analysis using QRadar SIEM Dashboard Items

QRadar dashboard items allow the user to focus on different areas of interest. This step-by-step demonstration introduces how to perform network analysis with dashboard items.

How to navigate the QRadar Experience Center App interface

Use the QRadar Experience Center App to learn about the QRadar capabilities, simulate common threats, work with log samples in real time, and learn how to analyze your logs. The QRadar Experience Center App is designed for educational purposes, and its menu includes useful videos, links, an FAQ section, and more. 

In this video, you learn how to navigate the Experience Center App.

Using AQL for Advanced Searches in IBM QRadar SIEM

The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel databases. You can use AQL to extract, filter, and perform actions on event and flow data that you extract from the Ariel database in IBM Security QRadar. AQL is used for advanced searches to get data that might not be easily accessible from the user interface. This provides extended functionality to QRadar's search and filtering capabilities. In this lab you learn how to utilize AQL for some advanced search tactics inside QRadar SIEM.

QRadar SIEM Operational Tasks

QRadar administration encompasses many operational tasks. In this video series you can learn more about the following topics:

  • Installation and Upgrade Management  
  • High Availability
  • System Configuration
  • Assets
  • Data Sources 
  • Plug-Ins
  • LDAP Authentication Group Based 
  • Authorized Services 


Use the representational state transfer (REST) application programming interface (API) to make HTTPS queries and integrate QRadar with other solutions. In this series of videos you learn how to make best use of the QRadar API. 

QRadar Troubleshooting Lab - Custom Rules

IBM Security QRadar includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.  Custom rules customize default rules to detect this suspicious activity in your network.

QRadar SIEM Integration & Extension

Two major capabilities of QRadar SIEM are to integrate with many other solutions and platforms, and to provide an API platform that can be utilized to build powerful extensions. 

In this video series we focus on the QRadar extension capabilities. We address the following topics: 

  • QRadar App Exchange Foundations
  • QRadar App Development and Troubleshooting (OpenMic)
  • Installation and configuration of the Incident Overview App
  • Configuration of the X-Force Threat Intelligence feed

QRadar SIEM Investigation

Every QRadar SIEM Analyst has to master basic investigations skills. In this video series you learn about the following topics: 

  • Using flexible Searches to narrow down your investigations 
  • Finding Anomalies
  • Monitoring internal Log Sources

QRadar SIEM Advanced Investigation & Use Cases

The QRadar SIEM Analyst has to perform many different tasks when it comes to the investigation of offenses, events, and flows. In this video series you learn about the following topics: - Detecting fraud and account takeover - Detecting communication to a malicious Command & Control Server - Detecting a remote scan followed by attempts to login - Detecting multiple Login Failures to Compliance Server - Detecting Chat to a malicious Site - Detecting UDP scan in flows from an IBM XGS Network Security appliance - Detecting phishing e-mails - Detecting awakening dormant Accounts - Detecting Fraud from a URL with Keyword from a bad IP - Detecting jailbroken iPhones using QFlows - Detecting insider threat - USB inserted and bad website visited

IBM QRadar SIEM Advanced Topics

IBM QRadar enables you to minimize the time gap between when a suspicious activity occurs and when you detect it. Attacks and policy violations leave their footprints in log events and network flows of your IT systems. To connect the dots, QRadar SIEM correlates these scattered events and flows into offenses that alert you to suspicious activities. Using the skills taught in this course, you will be able to thoroughly understand and configure QRadar rules, work with reference data, and create and manage uncommon log sources.


  • Create and manage uncommon log source types
  • Leverage reference data collections
  • Develop and manage custom rules
  • Develop and manage custom action scripts
  • Develop and manage anomaly detection rules
This is a commercial course (BQ203) taught by IBM's network of Global Training Providers.

IBM QRadar SIEM Foundations

IBM QRadar SIEM provides deep visibility into network, user, and application activity. It provides collection, normalization, correlation, and secure storage of events, flows, assets, and vulnerabilities. Suspected attacks and policy breaches are highlighted as offenses. In this course, you learn to navigate the user interface and how to investigate offenses. You search and analyze the information from which QRadar SIEM concluded a suspicious activity. Hands-on exercises reinforce the skills learned.


  • Describe how QRadar SIEM collects data to detect suspicious activities
  • Describe the QRadar SIEM component architecture and data flows
  • Navigate the user interface
  • Investigate suspected attacks and policy breaches
  • Search, filter, group, and analyze security data
  • Investigate the vulnerabilities and services of assets
  • Use network hierarchies
  • Locate custom rules and inspect actions and responses of rules
  • Analyze offenses created by QRadar SIEM
  • Use index management
  • Navigate and customize the QRadar SIEM dashboard
  • Use QRadar SIEM to create customized reports
  • Use charts and filters
  • Use AQL for advanced searches
  • Analyze a real world scenario
This is a commercial course (BQ103) taught by IBM's network of Global Training Providers.

Advanced IBM QRadar App Framework and Troubleshooting

In this self-paced course, you will do a deep dive in the foundations of the IBM QRadar Application Framework components and learn how they are managed within QRadar.


How to use IBM X-Force Threat Intelligence and integrate with QRadar SIEM

This course teaches you how to take advantage of the information posted in IBM X-Force Exchange (XFE) platform by using the API, curl tool, and python language.

The course also demonstrates integration between XFE and QRadar SIEM using XFE SDK and direct integration or Threat Intelligence Application and TAXII endpoints.


  • Learn how to leverage the X-Force Exchange API, curl tool, and python scripts to pull threat data from the X-Force Exchange platform
  • Install the Threat Intelligence app in QRadar SIEM
  • Test the API using online documentation
  • Use curl commands and the X-Force Exchange API documentation to simulate browser requests
  • Write a python script that uses X-Force Exchange API code
  • Use TAXII feeds, collections, and the QRadar Threat Intelligence app to integrate the X-Force Exchange API and QRadar SIEM
  • Configure threat data feeds to monitor and detect ransomware outbreaks

Configuration and benefits of an AWS log source in QRadar

Amazon Web Services (AWS) CloudTrail is a service that enables operational and risk auditing of your AWS account. It collects audit events from Amazon S3 buckets and a Log group in the AWS CloudWatch Logs. CloudTrail allows you to continuously monitor your AWS account activity including actions taken through the Management Console, AWS SDKs, command line, and other services.

QRadar connects through Amazon Web Services' API to retrieve the CloudTrail events, providing event parsing that not only allows for monitoring of your AWS account activity, but also for newly created rules to alert on possible AWS Security violations. AWS-related saved searches are used for reporting, which allows for analyzing trends on policy and user/group changes, and more.

In this video, you learn how to configure QRadar to retrieve logs from an AWS cloud environment source. Two use cases demonstrate how useful this integration can be to your cloud security posture.