QRadar SIEM
QRadar Fundamentals
The total time required to complete this roadmap is 18h 26m.
Overview
Core functionality
Apps
Skill badges
Commercial courses
QRadar SIEM Administrator
The total time required to complete this roadmap is 49h 12m.
Operational Tasks
DevOps
Troubleshooting
Tuning
These courses teach you how to perform basic tuning tasks in your QRadar environment.
QRadar SIEM Analyst
The total time required to complete this roadmap is 24h 34m.
Investigations
QRadar SIEM Architect
The total time required to complete this roadmap is 16h 34m.
Operational Tasks
DevOps
Managed Security Service Providers (MSSP)
The total time required to complete this roadmap is 5h 35m.
MSSP Foundation
Apps integration
In this foundational education event, Brian White, from the IBM Security Learning Academy, presents an introduction to IBM Security QRadar flows and QRadar Network Insights (QNI), and IBM QRadar Support Lead YiFeng You presents solutions to common customer issues with QNI.
During this session, we explain how flows differ from events, and what types of investigations you can perform with flows. We then talk about the QRadar flow pipeline, and how QNI can enhance your flow insights. Next, we look at QNI workflows, including investigations into encrypted traffic. Finally, we discuss common customer issues with QNI and how to resolve them.
Use the guided tips in the IBM Security QRadar Use Case Manager app to help you ensure QRadar is optimally configured to accurately detect threats throughout the attack chain.
In this video, you learn how to explore rules through visualization and generated reports, how to tune your environment based on built-in analysis, and how you can visualize threat coverage across the MITRE ATT&CK framework.
When you send log data to IBM Security QRadar, each event is first parsed by a Device Support Module (DSM) so that QRadar can use the normalized fields for event and offense processing. Sometimes you encounter data that cannot be parsed correctly, or several log sources that share one physical system, and therefore one source address.
In this course, Jose Bravo reviews the basic stages inside a QRadar DSM and explains how events that cannot be parsed or mapped are flagged. He demonstrates how to find the correct parser for your log source, and how to handle the parsing order when you have deployed more than one log source on a physical machine.
Using the attached additional resources, you can run these scenarios on your own QRadar Community Edition (or other QRadar) deployment.
- Introduction
- When parsing does not work
- SIM Generic
- Stored and Unknown
- Parsing order intro and examples
- Syslog redirect
- Property formats
- Setting the lab up
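The outline above names the stages a practitioner keeps tripping over: the parsing order when several log sources share one host, the difference between a Stored event (no DSM claimed it, only the raw payload is kept) and an Unknown event (a DSM claimed it but has no mapping for that event), a syslog redirect that takes the log source identifier from the payload instead of the packet's source address, and custom property formats. The following is an added example, written for this page and not IBM code, that models those stages in a few dozen lines of Python. The log sources, regexes, event names, QID-style mappings and sample payloads are all constructed for the illustration and do not correspond to any real DSM.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified model of the DSM stages named in the course
# outline. Not IBM code: every log source, regex, event name and payload
# below is an assumption made for this illustration.


@dataclass
class LogSource:
    name: str
    identifier: str                  # host or IP the log source is bound to
    matcher: str                     # regex the DSM uses to claim a payload
    event_re: str                    # regex whose group 1 is the event name
    qid_map: dict                    # event name -> low-level category
    properties: dict = field(default_factory=dict)  # custom property -> regex


def log_source_identifier(payload, source_ip, redirect_re=None):
    """Choose the identifier used to look up log sources.

    By default it is the packet's source IP. With a syslog redirect the
    identifier is pulled from the payload, so events forwarded by a relay
    are attributed to the originating host rather than the relay.
    """
    if redirect_re:
        m = re.search(redirect_re, payload)
        if m:
            return m.group(1)
    return source_ip


def parse_event(payload, source_ip, log_sources, redirect_re=None):
    """Try each log source bound to the identifier, in parsing order.

    status is 'parsed', 'unknown' (a DSM claimed the event but has no
    mapping for it) or 'stored' (no DSM claimed it; only the raw payload
    survives, with no normalized fields).
    """
    ident = log_source_identifier(payload, source_ip, redirect_re)
    for ls in [s for s in log_sources if s.identifier == ident]:
        if not re.search(ls.matcher, payload):
            continue                                   # next DSM in order
        m = re.search(ls.event_re, payload)
        event = m.group(1) if m else None
        props = {}
        for prop, rx in ls.properties.items():         # custom properties
            pm = re.search(rx, payload)
            if pm:
                props[prop] = pm.group(1)
        if event not in ls.qid_map:
            return {"log_source": ls.name, "status": "unknown", "event": event,
                    "category": "Unknown", "properties": props}
        return {"log_source": ls.name, "status": "parsed", "event": event,
                "category": ls.qid_map[event], "properties": props}
    return {"log_source": None, "status": "stored", "event": None,
            "category": None, "properties": {}}


# Two constructed log sources that share one host (10.0.0.5), so their
# DSMs are tried in parsing order. The auth matcher is deliberately loose.
FIREWALL = LogSource(
    name="fw01 firewall", identifier="10.0.0.5",
    matcher=r"\bFWLOG\b", event_re=r"action=(\w+)",
    qid_map={"deny": "Firewall Deny", "accept": "Firewall Permit"},
    properties={"src_ip": r"src=(\d+\.\d+\.\d+\.\d+)", "user": r"user=(\w+)"},
)
AUTH = LogSource(
    name="auth service", identifier="10.0.0.5",
    matcher=r"user=", event_re=r"result=(\w+)",
    qid_map={"success": "User Login Success", "fail": "User Login Failure"},
    properties={"user": r"user=(\w+)"},
)

SAMPLE = [  # constructed (payload, source_ip) pairs
    ("FWLOG action=deny src=203.0.113.7 dst=10.0.0.5 user=alice", "10.0.0.5"),
    ("AUTHLOG user=bob result=fail", "10.0.0.5"),
    ("FWLOG action=drop src=203.0.113.9 dst=10.0.0.5", "10.0.0.5"),  # unmapped
    ("DEBUG heartbeat ok", "10.0.0.5"),                               # no DSM
]

# Syslog redirect: take the hostname field of an RFC 3164 style header as
# the identifier when the packet arrives from a relay (assumed address).
RELAY_IP = "10.0.0.99"
REDIRECT_RE = r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (\S+) "
RELAYED = "<34>Oct 11 22:14:15 10.0.0.5 FWLOG action=accept src=198.51.100.2 dst=10.0.0.5"


def run_in_order(order, redirect_re=None):
    """Parse every sample line with the given parsing order."""
    return [parse_event(p, ip, order, redirect_re) for p, ip in SAMPLE]


if __name__ == "__main__":
    for order in ([FIREWALL, AUTH], [AUTH, FIREWALL]):
        print("parsing order:", [s.name for s in order])
        for r in run_in_order(order):
            print("  ", r["status"], r["log_source"], r["category"], r["properties"])
    print(parse_event(RELAYED, RELAY_IP, [FIREWALL, AUTH])["status"])               # stored
    print(parse_event(RELAYED, RELAY_IP, [FIREWALL, AUTH], REDIRECT_RE)["status"])  # parsed
```

Running it with the firewall DSM first yields parsed, parsed, unknown, stored for the four sample lines; swapping the order lets the loose auth matcher claim the firewall line and turn it into an Unknown event on the wrong log source, which is the failure the parsing order topic is about. The relayed line is Stored until the redirect pattern supplies the real identifier.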
This course provides an introduction to IBM Security QRadar architectural patterns for Managed Security Service Providers (MSSPs).
An MSSP provides Security Operations Center (SOC) services to customers of different sizes and requirements. This results in different architectural patterns and different uses of the QRadar Console, Event Collectors (EC), Event Processors (EP), and Disconnected Log Collectors (DLC).
The intent of the MSSP SOC is to offer services to multiple clients while ensuring the confidentiality, integrity, and availability of each client's services and data. To accomplish this, the QRadar components can be deployed across three zones that rely on the QRadar core functions for data isolation, such as user access management, domains, and tenants.
This video presented by Jose Bravo discusses a technique to use Guardium Data Encryption and QRadar to help protect against ransomware.
The IBM QRadar Use Case Manager app provides many options for filtering and searching rules in IBM Security QRadar. You can create custom views and reports of your rules based on a wide variety of criteria, and view relationships between rules and content packs, log sources, reference sets, and other data.
In addition to the filtering and searching options, the Use Case Manager app lets you view and configure your coverage of the MITRE ATT&CK framework. You can also view and apply a number of recommended changes to your rules.
Tuning recommendations, unique to your environment, are also available in the Use Case Manager app. Follow the guidance in the app to tune the rules that generate the most offenses and so reduce false positives. You can update the network hierarchy, building blocks, and server discovery based on its recommendations.
The Use Case Manager helps you to keep QRadar optimally configured to accurately detect threats throughout the attack chain.