QRadar SIEM
QRadar Fundamentals
The total time required to complete this roadmap is 18h 26m.
Overview
Core functionality
Apps
Skill badges
Commercial courses
QRadar SIEM Administrator
The total time required to complete this roadmap is 49h 12m.
Operational Tasks
DevOps
Troubleshooting
Tuning
These courses teach you how to perform basic tuning tasks in your QRadar environment.
QRadar SIEM Analyst
The total time required to complete this roadmap is 24h 34m.
Investigations
QRadar SIEM Architect
The total time required to complete this roadmap is 16h 34m.
Operational Tasks
DevOps
Managed Security Service Providers (MSSP)
The total time required to complete this roadmap is 5h 35m.
MSSP Foundation
Apps integration
Overview
For each incoming event and flow, QRadar SIEM evaluates rules to test for indicators that suggest an attack or policy violation. In this lab, you learn how to create custom rules, building blocks, custom event properties, and a reference set to detect an example of suspicious activity.
Objectives
- Create and use custom event properties
- Create and use a reference set
- Add tests to new custom rules and building blocks
- Leverage function tests
- Configure rule actions and responses
Duration
1 hour
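The mechanics this lab covers (a custom event property extracted from the payload, a reference set that a building block tests against and a rule response writes to, and a counting function test) can be shown end to end in plain Python. The block below is an added example written for this page, not QRadar code or the lab's own material; the event records, the reference set contents, and the "Privileged Users" / "Suspicious IPs" names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events, as a DSM would hand them to the rule
# engine. Times are ISO 8601 in UTC.
EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "category": "User Login Failure", "username": "admin",
     "source_ip": "198.51.100.9", "payload": "reason=bad_password"},
    {"time": "2024-05-01T10:01:00Z", "category": "User Login Failure", "username": "admin",
     "source_ip": "198.51.100.9", "payload": "reason=bad_password"},
    {"time": "2024-05-01T10:02:00Z", "category": "User Login Failure", "username": "svc_backup",
     "source_ip": "198.51.100.9", "payload": "reason=account_locked"},
    {"time": "2024-05-01T10:03:00Z", "category": "User Login Failure", "username": "alice",
     "source_ip": "203.0.113.7", "payload": "reason=bad_password"},
    {"time": "2024-05-01T10:20:00Z", "category": "User Login Failure", "username": "admin",
     "source_ip": "198.51.100.9", "payload": "reason=bad_password"},
]

# Reference sets: named collections that rule tests read and rule responses write
# (names and contents constructed for this example).
REFERENCE_SETS = {
    "Privileged Users": {"admin", "svc_backup", "root"},
    "Suspicious IPs": set(),
}

# Custom event property: a regex applied to the raw payload when the rule runs.
REASON_PROPERTY = re.compile(r"\breason=(\w+)")

def reason_of(event):
    m = REASON_PROPERTY.search(event["payload"])
    return m.group(1) if m else "unknown"

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def bb_privileged_login_failure(event):
    """Building block: a login failure for a username held in 'Privileged Users'."""
    return (event["category"] == "User Login Failure"
            and event["username"] in REFERENCE_SETS["Privileged Users"])

def evaluate_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Custom rule: fires when at least `threshold` events matching the building
    block arrive from the same source IP within `window` (a function test).
    Returns offenses as (source_ip, trigger_time, sorted failure reasons)."""
    recent = defaultdict(list)     # source_ip -> [(time, event), ...] inside the window
    offenses = []
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        if not bb_privileged_login_failure(event):
            continue
        now = parse_time(event["time"])
        bucket = recent[event["source_ip"]]
        bucket.append((now, event))
        bucket[:] = [(t, e) for t, e in bucket if now - t <= window]
        if len(bucket) >= threshold:
            reasons = sorted({reason_of(e) for _, e in bucket})
            offenses.append((event["source_ip"], event["time"], reasons))
            # Rule response: record the IP so other rules (or a block action) can use it.
            REFERENCE_SETS["Suspicious IPs"].add(event["source_ip"])
            bucket.clear()   # do not fire again for the same burst
    return offenses
```

With the sample above, the rule fires once, at the third privileged failure from 198.51.100.9, and the later failure at 10:20 starts a fresh window rather than extending the old one; the failure from 203.0.113.7 never matches the building block because "alice" is not in the reference set.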
Device Support Modules (DSMs) enable IBM Security QRadar SIEM to normalize events from the raw logs it receives from various source types. Events must be parsed, normalized, and correlated into offenses to alert you to suspicious activity.
In this virtual lab, you use the DSM Editor to create a log source type for an unknown source of events. You also configure the new log source type to parse and normalize its properties and create unique identifiers and mappings so that QRadar SIEM can name, rate, and categorize the events from the unknown log source.
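What the DSM Editor does for an unknown log source, namely extract properties with regular expressions, pick out an event identifier, and map that identifier to a name, severity, and category, is shown below in plain Python. This is an added example written for this page, not the DSM Editor's own code or output; the "acme-vpn" log format, the property regexes, and the event-ID mapping are all constructed for illustration, and real deployments map identifiers to QIDs rather than to the tuple used here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines from a hypothetical "acme-vpn" appliance; the format
# is invented for this example.
SAMPLE_LOGS = [
    '2024-05-01T10:00:01Z acme-vpn evt=VPN-101 user=alice src=203.0.113.7 msg="login ok"',
    '2024-05-01T10:00:05Z acme-vpn evt=VPN-102 user=bob src=198.51.100.9 msg="login failed"',
    '2024-05-01T10:00:09Z acme-vpn evt=VPN-999 user=carol src=192.0.2.4 msg="firmware updated"',
]

# One regex per normalized property, the equivalent of the property configuration
# you enter for a log source type. Group 1 is the extracted value.
PROPERTY_PATTERNS = {
    "event_id": re.compile(r"\bevt=(\S+)"),
    "username": re.compile(r"\buser=(\S+)"),
    "source_ip": re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})"),
    "timestamp": re.compile(r"^(\S+)"),
}

# Event ID -> (event name, severity 1-10, low-level category). Constructed mapping;
# a real log source type maps each ID to a QID.
EVENT_MAP = {
    "VPN-101": ("VPN Login Success", 2, "User Login Success"),
    "VPN-102": ("VPN Login Failure", 5, "User Login Failure"),
}

@dataclass
class NormalizedEvent:
    event_id: str
    name: str
    severity: int
    category: str
    properties: dict = field(default_factory=dict)
    payload: str = ""

def parse_event(line: str) -> NormalizedEvent:
    props = {}
    for name, pattern in PROPERTY_PATTERNS.items():
        m = pattern.search(line)
        if m:
            props[name] = m.group(1)
    event_id = props.get("event_id", "")
    # An ID the mapping does not know is surfaced as "Unknown" with its payload
    # kept intact, so it can be mapped later instead of being silently dropped.
    name, severity, category = EVENT_MAP.get(event_id, ("Unknown", 1, "Unknown"))
    return NormalizedEvent(event_id, name, severity, category, props, line)

def parse_all(lines):
    return [parse_event(line) for line in lines]

def unmapped_event_ids(events):
    """Event IDs the mapping does not cover yet; review these before going live."""
    return sorted({e.event_id for e in events if e.name == "Unknown"})
```

The last line in the sample carries an ID that the mapping does not know; `unmapped_event_ids` lists such IDs so you can decide whether each one deserves a mapping or can stay unknown, which is the same review you do in the DSM Editor after parsing a batch of real events.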
Reports in IBM QRadar SIEM condense data into statistical views of your environment for various purposes, in particular to meet compliance requirements. In this lab, you run a report from an existing template, then create a new report based on a saved search, and finally create a new report from a new search.
Anomaly detection aims to alert on threats that are undocumented and therefore cannot be detected by methods that monitor for well-defined indicators. Such threats can be detected by monitoring for an unusual volume of activity. With IBM® QRadar® SIEM, you create anomaly detection rules to monitor for deviations from the baseline of expected activity.
In these exercises, you develop an anomaly detection rule of type Anomaly. It tests for the deviation of the number of events matching a grouped search from the weighted moving average. The rule fires in the exercise because the sample data spikes above the deviation percentage configured in the anomaly rule.
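The test the exercise describes, a current interval compared against a weighted moving average of earlier intervals and a fire when the deviation exceeds a configured percentage, is small enough to run by hand. The block below is an added example written for this page, not QRadar's anomaly engine; the per-interval counts are constructed, and the exponentially weighted average and the `alpha` smoothing parameter are this example's model of the baseline, not a statement of how QRadar computes it.

```python
# Constructed per-interval event counts for one grouped search (for example events
# per 5-minute interval from one log source); the spike at the end is deliberate.
COUNTS = [100, 104, 98, 101, 99, 103, 100, 97, 102, 100, 260]

def weighted_moving_average(values, alpha):
    """Exponentially weighted moving average. An alpha close to 1 weights recent
    intervals heavily (short baseline); close to 0 gives a long, stable baseline."""
    avg = values[0]
    for v in values[1:]:
        avg = alpha * v + (1 - alpha) * avg
    return avg

def anomaly_rule(counts, deviation_pct=40.0, alpha=0.2, min_intervals=5):
    """Evaluate the last interval against the baseline built from the earlier ones.
    Returns (fires, baseline, current, observed_deviation_pct). Requires at least
    min_intervals of history so a newly created search cannot trip the rule on
    its first readings, a common source of noisy anomaly offenses."""
    history, current = counts[:-1], counts[-1]
    if len(history) < min_intervals:
        return (False, None, current, None)
    baseline = weighted_moving_average(history, alpha)
    observed = (current - baseline) / baseline * 100.0
    return (observed > deviation_pct, baseline, current, observed)
```

On the sample data the baseline settles just above 100 events per interval, so the final count of 260 is roughly a 160% deviation and the rule fires; dropping the last interval leaves the current count within a fraction of a percent of the baseline and the rule stays quiet.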
In this course, you learn how to create IBM Security QRadar domains and tenants using both the user interface and the RESTful API. You send events to QRadar and see how they are assigned to domains and why. You learn the difference between domain-aware and domain-unaware rules. You create a shared data rule and perform tests to see how this rule works in comparison with QRadar rules that have no domain assignment.
The IBM Security App Exchange is a collaborative platform that can help integrate and utilize the collective knowledge of security professionals through code sharing. The App Exchange offers enhancements and integration between IBM Security products, and can include other security vendors, such as Trend Micro, Cisco, Qualys, and so on.
The majority of the security integration offerings today are available for the IBM® QRadar® product line. The IBM Security App Exchange provides an expanded hub of QRadar content. IBM QRadar provides a RESTful API that allows access to QRadar resources and data.
This lab guide demonstrates the tools that can help you develop new apps for QRadar. You can use two types of tools for your app development:
- QRadar App Editor
- QRadar SDK
The labs use IBM QRadar Community Edition (QRadar CE).
Attach scripts to custom rules to do specific actions in response to network events. Use the Custom Action window to manage custom action scripts. Use custom actions to select or define the value that is passed to the script and the resulting action.
License keys entitle you to use specific IBM Security QRadar products and control the event and flow capacity for your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such as QRadar Vulnerability Manager.
This self-paced course covers the foundations of license management, the components involved, and how licenses are managed within QRadar.
Course Objectives
- Define ways to upload and maintain license keys in the QRadar SIEM console.
- Obtain hands-on experience with viewing license details, uploading a license key, allocating a license key to a host, deleting licenses, and exporting license information.
The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel databases. You can use AQL to extract, filter, and perform actions on the event and flow data stored in the Ariel database in IBM Security QRadar.
AQL is used for advanced searches to get data that might not be easily accessible from the user interface. This extends QRadar's search and filtering capabilities.
In this lab, you learn how to use AQL for some advanced search tactics inside QRadar SIEM.
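Outside the Advanced Search box, AQL is most often run through the Ariel REST API, which is asynchronous: you submit the query, poll the search until its status is COMPLETED, then fetch the rows. The block below is an added example written for this page, not IBM's SDK or the lab's material. It uses the `POST /api/ariel/searches`, `GET /api/ariel/searches/{id}` and `GET .../results` endpoints with a `SEC` token header; the API `Version` header value, the console hostname, the AQL query, and the `FakeConsole` responses are assumptions constructed so the flow runs offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed AQL query: top sources of login failures over the last day.
LOGIN_FAILURES_AQL = """
SELECT sourceip, username, COUNT(*) AS failures
FROM events
WHERE QIDNAME(qid) ILIKE '%login failure%'
GROUP BY sourceip, username
ORDER BY failures DESC
LAST 24 HOURS
"""

class ArielClient:
    """Submit an AQL search to the Ariel REST API, poll until it completes, and
    fetch the rows. `transport(method, url, headers)` returns the decoded JSON
    body; it is injectable so the flow can be exercised without a console."""

    def __init__(self, console, token, version="12.0", transport=None):
        self.base = f"https://{console}/api"
        # SEC is an authorized-service token; scope its security profile to the
        # data this job needs. The Version value is an assumption, check your release.
        self.headers = {"SEC": token, "Version": version, "Accept": "application/json"}
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:   # TLS verification stays on
            return json.loads(resp.read().decode("utf-8"))

    def submit(self, aql):
        query = urllib.parse.urlencode({"query_expression": aql})
        return self.transport("POST", f"{self.base}/ariel/searches?{query}", self.headers)["search_id"]

    def wait(self, search_id, poll_seconds=2.0, timeout_seconds=600):
        deadline = time.monotonic() + timeout_seconds
        while True:
            status = self.transport("GET", f"{self.base}/ariel/searches/{search_id}", self.headers)
            if status["status"] == "COMPLETED":
                return status
            if status["status"] in ("CANCELED", "ERROR"):
                raise RuntimeError(f"search {search_id} ended with status {status['status']}")
            if time.monotonic() >= deadline:
                raise TimeoutError(f"search {search_id} did not complete in {timeout_seconds}s")
            time.sleep(poll_seconds)

    def results(self, search_id):
        body = self.transport("GET", f"{self.base}/ariel/searches/{search_id}/results", self.headers)
        return body.get("events") or body.get("flows") or []

    def run(self, aql, **wait_kwargs):
        search_id = self.submit(aql)
        self.wait(search_id, **wait_kwargs)
        return self.results(search_id)

class FakeConsole:
    """Stand-in for a console with canned responses shaped like the real API
    (constructed for this example); the first poll reports the search still running."""
    def __init__(self):
        self.polls = 0

    def __call__(self, method, url, headers):
        if not headers.get("SEC"):
            raise PermissionError("missing SEC token")
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path == "/api/ariel/searches":
            return {"search_id": "abc123", "status": "WAIT"}
        if path == "/api/ariel/searches/abc123":
            self.polls += 1
            return {"status": "EXECUTE" if self.polls < 2 else "COMPLETED"}
        if path == "/api/ariel/searches/abc123/results":
            return {"events": [
                {"sourceip": "198.51.100.9", "username": "admin", "failures": 42},
                {"sourceip": "203.0.113.7", "username": "alice", "failures": 3},
            ]}
        raise ValueError(f"unexpected request: {method} {url}")

def demo():
    """Run the query against the fake console; returns (rows, number of polls)."""
    console = FakeConsole()
    client = ArielClient("qradar.example.internal", "REPLACE-WITH-TOKEN", transport=console)
    rows = client.run(LOGIN_FAILURES_AQL, poll_seconds=0)
    return rows, console.polls
```

Against a real console you drop the `transport` argument and pass the hostname and token; the polling loop is the part worth keeping, since a long `LAST 24 HOURS` aggregation over a busy deployment will not be complete on the first status check, and a client that reads results before COMPLETED gets a partial answer.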
This course teaches you how to take advantage of the information posted on the IBM X-Force Exchange (XFE) platform by using its API, the curl tool, and the Python language.
The course also demonstrates integration between XFE and QRadar SIEM, either directly by using the XFE SDK or through the Threat Intelligence app and TAXII endpoints.
Objectives
- Learn how to use the X-Force Exchange API, the curl tool, and Python scripts to pull threat data from the X-Force Exchange platform
- Install the Threat Intelligence app in QRadar SIEM
- Test the API using online documentation
- Use curl commands and the X-Force Exchange API documentation to simulate browser requests
- Write a Python script that calls the X-Force Exchange API
- Use TAXII feeds, collections, and the QRadar Threat Intelligence app to integrate the X-Force Exchange API and QRadar SIEM
- Configure threat data feeds to monitor and detect ransomware outbreaks
In this lab, you configure IBM Security QRadar to recognize an unknown event. You search for and sort your log sources in the Log Source Management app. You bulk add and bulk edit multiple log sources. Finally, you test a new log source.
The QRadar Analyst Workflow application provides security analysts with a new UI to investigate offenses and search for threats. Some highlights of the new investigation workflows include:
- Critical information to help inform decision making is one click away. Objects like IP addresses, Log Sources, Events, Insights, Magnitude, and more can be selected to expose a side panel that will provide additional context and details
- Filters are available when tables of information are exposed, to help users narrow down results
- AQL smart query builder enables an analyst to search for common objects like IP, Hash, URL, and more without having to build a query
- Performance improvements in loading screens and navigating between workflows
The IBM QRadar Use Case Manager app provides many options for filtering and searching rules in IBM Security QRadar. You can create custom views and reports of your rules based on a wide variety of criteria, and view relationships between rules and content packs, log sources, reference sets, and other data.
In addition to the filtering and searching options, the Use Case Manager app lets you view and configure your coverage of the MITRE ATT&CK framework. You can also view and apply a number of recommended changes to your rules.
Tuning recommendations, unique to your environment, are also available in the Use Case Manager app. Follow the guidance in the app to tune the rules that generate the most offenses and so reduce false positives. You can update the network hierarchy, building blocks, and server discovery based on the recommendations.
The Use Case Manager helps you to keep QRadar optimally configured to accurately detect threats throughout the attack chain.
The IBM Security User Behavior Analytics (UBA) app 3.6.0 supports multi-tenant environments in IBM Security QRadar 7.4.0 Fix Pack 1 and later.
Multi-tenant environments allow Managed Security Service Providers (MSSPs) and multidivisional organizations to provide security services to multiple client organizations from a single, shared QRadar deployment. You don't need to deploy a unique QRadar instance for each customer.
With QRadar 7.4.0 Fix Pack 1 or later and UBA 3.6.0, you can create multiple tenants from a single deployment instead of managing multiple deployments.
This virtual lab walks you through all concepts that are needed to set up the UBA app in a multi-tenant environment such as log sources, tenants, domains, security profiles, UBA users, and roles.
- Alerts to suspected attacks and policy violations in the IT environment
- Provides deep visibility into network, user, and application activity
- Puts security-relevant data from various sources in context with each other
- Provides reporting templates to meet operational and compliance requirements
- Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use
The exercises in this lab provide a broad introduction to the features of QRadar SIEM. The exercises cover the following topics:
- Navigating the web interface
- Reviewing the Pulse app
- Investigating a suspicious activity
- Using the QRadar Analyst Workflow app to investigate offenses
- Creating a report
- Managing the network hierarchy