QRadar SIEM
QRadar Fundamentals
The total time required to complete this roadmap is 18h 26m.
Overview
Core functionality
Apps
Skill badges
Commercial courses
QRadar SIEM Administrator
The total time required to complete this roadmap is 49h 12m.
Operational Tasks
DevOps
Troubleshooting
Tuning
These courses teach you how to perform basic tuning tasks in your QRadar environment.
QRadar SIEM Analyst
The total time required to complete this roadmap is 24h 34m.
Investigations
QRadar SIEM Architect
The total time required to complete this roadmap is 16h 34m.
Operational Tasks
DevOps
Managed Security Service Providers (MSSP)
The total time required to complete this roadmap is 5h 35m.
MSSP Foundation
Apps integration
In IBM Security QRadar you need two components in order to parse logs correctly. One is a protocol, such as syslog, the other part is a DSM parser. When you are dealing with cloud-based deployments, the QRadar protocol portions are API-based. QRadar supports several API-based protocols out-of-the-box, such as AWS or Azure.
Many cloud-based deployments or apps frequently change capabilities and configuration requirements. To better support these fast-paced environments, QRadar provides a Universal Cloud REST API Protocol, which enables you to keep ingesting log data from those cloud-based log sources.
In this course, Jose Bravo explains and demonstrates how to configure a setup using the Log Source Management app.
The IBM Security QRadar Network Visibility content extension provides a set of dashboards that enable security and network operations analysts to get at-a-glance insights into the network traffic in their environment. These visualisations enhance the data in Network Activity to provide out-of-the-box metrics that align with a variety of MITRE ATT&CK categories.
In this video we demonstrate the following three dashboards included in this extension:
- Overview: Gain insights into activity across the entire network, focusing on metrics that uncover unusual behaviour
- Application/Protocol Details: Drill into a specific application or protocol of interest and identify suspicious or atypical behaviour
- IP Details: Drill into a specific IPv4 address, highlighting metrics that could indicate attacks associated with this address
IBM Security QRadar needs to provide precise information about captured log events and network flows that have been collected within your network. It can only do that sufficiently after you provided enough contextual information about your assets, rules, and how to handle false positives. In this course you find resources that can help you to properly tune the following aspects:
- Server Discovery and Host Definition
- The Basics of Rules and Building Blocks
- Offense Basics
- Content Packs and the QRadar Assistant App
- SIEM Tuning Report
- False Positive Tuning
IBM Security QRadar needs to provide precise information about captured log events and network flows that have been collected within your network. It can only do that sufficiently after you provided enough contextual information about your network hierarchy
and assets.
This video series describes how to properly tune the following networking aspects:
- Introduction to QRadar and Tuning
- Domain Management
- Network Hierarchy Basics
- Structuring your Network Hierarchy
- Keeping the Network Hierarchy Updated
You can use the guided tips in
IBM Security QRadar Use Case Manager to help you ensure that QRadar is
optimally configured to accurately detect threats throughout the attack
chain.
QRadar Use Case Manager includes a rule explorer that offers flexible reports related to your rules. The app also exposes pre-defined MITRE mappings to system rules and helps you map your own custom rules to MITRE ATT&CK tactics and techniques.
This course first addresses an overview of the new features that have been introduced with Version 2.3., and then provides more details on the updates around the MITRE ATT&CK tactics and techniques.
The IBM Security QRadar SDK V2 includes many changes from the previous release. This video guides you through installation, new commands, requirements, and examples of building QRadar applications using the SDK V2.
In this video course, you learn
about the concepts of the RESTful API and how to manage IBM Security
QRadar domains and tenants by using the API endpoints. Use the GET request
to retrieve information about domains and tenants. Learn how to create
or update domain and tenant objects by using the POST request, and delete
objects with the DELETE request. Investigate a response error from a
request and find a solution for that.
Use the guided tips in the IBM Security QRadar Use Case Manager app to help you ensure QRadar is optimally configured to accurately detect threats throughout the attack chain.
In this video, you learn about the new features introduced with versions 2.2 and 2.3 of the app.
In this course, you learn about domain and tenant management capabilities in IBM Security QRadar. Managed Security Service Providers (MSSPs) use these capabilities to provide services to their customers in a shared multi-tenant environment. Multi-divisional organizations can benefit from these features as well.
Domain and tenant management capabilities are essential when you want to provide services from a shared QRadar environment. Every internal customer becomes a tenant in your QRadar deployment and each has different requirements. To separate your tenants' data, you define domains.
You can use the guided tips in IBM Security QRadar Use Case Manager to help you ensure that QRadar is optimally configured to accurately detect threats throughout the attack chain.
QRadar Use Case Manager includes a rule explorer that offers flexible reports related to your rules. The app also exposes pre-defined MITRE mappings to system rules and helps you map your own custom rules to MITRE ATT&CK tactics and techniques.
This course first addresses an overview of the new features that have been introduced with Version 2.2 and 2.3., and then provides more details on the updates around the MITRE ATT&CK tactics and techniques.
Use the guided tips in the IBM Security QRadar Use Case Manager app to help you ensure QRadar is optimally configured to accurately detect threats throughout the attack chain.
In this video, you learn how to explore rules through visualization and generated reports, how to tune your environment based on built-in analysis, and how you can visualize threat coverage across the MITRE ATT&CK framework.
This video series introduces the IBM QRadar advanced search capability using the Advanced Query Language, or AQL.
Part 1 - Quick Filter and UI Searches
Part 2 - AQL Introduction
Part 3 - Where, Group, Having, Order
Part 4 - Counting
Part 5 - Ref Set, Assets and UBA
Part 6 - Health Metrics and X Force
Part 7 - More Health Metrics and API calls
Part 8 - Payload, Indexed and Regex Searches
IBM Security QRadar flows represent network activity by normalizing IP addresses, ports, byte and packet counts, and other data, into flow records, which are records of network sessions between two hosts. Flows are a differentiating component in QRadar that provide detailed visibility into your network traffic.
In this course, you learn how QRadar analyzes your flow data for applications, flow direction, and superflows. You also learn how to build a QRadar flow rule, and how to perform flow searches in QRadar.
A large volume of data aggregation can decrease your system performance. The IBM Security QRadar Ariel component uses a separate database for aggregated data in order to improve system performance and to make the data more readily available. Time series charts, report charts, and anomaly rules use aggregated data views. Learn how to use the Aggregated Data management tool to disable, enable, or delete aggregated data views.
In this video series, Jose Bravo explains how to use the IBM Security QRadar Use Case Manager App to keep your QRadar deployment properly tuned using the following parts:
- Introduction
- Noisy offenses
- Rules with the most CRE events
- Network Hierarchy
- Building Blocks and Reference Sets
In this video, you learn about log source parsing order and how to manage it. See how to solve parsing problems by changing the log source parsing order and how to reduce parsing problems.
QRadar SIEM routes events and flows directly to storage, if an alarmingly high system load might cause degradation of real-time processing. After this happens, the Custom Rule Engine (CRE) can collect metrics data about rule execution. From this data,
the CRE calculates throughput capacities for most enabled custom rules and building blocks. The UI displays the capacities as event and flow rates, and also indicates the level of concern with colored bars.
QRadar 7.3.2 or higher is required to enable this capability.

Custom log sources enable QRadar SIEM to normalize events from raw logs that have been received from various source types. These events must be parsed, normalized, and correlated into offenses to alert you to suspicious activities. Based on a business scenario, you will learn how to perform each step in the process of creating custom log sources.
This course provides useful information for administrators to understand how the Console deploys user changes to managed hosts. See the difference between Deploy Changes and Deploy Full Configuration and what impact they have on events, flows and offenses. Discover how to audit users that initiated changes and monitor the progress of deployment actions. Learn about troubleshooting steps when a Deploy Changes does not complete.
IBM Security QRadar Network Insights (QNI) provides deep, real-time
investigations into your network traffic. In this course, you learn
about the increased level of data that QNI provides for searches, rules,
and building blocks. You also learn about QNI inspection levels. You
learn how to create a rule that raises an offence when your traffic
contains data from a QNI property. You also investigate flow properties
for an email exchange.
WinCollect is a syslog event forwarder that collects Windows-based events from local and remote Windows-based systems and sends them to QRadar for processing and storage. In this video you learn about the two different WinCollect deployment models and
how to manage them.
Using the table of contents menu in the video you can navigate to each one of these topics individually, or you can explore the content altogether:
- WinCollect overview
- WinCollect deployment models
- Installing and configuring a managed deployment
- Generating an authentication token
- WinCollect agent GUI installation
- WinCollect agent command line installation
- Upgrading all WinCollect agents to V7.2.8
- Troubleshooting a faulty WinCollect installation
In this course, you learn about the high availability (HA) design for QRadar, including setup and synchronization of HA hosts, and how to work with host states in a failover situation.
With indicators of compromise or concern, you specify which activities you consider suspicious. Derive indicators from threat modeling while considering which kind of data QRadar SIEM can use to test for indicators. This course addresses the following
topics:
- Getting started with threat modeling
- Using observables for indicators
- Using context for indicators
- Using external data for indicators
Join the IBM Security Learning Services team for an in-depth tour of the Security Learning Academy, with a focus on IBM Security QRadar Security Intelligence course offerings. During this webinar, you will see how to navigate the platform, search the course catalog, enroll in a course, view your enrollments on your dashboard, create progress reports, and see how Security Learning Academy is integrated with IBM VIP Rewards for Security.
Contents
- Introduction
- Content requirements process
- Tour the IBM Security Learning Academy home page
- Take a deeper look at QRadar Security Intelligence courses and course roadmaps
- Your personal dashboard
- Progress reports
- Integration between the Academy and the IBM VIP Rewards for Security program
When you send your log file data to IBM Security QRadar, it is first parsed inside a Device Support Module (DSM) so that QRadar can fully utilize the normalized data for event and offense processing. Sometimes you encounter data that cannot be correctly parsed, or you are dealing with multiple log sources running on one physical system.
In this course, Jose Bravo reviews the basic processes inside a QRadar DSM and explains how events are flagged. He demonstrates how to find the correct parser for your log source, and how to handle the parsing order in case you have deployed more than one log source on a physical machine.
Using the attached additional resources, you can run these scenarios on your own QRadar Community Edition (or other QRadar) deployment.
- Introduction
- When parsing does not work
- SIM Generic
- Stored and Unknown
- Parsing order intro and examples
- Syslog redirect
- Property formats
- Setting the lab up
The IBM Security QRadar DSM for Amazon Web Services (AWS) CloudTrail supports audit events that are collected from Amazon S3 buckets by using the Amazon AWS S3 REST API protocol and a Simple Queue Service (SQS) queue. This method is very useful when collecting CloudTrail logs from multiple accounts or regions in an Amazon S3 bucket and reduced the chance of missing files by using ObjectCreate notifications. It is an alternative to the prefix method to collect data because it does not require that the file names in the folders be in a string sorted in ascending order based on the full path. In this course, you learn which services you need properly configured in your AWS environment to make this method work. Following this, you learn how to add an Amazon AWS CloudTrail log source, and at the end, you see how a successfully configured log source receives events from AWS.
Threat Simulator is part of the QRadar Experience Center App. It contains five use cases for common threats, and for each of them, it generates a set of pre-defined logs in real time. These logs are displayed on the Log Activity tab of the Console as they are being received so that you can learn how to analyze them.
In this course, you learn how to run and analyze the results of each use case in the Threat Simulator.
This video provides an overview of key Log
Source Management app features. In addition to the overview, the video
demonstrates how to bulk add and bulk edit log sources, and how to test
log sources with the app.
Objectives
- Learn about the new Disconnected Log Manager feature
- Explore the Log Source Management app user interface
- Learn how to bulk add and edit log sources
- Learn how to test log sources to confirm whether they are configured correctly

QRadar Deployment Intelligence is a monitoring application built to give users a birds-eye-view of the health of their QRadar deployment. The app consolidates the following historical data points on a per-host basis:
- Status
- Up-time
- Notifications
- Event and flow rates
- System performance metrics
- QRadar specific metrics and more
In this course, you learn how to use the interactive app, by first displaying initial overviews for all hosts, and then drilling down and investigating specific hosts to see detailed health and status information.
In this video, you learn how coalescing works in IBM QRadar.
For QRadar SIEM 7.3.2, an App Host can take over the running of apps. The App Host replaces the App Node that was available for previous versions of QRadar SIEM. This course teaches how to add an App Host to a QRadar SIEM 7.3.2 installation.

Similar to the if-then statement in programming languages, custom rules consist of a boolean operation and statements. If the QRadar custom rule engine (CRE) evaluates the boolean operation to true, then the CRE performs the configured rule actions and rule responses.
This course addresses the following rule actions:
- Changing severity, credibility and relevance of the event or flow
- Adding the event or flow to an offense
- Annotating the event or flow
- Dropping the event or flow by rule action and routing rule
Determining the rules that triggered can provide valuable insight into your IT environment and guide you for further rule development and improvement. In this course, you learn how to gain different perspectives on matching rules.
- Sorting rules by their contributions to offenses
- Grouping dispatched events by event name
- Grouping events by rules that triggered for them
- Grouping flows by rules that triggered for them
- Filtering by rules that triggered
Use the QRadar Experience Center App to learn about the QRadar capabilities, simulate common threats, work with log samples in real time, and learn how to analyze your logs. The QRadar Experience Center App is designed for educational purposes, and its
menu includes useful videos, links, an FAQ section, and more.
In this video, you learn how to navigate the Experience Center App.
QRadar dashboard items allow the user to focus on different areas of interest. This step-by-step demonstration introduces how to perform network analysis with dashboard items.
This course teaches you how to avoid many common issues when configuring
log sources for QRadar that use the Log File protocol. In addition,
you also learn how to configure both FTPS and passwordless SCP
authentication for Log File log sources. Finally, you learn how to
configure and test Log File log sources in the QRadar Log Source
Management app.
In the IBM Security QRadar Console, you can use the Index Management tool to control database indexing on event and flow properties. By adding an indexed field in your search query, it helps to improve the speed of searches in QRadar by narrowing the overall data. Learn how to modify database indexing in the Index Management tool by making use of statistics before and after you enable or disable indexing on multiple properties.

IBM Security QRadar flows represent network activity by normalizing IP addresses, ports, byte and packet counts, and other data, into flow records, which are records of network sessions between two hosts. Flows are a differentiating component in QRadar that provide detailed visibility into your network traffic.
In this course, you learn the difference between QRadar events and flows. Learn about the packet header and payload: which information is available in the header and packet, and which technologies to use to investigate header and payload information.
In this course, we demonstrate how to use Anomaly Rules in IBM Security QRadar to detect abnormal behavior patterns throughout your IT infrastructure and user population.
In this video, you learn about the different update types in QRadar and how to use the Auto Update function. In addition, you learn how to take advantage of the QRadar Assistant app to keep your content packs and QRadar apps up-to-date.
Stateful tests in rules, which are configured as local, are evaluated by the CRE instance that receives the events and flows. Stateful tests in rules, which are configured as global, are evaluated by the CRE instance on the Console. In this course you learn about both of these options, which allows you to make an informed decision on whether to configure a rule as local or global. This course addresses the following topics:
- Configuring rules as local or global
- Examining the effects on rules with only stateful tests
- Examining the effects on rules with only stateless tests
- Examining the effects on rules with both stateful and stateless tests
- Examining the effects on rule responses
- Considering pros and cons
In this course, we demonstrate how to create an offense for monitoring an internal IBM Security QRadar Log Source.
In this video, you review how to use the DSM Editor to select a log
source type, configure property parsing, and create new event categories
and mapping. You also examine the new features of the DSM Editor, which
are contained in the Configuration section.
This video focuses on the new features: log source autodetection and properties. These features are available with QRadar SIEM 7.3.3.

This course focuses on two conceptual log source components. Protocols, which ingest event data into the QRadar ecosystem, and Device Support Modules, which act on this ingested data. You will learn about the roles of these components, and how they are aligned in the event pipeline.
- Defining rules
- Introducing the QRadar rules engines
- Enabling rules
- Duplicating rules
- Editing rules
- Creating rules
- Navigating rule groups
In this video series, you learn how QRadar can map your network flows to applications using different techniques.
In part 1, we configure QRadar to assign an application name to flow records when a specific source IP address and port combination is detected. In parts 2 and 3, we configure QRadar to assign an application name to flow records based on various information found in the payload of the flow data.
In this video, you learn how to create building blocks and how they differ from QRadar custom rules. You will be able to leverage building blocks for their typical purposes of reducing complexity and resource consumption, facilitating reuse of functionality and information, as well as reflecting your organization's IT environment.
Rules can use threat intelligence data from sources outside your organization to test for known threats. Learn about the options to leverage threat intelligence data and make an informed decision on how to get started. This course addresses the following
topics:
- Describe how threat intelligence data fits into the bigger picture
- Use external data
- Use built-in Remote Networks
- Use X-Force threat intelligence feeds
For QRadar SIEM 7.3.2, an App Host can take over the running of apps. The App Host replaces the App Node that was available in previous versions of QRadar SIEM. Migrating from App Node to App Host is a part of the upgrade from QRadar 7.3.0 or 7.3.1 to
QRadar 7.3.2. If you are running App Node, you must perform the migration because App Node is not supported on QRadar 7.3.2 and later.
The first part of this course walks you through the steps to upgrade and migrate from an App Node to an App Host.
In the second part, Jose Bravo performs an actual migration on a test system.
Understanding the architecture of the IBM QRadar ecosystem is viable for everyone in IT Security who is concerned with solutions within the security immune system. By learning how the central Security Intelligence components are designed to take in and process log events and flow data, you will be better equipped to holistically work as a Security Analyst with IBM QRadar. This course includes three videos:
- QRadar functional architecture and deployment models
- QRadar SIEM component architecture
- Dissecting the flow of a captured event
In this set of videos, we provide you with an overview of the IBM QRadar Deployment Architecture.
- Part one talks about the different QRadar appliance models and explains how they can be used in a variety of deployment architectures.
- Part two investigates how to deploy QRadar in remote locations. It also introduces the concepts of high availability, disaster recovery, and deployment options in virtual environments.
- Part three explains deployment options in cloud-based environments.
- The final part compares deployment options for VMware and QRadar on the Cloud (QRoC)
In this video series, we investigate various Ransomware, phishing, and malware attack use cases in QRadar.
- Stopping Ransomware in its tracks
- Discover Hidden Malware with QRadar
- QRadar and Bigfix Stop Ransomware
- Using QRadar and X-Force Exchange to protect against WannaCry ransomeware attack
QRadar collects network activity information, or what is referred to as "flow records". Flows represent network activity by normalizing IP addresses, ports, byte and packet counts, as well as other details, into "flows", which effectively represent a session between two hosts. QRadar can collect different types of flows, which differ greatly in the collected details. In this video series, we explain and demonstrate the differences between the following network flow capture mechanisms:
- Cisco Netflow
- QRadar QFlow
- QRadar Network Insights (QNI)
To properly understand and use the capabilities of QRadar SIEM beyond the basic concepts, it is important to learn about assets. In this course, you learn how assets can be discovered and then dynamically updated by QRadar, including network information, running applications and services, active users, and vulnerabilities.
This course teaches you how to configure a QRadar Retention Bucket within QRadar Administration.
First, you learn about QRadar data retention and how to retain event and flow data in IBM QRadar. Then, you run an interactive simulation to configure QRadar Retention Buckets.
IBM QRadar uses the network hierarchy objects and groups to organize network activity and monitor groups or services in your network.
When you develop your network hierarchy, consider the most effective method for viewing network activity. The network hierarchy does not need to resemble the physical deployment of your network. QRadar supports any network hierarchy that can be defined by a range of IP addresses. You can base your network on many different variables, including geographical or business units.
In this course, you learn about the following Network Hierarchy fundamentals:
- Part 1 - Network Hierarchy Basics
- Part 2 - Structuring your Network Hierarchy
- Part 3 - Keeping the Network Hierarchy Updated
Employees in every organization are granted different levels of clearance to access information and classified or restricted areas based on their job profiles, such as different network locations, applications, or data. This process includes users who manage and have access to IT security products that protect the organization's critical resources, such as QRadar.
Every organization implements its own security policies to provide users with different permissions according to their roles. In this context, QRadar provides the ability to segment users' access based on a combination of factors, which can yield granular results. The information contained in QRadar includes network hierarchy and topology, assets, log and flow sources, event and flow data, offenses, scanning activity, management activity, and more.
This course introduces QRadar user management foundations, where you learn about user accounts and the different methods to authenticate, and how to implement granular user controls, such as user roles, security profiles, domains, and tenants.
The capacity of a deployment is measured by the number of events per second (EPS) and flows per
minute (FPM) that IBM QRadar can
collect, normalize, and correlate in real time. The event and flow capacity is set by the licenses
that are uploaded to the system. In this video, you learn about the features of managing the license event and flow capacity.
- Define functions of event and flow processing capacity, such as shared license pool, capacity sizing, and internal events
- Define burst handling
This course provides general tips on log source configuration. Learn how to gather information about DSMs. Understand the capabilities of the QRadar UI to configure log sources. See what else can help you do this task and get linked to it.
Using a particular use case, this video demonstrates how to take advantage of reference data collections in QRadar SIEM.

QRadar administration encompasses many different tasks. The installation and upgrade management course provides information about the following topics:
- QRadar Installations and Upgrades - Best Practices Open Mic (2014)
- Replacing a QRadar Console in your deployment
- Replacing a Managed Host in your deployment (non-HA)
- Installing a QRadar content pack from IBM Fix Central
- Performing a QRadar v7.3 software installation on your own appliance
- Performing a clean install of QRadar v7.3
- Upgrading to QRadar v7.3
- Upgrading QRadar Appliances in parallel
- Migrating a console to a new QRadar appliance with the same IP address
- YUM vs RPM Installation commands in QRadar
- How to mount an ISO image using IMM
The QRadar SIEM Analyst has to perform many different tasks when it comes to the investigation of offenses, events, and flows. In this video series you learn about the following topics: - Detecting fraud and account takeover - Detecting communication to a malicious Command & Control Server - Detecting a remote scan followed by attempts to login - Detecting multiple Login Failures to Compliance Server - Detecting Chat to a malicious Site - Detecting UDP scan in flows from an IBM XGS Network Security appliance - Detecting phishing e-mails - Detecting awakening dormant Accounts - Detecting Fraud from a URL with Keyword from a bad IP - Detecting jailbroken iPhones using QFlows - Detecting insider threat - USB inserted and bad website visited
You can enhance the Windows log collection capability by using a publicly available tool called System Monitor (Sysmon). In combination with QRadar SIEM you can now process much more detailed events to protect your deployment from malicious attacks.
- Sysmon Introduction
- Use Case 1 - Malicious File Injection and Execution
- Use Case 2 - In memory attack
- Use Case 3 - Base64 encoded data obfuscation
- Use Case 4 - Hiding behind a common Windows service process
- Use Case 5 - Malicious file injection using encrypted HTTPS
- Use Case 6 - Detecting Other Libraries
- Use Case 7 - Privilege Escalation Detection
- Use Case 8 - More Privilege Escalation Detection
- Use Case 9 - Even More Privilege Escalation Detection
- Use Case 10 - Creating an Admin Account
- Use Case 11 - Detecting Name Pipe Impersonation
- Use Case 12 - Detecting Mimikatz
- Use Case 13 - Sysmon Lateral Movement Detection, Example One
- Use Case 14 - Sysmon Lateral Movement Detection, Example Two
- Use Case 15 - Sysmon Lateral Movement Detection, Example Three
- Use Case 16 - Sysmon Detecting BadRabbit
- Use Case 17 - Sysmon and Watson chasing BadRabbit
Use the representational state transfer (REST) application programming interface (API) to make HTTPS queries and integrate QRadar with other solutions. In this series of videos you learn how to make best use of the QRadar API.
Two major capabilities of QRadar SIEM are to integrate with many other solutions and platforms, and to provide an API platform that can be utilized to build powerful extensions.
In this video series we focus on the QRadar extension capabilities. We address the following topics:
- QRadar App Exchange Foundations
- QRadar App Development and Troubleshooting (Open Mic)
- Installation and configuration of the Incident Overview App
- Configuration of the X-Force Threat Intelligence feed
An offense represents a security incident related to a suspicious attack or policy violation. As event and flow data passes through QRadar SIEM, it tests different conditions to generate an offense if such tests results are positive.
In this 2-part video course you learn about investigating offenses that are based on either events or flows.
When working with custom QRadar Log Sources, you often have to deal with collected information that falls outside the standard normalized data, and this data might be considered important. The Custom Properties are a way to collect this information and use it for your ongoing for your investigations.
QRadar administration encompasses many operational tasks. In this video series you can learn more about the following topics:
|
This video series provides insight to troubleshooting activities for your IBM QRadar deployment.
- System Notifications and Error Messages (Open Mic)
- Understanding and troubleshooting IO errors when searching in QRadar
- How to use tcpdump for troubleshooting in QRadar
- Collecting QRadar System Logs
- QRadar Dynamic Systems Analysis
The QRadar SIEM Troubleshooting Tools course contains the following videos:
- The QRadar SIEM Troubleshooting Tools: Introduction to Log Files Part 1 and Part 2 provides an overview of the various log files available and when to use the each log file for troubleshooting.
- The QRadar SIEM Troubleshooting Tools: get_logs shows you how to collect logs for troubleshooting. It also details how to use some of the logs in troubleshooting QRadar issues
This hands-on lab is intended to review the configuration of a security profile, a user role, and a user account so that you can understand how these concepts are related to each other and how they can provide you with granular control of a user's access to information in your Console.
With the QRadar Experience Center App, you run a scenario that simulates an attack triggered by a spam email that allows the launch of a command shell, which helps a suspicious OS to log into an Amazon Web Services (AWS) environment and starts creating multiple instances on this cloud environment. It ends with the downloaded backup data from an S3 bucket..
In this video, you learn how to investigate this type of situation by using the provided sample data in QRadar SIEM.
Sysmon stands for System Monitor. It is a Windows service that monitors and logs system activity, such as the creation of new processes, network connections, and changes to the Windows registry. By using IBM Security QRadar to collect the events that Sysmon generates and then analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. In this Powershell attack scenario, a user in your network opens a file that runs a Powershell command, which installs a piece of malware. The malware then steals users' credentials, which allow it to move laterally to other endpoints in your network, infecting them and starting the process over again.
In a targeted attack, a user inside a company receives malicious software that allows an attacker to infiltrate the corporate network and compromise information.
With the QRadar Experience Center App, you run a scenario that simulates the execution of malware by a user, which then downloads additional tools to steal credentials, scan the network, connect to a local database, and download sensitive data.
In this video, you learn how to investigate this type of situation by using the provided sample data in QRadar SIEM.
Each event and flow is a record of an activity in you IT environment. For some events, and all flows, this activity includes a network connection. Many rules need to test, if this network connection is approved in your organization. The rules do this by testing whether the event or flow has been tagged by building blocks with names beginning with BB:HostDefinition and BB:HostReference. Their purpose is to signal QRadar SIEM, which network connections are approved in your organization. In this course, you learn how to approve network connections using these building blocks.
Reference data collections can be used to store and manage important data that you want to correlate against the events and flows in your QRadar environment. You can add business data or data from external sources into a reference data collection, and then use the data in searches, filters, rule test conditions, and rule responses.
In this course, you first get an overview of the different reference data types and what they can be used for. Next, you learn how to manage reference data collections and how to use them.
This 2-part video course explores the following topics:
Part 1: QRadar reference data types overview
- General purpose of reference data collections
- Reference set
- Reference map
- Reference map of sets
- Reference map of maps
- Reference table
- Using the QRadar UI
- Using the CLI
- Using the RESTful API
- Reference data in queries (AQL)
- Reference data in Rules (test conditions, rule responses)
You can back up and recover IBM QRadar configuration information as well as event and flow data by using the backup and recovery feature. However, you must restore event and flow data manually. There are two types of backups: configuration backups and data backups.
Objectives
- View backup archives
- Create an on-demand configuration backup archive
- Delete a backup archive
- Schedule nightly backup
- Import a backup archive
License keys entitle you to specific IBM Security QRadar products and control the event and flow capacity for your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such as QRadar Vulnerability and Risk Manager. After you apply the license keys to QRadar, redistribute the EPS and FPM rates to ensure that each of the managed hosts is allocated enough capacity to handle the average volume of network traffic.
In this video, you learn about the features of managing licenses in QRadar SIEM.
Every IBM Security QRadar SIEM Analyst has to master basic investigations skills. In this course, you learn how to use flexible Searches to narrow down your investigations by watching the following videos:
- Learning how to utilize the QRadar search functionality
- How to search data efficiently in QRadar using indexing
- How to search data efficiently in QRadar using quick filters
In this video, you learn how to set up and use the IBM Disconnected Log Collector (DLC), which is a free-of-charge event collector that can work independently of QRadar.
In this video, you learn how to use rule explorer in the QRadar Use Case Manager app, which offers flexible reports related to your rules. QRadar Use Case Manager also packages the Cyber Advisory Framework Mapping application to expose pre-defined mappings to system rules and to help you map your own custom rules to MITRE ATT&CK tactics and techniques.
The Log Event Extended Format (LEEF) is a customized event format for IBM QRadar that contains readable and easily processed events for QRadar. In this video, you learn what LEEF is, what its main components are, how to customize it, and finally, you see an example of what a LEEF event looks like in your QRadar Console.
In this set of videos, we introduce the powerful capabilities of IBM QRadar SIEM.
- The first video depicts how data is ingested into the QRadar environment by collecting log information, network flow data, and vulnerability information. You learn about the asset model, and how the QRadar rules are used to create actionable offenses. In addition, the video explains the integration with IBM BigFix, as well as QRadar Risk and Vulnerability Manager.
- The second video starts off by explaining the concepts of QRadar Reference Sets and how to use them. It then takes a look at the forensic capabilities, and briefly introduces the deployment architecture.
- The third video focuses on integration capabilities between QRadar and IBM BigFix, IBM Guardium, network intrusion prevention systems, IBM Trusteer, IBM Identity Manager, and IBM mainframe SMF records,
- After a brief recap of the QRadar fundamentals, the fourth video explains many of the new capabilities that have been recently added to QRadar. These include the new appliances QRadar Network Insights, the Data Node, and the App Node. It then provides an overview of the QRadar API and the App Exchange, and takes a closer look at some of the available app extensions, including the BigFix App, User Behavior Analytics, Sysmon integration, and the QRadar Advisor with Watson. Finally, it introduces the new DSM Editor.
- Collecting and investigating network flows is one of the outstanding QRadar capabilities. The final video explains how QRadar approaches network flows, and how the security analysts benefit from this in their daily investigations.
This course provides an introduction to IBM Security QRadar architectural patterns for Managed Security Service Providers (MSSPs).
An MSSP provides
Security Operations Center (SOC) services to customers of different
sizes and requirements. This will result in different architectural
patterns and use of QRadar
Console, Event collectors (EC), Event processors (EP), and Disconnected
Log Collectors (DLC).
The intent of the MSSP SOC is to offer services to multiple clients and at the same time to ensure confidentiality, integrity, and availability of services and data to their clients. To accomplish this goal, the QRadar components can be deployed across three zones that rely on the QRadar core functions for data isolation, such as users access management, domains, and tenants.
Amazon Web Services (AWS) CloudTrail is a service that enables operational and risk auditing of your AWS account. It collects audit events from Amazon S3 buckets and a Log group in the AWS CloudWatch Logs. CloudTrail allows you to continuously monitor your AWS account activity including actions taken through the Management Console, AWS SDKs, command line, and other services.
QRadar connects through Amazon Web Services' API to retrieve the CloudTrail events, providing
event parsing that not only allows for monitoring of your AWS account
activity, but also for newly created rules to alert on possible AWS
Security violations. AWS-related saved searches are used for reporting,
which allows for analyzing trends on policy and user/group changes, and
more.
In this video, you learn how to configure QRadar to retrieve logs from an AWS cloud environment source. Two use cases demonstrate how useful this integration can be to your cloud security posture.
This video presented by Jose Bravo discusses a technique to use Guardium Data Encryption and QRadar to help protect against ransomware.
In this video, Jose Bravo demonstrates the value that Cloud Pak for Security (CP4S) brings to a QRadar environment. Jose will demonstrate an attack on a Windows system and how QRadar recognizes an offense has occurred and triggers CP4S to take automated remedial action.