QRadar SIEM Courses (17):

Developing log source types in QRadar SIEM

Device Support Modules (DSM) enable QRadar SIEM to normalize events from raw logs received from various source types. These events must be parsed, normalized, and correlated into offenses to alert you to suspicious activities. In these exercises, you use the DSM Editor to create a log source type for an unknown source of events. You also configure the new log source type to parse and normalize its properties and create unique identifiers and mappings so that QRadar SIEM can name, rate, and categorize the events from the unkown log source.

Using IBM QRadar SIEM

IBM QRadar SIEM enables you to minimize the time gap between when a suspicious activity occurs and when you detect it. Attacks and policy violations leave their footprints in log events and network flows of your IT systems. QRadar SIEM connects the dots and provides you insight by performing the following tasks:

  • Alerts to suspected attacks and policy violations in the IT environment
  • Provides deep visibility into network, user, and application activity
  • Puts security-relevant data from various sources in context of each other
  • Provides reporting templates to meet operational and compliance requirements
  • Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use


The exercises in this lab provide a broad introduction into the features of QRadar SIEM. The exercises cover the following topics:

  • Navigating the web interface
  • Investigating a suspicious activity
  • Creating a report
  • Managing the network hierarchy

Introduction to Custom Action Scripts

Attach scripts to custom rules to do specific actions in response to network events. Use the Custom Action window to manage custom action scripts. Use custom actions to select or define the value that is passed to the script and the resulting action.

Creating reports in QRadar SIEM

Reports in IBM QRadar SIEM condense data to statistical views on your environment for various purposes, in particular to meet compliance requirements. In this lab, you run an a report from an existing template, then create a new report based on a saved search, and finally create a new report from a new search.

Developing Anomaly Detection Rules in IBM QRadar SIEM

Anomaly detection aims to alert to threats that are undocumented and therefore cannot be detected by methods that monitor for well defined indicators. Such threats can be detected by monitoring for an unusual volume of activities. With IBM® QRadar® SIEM, create anomaly detection rules to monitor for deviations from the baseline of expected activities.

In these exercises, you develop an anomaly detection rule of type Anomaly. It tests for the deviation of the number of events matching a grouped search from the weighted moving average. The rule fires in the exercise because the sample data spikes above the deviation percentage configured in the anomaly rule.

License management in QRadar SIEM

License keys entitle you to use specific IBM QRadar products and control the event and flow capacity for your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such as QRadar Vulnerability Manager.

This self-paced course provides you the foundations of license management, their components, and explain how they are managed within QRadar.

Course Objectives

  • Define ways to upload and maintain license keys in the QRadar SIEM console.
  • Obtain hands-on experience with viewing license details, uploading a license key, allocating a license key to a host, deleting licenses, and exporting license information.

QRadar Troubleshooting Lab - Part 1: get_logs

This lab walks you through exporting get_logs from:

  • QRadar SIEM's user interface, or
  • the QRadar server.
The get_logs collect logs so you can troubleshoot issues on your own or you can provide  to IBM QRadar Support for assistance with troubleshooting issues.

QRadar Troubleshooting Lab - Part 3: Resource tuning


These labs walk you through advanced troubleshooting for the QRadar software and architecture.

In this set of labs, you will learn how to get processing statistics from the Custom Rules Engine (CRE), determine which processes are using the most QRadar resources, and, create roll up values for time series graphs.

Note: This is an online, interactive lab. You will download and follow the lab guide using the associated elab.


  • Troubleshoot processing issues by using scripts that let you get processing statistics from the CRE and find out what process are using the most QRadar resources.
  • Troubleshoot issues with accumulated data which is used by reports and the time series graphs used in the Dashboard, Log Activity, and Network Activity for aggregated searches.

45 min

Course Revision

QRadar Troubleshooting Lab - IBM QRadar Apps

Use IBM QRadar Apps to extend and enhance your current QRadar deployment with new data and ready-to-use use cases.  A QRadar app is a means to augment and enrich your current QRadar system with new data and functionality. You can download and install other shared apps that are created by IBM, its Business Partners, and other QRadar customers.

How To Start Writing QRadar Apps

The IBM Security App Exchange is a collaborative platform that can help integrate and utilize the collective knowledge of security professionals through code sharing.  The App Exchange offers enhancements and integration between IBM Security products, and can include other security vendors, such as Trend Micro, Cisco, Qualys, and so on.
The majority of the security integration offerings today is available for the IBM® QRadar® product line.  The IBM Security App Exchange provides an expanded hub of QRadar content. IBM QRadar provides a RESTful API that allows access to the QRadar resources and data.

This lab guide demonstrates the tools that can help you to develop new apps for QRadar.  You can use two type of tools for your app development:

  • QRadar App Editor
  • QRadar SDK

The labs are using IBM QRadar Community Edition, or IBM QRadar CE.

Developing Custom Rules in IBM QRadar SIEM


For each incoming event and flow, QRadar SIEM evaluates rules to test for indicators that suggest an attack or policy violation. In this lab, you learn how to create custom rules, building blocks, custom event properties, and a reference set to detect an example suspicious activity.


  • Create and use custom event properties
  • Create and use a reference set
  • Add tests to new custom rules and building blocks
  • Leverage function tests
  • Configure rule actions and responses


1 hour

Course Version



Using AQL for Advanced Searches in IBM QRadar SIEM

The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel databases. You can use AQL to extract, filter, and perform actions on event and flow data that you extract from the Ariel database in IBM Security QRadar. AQL is used for advanced searches to get data that might not be easily accessible from the user interface. This provides extended functionality to QRadar's search and filtering capabilities. In this lab you learn how to utilize AQL for some advanced search tactics inside QRadar SIEM.

QRadar Troubleshooting Lab - Custom Rules

IBM Security QRadar includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.  Custom rules customize default rules to detect this suspicious activity in your network.

Advanced IBM QRadar App Framework and Troubleshooting

In this self-paced course, you will do a deep dive in the foundations of the IBM QRadar Application Framework components and learn how they are managed within QRadar.


How to use IBM X-Force Threat Intelligence and integrate with QRadar SIEM

This course teaches you how to take advantage of the information posted in IBM X-Force Exchange (XFE) platform by using the API, curl tool, and python language.

The course also demonstrates integration between XFE and QRadar SIEM using XFE SDK and direct integration or Threat Intelligence Application and TAXII endpoints.


  • Learn how to leverage the X-Force Exchange API, curl tool, and python scripts to pull threat data from the X-Force Exchange platform
  • Install the Threat Intelligence app in QRadar SIEM
  • Test the API using online documentation
  • Use curl commands and the X-Force Exchange API documentation to simulate browser requests
  • Write a python script that uses X-Force Exchange API code
  • Use TAXII feeds, collections, and the QRadar Threat Intelligence app to integrate the X-Force Exchange API and QRadar SIEM
  • Configure threat data feeds to monitor and detect ransomware outbreaks