Security Intelligence Courses (8):
Insider threats account for 60 percent of cyber attacks, and they are incredibly difficult to detect. In fact, most cases go unnoticed for months or years. Regardless of whether the insider is a malicious employee or a contractor whose credentials have been compromised, security teams need the ability to quickly and accurately detect, investigate and respond to these potentially damaging attacks.
QRadar User Behavior Analytics (UBA) analyzes user activity to detect malicious insiders and determine if a user’s credentials have been compromised. Security analysts can see risky users, view their anomalous activities, and drill down into the underlying log and flow data that contributed to a user’s risk score. As an integrated component of the QRadar Security Intelligence Platform, UBA leverages out of the box behavioral rules and machine learning (ML) models to adds user context to network, log, vulnerability and threat data to more quickly and accurately detect attacks.
IBM QRadar SIEM alerts to suspicious activity by creating offenses. An offense contains and links to information helpful to investigate it, such as events, flows, and asset profiles. Many offenses turn out to be false positives, and some false positives can be prevented by keeping the configuration of QRadar up to date.
The QRadar network hierarchy can cause false positives if it does not completely reflect which IP address ranges are local.
In this video, you learn how to change the network hierarchy based on the conclusion that an offense is a false positive.
Security profiles define the networks, log sources, and domains that a user can access. QRadar includes one default security profile for administrative users. The Admin security profile includes access to all networks, log sources, and domains. Before you add new user accounts, you must create more security profiles to meet the specific access requirements of your organization. In this video, you learn about security profiles and how to manage them in QRadar.
A user role defines the functions that a user can access in IBM QRadar. During the installation, two default user roles are defined Admin and All. Before you add user accounts, you must create the user roles to meet the permission requirements of your users. In this course you learn about user roles and how to manage them in QRadar.
To properly understand and use the capabilities of QRadar SIEM beyond the basic concepts, it is important to learn about assets. In this course, you learn how assets can be discovered and then dynamically updated by QRadar, including network information, running applications and services, active users, and vulnerabilities.
The user account defines the unique user name that is used to log in to QRadar. It specifies, which user role, security profile, and tenant assignments the user is assigned to. When you initially configure your system, you must create user accounts for each person who requires access to QRadar. In this course, you learn about users and how to manage them in QRadar.
In this video, you learn how to configure a Linux system to send syslog information to QRadar.
The Log Event Extended Format (LEEF) is a customized event format for IBM QRadar that contains readable and easily processed events for QRadar. In this video, you learn what LEEF is, what its main components are, how to customize it, and finally, you see an example of what a LEEF event looks like in your QRadar Console.