Security Intelligence Latest Courses (12):
This course teaches you how to configure a QRadar Retention Bucket within QRadar Administration.
First, you learn about QRadar data retention and how to retain event and flow data in IBM QRadar. Then, you run an interactive simulation to configure QRadar Retention Buckets.
QRadar Deployment Intelligence is a monitoring application built to give users a bird's-eye view of the health of their QRadar deployment. The app consolidates the following historical data points on a per-host basis:
- Event and flow rates
- System performance metrics
- QRadar specific metrics and more
In this course, you learn how to use the interactive app by first displaying initial overviews for all hosts, and then drilling down into specific hosts to investigate detailed health and status information.
Insider threats account for 60 percent of cyber attacks, and they are incredibly difficult to detect. In fact, most cases go unnoticed for months or years. Regardless of whether the insider is a malicious employee or a contractor whose credentials have been compromised, security teams need the ability to quickly and accurately detect, investigate and respond to these potentially damaging attacks.
QRadar User Behavior Analytics (UBA) analyzes user activity to detect malicious insiders and determine whether a user's credentials have been compromised. Security analysts can see risky users, view their anomalous activities, and drill down into the underlying log and flow data that contributed to a user's risk score. As an integrated component of the QRadar Security Intelligence Platform, UBA uses out-of-the-box behavioral rules and machine learning (ML) models to add user context to network, log, vulnerability, and threat data, so that attacks are detected more quickly and accurately.
IBM QRadar SIEM alerts to suspicious activity by creating offenses. An offense contains and links to information helpful to investigate it, such as events, flows, and asset profiles. Many offenses turn out to be false positives, and some false positives can be prevented by keeping the configuration of QRadar up to date.
The QRadar network hierarchy can cause false positives if it does not completely reflect which IP address ranges are local: any address that is not covered by the hierarchy is treated as remote, so rules that key on local-to-remote or remote-to-local traffic fire on hosts that are actually internal.
In this video, you learn how to change the network hierarchy based on the conclusion that an offense is a false positive.
This video is intended for new administrators or users who have inherited QRadar responsibilities in their organization and want a crash course on how to maintain and manage QRadar. The goal of this video is to give administrators an idea of what to review on a daily, weekly, and monthly basis to prevent support calls and to understand QRadar as a new administrator.
This IBM QRadar Support Open Mic session was recorded on Thursday, 25 April 2019.
Security profiles define the networks, log sources, and domains that a user can access. QRadar includes one default security profile for administrative users. The Admin security profile includes access to all networks, log sources, and domains. Before you add new user accounts, you must create more security profiles to meet the specific access requirements of your organization. In this video, you learn about security profiles and how to manage them in QRadar.
A user role defines the functions that a user can access in IBM QRadar. During the installation, two default user roles are defined: Admin and All. Before you add user accounts, you must create the user roles that meet the permission requirements of your users. In this course, you learn about user roles and how to manage them in QRadar.
In this lab, you learn how to configure and use the QRadar Advisor with Watson app in a QRadar offense investigation. You can download QRadar Advisor with Watson from the IBM Security App Exchange, but you must have a valid subscription to configure and run the app. In this lab, you can use the app without activating your paid subscription or enrolling in a 30-day free trial. You learn to use regular expressions to extract QRadar custom properties and to configure reference sets, rules, network hierarchy, and assets. The lab also walks you through the investigation process, and you learn how to interpret QRadar Advisor knowledge graphs.
The lab provides an overview of the Cyber Adversary Framework Mapping Application. This app is used to map your custom rules to MITRE ATT&CK tactics and override the IBM default rule mappings.
To properly understand and use the capabilities of QRadar SIEM beyond the basic concepts, it is important to learn about assets. In this course, you learn how assets can be discovered and then dynamically updated by QRadar, including network information, running applications and services, active users, and vulnerabilities.
The user account defines the unique user name that is used to log in to QRadar. It specifies which user role, security profile, and tenant assignments the user is assigned to. When you initially configure your system, you must create user accounts for each person who requires access to QRadar. In this course, you learn about users and how to manage them in QRadar.
In this video, you learn how to configure a Linux system to send syslog information to QRadar.
The Log Event Extended Format (LEEF) is an event format defined by IBM for QRadar: a syslog message whose payload starts with a pipe-delimited header (LEEF version, vendor, product, product version, event ID) followed by delimiter-separated key=value attributes that QRadar can parse without a custom DSM. In this video, you learn what LEEF is, what its main components are, how to customize it, and finally, you see an example of what a LEEF event looks like in your QRadar Console.
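The following parser is an added example, not code from IBM or from the course; it illustrates the LEEF structure described above by splitting the pipe-delimited header and the attribute payload for both LEEF 1.0 (tab-delimited attributes) and LEEF 2.0 (producer-chosen delimiter, given literally or as a hex code such as x09, and optional when it is a tab). The vendor and product names, event IDs and syslog lines in SAMPLE_EVENTS are constructed for the example and do not correspond to any real log source.

```python
"""Parse LEEF 1.0 / 2.0 events from syslog lines (added example, not IBM code)."""
import re
from dataclasses import dataclass


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict


def _resolve_delimiter(spec: str) -> str:
    """LEEF 2.0 names its attribute delimiter either as one literal character
    (for example '^') or as a hex code ('x09' or '0x09'). A '|' delimiter is
    not representable here because '|' already separates the header fields."""
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{1,2})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) != 1:
        raise ValueError(f"invalid LEEF 2.0 delimiter field: {spec!r}")
    return spec


def _parse_attributes(payload: str, delim: str) -> dict:
    """Split 'key=value<delim>key=value...' into a dict; values may contain '='."""
    attrs = {}
    for token in payload.split(delim):
        if not token:
            continue
        if "=" not in token:
            raise ValueError(f"attribute without '=': {token!r}")
        key, value = token.split("=", 1)
        attrs[key.strip()] = value
    return attrs


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF payload; raise ValueError on malformed input."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    body = line[start:].rstrip("\r\n")
    # Five '|' separate the header fields; everything after the fifth is the
    # payload (LEEF 2.0 may prefix it with a delimiter field).
    parts = body.split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header needs version, vendor, product, product version and event ID")
    leef_version = parts[0][len("LEEF:"):]
    vendor, product, product_version, event_id, rest = parts[1:]
    if leef_version == "1.0":
        delim, payload = "\t", rest
    elif leef_version == "2.0":
        # The delimiter field is optional when the delimiter is a tab; in that
        # case the text after the event ID is already the key=value payload.
        head, sep, tail = rest.partition("|")
        if sep and "=" not in head:
            delim, payload = _resolve_delimiter(head), tail
        else:
            delim, payload = "\t", rest
    else:
        raise ValueError(f"unsupported LEEF version {leef_version!r}")
    return LeefEvent(leef_version, vendor, product, product_version, event_id,
                     _parse_attributes(payload, delim))


# Constructed sample lines (hypothetical vendor/product, documentation IP ranges).
SAMPLE_EVENTS = [
    "Jan 18 11:07:53 fw01 LEEF:1.0|Example|Firewall|3.2|1001|"
    "src=192.0.2.45\tdst=198.51.100.2\tsev=7\tcat=blocked",
    "<13>Jan 18 11:07:54 fw01 LEEF:2.0|Example|Firewall|3.2|1001|^|"
    "src=10.0.0.1^dst=2.1.1.1^sev=5^cat=allowed",
    "LEEF:2.0|Example|Firewall|3.2|1002|x5e|src=10.0.0.1^dstPort=443",
    "LEEF:2.0|Example|Firewall|3.2|1003|src=10.0.0.7\tsev=3",
]


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ev = parse_leef(raw)
        print(ev.leef_version, ev.vendor, ev.product, ev.event_id, ev.attributes)
```

The parser refuses lines whose header is short or whose payload contains a token without `=`, rather than guessing; when onboarding a new LEEF source it is safer to surface malformed events at the collector than to let QRadar file them as unparsed "stored" events that no rule ever matches.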