QRadar Advisor with Watson
QRadar Advisor with Watson Roadmap
The total time required to complete this roadmap is 8h 15m.
This roadmap outlines fundamental courses intended for someone who works
with IBM QRadar Advisor with Watson. These courses introduce you to
cognitive analytics and the QRadar Advisor architecture and deployment
models and help you to deploy QRadar Advisor into your overall QRadar
environment.
Overview
Review the following courses to learn about QRadar Advisor concepts and architecture and how to use the cognitive analytics capabilities for your threat investigations.
QRadar preparation
Before you install and configure QRadar Advisor with Watson, you must tune your QRadar deployment to leverage the QRadar Advisor analytic capabilities in the best way.
Setup and installation
During the installation process, you must address specific critical configuration parameters to make your QRadar Advisor as efficient as possible.
Configure QRadar Advisor with Watson
Once QRadar Advisor is installed, you can leverage certain features to improve your experience with the application.
Investigations
In this learning path, we present examples of how you can best leverage QRadar Advisor's potential during your investigations.
In this video, you will learn about the benefits of setting up and using third-party threat intelligence data in IBM Security QRadar Advisor with Watson.
In this video, we talk about why log sources are important to IBM Security QRadar Advisor with Watson. We show examples of one investigation with a configured L2R log source and another one without.
In this lab, you learn how to configure and use the QRadar Advisor with Watson app in a QRadar offense investigation.
You learn to use regular expressions to extract QRadar custom properties and configure reference sets, rules, network hierarchy, and assets. The lab also walks you through the investigation process and you learn how to interpret QRadar Advisor knowledge
graphs.
The lab provides an overview of the Cyber Adversary Framework Mapping Application. This app is used to map your custom rules to MITRE ATT&CK tactics and override the IBM default rule mappings.
Objectives
-
Learn about QRadar configuration changes and updates necessary for a successful QRadar Advisor with Watson investigation
-
Extract custom properties from various log sources
-
Update relevant reference sets
-
Create QRadar rules
-
Enable X-Force threat intelligence feed
-
Update network hierarchy and critical assets
-
Configure QRadar SIEM and QRadar Advisor to show files that were executed or that were blocked on the systems that are monitored by QRadar SIEM
-
Update the QRadar Advisor configuration to use proper custom mappings
-
Learn how to run investigations and interpret the QRadar Advisor knowledge graph
- Configure and use the Cyber Adversary Framework Mapping Application
This video provides a
replay of the IBM Security QRadar Open Mic: "Optimizing QRadar Advisor with
Watson" that was hosted on 08 June 2017. The following topics are
addressed in this video:
- QRadar Tuning Review
- QRadar Advisor with Watson Best Practices
In this video, you learn why mapping Custom Event Properties is important to QRadar Advisor with Watson and how to do it inside the configuration utility.
In this video, you learn how proper Asset and Network Hierarchy configuration can improve your IBM Security QRadar Advisor with Watson investigations.
In this video, you learn about QRadar Advisor with Watson tuning and best practices. The course covers the following topics:
- Preparing QRadar by tuning offenses
- Why data sources matter?
- Importance of the Network Hierarchy
- Automatic Investigations
- Local Threat Intelligence
- False Positives
- Preparing QRadar by tuning offenses
- Why data sources matter
- Importance of the Network Hierarchy
- Automatic Investigations
- Local Threat Intelligence
- False Positives
In this video, you will learn about the benefits of setting up automatic investigations in IBM Security QRadar Advisor with Watson.
In this four-part video, we explain how QRadar Advisor with Watson can empower Security Analysts by reducing critical time for investigations and at the same time enriching the findings using the information discovered by Watson.
The first video describes three different investigation methods using QRadar Advisor:
- Manual
- Automatic
- Re-Investigation.
- Local
- Watson Insights
- Expanded Local Context
Finally, a real-world use case demonstration of a user related investigation shows how QRadar Advisor with Watson is being used to shorten the investigation and response times when it really matters.
This video demonstrates how to install QRadar Advisor with Watson and how to perform the initial setup.
The video covers the prerequisites you need for the app and all the settings that are relevant to the new configuration.
In this four-part course you learn the fundamental details of QRadar Advisor with Watson.
The first video provides background information about cognitive computing and Artificial Intelligence (AI), and how QRadar Advisor with Watson fits into that space. Then the video explains how IBM Watson is used in cyber security and, specifically, in QRadar.
The second video explains typical responsibilities of the security analyst job role. Then, it explains how those security analysts can use QRadar Advisor with Watson to assist them in their threat analysis and investigation.
The third video describes standard terminology and the individual components of QRadar Advisor with Watson, and how they can be utilized.
Finally, a real-world use case demonstration of a user related investigation shows how QRadar Advisor with Watson is being used to shorten the investigation and response times when it really matters.
In this course, Jeremy Begley looks at the QRadar offense investigation from a SOC analyst perspective while utilizing QRadar Advisor with Watson.
Artificial intelligence (AI) is changing the future of cybersecurity. Security professionals need to mine not only structured information but also unstructured data, including human-generated content. Artificial intelligence enables IT teams to reason, learn and provide a context in real time beyond simple analytics patterns.
Armed with this collective insight, security analysts can respond to threats with increased speed, accuracy and confidence.
Mark Brosnan, Mary O’Brien, Anthony O’Callaghan and Ronan Murphy discuss how to stay ahead of the game in today’s rapidly evolving landscape.
This Panel Discussion about "Strengthening Security With Cognitive Analytics And Intelligent Integration" has been recorded at the Zero Day Con 2017, and it is reproduced here with the permission of ZDC, February 2018.
IBM Security QRadar Advisor with
Watson (QRAW) can help drive significant improvements in your SOC
operations. Installing, configuring, and tuning QRadar Advisor with
Watson is simple. However, you need to ensure that you have both QRadar
and QRadar Advisor with Watson set up and configured properly to deliver
the objectives and outcomes you and your analysts desire.
Before
you install QRadar Advisor with Watson, follow the guidance in this
document to ensure that your QRadar is ready with the correct logs and
instrumentation. QRadar Advisor with Watson can tap into accurate and
comprehensive data to investigate any offense, asset, user, or user
activity. QRadar Advisor with Watson can substantially improve analysts’
productivity, increase their effectiveness, and reduce the time and
effort it takes to collect data and investigate offenses and users.
This
document outlines a two-phased approach. Each phase has a checklist to
ensure the proper deployment of QRadar Advisor with Watson in your
environment.
- Phase 1: Preinstall and prepare QRadar (before you install QRadar Advisor with Watson)
- Phase 2: Install and configure QRadar Advisor
IBM Security QRadar Advisor with Watson (QRAW) can help drive significant improvements in your SOC operations. QRadar Advisor with Watson can tap into accurate and comprehensive data to investigate any offense, asset, user, or user activity. QRadar Advisor with Watson can substantially improve analysts’ productivity, increase their effectiveness, and reduce the time and effort it takes to collect data and investigate offenses and users. However, integrating the information and insights from QRAW into well-established SOC processes might not be straight forward.
The intent of this document is to give guidance on how QRAW can help analysts. It provides specific examples of how to integrate the data, information, and insights into current SOC operations. It assumes that your QRadar environment is tuned and that QRAW is configured properly.
The following topics are covered in this document:
- Where does QRAW fit in the Threat Management process
- Tier 1 analyst: Defines the typical role of a Tier 1 analyst and highlights specific ways that QRAW can assist them
- Tier 2 analyst: Defines the typical role of a Tier 2 analyst and highlights specific ways that QRAW can assist them
- Tier 3 analyst: Defines the typical role of a Tier 3 analyst and highlights specific ways that QRAW can assist them
- Other features in QRAW you can use to improve SOC operations
QRadar Advisor with Watson helps you automate your repetitive SOC tasks while gaining actionable insights into critical incidents faster and to adopt a quicker and more decisive escalation process.
Version 2 allows you to align incidents with the MITRE ATT&CK chain and utilize cross-investigation analytics. Through analysis of the local environment, QRadar Advisor V2 recommends, which new investigations should be escalated to assist an analyst with driving quicker and more decisive escalations.