Lab guide

Investigate cybersecurity threats using

QRadar Analyst Workflow
Course code LSL0450X
February 2022 edition

NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties
in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All names and references for organizations and other
business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental.
All names and associated information for people in this deliverable’s scenarios are fictional. Any match with a real person is
coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a world­wide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware vSphere
are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are
trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
© Copyright International Business Machines Corporation 2022.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
 Table of contents

Table of contents iii

Introduction 1
Exercises 2
Exercise 1 Access the new URL and review the menu 2
Exercise 2 Offenses overview and offense management 3
Exercise 3 Investigate an individual offense (ID 2) 9
Exercise 4 Interact with events of Offense 2 14
Exercise 5 Search in the new UI 20
Exercise 6 App integration (Pulse) 22

iii
© Copyright IBM Corp. 2022
Course materials may not be reproduced in whole or in part without prior written permission from IBM.
 Introduction

The QRadar Analyst Workflow application provides security analysts with an

independent UI to investigate offenses and search for threats. You can download it
from IBM X-Force App Exchange and install it by using the procedure that is
detailed in Installing the stand-alone version.

Note: This application requires QRadar 7.4 or later and will continually release
updates as new features are developed. The core workflows that are enabled in
the QRadar Analyst Workflow app are Offense Investigation, Search, and
Dashboarding (Pulse).

After you install the app, you access the new investigation interface in a separate
URL from the Console. So, you can continue your activities on the Console while
you proceed to add the QRadar Analyst Workflow app.

• Use X.X.X.X/console/ to access the Console.

• Use: X.X.X.X/console/ui/ to access the the QRadar Analyst Workflow app UI

The new URL is shareable among your team, and with it you can share information
by copying and pasting it or any URL in the new UI.

Use the new investigation workflows in QRadar Analyst Workflow to sharpen your
investigative work:
• Select objects like IP addresses, Log Sources, Events, Insights, Magnitude,
and more to open a side panel that provides more context and details to help
inform your decisions.
• Narrow down results in tables with filters.
• Search for common objects like IP, Hash, URL, and more with AQL smart
query builder, with no need to build a query.
• Load screens and navigate between workflows with improved performance.

In this virtual lab, you use the different QRadar Analyst Workflow investigation
components.

1
© Copyright IBM Corp. 2022
Course materials may not be reproduced without prior written permission from IBM.
 Exercises

Exercise 1 Access the new URL and review the menu

Start the lab by navigating to the QRadar Analyst Workflow (Analyst Workflow) app.
Then, explore the menu options.

1. To navigate to the QRadar Analyst Workflow app, on the QRadar Console, in the
upper left of the screen, click the menu icon and then select Try the New UI.

A new browser tab (x.x.x.x/console/ui…) opens with the Analyst Workflow App
UI.

Note:
This app runs in parallel to the main Console. In the future, you can directly
access this page via URL by copying and pasting it. Any URL in the new UI can
be shared with a team member, and it will navigate directly to the page that
you are looking at. In this lab, you cannot see the app open in a new tab
because the browser is in full screen mode.

2
Course materials may not be reproduced without prior written permission from IBM.
 The Pulse Offense overview dashboard is the default first screen that opens in the
UI. It contains widgets that monitor the top offense categories, the most recent
and most severe offenses, which offenses are active, and other information,
which you can customize by adding, removing, or rearranging the widgets.
2. To view the main menu selections in the Analyst Workflow app’s UI, in the
upper left of the screen, click the menu icon.
The menu displays the core workflows and applications.

Note: The three applications that use the Analyst Workflow UI are Offenses,
Search, and Pulse. Other applications that run in their own QRadar tab can be
viewed within the QRadar Analyst Workflow UI, but not all of them are
consistent with the Analyst Workflow UI’s design.

3. Click Offenses.

Exercise 2 Offenses overview and offense management

The Offenses view provides three quick visualizations: Offenses by Magnitude,
Offenses by Assignee, and Offenses by Type. It also shows a table of offenses, which
is filterable and interactive.

3
Course materials may not be reproduced without prior written permission from IBM.
1. To sort the Offense table by magnitude, click the Magnitude column heading.
The direction of the arrow indicates whether it is sorted by ascending or
descending order.

2. To see more details about the offenses, scroll to the right.

There are decorated objects within the table, such as IP addresses. These
decorated objects indicate whether the IP address is internal or external and the
risk that is associated with the address (retrieved from the QRadar asset database
for internal, and from the IBM X-Force for external addresses). Importance is
indicated with visual indicators: red for high, orange for medium, yellow for low.

They also indicate that you can select them to display additional information in a
side panel.

4
Course materials may not be reproduced without prior written permission from IBM.
3. To reveal the IP side panel, in the Source IPs column, on the first row, select the
internal address 192.168.107.107.
This IP does not contain any information yet. However, after you include more
information about this asset, it is displayed here.

4. To close the side panel, select the X in the upper right of the panel or click
anywhere on the disabled area outside of the side panel.
5. To reveal the list of the source IPs that are involved in the offense, select the
Multiple drop-down menu from the third row. To close it, click it again.
6. To reveal the IP side panel, which contains information from the integrated X-
Force Threat Intelligence, such as Categorization, Location, and WHOIS Details, on
the last row, select the external address 43.154.139.117.

5
Course materials may not be reproduced without prior written permission from IBM.
 6
Course materials may not be reproduced without prior written permission from IBM.
You can see that the IP address was involved with scanning activities.

5. Close the side panel.

6. To filter offenses, go to the left side of the screen where the Filter panel is open by
default.
7. In the Filter area, click Rules and then select EC: Sysmon - Powershell Malicious
Us….
This action updates the Offenses table to reflect the chosen filters.

7
Course materials may not be reproduced without prior written permission from IBM.
8. You can also act on an offense by using this table.
To do this, use the checkbox column to select the only row.

9. Next, click Actions.

A list of available actions opens: Follow Up, Protect, Hide, Close, Assign, and Send
to Resilient.

10. To close the menu, click Actions again.

11. To open an individual offense, click anywhere on the row that is not a decorated
object or the row selector.

The individual Offense ID 2 opens.

8
Course materials may not be reproduced without prior written permission from IBM.
 Exercise 3 Investigate an individual offense (ID 2)
Opening an individual offense provides you with an overview about why this offense
was created and who was involved.

The table underneath the title of the Offense provides quick details about the type
of offense, the source and destination IP addresses, the number of events and flows,
and other details.

You can interact with many data objects in this view by using decorated objects or
hyperlinks. To recall what a decorated object is, see Exercise 2 in this lab.

The “Mitre ATT&CK Tactics & Techniques” module shows you which tactics and
techniques were observed in this offense. They are classified with a low, medium, or
high confidence.

1. Select one of the Mitre tactics.

The Mitre tactic details panel opens to show you a description of this chosen tactic,
any techniques that are associated with the Use Case Manager, and an external link
to the Mitre ATT&CK website, which contains more information.

9
Course materials may not be reproduced without prior written permission from IBM.
2. To close the side panel, click the X.

Feel free to explore other tactics and compare their details.

The “Insights” module provides analysts with a view on why an Offense fired, and
the conditions, rules, and behaviors that were combined to create a single view of an
attack.

3. Select one of the insights.

10
Course materials may not be reproduced without prior written permission from IBM.
 The Insights panel opens to provide more details about this Rule, the associated
notes, the tests that comprise this rule, and more details.

5. To close the side panel, click the X.

Feel free to explore other insights and compare their details.

The Magnitude module provides a visualization using the Relevance, Credibility, and
Severity of the Offense.

6. To reveal the Magnitude side panel, click anywhere inside the Magnitude module.

11
Course materials may not be reproduced without prior written permission from IBM.
 This panel shows how each category is calculated.

7. To close the side panel, click the X.

You can use the Notes module to communicate among team members.

8. To add a note, click Add Note +.

You can add text and links in the Add note window. For this exercise, do not add any
text.

9. To close this module, click the X.

12
Course materials may not be reproduced without prior written permission from IBM.
 The Recent Events module in the center of the page depicts the event activity over
time, and it includes additional summary details such as internal and external IP
addresses, users, and log sources.

10. To view the events associated with the offense, click View Events in the upper right
of the module.

The Search page displays the events that are associated with this offense.

13
Course materials may not be reproduced without prior written permission from IBM.
11. There is a breadcrumb on the upper left of the screen, which you can use to
maintain a connection to the offense during your investigation. To go back to the
offense, click Return to Offense 2.

You can return to the Offense details page from this Search page. However, if you go to
the Search page from the main menu, you lose this breadcrumb.

12. Click View Events again.

Exercise 4 Interact with events of Offense 2

You can effectively examine the underlying details of an offense by using the
interactive tables and filters on the Search page.

14
Course materials may not be reproduced without prior written permission from IBM.
1. To load more than 10 events into the events table at one time, navigate to the
lower left of the table and increase the value in the Items per page list to 50.

Next, apply filters to find relevant events quickly. One way to do this is by using the
Filter panel.

2. Click Filter to open the Filter panel.

3. In the Filter panel search bar, type windows and press Enter.
4. To apply the filter, select the first Experience Center: WindowsAuthServer
checkbox.
5. Close the Filter panel by selecting the X next to Filter.

15
Course materials may not be reproduced without prior written permission from IBM.
Another way to apply filters is to right-click a row in the table, which reveals an
inclusion and an exclusion filter option.

6. Right-click on any CreateRemoteThread event and select Apply IS NOT filter.

You can see all applied filters next to the Filter icon. To clear individual filters, select
the X next to an individual filter. You can also clear all filters by clicking Clear filters.

The Search results table is interactive. It enables you to retrieve additional

information for decorated objects or an individual event by either hovering over
an object or event, or by clicking an object or event.

7. In the table, hover over the LogSource column: Experience Ce… EC: TIG….

16
Course materials may not be reproduced without prior written permission from IBM.
8. To reveal the Log Source panel, click the log source Experience Ce… EC: TIG….
9. To close the side panel, click the X.

10. To reveal more event properties that might not be shown in the column set, click
one of the “Process Create” events from the table.

17
Course materials may not be reproduced without prior written permission from IBM.
This action opens the Event side panel, where you can scroll to see additional
information such as payload and custom properties.

11. Click Open payload.

Here, you can view and copy the entire payload for the event in UTF, HEX, and BASE64
formats.

12. Close the Payload window.

13. To close the side panel, click the X.

18
Course materials may not be reproduced without prior written permission from IBM.
Feel free to explore other event details and their payloads to compare their details.

19
Course materials may not be reproduced without prior written permission from IBM.
 Exercise 5 Search in the new UI
Searching in the new UI is simple but powerful. The search interface provides an
AQL query builder with a type-ahead experience to make searching for common
indicators of compromise (IOC) easy and customizable by using the AQL query
language.

1. In the query for the current event search, click in the Query Builder.

NOTE: in a real scenario, you can edit the current search parameters to run a new
search. However, due to the limitations of this virtual lab, the current search is
removed when you click in the query field.

Queries can either be entered manually or you can create them by using the AQL
type-ahead feature. To use AQL type-ahead, enter an IP address, a URL, or a hash
value.

11. Into the query builder, type 192.168.107.107 and press Enter.
A drop-down menu with possible query suggestions opens. You can use an IP
address as a Quick Filter (to search through payloads), as Any IP, as a Source IP,
or as a Destination IP.

NOTE: Due to the nature of this lab, you must press Enter. In a real environment, the
type-ahead feature suggests filtering options as you type each character in the
query field.

12. Select the Any IP option, and a predefined AQL query populates the query
builder editor with set columns, result limits, and a time range.

20
Course materials may not be reproduced without prior written permission from IBM.
HINT: you can edit the automatically populated query to include more details,
adjust the time range, dates, or any other parameter you choose.

13. To get results, click Run query.

After you run the query, a table of events and results is displayed.

14. Open the Filter panel.

Here, you can filter, sort, select rows to get event details, or select decorated
objects to retrieve information side panels. Feel free to explore the decorated IP
objects and Event Name details in the list, and the main categories and
subcategories in the Filter pane.

Note: Due to the limitations of this virtual lab, in this exercise you cannot sort the
search results by column, nor use the filters; you can only view their categories.

21
Course materials may not be reproduced without prior written permission from IBM.
 Exercise 6 App integration (Pulse)
The integration with QRadar apps is developed continually to bring existing apps
into the new framework. The first example of this is the Pulse dashboard
workflow integration.

1. On the upper left of the screen, click the menu icon and select Pulse.

Pulse is a customizable dashboard framework that enables you to visualize data

and see the most important metrics in a consumable manner.

One of the things that Pulse can do is drill down so that you can more quickly
investigate high priority offenses that are viewed in Pulse.

2. Find the “Most severe offenses” widget.

3. To go directly to the individual offense overview, select Powershell Has Been

22
Course materials may not be reproduced without prior written permission from IBM.
Launched in a Compromised Host preceded by Process Create….

This offense is the same one that you investigated in Exercise 3. Feel free to
explore its details, such as the Insights and Magnitude modules, and the Events
view.

After you finish exploring the offense, click the Offenses breadcrumb to return to
the Offenses overview.

You learned how to navigate the QRadar Analyst Workflow application to quickly
investigate offenses and their underlying events and details.

This is the end of this lab.

23
Course materials may not be reproduced without prior written permission from IBM.
© Copyright IBM Corp. 2022