Course Guide
IBM QRadar SIEM Foundations
Course code BQ103 ERC 1.2

IBM Training
December 2017 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2017.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
About this course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Course agenda and description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Unit 1 Introduction to IBM QRadar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Lesson 1 The security immune system and why we need Security Intelligence . . . . . . . . . . . . . . . . . . . . . 3
Today’s security drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Attackers break through conventional safeguards every day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
How do I get started when all I see is chaos? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
An integrated and intelligent security immune system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
IBM security immune system portfolio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Lesson 2 The QRadar Ecosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Best practices: Intelligent detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
What is Security Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Ask the right questions – The exploit timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
IBM QRadar Vulnerability Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
IBM QRadar Risk Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
IBM QRadar SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
IBM QRadar Incident Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
QRadar embedded intelligence offers automated offense identification . . . . . . . . . . . . . . . . . . . . . . . . . .21
QRadar embedded intelligence directs focus for investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Benefits of IBM Security Intelligence approach using QRadar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Unit 2 IBM QRadar SIEM component architecture and data flows . . . . . . . . . . . . . . . . . . . . . . . . . 27


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Lesson 1 QRadar functional architecture and deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Functional solution requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
An integrated, unified architecture in a single console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Identifying suspected attacks and policy violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Providing functional context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Network flow analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Extensible functional architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Cognitive Analytics: Revolutionizing how security analysts work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Open Ecosystem and Collaboration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Deep Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Scalable appliance/software/virtual architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

© Copyright IBM Corp. 2017 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Lesson 2 QRadar SIEM component architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
High-level component architecture and data stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Flow collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Event collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Event processor architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Console architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

Unit 3 Using the QRadar SIEM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Instructor demonstration of the QRadar SIEM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Managing the displayed data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Managing your QRadar user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Accessing help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66

Unit 4 Investigating an Offense Triggered by Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Lesson 1 Offenses overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Definition offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Introduction to offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Creating and rating offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Offenses on Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Offenses tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Offenses overview by category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Offenses overview by source IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Offenses overview by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Lesson 2 Using summary information to investigate an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Instructor demonstration of offense parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Offense Summary window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Offense parameters (1 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Offense parameters (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Offense parameters (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Offense parameters (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Offense Source Summary (1 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Offense Source Summary (2 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Offense Source Summary (3 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Offense Source Summary (4 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Offense Source Summary (5 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Offense Source Summary (6 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Lesson 3 Investigating offense details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Last 5 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Last 5 Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Top 5 Source IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Top 5 Destination IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Top 5 Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Top 5 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Top 5 Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Last 10 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Last 10 Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Offense Summary toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Lesson 4 Acting on an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Offense actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Offense status and flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Offense lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110

Unit 5 Investigating the Events of an Offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Lesson 1 Investigating event details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Definition event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Navigating to the events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
List of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Event details: Base information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Event details: Source and destination information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Event details: Reviewing the raw event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Event details: Additional details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Returning to the list of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Lesson 2 Using filters to investigate events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Filtering events (1 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Filtering events (2 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Filtering events (3 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Applying a Quick Filter to the payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Using another filter option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Using another filter option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Optimizing search execution efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Lesson 3 Using grouping to investigate events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Grouping events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Grouping events by low-level category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Grouping events by protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Removing grouping criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Viewing a range of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Lesson 4 Saving a search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Monitoring the offending host (1 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Monitoring the offending host (2 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Monitoring the offending host (3 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Saving search criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Event list using the saved search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Lesson 5 Modifying saved searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
About Quick Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Using alternative methods to create and edit searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

Finding and loading a saved search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Search actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148

Unit 6 Using Asset Profiles to Investigate Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Lesson 1 Asset profiles overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Definition asset profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
About asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Data sources for asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Identity information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Lesson 2 Investigating asset profile details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Navigating from an IP address to an asset profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Assets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Asset summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Network Interface Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Display additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Lesson 3 Navigating the Assets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Locating asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Filtering asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Searching asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Server Discovery and VA Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Unit 7 Investigating an Offense Triggered by Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Lesson 1 Flows overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Definition flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
About flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Creating flows from network activity information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Network Activity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Network specific properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Grouping flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Lesson 2 Using summary information to investigate an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Offense parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Top 5 Source and Destination IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Top 5 Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Top 5 Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Last 10 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Last 10 Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Lesson 3 Navigating flow details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Base information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Source and destination information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Layer 7 payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

© Copyright IBM Corp. 2017 vi


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Contents

Uempty
Additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Lesson 4 False positives overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Preventing false positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
False positive flow or event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Lesson 5 Investigating superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
About superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Superflow source and destination information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Superflow additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200

Unit 8 Using Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Lesson 1 Rules overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Definition rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Testing for indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Finding the rules that fired for an event or flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Finding the rules that triggered an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Navigating to rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Navigating to rules (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Navigating to rules (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Lesson 2 Using rule definitions during an investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Rule Wizard demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Rule Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Rule tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Custom rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Building blocks and function tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Function tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Partial match . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Custom rule and building block types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Lesson 3 Custom rule actions and responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Rule actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Based on the index, the Magistrate maintains offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Rule response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Rule response (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Adding and removing property values to and from reference sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Lesson 4 Using rules as search parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Searching offenses by contributing rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Searching events and flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Disabled custom rules and unused building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Lesson 5 Anomaly detection rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
About anomaly detection rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Navigating to anomaly detection rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Threshold rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Anomaly rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Behavioral rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

Unit 9 Using the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Lesson 1 Network Hierarchy overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Purpose Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Navigating to the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Predefined Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Crown jewels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Tree structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
CIDR ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
About the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Lesson 2 Using networks in investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Network of an IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Filtering by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Grouping by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Offenses overview by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Networks of Source and Destination IP addresses in Offense Summary . . . . . . . . . . . . . . . . . . . . . . . .254
Networks in the Offense Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Lesson 3 Using Flow Bias and Direction in Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Flow Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Flow Bias (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Flow Direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Flow Bias and Direction difference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Lesson 4 Using the Network Hierarchy in rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Rule test conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Tagging by custom rules and building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265

Unit 10 Index and Aggregated Data Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Lesson 1 Using the Index Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Instructor demonstration of the Index management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Index Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Index information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Lesson 2 Using the Aggregated Data Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Instructor demonstration of the Aggregated data management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Aggregated Data Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Enable or disable a view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Aggregated view of report data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Aggregated view of time series data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Aggregated view of ADE rules data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Lesson 3 Gathering index statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Instructor demonstration of the index management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Creating a custom event property and using it in a search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Analyze the Search and Index metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284

Unit 11 Using Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Lesson 1 Navigating the Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Instructor demonstration of the Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Adding a saved search as a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Adding a saved search as a dashboard item (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Adding a saved search as a dashboard item (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Enabling a search to be used as a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Lesson 2 Customizing a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Configuring dashboard items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Select what to display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Select how to display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Lesson 3 Utilize time-series charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Enabling time-series data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Investigating data trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Details one-minute time interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Zooming in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Focusing on less prevalent data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Resetting the zoom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Navigating to activity tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Activity tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309

Unit 12 Creating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Lesson 1 Navigating the Reports tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Reporting introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Reporting demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Reports tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Finding a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Running a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Selecting the generated report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Viewing a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Lesson 2 Creating a report template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Reporting demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Creating a new report template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Choosing a schedule and data time range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Time series data for report generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Choosing a layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Selecting the type of the top chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Configuring the top chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Configuring the top chart (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328

Selecting the type of the bottom chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Configuring the bottom chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Layout preview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Choosing a format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Distributing the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Adding a description and assigning to groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Verifying the report summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Viewing the generated report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Best practices when creating reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Student exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

Unit 13 Using Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Lesson 1 Filters overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Filters overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Filters introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Using Filters demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
Source and Destination IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Lesson 2 Filtering events and flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Continents, countries, and regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Associated With Offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Payload Matches Regular Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Payload Contains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Event Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Lesson 3 Filtering events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
Log Source (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Log Source Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Event Is Unparsed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
AccountID Custom Event Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Lesson 4 Filtering flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Flow Source and Flow Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
TCP Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
DSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
ICMP Type/Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Data Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Applications using nonstandard port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367

Unit 14 Using the Ariel Query Language (AQL) for Advanced Searches. . . . . . . . . . . . . . . . . . . 368
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Lesson 1 Describe the basics of AQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Ariel Query Language overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
AQL query flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Structure of an AQL query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373

SELECT statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Examples for SELECT statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
WHERE clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Examples of WHERE clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
GROUP BY clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Examples of GROUP BY clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
HAVING clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Examples of HAVING clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
ORDER BY clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Examples of ORDER BY clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Single or Double quotation marks in AQL queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Instructor demonstration of advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Lesson 2 Build AQL queries in advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Build AQL queries from the QRadar GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Prepare the search window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Instructor demonstration of advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392

Unit 15 Analyzing a Real-World Large-Scale Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
About Target Corporation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
The situation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Phases of the intrusion kill chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Kill chain timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Kill chain timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Kill chain timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
First trigger - already compromised . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
More alerts - no linkage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
DOJ notification - 40 million records gone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Continued breaches undetected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Missed opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Potential improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410

Appendix A A real-world scenario introduction to IBM QRadar SIEM . . . . . . . . . . . . . . . . . . . . . 411


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Anatomy of an attack - Lions at the watering hole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Anatomy of an attack - Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Anatomy of an attack - Vulnerable hosts were infected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Anatomy of an attack - Host response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Anatomy of an attack - The risk of delaying a response to an attack . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Apply Big Data to Security Intelligence and threat management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
A dynamic, integrated system to help detect and stop advanced threats . . . . . . . . . . . . . . . . . . . . . . . .420
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421

© Copyright IBM Corp. 2017 xi


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Appendix B IBM QRadar architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Lesson 1 QRadar functional architecture and deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Functional solution requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
An integrated, unified architecture in a single console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Identifying suspected attacks and policy violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Providing functional context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Network flow analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Extensible functional architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Cognitive Analytics: Revolutionizing how security analysts work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Open Ecosystem and Collaboration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Deep Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
Scalable appliance/software/virtual architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
Deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Lesson 2 QRadar SIEM component architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
High-level component architecture and data stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Flow collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Flows per minute (FPM) burst handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Application detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
Superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
Event collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Autodiscovery of log sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Log source parsing uses QID mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456
Events per second (EPS) burst handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
Event processor architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Custom Rules Engine (CRE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461
Accumulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Console architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Offense management by the Magistrate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
New asset and service detection by Vulnerability Information Server . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Anomaly Detection Engine rule types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469
Dissecting the flow of a captured event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470
Dissecting the flow of a captured event (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471
Dissecting the flow of a captured event (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Dissecting the flow of a captured event (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477

About this course

IBM QRadar SIEM Foundations

© Copyright IBM Corporation 2017



IBM QRadar SIEM provides deep visibility into network, user, and application activity. It provides
collection, normalization, correlation, and secure storage of events, flows, asset profiles, and
vulnerabilities. QRadar SIEM classifies suspected attacks and policy violations as offenses.

In this 3-day instructor-led course, you learn how to perform the following tasks:
• Describe how QRadar SIEM collects data to detect suspicious activities
• Describe the QRadar SIEM component architecture and data flows
• Navigate the user interface
• Investigate suspected attacks and policy violations
• Search, filter, group, and analyze security data
• Investigate events and flows
• Investigate asset profiles
• Describe the purpose of the network hierarchy
• Determine how rules test incoming data and create offenses
• Use index and aggregated data management
• Navigate and customize dashboards and dashboard items
• Create customized reports
• Use filters
• Use AQL for advanced searches
• Analyze a real world scenario

Extensive lab exercises give students insight into the routine work of an IT Security Analyst
operating the IBM QRadar SIEM platform. The exercises cover the following topics:
• Using the QRadar SIEM user interface
• Investigating an Offense triggered by events
• Investigating the events of an offense
• Investigating an offense that is triggered by flows
• Using rules
• Using the Network Hierarchy
• Index and Aggregated Data Management
• Using dashboards
• Creating reports
• Using AQL for advanced searches
• Analyze a real-world large-scale attack

The lab environment for this course uses the IBM QRadar SIEM 7.3 platform with a QRadar SIEM
server and a Linux-based client that provides web-based access to the QRadar SIEM server.

Details
Delivery method: Classroom or instructor-led online (ILO)
Course level: ERC 1.2 (this course is a new course)
Product and version: IBM QRadar SIEM 7.3
Skill level: Basic

Audience
This course is designed for security analysts, security technical architects, offense managers,
network administrators, and system administrators using QRadar SIEM.

Prerequisites
Before taking this course, make sure that you have the following skills:
• IT infrastructure
• IT security fundamentals
• Linux
• Windows
• TCP/IP networking
• Syslog

Course agenda and description
The course contains the following units:
1. Introduction to IBM QRadar
Every organization must consider a Security Intelligence solution at the center of their overall IT
Security strategy because too many IT security related point solutions, and the ever growing
sophistication of the attackers, demand a consolidation and analysis of events and network
traffic in a close to real-time manner.
This introduction covers the overall IBM QRadar ecosystem and shows how it is anchored at
the center of an overall security immune system.

2. IBM QRadar SIEM component architecture and data flows


Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning
how the central Security Intelligence components are designed to take in and process log
events and flow data, you will be better equipped to holistically work as a Security Analyst.
In this unit we start at the functional architecture level and explain how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at
this modular design, its extensibility and deployment pattern, we closely examine the
component architecture so that the analyst understands how data is ingested and processed.
When the analysts later examine bits and pieces of a larger security incident investigation, this
architectural understanding can substantially enhance their capability for detailed and fast
analysis.

3. Using the QRadar SIEM User Interface


The user interface of QRadar SIEM is your workbench for gaining visibility into your environment
from a security perspective. This lesson teaches you how to operate the interface, such as
pausing and refreshing the displayed data, changing your password, and accessing help.

4. Investigating an Offense Triggered by Events


QRadar SIEM correlates events and flows into an offense if it assumes suspicious activity. This
unit teaches you how to investigate the information that is contained in an offense.

5. Investigating the Events of an Offense


The investigation of an offense usually leads to the investigation of the events that contributed
to the offense. This unit teaches you how to find, filter, and group events in order to gain critical
insights about the offense. You also learn how to create and edit a search that monitors the
events of suspicious hosts.

6. Using Asset Profiles to Investigate Offenses

QRadar SIEM stores security-relevant information about systems in your network in asset
profiles. This unit teaches you how asset profiles are created and updated, and how to use
them as part of an offense investigation.

7. Investigating an Offense Triggered by Flows


QRadar SIEM correlates flows into an offense if it determines suspicious network activities. This
unit teaches you how to investigate the flows that contribute to an offense. You also learn how
to create and tune false positives and investigate superflows.

8. Using Rules
Rules and building blocks test and correlate incoming events, flows, and offenses in QRadar
SIEM for indicators of an attack or policy violation. Building blocks are used as variables in
other rules or reports. Unlike building blocks, rules can perform an action or response if they
evaluate to true. This unit teaches you the significance of rules and building blocks, and how to
locate and understand their tests, actions and responses.

9. Using the Network Hierarchy


The Network Hierarchy reflects your environment from a security perspective. This unit teaches
you the significance of the Network Hierarchy and the many ways that QRadar SIEM uses and
displays its information.

10. Index and Aggregated Data Management


Searches leverage indexes and data aggregation. This unit teaches you about indexes and
aggregated data.

11. Using Dashboards


QRadar SIEM displays the Dashboard tab after you have signed in. Items on a dashboard
display information about activities in your network. The items enable you to focus on specific
areas of interest. You can customize and add new items and dashboards. This unit teaches you
how to navigate and customize the Dashboard tab.

12. Creating Reports


Reports condense data to statistical views on your environment for various purposes, in
particular to meet compliance requirements. This unit teaches you how to generate a report
using a predefined template and create a report template.

13. Using Filters


Filters limit a search result to the data that meets the conditions of the applied filters. Use filters
to look for specific activities or to view your environment from various angles. This unit teaches
you about some of the many available filters.

14. Using the Ariel Query Language (AQL) for Advanced Searches
Ariel Query Language (AQL) queries can retrieve stored data more flexibly than interactively
built searches. This unit teaches you how to build and use AQL queries.

15. Analyzing a Real-World Large-Scale Attack

This unit evaluates a large-scale advanced persistent attack against a US retailer. You will
evaluate how a properly implemented Security Intelligence solution could have helped to fend
off the attackers.
This unit is based on the “Kill Chain” Analysis of the 2013 Target Data Breach study by the
Committee On Commerce, Science and Transportation, which is available at the following URL:

16. A real-world scenario introduction to IBM QRadar SIEM


In this appendix you can study a real-world attack scenario to explain the following details:

17. IBM QRadar architecture


Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning
how the central Security Intelligence components are designed to take in and process log
events and flow data, you will be better equipped to holistically work as a Security Analyst.
In this unit we start at the functional architecture level and explain how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at
this modular design, its extensibility and deployment pattern, we closely examine the
component architecture so that the analyst understands how data is ingested and processed.
When the analysts later examine bits and pieces of a larger security incident investigation, this
architectural understanding can substantially enhance their capability for detailed and fast
analysis.

Unit 1 Introduction to IBM QRadar


Every organization must consider a Security Intelligence solution at the center of their overall IT
Security strategy because too many IT security related point solutions, and the ever growing
sophistication of the attackers, demand a consolidation and analysis of events and network traffic in
a close to real-time manner.

This introduction covers the overall IBM QRadar ecosystem and shows how it is anchored at the
center of an overall security immune system.

Note: You can expand this deck by utilizing the Appendix Unit
“BQ103_A1_Introduction_Real_World_Scenario”, which walks you through a real world attack
scenario explaining the attack vectors and how a Security Intelligence solution could have stopped
this attack from being successful.


Objectives
In this unit, you learn to perform the following tasks:
• Describe why we need Security Intelligence and a security immune system
• Describe the QRadar ecosystem

Introduction to IBM QRadar © Copyright IBM Corporation 2017


Lesson 1 The security immune system and why we need Security Intelligence

It is important to understand today’s IT security drivers that every organization is confronted with.
The problem is not only rooted in the large amount of attacks, but in the immense diversity in how
an individual attack can be carried out.

Let us investigate the following details:
• Today’s security drivers
• Number and diversity of attacks
• How to consolidate your security intelligence
• The IBM Security Immune System


Today’s security drivers

Slide graphic: Advanced attacks, Innovation, Skills gap, Human error, Compliance.

Every organization today is facing similar challenges when it comes to IT security. IT solutions need
to be easy to use and access, but securing data assets and network access is paramount for
almost every industry. Let us look at some of the most prevalent drivers.
• Advanced Attacks
Cybercrime will become a $2.1 trillion problem by 2019 [1]. It takes companies an average
of 229 days to detect advanced persistent threats [2].
Sources:
[1] Juniper Research:
https://www.juniperresearch.com/researchstore/innovation-disruption/cybercrime-security/enterprise-threats-mitigation
[2] Ponemon Study:
https://www.ponemon.org/blog/new-ponemon-study-on-malware-detection-prevention-released
• Human error
More than half of data breaches are caused by insiders, including employees, third-party
contractors, and partners. Insider attacks happen across all industries and are caused by both
inadvertent actors and malicious insiders. The financial services industry was hit hard in 2016
and experienced a greater percentage (58%) of insider attacks versus outsider attacks (42%).
Note: 53% inadvertent actors and 5% malicious insiders.

Source: IBM X-Force Threat Intelligence Report – 2017:
https://www.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325
• Innovation
Cloud, mobile, and IoT create unprecedented risks to organizations. 44% of security leaders
expect a major cloud provider to suffer a significant security breach in the future. 33% of
organizations do not even test their mobile apps. Cisco estimates that by 2020, there will be
50 billion devices connected.
Sources:
https://www.ibm.com/press/us/en/pressrelease/45326.wss
https://securityintelligence.com/mobile-insecurity/
http://blogs.cisco.com/diversity/the-internet-of-things-infographic
• Compliance
Organizations are adapting to a threat-aware, risk-based approach instead of a compliance-based,
box-checking approach. The General Data Protection Regulation (GDPR) is a new data protection
framework that takes effect across Europe starting May 2018. GDPR does not just impact European
companies: any organization that stores, accesses, processes, or uses EU residents’ personal
data is subject to the regulation. Fines for violations have the potential to reach the billions for
large, global companies, anywhere from 2 to 4 percent of a company’s gross revenue.
Source:
https://securityintelligence.com/prepared-for-the-general-data-protection-regulation-gdpr-top-10-findings-from-hurwitz-associates-survey/
• Skills gap
The shortage in skilled cyber security professionals is growing, with the projected talent gap
reaching 1.8 million jobs by 2022. This skills shortage has left many companies stuck: A recent
report from ISACA found that 55% of organizations reported that open cyber positions take at
least three months to fill, while 32% said they take six months or more. And, 27% of US
companies said they are unable to fill cyber security positions at all.
Source:
http://www.techrepublic.com/article/4-tips-to-help-your-business-recruit-and-keep-cybersecurity-pros/

Attackers break through conventional safeguards every day


2014 2015 2016
1+ Billion records Unprecedented Impact 4+ Billion records

average time to identify data breach average cost of a U.S. data breach

201 days $7M


Source: IBM X-Force Threat Intelligence Index - 2017

Introduction to IBM QRadar © Copyright IBM Corporation 2017

Attackers break through conventional safeguards every day

Today’s threats continue to rise in numbers and scale as sophisticated attackers break through
conventional safeguards every day.

Organized criminals, hacktivists, governments and adversaries are compelled by financial gain,
politics, and notoriety to attack your most valuable assets. Their operations are well-funded and
business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their
methods are extremely targeted ‒ they use social media and other entry points to track down
people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile,
negligent employees inadvertently put the business at risk via human error. Even worse, security
investments of the past can fail to protect against these new classes of attacks. The result is more
severe security breaches happening more and more frequently.

In fact, according to the latest IBM X-Force Threat Intelligence Report, the number of leaked
data records has grown to more than 4 billion, and the variety of attacks has expanded with it.

Note: The size of the circle indicates the estimated relative impact.

Cyber criminals’ targets are now bigger and their rewards greater as they fine-tune their efforts to
obtain and leverage higher-value data than in years past.

The demand for leaked data is trending toward higher-value records such as health-related
personally identifiable information (PII) and other highly sensitive data, with less emphasis on the

emails, passwords, and even credit card data that were the targets of years past. This PII can be
used for social engineering to gain access to valuable financial targets.

You see this in both the breach trends and the evolution of malware to target high value bank
accounts.

Source: IBM X-Force Threat Intelligence Report – 2017:
https://securityintelligence.com/media/ibm-x-force-threat-intelligence-index-2017/

According to a recent Ponemon study, 201 days is the average time it takes companies to identify a
data breach, and it costs U.S. organizations an average of $7 million per data breach.

Source: Key findings from the 2017 Cost of Data Breach Study: Global Analysis
https://ibm.biz/BdjqHG


How do I get started when all I see is chaos?


Threat and anomaly detection Virtual patching Indicators of compromise
Cognitive security
Network visibility and segmentation
Data access control
Incident response Data monitoring
Sandboxing
Access management
Content security Application security management

IP reputation
Threat sharing Firewalls Endpoint patching
and management
Criminal detection
Network forensics and threat management
Entitlements and roles
Privileged identity management
Malware protection Fraud protection Vulnerability management

Workload Threat hunting and investigation Transaction protection Endpoint detection


protection and response

Identity management
Cloud access
Application scanning Device management User behavior analysis security broker

Introduction to IBM QRadar © Copyright IBM Corporation 2017

How do I get started when all I see is chaos?

Let us first set the stage of what the average IT security environment looks like. This is a snapshot
of just some of the capabilities CISOs already have in their arsenal. They have been acquiring
these different and scattered technologies over the years to address the many challenges that their
complex environments face. The average enterprise has 85 tools from 45 vendors.

Once you start a conversation with them, you will hear them say, “Oh yeah, we have got that…”
That is fine, but are these tools INTEGRATED? Are they working together across multiple teams,
locations, and platforms? Or are they just creating more complexity, risk, and cost, and as a result
causing the organization to lose visibility into its network?

How can a CISO, or frankly any security professional, gain any valuable insight and control over
their security environments when all they see is this type of scattered chaos in the technologies
they themselves are already using?

Hint: If you want to examine a typical cyber attack that depicts some of these challenges, you can
now load and study Appendix 1: BQ103_A1_Introduction_Real_World_Scenario.pptx. Once
you’re done, you can resume your studies here.


An integrated and intelligent security immune system


Indicators of compromise
IP reputation Threat sharing
Endpoint detection
and response Network forensics and threat management
Endpoint patching Firewalls
and management Sandboxing
Malware protection Virtual patching
Network visibility and segmentation

Threat and anomaly detection User behavior analysis

Transaction protection Vulnerability management Incident response Fraud protection


Device management Criminal detection
Content security Cognitive security Threat hunting and investigation

Data monitoring Privileged identity management


Data access control Entitlements and roles
Application scanning Access management
Cloud access Workload Identity management
Application security management security broker protection

Introduction to IBM QRadar © Copyright IBM Corporation 2017

An integrated and intelligent security immune system

We encourage organizations to think about their security imperatives in a more organized fashion;
structured around logical domains, and centered around a core discipline of security analytics. This
core is enabled by cognitive intelligence that continuously understands, reasons, and learns the
many variables that are affecting their environments and feeds the entire ecosystem of connected
capabilities.

This is where the immune system metaphor comes into play. Imagine the different organs as your
layers of defense, all working together to automate policies and block threats. Much like when you
get sick, these are the organs that recognize the threat and send data up through your central
nervous system (security analytics), which creates white blood cells and antibodies to gather
information, prioritize, and take action. This is what is called the “Immune Response”.

And this is only part of the story. The system is not fully integrated until it is also integrated with
the extended partner ecosystem: integration that enables collaboration across companies, and even
competitors, to understand global threats and data and to adapt to new threats.

Integration can help increase visibility. Notice how capabilities organize around their domains. You
will start to get an idea of how this immune system works. Like a body fighting a virus, there are
different parts of a security portfolio working at once.


IBM security immune system portfolio


Figure (slide graphic): the IBM security immune system portfolio, organized into three domains.
Products shown: App Exchange, X-Force Exchange, BigFix, QRadar Network Security (XGS), QRadar Incident Forensics,
QRadar SIEM, QRadar User Behavior Analytics, QRadar Vulnerability / Risk Manager, QRadar Advisor with Watson,
Resilient Incident Response, i2 Enterprise Insight Analysis, Trusteer Pinpoint, Trusteer Mobile, Trusteer Rapport,
MaaS360, Guardium, Identity Governance and Access, Key Manager, Privileged Identity Manager, AppScan,
Cloud Identity Service, zSecure, Cloud Security.
Domains: SECURITY OPERATIONS AND RESPONSE; INFORMATION RISK AND PROTECTION;
SECURITY TRANSFORMATION SERVICES (Management consulting | Systems integration | Managed security).

IBM security immune system portfolio

IBM offers a rich portfolio of products and services that are organized into three domains that
uniquely address client needs.

Note: This slide uses animation as explained below.

• First is the Security Operations and Response domain that helps organizations orchestrate their
defenses throughout the attack lifecycle.
• The second is the Information Risk and Protection domain that helps organizations protect their
most critical information and risks.
• And the third is the Security Transformation Services which help organizations transform their
security program. All of the IBM Security offerings are backed by an extensive business partner
ecosystem which consists of industry-leading technology, sales and service partners.

Security Operations and Response

These are the key offerings:


• IBM X-Force Exchange: Automatically update incident artifacts with threat intelligence
• IBM App Exchange: Quickly defend your organization with apps and add-ons
• IBM BigFix: Find, fix, and secure endpoint threats and vulnerabilities
• IBM QRadar Network Security (XGS): Prevent network exploits and limit malware
communications
• IBM QRadar Security Intelligence: Use advanced analytics to discover and eliminate threats
• IBM Resilient Incident Response Platform: Generate response playbooks and coordinate
activity
• IBM QRadar User Behavior Analytics: Helps detect insider threat and risks
• IBM Security Services: Deliver operations consulting to help implement processes and
response experts when something goes wrong

Information Risk and Protection

These are the key offerings:


• IBM Cloud Security: Delivering new investments to help secure innovation to and from the cloud
• IBM MaaS360: Mobile productivity and enterprise security without compromise
• IBM Identity Governance and Access Management: Govern and enforce context-based access
to critical assets
• IBM Guardium: Protect crown jewels across the enterprise and cloud
• IBM AppScan: Scan and remediate vulnerabilities in modern applications
• IBM Trusteer: Stop financial and phishing fraud, and account takeovers
• IBM Security Services: Deliver governance, risk and compliance consulting, systems
integration and managed security services

Security Transformation Services

• Security Strategy, Risk and Compliance: Automate governance, risk and compliance programs
• Security Intelligence and Operations: Build security operations and security fusion centers
• Cyber Security Assessment and Response: Establish robust security testing and incident
management programs
• Identity Governance and Management: Modernize identity and access management for the
cloud and mobile era
• Data and Application Security: Deploy robust critical data protection programs
• Infrastructure and Endpoint Security: Redefine infrastructure and endpoint solutions with secure
software-defined networks

Lesson 2 The QRadar Ecosystem


This lesson explains how Security Intelligence works and how IBM defines it. Because the overall
goal is to detect, or even prevent, any vulnerability exploit, we examine the exploit timeline and
how IBM QRadar solutions can help.


Best practices: Intelligent detection


1 Predict and prioritize security weaknesses
  – Gather threat intelligence information
  – Manage vulnerabilities and risks
  – Augment vulnerability scan data with context for optimized prioritization
  – Manage device configurations (firewalls, switches, routers, IPS/IDS)

2 Detect deviations to identify malicious activity
  – Establish baseline behaviors
  – Monitor and investigate anomalies
  – Monitor network flows

3 React in real time to exploits
  – Correlate logs, events, network flows, identities, assets, vulnerabilities, and configurations, and add context
  – Use automated and cognitive solutions to make data actionable by existing staff

Best practices: Intelligent detection

To recap, the cost of cyber attacks is increasing, threats are escalating and becoming more
complex, perimeter defenses are no longer sufficient, and new techniques like flow analysis,
anomaly detection, and vulnerability management are needed. That statement defines the problem,
and offers some capabilities that can help, but exactly what can you do about it? What are the best
practices that you should follow?
• The first best practice is proactive in nature. Identify, predict, and prioritize your security
weaknesses so you can take actions to prevent a breach. Use resources such as X-Force and
the US National Vulnerability Database (https://nvd.nist.gov/) to gather threat information,
address vulnerabilities and risks based on priorities, add network context, and manage device
configurations to improve security. You could improve security, for example, by removing
ineffective firewall rules and adding new rules that are more effective.
• Use tools that can detect unusual behavior for follow-up. Deploy solutions that can find network
anomalies and provide visibility to network flows for the reasons mentioned earlier.
• Use Security Intelligence solutions that use integrations, automation, and context to provide a
complete view of what is happening in your network. Automation is key so that you can utilize
existing staff more efficiently, and reduce the large amount of collected data into a small number
of events that can be acted upon by existing personnel.
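The second best practice, establishing a baseline and flagging deviations from it, can be illustrated with a small added example. The code below is not part of the course and is not QRadar's own anomaly-detection logic; it assumes a constructed history of daily outbound traffic per host (the values, host names, and the 14-day window are all made up for the illustration) and scores today's value against each host's mean and standard deviation. It also shows the failure mode a practitioner has to handle: a host with too little history has no trustworthy baseline yet and is reported as still learning rather than as normal.

```python
"""Added example: per-host behavioral baseline with z-score anomaly detection.
Not QRadar code; a generic illustration of the 'establish baselines, monitor
anomalies' practice on constructed sample data."""
from statistics import mean, pstdev

# Constructed sample history (not real measurements): outbound traffic per host,
# one value per day for the last 14 days, in megabytes.
HISTORY = {
    "db-01":  [120, 118, 125, 122, 119, 121, 124, 120, 123, 118, 122, 121, 119, 120],
    "web-03": [450, 470, 430, 460, 455, 445, 480, 440, 465, 450, 470, 460, 455, 445],
    "new-07": [30, 32],   # only two days of history: the baseline is not yet reliable
}

# Constructed values observed today for the same hosts.
TODAY = {"db-01": 910, "web-03": 475, "new-07": 900}


def baseline(samples, min_samples=7):
    """Return (mean, population stdev) for a host, or None if there is too little
    history to trust the numbers. Scoring against a two-day baseline would produce
    noise, so such hosts stay in a 'learning' state instead."""
    if len(samples) < min_samples:
        return None
    return mean(samples), pstdev(samples)


def detect_anomalies(history=HISTORY, today=TODAY, zscore_threshold=3.0, min_samples=7):
    """Compare each host's value for today against its own baseline.

    status is 'anomaly' when the value lies more than zscore_threshold standard
    deviations above the host's mean, 'normal' otherwise, and 'learning' when the
    host has fewer than min_samples days of history."""
    results = {}
    for host, value in today.items():
        b = baseline(history.get(host, []), min_samples)
        if b is None:
            results[host] = {"status": "learning", "value": value, "zscore": None}
            continue
        mu, sigma = b
        sigma = max(sigma, 1e-9)          # guard against a perfectly flat baseline
        z = (value - mu) / sigma
        results[host] = {
            "status": "anomaly" if z > zscore_threshold else "normal",
            "value": value,
            "baseline_mean": round(mu, 1),
            "zscore": round(z, 1),
        }
    return results


if __name__ == "__main__":
    for host, r in detect_anomalies().items():
        print(host, r)
```

Only upward deviations are flagged here because the question asked is "is this host sending far more than it usually does"; a drop to zero (a log source that went silent, for instance) is a different signal and would need its own rule. The threshold of three standard deviations and the seven-day minimum are assumptions chosen for the example, not values taken from QRadar.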


What is Security Intelligence

Security Intelligence, noun: The real-time collection, normalization, and analytics of the data
generated by users, applications, and infrastructure that impacts the IT security and risk posture of
an enterprise.

Security Intelligence provides actionable and comprehensive insight for managing risks and threats
from protection and detection through remediation.

What is Security Intelligence

Several years ago, IBM introduced the term Security Intelligence to describe the value that
organizations can gain from their security data by treating and analyzing security information in
much the same way they do the outputs produced from other business functions, such as
marketing.

This term is being used more and more by customers, vendors, and industry experts, but they do
not seem to be describing the same concept. To avoid confusion, IBM’s definition is stated on the
slide. The goal of Security Intelligence is to provide actionable and comprehensive insight that
reduces risk and operational effort for any organization, regardless of its size.

Data collected and warehoused by security intelligence solutions includes logs, events, network
flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations
and external threat data.

Security Intelligence provides analytics to answer fundamental questions that cover the full
“before-during-and-after” timeline of risk and threat management.


Ask the right questions – The exploit timeline


Questions along the timeline: What are the major risks and vulnerabilities? Are we configured to
protect against advanced threats? What security incidents are happening right now? What was the
impact to the organization?

Timeline: Vulnerability, Pre-Exploit, Exploit, Post-Exploit, Remediation

PREDICTION / PREVENTION PHASE (QRadar Vulnerability Manager, QRadar Risk Manager)
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit

REACTION / REMEDIATION PHASE (QRadar SIEM, QRadar Incident Forensics)
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation, reducing time to find the root cause; use results to drive faster remediation

Ask the right questions – The exploit timeline

Securing today’s businesses and public organizations requires a new approach. Everyone needs to
gain insights across the entire security event timeline.

The IBM Security Intelligence solution helps customers react and respond to exploits as they occur
in a network. IBM solutions that help to model risk, evaluate configurations, and prioritize
vulnerabilities also provide much-needed value to customers as they seek to predict and prevent
incidents in the first place.

To IBM, Security Intelligence can be characterized in two ways. First, Security Intelligence is the
result of advanced analytics. It is the wisdom gained from reviewing every available bit of data and
normalizing, correlating, indexing, and pivoting it to discover the dozen things your team needs to
investigate as soon as possible. Alternatively, Security Intelligence characterizes the iterative
process of eliminating false positive results by continuously tuning the system analytics and rules to
remove an increasing number of interesting but nonthreatening incidents.

Adding QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Incident Forensics
modules to the core Security Information and Event Management (SIEM) engine improves
accuracy and provides context throughout the entire security event timeline, from detection and
protection through investigation and remediation. Working together, these solutions can help you
both reduce exposures and recognize attacks as early as possible.


IBM QRadar Vulnerability Manager

Scan, assess, and remediate vulnerabilities

• Contains an embedded, well-proven, scalable, analyst-recognized vulnerability detection engine
that detects more than 70,000 vulnerabilities
• Integrates into the QRadar ecosystem
• Is present on all QRadar event and flow collector and processor appliances (QRadar 7.2 and up)
as well as QRadar data nodes (QRadar 7.2.8 and up)
• Integrates with endpoint management (IBM BigFix), web application security (IBM AppScan),
database security (IBM Guardium), and network management (IBM Security SiteProtector)
• Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and FW
• Uses QFlow to report whether a vulnerable application is active
• Presents a prioritized list of vulnerabilities you should deal with as soon as possible

IBM QRadar Vulnerability Manager

QRadar Vulnerability Manager proactively discovers network device and application security
vulnerabilities, adds context, and supports the prioritization of remediation and mitigation activities.
It is fully integrated with the QRadar Security Intelligence platform, and enriches the results of both
scheduled and dynamic vulnerability scans with network asset information, security configurations,
flow data, logs, and threat intelligence to manage vulnerabilities and achieve compliance.

QRadar Vulnerability Manager helps you develop an optimized plan for addressing security
exposures. Unlike stand-alone tools, the solution integrates vulnerability information to help
security teams gain the visibility they need to work more efficiently and reduce costs. It is part of the
QRadar SIEM architecture. It can be quickly activated with a licensing key and requires no new
hardware or software appliances.

IBM QRadar Vulnerability Manager provides the following capabilities:


• Helps prevent security breaches by discovering and highlighting over 70,000 known dangerous
default settings, misconfigurations, software features, and vendor flaws.
• Provides a consolidated vulnerability view across major vulnerability products and technologies.
• Adds context to identify key vulnerabilities and reduce false positives.
• Integrates with IBM QRadar Security Intelligence Platform for easy installation, faster time to
value, and reduced deployment cost.
• Performs intelligent, customizable scheduled and event-driven scanning, asset discovery, and
asset profiling for 360-degree, enterprise wide visibility to your network.


IBM QRadar Risk Manager

Scan, assess, and remediate risks

• Network topology model based on security device configurations enables visualization of actual
and potential network traffic patterns
• Policy engine correlates network topology, asset vulnerabilities and configuration, and actual
network traffic to quantify and prioritize risk, enabling risk-prioritized remediation and
compliance checking, alerting, and reporting
• Centralizes network security device configuration data and discovers configuration errors;
monitors firewall rule activity
• Models threat propagation and simulates network topology changes

Figure (slide graphic) labels: Asset risk quantification, Remediation prioritization, Network
topology, Policy and compliance monitoring, Threat simulations

IBM QRadar Risk Manager

QRadar Risk Manager provides three key areas of value that build on top of the QRadar SIEM
value proposition:
• Network topology visualization and path analysis
• Network device optimization and configuration monitoring
• Improved compliance monitoring and reporting

A key area to emphasize is the ability of the product to risk-prioritize vulnerable machines based on
network reachability, and to provide detailed device configuration information that can be used to
quickly shut down network paths that attackers may use to exploit vulnerabilities. This matters
because many vulnerabilities either cannot be rapidly remediated, due to change windows or
technological limitations, or have no remediation at all, because many vulnerabilities never receive
patches. In either case, the ability to rapidly pinpoint the precise firewall rules that enable the
attack path is key.


IBM QRadar SIEM

Web-based command console for Security Intelligence
• Delivers actionable insight, focusing security teams on high-probability incidents
  – Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities
• Detects and tracks malicious activity over extended time periods, helping uncover advanced
threats often missed by other solutions
  – Consolidates “big data” security incidents within a purpose-built, federated database repository
• Provides anomaly detection to complement existing perimeter defenses
  – Calculates identity and application baseline profiles to assess abnormal conditions automatically
• Provides deep visibility into network, user, and application activity
• Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use

Optimized threat analysis (slide sidebar): a global enterprise with a dedicated SOC team; a daily
volume of 2,000,000,000 events and flows is analyzed to find ~25 potential offenses to investigate.

IBM QRadar SIEM

QRadar SIEM consolidates log source event data from thousands of device endpoints and
applications distributed throughout a network. It performs immediate normalization and correlation
activities on raw data to distinguish real threats from false positives. As an option, this software
incorporates IBM X-Force Threat Intelligence, which supplies a list of potentially malicious IP
addresses including malware hosts, spam sources, and other threats. QRadar SIEM can also
correlate system vulnerabilities with event and network data, helping to prioritize security incidents.

IBM QRadar SIEM provides the following capabilities:


• Provides near real-time visibility for threat detection and prioritization, delivering surveillance
throughout the entire IT infrastructure
• Reduces and prioritizes alerts to focus investigations on an actionable list of suspected
incidents
• Enables more effective threat management while producing detailed data access and user
activity reports
• Delivers security intelligence in cloud environments
• Produces detailed data access and user activity reports to help manage compliance
• Offers multi-tenancy and a master console to help Managed Service Providers provide security
intelligence solutions in a cost-effective manner


IBM QRadar Incident Forensics

Intuitive investigation of security incidents
• Reduces incident investigation periods from days or hours to minutes
  – Employs Internet search engine technology to close security team skill gaps
• Compiles evidence against malicious entities breaching secure systems and deleting or stealing
sensitive data
  – Creates rich “digital impression” visualizations of related content
• Helps determine root cause of successful breaches to prevent or reduce recurrences
  – Adds full packet captures to complement SIEM security data collection and analytics

Slide sidebar: Incident Forensics wins the race against time

IBM QRadar Incident Forensics

QRadar Incident Forensics allows you to retrace the step-by-step actions of a potential attacker,
and quickly and easily conduct an in-depth forensics investigation of suspected malicious network
security incidents. It reduces the time it takes security teams to investigate offense records, in many
cases from days to hours, or even minutes. It can also help you remediate a network security
breach and prevent it from happening again.

The solution offers an optional QRadar Packet Capture appliance to store and manage data used
by QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any
number of these appliances can be installed as a tap on a network or subnetwork to collect the raw
packet data.

QRadar Incident Forensics provides the following capabilities:


• Retraces the step-by-step actions of cyber criminals to provide deep insights into the impact of
intrusions and help prevent their reoccurrence
• Reconstructs raw network data related to a security incident back into its original form for a
greater understanding of the event
• Integrates with IBM QRadar Security Intelligence Platform and offers compatibility with many
third-party packet capture offerings


QRadar embedded intelligence offers automated offense identification

Figure (slide graphic): data sources feed the QRadar embedded intelligence, which turns suspected
incidents into prioritized incidents.
• Data sources: security devices, servers and mainframes, network and virtual activity, data
activity, application activity, configuration information, vulnerabilities and threats, users and
identities, global threat intelligence
• Correlation: logs/events, flows, IP reputation, geographic location
• Activity baselining and anomaly detection: user activity, database activity, application activity,
network activity
• Offense identification: credibility, severity, relevance
• Secure archive
• Output: suspected incidents, then prioritized incidents

QRadar embedded intelligence offers automated offense identification

Harness security-relevant information from across the organization. Use real-time big data
analytics to provide context to help detect threats faster, identify vulnerabilities, prioritize risk, and
automate compliance activities.

For security threat management, the key challenge is to reduce millions of logs to actionable
intelligence that identifies key threats. Traditional first-generation SIEM systems achieve this by
leveraging correlation, for example, “five failed logins followed by a successful login,” to identify
suspected security incidents. Event correlation is a very important tool, but it is not enough.

There are two problems. First, consider a 100k to 1 reduction ratio of events to correlated incidents.
On the surface, this sounds impressive, but for companies generating 2 billion events per day (and
you do not need to be a massive company to do that), it will leave that company’s security team
with 20,000 incidents per day to investigate. Traditional SIEM correlation cannot get the data
reduced enough and of course Log Managers cannot even get a 10,000 to 1 reduction ratio.
Secondly, an exclusive reliance on event correlation assumes that the criminals will not figure out
ways to disable or bypass logging infrastructure. However, that is practically their entire focus and
you cannot correlate logs that are not there. This limitation results in missed threats or a very poor
understanding of the impact of a breach.
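The two mechanisms named so far, normalization (the "collection, normalization, and analytics" of the Security Intelligence definition) and rules-based correlation (the "five failed logins followed by a successful login" rule above), can be shown together in one small added example. The code below is not from the course and is not how QRadar's DSMs or rule engine are implemented; it is a generic illustration. It assumes two constructed log formats (an sshd-style message and a Windows-style key=value message using the real logon event IDs 4624 and 4625), parses them into one common schema, and then applies the classic rule with a time window so that failures that are too old do not count. The sample IP addresses are from documentation ranges and all log lines are made up.

```python
"""Added example: normalize two raw log formats to one schema, then correlate
'N failed logins followed by a success' per (user, source IP) inside a window.
Not QRadar code; constructed sample input only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not real logs). Two sources, two formats.
RAW_LOGS = [
    # sshd-style: five failures then a success from the same address -> offense
    "2017-12-01T10:00:01 sshd: Failed password for alice from 203.0.113.7 port 51001 ssh2",
    "2017-12-01T10:00:03 sshd: Failed password for alice from 203.0.113.7 port 51002 ssh2",
    "2017-12-01T10:00:05 sshd: Failed password for alice from 203.0.113.7 port 51003 ssh2",
    "2017-12-01T10:00:07 sshd: Failed password for alice from 203.0.113.7 port 51004 ssh2",
    "2017-12-01T10:00:09 sshd: Failed password for alice from 203.0.113.7 port 51005 ssh2",
    "2017-12-01T10:00:12 sshd: Accepted password for alice from 203.0.113.7 port 51006 ssh2",
    # a line no parser understands: must be skipped, not crash the pipeline
    "2017-12-01T10:00:00 cron: job started",
    # one typo by a legitimate user: must not produce an offense
    "2017-12-01T10:05:00 sshd: Failed password for carol from 192.0.2.20 port 40000 ssh2",
    "2017-12-01T10:05:04 sshd: Accepted password for carol from 192.0.2.20 port 40001 ssh2",
    # Windows-style key=value (EventID 4625 = failed logon, 4624 = successful logon)
    "2017-12-01T11:30:00 winlog: EventID=4625 TargetUserName=bob IpAddress=198.51.100.9",
    "2017-12-01T11:30:02 winlog: EventID=4625 TargetUserName=bob IpAddress=198.51.100.9",
    "2017-12-01T11:30:04 winlog: EventID=4625 TargetUserName=bob IpAddress=198.51.100.9",
    "2017-12-01T11:30:06 winlog: EventID=4625 TargetUserName=bob IpAddress=198.51.100.9",
    "2017-12-01T11:30:08 winlog: EventID=4625 TargetUserName=bob IpAddress=198.51.100.9",
    "2017-12-01T11:30:10 winlog: EventID=4625 TargetUserName=bob IpAddress=198.51.100.9",
    "2017-12-01T11:30:15 winlog: EventID=4624 TargetUserName=bob IpAddress=198.51.100.9",
    # five failures, but the success comes 20 minutes later: outside the window
    "2017-12-01T12:00:00 winlog: EventID=4625 TargetUserName=dave IpAddress=198.51.100.33",
    "2017-12-01T12:00:02 winlog: EventID=4625 TargetUserName=dave IpAddress=198.51.100.33",
    "2017-12-01T12:00:04 winlog: EventID=4625 TargetUserName=dave IpAddress=198.51.100.33",
    "2017-12-01T12:00:06 winlog: EventID=4625 TargetUserName=dave IpAddress=198.51.100.33",
    "2017-12-01T12:00:08 winlog: EventID=4625 TargetUserName=dave IpAddress=198.51.100.33",
    "2017-12-01T12:20:00 winlog: EventID=4624 TargetUserName=dave IpAddress=198.51.100.33",
]

# Assumed formats for the two constructed sources.
SSHD_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port")
WIN_RE = re.compile(r"^(\S+) winlog: EventID=(4624|4625) TargetUserName=(\S+) IpAddress=(\S+)")


def normalize(line):
    """Map one raw line to the common schema; return None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        ts, verdict, user, ip = m.groups()
        outcome = "success" if verdict == "Accepted" else "failure"
        return {"time": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
                "outcome": outcome, "source": "sshd"}
    m = WIN_RE.match(line)
    if m:
        ts, event_id, user, ip = m.groups()
        outcome = "success" if event_id == "4624" else "failure"
        return {"time": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
                "outcome": outcome, "source": "winlog"}
    return None


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Rule: at least `threshold` failures for one (user, src_ip) within `window`,
    followed by a success for that same pair, yields one suspected incident."""
    recent_failures = defaultdict(deque)   # (user, src_ip) -> failure timestamps
    offenses = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src_ip"])
        q = recent_failures[key]
        while q and ev["time"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["time"])
        elif len(q) >= threshold:
            offenses.append({"user": ev["user"], "src_ip": ev["src_ip"],
                             "failures": len(q), "success_at": ev["time"].isoformat()})
            q.clear()   # one offense per burst, not one per later success
    return offenses


def run(raw_lines=RAW_LOGS):
    """Normalize every line, drop what could not be parsed, then correlate."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    parsed, found = run()
    print(f"{len(parsed)} normalized events -> {len(found)} suspected incidents")
    for o in found:
        print(o)
```

Twenty-two raw lines become two suspected incidents, which is the reduction the text describes, and the dave case shows why a window matters: without it, stale failures from a different session would keep accumulating. It also shows the limit the text goes on to state: the rule sees only what was logged, so a source whose logging is disabled contributes nothing to the queue.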

QRadar vastly expands the capabilities of traditional SIEM systems by incorporating new analytics
techniques and broader intelligence. Unlike any other SIEM system in the market today, QRadar
captures all activity on the network for assets, users, and attackers before, during, and after an
exploit and analyzes all suspected incidents in this context. New analytical techniques such as
behavioral analysis are applied. QRadar notifies analysts about offenses, where an offense is a
correlated set of incidents with all of the essential, associated network, asset, vulnerability, and
identity context. By adding business and historical context to suspected incidents and applying new
analytic techniques, massive data reduction is realized and threats otherwise missed will be
detected.

IBM delivers real-time correlation and anomaly detection across a distributed and scalable
repository of security information to enable more accurate security monitoring and better visibility
for any organization, small or large.


QRadar embedded intelligence directs focus for investigations

Figure (slide graphic): suspected incidents, prioritized by the embedded intelligence, lead to
directed forensics investigations.
• Reduce time to resolution through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent recurrences

QRadar embedded intelligence directs focus for investigations

QRadar has the forensic ability to use collected data to recover the details that are critical to a much
deeper and faster investigation.


Benefits of IBM Security Intelligence approach using QRadar

• Threat and Anomaly Protection
• Vulnerability and Risk Management
• Incident Forensics and Response
• User Behavior Analytics
• Compliance Reporting
• Cognitive Security

Benefits of IBM Security Intelligence approach using QRadar

The Security Operations Center team has a complex job to do – finding and stopping advanced
threats before they do damage and/or steal valuable assets. IBM offers an entire integrated
platform of capabilities that work together to provide the broadest visibility of any platform on the
market – and QRadar is at the center of attention.

Holistic IT security management and integration with infrastructure and processes


• Use tools and solutions that know how to communicate with each other
• Integrate with centralized vulnerability and risk management
• Provide out of the box compliance reporting

Proactive Threat and Anomaly Protection


• Detect and counteract the threat before the actual exploit
• Employ powerful User Behavior Analytics
• Use threat information and threat research from IBM’s X-Force team

Network flow analysis and forensics


• Collect data that no attacker can obfuscate (network flow) and store application data for more
detailed forensic investigations

Cognitive Security
• Automated analysis of security incidents and anomalies powered by Watson for Cyber Security
to help transform security operations
• Powerful cognitive analytics that help security teams address skills shortages, alert overloads,
incident response delays, currency of security information and process risks


Summary
Now you should be able to perform the following tasks:
• Describe why we need Security Intelligence and a security immune system
• Describe the QRadar ecosystem

Unit 2 IBM QRadar SIEM component
architecture and data flows


Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning how
the central Security Intelligence components are designed to take in and process log events and
flow data, you will be better equipped to holistically work as a Security Analyst.

In this unit we start at the functional architecture level and explain how IBM QRadar was designed
as a modular Security Intelligence solution from the ground up. After taking a look at this modular
design, its extensibility and deployment pattern, we closely examine the component architecture so
that the analyst understands how data is ingested and processed. When the analysts later examine
bits and pieces of a larger security incident investigation, this architectural understanding can
substantially enhance their capability for detailed and fast analysis.


Objectives
In this unit, you learn to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture

Component architecture and data flows © Copyright IBM Corporation 2017

Lesson 1 QRadar functional architecture and
deployment models


This lesson explains the QRadar functional architecture and deployment models. It shows how
IBM QRadar was designed as a modular Security Intelligence solution from the ground up.


Functional solution requirements


• IT Log Management
Collect and securely archive log event and network flow records for forensic analysis
• IT Regulatory Compliance
– Collect and securely archive log records for audit and compliance
– Generate reports required by internal or external regulations to successfully pass compliance audits
• IT Internal monitoring
Frequently collect, correlate, and analyze data to alert on security policy violations
• Threat detection
Analyze event log and network flow data to detect and alert on IT security risk management related
issues

In order to describe the functional components of the IBM QRadar solution you need to understand
the basic functional requirements for an overall SIEM solution.

The first requirement addresses IT log management for forensic analysis. The archived event and
network flow records are used to analyze incidents and gather evidence. The data must be
collected and stored reliably in its original format to stand up as evidence in a court of law or to be
used for compliance reporting. Also, the data must be archived for several years and it must be
searchable.

To fulfill the compliance audit requirement, the archived data is used to prove that relevant audit
information has been collected and securely stored. Furthermore, the data must be used to create
reports required by the regulation, and the regulatory compliance reports must be stored for a
period of time.

The next requirement addresses IT internal monitoring to alert on security policy violations. This in
itself requires an organizational IT Security Policy that defines appropriate use of the IT
environment. High risk offenses to the policy must be identified and reported upon, and offenses
must be managed. IT usage that is not in compliance with the policy must be reported upon.

The most prevalent requirement today, however, revolves around IT security risk management for
the overall organization. All of the previously described functional requirements apply here as well.
In addition, an extensive knowledge of the IT environment, and the threats to which it is exposed, is
required. To perform anomaly detection it is also necessary to understand data patterns within the
captured events and network flows.

An integrated, unified architecture in a single console

The QRadar console is the central interface for all analyst related tasks. It provides a number of
tabs that allow insight into different views of the collected and correlated data.

No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console, with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.
• Dashboard
The Dashboard tab allows an organization to define many different views into the collected and
processed data. QRadar provides many predefined dashboards, but you can create and
maintain your own.
• Offenses
Use the Offenses tab to view all the offenses that occur on your network and complete the
following tasks:
– Investigate offenses, source and destination IP addresses, network behaviors, and
anomalies on your network
– Correlate events and flows that are sourced from multiple networks to the same destination
IP address
– Go to the various pages of the Offenses tab to investigate event and flow details
– Determine the unique events that caused an offense
• Log Activity

The Log Activity tab displays event information as records from a log source, such as a firewall
or router device. Use the Log Activity tab to do the following tasks:
– Investigate event data
– Investigate event logs that are sent to QRadar SIEM in real time
– Search events
– Monitor log activity by using configurable time-series charts
– Identify false positives to tune QRadar SIEM
• Network Activity
If the content capture option is enabled, the Network Activity tab displays information about
how network traffic is communicated and what was communicated. Here, you can do the
following tasks:
– Investigate the flows that are sent to QRadar SIEM in real time
– Search network flows
– Monitor network activity by using configurable time-series charts
• Assets
QRadar automatically creates asset profiles by using passive flow data and vulnerability data to
discover your network servers and hosts.
Asset profiles provide information about each known asset in your network, including the
services that are running. Asset profile information is used for correlation purposes, which helps
to reduce false positives.
Use the Assets tab to do the following tasks:
– Search for assets
– View all the learned assets
– View identity information for learned assets
– Tune false positive vulnerabilities
• Reports

© Copyright IBM Corp. 2017 32


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 2 IBM QRadar SIEM component architecture and data flows
Lesson 1 QRadar functional architecture and deployment models

Uempty
Report templates are grouped into report types, such as compliance, device, executive, and
network reports. Use the Reports tab to complete the following tasks:
– Create, distribute, and manage reports for QRadar SIEM data
– Create customized reports for operational and executive use
– Combine security and network information into a single report
– Use or edit preinstalled report templates
– Brand your reports with customized logos. Branding is beneficial for distributing reports to
different audiences
– Set a schedule for generating both custom and default reports
– Publish reports in various formats
• Vulnerabilities
If the QRadar Vulnerability Manager license has been deployed, you will see a Vulnerabilities
tab, which you can use for the following tasks:
– Create and manage Scan Policies and Scan Profiles
– Execute vulnerability scans for your deployed assets
– Create, distribute, and manage vulnerability reports for stakeholders
– Integrate with endpoint management systems to fix vulnerabilities
• Admin
The Admin tab provides all tools to manage and maintain the QRadar deployment. Analysts
typically do not have access to these tools.

The example in this screenshot depicts the integration of the QRadar console with QRadar
Vulnerability Manager on the Dashboard tab.

Designed to integrate Log Management, SIEM, Vulnerability and Risk Management, Incident
Forensics, and an extensible application framework into one solution, QRadar Security Intelligence
can deliver a large log management scale without any compromise on SIEM “Intelligence.”

As a QRadar analyst you can switch from log events, to network flows, to risk and compliance
policy reports and prioritized lists of network wide vulnerabilities, and complete analysis of incidents
after an offense has occurred. This allows an organization to reduce the time before an initial
breach is detected and avoid the actual exploit.

Identifying suspected attacks and policy violations


Figure: questions an analyst can answer from an offense record
• What was the attack?
• Is the attack credible?
• How valuable are the targets to the business?
• Where are they located?
• Who was responsible for the attack?
• What was stolen and where is the evidence?
• How many targeted assets are involved?
• Are any assets vulnerable?

IBM QRadar SIEM can analyze large amounts of data and uses context to transform it into useful,
actionable information as is depicted in this slide.

Here is what you can see as a security analyst when you begin to investigate an offense record that
was triggered by a correlation rule. You can quickly investigate the who, what, and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.

IBM QRadar SIEM provides strong event-management and analysis capabilities and is very
effective in detecting threats because it can leverage a broad range of data, analyze it, and apply
context from an extensive range of sources. This helps to reduce false positives, report on actual
exploits, and show what kind of activity is taking place. This can result in faster threat detection and
response.

QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context
in which systems are operating. That context includes security and network device logs,
vulnerabilities, configuration data, network traffic telemetry, application events and activities, user
identities, assets, geolocation, and application content. This activity generates a staggering amount
of data, which makes the automation in QRadar very important because it can correlate this large
amount of data down to a small number of actionable offenses.

QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.

QRadar uses intelligence, automation, and analytics to provide actionable security information
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, vulnerabilities, evidence for forensics, and so on.

Providing functional context


To enable security analysts to perform investigations, QRadar SIEM correlates information such as:
• Point in time
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics

The previous slide showed what a typical security analyst can see after QRadar SIEM analyzed
large amounts of data and used context to transform this data into useful, actionable information.

This slide provides an overview of where all this data comes from.
• Point in time
Everything that QRadar investigates needs to provide an exact point in time. This timestamp
allows QRadar to correlate the most complex relationships between disparate log sources and
network flows to present those as one connected event.
• Offending users
QRadar extracts user information wherever possible allowing an analyst to further investigate
individual users. QRadar also uses this information for user behavioral analytics.
• Origins
The origin represents the starting point for all QRadar correlation activity. The origin is captured
as an IP address.
• Targets
The target represents the final point for all QRadar correlation activity. The target is captured as
an IP address.
• Asset information
QRadar maintains a centralized asset database that is used to record a variety of details for
each asset that has been discovered. Assets can be discovered in two ways. Actively, by using
vulnerability scans with QRadar Vulnerability Manager, or passively through network flow
records. Asset data can also be imported by using other enterprise tools for asset management.
Details can include IP address, host name, running applications and services, as well as
vulnerabilities.
• Vulnerabilities
QRadar maintains a list of vulnerabilities for each asset. These can be discovered either by
using QRadar Vulnerability Manager or by any other third-party vulnerability management solution.
Asset related vulnerabilities are used for QRadar correlations and analytics, and they can
influence several factors throughout the incident management process.
• Known threats
QRadar is able to connect to external threat feeds, such as the IBM X-Force Exchange. This
threat information can also be used for QRadar correlations and analytics to influence the
incident management process.
• Behavioral analytics
Using some of the data mentioned above, in combination with other information collected across
the enterprise, QRadar can analyze user behavior and alert whenever abnormal activity has been
detected.
• Cognitive analytics
After all this data has been correlated, it is presented to the analysts in the QRadar Console. If a
particularly important threat is discovered, an analyst has to investigate it with the utmost
urgency. To support this task, QRadar now provides Cognitive Analytics. This capability
augments a security analyst's ability to identify and understand sophisticated threats by tapping
into unstructured data (such as blogs, websites, research papers) and correlating it with local
security offenses.
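The correlation idea described above and in the earlier "Identifying suspected attacks and policy violations" notes (an IDS exploit alert against a web server being validated by unusual outbound network activity, with asset and vulnerability context raising the priority) can be illustrated with a small model. The following is an added example written for this guide; it is not QRadar code, does not use QRadar's rule engine or Ariel, and all events, flows, assets and the vulnerability identifier are constructed sample data. The correlation keys used are exactly the ones the list names: point in time, origin IP, target IP, and asset information.

```python
"""Added illustration of SIEM-style correlation (not QRadar code): an IDS alert
against a web server is validated by unusual outbound network activity from the
same host within a short time window, and asset/vulnerability context raises the
magnitude. All records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:            # a normalized log event (e.g. from an IDS log source)
    time: datetime      # point in time
    source_ip: str      # origin
    dest_ip: str        # target
    category: str       # e.g. "Exploit"
    username: str = ""  # offending user, when the log source provides one

@dataclass
class Flow:             # a normalized network flow record
    time: datetime
    source_ip: str
    dest_ip: str
    dest_port: int
    bytes_out: int

@dataclass
class Asset:            # entry from the asset database
    ip: str
    hostname: str
    vulnerabilities: list = field(default_factory=list)

@dataclass
class Offense:
    target_ip: str
    reasons: list
    magnitude: int

def unusual_outbound(flows, host_ip, start, end, known_servers, threshold_bytes=1_000_000):
    """Flows where host_ip initiates a connection to a host outside its known
    server baseline, or sends more than threshold_bytes, within [start, end]."""
    return [f for f in flows
            if f.source_ip == host_ip and start <= f.time <= end
            and (f.dest_ip not in known_servers or f.bytes_out > threshold_bytes)]

def correlate(events, flows, assets, known_servers, window=timedelta(minutes=10)):
    """For every exploit-category event, look for unusual outbound flows from the
    targeted host inside the time window; build an offense only when found, so an
    unconfirmed IDS alert on its own does not become an offense. Known
    vulnerabilities on the target add to the magnitude."""
    offenses = []
    for ev in events:
        if ev.category != "Exploit":
            continue
        target = assets.get(ev.dest_ip)
        suspicious = unusual_outbound(flows, ev.dest_ip, ev.time, ev.time + window, known_servers)
        if not suspicious:
            continue   # not validated by network activity: likely a false positive
        reasons = [f"IDS exploit alert from {ev.source_ip} against {ev.dest_ip} at {ev.time:%H:%M:%S}"]
        magnitude = 5
        for f in suspicious:
            reasons.append(f"outbound flow {f.source_ip}->{f.dest_ip}:{f.dest_port} "
                           f"({f.bytes_out} bytes) at {f.time:%H:%M:%S}")
            magnitude += 1
        if target and target.vulnerabilities:
            reasons.append(f"target {target.hostname} has vulnerabilities: {', '.join(target.vulnerabilities)}")
            magnitude += 2
        offenses.append(Offense(ev.dest_ip, reasons, min(magnitude, 10)))
    return offenses

# Constructed sample data (hypothetical hosts; the vulnerability id is a placeholder).
T0 = datetime(2017, 12, 1, 9, 0, 0)
SAMPLE_ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", "web01", ["VULN-PLACEHOLDER-1"]),
    "10.0.0.9": Asset("10.0.0.9", "web02"),
}
KNOWN_SERVERS = {"10.0.0.53", "10.0.0.10"}   # baseline: the DNS and DB hosts the web tier talks to
SAMPLE_EVENTS = [
    Event(T0, "203.0.113.7", "10.0.0.5", "Exploit"),
    Event(T0 + timedelta(minutes=1), "203.0.113.8", "10.0.0.9", "Exploit"),
    Event(T0 + timedelta(minutes=2), "10.0.0.5", "10.0.0.10", "Authentication", "svc_web"),
]
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(minutes=3), "10.0.0.5", "10.0.0.53", 53, 200),            # normal DNS lookup
    Flow(T0 + timedelta(minutes=4), "10.0.0.5", "198.51.100.20", 443, 5_000_000), # new external peer, large upload
    Flow(T0 + timedelta(minutes=5), "10.0.0.9", "10.0.0.10", 5432, 4_000),        # normal DB traffic
]

def demo():
    """Run the correlation over the sample data; only web01 yields an offense."""
    return correlate(SAMPLE_EVENTS, SAMPLE_FLOWS, SAMPLE_ASSETS, KNOWN_SERVERS)

if __name__ == "__main__":
    for o in demo():
        print(o.target_ip, "magnitude", o.magnitude)
        for r in o.reasons:
            print("  -", r)
```

Note the two outcomes on the sample data: web02 received an alert but only talked to a baseline host afterwards, so no offense is raised for it, while web01's alert is followed by a large upload to a previously unseen external address and is also a host with a recorded vulnerability, so it surfaces as one offense with several reasons attached. That is the "many raw records down to a few actionable offenses" effect the notes describe.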

Network flow analytics


• Provides insight into raw network traffic
Attackers can interfere with logging to erase their tracks, but they cannot cut off the network (flow data)
• Allows deep packet inspection for Layer 7 flow data
Pivoting, drill-down, and data-mining activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems

While log events are critical, they can leave gaps in visibility. When attackers compromise an IT
system, they first turn off logging to obfuscate their tracks. Traditional SIEMs are blind at this point.
However, no attacker can disable the network, or they cut themselves off as well.

Network flow analytics in QRadar allows deep packet inspection for OSI Layer 7 flow data, which
can contain very helpful information for advanced forensics. Network flow information helps to
detect communication flow anomalies, zero-day attacks that have no signature yet, and provides
visibility into all attacker communications.

Using passive monitoring, flow analytics builds up an asset database and profiles your assets. For
example, an IT system that has responded to a connection on port 53 UDP is obviously a DNS
server. Another IT system that has accepted connections on ports 139 or 445 TCP is a Windows
server.

Adding application detection can confirm this not only at a port level, but the application data level
as well.
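The passive profiling rule in the paragraphs above (a host that answers on UDP 53 is treated as a DNS server, one that accepts TCP 139 or 445 as a Windows server) can be written out as a small classifier over flow records. This is an added example for this guide, not QRadar's asset profiler; the port-to-service table and the flow records are constructed, and the only design point worth noting is that a service is attributed to a host only when the host actually replied, so a probe to a closed port does not create a false service entry.

```python
"""Added illustration of passive asset profiling from flow records (not QRadar
code). A host that *responds* on a well-known server port is recorded as offering
that service; the port table and flow records are constructed for the example."""
from collections import defaultdict

# Hypothetical port-to-service table: the ports named in the lesson plus a few common ones.
SERVER_PORTS = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("tcp", 139): "Windows (NetBIOS session)",
    ("tcp", 445): "Windows (SMB)",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 22): "SSH",
}

def profile_assets(flows):
    """Build {ip: {services}} from flow records that carry byte counts in both
    directions. A service is attributed to dest_ip only when the destination
    actually replied (dest_bytes > 0): a SYN to a closed port or a scan gets no
    response and must not create a service entry. Unknown ports are ignored."""
    assets = defaultdict(set)
    for f in flows:
        if f["dest_bytes"] <= 0:
            continue
        service = SERVER_PORTS.get((f["proto"], f["dest_port"]))
        if service is None:
            continue
        assets[f["dest_ip"]].add(service)
    return dict(assets)

def classify(services):
    """Coarse host classification from the discovered service set."""
    if any(s.startswith("Windows") for s in services):
        return "Windows server"
    if "DNS" in services:
        return "DNS server"
    if services & {"HTTP", "HTTPS"}:
        return "Web server"
    return "unknown"

# Constructed sample flows: protocol, source/destination IP, destination port, bytes each direction.
SAMPLE_FLOWS = [
    {"proto": "udp", "src_ip": "10.1.1.20", "dest_ip": "10.1.1.53", "dest_port": 53,   "src_bytes": 70,   "dest_bytes": 130},
    {"proto": "tcp", "src_ip": "10.1.1.20", "dest_ip": "10.1.1.40", "dest_port": 445,  "src_bytes": 3000, "dest_bytes": 9000},
    {"proto": "tcp", "src_ip": "10.1.1.20", "dest_ip": "10.1.1.40", "dest_port": 139,  "src_bytes": 300,  "dest_bytes": 300},
    {"proto": "tcp", "src_ip": "10.1.1.20", "dest_ip": "10.1.1.80", "dest_port": 443,  "src_bytes": 900,  "dest_bytes": 15000},
    # a probe to a closed port: no reply, so nothing is learned about 10.1.1.80 on 445
    {"proto": "tcp", "src_ip": "10.1.1.99", "dest_ip": "10.1.1.80", "dest_port": 445,  "src_bytes": 60,   "dest_bytes": 0},
    # unknown high port: ignored by the port table
    {"proto": "tcp", "src_ip": "10.1.1.20", "dest_ip": "10.1.1.80", "dest_port": 8443, "src_bytes": 500,  "dest_bytes": 500},
]

def demo():
    """Profile the sample flows and classify every host that was learned."""
    profiles = profile_assets(SAMPLE_FLOWS)
    return {ip: (sorted(svcs), classify(svcs)) for ip, svcs in profiles.items()}

if __name__ == "__main__":
    for ip, (svcs, kind) in demo().items():
        print(ip, kind, svcs)
```

On the sample data three hosts are learned: a DNS server, a Windows server that answered on both 139 and 445, and a web server that answered on 443 only. The application-level confirmation the text mentions (checking that the payload on port 53 really is DNS) is the natural next step beyond this port-level classifier and is not part of the example.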

Source: To learn more about the OSI Layer model, see:
http://searchnetworking.techtarget.com/definition/OSI

Extensible functional architecture

Cognitive Analytics and Analysis
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts' knowledge and insights with QRadar Advisor with Watson

Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party products
• Open APIs allow for custom integrations and apps

Deep Threat Intelligence
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative portal and STIX / TAXII standards

The QRadar functional architecture is extensible by design. The framework allows you to add on
additional functionality as needed in an organization.

Security analysts today are increasingly overwhelmed by the amount of data that requires
investigation and by the mounting time pressure to act. Cognitive analytics augments your analysts'
knowledge and insights with QRadar Advisor with Watson. It speeds up analysis with visuals, query,
and auto-discovery across the platform, where you can inspect events, flows, users, and more, by
tapping into unstructured data (such as blogs, websites, research papers) and correlating it with
local security offenses.

QRadar provides open APIs to allow for custom integrations and applications, which can be found
at the IBM Security App Exchange. One example here is the User Behavior Analytics app, which is
available free of charge and provides early visibility to insider threats.

You can further extend the QRadar functionality with threat intelligence data and analytic functions
from the IBM X-Force Exchange and the IBM i2 Enterprise Insight Analysis solution.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at some of these extensions now.

Cognitive Analytics: Revolutionizing how security analysts work


• Natural language processing with security that understands, reasons, learns, and interacts

Figure caption: Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends results to the incident response team

The cognitive era is here. “Digital everything” means that technology’s number one job in business
now is handling and responding to data. Cognitive capabilities are being applied to security to
establish a relationship between machines and humans. The role of technology can now change
from enabler to advisor. We are ushering in this new era of cognitive security to out-think and
outpace threats with security that understands, reasons, and learns.

IBM Watson enables fast and accurate analysis of security threats, saving precious time and
resources. This empowers analysts to perform faster investigations and clear their backlog more
easily. It also helps to increase the investigative skills of individual analysts over time.

With the help of IBM Watson, security analysts will be able to spend less time on the mundane
tasks of manual and time consuming threat analysis, and more time being human.

Open Ecosystem and Collaboration


• Application extensions to enhance visibility and productivity

https://exchange.xforce.ibmcloud.com

Today’s attackers share tools. They collaborate in creating malware that is difficult to discover.

On the defensive side, organizations have to deal with a large number of siloed security solutions
from an equally large number of vendors. It is estimated that an average enterprise can have up to
85 security products from 40 vendors. With this mix, it is difficult to link the products together so
they can support each other.

To fill this gap, IBM has introduced the IBM Security App Exchange. The exchange is a marketplace
for the security community to create and share applications that integrate with IBM Security
solutions. The first offering in which customers, business partners, and other developers can build
custom apps is QRadar.

Releasing application programming interfaces (APIs) and software development kits for QRadar
fosters the integration with third-party technologies. This provides organizations with better visibility
into more types of data, and also offers new automated search and reporting functions that can
help security specialists focus on the most pressing threats.

The IBM Security App Exchange has a number of customized apps that extend security analytics
into areas like user behavior, endpoint data, and incident visualization.

Before releasing an app, IBM Security closely tests every application to ensure the integrity of
these community contributions.

In the future the App Exchange will offer the opportunity to produce apps for additional IBM Security
products.

Deep Threat Intelligence


• Crowd-sourced information sharing based on 700+TB of threat intelligence

https://exchange.xforce.ibmcloud.com

One element that the offensive side has mastered is collaboration. According to the United Nations
Office on Drugs and Crime, upwards of 80% of cybercrime acts are estimated to originate in some
form of organized activity. Cyber criminals have learned to collaborate. They share vulnerability,
targeting, and countermeasure information. They also share tools to ensure that their attacks can
be successful. Collaboration is a force multiplier for the hacking community. Organizations have
been using threat intelligence in an effort to stay abreast of the threats, but these efforts are limited.
To succeed requires much more information, shared among security professionals, researchers,
and practitioners.

IBM has built a collaboration platform called the X-Force Exchange to facilitate the collaboration that
allows organizations to have a much greater understanding of threats and actors. X-Force
Exchange is a cloud-based threat intelligence sharing platform that enables users to rapidly
research the latest global security threats, aggregate actionable intelligence, consult with experts,
and collaborate with peers. IBM X-Force Exchange provides timely, curated threat intelligence
insights, which add context to machine-generated data. The platform facilitates making
connections with industry peers to validate findings and research threat indicators.

Leveraging the open and powerful infrastructure of the cloud, users can collaborate and tap into
over 700 terabytes of information from multiple data sources. This includes one of the largest and
most complete catalogs of vulnerabilities in the world, threat information based on monitoring of
more than 15 billion security events per day, and malware threat intelligence from a network of
270 million endpoints. This threat information is based on over 25 billion web pages and images
and deep intelligence on more than 8 million spam and phishing attacks.

Source: https://exchange.xforce.ibmcloud.com

Scalable appliance/software/virtual architecture


SIEM
• Log, flow, vulnerability, and identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight and forensics
• Physical and virtual environments

Network Insights
• Configurable network traffic analysis for real time threat detection and long-term retrospective analysis

Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning and prioritization
• Predictive threat modeling and simulation

Scalability
• Event processors for remote sites
• High Availability and Disaster Recovery (HADR)
• Data node to increase storage and performance

Network Forensics (Incident Forensics)
• Reconstructs network sessions
• Data pivoting and visualization tools
• Accelerated clarity around who, what, and when

Security Intelligence can be delivered through a family of QRadar products.


• For many organizations, the starting point is to address the log management challenge, which
is why IBM offers a family of “log management only” appliances. These log management
appliances can be upgraded to full SIEM capability by configuring an additional license key.
• The full SIEM implementation provides integration of log management with threat, fraud,
network, and security intelligence. Network activity data, vulnerability assessment, and external
threat data are added as data sources along with sophisticated correlation and behavioral
analytics.
• For application layer visibility and forensic content capture, the QFlow and VFlow flow collectors
can be deployed in physical or virtual infrastructures. These appliances provide extensive
application-level surveillance of all activity at key locations.
• QRadar Network Insights can provide configurable network traffic analysis for real time threat
detection and long-term retrospective analysis to detect insider threats, data exfiltration and
malware activity.
• Risk and Vulnerability Management capabilities can be activated by configuring additional
license keys. Risk Manager also requires an additional dedicated appliance, while
Vulnerability Manager can be deployed on existing appliances. Risk Manager provides network
security configuration monitoring, while Vulnerability Manager focuses on vulnerability scanning
and prioritization. Together they can be used for predictive threat modeling and simulation.
• For some organizations, the full SIEM scale can be met with a single appliance; for others who
have higher scale, or remote collection and storage requirements, QRadar processors enable
massive deployments. This horizontal, stackable expansion supports a massive scale and
geographic distribution, while maintaining exactly the same user experience.
• Network Forensics appliances allow you to fully reconstruct network sessions that can provide
clarity around questions like “who”, “what”, and “when” in great detail.

Deployment models

Figure: appliance roles in the two deployment models
• All-in-One (2100/31XX)
• Console (31XX)
• Event Processor (16XX)
• Flow Processor (17XX)
• QFlow Collector (12XX/13XX)

All-in-One is a single appliance used to collect events and flow data from various security and
network devices, perform data correlation and rule matching, report on alerts and threats, and
provide all administrative functions through a web browser.

A Distributed deployment consists of multiple appliances for different purposes:
• Event Processor to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network
devices; optional QFlow Collector is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all
administrative functions

Based on the previously introduced functional requirements and the layout of an organization’s IT
infrastructure, different types of appliances are available to address different deployment models.
The selection depends on the amount of collected and processed events, data storage estimations,
high availability and disaster recovery requirements, organizational network topology, and other
factors.

An all-in-one deployment uses a single appliance to collect events and flow data from various
security and network devices, perform data correlation and rule matching, report on alerts and
threats, and provide all administrative functions through a web browser.

A distributed deployment consists of multiple appliances for different purposes. You can deploy
Event Collectors and Processors to collect, process, and store log events. Flow Collectors and
Processors are used to collect, process, and store several kinds of flow data generated from
network devices, and optionally, you can deploy QFlow Collectors to collect Layer 7 application
data. A Console is used to correlate data from managed processors, generate alerts and reports,
and provide all administrative functions.

The remainder of this course material does not look more closely at the exact appliance
configurations and models that are currently available.

© Copyright IBM Corp. 2017 45


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 2 IBM QRadar SIEM component architecture and data flows
Lesson 2 QRadar SIEM component architecture

Uempty
Lesson 2 QRadar SIEM component architecture

Lesson: QRadar SIEM component architecture


This lesson describes the high-level architecture of the major IBM QRadar SIEM components,
including the flow collector, event collector, event processor, and console. You also learn about the
flow of a captured event.


Architecture overview
• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console



High-level component architecture and data stores

[Diagram: Console services (User interface, Magistrate, Reporting) with the data stores Identities, Assets, Offenses, and Configuration; below it the Event processor with Flows, Events, and Accumulations; fed by the Flow collector (Network packet interface, sFlow, and 3rd party) and the Event collector (Events from log sources)]

• Flow and event data is stored in the Ariel database on the event processors
ƒ If accumulation is required, accumulated data is stored in Ariel accumulation data tables
ƒ As soon as data is stored, it cannot be changed (tamper proof)
ƒ Data can be selectively indexed
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
ƒ Provides one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported

High-level component architecture and data stores

Let us begin by looking at the high-level architecture one more time (we have already done this briefly on slide 5).

Events from individual log sources and network flow data are collected by the QRadar Event and Flow Collectors. Once the flow and event data is forwarded to the Event Processor, it is stored in the Ariel database on the Event Processor. If accumulation is required, the accumulated data is stored in Ariel accumulation data tables. To satisfy the tamper-proof storage requirements of compliance mandates, data cannot be changed once it is stored in the Ariel database. At any point in time, data can be selectively indexed to support specific search and report requirements.

Once the Event Processor is finished processing, the data is passed on to the QRadar Console,
where further consolidated processing occurs. Offenses, assets, identity, and configuration
information are stored in the master PostgreSQL database on the Console. There is one master
database with optional copies on each processor for backup and automatic restore.

Secure SSH communication between appliances in a distributed environment is supported.


Flow collector architecture

[Diagram: QFlow receives flow data packets and raw data packets (NetFlow, sFlow, NIC, and so on); stages in order: Aggregator (enforce license limit), Application Detection Module (appId = eventId), Flow reporting and routing (create superflows); output to the Event Processor every 60 seconds]

• A flow is a record of a conversation between two devices on a network
• Flow data packets are collected from a variety of network device vendors and directly from the network interface
• Collected flow data can update asset profiles with the ports and services that are running on each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address 127.0.0.4/5
• (Custom) applications are detected
• Superflows are created
• QFlow provides Layer 7 insights into the payload if it is unencrypted

Flow collector architecture

A network flow record provides information about a conversation between two devices using a
specific protocol, and can include fields that provide details about the conversation. Examples
include the source and destination IP addresses, the port, and other fields.

Flow data packets can be collected from a variety of network device vendors, and directly from the
network interface. Collected flow data can update asset profiles with the ports and services that are
running on each host. If a new host is detected through network flow data, a new asset is created in
the QRadar Asset database.

Next in line is the Aggregator. This component enforces the license limit for the Flow Collector,
which is measured in “flows per minute”, or FPM. If the license limit is exceeded, flows are
temporarily stored in an overflow buffer, which will be processed with the next set of flows. Every
log source protocol has an overflow buffer of 5 GB, and if the overflow buffer fills up, the additional
flows are dropped.

The Application Detection Module uses four methods of determining the application of the flow.
• The first is the User Defined method.
This method is mainly used when users have a proprietary application running on their network.
For example, all traffic going to host 10.100.100.42 on port 443 is recognized to be
MySpecialApplication.
• The second method uses State-based decoders.
This method is implemented by looking at the source code. It determines the application by
analyzing the payload for multiple markers, for example, if you see A followed by B, then
application = X; and if you see A followed by C, then application = Y.
• The next method uses Signature matching.
This method relies on basic string matching in the payload (see the Application Configuration
Guide for signature customization).
• The final method uses Port-based matching.
In this case, applications are matched based on their port use, for example, port 80 = http.

Finally, the flow data packets reach the Flow reporting and routing component. This component
is responsible for creating superflows. A superflow stores a single flow record together with the
collection of IP addresses it stands for, which makes flow processing faster and requires less
storage space. There are three types of superflows.
• Type A superflows contain a single source and multiple destination addresses with the same
destination port, byte count, and source flags or ICMP codes. An example for a type A
superflow is a network sweep.
• Type B superflows contain multiple source and a single destination address with the same
destination port, byte count, and source flags or ICMP codes. An example for a type B
superflow is a Distributed Denial of Service attack.
• Type C superflows contain a single source and destination address with changing source and
destination ports. An example for a type C superflow is a port scan.

Specific rule tests can leverage the flow type to determine if an offense needs to be created. The
creation of superflows can be disabled.
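As an added example that is not part of the course material, the following Python sketch collapses constructed flow records into type A, B and C superflows using exactly the attributes listed above; the record layout, the three-member cut-off and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One raw flow record (constructed layout, not QRadar's Ariel schema)."""
    src: str
    dst: str
    dst_port: int
    byte_count: int
    flags: str  # TCP flags set by the source, or an ICMP type/code string


@dataclass
class Superflow:
    kind: str         # "A", "B" or "C"
    anchor: tuple     # the attributes that all member flows share
    members: list     # the attribute that varies: destinations, sources or ports
    flow_count: int

    def label(self):
        # The activity each superflow type typically represents, per the course text.
        return {"A": "network sweep", "B": "distributed denial of service",
                "C": "port scan"}[self.kind]


def build_superflows(flows, min_members=3):
    """Collapse flows into superflows; returns (superflows, unaggregated flows).

    Type A: one source -> many destinations, same dst port, byte count and flags.
    Type B: many sources -> one destination, same dst port, byte count and flags.
    Type C: one source and destination, changing destination ports.
    min_members is an assumed cut-off below which flows are left as they are.
    """
    groups = {"A": defaultdict(list), "B": defaultdict(list), "C": defaultdict(list)}
    for idx, f in enumerate(flows):
        groups["A"][(f.src, f.dst_port, f.byte_count, f.flags)].append(idx)
        groups["B"][(f.dst, f.dst_port, f.byte_count, f.flags)].append(idx)
        groups["C"][(f.src, f.dst)].append(idx)

    varying = {"A": lambda f: f.dst, "B": lambda f: f.src, "C": lambda f: f.dst_port}
    superflows, consumed = [], set()
    for kind in ("A", "B", "C"):            # a flow joins at most one superflow
        for anchor, idxs in groups[kind].items():
            idxs = [i for i in idxs if i not in consumed]
            values = {varying[kind](flows[i]) for i in idxs}
            if len(values) < min_members:
                continue
            consumed.update(idxs)
            superflows.append(Superflow(kind, anchor, sorted(values), len(idxs)))
    remaining = [f for i, f in enumerate(flows) if i not in consumed]
    return superflows, remaining


# Constructed sample: an SMB sweep, a SYN flood against a web server, a port
# scan of one host, and one ordinary DNS lookup that should stay a single flow.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{n}", 445, 60, "S") for n in range(1, 7)]
    + [Flow(f"198.51.100.{n}", "10.0.0.80", 80, 40, "S") for n in range(1, 6)]
    + [Flow("10.0.0.9", "10.0.0.22", p, 60, "S") for p in (21, 22, 23, 25, 80, 443)]
    + [Flow("10.0.0.7", "10.0.0.53", 53, 120, "")]
)

if __name__ == "__main__":
    sfs, rest = build_superflows(SAMPLE_FLOWS)
    for s in sfs:
        print(f"type {s.kind} ({s.label()}): anchor={s.anchor}, "
              f"{len(s.members)} distinct values, {s.flow_count} flows")
    print(f"{len(rest)} flow(s) left unaggregated")
```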

Up to a configurable number of bytes, QFlow provides layer 7 insights into the payload if it is
unencrypted. Using a tap or span port, QFlow collects raw packets and places them into 60-second
chunks. QFlow can also receive layer 4 flows from other network devices in IPFIX/NetFlow, sFlow,
J-Flow, Packeteer, and Flowlog file accounting technologies.


Event collector architecture

[Diagram: Log Sources feed the Event collector; stages in order: Raw data packets received, Overflow filter (enforce license limit), Traffic Analysis (Log source detection), Device Support Module (DSM) with Parser threads and DSM normalization filter, Coalescing filter; output to the Event processor]

• Each event collector gathers events from local and remote sources
• EPS license is checked
• Log Sources are automatically discovered after record analysis in the Traffic Analysis module
• The event collector normalizes events and classifies them into low- and high-level categories
• Events are parsed by log source parser threads
• The event collector bundles identical events to conserve system usage through a process that is known as coalescing

Event collector architecture

Each Event Collector gathers events from local and remote log sources. Once the raw data packets
have been received, the license limit is checked first. On the Event Collector, this limit is measured
in Events per Second, or EPS. Events are temporarily stored in an overflow buffer if the EPS
license is exceeded, and those events are processed during the next cycle. Should the overflow
buffer fill up, the additional events are dropped, and a message is logged for the administrators.

Log Sources are automatically discovered after record analysis in the Traffic Analysis module. This
is an essential module for automating a successful evaluation or deployment, because it
categorizes traffic from devices that are unknown to the system. Log source detection creates a
new QRadar log source if detection is successful for an IP address. The Traffic Analysis module
only carries out detection on event protocols that are “pushed” to the Event Collector, for example,
syslog.

After the correct log source type has been detected, such as a Checkpoint Firewall, the individual
Device Support Modules begin to parse the events. First, the events are normalized: source-specific
data fields are mapped into QRadar terminology for further processing. The log source parser then
extracts the log source event ID from the log record and maps it to a QRadar Identifier, or QID,
which uniquely identifies that event type within QRadar. Each QID relates to a custom event name
and description, as well as severity and event category information. The event category
information is structured into High Level Categories (HLC) and Low Level Categories (LLC). Every
QID is linked to one of the low-level categories; for example, a valid category combination is
“Authentication” (the High Level Category) and “Admin Login Successful” (the Low Level Category).

Finally, the coalescing filter can optionally bundle identical events to conserve system usage before
handing the data off to the Event Processor.
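As an added example (not QRadar code), this Python model walks constructed syslog lines through the stages just described: a per-second EPS overflow filter with a bounded buffer, DSM-style normalization against a QID map that carries HLC and LLC, and coalescing of identical events. The QID numbers, the OpenSSH parsing pattern and the coalescing key are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed QID map keyed by log source event ID. The QID numbers and names
# are placeholders for illustration; they are not QRadar's real QID table.
QID_MAP = {
    "sshd:Accepted": {"qid": 900001, "name": "SSH Login Succeeded", "severity": 1,
                      "hlc": "Authentication", "llc": "Admin Login Successful"},
    "sshd:Failed": {"qid": 900002, "name": "SSH Login Failed", "severity": 3,
                    "hlc": "Authentication", "llc": "Admin Login Failure"},
}

# A minimal DSM-style parser for OpenSSH syslog records (assumed format).
SSH_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass
class OverflowFilter:
    """Enforces an EPS limit per one-second cycle with a bounded overflow buffer."""
    eps_limit: int
    buffer_size: int
    buffer: list = field(default_factory=list)
    dropped: int = 0
    notices: list = field(default_factory=list)

    def cycle(self, new_lines):
        # Events buffered in the previous cycle are processed first.
        pending = self.buffer + list(new_lines)
        accepted, rest = pending[:self.eps_limit], pending[self.eps_limit:]
        self.buffer = rest[:self.buffer_size]
        overflow = len(rest) - len(self.buffer)
        if overflow:
            self.dropped += overflow
            self.notices.append(f"EPS license exceeded, buffer full: dropped {overflow} event(s)")
        return accepted


def normalize(line):
    """Map a raw record to QRadar-style fields; unparsed records keep the raw payload."""
    m = SSH_RE.match(line)
    if not m:
        return {"qid": None, "hlc": "Unknown", "llc": "Unknown", "raw": line}
    rec = QID_MAP[f"sshd:{m['result']}"]
    return {"log_source": m["host"], "username": m["user"], "src_ip": m["src"], **rec}


def coalesce(events):
    """Bundle events that share QID, source IP and user name (simplified criteria)."""
    bundles = {}
    for e in events:
        key = (e["qid"], e["src_ip"], e["username"]) if e["qid"] else ("raw", id(e))
        if key in bundles:
            bundles[key]["count"] += 1
        else:
            bundles[key] = {**e, "count": 1}
    return list(bundles.values())


def run_collector(stream, eps_limit=3, buffer_size=1):
    """stream: per-second batches of raw lines. Returns (coalesced events, filter)."""
    flt = OverflowFilter(eps_limit, buffer_size)
    accepted = []
    for batch in list(stream) + [[], []]:   # two idle cycles drain the buffer
        accepted.extend(flt.cycle(batch))
    return coalesce(normalize(line) for line in accepted), flt


# Constructed input: five records in second 0 (over the EPS limit of 3), two in second 1.
SAMPLE_STREAM = [
    [
        "Jan 10 12:00:00 host1 sshd[100]: Failed password for root from 10.0.0.5 port 50001 ssh2",
        "Jan 10 12:00:00 host1 sshd[101]: Failed password for root from 10.0.0.5 port 50002 ssh2",
        "Jan 10 12:00:00 host1 sshd[102]: Failed password for root from 10.0.0.5 port 50003 ssh2",
        "Jan 10 12:00:00 host1 sshd[103]: Accepted password for root from 10.0.0.5 port 50004 ssh2",
        "Jan 10 12:00:00 host1 cron[7]: (root) CMD (run-parts /etc/cron.hourly)",
    ],
    [
        "Jan 10 12:00:01 host1 sshd[104]: Failed password for alice from 10.0.0.6 port 50005 ssh2",
        "Jan 10 12:00:01 host1 sshd[105]: Failed password for alice from 10.0.0.6 port 50006 ssh2",
    ],
]

if __name__ == "__main__":
    bundles, flt = run_collector(SAMPLE_STREAM)
    for b in bundles:
        print(f"{b['hlc']}/{b['llc']} x{b['count']} from {b.get('src_ip')}")
    print(flt.notices)
```

With an EPS limit of 3 and a one-event buffer, the cron record in second 0 is the one that overflows and is dropped with a logged notice.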


Event processor architecture

[Diagram: Event or flow sources received from other Event Processors, Event collectors, and Flow collectors; stages in order: Overflow filter (enforce license limit), Custom Rules Engine (CRE), Event storage filter (Events, Flows), Host profiler, Exit filter; the Accumulator writes Accumulations; outputs go to the Magistrate, the Anomaly Detection Engine, and a New host or port event]

• EPS license is checked and enforced
• Every single event and flow is tested against all enabled rules in the rules engine
• New offenses can be triggered and sent to the Magistrate (see Console)
• Events and flows are stored in the events or flows Ariel database
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database (see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database

Event processor architecture

The Event Processor can receive event and flow data from Event and Flow Collectors as well as
from other Event Processors that may be distributed throughout the organization's IT deployment.
First, the Overflow Filter enforces the license in the same way as on the collectors.

Next, the Custom Rule Engine, or CRE, tests every single event or flow against all enabled rules.
Matched rules can have responses or results. For example, a matched rule might trigger the
creation of an offense, or create a new CRE event that triggers the creation of an offense. However,
actual offenses are not created here at the Event Processor, but rather at the Console.

It is possible that multiple matched events, flows, and matched rules might correlate into a single
offense. On the other hand, a single event or flow can also be correlated into multiple offenses.

By default, rules are tested against events or flows received by a single event processor (local
rules). The Exit Filter sends on any events or flows that have been marked for further processing by
the Magistrate component on the Console.

Every event and flow is then sent on to the Event Storage Filter, where they are stored in the events
or flows Ariel database.

If a new port or host is detected at this time, an asset profile needs to be updated or created in the
PostgreSQL database. The Host Profiler, or Host Profiling Filter, sends the collected information
about the new host to the Console, so that a new asset can be created or updated.

Finally, if an analyst has defined any searches to collect and investigate specific sets of data,
event and flow records are accumulated every minute and stored in the accumulator Ariel
database. These accumulations create time-series statistical metadata that is used for Dashboards,
event and flow forensics and searching, reporting, and the Anomaly Detection Engine on the
Console. Accumulated time intervals can be defined as 1 minute, 1 hour, and 1 day. The
Accumulator is a distributed component that operates on each Event Processor.


Console architecture

[Diagram: Console receives Event Sources from the EPs; stages: Overflow filter (enforce license limit), Custom rule engine, Magistrate (Offenses); alongside them the Ariel Proxy Server, the Vulnerability Information Server (Assets), and the Anomaly Detection Engine; each Event processor below holds an Ariel Query Server, Host profiler, Exit Filter, and Accumulators]

• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then brought to the analyst’s attention in the interface
• The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that triggered the creation of an offense
• The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets based on information from the EPs
• The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are then used for offense evaluation

Console architecture

The Console receives data from the deployed Event Processors for further analysis by the
Magistrate component, which creates and stores offenses in the PostgreSQL database. These
offenses are then brought to the analyst’s attention in the user interface. The Magistrate instructs
the Ariel Proxy Server to gather information about all related events and flows that triggered the
creation of an offense. The collected data is then available for further investigation by the analyst.

If data is collected from multiple Event Processors, the Console’s Custom Rules Engine can utilize
Global Cross Correlation to test rules on data from all deployed Event Processors. This helps to
locate more complex attacks, which can span across the overall IT infrastructure and are not
confined to being detected by a single Event Processor.

The Vulnerability Information Server (VIS) creates new assets, or adds open ports or discovered
services to existing assets, based on information from the Host Profiler on the Event Processors.
This happens when hosts, services, or vulnerabilities that cannot be mapped to existing assets are
discovered.

The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which
are then used for offense evaluation. There are three categories of Anomaly Detection Rule types.
• The Threshold rule examines a numeric range, such as greater than, less than, or a particular
range. This rule can help detect the bandwidth of an application, the number of users connected
to a VPN, or a large and unusual outbound data transfer.
• The Anomaly rule looks at a change in short term when comparing against a longer time frame.
This can help to locate new service activity or a change in the bandwidth volume on a specific
link.
• The Behavioral rule can detect changes from the same time yesterday or last week. This
includes mail traffic, for example, the increase on external SMTP server traffic, which could be a
relay. This rule can also be used for regular IT services, such as backup monitoring, where the
rule would trigger if a backup failed.
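As an added example that is not part of the course material, the three rule types above are implemented in Python over constructed hourly accumulations: outbound SMTP volume, link utilisation, and a nightly backup completion counter. The window sizes and deviation percentages are assumptions, not QRadar's defaults.

```python
from statistics import mean


def threshold_rule(series, low=None, high=None):
    """Threshold: fire on every interval whose value leaves the range [low, high]."""
    return [i for i, v in enumerate(series)
            if (low is not None and v < low) or (high is not None and v > high)]


def anomaly_rule(series, short=2, long=12, deviation_pct=50):
    """Anomaly: fire when the mean of the last `short` intervals deviates from the
    mean of the `long` intervals before them by more than deviation_pct percent."""
    hits = []
    for end in range(long + short, len(series) + 1):
        baseline = mean(series[end - long - short:end - short])
        recent = mean(series[end - short:end])
        if baseline > 0 and abs(recent - baseline) / baseline * 100 > deviation_pct:
            hits.append(end - 1)
    return hits


def behavioral_rule(series, season, deviation_pct=50, min_baseline=1):
    """Behavioral: compare each interval with the same interval one `season` ago
    (24 hourly buckets = yesterday, 168 = last week). Intervals whose earlier
    value is below min_baseline are skipped so a zero baseline cannot fire."""
    hits = []
    for i in range(season, len(series)):
        prior = series[i - season]
        if prior >= min_baseline and abs(series[i] - prior) / prior * 100 > deviation_pct:
            hits.append(i)
    return hits


# Constructed hourly accumulations over two days (index = hours since start).
def _day(quiet, busy):
    return [quiet] * 9 + [busy] * 9 + [quiet] * 6      # 09:00 to 17:59 is busy

SMTP_OUT_MB = _day(10, 100) + _day(10, 100)
SMTP_OUT_MB[44] = 200                 # day 2, 20:00: unusual night-time outbound SMTP
LINK_MBPS = [100] * 33 + [300, 320]   # a link whose utilisation jumps at the end
BACKUP_OK = [0] * 48                  # 1 = nightly backup completed at 02:00
BACKUP_OK[2] = 1                      # day 1 succeeded; day 2 (index 26) never reported


def evaluate_rules():
    """Run the three rule types over the constructed series; returns hit indices."""
    return {
        "smtp_threshold": threshold_rule(SMTP_OUT_MB, high=150),
        "smtp_vs_yesterday": behavioral_rule(SMTP_OUT_MB, season=24),
        "link_anomaly": anomaly_rule(LINK_MBPS),
        "backup_missing": behavioral_rule(BACKUP_OK, season=24),
    }


if __name__ == "__main__":
    for name, hits in evaluate_rules().items():
        print(f"{name}: fired at hourly interval(s) {hits}")
```

Note that the behavioral rule fires on the missing backup (a drop to zero), whereas a threshold on the raw count could not distinguish the failed night from any other hour.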

Let us take a closer look at how offenses are managed by the Magistrate component.

Events and flows that have been tagged by the Custom Rules Engine on the Event Processors for
further processing are handed over to the Console through the Exit Filter.

Until now, we have examined the QRadar component structure from a deployment viewpoint. Let
us now take a final look at the flow of a captured event.


Summary
Now you should be able to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture


Summary

In this unit we covered the functional architecture and explained how IBM QRadar was designed
from the ground up as a modular Security Intelligence solution. After looking at this modular
design, its extensibility, and its deployment patterns, we examined the component architecture so
that the analyst understands how data is ingested and processed.

When analysts examine the individual pieces of a larger security incident investigation, this
architectural understanding should substantially enhance their capability for detailed and fast
analysis.

Unit 3 Using the QRadar SIEM User Interface

© Copyright IBM Corporation 2017

The user interface of QRadar SIEM is your workbench for gaining visibility into your environment
from a security perspective. This unit teaches you how to operate the interface, such as pausing
and refreshing the displayed data, changing your password, and accessing help.

Reference:
• QRadar SIEM User Guide: http://www.ibm.com/support/docview.wss?uid=swg27049537


Objectives
In this unit, you learn to perform the following tasks:
• Leverage the QRadar SIEM user interface

Using the QRadar SIEM User Interface © Copyright IBM Corporation 2017


Instructor demonstration of the QRadar SIEM User Interface



Tabs
To leverage QRadar, use its tabs
• Dashboard: Monitor various activities in your environment
• Offenses: Query and display suspicious activities
• Log Activity: Query and display events
• Network Activity: Query and display flows
• Assets: Query and display information about systems in your environment
• Reports: Create templates and generate reports
• Admin: Administrative system management

To reset a tab to its default settings, double-click it.


Tabs

The QRadar SIEM user interface provides tabs that let you navigate and focus on specific slices of
the collected, analyzed, and displayed data.

Two more tabs become available when a license for QRadar Vulnerability Manager and QRadar
Risk Manager is installed:
• Risks: Query and display risks in your environment
• Vulnerabilities: Query and display vulnerabilities in your environment


Managing the displayed data

Every minute QRadar SIEM automatically refreshes the data on the following tabs
• Dashboard
• Log Activity
• Network Activity
• Reports

Pause: Click to pause the automatic display refresh
Refresh: Display the latest available data
Play: Resume the automatic display refresh

Managing the displayed data

QRadar SIEM works in 1-minute cycles. When a 1-minute cycle finishes, the event and flow
processors send the Console the data from the past minute that is needed there. Clicking the
Refresh button resets the displayed countdown to 60 seconds, but the results returned can still
come from the prior minute. The countdown in the user interface does not necessarily run in sync
with the 1-minute cycles.

The Pause button stops only refreshes of the display. QRadar SIEM continues to process data in
the background.


Managing your QRadar user


Click your user name in the top bar to change
properties of your QRadar user and to log out


Managing your QRadar user

User Preferences:

Users can change their password in the Preferences, if they authenticate with the local system
authentication of QRadar SIEM. Users cannot change the password in the User Preferences if
QRadar SIEM uses RADIUS, TACACS, Active Directory, or LDAP for their authentication.

In most deployments, the user admin authenticates with the local system authentication of QRadar
SIEM even if other users use external authentication. Therefore, the user admin usually changes
passwords in QRadar SIEM User Preferences.


Accessing help

QRadar Help Contents: Opens the IBM Knowledge Center in a new browser tab. The browser requires internet access.

Question mark icon: Opens context-sensitive help for the currently displayed feature in a new browser window. The browser does not require internet access because the Console appliance provides the context-sensitive help.


Exercise introduction
Complete the following exercises in the Course Exercises book
• Log in to the QRadar User Interface
• Discover the User Interface
• Sending sample data to QRadar



Summary
Now you should be able to perform the following tasks:
• Leverage the QRadar SIEM user interface


Unit 4 Investigating an Offense Triggered by Events

© Copyright IBM Corporation 2017

QRadar SIEM correlates events and flows into an offense when it detects activity that it considers
suspicious. This unit teaches you how to investigate the information that is contained in an offense.

References:
• IBM Knowledge Center: Event Categories
http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_event_categories.html
• QRadar SIEM Users Guide: http://www.ibm.com/support/docview.wss?uid=swg27049537


Objectives
In this unit, you learn to perform the following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information
ƒ Summary information
ƒ The details of an offense
• Respond to an offense

Investigating an Offense Triggered by Events © Copyright IBM Corporation 2017

Lesson 1 Offenses overview

Lesson: Offenses overview


By creating an offense, QRadar SIEM alerts to suspicious activities. In this lesson, you learn the
significance of offenses and how to view your threat landscape from different perspectives.


Definition offense

Offense
--noun
An offense alerts to a suspicious activity,
and links to helpful information to
investigate it.



Introduction to offenses
• The prime benefit of QRadar SIEM for security analysts is that it detects suspected attacks or policy
violations and ties helpful information together into offenses to investigate them
• Some common offenses include these examples
ƒ Multiple login failures
ƒ Malware infection
ƒ P2P traffic
ƒ Scanner reconnaissance
• Treat offenses as security incidents and have a security analyst investigate them


Introduction to offenses

More examples of offenses include:
• Clear Text Application Usage
• Remote Desktop Access from the Internet
• Connection to a remote proxy or anonymization service
• SSH or Telnet detected on Non-Standard Port
• Large outbound data transfer
• Communication to a known Bot Command and Control
• Local IRC Server detected


Creating and rating offenses


• QRadar SIEM creates an offense when events, flows, or both meet the test conditions specified in
changeable rules that analyze the following information
ƒ Incoming events and flows
ƒ Organizational context
í User information, such as admin, newhire, CFO-team
í Network and server information, such as: web server, PCI network, crown jewels
ƒ Threat intelligence
í IP addresses and domain names of malicious hosts, such as
> spam senders
> malware hosts
> anonymous proxies
> IP address ranges dynamically assigned by ISPs

• The magistrate component running on the Console appliance maintains all offenses; it rates each
offense by its magnitude, which has these characteristics
ƒ Ranges from 1 to 10, with 1 being low and 10 being high
ƒ Prioritizes each offense by its relative importance


Creating and rating offenses

Commonly the term crown jewels refers to the servers that are most critical for an organization's
mission. Typically, crown jewels store and process customer, employee and financial data, as well
as intellectual property.


Offenses on Dashboard
Dashboard items can display offenses


Offenses on Dashboard

• The Risks and Vulnerabilities tabs are only available if QRadar Risk Manager and QRadar
Vulnerability Manager are licensed.
• Double-click a particular offense to display the detailed Offense Summary of that offense.


Offenses tab
The Offenses tab provides many navigation options to view offenses from different perspectives


Offenses tab

• To sort offenses, click a column header.


• Use the Search menu to find offenses according to search criteria.


Offenses overview by category
To view offenses from the perspective of the nature of the detected suspicious activity, list offenses By Category


Offenses overview by source IP


To locate repeat offenders, view offenses By Source IP

Select By Destination IP to identify systems that are continually under attack.


Offenses overview by network
You can also survey your threat landscape from the perspective of your networks. The list shows, per network:
• Number of offenses with one or more targets in the network
• Number of offenses with one or more attackers in the network

QRadar SIEM administrators configure local networks in the Network Hierarchy. You find the
Network Hierarchy on the Admin tab. The Network Hierarchy is introduced later in this course.

Lesson 2 Using summary information to investigate an offense

An offense bundles a wealth of information about a suspicious activity. In this lesson, you learn how
to use offense summary information to begin investigating an offense.


Instructor demonstration of offense parameters


This demonstration uses an example offense
Investigating offenses is a typical part of a security analyst's job

Note: At least an hour before this lesson, run the /labfiles/sendCheckpoint.sh script in order
to have QRadar SIEM create the example offense. On the Offenses tab, navigate to this offense
and use it as an example to illustrate the topics in this lesson.


Offense Summary window


• The Offense Summary provides a single view into all
the evidence that QRadar SIEM has tied together in
the offense
• The remainder of the unit examines the window
sections in the same way as the security analyst
investigates an offense

The sections of the Offense Summary window include:


• Offense Parameters
• Offense Source Summary
• Last 5 Notes
• Last 5 Search Results
• Top 5 Source IPs
• Top 5 Destination IPs
• Top 5 Log Sources
• Top 5 Users
• Top 5 Categories
• Top 10 Events
• Top 10 Flows
• Top 5 Annotations

We will review these sections in the remainder of the unit.


Offense parameters
Investigating an offense begins with the parameters at the top of the offense summary window

Magnitude: Relative importance of the offense
Credibility: How valid is information from that source?
Relevance: How significant is the destination?
Severity: How high is the potential damage?

Offense parameters (1 of 4)

• Connections and View Attack Path:


These two buttons are only available if QRadar Risk Manager is licensed.
• Magnitude:
Prioritizes an offense by its importance relative to other offenses. However, security analysts
cannot ignore less important offenses, because they could indicate a real attack or policy
violation.
A proprietary algorithm calculates the magnitude based on a number of values, such as:
– number of involved log sources
– categories
– age of offense
– relevance, severity, credibility, number and frequency of events and flows
• Status:
The offense on the slide is in status active. QRadar SIEM does not display a status icon for the
active status. Other statuses are indicated with an icon in the Status field.
• Relevance:
Indicates the relative impact that the suspected attack or policy violation would have. QRadar
SIEM determines the relevance from the asset weights of the destinations of the offense.
QRadar SIEM administrators configure the asset weight in asset profiles.
• Severity:
Indicates the amount of threat a suspicious activity poses. Each event categorization configures
a severity rating.
• Credibility:
Indicates the reliability of the witness. Credibility increases if multiple sources report the same
attack. QRadar SIEM administrators configure a credibility rating for each log source.


Offense parameters (continued)


Offense Type: General root cause of the offense; the offense type determines which information is displayed in the next section of the Offense Summary
Description: Reflects the causes for the offense; the description can change when new events or flows are associated with the offense
Event count: Number of events associated with this offense
Flow count: Number of flows associated with this offense

Offense parameters (2 of 4)

Offense Type:

The rule that created the offense determines the Offense Type. Example offense types include:
• Source IP
• Destination IP
• Event Name
• Username
• Source MAC Address
• Destination MAC Address
• Log Source
• Host Name
• Source Port
• Destination Port
• Source IPv6
• Destination IPv6
• Rule
• App ID
• Custom properties


Offense parameters (continued)

Source IP(s): Origin of the ICMP scanning
Start: Date and time when the first event or flow associated with the offense was created
Destination IP(s): Targets of the ICMP scanning
Duration: Amount of time elapsed since the first event or flow associated with the offense was processed

Offense parameters (3 of 4)

• Source IP(s):
To get more information about the IP address, right-click, left-click, or hold the mouse over the
address.
Offenses of type Source IP always have exactly one source IP address. Offenses of other
types can have more than one source IP address. In those cases, the Source IP(s) field
displays Multiple(n), where n indicates the number of source IP addresses.
Left-click Multiple(n) to view a list of the source IP addresses.
• Destination IP(s):
If the offense has only one target, its IP address is displayed. To get more information about the
IP address, right-click, left-click, or hold the mouse over it.
If the offense has multiple targets, the following terms are displayed:
– Local (n): Local IP addresses that were targeted.
– Remote (n): Remote IP addresses that were targeted.
Left-click an option to view a list of the local or remote IP addresses.


Offense parameters (continued)

Network(s): Local networks of the local Destination IPs that have been scanned
Assigned to: QRadar SIEM user assigned to investigate this offense

Offense parameters (4 of 4)

Network(s):

QRadar SIEM considers all networks specified in the Network Hierarchy on the Admin tab as local.
The Network Hierarchy is introduced later in this course.

QRadar SIEM does not associate remote networks to an offense, even if they are specified as
Remote Network or Remote Service on the Admin tab.


Offense Source Summary


To the security analyst, the Offense Source Summary provides information about the origin of the ICMP scanning

IP: Origin of the ICMP scanning
Location: Network of the source IP address if it is local
Magnitude: Indication of the level of risk that an IP address poses relative to other IP addresses
Vulnerabilities: A local host with a known vulnerability can have been exploited and turned into an attacker

Offense Source Summary (1 of 6)

The example offense on the slide is of the type Source IP. For an offense of type Destination IP, the
fields display information about the destination.


Offense Source Summary (continued)


When you right-click the IP, you see navigation options for further investigation
View By Network: Open a separate window with statistical information about the network of the IP address
View Source Summary: Open a separate window with a list of the offenses that the IP address is involved in
Offense Source Summary (2 of 6)


Offense Source Summary (continued)

WHOIS Lookup: Find the registered owner of the IP address
Port Scan: nmap scans the IP address
Search Flows: Find flows associated with the IP address
Offense Source Summary (3 of 6)

The last three menu items are only available if QRadar Risk Manager is licensed.
• WHOIS Lookup:
By default, whois.arin.net is configured as the WHOIS server. It does not have the owners of
local IP addresses registered. QRadar SIEM must be able to reach whois.arin.net to look up
the registered owners of remote IP addresses.
• Port Scan:
On the Console, QRadar SIEM runs the command nmap -A for the IP address. Nmap is always
installed with QRadar SIEM.
QRadar SIEM displays the Nmap scan results in a popup window. In addition to open ports and
services, Nmap detects operating system versions and a few potential vulnerabilities, such as
anonymous FTP login. However, Nmap does not check for vulnerabilities provided by threat
intelligence feeds.
The result of the Port Scan does not create or update the asset profile in QRadar SIEM. Port
Scan is separate from the vulnerability scanners that QRadar SIEM administrators can configure
and run. The results of vulnerability scanners update asset profiles.
A QRadar SIEM user can run a Port Scan for a remote IP address, but the owner of the remote
system could consider this scan an attack. Therefore, do not scan remote IP addresses.


Offense Source Summary (continued)


• Selecting Run Vulnerability Scan opens a popup window to scan the IP address
• The Run Vulnerability Scan menu item is only available if QRadar Vulnerability Manager is licensed
• Only scan IP addresses that your organization owns

Offense Source Summary (4 of 6)

QRadar SIEM administrators can configure Domains to separate IP addresses if they are used for
multiple hosts. This typically happens when organizations merge and when a single QRadar SIEM
deployment serves multiple tenants with overlapping private IP address ranges.


Offense Source Summary (continued)


• Selecting Plugin options > X-Force Exchange Lookup loads the X-Force IP Report for the IP address in a new browser tab
• The X-Force IP Report contains a variety of information about the IP address, including its history of spam and botnet activity

Offense Source Summary (5 of 6)

• The example IP address is part of a range that is reserved for private use.
• The X-Force Exchange Lookup requires Internet access for the browser but not for the QRadar
Console appliance.


Offense Source Summary (continued)

Weight: Relevance of the asset with this source IP address
Offenses: Number of offenses associated with this source IP address
Events/Flows: Number of events and flows associated with this offense

Offense Source Summary (6 of 6)

• User:
User associated with this source IP address. If no user is identified, the field shows Unknown.
• MAC:
MAC address associated with the source IP address when the offense began. If unknown, the field
shows Unknown NIC.
• Host Name:
Host name associated with the source IP address. If unidentified, the field shows Unknown.
• Asset Name:
Asset name associated with the source IP address. If unidentified, the field shows Unknown.
• Weight:
Asset weight of the source IP address, as configured by QRadar SIEM administrators in the
asset profile. The levels range from 0 (not important) to 10 (very important).

Lesson 3 Investigating offense details

Many details help the security analyst to investigate an offense. In this lesson, you learn how to use
further details to investigate an offense.

Reference:
• IBM Knowledge Center: Event Categories
http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_event_categories.html


Last 5 Notes
• QRadar SIEM users can document their investigation findings and actions as notes
• You cannot edit or delete notes
• The maximum length of a note is 2000 characters
Notes: View all notes of the offense
Add Note: Create new note

When closing an offense, you can enter a reason. QRadar SIEM adds the reason as a note to the
offense.


Last 5 Search Results


• Record of the most recent search results for offenses of type Scheduled Search
• Such offenses do not indicate any suspicious activity
• Their purpose is to record results of complex searches

• Not used by other offense types.


• Configure the creation of Scheduled Search offenses in the Report Wizard on the Reports tab.


Top 5 Source IPs


• Of the IP addresses from which the suspected attack or policy violation originates, QRadar SIEM lists the five with the highest magnitudes
• The table contains only one row because the example offense has only one source IP address

Location: Hover the mouse over a shortened field value to display the full value
Sources: View all source IP addresses of the offense

The example offense on this slide is of type Source IP. Therefore, the Offense Source Summary
displays the same information as the columns in the Top 5 Source IPs. Refer to the previous lesson
for explanations of the columns.


Top 5 Destination IPs


• QRadar SIEM lists the five local IP addresses with the highest magnitude, which are targets of the suspected attack
• The table contains only two rows because only two local IP addresses were affected

Destinations: View all destination IP addresses of the offense
Destination IP: Hover the mouse over the asset name or IP address to display further information
Chained: Indicates whether the destination IP address is the source IP address in another offense

• Chained:
The field shows Yes if the destination IP address is the source IP address of other offenses.
Then, an attacker has taken control over the system with this IP address and uses it to attack
other systems. Click Yes to view the chained offenses.
• Magnitude:
The column displays the Aggregate CVSS Score if this value exists. If it does not exist, the
column displays the highest offense magnitude of all the offenses that the IP address is a part
of.
• Destination Magnitude:
The bar displays the Aggregate CVSS Score if this value exists. If it does not exist, just 0 is
displayed.
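To make the Chained and Magnitude rules above concrete, the following Python sketch (an added illustration, not QRadar SIEM code) computes them for a constructed set of offenses; the offenses, the 10.0.0.0/8 local network standing in for the Network Hierarchy, and the Aggregate CVSS scores are all assumed sample data.

```python
"""Builds the Chained flag and the Magnitude column of a Top 5 Destination IPs
table from a set of offenses, following the field descriptions in the notes.
Added illustration with constructed sample data; not QRadar SIEM code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Offense:
    offense_id: int
    magnitude: int            # 1 (low) to 10 (high)
    source_ip: str
    destination_ips: List[str]


# Constructed stand-in for the Network Hierarchy: everything in 10.0.0.0/8 is local.
LOCAL_NETWORKS = [ip_network("10.0.0.0/8")]

# Constructed sample offenses. Offense 2 originates from 10.0.1.20, which is a
# target of offense 1, so offense 1 shows 10.0.1.20 as chained.
OFFENSES = [
    Offense(1, 7, "10.0.0.5", ["10.0.1.20", "10.0.1.21"]),
    Offense(2, 4, "10.0.1.20", ["10.0.2.7"]),
    Offense(3, 9, "198.51.100.9", ["10.0.1.21"]),
    Offense(4, 3, "10.0.3.3", ["203.0.113.5", "10.0.2.7"]),
]

# Constructed Aggregate CVSS scores, as a vulnerability scanner would write
# them into asset profiles. Hosts without a score are simply absent.
AGGREGATE_CVSS: Dict[str, float] = {"10.0.1.21": 8.5}


def is_local(ip: str) -> bool:
    return any(ip_address(ip) in net for net in LOCAL_NETWORKS)


def chained_offenses(ip: str, offenses: List[Offense], current_id: int) -> List[int]:
    """IDs of the *other* offenses in which this destination IP is the source IP.
    A non-empty list is what the Chained column renders as Yes."""
    return [o.offense_id for o in offenses
            if o.source_ip == ip and o.offense_id != current_id]


def magnitude_column(ip: str, offenses: List[Offense], cvss: Dict[str, float]) -> float:
    """Magnitude: the Aggregate CVSS Score if it exists, otherwise the highest
    magnitude of all offenses the IP takes part in (as source or destination)."""
    if ip in cvss:
        return cvss[ip]
    involved = [o.magnitude for o in offenses
                if ip == o.source_ip or ip in o.destination_ips]
    return float(max(involved)) if involved else 0.0


def destination_magnitude_bar(ip: str, cvss: Dict[str, float]) -> float:
    """Destination Magnitude bar: Aggregate CVSS if it exists, otherwise 0."""
    return cvss.get(ip, 0.0)


def top_destination_ips(offense: Offense, offenses: List[Offense],
                        cvss: Dict[str, float], limit: int = 5) -> List[dict]:
    """Rows of the table: local destinations of the offense only, ordered by
    the Magnitude column, at most `limit` rows."""
    rows = []
    for ip in offense.destination_ips:
        if not is_local(ip):
            continue              # remote targets are not listed in this table
        chained = chained_offenses(ip, offenses, offense.offense_id)
        rows.append({
            "destination_ip": ip,
            "chained": "Yes" if chained else "No",
            "chained_offenses": chained,
            "magnitude": magnitude_column(ip, offenses, cvss),
            "destination_magnitude": destination_magnitude_bar(ip, cvss),
        })
    rows.sort(key=lambda r: r["magnitude"], reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    for row in top_destination_ips(OFFENSES[0], OFFENSES, AGGREGATE_CVSS):
        print(row)
```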


Top 5 Log Sources


A firewall provided the log messages about firewall denies; this firewall is the major log source of the offense

Events: Number of events sent by the log source added to the offense
Log Sources: View all log sources adding to the offense
Custom Rule Engine (CRE): The QRadar SIEM CRE creates events and adds them to offenses
Offenses: Number of offenses related to the log source
Total Events: Sum of all events received from this log source while the offense is active

• Name and Description:


QRadar SIEM administrators can choose the name and description of a log source. They also
choose the credibility for events received from the log source.
• Group:
Optionally, QRadar SIEM administrators can create log source groups.


Top 5 Users
QRadar SIEM lists the five users with the most events added to the offense

Users: View all users associated with the offense

For the example offense, QRadar SIEM did not receive an event or flow with user information and
therefore does not list a user. The screen capture displays a user from a different offense.


Top 5 Categories
QRadar SIEM categorized most events into the Firewall Deny category

Categories: View all low-level categories of the events contributing to the offense
Name: Low-level category of the event
Local Destination Count: Number of local destination IP addresses affected by offenses with events in this category

• QRadar SIEM classifies events into categories. Categories cannot be added, deleted, or
renamed.
Refer to the QRadar SIEM product documentation about event categories
(http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_event_categories.html)
for a list of high-level categories (HLC) and low-level categories (LLC).
Rules executed by the Custom Rule Engine (CRE) fired for the suspicious Firewall Deny
events. As an action of the rules, the CRE created the events in the Network Sweep and ICMP
Reconnaissance categories, and created the offense tying these events together.
• Local Destination Count:
Displays 0 if all destination IP addresses are remote.
• Events/Flows:
Displays the number of events per low-level category that the CRE added to the offense.


Last 10 Events
Double-click anywhere on a row to open a window with details about the event
Dst Port: The destination port is 0 for layer 3 protocol traffic such as ICMP
Events: View all events added to the offense

The last 10 events added to the offense provide the security analyst information about the latest
developments in the offense.


Last 10 Flows
The table does not display any flows, because QRadar SIEM did not detect flows relevant for the offense

Total Bytes: Sum of bytes transferred in both directions
Flows: View all flows added to the offense


Annotations
• Annotations provide insight into why QRadar SIEM considers the event or observed traffic threatening
• QRadar SIEM can add annotations when it adds events and flows to an offense
• Read the oldest annotation first, because it was added when the offense was created

Annotations: View all annotations of the offense
Annotation: Hold the mouse over a shortened annotation to show the full annotation

The QRadar SIEM rules add annotations when they create or update an offense, whereas QRadar
SIEM users cannot add, edit, or delete annotations.


Offense Summary toolbar


The Offense Summary toolbar provides direct links to the information that you just investigated

Summary: View the Offense Summary
Display: View offense information introduced on previous slides
Events: View all events added to the offense
Flows: View all flows added to the offense

• To review information about offense-related Connections, or to use the View Attack
Path option, you must have QRadar Risk Manager deployed, which is not covered in this
course.
• In the next lesson, we look at the possible actions.

Lesson 4 Acting on an offense

Security analysts draw conclusions from investigating an offense and can act accordingly. In this
lesson, you learn how to take action on an offense in QRadar SIEM.


Offense actions
After investigating an offense, click Actions at the top of the Offense Summary page to set flags and status

Follow up: Choose if you want to revisit the offense
Hide: Use with caution because QRadar SIEM still updates the offense; alarming updates can stay hidden
Protect Offense: Prevent QRadar SIEM from deleting the offense
Close: When you have resolved the offense, close it
• All actions on the Offense Summary page are also available on the Offense list with the
exception of Email and Add Note.
• The Actions menu includes the following options:
– Hide:
An offense hidden by a QRadar SIEM user is also hidden for all other users.
The Offense Manager on the Offenses tab does not list hidden offenses by default.
To display hidden offenses, clear the Exclude Hidden Offenses filter.
An inactive offense can be hidden, but a closed offense cannot be hidden.
If a user closes a hidden offense, QRadar SIEM displays it.
– Email and Add Note:
The Email and Add Note actions are available only on the Offense Summary page.
– Assign:
Delegate the offense to a QRadar SIEM user.


Offense status and flags


The actions available depend on the status of the offense

Status: Icon indicates Protected, Inactive, Closed, Follow up, Notes, or Assigned
Unprotect Offense: Allow QRadar SIEM to delete this protected offense

• This slide displays how the Status field and the Actions menu look after you have performed
the following actions:
– Follow up
– Protect Offense
– Close
– Add Note
– Assign
• Field descriptions:
– Status:
No icon exists for status active. An icon exists for status hidden, but it is not displayed in the
slide.
– Follow up, Email, Add Note, and Assign:
These actions are available for all offenses in any status, including the inactive status.
If you select Follow up for an offense with the Follow up flag already set, QRadar SIEM
removes the flag.
– Assigned to:
The offense is assigned to a QRadar SIEM user.

The Actions menu of the Offense Manager on the Offenses tab allows you to export offenses. You
can export offenses to keep records outside of QRadar SIEM. Exported offenses cannot be
imported back into QRadar SIEM.


Offense lifecycle
• A newly created offense is in status active
– QRadar SIEM maintains up to 2,500 active offenses
• QRadar SIEM changes the status from active to dormant when the offense has not received an event
or flow for 30 minutes
• QRadar SIEM changes the status from dormant to recalled when the offense receives an event or
flow
– QRadar SIEM maintains up to 500 recalled offenses
– QRadar SIEM changes the status from recalled back to dormant when the offense has not received an event or
flow for 30 minutes
• QRadar SIEM changes the status to inactive in the following cases
– A user closes the offense
– The offense has not received an event or flow for five days
– The QRadar SIEM installation is upgraded
• If a rule fires that would add an event or flow to an inactive offense, a new offense is created
• QRadar SIEM deletes unprotected offenses in inactive status after the retention period elapses;
administrators can change the default retention period of three days
Investigating an Offense Triggered by Events © Copyright IBM Corporation 2017

• Offenses tab:
The search on the Offenses tab allows you to exclude active offenses from the search result. There,
the Active Offenses checkbox covers the statuses active, dormant, and recalled.
• Protect Offense and the inactive status:
A protected active offense can become inactive, but QRadar SIEM does not delete it. QRadar
SIEM stores a protected inactive offense indefinitely, until a QRadar SIEM user unprotects it.
Only QRadar SIEM, but not users, can turn an offense inactive.
Only users, but not QRadar SIEM, can protect, unprotect, hide, or close an offense.
• Close:
When a QRadar SIEM user closes an offense, the offense turns from the status active to
inactive and closed.
• Maximum:
QRadar SIEM stores up to 100,000 offenses. However, any QRadar SIEM deployment with
more than one or two dozen offenses requires tuning.
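The lifecycle described above, written out as a small state machine. This is an added example and not QRadar SIEM code: the Offense class, its method names, the constructed timestamps produced by at(), and the choice to time-stamp a transition at the moment the idle period elapsed are assumptions of the example. The inactive-on-upgrade case and the limits on active and recalled offenses are not modeled; the 30-minute, five-day, and three-day timings are the ones the slide states.

```python
"""Added example, not QRadar SIEM code: the offense lifecycle as a state
machine driven by constructed timestamps."""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(minutes=30)   # active or recalled -> dormant
INACTIVE_AFTER = timedelta(days=5)      # no event or flow for five days -> inactive
DEFAULT_RETENTION = timedelta(days=3)   # unprotected inactive offenses are deleted after this

T0 = datetime(2017, 12, 1, 8, 0)        # constructed start of the scenario


def at(**offset):
    """Constructed timestamp relative to T0, e.g. at(hours=1, minutes=30)."""
    return T0 + timedelta(**offset)


class Offense:
    """Statuses: active, dormant, recalled, inactive. tick() and add_event()
    change the status on QRadar's behalf; close() and protect() are user actions."""

    def __init__(self, first_event, protected=False):
        self.status = "active"
        self.last_event = first_event
        self.protected = protected
        self.closed = False
        self.inactive_since = None
        self.deleted = False
        self.history = [(first_event, "active")]

    def _transition(self, status, when):
        if status != self.status:
            self.status = status
            self.history.append((when, status))

    def tick(self, now):
        """Apply the time-based transitions QRadar SIEM performs on its own."""
        if self.status == "inactive":
            # Only unprotected inactive offenses are deleted once the retention
            # period elapses; protected ones stay until a user unprotects them.
            if not self.protected and now - self.inactive_since >= DEFAULT_RETENTION:
                self.deleted = True
            return
        idle = now - self.last_event
        if idle >= INACTIVE_AFTER:
            self.inactive_since = self.last_event + INACTIVE_AFTER
            self._transition("inactive", self.inactive_since)
        elif idle >= DORMANT_AFTER:
            self._transition("dormant", self.last_event + DORMANT_AFTER)

    def add_event(self, when):
        """Attach an event or flow that a rule matched to this offense. Returns the
        offense that received it: this one, or a new offense when this one is
        already inactive (an inactive offense never receives events again)."""
        self.tick(when)
        if self.status == "inactive":
            return Offense(when)
        if self.status == "dormant":
            self._transition("recalled", when)
        self.last_event = when
        return self

    def close(self, when):
        """User action: closing turns the offense inactive and closed."""
        self.closed = True
        self.inactive_since = when
        self._transition("inactive", when)

    def protect(self, flag=True):
        """User action: a protected offense is never deleted."""
        self.protected = flag


def status_trail(offense):
    """The sequence of statuses the offense has gone through, in order."""
    return [status for _, status in offense.history]


if __name__ == "__main__":
    offense = Offense(T0)
    offense.tick(at(minutes=30))          # dormant
    offense.add_event(at(hours=1))        # recalled
    offense.tick(at(days=5, hours=1))     # inactive
    print(status_trail(offense))
```

Run the scenario with different timestamps to see which transitions fire; add_event() on an inactive offense hands back a fresh Offense, which is the "new offense is created" rule from the slide.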

Exercise introduction
Complete the following exercises in the Course Exercises book
• Investigating the local DNS scanner offense

Summary
Now you should be able to perform the following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information
– Summary information
– The details of an offense
• Respond to an offense

Unit 5 Investigating the Events of an Offense

The investigation of an offense usually leads to the investigation of the events that contributed to
the offense. This unit teaches you how to find, filter, and group events in order to gain critical
insights about the offense. You also learn how to create and edit a search that monitors the events
of suspicious hosts.

References:
• QRadar SIEM Users Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803
• Technote: QRadar: How does the Log Activity and Network Activity Real Time (streaming)
option work? http://www.ibm.com/support/docview.wss?uid=swg21622826

Objectives
In this unit, you learn to perform the following tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search

Lesson 1 Investigating event details


One of the first steps when investigating the events of an offense is to examine the event data at a
high level. In this lesson, you learn how to navigate the event details that are displayed in the list of
events.

Definition: event

Event
--noun
An event is a record of an action on a machine.


Navigating to the events

In the Offense Summary, click Events to open the list of events.

Events:
View all events added to the offense

You can also use the Log Activity tab to view events.

List of events

Hide graphical charts

View event details by double-clicking a row

• To sort events, click a column header.
• To investigate suspicious activity, you must locate the information associated with the offense,
such as its events.

Event details: Base information

The event information is similar to the offense parameters.

Start Time:
The time when a QRadar Event Collector started working with the raw event

Storage Time:
The time when a QRadar Event Processor stored the normalized event in its database

Log Source Time:
The time stamp that the log source recorded in the raw event

Event details: Source and destination information


Typically, only a few fields under the source and destination information include data


Event details: Reviewing the raw event

Each normalized event carries its raw event as the payload.

Review the raw event for information that QRadar SIEM has not normalized into fields, and which
therefore does not display in the UI. An example is the firewall profile name Default_Atlantis.


Event details: Additional details

QID:
A QID map specifies event name, description, severity rating, and links to the low-level and high-level category

Protocol:
Network protocol

Log Source:
This log source provided the raw event that QRadar SIEM normalized into this event

Event Count:
Number of raw events bundled into this normalized event

• The Event Details window provides more event information. This information is discussed in
more depth later in this course.
• Field descriptions:
– Protocol:
In this example, the protocol is icmp_ip. ICMP is encapsulated into IP. Both are layer 3
protocols.
– QID:
A QID number identifies a QID map. A QID map identifies an action of a software system or
network device that it logs as a raw event.
– Log Source:
A system on your network is a log source if QRadar SIEM receives raw events from it.
– Event Count:
For each individual log source, QRadar SIEM administrators can enable or disable
coalescing of multiple similar raw events into one normalized event. The number indicates
how many raw events have been coalesced into one normalized event. A coalesced,
normalized event contains only the first raw event in the payload.

Returning to the list of events

After investigating the event details, click Return to Event List, in the upper-left corner of the event
details window, to return to the event list.

Return to Event List:
Navigate to the list of events for the offense

Offense:
Navigate to the offense to which the event was added

Lesson 2 Using filters to investigate events


Filters can temporarily hide events from the user interface, which makes it easier to focus on more
significant events. When investigating events, it can be helpful to filter the events. In this lesson,
you learn how to filter events.

References:
• QRadar SIEM Users Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803

Filtering events
• In the list of events, you can use filters to explore the offense further
• Most events in this offense are Firewall Deny
• Because other events provide more insight, right-click the event name to filter for events that are not
Firewall Deny


• You can right-click most fields to filter them.
• Use the False Positive option to prevent the CRE from adding this and similar events to offenses.
• The menu item beginning with View path is only available if QRadar Risk Manager is licensed.

Filtering events (continued)

By filtering out the Firewall Deny events, you can focus on the other events.

The Custom Rule Engine (CRE) in QRadar SIEM created the events in this list to alert you to suspicious
activity.

Filtering events (continued)

The user interface displays the applied filters.

Clear Filter:
Click to view the Firewall Deny events again

Applying a Quick Filter to the payload

• The raw Firewall Deny events contain the firewall profile that denied the connection
• The firewall profile is not available as an event property
• To verify that the company's main profile, Atlantis, was always active, filter for events without
profile: Default_Atlantis in the payload

Quick Filter:
Filter for events that do not contain profile: Default_Atlantis in the payload

Clear Filter:
Click to view all events of the offense again

Quick Filter supports expressions with AND, OR, and NOT. For example, when you apply the NOT
"profile: Default_Atlantis" Quick Filter and no events show, you can assume that all the events'
payloads mention the firewall profile Atlantis because no other firewall profile was active.

Refer to the QRadar SIEM Users Guide
(http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about the
expressions Quick Filter supports.

A coalesced event contains only the payload of one of the raw events bundled together. Therefore,
quick filtering looks into only that one payload.
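To make the Event Count note in Lesson 1 and the Quick Filter caveat above concrete, here is an added example that is not QRadar SIEM code. It bundles constructed raw firewall events into normalized events that keep only the first payload, then evaluates a Quick Filter expression with AND, OR, NOT, and parentheses against the stored payloads, so you can see a raw event with a different profile disappear from the filter result once it has been coalesced. The coalescing key (event name, source IP, destination IP), the operator precedence, the case-insensitive substring match, and the sample payloads are assumptions of the example; QRadar SIEM's own coalescing criteria and Quick Filter grammar are described in the Users Guide linked above.

```python
"""Added example, not QRadar SIEM code: coalescing of raw events into normalized
events, and a Quick Filter evaluator over the payload that survives coalescing."""
import re
from dataclasses import dataclass


@dataclass
class NormalizedEvent:
    event_name: str
    payload: str          # payload of the FIRST raw event only
    event_count: int = 1  # number of raw events bundled into this one


# Constructed sample raw events (event name, source IP, destination IP, payload).
RAW_EVENTS = [
    ("Firewall Deny", "10.100.3.7", "172.16.0.10",
     "Dec  1 08:00:01 fw1 action=deny proto=icmp src=10.100.3.7 dst=172.16.0.10 profile: Default_Atlantis"),
    ("Firewall Deny", "10.100.3.7", "172.16.0.10",
     "Dec  1 08:00:02 fw1 action=deny proto=icmp src=10.100.3.7 dst=172.16.0.10 profile: Default_Atlantis"),
    ("Firewall Deny", "10.100.3.7", "172.16.0.10",
     "Dec  1 08:00:03 fw1 action=deny proto=icmp src=10.100.3.7 dst=172.16.0.10 profile: Maintenance"),
    ("Firewall Deny", "10.100.3.7", "172.16.0.11",
     "Dec  1 08:00:05 fw1 action=deny proto=udp src=10.100.3.7 dst=172.16.0.11 dpt=53 profile: Default_Atlantis"),
]


def coalesce(raw_events, enabled=True):
    """Bundle similar raw events (assumed key: event name, source IP, destination IP)
    into one normalized event. Only the first raw event's payload survives, which is
    the caveat in the notes above. enabled=False models a log source with coalescing
    switched off: every raw event becomes its own normalized event."""
    bundles, order = {}, []
    for i, (name, src, dst, payload) in enumerate(raw_events):
        key = (name, src, dst) if enabled else i
        if key in bundles:
            bundles[key].event_count += 1   # this raw event's payload is dropped
        else:
            bundles[key] = NormalizedEvent(name, payload)
            order.append(key)
    return [bundles[k] for k in order]


# A token is a quoted phrase, a parenthesis, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')


def parse_quick_filter(expression):
    """Parse AND, OR, NOT and parentheses into a tree. The precedence (NOT, then AND,
    then OR) and case-insensitive substring terms are assumptions of this example."""
    tokens = TOKEN_RE.findall(expression)
    pos = 0

    def accept(tok):                      # consume the next token if it equals tok
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == tok:
            pos += 1
            return True
        return False

    def parse_or():
        node = parse_and()
        while accept("OR"):
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while accept("AND"):
            node = ("and", node, parse_not())
        return node

    def parse_not():
        nonlocal pos
        if accept("NOT"):
            return ("not", parse_not())
        if accept("("):
            node = parse_or()
            if not accept(")"):
                raise ValueError("missing closing parenthesis")
            return node
        if pos >= len(tokens) or tokens[pos] in (")", "AND", "OR"):
            raise ValueError("expected a search term")
        pos += 1
        return ("term", tokens[pos - 1].strip('"').lower())

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree


def matches(tree, payload):
    """Evaluate a parsed expression against one payload."""
    kind = tree[0]
    if kind == "term":
        return tree[1] in payload.lower()
    if kind == "not":
        return not matches(tree[1], payload)
    left, right = matches(tree[1], payload), matches(tree[2], payload)
    return (left and right) if kind == "and" else (left or right)


def quick_filter(events, expression):
    """Return the normalized events whose stored payload satisfies the expression."""
    tree = parse_quick_filter(expression)
    return [e for e in events if matches(tree, e.payload)]
```

Running NOT "profile: Default_Atlantis" over coalesce(RAW_EVENTS) returns nothing, although the third raw event names a different profile: its payload was dropped when it was bundled into the first normalized event. Over coalesce(RAW_EVENTS, enabled=False) the same filter finds it, which is why the conclusion drawn from an empty Quick Filter result is only as good as the coalescing settings of the log source.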

Using another filter option

• To create a filter, click the Add Filter icon
• You can use each event property as a filter


• Instead of an IP address, you can enter a range of IP addresses, in CIDR notation, such as
10.100.0.0/16.
• To build an OR expression, use Equals any of.

Using another filter option (continued)

A wide variety of Parameters and Operators are available for filtering

Optimizing search execution efficiency

Searches can consume a lot of resources and run for a long time. To run searches efficiently, follow these
recommendations:
• An index on a filtered property significantly reduces the run time of a search
– [Indexed] behind a property in the Parameter drop-down list indicates that QRadar SIEM maintains an index
for the values of the property
– If you search for a property without an index, add indexed properties as filters to lower the number of events that
QRadar SIEM needs to search
• Narrow the time range
– The relationship between time range and resource consumption is nearly linear
• If you know which appliances store the relevant events and flows, select from the Parameters drop-
down list the Event Processor parameter and then the names of the appliances
– The Event Processor parameter is available not only for events but also for flows, because event and flow
processing is provided by the same software component
• The Log Activity and Network Activity tabs always display the result of a search; if you add a filter,
QRadar SIEM applies the filter only to this search result


In deployments with more than one appliance, network bandwidth and latency can be a bottleneck.
Therefore, narrow the time range and add filters to limit the size of the search result that event and
flow processor appliances transfer to the Console appliance.

Refer to the Searching your QRadar data efficiently technote
(http://www.ibm.com/support/docview.wss?uid=swg21689803) for more information about search
optimization.

Lesson 3 Using grouping to investigate events


Grouping events arranges the events so you can view them from different perspectives. In this
lesson, you learn how to group the events of an offense.

Reference:
• Technote: QRadar: How does the Log Activity and Network Activity Real Time (streaming)
option work? http://www.ibm.com/support/docview.wss?uid=swg21622826

Grouping events

Default (Normalized):
By default, QRadar SIEM shows normalized events without grouping

Raw Events:
Instead of grouping, QRadar SIEM shows the raw events stored in the payload of each normalized event

Low Level Category:
Explore the events further by grouping them; for example, group them by their Low Level Category


After changing the grouping, events are organized accordingly. All filters are retained.

Grouping events by low-level category

In this example, exploring by grouping indicates a second protocol.

Grouping By:
QRadar SIEM shows the currently selected grouping above the filters

Protocol:
Some events recorded an additional protocol; click Multiple (2)

All events are aggregated by their low-level category.


• Grouping summarizes all events by the chosen field. In this example, grouping events by
low-level category displays a column of all the unique low-level categories and summary
information of the other columns, such as the number of unique protocols for each low-level
category.
• In the Protocol column, Multiple (x) is displayed, where x is the number of unique protocols. If
only one protocol exists for a low-level category, that value is displayed instead of Multiple (x).
When you double-click the Multiple (x) protocols, a browser window that groups these
protocols opens. The new window displays the unique protocols summarized by the previous
grouping of low-level category.
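As an added example, not QRadar SIEM code, the following script reproduces on constructed events the behaviour described above and in the Add Filter notes of Lesson 2: a property filter that accepts a single value, a list of values (Equals any of), or a CIDR range such as 10.100.0.0/16; a grouped view with one row per value of the grouping field and Multiple (x) in the other columns; and the drill-down in which the previous grouping becomes a filter and the remaining events are regrouped by the next field. The field names, sample addresses, and the order of the summary columns are assumptions of the example.

```python
"""Added example, not QRadar SIEM code: a property filter (single value, Equals any
of, or CIDR range) and the grouped event view with Multiple (x) summaries."""
import ipaddress

# Constructed sample normalized events; field names are assumptions.
EVENTS = [
    {"low_level_category": "Firewall Deny", "protocol": "icmp_ip",
     "source_ip": "10.100.3.7", "destination_ip": "172.16.0.10"},
    {"low_level_category": "Firewall Deny", "protocol": "udp_ip",
     "source_ip": "10.100.3.7", "destination_ip": "172.16.0.11"},
    {"low_level_category": "Firewall Deny", "protocol": "udp_ip",
     "source_ip": "10.100.3.7", "destination_ip": "172.16.0.12"},
    {"low_level_category": "Firewall Permit", "protocol": "tcp_ip",
     "source_ip": "10.100.3.7", "destination_ip": "172.16.0.12"},
    {"low_level_category": "Firewall Deny", "protocol": "tcp_ip",
     "source_ip": "192.168.9.4", "destination_ip": "172.16.0.10"},
]


def property_filter(events, field, values):
    """Keep the events whose field equals one of values (a list models Equals any
    of). A value that parses as an IP network, such as 10.100.0.0/16, matches every
    address inside that range; a plain address becomes a /32 and matches itself."""
    if isinstance(values, str):
        values = [values]
    networks, literals = [], set()
    for value in values:
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError:              # not an address or range: exact match only
            literals.add(value)

    def accepted(value):
        if value in literals:
            return True
        try:
            return any(ipaddress.ip_address(value) in net for net in networks)
        except ValueError:              # the field value is not an IP address
            return False

    return [e for e in events if accepted(e[field])]


def group_by(events, field):
    """One row per distinct value of field, in order of first appearance: a Count
    column, and for every other column its single value or Multiple (x)."""
    groups = {}
    for event in events:
        groups.setdefault(event[field], []).append(event)
    rows = []
    for value, members in groups.items():
        row = {field: value, "Count": len(members)}
        for column in members[0]:
            if column == field:
                continue
            distinct = {m[column] for m in members}
            row[column] = distinct.pop() if len(distinct) == 1 else f"Multiple ({len(distinct)})"
        rows.append(row)
    return rows


def drill_down(events, current_field, current_value, next_field):
    """Double-clicking Multiple (x): the previous grouping becomes a filter and
    the remaining events are regrouped by the next field."""
    return group_by(property_filter(events, current_field, current_value), next_field)


if __name__ == "__main__":
    inside = property_filter(EVENTS, "source_ip", "10.100.0.0/16")
    for row in group_by(inside, "low_level_category"):
        print(row)
    for row in drill_down(inside, "low_level_category", "Firewall Deny", "protocol"):
        print(row)
```

Grouping the 10.100.0.0/16 events by low-level category yields a Firewall Deny row whose Protocol column reads Multiple (2); drilling into it by protocol gives the icmp_ip and udp_ip rows, and the udp_ip row in turn shows Multiple (2) destination IP addresses, which is the path the next slide walks through in the UI.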

Grouping events by protocol

In the Protocol column, click Multiple (2) to open a window with events grouped by protocol; you learn
that the firewall denied udp_ip in addition to icmp_ip.

Grouping By:
QRadar SIEM can group by Protocol

Current Filters:
The previous grouping, Low Level Category, became a filter


To explore the event further, click Multiple (2) to view the two destination IP addresses that the
source IP address wanted to contact using udp_ip. When finished, close the window.

Removing grouping criteria

Display:
Group by Default (Normalized) to remove the grouping by Low Level Category

Viewing a range of events

Toolbar buttons: Pause/Play, Refresh

If events are still being added to the investigated offense, view them:
• Real Time (streaming):
Shows events as they arrive; grouping and sorting are not available
• Last Interval (auto refresh):
Shows the last minute of events; refreshes automatically after 1 minute


• In addition to viewing incoming events, you can select a time range from the View drop-down
list. When you open the List of events window from the Offense Summary, QRadar SIEM
automatically sets a time range to include all events added to the offense.
• Last Interval (auto refresh):
Because of the refresh cycle, the last minute of events can lag by up to 1 minute behind the
time the event reached the Event Processor.
• Real Time (streaming):
To view the details of an event, pause streaming and double-click the event.
Refer to the QRadar: How does the Log Activity and Network Activity Real Time (streaming)
option work? technote (http://www.ibm.com/support/docview.wss?uid=swg21622826) for more
information about Real Time (streaming).

Lesson 4 Saving a search


The event list is the result of the search criteria that you chose. In this lesson, you learn how to save
a search and use it to investigate the events that are included in an offense. The scenario that is
used as an example in this lesson monitors a possibly compromised host.

Monitoring the offending host

The event list always displays search results; to view traffic to and from the offending host, edit this
search, save it, and add it to the dashboard.

Clear Filter:
To monitor all traffic, remove the offense filter

Filter:
Right-click a Source IP to see the filter pop-up


To monitor an offending host, filter on the IP address and then clear the offense filter. If you clear the
offense filter first, all the events in the given time range show, making it difficult to find the IP
address of interest.

Monitoring the offending host (continued)

View:
List events of the last 24 hours

Display:
Group by High Level Category

Monitoring the offending host (continued)

Now the screen shows the selected time range, grouping, and filtering.

Save Criteria:
Save the criteria of the current search

Save Results:
Save the results of the current search


• The key components of a search are time range, grouping, and filtering.
• You can save the search criteria, save the results, or both.

Saving search criteria

Save the search with the criteria specified.

Prepend the name with the department or organization name for easy identification

Assign to group

Add the saved search to the Quick Searches drop-down list


• Manage Groups:
Add, edit, or remove search groups.
• Include in Quick Searches:
Add the saved search to the Quick Searches drop-down list.
• Share with Everyone:
Include this search in other users' lists of available searches.
• Set as Default:
The Log Activity tab shows the result of this search by default.
• Include in my Dashboard:
Allows you to add the search as an item to a dashboard.
Only grouped searches can be included in the dashboard. The checkbox is grayed out if the
search is not grouped.

Event list using the saved search

Using Search:
The event list shows the result of the saved search


© Copyright IBM Corp. 2017 141


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 5 Investigating the Events of an Offense
Lesson 5 Modifying saved searches

Uempty
Lesson 5 Modifying saved searches


To use QRadar SIEM effectively, manage and modify saved searches. In this lesson, you learn how
to work with saved searches.

About Quick Searches

When you select Include in my Quick Searches when saving a search, QRadar SIEM lists the saved
search in the Quick Searches drop-down list.


© Copyright IBM Corp. 2017 143


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 5 Investigating the Events of an Offense
Lesson 5 Modifying saved searches

Uempty

Using alternative methods to create and edit searches

• Most predefined saved searches are not listed under Quick Searches
• To find, use, and edit saved searches, select Search in the top menu bar

New Search:
Load a saved search; edit the loaded search or create a new search

Edit Search:
The Event List is the result of a search; edit this current search or edit another saved search

Manage Search Results:
QRadar SIEM stores the result from each search for 24 hours; you can revisit, save, or delete results


• The New Search and Edit Search menu items are about search criteria.
• The Manage Search Results menu item is about search results.
• Managing Search Results:
QRadar SIEM might delete unsaved search results earlier than 24 hours if it requires the disk
space.
You can use the Manage Search Results option to complete the following tasks:
– Save results for auditing or forensics
– Delete previously saved search results
– Cancel long-running searches
– Send an email when the search in progress finishes

Note: Users see only the searches they create in the Manage Search Results window.
Administrators see all searches.

• Canceling a search:
When a search is queued or in progress, you can cancel the search in the Manage Search
Results window or by clicking the Cancel button in the top menu bar. Any search results
computed before the cancellation are maintained.

Finding and loading a saved search

If you select New Search or Edit Search, the Event Search window opens.

Type Saved Search:
To find saved searches easily, type your department name, if you prepended your saved searches with it


The Event Search window provides more search features, such as custom time range, grouping by
two or more fields, and column arrangement for the results.

Search actions

Show All:
Clear all filters

Export:
You can resend exported events as raw events to QRadar SIEM

Notify:
Send an email when the search in progress finishes

Delete:
Delete the result of the currently displayed search; only the search result as a collection is deleted,
not the events included in the search result


• Export to XML, Export to CSV, and Print:
These menu items are not available when viewing Real Time (streaming) or viewing partial
results from a canceled search.
• Delete:
This menu item is available only when no search is in progress.
• Notify:
This menu item is available only when a search is in progress.

Exercise introduction
Complete the following exercises in the Course Exercises book
• Look for events contributing to an offense
• Save search criteria and search results
• Investigate event details

Summary
Now you should be able to perform the following tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search


Unit 6 Using Asset Profiles to Investigate Offenses

QRadar SIEM stores security-relevant information about systems in your network in asset profiles.
This unit teaches you how asset profiles are created and updated, and how to use them as part of
an offense investigation.

References:
• Forum of Incident Response and Security Teams (FIRST): Common Vulnerability Scoring
System SIG https://www.first.org/cvss/
• PCI Security Standards Council https://www.pcisecuritystandards.org
• Technote: Vulnerability results and how they display in QRadar SIEM
http://www.ibm.com/support/docview.wss?uid=swg21665232
• QRadar SIEM Administration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Vulnerability Assessment Configuration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537


Objectives
In this unit, you learn to perform the following tasks:
• Describe how asset profiles are identified, created, and updated
• Investigate asset profile details
• Navigate the Assets tab

Using Asset Profiles to Investigate Offenses © Copyright IBM Corporation 2017


Lesson 1 Asset profiles overview


The asset profiles of QRadar SIEM store security-relevant data about systems in your network. In this
lesson, you are introduced to asset profiles and learn how QRadar SIEM creates and updates them.


Definition asset profile

Asset profile
--noun
An asset profile maintains technical and
organizational information about a system
in your organization's network.



About asset profiles


• Asset profiles store a wealth of information about a system in your local network, such as these
examples
ƒ Name
ƒ IP addresses
ƒ MAC addresses
ƒ Operating system
ƒ Services
ƒ Owner
ƒ Other resource information
• Asset profiles are used to investigate local source and destination IP addresses of an offense


About asset profiles

QRadar SIEM is not a full-fledged asset management system. For example, it does not show which
computer hosts a virtual machine. QRadar SIEM also cannot represent storage in asset profiles.


Data sources for asset profiles

• QRadar SIEM automatically creates and updates asset profiles for systems found in incoming data
ƒ DHCP, DNS, VPN, proxy, firewall NAT, and wireless access point logs
ƒ Passively gathered bidirectional flows
ƒ Results from vulnerability scanners
Only flows and vulnerability scan data add and update information about ports and services in asset
profiles
• QRadar SIEM administrators can create assets by using these methods
ƒ Manually in the user interface
ƒ Importing a CSV file in this format:
IP address, Name, Weight (1-10), Description


Data sources for asset profiles

QRadar SIEM administrators can delete asset profiles. A previously deleted asset profile is
re-created if a vulnerability scanner finds the system again, or QRadar SIEM detects it in flows.

The REST API of QRadar SIEM allows you to list and update asset profiles. It cannot create or
delete asset profiles.


Identity information
• To assign gathered data to the right profile, the Asset Profiler uses the following identity information
in priority order to identify an asset uniquely
ƒ MAC address
ƒ NetBIOS name
ƒ DNS name
ƒ IP address

For example, if a detected MAC address is not known to any asset profile, the Asset Profiler creates a new
profile, even if the IP address belonging to this new MAC address is already assigned to an existing profile,
because the Asset Profiler assumes that the system of the existing asset profile has been replaced.

• The Asset Profiler can merge asset profiles if it determines that they represent the same system
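The following simplified asset profiler is an added example for this lesson and the preceding "Data sources for asset profiles" page; it is not QRadar code. It applies the identity precedence listed above (MAC address, then NetBIOS name, then DNS name, then IP address) to incoming observations and imports manually created assets in the "IP address, Name, Weight (1-10), Description" CSV format. The class and method names are this example's own, the rule that the highest-priority identifier present in an observation decides the profile is the example's reading of the slide, profile merging is not modelled, and all sample data is constructed.

```python
"""Simplified asset profiler (added example, not QRadar code).

Applies the identity precedence MAC > NetBIOS > DNS > IP to observations and
imports the "IP address, Name, Weight (1-10), Description" CSV format.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IDENTITY_PRIORITY = ("mac", "netbios", "dns", "ip")  # highest priority first


@dataclass
class Asset:
    id: int
    mac: Optional[str] = None
    netbios: Optional[str] = None
    dns: Optional[str] = None
    ips: Set[str] = field(default_factory=set)
    name: str = ""
    weight: int = 0          # 1-10 once an administrator sets it, 0 = not set
    description: str = ""


class AssetProfiler:
    def __init__(self) -> None:
        self.assets: List[Asset] = []
        self._next_id = 1

    def _create(self, **fields) -> Asset:
        asset = Asset(self._next_id, **fields)
        self._next_id += 1
        self.assets.append(asset)
        return asset

    def _find(self, key: str, value: str) -> Optional[Asset]:
        for asset in self.assets:
            if key == "ip":
                if value in asset.ips:
                    return asset
            elif getattr(asset, key) == value:
                return asset
        return None

    def import_csv(self, text: str) -> List[Asset]:
        """Import rows in the format 'IP address, Name, Weight (1-10), Description'.

        Rows with the wrong column count, a malformed IP address, a non-numeric
        weight, or a weight outside 1-10 are skipped instead of imported.
        """
        imported = []
        for row in csv.reader(io.StringIO(text)):
            if len(row) != 4:
                continue
            ip, name, weight, description = (col.strip() for col in row)
            try:
                ipaddress.ip_address(ip)
                weight_value = int(weight)
            except ValueError:
                continue
            if not 1 <= weight_value <= 10:
                continue
            asset = self._find("ip", ip) or self._create(ips={ip})
            asset.name, asset.weight, asset.description = name, weight_value, description
            imported.append(asset)
        return imported

    def observe(self, mac: Optional[str] = None, netbios: Optional[str] = None,
                dns: Optional[str] = None, ip: Optional[str] = None) -> Asset:
        """Attach one observation (from a log, flow, or scan) to a profile.

        Interpretation used here (an assumption of this example): the
        highest-priority identifier the observation carries decides the profile.
        An unknown MAC address therefore creates a new profile even when the IP
        address is already assigned elsewhere; the old profile loses that IP
        address because its system is assumed to have been replaced.
        """
        seen: Dict[str, Optional[str]] = {"mac": mac, "netbios": netbios, "dns": dns, "ip": ip}
        target = None
        for key in IDENTITY_PRIORITY:
            if seen[key] is not None:
                target = self._find(key, seen[key])
                break
        if target is None:
            target = self._create()
        if ip is not None:
            for other in self.assets:
                if other is not target:
                    other.ips.discard(ip)  # the IP address moves to the target profile
            target.ips.add(ip)
        for key in ("mac", "netbios", "dns"):
            if seen[key] is not None and getattr(target, key) is None:
                setattr(target, key, seen[key])
        return target
```

Feeding the same IP address first with a DNS name and then with a previously unseen MAC address yields two profiles, with the IP address attached only to the newer one, which is the replacement behaviour the slide describes; a CSV import afterwards updates whichever profile currently owns the IP address and silently drops rows whose weight is outside 1-10.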


Lesson 2 Investigating asset profile details


Information regarding a system in your network is often beneficial to an offense investigation. In this
lesson, you learn how to browse details of an asset profile.

References:
• Forum of Incident Response and Security Teams (FIRST): Common Vulnerability Scoring
System SIG https://www.first.org/cvss/
• PCI Security Standards Council https://www.pcisecuritystandards.org
• Technote: Vulnerability results and how they display in QRadar SIEM
http://www.ibm.com/support/docview.wss?uid=swg21665232


Navigating from an IP address to an asset profile


To investigate the asset profile of an IP address of an offense, perform the following steps:
1. Right-click the IP address
2. Click Information > Asset Profile



Assets tab
You can also click the Assets tab to locate asset profiles

Click the Id or IP address to open the Asset Details in a separate window. Double-click a row to open
the Asset Details in the Assets tab.



Asset summary
The Asset Details open with the Asset Summary.

Aggregate CVSS Score: Level of concern about this asset

All Users: Display previous users of the host

Asset summary

• The Asset Weight measures the importance of the asset. The levels range from 0 (not
important) to 10 (very important). QRadar SIEM administrators configure the Asset Weight
manually.
• The Forum of Incident Response and Security Teams (FIRST) maintains the Common
Vulnerability Scoring System (CVSS). It maintains only the specification, not the scores
themselves. Refer to https://www.first.org/cvss/ for further information about CVSS.


Network Interface Summary

Collapse the Asset Summary to view more asset profile details. An asset profile can have multiple
network interfaces.


Network Interface Summary

• MAC Address:
A MAC address can be provided in two ways to an asset profile:
– It is manually entered by a QRadar SIEM administrator, or
– It is populated by the scan result of a vulnerability scanner.
Flows do not provide MAC addresses.
• History:
Click this button to open the event search.
• Applications:
Click this button to open the flow search.
• Search Connections and View Topology:
These two buttons are only available if QRadar Risk Manager is licensed.


Vulnerabilities
• Verify the vulnerability instances to determine to which degree the investigated offense is a concern
• Vulnerability instances are provided by QRadar Vulnerability Manager or third-party vulnerability
scanners

Risk: Likelihood of exploitation and impact

Details: Hover the mouse to learn more about the vulnerability instance

Risk Score: Level of concern about this vulnerability instance

Severity: Payment Card Industry (PCI) severity level


Vulnerabilities

• Following are the Severity levels:
Low, Medium, High, Critical, Urgent
Refer to https://www.pcisecuritystandards.org for further information on PCI severity levels.
• The Risk rating is provided by IBM. Following are the Risk levels:
Warning, Low, Medium, High
• QRadar SIEM stores information about known vulnerabilities and usually downloads updates
every night. Still, a third-party vulnerability scanner can already know about a new vulnerability
and detect it before QRadar SIEM has received this vulnerability information. QRadar SIEM
displays instances of the vulnerability only after it has received the information. It matches its
stored vulnerability information with the scan results from third-party vulnerability scanners by
common vulnerability identifiers, such as CVE, Bugtraq ID, and X-Force ID. So if third-party
vulnerability scanners detect issues without an identifier, such as misconfigurations, QRadar
SIEM cannot display them.
Refer to the Vulnerability results and how they display in QRadar SIEM technote
(http://www.ibm.com/support/docview.wss?uid=swg21665232) for more information.
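The matching rule described in the note above, as an added example that is not QRadar code: scanner findings are matched to a stored vulnerability catalog by their common identifiers (CVE, Bugtraq ID, X-Force ID), a finding becomes a displayable instance only when the catalog already holds one of its identifiers, and findings without any identifier, or with an identifier the catalog has not yet received, are reported separately so an analyst knows what the asset profile is not showing. The catalog entries, identifiers, and findings below are constructed placeholders (not real vulnerabilities), and the per-asset summary uses the maximum risk score as this example's own choice, since the page gives no aggregation formula.

```python
"""Match scan findings to a vulnerability catalog by identifier (added example)."""
from typing import Dict, List, Tuple

ID_KINDS = ("cve", "bid", "xfid")  # identifier types the matcher understands

# Constructed catalog: what the SIEM already received from its nightly update.
CATALOG = [
    {"vuln_id": 1, "cve": "CVE-EXAMPLE-0001", "bid": "EX-1", "xfid": "EX-1001",
     "title": "example SSH server issue", "risk": "High", "risk_score": 8.5},
    {"vuln_id": 2, "cve": "CVE-EXAMPLE-0002", "bid": None, "xfid": "EX-1002",
     "title": "example web server issue", "risk": "Medium", "risk_score": 5.0},
]

# Constructed scanner output: one finding is ahead of the catalog and one
# misconfiguration carries no identifier at all.
FINDINGS = [
    {"asset": "10.0.0.5", "port": 22, "cve": "CVE-EXAMPLE-0001"},
    {"asset": "10.0.0.5", "port": 8080, "xfid": "EX-1002"},                   # X-Force ID only
    {"asset": "10.0.0.5", "port": 8080, "title": "directory listing enabled"},  # no identifier
    {"asset": "10.0.0.9", "port": 443, "cve": "CVE-EXAMPLE-0099"},            # not yet in catalog
]


def index_catalog(catalog: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Build one lookup table keyed by (identifier kind, identifier value)."""
    index: Dict[Tuple[str, str], dict] = {}
    for entry in catalog:
        for kind in ID_KINDS:
            if entry.get(kind):
                index[(kind, entry[kind])] = entry
    return index


def match_findings(findings: List[dict], catalog: List[dict]):
    """Return (displayed, undisplayed).

    displayed:   vulnerability instances with the catalog's risk data attached
    undisplayed: (finding, reason) pairs that would not appear in the asset profile
    """
    index = index_catalog(catalog)
    displayed, undisplayed = [], []
    for finding in findings:
        identifiers = [(kind, finding[kind]) for kind in ID_KINDS if finding.get(kind)]
        hit = next((index[key] for key in identifiers if key in index), None)
        if hit is None:
            reason = "no identifier" if not identifiers else "identifier not yet in catalog"
            undisplayed.append((finding, reason))
            continue
        displayed.append({"asset": finding["asset"], "port": finding.get("port"),
                          "vuln_id": hit["vuln_id"], "title": hit["title"],
                          "risk": hit["risk"], "risk_score": hit["risk_score"]})
    return displayed, undisplayed


def highest_risk_per_asset(displayed: List[dict]) -> Dict[str, dict]:
    """Per asset: number of displayed instances and the highest risk score seen."""
    summary: Dict[str, dict] = {}
    for instance in displayed:
        entry = summary.setdefault(instance["asset"], {"instances": 0, "max_risk_score": 0.0})
        entry["instances"] += 1
        entry["max_risk_score"] = max(entry["max_risk_score"], instance["risk_score"])
    return summary


if __name__ == "__main__":
    shown, hidden = match_findings(FINDINGS, CATALOG)
    for instance in shown:
        print("displayed:", instance)
    for finding, reason in hidden:
        print("not displayed ({}):".format(reason), finding)
```

Run against the constructed data, the SSH finding matches by CVE and the port 8080 finding by X-Force ID alone, while the misconfiguration and the not-yet-received CVE are listed as undisplayed with their reasons; the second list is the one worth keeping when you compare a scanner's report with what the asset profile shows.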


Display additional information

• By default, the asset details display the vulnerability instances of the asset
• Use the Display drop-down menu to select additional information
• If available, QRadar Risk Manager provides Risk Policies information
• All other information is provided by vulnerability scanners
• QRadar SIEM can get information about Services from both vulnerability scanners and flows

Services: Gathered from flows or vulnerability scanners

Risk Policies: Provided by QRadar Risk Manager


Display additional information

The following items of the Display drop-down list only provide information for assets running
Microsoft Windows:
• Windows Services
• Windows Patches
• Properties

The following item of the Display drop-down list only provides information for assets running Linux:
• Packages


Services
In the Display menu, click Services to investigate the known services of the asset

Last Seen Passive: Services detected in passively gathered network flows

Last Seen Active: Services detected actively by vulnerability scanners


Services

• SSH:
Vulnerability scanners only detect services that are running when they scan the asset. In the
example on the slide, SSH was not running during scanning, so it was found only in flows.
Sometimes vulnerability scanners are not configured to scan less commonly used ports. Such
services are also found only in flows.
• Web:
Vulnerability scanners also detect unused services. In the example on the slide, the service
listening on port 8080 did not have any network activity. Best practice is to stop unused services.
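To make the two gaps in the note above concrete, here is an added example (not QRadar code) that merges the services an asset profile learns passively from flows with those a vulnerability scanner reports actively, keeps the most recent Last Seen Passive and Last Seen Active timestamps per port and protocol, and flags the two cases from the slide: a service seen only in flows (not running, or not in scope, when the scanner ran) and a service the scanner found that carried no traffic (unused). The record and function names are this example's own, and the observations are constructed sample data.

```python
"""Merge passively (flows) and actively (scans) observed services (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class ServiceRecord:
    port: int
    protocol: str
    name: str
    last_seen_passive: Optional[datetime] = None  # most recent flow that used the service
    last_seen_active: Optional[datetime] = None   # most recent scan that saw it listening

    @property
    def status(self) -> str:
        if self.last_seen_passive and self.last_seen_active:
            return "confirmed"             # the scanner sees it and it carries traffic
        if self.last_seen_passive:
            return "missed by scanner"     # traffic exists, but no scan reported the port
        return "no network activity"       # listening according to the scanner, unused


# Constructed observations: (timestamp, port, protocol, service name)
FLOW_SERVICES = [
    (datetime(2017, 11, 2, 9, 15), 22, "tcp", "SSH"),
    (datetime(2017, 11, 2, 10, 40), 443, "tcp", "Web"),
    (datetime(2017, 11, 3, 8, 5), 22, "tcp", "SSH"),
]
SCAN_SERVICES = [
    (datetime(2017, 11, 1, 23, 0), 443, "tcp", "Web"),
    (datetime(2017, 11, 1, 23, 0), 8080, "tcp", "Web"),
]


def merge_services(flow_services, scan_services) -> Dict[Tuple[int, str], ServiceRecord]:
    """Combine both sources into one record per (port, protocol), keeping the latest timestamps."""
    merged: Dict[Tuple[int, str], ServiceRecord] = {}
    for ts, port, proto, name in flow_services:
        rec = merged.setdefault((port, proto), ServiceRecord(port, proto, name))
        if rec.last_seen_passive is None or ts > rec.last_seen_passive:
            rec.last_seen_passive = ts
    for ts, port, proto, name in scan_services:
        rec = merged.setdefault((port, proto), ServiceRecord(port, proto, name))
        if rec.last_seen_active is None or ts > rec.last_seen_active:
            rec.last_seen_active = ts
    return merged


def review_findings(merged: Dict[Tuple[int, str], ServiceRecord]) -> List[str]:
    """One line per service that deserves an analyst's or administrator's attention."""
    notes = []
    for (port, proto), rec in sorted(merged.items()):
        if rec.status == "missed by scanner":
            notes.append(f"{proto}/{port} {rec.name}: seen in flows only; check scan scope and schedule")
        elif rec.status == "no network activity":
            notes.append(f"{proto}/{port} {rec.name}: listening but unused; candidate to stop")
    return notes


if __name__ == "__main__":
    for line in review_findings(merge_services(FLOW_SERVICES, SCAN_SERVICES)):
        print(line)
```

With the constructed data, SSH on port 22 shows up as missed by the scanner, Web on 443 is confirmed by both sources, and Web on 8080 is listening without any traffic, which mirrors the slide's two callouts.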


Products
QRadar SIEM displays only these items:
• Operating systems
• Products providing a service

To learn why a product is vulnerable, hover the mouse over Multiple


Lesson 3 Navigating the Assets tab


Searching, filtering, and sorting of asset profiles can make it easier to focus an investigation on the
most relevant asset profiles. In this lesson, you learn how to leverage the features of the Assets
tab.

References:
• QRadar SIEM Administration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Vulnerability Assessment Configuration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537


Locating asset profiles


You can search, filter, and sort asset profiles in a similar way as on other tabs


Locating asset profiles

If a system has two IP addresses on two different networks and a QRadar SIEM user is granted
permission to view only one of the networks, the user does not see the system's asset profile at all.


Filtering asset profiles

You can use most asset profile properties as a filter



Searching asset profiles

QRadar SIEM provides predefined searches and search options in a similar way as on other tabs



Server Discovery and VA Scan

• Security analysts use the Assets tab to investigate asset profiles
• QRadar SIEM administrators can use asset profiles to approve services and run vulnerability
assessment (VA) scans

QRadar SIEM administrators can approve IP addresses for one or more server types, such as web, mail,
and Windows. Services of such server types listen on standard ports, such as 80 and 443 for web.

To help QRadar SIEM administrators find IP addresses matching a server type, the Server Discovery
lists asset profiles with one of the server type's standard ports open.

The Server Discovery does not probe the IP address for open ports. It also does not look for open ports
in events, flows, and scan results. The Server Discovery only looks in asset profiles for open ports.

QRadar SIEM administrators can schedule the import of results from vulnerability assessment (VA)
scans of systems on the network. QRadar SIEM ingests scan results from vulnerability scanners other
than QRadar Vulnerability Manager. These results create and update asset profiles.


Server Discovery and VA Scan

• Depending on your permissions, you might not see all three options.
• Refer to the QRadar Administration Guide
(http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about
Server Discovery.
• Refer to the QRadar Vulnerability Assessment Configuration Guide
(http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about
Vulnerability Assessment Scanning.


Summary
Now you should be able to perform the following tasks:
• Describe how asset profiles are identified, created, and updated
• Investigate asset profile details
• Navigate the Assets tab

Unit 7 Investigating an Offense Triggered by Flows

QRadar SIEM correlates flows into an offense if it detects suspicious network activity. This
unit teaches you how to investigate the flows that contribute to an offense. You also learn how to
create and tune false positives and how to investigate superflows.

References:
• QRadar SIEM Administration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Default Applications Configuration Guide
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/kc_gen/toc-gen25.html


Objectives
In this unit, you learn to perform the following tasks:
• Describe flows
• Investigate the summary of an offense that is triggered by flows
• Investigate flow details
• Tune false positives
• Investigate superflows

Investigating an Offense Triggered by Flows © Copyright IBM Corporation 2017


Lesson 1 Flows overview


A flow provides information about a network activity between two or more systems. In this lesson,
you learn from which data QRadar SIEM creates flows and which information they provide.


Definition flow

Flow
--noun
A flow is a record of the communication
between network sockets.

IP address, port, and transport protocol uniquely identify a network socket.




About flows
• From the network activity information that QRadar SIEM receives, it creates flows
• Like a phone bill, QRadar SIEM records in flows who talked to whom, at which time, but not the
content of the conversation
ƒ From unencrypted communications, QFlow can capture layer 7 payload up to a configurable number of bytes
• A flow can include information about the conversation, such as these examples
ƒ Start Time
ƒ End Time
ƒ Source and destination IP addresses
ƒ Source and destination ports
ƒ Number of bytes transferred
ƒ Number of packets transferred
ƒ Network protocol
ƒ Application protocol
ƒ TCP flags


About flows

• While an event occurs at a single point of time, a flow has a start and end time. Most flows have
only a short duration, but flows representing the transfer of a huge file or streaming of a movie
can last for hours.
• Flows update asset profiles of servers with the ports and services that are running on them.


Creating flows from network activity information

• External sources: Network devices
ƒ Flow collectors create flows from IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files received from
network devices
ƒ Network devices provide only a subset of the control information in network packet headers and no payload
ƒ To determine the application protocol, flow collectors look up which application protocol commonly uses the
recorded network protocol and destination port
• Internal sources: QFlow and QRadar Network Insights (QNI)
ƒ Flow collectors create flows from network activity monitored by QFlow and QNI, similar to a network sniffer
ƒ Both provide the first bytes of packets to QRadar SIEM in order to detect the application protocol without
regard to the network protocol and destination port being used
ƒ Both extract the same control information that is available in network activity information from external sources
ƒ QFlow can capture layer 7 payload up to a configurable number of bytes unless it is encrypted
í QFlow can extract user-defined Custom Flow Properties from the part of the payload that it captured
í QFlow stores the part of the payload that it captured
ƒ QNI analyzes the complete layer 7 payload unless it is encrypted
í QNI can extract predefined properties, such as DNS queries, HTTP headers, and MD5 checksums of transferred files
í QNI does not store payload other than the extracted properties


Creating flows from network activity information

For flows created from IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files, QRadar SIEM
cannot detect the Skype application protocol because Skype uses many ports. QFlow and QNI
detect Skype because they analyze the first bytes of packets. QFlow and QNI perform the same
application protocol detection.

The QFlow application detection is unrelated to its ability to capture and store a configurable
number of bytes from each packet. Therefore, the QFlow application detection still works if a
QRadar administrator configures QFlow to capture and store 0 bytes from packets. However,
Custom Flow Properties are no longer extracted if payload capture is disabled.


Network Activity tab

• Click the Network Activity tab to perform these tasks
ƒ Investigate flows
ƒ Perform detailed searches
ƒ View network activity

To navigate to the offense a flow contributes to, click this icon


Network Activity tab

• In addition to the Dashboard and Offenses tabs, you can navigate to offenses from the Network
Activity and Log Activity tabs.
• If rules added a flow or event to more than one offense, clicking its red icon does have an effect.
• About the Source and Destination Bytes columns:
– The (C) behind the number of bytes indicates that the flow contains captured layer 7
payload.
– The number of captured bytes is not displayed. By default, QRadar SIEM captures 64 bytes
in each direction.
– The number of bytes in the Source Bytes and Destination Bytes columns indicates how
many bytes the source and destination sent.


Network specific properties


• Flows on the Network Activity tab are shown in a similar way as events are on the Log Activity tab
• The Network Activity tab displays properties specific to network communication


Network specific properties

Protocol:
Only flows, but not events, have the properties shown in the screen capture, with the exception of
Protocol. However, only events from firewalls and other network systems usually carry protocol
information.


Grouping flows
Some flow grouping options differ from event grouping options

Display: Group by Application for an overview of the application data transported in the flows


Grouping flows

• Display > Default (Normalized):
To remove a grouping, select Default (Normalized).
• Display > Application:
QRadar SIEM detects the kind of application data transported in flows.
• Display > Geographic:
To summarize flows by the geographic country/region of their destination IP addresses, group
by Geographic.
• Display > Flow Bias:
To summarize flows by the ratio between bytes leaving from and arriving at your organization's
perimeter, group by Flow Bias.
• QRadar SIEM works in 1-minute cycles. With QFlow and QNI, QRadar SIEM can update flows
that it created in previous cycles. For network activity that spans more than one cycle and is
received in IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files, QRadar SIEM creates a
new flow during each 1-minute cycle. To display such flows together, group by Source IP,
Source Port, Destination IP, Destination Port, and Protocol, and enable capturing of time series
data.
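As an added example (not QRadar code) that ties the flow definition from Lesson 1 to the grouping notes above, the following builder turns packet observations into flow records: a flow is keyed by the two network sockets (IP address and port) plus the transport protocol, the first packet seen decides which side is the source, and each record carries start and end time, bytes and packets per direction, and the TCP flags seen. Flows are cut into 1-minute cycles the way the note describes for flows from external sources, and a flow bias is derived from the ratio of bytes leaving versus entering the local network. The class and function names, the bias labels and thresholds, the packets, and the local network are this example's own constructed assumptions, not QRadar's definitions.

```python
"""Build flow records from packets, in 1-minute cycles, with flow bias (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Socket = Tuple[str, int]  # (IP address, port): with the protocol, identifies one end of a flow


@dataclass
class Packet:
    ts: float        # seconds since some epoch (constructed)
    src: Socket
    dst: Socket
    proto: str
    size: int        # bytes on the wire
    flags: str = ""  # TCP flag letters seen in this packet, e.g. "S", "A"


@dataclass
class Flow:
    src: Socket      # side that sent the first packet of the flow
    dst: Socket
    proto: str
    first_time: float
    last_time: float
    src_bytes: int = 0
    dst_bytes: int = 0
    src_packets: int = 0
    dst_packets: int = 0
    flags: Set[str] = field(default_factory=set)


# Constructed sample traffic: one TLS session spanning two 1-minute cycles, one DNS query.
SAMPLE_PACKETS = [
    Packet(10.0, ("10.0.0.5", 51000), ("203.0.113.10", 443), "tcp", 500, "S"),
    Packet(10.5, ("203.0.113.10", 443), ("10.0.0.5", 51000), "tcp", 1500, "SA"),
    Packet(30.0, ("10.0.0.5", 51000), ("203.0.113.10", 443), "tcp", 200, "A"),
    Packet(70.0, ("203.0.113.10", 443), ("10.0.0.5", 51000), "tcp", 9000, "A"),
    Packet(12.0, ("10.0.0.5", 53000), ("10.0.0.53", 53), "udp", 60),
]
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed local address space


def build_flows(packets: List[Packet], cycle_seconds: int = 60,
                split_into_cycles: bool = True) -> List[Flow]:
    """Aggregate packets into bidirectional flows keyed by socket pair and protocol.

    With split_into_cycles=True a conversation that spans several cycles yields
    one flow per cycle (the behaviour the note describes for external sources).
    """
    flows: Dict[tuple, Flow] = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        pair = frozenset((pkt.src, pkt.dst))           # direction-independent socket pair
        cycle = int(pkt.ts // cycle_seconds) if split_into_cycles else 0
        key = (pair, pkt.proto, cycle)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(pkt.src, pkt.dst, pkt.proto, pkt.ts, pkt.ts)
        if pkt.src == flow.src:
            flow.src_bytes += pkt.size
            flow.src_packets += 1
        else:
            flow.dst_bytes += pkt.size
            flow.dst_packets += 1
        flow.last_time = max(flow.last_time, pkt.ts)
        flow.flags.update(pkt.flags)
    return list(flows.values())


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def flow_bias(flow: Flow) -> str:
    """Classify the flow by the share of bytes leaving the local network.

    Labels and thresholds are this example's own, not QRadar's definitions.
    """
    src_local, dst_local = is_local(flow.src[0]), is_local(flow.dst[0])
    if src_local == dst_local:
        return "Other"  # both ends local or both remote: nothing crosses the perimeter
    out_bytes = flow.src_bytes if src_local else flow.dst_bytes
    in_bytes = flow.dst_bytes if src_local else flow.src_bytes
    if out_bytes == 0:
        return "In Only"
    if in_bytes == 0:
        return "Out Only"
    ratio = out_bytes / (in_bytes + out_bytes)
    if ratio >= 0.7:
        return "Mostly Out"
    if ratio <= 0.3:
        return "Mostly In"
    return "Near Same"
```

With the constructed packets, cycle splitting produces three flows (the TLS session appears once per cycle, and the second-cycle fragment has the remote side as its source because its first packet came from there), while disabling the split merges the session into one flow from second 10 to second 70 whose bias is "Mostly In"; the local-to-local DNS flow gets no perimeter bias at all.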

Lesson 2 Using summary information to investigate an offense


An offense bundles information about a suspicious activity, including flows. In this lesson, you learn
how to use offense summary information related to flows to begin your offense investigation.

References:
• QRadar SIEM Administration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Default Applications Configuration Guide
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/kc_gen/toc-gen25.html


Offense parameters
The parameters at the top of the offense summary provide the first clues to investigate the offense

Description: From suspicious DNS traffic, QRadar SIEM concluded botnet activity; rules compile the
description

Flows added to this offense


Offense parameters

Description:
Misc.domain refers to domain name resolution traffic.

Refer to the QRadar SIEM Default Applications Configuration Guide
(https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/kc_gen/toc-gen25.html) for
further information.


Top 5 Source and Destination IPs


• Source and destination IP addresses provide information about the origin of the offense and its local
targets
• Remote source IP addresses are displayed, but remote destination IP addresses are not


Top 5 Source and Destination IPs

Right-click anywhere in the row to view more information about the source IP address.


Top 5 Log Sources

Events:
The Custom Rule Engine (CRE) of QRadar
SIEM created all events of this offense


In the example on the slide, no events created from log messages contribute to the offense. Only
events created by the Custom Rules Engine (CRE) contribute to the offense.


Top 5 Categories
QRadar SIEM classified the events and the flows into categories


Each flow and event is classified into one category.

Refer to the QRadar Administration Guide
(http://www.ibm.com/support/docview.wss?uid=swg27049537) for a list of high-level categories
(HLC) and low-level categories (LLC).


Last 10 Events
The Custom Rule Engine (CRE) created events with information about suspicious activities



Last 10 Flows
• This table provides information about what happened most recently
• Double-click a row to open a window with details about the flow


Lesson 3 Navigating flow details


A flow in QRadar SIEM provides much information about the network activity it represents. In this
lesson, you learn how to navigate the details of a flow.


Base information
Flow base information is similar to event base information

QRadar SIEM extracted only the HTTP version; you have two options to extract more properties:
• For QFlow, QRadar SIEM administrators can increase the content capture length to capture more
payload so that QRadar SIEM can extract more properties
• Use QRadar Network Insights instead of QFlow

• In the example on the slide, the Event Description, Application detected with state based
decoding, means that QFlow or QRadar Network Insights provided the first bytes of network
packets to QRadar SIEM's state-based decoder so that it was able to detect the application
protocol of this flow. QRadar SIEM applies the following methods, ordered by priority, to
determine which kind of application data a network connection transports:
a. user defined application mapping
b. state-based decoder
c. signature matching
d. matching protocol and destination port against defaults
For flows created from IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files, QRadar
SIEM can only perform the last method. These accounting technologies do not provide the first
bytes of network packets, and therefore QRadar SIEM can only use the port number to take a
guess about the application protocol.
• QRadar SIEM administrators can create Custom Flow Properties. Their field names in the
example on the slide end with (Custom). Only QFlow and QNI can extract Custom Flow
Properties from network activity. QFlow extracts properties only from the limited number of
payload bytes that it captures and therefore might miss information. QNI examines the
complete payload.
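As an added example (not QRadar code), the following Python models the four detection methods in the priority order listed above and shows why a flow from a payload-less source such as NetFlow falls back to the port table even on a non-standard port. The application names, the port table, the signatures and the flows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical user-defined application mapping, keyed by (destination IP, port).
USER_MAPPINGS = {("10.0.0.5", 8443): "Web.SecureWeb.Intranet"}

# Constructed default protocol/port table (QRadar ships its own, larger one).
DEFAULT_PORTS = {
    ("tcp", 80): "Web.Misc",
    ("tcp", 443): "Web.SecureWeb",
    ("udp", 53): "Misc.domain",
    ("tcp", 22): "RemoteAccess.SSH",
}

# Constructed byte signatures for the signature-matching step.
SIGNATURES = [
    (b"SSH-2.0", "RemoteAccess.SSH"),
    (b"\x16\x03\x01", "Web.SecureWeb"),  # TLS handshake record header
]

# Flow sources that hand the first payload bytes to QRadar SIEM.
PAYLOAD_SOURCES = {"qflow", "qni"}


@dataclass
class Flow:
    source: str           # "qflow", "qni", "netflow", "sflow", ...
    proto: str            # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    payload: bytes = b""  # first bytes of the client payload, if captured


def state_based_decode(payload: bytes) -> Optional[str]:
    """Toy state-based decoder: recognises an HTTP request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if (len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD", b"PUT")
            and parts[2].startswith(b"HTTP/")):
        return "Web.Misc"
    return None


def signature_match(payload: bytes) -> Optional[str]:
    """Signature matching: compare the payload start against known prefixes."""
    for prefix, app in SIGNATURES:
        if payload.startswith(prefix):
            return app
    return None


def detect_application(flow: Flow) -> Tuple[str, str]:
    """Return (application, method used) following the priority order."""
    user_defined = USER_MAPPINGS.get((flow.dst_ip, flow.dst_port))
    if user_defined:
        return user_defined, "user defined application mapping"
    if flow.source in PAYLOAD_SOURCES and flow.payload:
        app = state_based_decode(flow.payload)
        if app:
            return app, "state-based decoder"
        app = signature_match(flow.payload)
        if app:
            return app, "signature matching"
    # NetFlow, sFlow, J-Flow and similar sources carry no payload bytes, so
    # only the protocol and destination port are available for a guess.
    app = DEFAULT_PORTS.get((flow.proto, flow.dst_port), "Other")
    return app, "matching protocol and destination port against defaults"
```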


Source and destination information


QRadar SIEM provides network connection details about the flow



Layer 7 payload
This example shows the layer 7 payloads for an HTTP GET request and response; both show only the
first 64 bytes of payload by default

Note: QRadar SIEM administrators can increase the content capture length to provide more layer 7
payload


A layer 7 content capture length greater than 1024 bytes negatively impacts QRadar SIEM's
performance.


Additional information

Custom Rules:
Rules fired for this flow

Custom Rules Partially Matched:
At least one test condition of a rule was met and an occurrence counter was incremented, but the
rule did not fire

Annotations:
Added by rules


The Flow Direction field can include the following values:

L2L: Traffic from a local network to a local network

L2R: Traffic from a local network to a remote network

R2L: Traffic from a remote network to a local network

R2R: Traffic from a remote network to a remote network

QRadar SIEM considers all networks local that are configured in the Network Hierarchy. You find
the Network Hierarchy on the Admin tab. The Network Hierarchy is introduced later in this course.

Lesson 4 False positives overview


Each organization has legitimate network activity that can trigger false positive flows and events.
This traffic creates noise that makes it difficult to identify true security incidents. In this lesson, you
learn how to tune a flow or event as a false positive.


Preventing false positives

• If an event or flow is legitimate, you can order the CRE to ignore similar events and flows in the
future
• In the top menu bar, click the False Positive icon

The QID uniquely identifies the kind of application data that the flow transports

This option is rarely useful because it eliminates every occurrence of the above selection every time


The example on the slide removes any event and flow that includes the specified QID and targets
the 93.158.65.201 IP address without regard for the origin.

For events, the QID uniquely identifies a specific action of a device. For example, firewall denies
issued from different firewall models have different QIDs. For flows, the QID uniquely identifies
which kind of application data is transported by the flow.

To edit a false positive, edit the User-BB-FalsePositive: User Defined False Positives Tunings
building block. To locate this building block, navigate to Rules on the Offenses tab. Rules and
building blocks are introduced later in this course.


False positive flow or event

• QRadar SIEM ignores flows and events that you tagged as false positives for offenses, but searches
and reports still include them
• To prevent unwanted offenses, QRadar SIEM administrators must perform these tasks
– Keep the Network Hierarchy up-to-date
– Keep building blocks that identify approved services up-to-date
– Disable rules that create numerous pointless offenses
The next modules of this course provide an introduction to these topics; QRadar SIEM administrators
perform these tasks


Many rules test whether the destination IP address and port of an event or flow is an approved
service of your organization. The port numbers used for services in your organization are stored in
building blocks with names beginning with BB:PortDefinition. The IP addresses of approved
services are stored in building blocks with names beginning with BB:HostDefinition. QRadar SIEM
administrators need to update these building blocks manually or run the Server Discovery on the
Assets tab.

By default, QRadar SIEM has many rules disabled. In a production environment, it may be
necessary to enable some rules. In most deployments, a professional services consultant performs
initial tuning for a new QRadar SIEM deployment.

Lesson 5 Investigating superflows


A superflow is an aggregate of similar network activity that otherwise would result in a large number
of separate flows. In this lesson, you learn about the three different types of superflows.


About superflows
Flow processors aggregate network activity with common characteristics into superflows that indicate
common attack types
• Type A: Network sweep
one source IP address > many destination IP addresses
• Type B: Distributed denial of service (DDOS) attack
many source IP addresses > one destination IP address
• Type C: Portscan
one source IP address > many ports on one destination IP address


Benefits of superflows include:
• Only a single flow stored to disk
• Reduced bandwidth usage from flow processor appliances to the console appliance


Superflow source and destination information

• Navigate to the flow details to further investigate a superflow
• This example shows a Type B Superflow that indicates a DDOS

Source IP addresses and ports from where the DDOS originates

Target of the DDOS



Superflow additional information

Tagged by DoS building block



Exercise introduction
Complete the following exercises in the Course Exercises book
• Investigating an offense that is triggered by flows



Summary
Now you should be able to perform the following tasks:
• Describe flows
• Investigate the summary of an offense that is triggered by flows
• Investigate flow details
• Tune false positives
• Investigate superflows


Unit 8 Using Rules


Rules and building blocks test and correlate incoming events, flows, and offenses in QRadar SIEM
for indicators of an attack or policy violation. Building blocks are used as variables in other rules or
reports. Unlike building blocks, rules can perform an action or response if they evaluate to true. This
unit teaches you the significance of rules and building blocks, and how to locate and understand
their tests, actions and responses.

References:
• QRadar Administration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar: An Example of How an Anomaly Rule Triggers Over Time technote
http://www.ibm.com/support/docview.wss?uid=swg21903306


Objectives
In this unit, you learn to perform the following tasks:
• Navigate rules and rule groups
• Locate the rules that fired for an event or flow, and triggered an offense
• Investigate which test conditions caused a rule to fire
• Investigate building blocks and function tests
• Examine rule actions and responses
• Use rules in searches
• Examine for which indicators anomaly detection rules can fire


Lesson 1 Rules overview


QRadar SIEM uses rules and building blocks to monitor for attacks and policy violations. This
lesson introduces you to custom rules and building blocks, and you learn how to locate them in
general and find specific rules and building blocks that fired for an event, flow, and offense.


Definition rule

Rule (noun)
A rule tests for an indicator, that is, a sign of an attack or policy violation.



Testing for indicators

• The tests of rules correlate information to monitor for the following kinds of indicators
– Indicator of Compromise, for example
- Reconnaissance from local hosts
- Beaconing
– Indicator of Concern, for example
- Reconnaissance from remote hosts
- DDOS attack ramping up
• This module follows the common practice of using the following terms instead of saying that the rule
evaluates to true
– a rule fires
– a rule matches
– a rule tags an event or flow
– a rule contributes to an offense



Finding the rules that fired for an event or flow

QRadar SIEM shows the rules that fired for an event or flow on its details page

To navigate to the rule details, double-click the row



Finding the rules that triggered an offense

Select Display > Rules in the menu of the Offense Summary to navigate to the rules that triggered the
offense

To navigate to the rule details, double-click the row


• QRadar SIEM displays only the rules that added an event or flow to the offense. The event and
flow details display all rules that fired for their event or flow regardless of whether they added it
to an offense or not.
• To view and manage custom rules, the user must have the View Custom Rules or Maintain
Custom Rules role permissions.


Navigating to rules
Select Rules in the Actions menu on the Log Activity tab or Network Activity tab


The Rules List opens in a separate window.


Navigating to rules (continued)


Select Rules on the Offenses tab to navigate to rules


• Rules are organized in groups.
• You can click the column headers to sort rules.


Navigating to rules (continued)


Click the Groups button to open the Groups window


Lesson 2 Using rule definitions during an investigation

Rules and building blocks define what QRadar SIEM considers an attack or policy violation. As part
of an offense investigation, you might need to find out in detail why QRadar SIEM created an offense.
In this lesson, you learn how to understand what a rule or building block tests for.

Reference:
• QRadar Administration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537


Rule Wizard demonstration



Rule Wizard
Double-click a rule to open the Rule Test Stack Editor in the Rule Wizard

Learn from the rule's tests what it detects; refer to the next slide for more information

To navigate to the rule's actions and responses, click Next

Learn about the rule's purpose


If you have the Maintain Custom Rules permission, QRadar SIEM opens the Rule Test Stack Editor
to edit the rule as shown on the slide. If you have the View Custom Rules permission, but not the
Maintain Custom Rules permission, QRadar SIEM displays the rule summary read only.

Refer to the QRadar Administration Guide
(http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about
developing rules.


Rule tests
To find out in detail why a rule fired, investigate what it tests

Logical operators

Test conditions

Simple tests with one test condition each

• The Custom Rules Engine (CRE) executes the tests
• When a CRE receives a flow, the CRE evaluates the example rule in the following steps
1. Test whether the context of the flow is Local to Local
2. If true, stop evaluating this rule for the flow
3. If false, move to the next test
4. Test whether the flow duration is greater than 48 hours
5. If true, the rule fires
6. If false, the rule does not fire

• CRE instances run on the Console appliance and on each event and flow processor appliance.
• All CRE instances in a QRadar SIEM deployment share the same rules.
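The following Python is an added example, not QRadar code: it derives the Flow Direction values (L2L, L2R, R2L, R2R) from a constructed Network Hierarchy and evaluates the slide's example rule as a short-circuiting test stack, so that the six steps above can be traced for sample flows. The networks, flows and field names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Network Hierarchy: every network listed here is "local";
# any other address is "remote".
NETWORK_HIERARCHY = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in NETWORK_HIERARCHY)


def flow_direction(src_ip: str, dst_ip: str) -> str:
    """Return L2L, L2R, R2L or R2R, as shown in the Flow Direction field."""
    return ("L" if is_local(src_ip) else "R") + "2" + ("L" if is_local(dst_ip) else "R")


# A rule test stack: each entry is (negated, test). Tests are ANDed and
# evaluated top-down, so evaluation stops at the first test that fails.
Test = Callable[[Dict], bool]
TestStack = List[Tuple[bool, Test]]


def evaluate_stack(stack: TestStack, flow: Dict) -> Tuple[bool, Optional[int]]:
    """Return (fired, index of the test that stopped evaluation, or None)."""
    for index, (negated, test) in enumerate(stack):
        result = test(flow)
        if negated:
            result = not result
        if not result:
            return False, index      # "stop evaluating this rule for the flow"
    return True, None                # every test passed: the rule fires


# The example rule from the slide:
#   NOT when the flow context is Local to Local   (steps 1-3)
#   AND when the flow duration is greater than 48 hours   (steps 4-6)
EXAMPLE_RULE: TestStack = [
    (True, lambda f: flow_direction(f["src_ip"], f["dst_ip"]) == "L2L"),
    (False, lambda f: f["duration_s"] > 48 * 3600),
]


def constructed_flows() -> List[Dict]:
    """Three constructed flows: local-to-local, a long external one, a short one."""
    return [
        {"src_ip": "10.1.1.1", "dst_ip": "10.2.2.2", "duration_s": 60 * 3600},
        {"src_ip": "10.1.1.1", "dst_ip": "93.158.65.201", "duration_s": 49 * 3600},
        {"src_ip": "203.0.113.5", "dst_ip": "192.168.10.10", "duration_s": 47 * 3600},
    ]


if __name__ == "__main__":
    for flow in constructed_flows():
        direction = flow_direction(flow["src_ip"], flow["dst_ip"])
        print(direction, evaluate_stack(EXAMPLE_RULE, flow))
```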


Custom rules
• The tests of more complex rules correlate events and flows that by themselves record only one
unsuspicious activity in your IT environment
• Many policy violations can be detected without correlation by only a single event or flow, such as
unencrypted telnet traffic
Also, an event from an IDS, IPS, or other security service can notify about an attack without further
correlation
• If a rule fires for an event or flow, the CRE performs the actions and responses configured for the rule,
such as these examples
– Adding the event or flow to an offense
- If the appropriate offense does not yet exist, it is created
– Creating a new event
– Adding an annotation
– Sending an email
– Generating system notifications
Rule actions and responses are introduced later in this module



Building blocks
• Building blocks are the same as custom rules, but they do not have actions or responses
• Select Display > Building Blocks to display them



Building blocks and function tests


Custom rules and building blocks can use other custom rules and building blocks in function tests for
the following purposes
• Combine custom rules and building blocks in complex tests
• Reuse existing test logic and information
• Improve efficiency because the CRE executes a custom rule or building block only one time per event
or flow regardless of how many custom rules and building blocks use it



Function tests
• For function tests, the CRE keeps track of matches to test conditions
• Most function tests use more than one test condition
• Function tests primarily serve the following two purposes
– Monitoring frequency: Count whether conditions become true as many times as a triggering value
within a time frame
- In the example, the function test is evaluated, and can increment its counters, only if the first test
evaluates to true
- If the first test evaluates to false, the function test is not evaluated and cannot increment its counters
– Monitoring order: Monitor whether conditions become true in a certain sequence and time frame


• Under the Functions - Simple section, the Rule Test Stack Editor provides the following function
test: when an event matches any of the following rules. This is the only function test that does
not require the CRE to keep track of an occurrence.
• Stateless tests operate only on the current event or flow.
• Stateful tests operate on the current event or flow, and information from previous events and
flows.


Partial match
• For function tests, the CRE maintains counters to track how many events or flows meet a
condition in a time frame
• If an event or flow meets such a condition and a counter is incremented, but the custom rule
does not fire, the event or flow records the custom rule under Custom Rules Partially Matched
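An added example (not QRadar code) covering both the function tests described above and the partial match: a stateful rule for 5 login failures with the same user name, in which the simple test gates the counter, matches outside the time frame expire, and an incremented counter without a firing rule is reported as a partial match. The events, the field names and the 10-minute window are constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List

NOT_MATCHED = "not matched"
PARTIAL = "partially matched"
FIRED = "fired"


class FailedLoginRule:
    """Fire when the same user name has at least `threshold` login failures
    within `window_s` seconds (constructed model of a frequency function test)."""

    def __init__(self, threshold: int = 5, window_s: int = 600) -> None:
        self.threshold = threshold
        self.window_s = window_s
        # Stateful part: per user name, timestamps of failures still in the window.
        self.counters: Dict[str, Deque[int]] = defaultdict(deque)

    def evaluate(self, event: Dict) -> str:
        # Simple (stateless) test first. If it is false, the function test is
        # not evaluated and no counter changes.
        if event["category"] != "login_failure":
            return NOT_MATCHED
        # Function (stateful) test: count matches per user name in the window.
        timestamps = self.counters[event["username"]]
        timestamps.append(event["time"])
        while event["time"] - timestamps[0] > self.window_s:
            timestamps.popleft()          # expire matches outside the window
        if len(timestamps) >= self.threshold:
            return FIRED
        # Counter incremented but the rule did not fire: the event would list
        # this rule under "Custom Rules Partially Matched".
        return PARTIAL


# Constructed events (time in seconds); "category" stands in for the QID.
SAMPLE_EVENTS: List[Dict] = [
    {"time": 0, "username": "alice", "category": "login_failure"},
    {"time": 10, "username": "bob", "category": "login_failure"},
    {"time": 60, "username": "alice", "category": "login_failure"},
    {"time": 120, "username": "alice", "category": "login_failure"},
    {"time": 180, "username": "alice", "category": "login_failure"},
    {"time": 200, "username": "alice", "category": "login_success"},
    {"time": 240, "username": "alice", "category": "login_failure"},
    {"time": 700, "username": "bob", "category": "login_failure"},
]


def run_login_sample() -> List[str]:
    """Feed the constructed events through one rule instance, in order."""
    rule = FailedLoginRule()
    return [rule.evaluate(event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, run_login_sample()):
        print(f"t={event['time']:>4} {event['username']:<6} "
              f"{event['category']:<14} -> {outcome}")
```

Bob's second failure at t=700 is only a partial match because his first one at t=10 has already left the 600-second window.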



Custom rule and building block types

• Each custom rule and building block falls into one of the following four rule types
– Event
- Test only incoming events
- Example test: when the user name matches the following regex
– Flow
- Test only incoming flows
- Example test: when the destination TCP flags are exactly these flags
– Common
- Test only incoming events and flows
- Example test: when the source is located in this geographic location
– Offense
- Test only offenses
- Example test: when the number of categories involved in the offense is greater than


The type of a custom rule or building block chosen during its creation cannot be changed
afterwards.

Lesson 3 Custom rule actions and responses


Like the if-then statement in programming languages, a custom rule executes actions and
responses if it evaluates to true. In this lesson, you learn about some of the available rule actions
and responses.


Rule actions
When a rule fires, QRadar SIEM executes its actions

The CRE requests the Magistrate to add the tested event or flow to the offense

If an offense with the chosen Source IP Index and the IP address value that is the same as the source
IP address of the tested flow does not yet exist, the Magistrate creates such an offense

A rule can change the magnitude of the event or flow

The rule specifies the offense type

Refer to the next slide for more information about the Magistrate and offense creation

Dropping an event or flow prevents the CRE from executing any further rules that have not already
been executed. At this point, some of the rules that have already been executed might have fired
and the CRE has already executed or initiated their actions and responses.

Dropping an event or flow does not delete it. The event or flow is still stored and searchable;
therefore, it shows up in search results and reports.


Based on the index, the Magistrate maintains offenses

• The Magistrate component of QRadar SIEM maintains all offenses and determines whether to add an
event or flow to an existing offense or create a new offense
• The Magistrate assumes that rules firing for the same index property and property value relate to the
same security issue; therefore, the Magistrate maintains only one active offense indexed on the same
property and property value at any given time
Example: A rule fires and requests that the Magistrate add the event or flow to an offense indexed on
source IP address 192.168.10.10
– If such an offense already exists, the Magistrate adds the event or flow to it
– If such an offense does not exist, the Magistrate creates an offense indexed on the source IP address
192.168.10.10, and adds the event or flow to it
• A rule should index its offense on the key property in its tests; for example, the Username property is
the appropriate index for a rule that tests for 5 login failures with the same user name
• More than one rule can fire for an event or flow
– For rules firing with the same index property and property value, the Magistrate adds the event or flow to the
same offense; therefore, more than one rule can add events and flows to one single offense
– For each rule firing with different index properties or property values, the Magistrate adds the event or flow to
a separate offense

• To identify an offense uniquely, the Magistrate requires both the property and its value. The value alone is not enough. For example, an offense can be indexed on the source IP address 192.168.10.10, and another offense can be indexed on the same IP address 192.168.10.10, but as the destination IP address. This happens when a compromised machine attacks other targets. QRadar SIEM chains such offenses.
• The difference between the CRE and the Magistrate is as follows:
  – The CRE tests events and flows. It tags each event and flow with each custom rule and building block that fires for it, regardless of the Rule Action and Rule Response.
  – The Magistrate maintains offenses. It adds events and flows to offenses when the Rule Action or Rule Response instructs it to. The Magistrate only runs on the Console.
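The following Python program is an illustration added to these notes; it is not QRadar code. It simulates the indexing behavior described above: the Magistrate keeps one active offense per (index property, property value) key, several rules can add events to that one offense, and the same IP address indexed as a different property yields a separate offense. The rule names, property names, and events are constructed.

```python
# Added illustration (not QRadar code) of how the Magistrate keeps at most one
# active offense per (index property, property value) and lets several rules
# contribute to it. Rule names, property names and events are constructed.
from dataclasses import dataclass, field


@dataclass
class Offense:
    offense_id: int
    index_property: str            # e.g. "sourceip", "destinationip", "username"
    index_value: str
    events: list = field(default_factory=list)
    contributing_rules: set = field(default_factory=set)


class Magistrate:
    """Keeps one active offense per (property, value) key."""

    def __init__(self):
        self._next_id = 1
        self.active = {}           # (index_property, index_value) -> Offense

    def add_to_offense(self, event, rule_name, index_property):
        """Rule response 'add to offense indexed on <index_property>'.

        Adds the event to the existing offense with the same key, or creates
        a new offense if none is active for that key.
        """
        key = (index_property, event[index_property])
        offense = self.active.get(key)
        if offense is None:
            offense = Offense(self._next_id, index_property, event[index_property])
            self._next_id += 1
            self.active[key] = offense
        offense.events.append(event)
        offense.contributing_rules.add(rule_name)
        return offense


def run_scenario():
    """Constructed scenario: 192.168.10.10 scans two hosts, then is itself targeted."""
    m = Magistrate()
    e1 = {"sourceip": "192.168.10.10", "destinationip": "10.0.0.5", "username": "alice"}
    e2 = {"sourceip": "192.168.10.10", "destinationip": "10.0.0.6", "username": "alice"}
    e3 = {"sourceip": "10.0.0.9", "destinationip": "192.168.10.10", "username": "bob"}
    m.add_to_offense(e1, "Recon: Port Scan Detected", "sourceip")
    # Same index property and value -> same offense, second contributing rule.
    m.add_to_offense(e2, "Recon: Host Sweep Detected", "sourceip")
    # Same IP value but a different index property -> a separate (chained) offense.
    m.add_to_offense(e3, "Exploit: Attack on Local Host", "destinationip")
    return m


if __name__ == "__main__":
    for (prop, value), off in run_scenario().active.items():
        print(f"offense {off.offense_id}: indexed on {prop}={value}, "
              f"{len(off.events)} events, rules {sorted(off.contributing_rules)}")
```

Running the scenario yields two offenses: offense 1 indexed on sourceip=192.168.10.10 with two events and two contributing rules, and offense 2 indexed on destinationip=192.168.10.10 with one event.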


Rule response

Slide graphic (callouts):
• The CRE requests the Magistrate to create an offense if an offense with the same property chosen as index and the same property value as the tested flow does not already exist
• The rule requests the CRE to create a new event for these purposes:
  – Name the offense appropriately
  – Simplify searching and reporting on the detected indicator
• The Magistrate adds the new event to the existing or newly created offense

• The Custom Rule Engine (CRE) is the log source of the new event, because the CRE creates
all events that are triggered by custom rules.
• The user interface often refers to the name of an offense as the description.


Rule response (continued)

Slide graphic (callouts):
• Send email to addresses
• Limit how often the CRE executes the configured rule responses

• Each CRE in a QRadar SIEM deployment maintains the counter and time frame separately. Therefore, you can, for example, receive more emails than the configured limit if a rule fires on separate CREs.
• The Response Limiter configuration limits every option under Rule Response, including the frequency of dispatched or forwarded events.
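The following Python program is an illustration added to these notes, not QRadar code. It models a Response Limiter with one counter and time window per CRE instance and shows the effect described above: with a limit of one email per minute, a rule that fires on the Console's CRE and on an Event Processor's CRE within the same minute produces two emails. The CRE instance names, the rule firing times, and the "per source IP" grouping of the limiter are constructed assumptions for this example.

```python
# Added illustration (not QRadar code) of a Response Limiter. Each CRE instance
# keeps its own counter and time window, so the deployment as a whole can send
# more responses than one limiter allows. CRE names, fire times and the
# "per source IP" grouping are constructed assumptions for this example.
class ResponseLimiter:
    """Allow at most `limit` responses per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._state = {}    # key -> (window_start, count)

    def allow(self, key, now):
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:      # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            self._state[key] = (start, count)
            return False
        self._state[key] = (start, count + 1)
        return True


def simulate(fires, limit=1, window=60):
    """fires: list of (time, cre_instance, source_ip). Returns emails sent per CRE.

    One limiter object per CRE instance models the separate counters.
    """
    limiters = {}
    sent = {}
    for t, cre, src in sorted(fires):
        limiter = limiters.setdefault(cre, ResponseLimiter(limit, window))
        if limiter.allow(src, t):
            sent[cre] = sent.get(cre, 0) + 1
    return sent


def run_scenario():
    """Constructed: the same rule fires for 10.1.1.5 three times on the Console's
    CRE and three times on an Event Processor's CRE within one minute, then once
    more on the Console after the window has expired."""
    fires = [(0, "console", "10.1.1.5"), (5, "console", "10.1.1.5"), (20, "console", "10.1.1.5"),
             (2, "ep1", "10.1.1.5"), (9, "ep1", "10.1.1.5"), (30, "ep1", "10.1.1.5"),
             (90, "console", "10.1.1.5")]
    return simulate(fires, limit=1, window=60)


if __name__ == "__main__":
    print(run_scenario())   # two emails in the first minute although the limit is one
```

The result is {"console": 2, "ep1": 1}: within the first 60 seconds both CREs sent one email each, and the Console sent a second one after its window expired at t=90.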


Adding and removing property values to and from reference sets

Slide graphic (callouts):
• A Reference Set is a collection of unique values, such as a watchlist of IP addresses, that can be looked up
• Click to manage reference sets
• Add property value to reference set
• Remove property value from reference set

Lesson 4 Using rules as search parameters


The custom rules engine tags each offense with the rules that added an event or flow to it. The custom rules engine also tags each event and flow with the custom rules and building blocks that fired for it. In this lesson, you learn how to search for tagged offenses, events, and flows.


Searching offenses by contributing rules

Find all offenses to which the selected rule has contributed an event or flow

The drop-down list can contain building blocks and custom rules that are not configured to
contribute an event or flow to an offense. Searching for those does not find any offenses because
this search only finds offenses for which the selected rule contributed an event or flow.


Searching events and flows

Find all events and flows for which the selected rules have fired


Disabled custom rules and unused building blocks

• The CRE evaluates a custom rule only if it is enabled
• The CRE evaluates a building block only if at least one test of an enabled custom rule uses it
• If you search for events or flows for which a disabled custom rule or unused building block has fired, the CRE will not find any
• To make the CRE evaluate a custom rule, enable it
• Add any unused building blocks required by searches used in report templates to the Load Basic Building Blocks custom rule

The following information pertains to the Load Basic Building Blocks rule:
• It does not have any actions or responses.
• It already contains many building blocks because many predefined report templates rely on
saved searches that filter on matching custom rules and building blocks.
• It is of type event. Therefore, you can add building blocks of types event and common, but not
building blocks of type flow.
• The CRE evaluates its building blocks of type common on both events and flows.

Lesson 5 Anomaly detection rules


Anomaly Detection rules alert on deviations from recorded past activities. This lesson introduces you to the differences from custom rules and the purposes of the three types of anomaly detection rules.

References:
1. QRadar: An Example of How an Anomaly Rule Triggers Over Time technote
http://www.ibm.com/support/docview.wss?uid=swg21903306


About anomaly detection rules

• An anomaly detection rule tests the results of a saved event or flow search to detect deviations from usual activity patterns
• The saved search needs to be grouped and needs to have capturing of time series data enabled
• The Anomaly Detection Engine (ADE) executes the anomaly detection rules
• An anomaly detection rule only tags the event that it creates as a rule response but not the event or flow that triggered it; this has two implications
  – It is not possible to search and report on events and flows that triggered an anomaly detection rule
  – In the Rule Wizard, an anomaly detection rule has only a Rule Response but not a Rule Action because the Rule Action only works on the triggering event or flow
• Typically anomaly detection rules monitor over longer timespans than custom rules

Like CRE instances, ADE instances run on the Console appliance and on each event and flow
processor appliance.


Navigating to anomaly detection rules

• QRadar SIEM displays both anomaly detection rules and custom rules on the Offenses tab
• Three types of anomaly detection rules are available

Rule groups can contain custom rules and anomaly detection rules. The predefined rule group with
the name Anomaly is not restricted to anomaly detection rules.


Threshold rules

Test whether a property value surpasses an upper or lower boundary

Slide graphic: chart of the property value over time with a horizontal threshold line; the rule triggers where the value crosses the threshold


Anomaly rules

Test whether the average property value during the current short time range deviates above the configured percentage from the baseline over a longer time range

Slide graphic: chart of the property value over time showing the average over the long period and the average over the short period; the rule triggers where the short-period average rises above the long-period average by more than the configured percentage

Refer to the QRadar: An Example of How an Anomaly Rule Triggers Over Time technote (http://www.ibm.com/support/docview.wss?uid=swg21903306) for more information.


Behavioral rules

• Test whether current property values deviate from seasonal patterns
• A behavior rule learns the rate or volume of a property value over the configured time to establish a baseline

Slide graphic: chart of the property value over four weeks (days labeled M T W T F S S) showing a repeating weekly pattern; the rule triggers where the value departs from the learned pattern
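The following Python program is an illustration added to these notes of the three anomaly detection rule types described on the preceding slides; it is not QRadar's Anomaly Detection Engine. It runs a threshold test, an anomaly test (short-window average compared with a long-window average), and a behavioral test (a learned per-weekday baseline) over a constructed series of daily login counts. The window sizes, the percentage and tolerance values, and the data are constructed for the example; the function names are not QRadar identifiers.

```python
# Added illustration (not QRadar's ADE) of the three anomaly detection rule
# types, run over a constructed series of daily login counts. Window sizes,
# percentages and the data are constructed for this example.
from statistics import mean


def threshold_rule(series, low=None, high=None):
    """Threshold rule: index of every point above `high` or below `low`."""
    return [i for i, v in enumerate(series)
            if (high is not None and v > high) or (low is not None and v < low)]


def anomaly_rule(series, short=3, long=12, percent=50):
    """Anomaly rule: fires when the average over the last `short` points is
    more than `percent` % above the average over the last `long` points."""
    hits = []
    for end in range(long, len(series) + 1):
        long_avg = mean(series[end - long:end])
        short_avg = mean(series[end - short:end])
        if long_avg > 0 and (short_avg - long_avg) / long_avg * 100 > percent:
            hits.append(end - 1)
    return hits


def behavioral_rule(series, season=7, learn_seasons=3, tolerance=0.5):
    """Behavioral rule: learns a per-weekday baseline from the first
    `learn_seasons` weeks, then fires when a point deviates from the baseline
    for its weekday by more than `tolerance` (a fraction of the baseline)."""
    learned = series[:season * learn_seasons]
    baseline = [mean(learned[slot::season]) for slot in range(season)]
    hits = []
    for i in range(season * learn_seasons, len(series)):
        expected = baseline[i % season]
        if expected > 0 and abs(series[i] - expected) / expected > tolerance:
            hits.append(i)
    return hits


def demo_series():
    """Constructed: 4 weeks of daily logins, 100 on weekdays and 10 at weekends,
    with a spike on Wednesday of week 4 (index 23) and unusual Saturday
    activity in week 4 (index 26)."""
    week = [100, 100, 100, 100, 100, 10, 10]          # Mon..Sun
    return week * 3 + [100, 100, 200, 100, 100, 90, 10]


def run_demo():
    s = demo_series()
    return {
        "threshold": threshold_rule(s, high=150),
        "anomaly": anomaly_rule(s, short=3, long=12, percent=50),
        "behavioral": behavioral_rule(s, season=7, learn_seasons=3, tolerance=0.5),
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:10s} fires at indexes {hits}")
```

On this data the threshold rule fires only for the spike (index 23); the anomaly rule fires at indexes 23 and 24 because the three-day average stays elevated for a day after the spike; the behavioral rule fires at 23 and also at 26, the Saturday with 90 logins against a learned weekend baseline of 10, which neither of the other two tests notices.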


Exercise introduction
Complete the following exercises in the Course Exercises book
• Create an event rule
• Analyze the rule that contributed to the Local DNS Scanner offense
• Work with rule parameters
• Delete changes made to a rule
• Search for a rule



Summary
Now you should be able to perform the following tasks:
• Navigate rules and rule groups
• Locate the rules that fired for an event or flow, and triggered an offense
• Investigate which test conditions caused a rule to fire
• Investigate building blocks and function tests
• Examine rule actions and responses
• Use rules in searches
• Examine for which indicators anomaly detection rules can fire


Unit 9 Using the Network Hierarchy


The Network Hierarchy reflects your environment from a security perspective. This unit teaches you
the significance of the Network Hierarchy and the many ways that QRadar SIEM uses and displays
its information.


Objectives
In this unit, you learn to perform the following tasks:
• Locate and explain the structure of the Network Hierarchy
• Use networks in investigations
• Use Flow Bias and Direction in investigations
• Use the Network Hierarchy in rules


Lesson 1 Network Hierarchy overview


The network information that QRadar SIEM displays and uses is configured in the Network Hierarchy. This lesson introduces you to the Network Hierarchy, including its tree structure.


Purpose of the Network Hierarchy

• QRadar SIEM displays and uses network information, such as
  – An IP address in the DMZ
  – Network connections initiated from an IP address belonging to your organization
  – The subnet storing and processing customer data that is the target of more offenses than any other subnet
• QRadar SIEM draws such network information from the Network Hierarchy
• QRadar SIEM considers every IP address that is part of a network configured in the Network Hierarchy as local to your organization's network
• QRadar SIEM considers any other IP address as remote
• Many rules, searches, and reports use the Network Hierarchy


Navigating to the Network Hierarchy

Click the Network Hierarchy icon on the Admin tab to open the Network Hierarchy


Predefined Network Hierarchy

• A newly installed QRadar SIEM comes with some network objects predefined that are used by predefined rules, searches, and reports
• The Network Hierarchy comes preconfigured with the IP address ranges reserved for private use because they cannot be routed through the public internet and therefore can only be local


Crown jewels

• Many organizations specify their crown jewels in the Network Hierarchy and monitor them more granularly for indicators, and run specific searches and reports
• The term crown jewels refers to the hosts that store and process data most critical for an organization's mission
• Crown jewels handle the following kinds of data:
  – Customer
  – Employee
  – Financial
  – Intellectual property


Tree structure

• If an IP address is part of a CIDR range of a network object, QRadar SIEM tags the IP address with this network object and its groups
• If an IP address matches more than one network object, QRadar SIEM tags the IP address with the network object with the smallest IP range

Slide graphic (callouts on the hierarchy tree):
• Parent nodes are called Groups. They cannot have CIDR ranges configured
• Leaf nodes are called Network Objects. They represent one or more CIDR ranges


CIDR ranges

• The CIDR ranges do not need to match the tree structure
• A CIDR of a network object can include a CIDR range of another network object regardless of its location in the hierarchy
• The primary purpose of the hierarchy is to provide a structure for CIDR ranges that rules, searches, and reports can use


About the Network Hierarchy

• The Network Hierarchy structures your network according to security policies, requirements, and concerns
• The Network Hierarchy does not need to reflect your technical network layout
• Usually the names of groups and network objects reflect purpose, department, and location because they determine security requirements
• QRadar SIEM's Asset Profiler creates and updates asset profiles only for IP addresses that are part of any of the CIDR ranges in the Network Hierarchy
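The following Python program is an illustration added to these notes; it is not QRadar code. It applies the tagging rules from the Tree structure and CIDR ranges slides: an address is tagged with the network object whose CIDR range is smallest among all matches, together with the groups above that object; an address that matches no range is remote; and selecting a group expands to the CIDR ranges of all its descendants. The hierarchy is constructed for the example: its first group mirrors the private address ranges that the predefined hierarchy covers, the other groups and the network object names are invented, and a crown-jewel object is nested inside a larger range on purpose to show the smallest-range rule.

```python
# Added illustration (not QRadar code) of how the Network Hierarchy tags an IP
# address: the most specific network object (smallest CIDR range) wins, the
# groups above it come along, and an address that matches nothing is remote.
# The hierarchy below is constructed; its first group mirrors the private
# ranges that the predefined hierarchy covers, the others are invented.
import ipaddress

# (group path..., network object) -> CIDR ranges of that network object
NETWORK_HIERARCHY = {
    ("Net-10-172-192", "Net_10_0_0_0"): ["10.0.0.0/8"],
    ("Net-10-172-192", "Net_172_16_0_0"): ["172.16.0.0/12"],
    ("Net-10-172-192", "Net_192_168_0_0"): ["192.168.0.0/16"],
    ("CrownJewels", "Finance", "PayrollDB"): ["10.20.30.0/24"],   # inside 10.0.0.0/8
    ("DMZ", "WebServers"): ["203.0.113.0/26"],
}


def _objects():
    """Yield (groups, network object name, ip_network) for every CIDR range."""
    for path, cidrs in NETWORK_HIERARCHY.items():
        for cidr in cidrs:
            yield path[:-1], path[-1], ipaddress.ip_network(cidr)


def lookup(ip):
    """Return {'groups', 'network_object', 'cidr'} for a local address, or None
    for a remote one. Among overlapping ranges the smallest one wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for groups, obj, net in _objects():
        if addr in net and (best is None or net.num_addresses < best[2].num_addresses):
            best = (groups, obj, net)
    if best is None:
        return None
    return {"groups": list(best[0]), "network_object": best[1], "cidr": str(best[2])}


def is_local(ip):
    """Local means: inside at least one CIDR range of the Network Hierarchy."""
    return lookup(ip) is not None


def cidrs_under_group(group):
    """CIDR ranges of every network object below `group`, which is what a
    filter on the group expands to."""
    return sorted(str(net) for groups, _, net in _objects() if group in groups)


if __name__ == "__main__":
    for ip in ("10.20.30.7", "10.9.9.9", "203.0.113.5", "198.51.100.1"):
        print(ip, lookup(ip))
    print("Net-10-172-192 expands to", cidrs_under_group("Net-10-172-192"))
```

Note that 10.20.30.7 is tagged PayrollDB under CrownJewels/Finance although it also lies inside Net_10_0_0_0, because the /24 range is smaller than the /8, which is exactly the overlap the CIDR ranges slide allows.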

Lesson 2 Using networks in investigations


The Network Hierarchy is often beneficial to security-related analysis, including offense investigation. In this lesson, you learn how to locate and use network information.


Network of an IP address

• Hover the mouse over an IP address to learn its groups and network object
• The remainder of this module refers to both groups and network objects as network


Filtering by network

• You can use networks in many ways for investigations, for example for filtering
• If you select a group, QRadar SIEM filters for all CIDR ranges of the group's descendants


Grouping by network

Slide graphic: grouping by network on the Log Activity tab and on the Network Activity tab


Offenses overview by network

Survey your threat landscape from the perspective of your networks

Slide graphic (callouts):
• Number of offenses with one or more targets in the network
• Number of offenses with one or more attackers in the network
• other includes all IP addresses that are not part of a network configured in the Network Hierarchy


Networks of Source and Destination IP addresses in Offense Summary

The Offense Summary enriches local Source and Destination IP addresses with network information from the Network Hierarchy


Networks in the Offense Summary

Investigate the networks under attack in an offense

Lesson 3 Using Flow Bias and Direction in Investigations

Most importantly, the Network Hierarchy defines which IP addresses are local because they belong to your organization. In this lesson, you learn how QRadar SIEM uses this information to determine the Flow Bias and Direction, which can hint at suspicious activities.


Flow Bias

• A flow records characteristics of the network activity that it represents, including its Flow Bias
• The bias of a flow marks the ratio between bytes leaving from and arriving at your organization's perimeter
• QRadar SIEM uses the Network Hierarchy to determine whether bytes transfer inbound or outbound


Flow Bias (continued)

QRadar SIEM distinguishes between the following flow biases
• Out only: Unidirectional outbound
  This bias indicates outbound connection attempts that are being blocked by a firewall, such as beaconing attempts by malware to its command-and-control (C&C) servers
• In only: Unidirectional inbound
  This bias indicates inbound connection attempts that are being blocked by a firewall, or a port scan attempt against a publicly reachable IP address of your organization
• Mostly out: 70% to 99% of bytes outbound
  This bias indicates data leaving your organization. Only your publicly reachable servers should have many flows with this bias
• Mostly in: 70% to 99% of bytes inbound
  This bias is typical for end-user machines
• Near same: inbound-outbound byte ratio between 31% and 69%
  This bias is typical for VOIP, chat, and SSH
• Other
  This bias usually indicates traffic between local machines. It can also indicate traffic between two remote machines, which either points to a misconfiguration of an organization's network or notifies you that a local network is missing in the Network Hierarchy


Flow Direction

• For the network activity that a flow represents, the Flow Direction indicates
  – Whether the network activity has been initiated from inside or outside your organization's network perimeter
  – Whether a host inside or outside your organization's network perimeter is the destination of the network activity
• The Flow Direction takes the following values
  – L2L: Traffic from a local network to another local network
  – L2R: Traffic from a local network to a remote network
  – R2L: Traffic from a remote network to a local network
  – R2R: Traffic from a remote network to another remote network
  Usually R2R indicates a network misconfiguration or a local network missing in the Network Hierarchy


Flow Bias and Direction difference

• The difference between Flow Direction and Flow Bias is as follows
  – Flow Bias marks the ratio between bytes leaving from and arriving at your organization's perimeter regardless of where the network activity has been initiated
  – Flow Direction indicates whether source and destination are located inside or outside your organization's network perimeter regardless of the number of bytes transferred in each direction
• Events cannot have the equivalent of a Flow Bias, but events have a Direction
  The Source and Destination IP addresses of an event determine its Direction in the same way as for flows
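The following Python program is an illustration added to these notes, not QRadar's own classifier. It derives the Direction (L2L, L2R, R2L, R2R) of a flow or event from the local/remote status of its source and destination, derives the Flow Bias from the byte counts in each direction using the percentage boundaries on the Flow Bias slide, and lists R2R flows as candidates for a network missing from the Network Hierarchy. The local CIDR ranges and the sample flows are constructed; which side of the boundary an exact 70% falls on is an assumption made here, since the slide does not say.

```python
# Added illustration (not QRadar's classifier) of Flow Direction and Flow Bias
# as the slides define them. Local CIDRs and sample flows are constructed; the
# 70%/30% boundaries follow the percentages on the Flow Bias slide, and which
# side an exact 70% falls on is an assumption made here.
import ipaddress

LOCAL_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]


def is_local(ip):
    """Local means: inside a CIDR range of the Network Hierarchy."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_CIDRS)


def direction(src, dst):
    """Direction applies to events and flows alike: L2L, L2R, R2L or R2R."""
    return ("L" if is_local(src) else "R") + "2" + ("L" if is_local(dst) else "R")


def flow_bias(src, dst, src_bytes, dst_bytes):
    """src_bytes: bytes sent by the source; dst_bytes: bytes sent by the destination."""
    d = direction(src, dst)
    if d in ("L2L", "R2R"):
        return "Other"                      # nothing crosses the perimeter (or the hierarchy has a gap)
    if d == "L2R":
        out_bytes, in_bytes = src_bytes, dst_bytes
    else:                                   # R2L: the local destination's bytes leave the perimeter
        out_bytes, in_bytes = dst_bytes, src_bytes
    total = out_bytes + in_bytes
    if total == 0:
        return "Other"
    if in_bytes == 0:
        return "Out only"
    if out_bytes == 0:
        return "In only"
    out_pct = 100 * out_bytes / total
    if out_pct >= 70:
        return "Mostly out"
    if out_pct <= 30:
        return "Mostly in"
    return "Near same"


def classify(flows):
    """flows: iterable of (src, dst, src_bytes, dst_bytes) -> list of (direction, bias)."""
    return [(direction(s, d), flow_bias(s, d, sb, db)) for s, d, sb, db in flows]


def hierarchy_gaps(flows):
    """R2R flows: candidates for a network missing from the Network Hierarchy."""
    return [(s, d) for s, d, _, _ in flows if direction(s, d) == "R2R"]


SAMPLE_FLOWS = [   # constructed
    ("10.1.1.5", "198.51.100.7", 400, 0),             # blocked outbound connection attempts
    ("198.51.100.9", "203.0.113.10", 60, 0),          # blocked inbound connection attempts
    ("10.1.1.5", "198.51.100.20", 2000, 50000),       # end-user machine downloading
    ("198.51.100.30", "203.0.113.10", 1000, 9000),    # public web server serving a client
    ("10.1.1.5", "198.51.100.40", 5000, 4500),        # interactive session, e.g. SSH
    ("10.1.1.5", "192.168.1.1", 700, 300),            # traffic between local machines
    ("198.51.100.1", "198.51.100.2", 10, 10),         # neither side local: hierarchy gap?
]


if __name__ == "__main__":
    for flow, (d, bias) in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(f"{flow[0]:>14} -> {flow[1]:<14} {d}  {bias}")
    print("possible hierarchy gaps:", hierarchy_gaps(SAMPLE_FLOWS))
```

The fourth sample flow shows why Direction and Bias are independent: it is R2L because a remote client initiated it, yet its bias is Mostly out because the local web server sent 90% of the bytes.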

Lesson 4 Using the Network Hierarchy in rules


Network information is crucial to detect indicators of compromise and concern. In this lesson, you
learn how rules and building blocks can use the Network Hierarchy, and how they can tag events
and flows based on CIDR ranges.


Rule test conditions

Rules can perform the following tests
• IP address belongs to network
• Flow Bias
  – Only available for rules of type Flow
• Context
  – The Event and Flow Direction are equivalent to the Context


Tagging by custom rules and building blocks

• Custom rules and building blocks can tag by CIDR range, too
• While the Network Hierarchy tags IP addresses, custom rules and building blocks tag events and flows


Exercise introduction
Complete the following exercises in the Course Exercises book
• Create a network object
• View network objects in flows



Summary
Now you should be able to perform the following tasks:
• Locate and explain the structure of the Network Hierarchy
• Use networks in investigations
• Use Flow Bias and Direction in investigations
• Use the Network Hierarchy in rules


Unit 10 Index and Aggregated Data Management

Searches leverage indexes and data aggregation. This unit teaches you about indexes and
aggregated data.


Objectives
In this unit, you learn to perform the following tasks:
• Use the Index Management administration tool to enable, disable, and configure an index
• Use the Aggregated Data Management administration tool to see Aggregated Data View statistics and manage the data that QRadar SIEM accumulates
• Use the information provided by the Aggregated Data Management tool in combination with Index Management to optimize search and rule performance

Lesson 1 Using the Index Management tool


Indexes can significantly reduce the run time of searches at the expense of storage space. In this lesson, you learn how to manage indexes.


Instructor demonstration of the Index management tool



Index Management tool

Use the Index Management tool to analyze the effectiveness of indexes and the need for extra indexes

Slide graphic (callouts):
• Enable/Disable Indexes or search for an index in the Display context
• Define a display context based on the time window, status, or type


Index information
• You can search for indexes by name using the query window
• Use the Quick Filter property to create indexes for the free text
payload searches

By default, index information is updated every hour

Properties that already include an index display a green bullet icon; to enable an index for a
property, right-click the property and select Enable Index

% of Searches fields
• Using Property: Indicates how many executed searches use the property
• Hitting Index: Indicates how many executed searches benefit from the
property index
• Missing Index: Indicates how many executed searches might benefit if the
property was indexed
Benchmark numbers are generated every hour and combined in wider views
Lesson 2 Using the Aggregated Data Management tool


Time-series charts and reports use aggregated data. In this lesson, you learn how to manage
aggregated data.

Instructor demonstration of the Aggregated data management tool

Aggregated Data Management tool


• Use the Aggregated Data Management tool to analyze the organization of data used for
Aggregated Data Views
• Aggregated Data Views contain accumulated data that is used by the saved searches that include a
Group By Column clause

Enable or disable a view


• By default, every aggregated data view is enabled after it is created
• When you disable a view, searches no longer use the aggregated data
• Disabled views can be enabled again
• When you enable or disable a view, a list of the searches, reports, ADE rules, and Time Series that
depend on the view is displayed
Aggregated view of report data


Aggregated data views in reports display the following information
• Which aggregated data views are used in which reports
• Charts in the reports that use the aggregated data view
• Searches that generate the aggregated data view
• How often the view was triggered
• Disk space used by the view in the event database
• Whether unique count is enabled for the search; views with unique count enabled require more disk space

Aggregated view of time series data


• When displaying Time Series data, the result shows aggregated data that includes captured time
series data
• The Time Series view displays the accumulated field or fields used by the search

The saved search Event Category Distribution accumulates across two properties: count and
SUM eventCount

Aggregated view of ADE rules data

Anomaly Detection Engine (ADE) rules use aggregated data, and this view shows which aggregated
data view each ADE rule uses

This view displays the aggregated data views by ID and how often each view is referenced and was
triggered

Lesson 3 Gathering index statistics


Statistics about the use and resource consumption of indexes help you decide whether to enable or
disable them. In this lesson, you learn how to locate index statistics.

Instructor demonstration of gathering index statistics

Creating a custom event property and using it in a search


• The Logon Type property captures the Windows Logon Type value in authentication events
• The search uses this property to filter for authentication events on Windows hosts that relate to
console or network logon attempts (values 2 or 3)

RegEx: Logon Type: (\d+)
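As an added example that is not part of the course materials, the following Python script applies the regular expression from the slide to constructed Windows event text and keeps only the logon types the search filters for; the sample payloads and the tolerant pattern are assumptions for illustration, not QRadar code, and the last sample shows what happens when the payload format does not match the regex.

```python
import re
from typing import Dict, List, Optional

# Regular expression from the slide: capture the Windows Logon Type value.
LOGON_TYPE_RE = re.compile(r"Logon Type: (\d+)")

# Assumed tolerant variant (not from the course): allows tabs or several spaces
# between the label and the value, which is how Windows event text is often rendered.
LOGON_TYPE_TOLERANT_RE = re.compile(r"Logon Type:\s*(\d+)")

# Logon types the search on the slide filters for: console (2) and network (3).
CONSOLE_OR_NETWORK = {2, 3}

# Constructed sample payloads (not real events) in the style of Windows security
# event text as a log source might forward it.
SAMPLE_EVENTS: List[str] = [
    "EventID=4624 An account was successfully logged on. Logon Type: 2 Account Name: alice",
    "EventID=4624 An account was successfully logged on. Logon Type: 3 Account Name: svc_backup",
    "EventID=4625 An account failed to log on. Logon Type: 10 Account Name: bob",
    "EventID=4624 An account was successfully logged on. Logon Type: 5 Account Name: SYSTEM",
    "EventID=4672 Special privileges assigned to new logon. Account Name: admin",
    # Tab-separated rendering: the slide's regex expects exactly one space and misses it.
    "EventID=4624 An account was successfully logged on. Logon Type:\t\t7 Account Name: carol",
]


def extract_logon_type(payload: str, pattern=LOGON_TYPE_RE) -> Optional[int]:
    """Return the captured Logon Type as an integer, or None when the pattern does
    not match; QRadar leaves a custom property empty for events its regex misses."""
    match = pattern.search(payload)
    return int(match.group(1)) if match else None


def filter_console_or_network(payloads: List[str]) -> List[str]:
    """Keep only payloads whose Logon Type is 2 or 3, like the filter in the slide's search."""
    return [p for p in payloads if extract_logon_type(p) in CONSOLE_OR_NETWORK]


def logon_type_counts(payloads: List[str]) -> Dict[Optional[int], int]:
    """Count events per Logon Type, the way a search grouped by the property would;
    the None bucket shows how many events the regex failed to parse."""
    counts: Dict[Optional[int], int] = {}
    for p in payloads:
        value = extract_logon_type(p)
        counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    for payload in filter_console_or_network(SAMPLE_EVENTS):
        print(payload)
    print(logon_type_counts(SAMPLE_EVENTS))
```

Checking the None bucket against the raw payloads before enabling an index is a cheap way to find out whether the property regex actually matches the format your log source delivers.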

Analyze the Search and Index metrics


• Run a search, check the Current Statistics, and ask the system to provide more details so you can
view the data comprehensively
• Pay attention to the number of Data Files searched, Index Files searched, and how many results are
returned

Check Index Management for the % of Searches performed that missed the index for the property

After enabling an index for the Logon Type property, which was missed by almost 80% of all performed
searches using this property, searches using the property can now start using the index

Exercise introduction
Complete the following exercises in the Course Exercises book
• Manage indexes

Unit summary
• Use the Index Management administration tool to enable, disable, and configure an index
• Use the Aggregated Data Management administration tool to see Aggregated Data View statistics and
manage the data that QRadar SIEM accumulates
• Use the information provided by the Aggregated Data Management tool in combination with Index
Management to optimize search and rule performance

Unit 11 Using Dashboards

QRadar SIEM displays the Dashboard tab after you have signed in. Items on a dashboard display
information about activities in your network. The items enable you to focus on specific areas of
interest. You can customize and add new items and dashboards. This unit teaches you how to
navigate and customize the Dashboard tab.

Objectives
In this unit, you learn to perform the following tasks:
• Navigate the Dashboard tab
• Customize dashboard items
• Utilize time-series charts

Lesson 1 Navigating the Dashboard tab


A dashboard hosts several dashboard items in order to provide real-time visibility into activity in
your environment. In this lesson, you learn how to manage dashboards and how to add a saved
search as an item to a dashboard.

Instructor demonstration of the Dashboard tab

Dashboard tab

The Dashboard tab displays dashboard items.

Dashboards
ƒ Dashboards are like a canvas for dashboard items
ƒ You can create custom dashboards to focus on your security or operations responsibilities
ƒ Each dashboard is associated with a user; changes that you make to a dashboard do not affect the
dashboards of other users

Show Dashboard: Select a dashboard to display its items
New Dashboard: Create a new empty dashboard
Rename Dashboard: Rename the currently selected dashboard
Delete Dashboard: Delete the currently selected dashboard

Use multiple dashboards to better organize data; for example, create dashboards for the following
purposes:
• Databases
• Critical Applications

Adding a saved search as a dashboard item


• You can only add a saved search that has a grouping as a dashboard item
• More than 15 items on a dashboard can negatively impact performance

Adding a saved search as a dashboard item (continued)


You can add searches with a grouping that you created yourself

Adding a saved search as a dashboard item (continued)


• Items are added at the bottom of dashboards
• Press the header of an item to move it

Enabling a search to be used as a dashboard item

Include in my Dashboard: Add the search to the Add item drop-down list on the Dashboard tab

Lesson 2 Customizing a dashboard item


You can customize which data a dashboard item displays in which way. In this lesson, you learn
about the options to leverage dashboard items for your needs and responsibilities.

Configuring dashboard items

Settings provides a wide variety of options to configure items for their purpose

Delete item from dashboard. Use the Add item drop-down list if you want it back
Open settings of item
Open item in separate browser window


QRadar SIEM keeps updating items in separate browser windows, even if you close the main
window without logging out from QRadar SIEM.

Select what to display

Select how to display

Lesson 3 Utilize time-series charts


A time-series chart plots data against time in order to observe trends. To provide time-series charts,
QRadar SIEM needs to keep track of data over time. In this lesson, you learn how to leverage
time-series charts.

Enabling time-series data


• Capturing time-series data means that QRadar SIEM counts incoming events or flows according to
your search criteria, grouping, and chosen value to graph
• Most of the predefined searches capture time-series data
• Capturing time-series data increases resource consumption of QRadar SIEM

The asterisk (*) indicates that QRadar SIEM accumulates time-series data for this value

Select Capture Time Series Data and click Save to accumulate time-series data to count events or
flows

Only some time-series data accumulations are pre-configured

• The settings do not display the asterisk and checkmark for Capture Time Series Data if
time-series data accumulation for a property has been enabled elsewhere, for example by a
report. Therefore, time-series charts can display without the asterisk and checkmark.
• User permissions control the ability to configure and view time-series data.

Investigating data trends


• Time-series charts are graphical representations of
log or network activity over time
• Peaks and valleys displayed in the chart depict
high- and low-volume activity
• Time-series charts are useful to investigate short-
term and long-term data trending

Details of a one-minute time interval


To investigate the details of a particular one-minute
time interval, hover the mouse pointer over the chart

Zooming in
To zoom in to a shorter chart interval, hold the left
mouse button pressed while moving the mouse
pointer to the left or right; release the mouse button
when you have highlighted the interval that you want
to zoom in to

Focusing on less prevalent data


To hide a dominating kind of data from the chart, click its legend

• To unhide, click the legend again.
• Hiding and unhiding works with and without zoom.

Resetting the zoom


To return to the original time range, click Reset
Zoom in the upper-left corner

Navigating to activity tabs


• To investigate the flows further on the Network
Activity tab of the QRadar SIEM web interface,
click the View in Network Activity link at the
bottom
• Items displaying event data provide the View in
Log Activity link

Activity tabs
• The same way as with the charts in the dashboard items, you can zoom in, hover over, and hide data
• If you want to configure what the chart displays, click the yellow icon in the header

The Log Activity and Network Activity tabs display only one time-series chart. QRadar SIEM
displays this chart even if it did not capture time-series data for the chart. Any missing time-series
data is computed as needed. This can require considerable processing time.

Exercise introduction
Complete the following exercises in the Course Exercises book
• Creating a new dashboard

Summary
Now you should be able to perform the following tasks:
• Navigate the Dashboard tab
• Customize dashboard items
• Utilize time-series charts

Unit 12 Creating Reports

Reports condense data to statistical views on your environment for various purposes, in particular
to meet compliance requirements. This unit teaches you how to generate a report using a
predefined template and create a report template.

Reference:
• IBM App Exchange https://exchange.xforce.ibmcloud.com/hub

Objectives
In this unit, you learn to perform the following tasks:
• Navigate and use the Reports tab
• Generate and view a report
• Use the Report Wizard to create a custom report template

Lesson 1 Navigating the Reports tab


QRadar SIEM and extensions provide many templates you can use to generate reports. In this
lesson, you learn how to access the report templates and generate a report.

Reference:
• IBM App Exchange https://exchange.xforce.ibmcloud.com/hub

Reporting introduction
• A QRadar SIEM report is a means of scheduling and automating one or more saved searches
• QRadar SIEM reports provide the following capabilities
ƒ Present measurements and statistics
ƒ Let users create custom reports
ƒ Brand reports and distribute them
• Predefined report templates serve a multitude of purposes, such as the following examples
ƒ Regulatory compliance
ƒ Authentication activity
ƒ Operational status
ƒ Network status
ƒ Executive summaries

QRadar SIEM administrators can install extensions to add report templates for the following
regulatory schemas:
• HIPAA: Health Insurance Portability and Accountability Act
• COBIT: Control Objectives for Information and Related Technology
• SOX: Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
• PCI: Visa Payment Card Industry Data Security Standard
• GLBA: Gramm-Leach-Bliley Privacy Act
• FISMA: Federal Information Security Management Act
• NERC: The North American Electric Reliability Council
• GSX: Government Secure Extranet

Reporting demonstration

Demonstrate finding a template and generating a report and have the students follow along. Make
sure your QRadar SIEM contains security data to generate a report. The
/labfiles/sendCheckpoint.sh script provided the events displayed in the screen captures in this
unit.

Reports tab
You can search and sort report templates in a similar way as events and flows

QRadar SIEM administrators can select Branding on the left side to upload logos for your reports.
Once a logo is uploaded, users can use the logo when creating or editing report templates.

Finding a report
• QRadar SIEM and extensions provide many report templates
ƒ Before you create a new template, check the installed templates and the templates provided by extensions
available on the IBM App Exchange

Hide Inactive Reports: Disable to display all inactive report templates
IBM App Exchange: QRadar SIEM administrators can add more report templates by downloading and
installing extensions
Reporting Groups: Display report templates of a reporting group
Search: Display report templates whose title, description, group name, or author user name matches
the search criteria

• Inactive reports: QRadar SIEM does not automatically generate reports for inactive templates.
• Active reports: QRadar SIEM generates reports for active templates automatically according
to the schedule, unless the schedule is set to Manual. QRadar SIEM lists active templates with
a manual schedule if the Hide Inactive Reports check box is enabled.
• To learn about available extensions, visit the IBM App Exchange
(https://exchange.xforce.ibmcloud.com/hub)

Running a report

Run Report: Generate a report for the selected report template immediately, regardless of its
schedule or active/inactive state
Run Report on Raw Data: Generate a report on raw data if QRadar SIEM has not captured the required
time-series data
Toggle scheduling: Toggle the active and inactive state of the selected template
Delete Generated Content: Delete any generated report for the selected template
• Exclamation mark:
The leftmost column with the exclamation mark includes an error icon when a report fails to
generate
• Run Report:
Initiate the generation of a report for the selected template. The generation uses accumulated
time series data. If no accumulated data is available when the report runs, the generated report
displays the message that accumulated data is not available. Refer to the next lesson to learn
more about time series data for report generation.
• Run Report on Raw Data:
You can choose this option if QRadar SIEM has not accumulated time series data for your
required reporting period. When a report runs on raw data, QRadar SIEM queries the data in its
data store to generate the report. Running a report on raw data takes a longer time to process
than running a report on accumulated time series data.

Selecting the generated report

Estimated 34 seconds until the report is generated

Select a generated report from the list and click the PDF icon to view it
QRadar SIEM generates reports one at a time. When you start a report generation while another
report is already generating, your report displays Queued in the Next Run Time column.

Viewing a report

Lesson 2 Creating a report template


If the provided default report templates do not meet your specific needs, you can create a
customized report template. In this lesson, you learn how to use the Report Wizard to create a new
report template and generate the report.

Reporting demonstration

Demonstrate creating a new report template and have the students follow along.

Creating a new report template


To watch specific activity in a daily report, create a custom report template

Click Create to start the Report Wizard

Choosing a schedule and data time range


Configure the following settings:
• When QRadar SIEM generates the report
  The selection in the example screen capture configures QRadar SIEM to generate a report on each Monday, Tuesday, Wednesday, Thursday, and Friday at 2:00 am
• Default data time range to use
  Regardless of when a report template is configured to run, it uses the data from the previous time period by default
  - Hourly uses the data from the previous hour
  - Daily uses data from the previous day, 12:00 am through 11:59 pm
  - Weekly uses the data from the previous week, Monday 12:00 am through Sunday 11:59 pm
  - Monthly uses data from the previous month, 1st of the month 12:00 am through last day of the month 11:59 pm
  - For Daily, Weekly, and Monthly, a later wizard page allows you to change the default time ranges stated above

Manually uses the data from the time range configured on a later wizard page.

QRadar SIEM generates a report for a template configured to be started Manually only when a
QRadar user initiates a run.

The screen capture displays the default configuration for Daily. By default Daily reports use the data
from the previous day. Therefore, the configuration generates reports that use data from Sunday
through Thursday but not Friday and Saturday.


Time series data for report generation


• With the exception of Manually, all time ranges start time series data accumulation for the saved searches that you choose on a later wizard page
• While Hourly reports substitute missing time series data by directly using raw data, Daily, Weekly, and Monthly reports can only use time series data and therefore have complete time series data available only on their second or third scheduled run; example:
  - On a Tuesday, you configure a report to run weekly on each Wednesday; time series accumulation begins
  - 1st Wednesday: The generated report is empty because data accumulation started after the previous week had ended
  - 2nd Wednesday: The generated report displays incomplete data because data accumulation started only on Tuesday in the previous week
  - 3rd Wednesday: The generated report displays data from the previous week because accumulated data is available for the whole week

If you need to generate a report for a time period without time series data, select in the Actions
drop-down list Run Report on Raw Data.

If you select Run Report, the report generates from time series data. If time series data is not
available for the required reporting period, the generated report displays the message that
accumulated data is not available.

Templates configured to be started Manually do not start time series data accumulation implicitly, as the other scheduling options do.


Choosing a layout
QRadar SIEM uses containers to separate report pages so that different data sets can display on the same report page


When you select the layout of a report, consider the type of report you want to create. For example,
do not choose a small chart container for graph content that displays a large number of objects.
Choose a container large enough to hold the data.


Selecting the type of the top chart

The report saves with the name entered in the Report Title field


On the Reports tab under Branding, QRadar SIEM administrators can upload logos. All uploaded
logos are available from the Logo drop-down list.


Configuring the top chart

Enter a chart title. Select the previously saved search to report firewall activity.


Configuring the top chart (continued)

• Select the graph type. The available graph types depend on the chart type
• Select the property to graph for both axes
• Optionally record the runs of the selected saved search in an offense of type Scheduled Search


The Offense Summary lists the most recent search results under Last 5 Search Results.


Selecting the type of the bottom chart



Configuring the bottom chart

Select graph type Table to list the reported data in a table. Select which kind of offenses you want to report.



Layout preview
• The Layout Preview provides only the layout of the report; it does not show the actual data
• Reports can take a long time to generate. Therefore, the preview helps you configure the layout correctly before running a potentially large amount of real data for a long time


Reports can take a long time to generate. Therefore, the preview helps you configure the layout
correctly before running a potentially large amount of real data for a long time.


Choosing a format
Select any or all of the available output
formats for your report


You will most likely use the PDF format for most of your reports, but you can also generate reports
in HTML and RTF format. XML and RTF facilitate further processing and the extraction of report
data.


Distributing the report

Allow users to view the generated report. Distribute the report by email.


You can distribute the report to multiple email addresses. Use commas to separate email
addresses listed in the Enter the report destination email address(es) field.


Adding a description and assigning to groups


• Organize report templates by groups much like
rules and log sources
• Use reporting groups to sort report templates
by purpose, such as a specific regulatory or
executive requirement



Verifying the report summary



Viewing the generated report



Best practices when creating reports


• For comparison and review, present charts and event tables together
• Consider the purpose of the report and choose the least number of page containers necessary to
communicate the data
• Do not choose a small page division for a graph that might contain a large number of objects
• Executive summary reports use one-page or two-page divisions to simplify the report focus



Exercise introduction
Complete the following exercises in the Course Exercises book
• View an existing report
• Create a new event report
• Create a new search and report



Summary
Now you should be able to perform the following tasks:
• Navigate and use the Reports tab
• Generate and view a report
• Use the Report Wizard to create a custom report template


Unit 13 Using Filters


Filters limit a search result to the data that meets the conditions of the applied filters. Use filters to
look for specific activities or to view your environment from various angles. This unit teaches you
about some of the many available filters.

Reference:
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803


Objectives
In this unit, you learn to perform the following tasks:
• Apply filters that include or exclude specific events and flows



Lesson: Filters overview


QRadar SIEM provides filters so that you can focus on specific data. This lesson introduces you to
operators and indexes.

Reference:
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803


Filters introduction
• Filters are search criteria
• Use filters to look for specific activities and narrow down search results
• Right-click a property value in a list of events or flows to open a menu with a few filter options. To use other filters, click the Add Filter icon
• A wide variety of parameters is available for filtering. Previous course modules have already introduced the following parameters
  - Source and Destination IP addresses
  - Source and Destination port numbers
  - Event and Flow Direction
  - Rules and building blocks that have fired
  - Groups and network objects as defined in the Network Hierarchy



Using Filters demonstration


Navigate the Log Activity and Network Activity tabs and point out the topics in this unit.


Operators
• A wide variety of operators is available for filtering
• The nature of the parameters determines which kind of operators are available


To build an OR expression, use Equals any of.


Indexes
• [Indexed] behind a property in the Parameter drop-down list indicates that QRadar SIEM maintains an index for the values of the property
• An index on a filtered property significantly reduces the run time of a search
• If you use a property without an index in a filter, add additional filters on indexed properties to lower the number of events or flows that QRadar SIEM needs to search


Refer to the Searching your QRadar data efficiently technote (http://www.ibm.com/support/docview.wss?uid=swg21689803) for more information about search optimization.


Source and Destination IP


The frequently used Source or Destination IP filter is not marked [Indexed], although it uses the indexes of Source IP and Destination IP


Instead of an IP address, you can enter a range of IP addresses, in CIDR notation, such as
10.100.0.0/16.


Lesson: Filtering events and flows


Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on
events and flows.


Continents, countries, and regions


Use filters for events or flows to include or exclude traffic from or to IP addresses located in the selected continents, countries, or regions



Associated With Offense


Use the Associated With Offense filter to include or exclude events or flows that QRadar SIEM added to
one or more offenses



Payload Matches Regular Expression


• When applying a regular expression (regex) to the payload of events, QRadar SIEM tests the raw events from which the event collector created the normalized events
• When applying a regex to the payload of flows, QRadar SIEM tests the captured layer 7 content sent by the source or destination socket
• Performing a regex on payloads consumes more computational resources than any other filter
  - With a regex filter, do not select real time or last interval viewing of log activity or network activity
  - The Log Activity and Network Activity tabs always display the result of a search; if you add a filter, QRadar SIEM applies the filter test only to this search result


Payload Contains
• The only difference between Payload Matches Regular Expression filters and the Payload Contains
filters is that the latter performs a substring test instead of a regular expression test
• Follow the same best practices as for regular expressions, because the substring operation is less
expensive than regular expression matching but still consumes much more computational resources
than other filters
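The filter behaviour described on this slide and the previous one, together with the Equals any of operator, the indexed-property advice and the CIDR Source or Destination IP filter from Lesson 1, as an added Python example that is not QRadar code; the events, the INDEXED set and the filter names are constructed for the example.

```python
"""Added example (not QRadar code): a small filter evaluator over constructed
events that mirrors the behaviour described in this unit: the Equals any of
and Does not equal any of operators, CIDR ranges for Source or Destination IP,
indexed filters narrowing the candidate set before a non-indexed payload
filter runs, and Payload Contains (substring) next to Payload Matches
Regular Expression."""
import ipaddress
import re

# Constructed normalized events; "payload" holds the raw event text that
# payload filters are tested against.
EVENTS = [
    {"id": 1, "sourceip": "10.100.5.20", "destinationip": "192.0.2.10", "logsource": "FW-1",
     "payload": "action=deny src=10.100.5.20 dst=192.0.2.10 dpt=445"},
    {"id": 2, "sourceip": "10.100.7.4", "destinationip": "198.51.100.7", "logsource": "FW-1",
     "payload": "action=allow src=10.100.7.4 dst=198.51.100.7 dpt=443"},
    {"id": 3, "sourceip": "172.16.0.9", "destinationip": "10.100.1.1", "logsource": "FW-2",
     "payload": "action=deny src=172.16.0.9 dst=10.100.1.1 dpt=22"},
    {"id": 4, "sourceip": "10.200.0.3", "destinationip": "203.0.113.9", "logsource": "FW-2",
     "payload": "action=allow src=10.200.0.3 dst=203.0.113.9 dpt=80"},
    {"id": 5, "sourceip": "127.0.0.1", "destinationip": "127.0.0.1", "logsource": "SIM Audit",
     "payload": "user admin logged in"},
    {"id": 6, "sourceip": "10.100.9.9", "destinationip": "192.0.2.44", "logsource": "FW-1",
     "payload": "action=deny src=10.100.9.9 dst=192.0.2.44 dpt=3389"},
]

# Properties the example treats as [Indexed] (an assumption of this toy).
INDEXED = {"sourceip", "destinationip", "logsource"}

# A filter is (display name, uses an index, predicate over one event).
def equals_any_of(prop, values):
    """Operator 'Equals any of': an OR over the listed values."""
    wanted = set(values)
    return (f"{prop} Equals any of", prop in INDEXED, lambda e: e[prop] in wanted)

def does_not_equal_any_of(prop, values):
    """Operator 'Does not equal any of': exclude the listed values."""
    unwanted = set(values)
    return (f"{prop} Does not equal any of", prop in INDEXED, lambda e: e[prop] not in unwanted)

def source_or_destination_ip(cidr):
    """Source or Destination IP filter; accepts one address or a CIDR range.
    It carries no [Indexed] label but uses the Source IP and Destination IP indexes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ("Source or Destination IP", True,
            lambda e: ipaddress.ip_address(e["sourceip"]) in net
            or ipaddress.ip_address(e["destinationip"]) in net)

def payload_contains(text):
    """Payload Contains: substring test on the raw payload (cheaper than a regex)."""
    return ("Payload Contains", False, lambda e: text in e["payload"])

def payload_matches_regex(pattern):
    """Payload Matches Regular Expression: regex test on the raw payload."""
    rx = re.compile(pattern)
    return ("Payload Matches Regular Expression", False,
            lambda e: rx.search(e["payload"]) is not None)

def apply_filters(events, filters):
    """Apply filters to a search result. Indexed filters go first so that the
    expensive non-indexed ones are evaluated over as few events as possible.
    Returns (matching event ids, {filter name: number of events it was tested on})."""
    ordered = sorted(filters, key=lambda f: not f[1])   # stable sort: indexed first
    candidates = list(events)
    evaluations = {}
    for name, _indexed, predicate in ordered:
        evaluations[name] = len(candidates)
        candidates = [e for e in candidates if predicate(e)]
    return [e["id"] for e in candidates], evaluations

def denied_smb_rdp_from_branch():
    """Denied SMB/RDP involving the 10.100.0.0/16 range, excluding QRadar's own
    audit log source. The regex is listed first but still runs last."""
    return apply_filters(EVENTS, [
        payload_matches_regex(r"action=deny\b.*\bdpt=(445|3389)$"),
        source_or_destination_ip("10.100.0.0/16"),
        does_not_equal_any_of("logsource", ["SIM Audit"]),
    ])

def contains_versus_regex():
    """The same question asked as a substring and as a regex: identical hits,
    and without an indexed filter both are tested on every event."""
    ids_contains, evals_contains = apply_filters(EVENTS, [payload_contains("action=allow")])
    ids_regex, evals_regex = apply_filters(EVENTS, [payload_matches_regex(r"^action=allow\b")])
    return (ids_contains, ids_regex, evals_contains["Payload Contains"],
            evals_regex["Payload Matches Regular Expression"])

def allowed_on_fw1():
    """Equals any of on an indexed property narrows the set before the substring test."""
    return apply_filters(EVENTS, [payload_contains("action=allow"),
                                  equals_any_of("logsource", ["FW-1"])])
```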



Event Processor
• The appliances that store events and flows perform searches and transfer the result to the Console
appliance
• If you know which appliances store the relevant events and flows, add a filter on these Event
Processor appliances
• The Event Processor parameter is not only available for events but also for flows because the event
and flow processor functionality is provided by the same software component



Lesson: Filtering events


Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on
events.


Log Source
Use the log source filter to include or
exclude events from a specific service



Log Source (continued)


• Use the log source filter with the Does not equal any of operator to exclude events from the selected log sources
• For example, you can exclude the log sources that QRadar SIEM uses for its own services



Log Source Type


Use the log source type filter to
include or exclude events from
services of the selected type



Event Is Unparsed
• Use the Event Is Unparsed filter to include or exclude events that event collectors linked to a generic
log source
• Event collectors link events to a generic log source when they cannot automatically discover the kind
of software or device sending the raw events, and no log source type has been configured manually
by a QRadar administrator



AccountID Custom Event Property


• Custom event and flow properties can be used as filters
• Extensions and QRadar administrators can add custom event and flow properties in order to parse information specific to certain kinds of software or devices; for example, the HTTP version from web servers



Lesson: Filtering flows


Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on
flows.


Flow Source and Flow Interface


Use the Flow Source and Flow Interface filters to include or exclude network activity captured by the selected flow sources or interfaces



TCP Flags
Use the Source and Destination Flags filters to include or exclude flows with the selected TCP flags



DSCP
Use the Source and Destination DSCP filters to include or exclude flows with the selected Quality of
Service precedence in IP headers



ICMP Type/Code
Use the ICMP Type/Code filter to include or exclude flows with the selected ICMP Type and Code



Data Loss
Combine filters to look for large amounts of data leaving your organization



Applications using nonstandard port


• Combine filters to look for applications listening on non-standard ports
• Use a similar filter to look for non-web applications using the standard web ports 80 and 443
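Combining flow filters as the Data Loss slide and this slide suggest, as an added Python example that is not QRadar code; the flow records, the local network 10.0.0.0/8 and the application names are constructed assumptions.

```python
"""Added example (not QRadar code): combines flow filters the way the Data
Loss and 'Applications using nonstandard port' slides suggest, over constructed
flow records. Assumptions: the local address space is 10.0.0.0/8 and application
names follow the Category.Application style of QRadar flow records."""
import ipaddress
from collections import defaultdict

LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed network hierarchy
STANDARD_WEB_PORTS = {80, 443}
WEB_APPLICATIONS = {"Web.Web", "Web.SecureWeb"}        # assumed application names

# Constructed flow records; "sourcebytes" is what the source host sent.
FLOWS = [
    {"sourceip": "10.1.1.5", "destinationip": "203.0.113.8", "destinationport": 443,
     "application": "Web.SecureWeb", "sourcebytes": 1_200_000_000},
    {"sourceip": "10.1.1.5", "destinationip": "198.51.100.3", "destinationport": 22,
     "application": "RemoteAccess.SSH", "sourcebytes": 3_500_000_000},
    {"sourceip": "10.1.2.7", "destinationip": "10.1.9.9", "destinationport": 445,
     "application": "DataTransfer.WindowsFileSharing", "sourcebytes": 9_000_000_000},
    {"sourceip": "10.1.3.2", "destinationip": "203.0.113.20", "destinationport": 80,
     "application": "RemoteAccess.SSH", "sourcebytes": 40_000},
    {"sourceip": "10.1.4.4", "destinationip": "192.0.2.5", "destinationport": 8443,
     "application": "Web.SecureWeb", "sourcebytes": 2_000},
    {"sourceip": "10.1.1.5", "destinationip": "192.0.2.77", "destinationport": 443,
     "application": "Web.SecureWeb", "sourcebytes": 800_000_000},
]

def is_local(ip):
    """True when the address falls inside one of the local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)

def outbound_bytes_by_source(flows, threshold_bytes):
    """Data Loss: keep flows with a local source and a remote destination, sum
    Source Bytes per source host, and report hosts above the threshold, largest
    first. The large internal file-sharing flow is deliberately not counted."""
    totals = defaultdict(int)
    for f in flows:
        if is_local(f["sourceip"]) and not is_local(f["destinationip"]):
            totals[f["sourceip"]] += f["sourcebytes"]
    heavy = [(ip, total) for ip, total in totals.items() if total >= threshold_bytes]
    return sorted(heavy, key=lambda item: item[1], reverse=True)

def non_web_on_web_ports(flows):
    """Destination port is 80 or 443 but the detected application is not web."""
    return [(f["destinationip"], f["destinationport"], f["application"]) for f in flows
            if f["destinationport"] in STANDARD_WEB_PORTS
            and f["application"] not in WEB_APPLICATIONS]

def web_on_nonstandard_ports(flows):
    """Detected application is web but the destination port is not 80 or 443."""
    return [(f["destinationip"], f["destinationport"], f["application"]) for f in flows
            if f["application"] in WEB_APPLICATIONS
            and f["destinationport"] not in STANDARD_WEB_PORTS]
```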



Summary
Now you should be able to perform the following tasks:
• Apply filters that include or exclude specific events and flows


Unit 14 Using the Ariel Query Language (AQL) for Advanced Searches


Ariel Query Language (AQL) queries can retrieve stored data more flexibly than interactively built searches. This unit teaches you how to build and use AQL queries.

Reference:

QRadar Ariel Query Language Guide http://www.ibm.com/support/docview.wss?uid=swg27049537


Objectives
In this unit, you learn to perform the following tasks:
• Describe the basics of AQL
• Build AQL queries in advanced searches



Lesson: Describe the basics of AQL


In this lesson, you learn the syntax of AQL.

Reference:
• QRadar Ariel Query Language Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537


Ariel Query Language overview


• The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel
databases
• Use AQL to retrieve, filter, and perform actions on events and flows from the Ariel database of QRadar SIEM
• AQL is used for advanced searches to get data that might not be easily accessible from the user interface. This
provides extended functionality to the search and filtering capabilities in QRadar SIEM
• AQL V3 represents the current structure of the Ariel Database. Older versions are deprecated because property
names in the Ariel database have been changed or properties were removed. If you have queries that use these
properties, you must replace them


Refer to the QRadar Ariel Query Language Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for further information.


AQL query flow



Structure of an AQL query


• AQL queries begin with a SELECT statement to select event or flow data from the Ariel database
• Refine the data output of the SELECT statement by using the WHERE, GROUP BY, HAVING,
ORDER BY, LIMIT, and LAST clauses
• Operators are used in AQL statements to determine any equality or difference between values. By
using operators in the WHERE clause of an AQL statement, the results are filtered by those results
that match the conditions in the WHERE clause
• A variety of functions exists in AQL. They are used in the SELECT statement with properties where
the function returns specific data from


Refer to the QRadar Ariel Query Language Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for further information.


SELECT statement
• Use the SELECT statement to select properties of events or flows
• For example, select all properties from events or flows by typing
  - SELECT * FROM events, or SELECT * FROM flows
• Use the SELECT statement to select the columns that you want to display in the query output
  - SELECT sourceip, destinationip, username FROM events
• A SELECT statement can include the following elements:
  - Properties from the events or flows databases
  - Custom properties from the events or flows databases
  - Functions that you use with properties to represent specific data that you want to return



Examples for SELECT statements


• SELECT sourceip, * FROM flows
  - Returns the sourceip column first, followed by all columns from the flows database
• SELECT sourceip AS 'MY Source IPs' FROM events
  - Returns the sourceip column as the alias or renamed column 'MY Source IPs'
• SELECT ASSETHOSTNAME(sourceip) AS 'Host Name', sourceip FROM events
  - Returns the output of the function ASSETHOSTNAME as the column named Host Name, and the sourceip column from the events database



WHERE clause
• Use the WHERE clause to insert a condition that filters the output, for example:
  - WHERE logsourceid='65'
• A search condition is a combination of logical and comparison operators that together make a test. Only those input rows that pass the test are included in the result
• You can apply the following filters when you use a WHERE clause in a query
  - Equal sign (=), Not equal to symbol (<>)
  - Less than symbol (<), Greater than symbol (>)
  - Less than or equal to symbol (<=), Greater than or equal to symbol (>=)
  - BETWEEN: between two values, for example BETWEEN 64 AND 512
  - LIKE: case-sensitive match; ILIKE: case-insensitive match
  - IS NULL: is empty
  - AND / OR: both conditions must hold, or either condition may hold
  - TEXT SEARCH: text string match


Examples of WHERE clauses


• The following query example shows events that have a severity level greater than nine and are from a specific category
    SELECT sourceIP, category, credibility
    FROM events
    WHERE
      severity > 9
      AND
      category = 5013
• Change the order of evaluation by using parentheses. The search conditions that are enclosed in parentheses are evaluated first
    SELECT sourceIP, category, credibility
    FROM events
    WHERE
      (severity > 9 AND category = 5013)
      OR
      (severity < 5 AND credibility > 8)


GROUP BY clause
• Use the GROUP BY clause to aggregate your data by one or more columns. To produce meaningful results, the aggregation is usually combined with aggregate functions such as SUM or AVG on the remaining columns
• When you use the GROUP BY clause with a column name or AQL function, only the first value is returned for the GROUP BY column by default, even though other values might exist


Examples of GROUP BY clauses


• The following query example shows IP addresses that sent more than 1 million bytes within all flows in a specific time
    SELECT sourceIP, SUM(sourceBytes)
    FROM flows WHERE sourceBytes > 1000000
    GROUP BY sourceIP
• To view the average event count per source IP, use the following syntax
    SELECT AVG(eventCount), PROTOCOLNAME(protocolid)
    FROM events
    GROUP BY sourceIP


HAVING clause
• Use the HAVING clause in a query to apply more filters to specific data by filtering the results after the GROUP BY clause
• The HAVING clause follows the GROUP BY clause
• You can apply the following filters when you use a HAVING clause in a query:
  - Equal sign (=), not equal to symbol (<>)
  - Less than symbol (<), greater than symbol (>)
  - Less than or equal to symbol (<=), greater than or equal to symbol (>=)
  - BETWEEN: between two values, for example BETWEEN 64 AND 512
  - LIKE: case-sensitive match; ILIKE: case-insensitive match
  - SUM/AVG: total or average values
  - MAX/MIN: maximum or minimum values


Examples of HAVING clauses


• The following query example shows results for users who triggered VPN events from more than four IP addresses (HAVING "Count of Source IPs" > 4) in the last 24 hours
    SELECT username, UNIQUECOUNT(sourceip) AS 'Count of Source IPs'
    FROM events
    WHERE LOGSOURCENAME(logsourceid) ILIKE '%vpn%'
    AND username IS NOT NULL
    GROUP BY username
    HAVING "Count of Source IPs" > 4
    LAST 24 HOURS
• The following query groups results by source IP but displays only results where the magnitude (HAVING magnitude > 5) is greater than five
    SELECT sourceIP, magnitude
    FROM events
    GROUP BY sourceIP
    HAVING magnitude > 5
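To make the aggregation semantics of the first HAVING example concrete, here is an added Python model of that query. It is not part of the IBM course material and not QRadar's implementation: it runs the same WHERE, GROUP BY, UNIQUECOUNT, HAVING and LAST 24 HOURS logic over constructed sample events. LOGSOURCENAME() is simulated with a lookup table, and the `require_username` switch (an addition for illustration) shows what happens when the `username IS NOT NULL` condition is left out: the NULL group can pass the threshold by itself and produce a meaningless hit.

```python
"""Plain-Python model of the 'users who triggered VPN events from more than
four IP addresses' query above.

Added example, not part of the IBM course material and not QRadar's own
implementation: it reproduces the semantics of WHERE ... ILIKE, IS NOT NULL,
GROUP BY, UNIQUECOUNT, HAVING and LAST 24 HOURS over constructed sample
events so the logic of the query can be checked offline.
"""
from collections import defaultdict

HOUR_MS = 60 * 60 * 1000
NOW_MS = 1_700_000_000_000            # constructed "current time" in epoch milliseconds

# Constructed lookup standing in for the AQL function LOGSOURCENAME(logsourceid).
LOG_SOURCE_NAMES = {
    101: "Corp VPN Gateway",
    102: "Branch vpn-concentrator",    # lower-case 'vpn': only a case-insensitive match finds it
    103: "Windows Domain Controller",  # not a VPN log source
}


def _event(username, sourceip, logsourceid, hours_ago=1):
    """Build one constructed event with just the properties the query uses."""
    return {
        "username": username,
        "sourceip": sourceip,
        "logsourceid": logsourceid,
        "starttime": NOW_MS - hours_ago * HOUR_MS,
    }


# Constructed sample events, each labelled with the query rule it exercises.
SAMPLE_EVENTS = [
    _event("alice", "203.0.113.10", 101),
    _event("alice", "203.0.113.11", 101),
    _event("alice", "203.0.113.12", 102),                # matched only by ILIKE
    _event("alice", "203.0.113.13", 101),
    _event("alice", "203.0.113.14", 101),
    _event("alice", "203.0.113.14", 101),                # repeat IP: UNIQUECOUNT counts it once
    _event("alice", "203.0.113.99", 101, hours_ago=30),  # outside LAST 24 HOURS
    _event("bob", "198.51.100.7", 101),
    _event("bob", "198.51.100.8", 101),
    _event("bob", "198.51.100.9", 103),                  # domain controller, filtered by ILIKE
    _event("carol", "198.51.100.20", 101),
    _event("carol", "198.51.100.21", 101),
    _event("carol", "198.51.100.22", 101),
    _event("carol", "198.51.100.23", 101),               # exactly 4: HAVING > 4 excludes her
] + [_event(None, f"192.0.2.{i}", 101) for i in range(1, 6)]  # username IS NULL rows


def log_source_name_ilike(logsourceid, fragment):
    """WHERE LOGSOURCENAME(logsourceid) ILIKE '%fragment%' (case-insensitive)."""
    return fragment.lower() in LOG_SOURCE_NAMES.get(logsourceid, "").lower()


def vpn_users_with_many_source_ips(events, threshold=4, require_username=True,
                                   window_ms=24 * HOUR_MS, now_ms=NOW_MS):
    """Return {username: UNIQUECOUNT(sourceip)} for the groups that pass HAVING."""
    unique_ips = defaultdict(set)          # GROUP BY username, collecting distinct IPs
    for ev in events:
        if ev["starttime"] < now_ms - window_ms:          # LAST 24 HOURS
            continue
        if not log_source_name_ilike(ev["logsourceid"], "vpn"):
            continue
        if require_username and ev["username"] is None:  # AND username IS NOT NULL
            continue
        unique_ips[ev["username"]].add(ev["sourceip"])
    # HAVING "Count of Source IPs" > threshold
    return {user: len(ips) for user, ips in unique_ips.items() if len(ips) > threshold}


if __name__ == "__main__":
    for user, count in vpn_users_with_many_source_ips(SAMPLE_EVENTS).items():
        print(f"{user}: {count} distinct source IPs in the last 24 hours")
```

With the sample data only alice is reported (5 distinct VPN source IPs inside the window; her sixth address is older than 24 hours). Dropping the `username IS NOT NULL` condition adds a `None` group with 5 addresses, which is why the original query carries that clause.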


ORDER BY clause
• Use the ORDER BY clause to sort the resulting view based on expression results. The result is sorted in ascending or descending order
• Note: When you type an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison
• You can use the ORDER BY clause on one or more columns
• Use the GROUP BY and ORDER BY clauses in a single query
• Sort in ascending or descending order by appending the ASC or DESC keyword to the ORDER BY clause


Examples of ORDER BY clauses


• To query the Ariel database to return results in descending order, use the following syntax
    SELECT sourceBytes, sourceIP
    FROM flows
    WHERE sourceBytes > 1000000
    ORDER BY sourceBytes DESC

• To determine the top abnormal events or the most bandwidth-intensive IP addresses, you can combine GROUP BY and ORDER BY clauses in a single query. For example, the following query displays the most traffic-intensive IP addresses in descending order
    SELECT sourceIP, SUM(sourceBytes)
    FROM flows
    GROUP BY sourceIP
    ORDER BY SUM(sourceBytes) DESC


Single or Double quotation marks in AQL queries


• In an AQL query, query terms and queried columns sometimes require single or double quotation marks so that QRadar SIEM can parse the query
• When you enter an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison
• You can call a custom property directly in your AQL statements. If the custom property contains spaces, you must use double quotation marks to encapsulate the custom property


Use single quotation marks to specify any American National Standards Institute (ANSI) VARCHAR string to AQL, such as parameters for a LIKE or equals (=) operator, or any operator that expects a VARCHAR string.

Examples:
    SELECT * from events WHERE sourceip = '173.16.152.214'
    SELECT * from events WHERE userName LIKE '%james%'
    SELECT * from events WHERE userName = 'james'
    SELECT * FROM events WHERE INCIDR('10.45.225.14', sourceip)
    SELECT * from events WHERE TEXT SEARCH 'my search term'

Use double quotation marks to specify table and column names that contain spaces or non-ASCII characters, and to specify custom property names that contain spaces or non-ASCII characters.

Examples:
    SELECT "username column" AS 'User name' FROM events
    SELECT "My custom property name" AS 'My new alias' FROM events

Use double quotation marks to define the name of a system object such as a property, function, database, or an existing alias.

Example:
    SELECT "Application Category", sourceIP,
    EventCount AS 'Count of Events'
    FROM events GROUP BY "Count of Events"

Use double quotation marks to specify an existing alias that contains a space when you use a WHERE, GROUP BY, or ORDER BY clause.

Examples:
    SELECT sourceIP, destinationIP, sourcePort,
    EventCount AS 'Event Count',
    category, hasidentity, username, payload, UtF8(payLoad),
    QiD, QiDnAmE(qid) FROM events
    WHERE (NOT (sourcePort <= 3003 OR hasidentity = 'True'))
    AND (qid = 5000023 OR qid = 5000193)
    AND (INCIDR('1.1.1.0/4', sourceIP)
    OR NOT INCIDR('1.1.1.0/4', sourceIP)) ORDER BY "Event Count"
    DESC LAST 60 MINUTES

    SELECT sourceIP, destinationIP, sourcePort, EventCount
    AS 'Event Count',
    category, hasidentity, username, payload, UtF8(payLoad),
    QiD, QiDnAmE(qid)
    FROM events ORDER BY "Event Count"
    DESC LAST 60 MINUTES

Use single quotation marks to specify an alias for a column definition in a query.

Example:
    SELECT username AS 'Name of User', sourceip AS 'IP Source' FROM events

Use double quotation marks to specify an existing alias that contains a space when you use a WHERE, GROUP BY, or ORDER BY clause.

Example:
    SELECT sourceIP AS 'Source IP Address',
    EventCount AS 'Event Count', QiD, QiDnAmE(qid)
    FROM events
    GROUP BY "Source IP Address"
    LAST 60 MINUTES
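The quoting rules above are a frequent source of parse errors, and they matter for security as well: AQL strings are regularly assembled by scripts and dashboards from values a user typed. The following is an added Python example, not part of the IBM course material and not a QRadar library, that encodes the two rules in code: single quotation marks for string literals and alias definitions, double quotation marks for property, custom-property or alias names with spaces or non-ASCII characters. The identifier pattern, the operator and table whitelists (taken from this unit's slides) and the decision to reject rather than escape a literal containing a single quotation mark are this example's own assumptions, since the page does not document AQL's escape convention.

```python
"""Minimal AQL statement builder that applies the quoting rules described above.

Added example, not part of the IBM course material and not a QRadar library.
Single quotation marks wrap string literals and alias definitions; double
quotation marks wrap property, custom-property or alias names that contain
spaces or non-ASCII characters. Operators and table names are limited to
those listed in this unit.
"""
import re

# Constructed rule for this example: an identifier that needs no quoting is a
# plain property name or a function call such as QIDNAME(qid).
_PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\([A-Za-z0-9_, ]*\))?$")
# Characters that could terminate a single-quoted literal or confuse the parser.
_BAD_LITERAL = re.compile(r"['\x00-\x1f]")

ALLOWED_OPS = {"=", "<>", "<", ">", "<=", ">=", "LIKE", "ILIKE"}   # from the WHERE clause slide
ALLOWED_TABLES = {"events", "flows"}                               # the two Ariel databases


def q_ident(name: str) -> str:
    """Quote a property, custom property or existing alias used as a column name."""
    if name == "*" or _PLAIN_IDENT.match(name):
        return name
    if '"' in name:
        raise ValueError(f"double quotation mark inside identifier: {name!r}")
    return f'"{name}"'          # spaces or non-ASCII: double quotation marks


def is_safe_literal(value: str) -> bool:
    """True when a string can be embedded between single quotation marks unchanged."""
    return _BAD_LITERAL.search(value) is None


def q_literal(value) -> str:
    """Render a WHERE value: numbers unquoted, strings in single quotation marks.

    Assumption: the page does not document how AQL escapes an embedded single
    quotation mark, so such values are rejected instead of escaped. That also
    keeps an untrusted value like  x' OR 1=1  from rewriting the condition.
    """
    if isinstance(value, bool):
        raise TypeError("pass booleans as the string QRadar stores, e.g. 'True'")
    if isinstance(value, (int, float)):
        return str(value)
    if not isinstance(value, str) or not is_safe_literal(value):
        raise ValueError(f"unsafe literal: {value!r}")
    return f"'{value}'"


def select(columns, table, where=None, group_by=None, order_by=None,
           descending=False, last=None) -> str:
    """Assemble SELECT ... FROM ... [WHERE ...] [GROUP BY ...] [ORDER BY ...] [LAST ...].

    columns: names or (name, alias) pairs; an alias is defined with single
             quotation marks and referenced later through q_ident, which
             double-quotes it when it contains a space.
    where:   (property, operator, value) triples joined with AND.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown Ariel database: {table!r}")
    cols = []
    for col in columns:
        if isinstance(col, tuple):
            name, alias = col
            if not is_safe_literal(alias):
                raise ValueError(f"unsafe alias: {alias!r}")
            cols.append(f"{q_ident(name)} AS '{alias}'")
        else:
            cols.append(q_ident(col))
    parts = [f"SELECT {', '.join(cols)} FROM {table}"]
    if where:
        conds = []
        for prop, op, value in where:
            if op not in ALLOWED_OPS:
                raise ValueError(f"operator not allowed: {op!r}")
            conds.append(f"{q_ident(prop)} {op} {q_literal(value)}")
        parts.append("WHERE " + " AND ".join(conds))
    if group_by:
        parts.append("GROUP BY " + ", ".join(q_ident(g) for g in group_by))
    if order_by:
        parts.append("ORDER BY " + ", ".join(q_ident(o) for o in order_by)
                     + (" DESC" if descending else ""))
    if last:
        parts.append(f"LAST {last}")
    return " ".join(parts)


if __name__ == "__main__":
    print(select([("sourceIP", "Source IP Address"), ("EventCount", "Event Count"),
                  "QID", "QIDNAME(qid)"], "events",
                 group_by=["Source IP Address"], last="60 MINUTES"))
```

The returned string is what you would paste into the Advanced Search field; it reproduces the alias and custom-property examples from this page exactly. Conditions built from functions such as INCIDR or TEXT SEARCH are outside this small builder and would need their own validated rendering.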


Instructor demonstration of advanced searches

Lesson 2 Build AQL queries in advanced searches


The QRadar SIEM user interface provides an easy way to create AQL queries. In this lesson, you
learn how to build an AQL query in the user interface.


Build AQL queries from the QRadar GUI


• Go to the Log Activity tab and switch from Quick Filter, which is the default setting, to Advanced Search using the drop-down list

You can also run AQL queries against flows on the Network Activity tab.


Prepare the search window


• Long AQL statements are easier to read when broken into multiple lines. Therefore it is best practice to enlarge the search field, which by default shows only one line
• Drag the handle on the right side of the Search field downwards to enlarge it. Now you can start entering an AQL query


Instructor demonstration of advanced searches


Together with your instructor, develop AQL queries for the following scenarios:
1. Select all events from the last hour where the magnitude was 5 or higher. Order these events by magnitude descending
2. Find all events that belong to the offense with ID 2
3. How many events do you have in the Ariel database? (How many of these have a magnitude of 5 or greater?)
4. List all categories and category names from events that belong to the offense with ID 3. Group the events by category


Exercise introduction
Complete the following exercises in the Course Exercises book
• Using AQL in advanced searches


Summary
Now you should be able to perform the following tasks:
• Describe the basics of AQL
• Build AQL queries in advanced searches

Unit 15 Analyzing a Real-World Large-Scale Attack

© Copyright IBM Corporation 2017

This unit evaluates a large-scale advanced persistent attack against a US retailer. You will evaluate
how a properly implemented Security Intelligence solution could have helped to fend off the
attackers.

This unit is based on the “Kill Chain” Analysis of the 2013 Target Data Breach study by the
Committee On Commerce, Science and Transportation, which is available at the following URL:

https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf


Objectives
In this unit, you focus on the following tasks:
• Analyze the provided attack scenario
• Discuss in your team how a proper centralized Security Intelligence approach could have avoided this nightmare scenario

Analyzing a real-world large-scale attack © Copyright IBM Corporation 2017


After investigating what happened during the attack, you will have an opportunity to discuss in
teams how this incident could have been mitigated or avoided by implementing properly configured
and connected security solutions from the Security Immune System.


About Target Corporation

“Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis,
Minnesota. It is the second-largest discount retailer in the United States, Walmart being the largest. The company is
ranked 36th on the Fortune 500 as of 2013 and is a component of the Standard & Poor's 500 index. Its bullseye
trademark is licensed to Wesfarmers, owners of the separate Target Australia chain, which is unrelated to Target
Corporation.”

“The first Target store was opened in 1962 in Roseville, Minnesota. Target grew and eventually became the largest
division of Dayton Hudson Corporation, culminating in the company being renamed as Target Corporation in August
2000. Target operates 1,916 stores in the United States; it began operations in Canada in March 2013 and operates
127 locations through its Canadian subsidiary. In December 2013, a data breach of Target's systems affected
up to 110 million customers.”

Source: Wikipedia


The Target Corporation is an American retailing company, founded in 1902 and headquartered in
Minneapolis, Minnesota. It is the second-largest discount retailer in the United States. Target
operates 1,916 stores in the United States. It also began operations in Canada in March 2013.

In December 2013, a data breach of Target's systems affected up to 110 million customers.


The situation

“In November and December 2013, cyber thieves executed a successful cyber attack against Target, one of the
largest retail companies in the United States. The attackers gained access to Target’s computer network, stole the
financial and personal information of as many as 110 million Target customers, and then removed this sensitive
information from Target’s network to a server in Eastern Europe.”

“John Mulligan, Target’s Executive Vice President and Chief Financial Officer, testified that his company “had in
place multiple layers of protection, including firewalls, malware detection software, intrusion detection and
prevention capabilities and data loss prevention tools.” He further stated that Target had been certified in
September 2013 as compliant with the Payment Card Industry Data Security Standards (PCI-DSS), which credit
card companies require before allowing merchants to process credit and debit card payments.”

Source: “Kill Chain” Analysis of the 2013 Target Data Breach; Committee On Commerce, Science and Transportation


Within a very short time period of two months, cyber thieves executed a successful cyber attack
against Target. The attackers gained access to Target’s computer network, stole the financial and
personal information of as many as 110 million Target customers, and then removed this sensitive
information from Target’s network to a server in Eastern Europe.

Target had in place multiple layers of protection, including firewalls, malware detection software,
intrusion detection and prevention capabilities, and data loss prevention tools. Additionally, Target
had been certified in September 2013 as compliant with the Payment Card Industry Data Security
Standards (PCI-DSS), which credit card companies require before allowing merchants to process
credit and debit card payments.

How could this happen?

This investigative data has been made publicly available through the United States Committee On
Commerce, Science, And Transportation.


Phases of the intrusion kill chain

Source: Lockheed Martin


In order to better understand the Target attack, we are going to take a look at the different phases of
an intrusion, also called an intrusion kill chain. Because most attacks follow this pattern, we as
defenders can learn a great deal by analyzing the individual stages.

Every attack begins with a reconnaissance phase where the attackers select their main targets.
Once they have identified the data they are after, they research and identify external and potentially
vulnerable connections. These can include direct network access points or systems, as well as
employees or third-party vendors and business partners.

In the weaponization phase the attackers pair remote access malware with well-known exploits into
a deliverable payload, such as Adobe PDF or Microsoft Office files.

The delivery phase consists of the actual transmission of the weapon to a target. The most
common approach is to use phishing attacks via email attachments, websites, or even physical
USB drives.

Once delivered, the weapon's code is triggered on the target systems, exploiting vulnerable
applications or systems.

During the installation phase the weapon installs a backdoor on a target's system, allowing
persistent access. It is also very common for the weapon to regularly install new variants to avoid or
evade detection.

Once the weapon is activated it begins communicating with outside servers that provide real-time
system access for the attackers, who can now extend their reconnaissance from within the attacked
network and systems.

After final weapons and communication paths are established, the attackers work to achieve the
objective of the intrusion. Most likely, this includes exfiltration, encryption or destruction of data.

Let us now investigate the Target kill chain timeline and find out what really happened.


Kill chain timeline


<1>

Roughly at the same time that Target was PCI-DSS certified, the first phases of the attack were
executed.

In the first reconnaissance phase the attackers gathered as much information as possible about the
victim. In this case, the attackers were able to find information about one of Target's third-party
vendors through simple Internet searches. Target even displayed a public Internet portal for vendors,
which gave away the kind of software that was used for their online vendor billing. Equipped with
this knowledge, the attackers then started their reconnaissance on one particular vendor, Fazio.

In the weaponization phase the attackers created malware-laden emails, likely attaching a PDF
or Microsoft Office document.

In the first part of the delivery phase, the attackers sent infected emails to the vendor in a so-called
phishing attack. Once deployed, the malware started to record passwords and provided the
attackers with their key to Target's external billing system.


Kill chain timeline


<2>

In the second part of the delivery phase, the attackers leveraged their access to this vendor’s
system to enter Target’s network. Weak security at the perimeter of Target’s network may have
contributed to the attackers’ success in breaching the most sensitive area of Target’s network
containing cardholder data. Using the vendor’s credentials to gain access to Target’s inner network,
it appears the attackers then directly uploaded their RAM scraping malware to POS terminals.


Kill chain timeline


<3>

In the exploitation phase, the RAM scraping malware and exfiltration malware began recording
millions of card swipes and storing the stolen data for later exfiltration.

Reports suggest that the attackers maintained access to the vendor's systems for some time while
attempting to further breach Target's network during the installation phase. It is unclear exactly how
the attackers could have escalated their access from the external billing system to deeper layers of
Target's internal network. But given the installation of the Black POS malware on Target's POS
terminals, the compromise of 70 million records of non-financial data, and the compromise of the
internal Target servers used to gather stolen data, it appears that the attackers succeeded in
moving through various key Target systems by exploiting default account names in Target's IT
management system.

Based on the reported timeline of the breach, the attackers had access to Target's internal network
for over a month and compromised internal servers with exfiltration malware by November 30.
While the exact method by which the attackers maintained command and control is unknown, it is
clear that the attackers were able to maintain a line of communication between the outside Internet
and Target's cardholder network.

The attackers transmitted the stolen data to outside servers – at least one of which was located in
Russia – in plain text via FTP (a standard method for transferring files) over the course of two
weeks.

On December 12, the US Department of Justice notified Target that their stolen credit card
credentials had been identified on a Russian Dark Web site where they were offered for sale. At
this point in time, no one at Target had realized that there was an attack.

Target immediately started intense investigations and was able to stop further activities to exfiltrate
data, and three days later most of the malware had been removed.

It was at this time that Target found out not only about the loss of 40 million credit card records but
also about an additional 70 million customer data records without financial information.


First trigger - already compromised

• FireEye event
• False-positive prone: users do not fully trust the alerts
• No additional activity information: what traffic preceded and followed, from and to where?
• Business context: are critical assets exposed?
• Network context: can the attackers reach critical assets?
• No business process for triaging and analyzing was defined
• The attack was ignored


Revisiting the investigative timeline shows that the first security-relevant events from FireEye and
Symantec endpoint protection were recorded on November 30.

Firewall and endpoint analysts may have disregarded these events as false positives, because no
action was initiated. The likely reason lies in the complexity of an environment where point
solutions do not communicate with one another. It is hard to retrieve additional activity information
about the preceding and following traffic, and to establish business and network context, by just
looking at individual incidents without any correlation. The ability to include business context and
risk management can show whether any high-value assets are exposed by a certain attack pattern.
Network context shows whether those assets can actually be reached by the malware.

Without the means to correlate the individual events, the attack was ignored.


More alerts - no linkage

• More alerts
• Different areas of the network
• Not correlated with other activity or in the context of the business or network
• Not enough visibility or context
• Still ignored


Once the exfiltration began, the Target security tools recorded more alerts. But again, without proper
correlation to the earlier events and network traffic logs, there was simply not enough visibility into
the ongoing malware deployment and data exfiltration. As a result, the ongoing attack was still
ignored.


DOJ notification - 40 million records gone

• Too late
• Nightmare business scenario unfolds


By the time the DOJ called the Target executive management, it was too late to react. The
forensic investigation that followed enabled the security team to find malware on POS terminals and
on backend data servers, as well as ongoing exfiltration transmissions to external FTP servers. The
communication lines were then severed and the malware removed from the systems.


Continued breaches undetected

• Nightmare
• Worst case business scenario


Only during their forensic activities did the security staff find out about the additional 70 million
non-financial data records that had been compromised.

It was the worst-case business scenario any organization can possibly face.


Missed opportunities


In summary, several situational actions and reactions led to the disaster.

First, the attackers took advantage of weak security at a Target vendor and thus gained an initial
foothold in Target's inner IT network.

This happened while Target missed initial warnings from its anti-intrusion software that attackers
were installing malware on its deployed assets.

Then the attackers took advantage of further weak controls within Target's network and
successfully maneuvered into the network's most sensitive areas.

During the final phase of the attack, Target missed further warnings from its anti-intrusion software
about the attackers' escape plan, allowing them to steal as many as 110 million customer records.


Exercise introduction
Complete the following exercises in the Course Exercises book
• Investigate the Target kill chain timeline
• Suggest improvements


Exercise introduction

How could this scenario have been avoided?

In this exercise, you work through a few dedicated questions and investigate possible solutions to improve
correlation and reaction for a security team.

Revisit the idea of the Security Immune System and apply your understanding to this exercise.
Also, revisit the “Kill Chain” Analysis of the 2013 Target Data Breach study by the Committee On
Commerce, Science and Transportation.

Source:
https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf


Potential improvements

• Security logs and events
• Network flow data
• Vulnerability data
• Network topology
• Asset profile with business context, risk, ownerships
• Correlation rules
• User behavioral analysis

• Increased incident relevance
• One incident case and analysis workflow
• Integrated forensics - rapid confirmation of attack
• Massive reduction of window of exposure

Potential improvements

Refer to the answer keys for this Exercise to discuss possible improvements.


Summary
In this unit, you performed the following tasks:
• Analyze the provided attack scenario
• Discuss in your team how a proper centralized Security Intelligence approach could have avoided this nightmare scenario


Summary

In this unit, you investigated what happened during the attack, and you have discussed how this
incident could have been mitigated or avoided by implementing properly configured and connected
security solutions from the Security Immune System.

Appendix A A real-world scenario introduction to IBM QRadar SIEM

Appendix: A real-world scenario introduction to IBM QRadar SIEM

In this appendix, you study a real-world attack scenario that illustrates the following details:
• How attackers instigate a successful attack by infecting portable computers outside of an
organization’s physical network infrastructure using a “watering hole” attack
• How an infected computer then spreads the malicious code and how it contacts a remote
command and control server once it returns to the organization’s environment
• How the overall timeline unfolds for the attackers
• That this type of attack can only be mitigated by correlation and collaboration (Security
Intelligence) inside an organization using a variety of detection tools across several IT
disciplines


Objectives
In this unit, you learn to perform the following tasks:
• Investigate the anatomy of an attack

Appendix: A real-world scenario introduction to IBM QRadar SIEM © Copyright IBM Corporation 2017

Objectives


Anatomy of an attack - Lions at the watering hole

In July 2012, several high-profile institutions in the financial and technology sectors were
victimized by a “watering hole” attack.

[Figure: map of the watering holes, regional financial services institutions in MA, NY Metro, and DC]

Step 1: Stake out the watering hole - Insert an iFrame that redirects visitors to a zero-day malware download
Step 2: Catch the visiting “gazelles” - An employee using a corporate laptop at home visits a compromised consumer banking site and is redirected to a zero-day malware download
Step 3: The prey returns to the herd - Employees bring their infected laptops to work the next day, and the infected laptops siphon off sensitive data to a command and control server in China

Anatomy of an attack - Lions at the watering hole

This slide shows an example of a watering hole attack that took place in 2012 and was
subsequently analyzed by the IBM X-Force Research team.

Note: This slide uses animation to sequentially display Steps 1-3.

Attack vectors
• Fraudulent malware download (maybe as part of a JPG, a PDF, or just by visiting a website that
downloads a malicious JavaScript) that is not detected by antivirus software
• Spear phishing - luring people to click on something “interesting”
• Network attack vectors - command and control malware uses “unusual ports” on the client’s
machine to communicate with the remote control server

The next slides look at the timeline, the actual vulnerabilities that were involved, and the malicious
communication scheme.


Anatomy of an attack - Timeline

• July 13-15, 2012
– Several regional consumer financial services websites are hacked
– The hackers plant a hidden iframe on the consumer portal
• July 13-22, 2012
– Customers of the bank are redirected to a malicious download site when they visit to do their online banking
• July 15-18, 2012
– Infections are detected at several IBM clients
– IBM Emergency Response Services are deployed for incident response
– IBM collaborates with the FBI, major antivirus (AV) vendors, and others to protect its clients

[Figure: screenshot of the hidden iFrame]

Anatomy of an attack - Timeline

This slide demonstrates how fast and efficiently the attackers used a zero-day vulnerability to
infiltrate many organizations.

Note: This slide uses animation to sequentially display the bullet point groups.

The next slide talks about the specific vulnerabilities.


Anatomy of an attack - Vulnerable hosts were infected

Attackers used different variants of the Gh0st RAT remote access Trojan horse,
making detection very hard

Variant A
• Exploited a known Microsoft vulnerability (CVE-2012-1889, 6/12/2012)
• Patch for all Microsoft operating systems was released on 7/10/2012
• Variant was not recognized by any AV vendor when IBM first detected it

Variant B
• Exploited a known Java vulnerability (CVE-2012-1723, 6/16/2012)
• Patch was released by Oracle 6/12/2012
• Variant was recognized by McAfee VSE as of July 17, 2012

Anatomy of an attack - Vulnerable hosts were infected

Note: This slide uses animation to display the two variants sequentially.

Sources:

http://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/#gref

http://resources.infosecinstitute.com/gh0st-rat-part-2-packet-structure-defense-measures/#gref

The next slide explains what happens after a computer has been infected.


Anatomy of an attack - Host response

After being infected, compromised hosts made contact with a remote command and control server in China

• Infected machines attempt to communicate with one of two Chinese command and control (C&C) servers, 58.64.155.57 and 58.64.155.59, on ports 53, 80, and 443
• If communications are successfully established, the C&C server gains complete, real-time control of a system on the protected network
• The malware, a remote access Trojan, allows a remote attacker to access data, log system activity, capture key logs, take screenshots, activate the system’s camera, and record from the system’s microphone
• The remote attacker can also drop additional downloads and programs on the controlled machine, and use it as a launching point for further attacks

Anatomy of an attack - Host response

Note: This slide uses animation to sequentially display the bullet points.


Anatomy of an attack - The risk of delaying a response to an attack

If the attack is not detected fast enough, the infected machine becomes the new launch point for deepening the penetration

• The infected machine “legitimately” distributes more malware inside the enterprise network to gain a stronger foothold if detected
• The malware’s first goal is to obtain privileged user identities, which it then uses to gain access to valuable assets inside the enterprise network
• Most attacks use ports and scans that typically are not executed from either the infected machines or user IDs
• After valuable assets are found, they are slowly exfiltrated to not raise any suspicion

Anatomy of an attack - The risk of delaying a response to an attack

Note: This slide uses animation to sequentially display the bullet points. Use the details below to
address controls and countermeasures for each of these attack vectors.

The following details describe how each of these attack vectors can be countered by proper
measures.
• The infected machine “legitimately” distributes more malware inside the enterprise network to gain a stronger foothold if detected
– Endpoint management negation - Additional software gets installed on the machine by the remote malware.
– Control: Endpoint management software should immediately detect any new software deployments, report them, and either remove them or deny the machine network access.
• The malware’s first goal is to obtain privileged user identities, which it then uses to gain access to valuable assets inside the enterprise network
– Privileged user access - If the machine of a privileged user is found, that credential is going to open many doors for the attackers.
– Control: A privileged user access control system can negate the chance of an attacker gaining privileged access, because those IDs have to be signed out through a particular process using multi-factor authentication and other security means.
– Control: If privileged user access is maliciously gained, a data access monitoring solution can recognize that large amounts of privileged data are being accessed in a behavioral pattern that does not reflect usual routines, and report on it.
• Most attacks use ports and scans that typically are not executed from either the infected machines or user IDs
– Network anomalies - Unusual ports or scan activity is detected from IT systems that usually do not display such activity.
– Control: The flow control system shows traffic records involving on-site and off-site IT systems and immediately logs and reports this.
• These attacks are rarely an isolated event, and the attacked organization is one out of many that are being probed by those remote command and control systems.
– Control: Public threat research feeds the recognized IP addresses and ports into a blacklist of malicious hosts that can be incorporated into the organization’s Security Intelligence solution.

Only the correlation of all these single events in near real-time enables an organization to detect
and, hopefully, stop threats before they can be exploited and cause any damage.
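As an added example (not part of the IBM course material), the following Python script implements the three single-source checks listed above and raises an offense only when two or more of them correlate on the same host within a short window. The LEEF-style record layout, the hosts, timestamps, event names and thresholds are assumptions; only the two C&C addresses and the ports 53, 80 and 443 come from the slide earlier in this appendix.

```python
"""Multi-signal correlation over constructed records (added example).

Implements the three single-source checks from the appendix (C&C contact
against a threat-feed blacklist, new software on an endpoint, unusual port
activity) and raises an "offense" only when two or more of them hit the same
host within a short window. Every record, host and threshold below is
constructed for this example; only the two C&C addresses and the ports 53,
80 and 443 come from the slide.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Threat-feed reference set: the C&C hosts and ports named on the slide.
CC_HOSTS = {"58.64.155.57", "58.64.155.59"}
CC_PORTS = {53, 80, 443}
SCAN_PORT_THRESHOLD = 5          # distinct destination ports per host per minute
WINDOW = timedelta(minutes=10)   # window in which signals are correlated

# Constructed records in a LEEF 1.0 layout (header fields separated by "|",
# then tab-separated key=value attributes). Vendor, hosts and times are made up.
SAMPLE_LOGS = [
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:00:05\tsrc=10.1.2.50\tdst=10.1.2.7\tdstPort=445",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:01:10\tsrc=10.1.2.50\tdst=58.64.155.57\tdstPort=443",
    "LEEF:1.0|Example|Endpoint|1.0|SoftwareInstalled|devTime=2012-07-16 09:03:00\tsrc=10.1.2.50\tname=svchost_update.exe",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:04:01\tsrc=10.1.2.50\tdst=10.1.3.9\tdstPort=22",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:04:02\tsrc=10.1.2.50\tdst=10.1.3.9\tdstPort=135",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:04:03\tsrc=10.1.2.50\tdst=10.1.3.9\tdstPort=139",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:04:04\tsrc=10.1.2.50\tdst=10.1.3.9\tdstPort=445",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:04:05\tsrc=10.1.2.50\tdst=10.1.3.9\tdstPort=3389",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 09:05:00\tsrc=10.1.2.61\tdst=203.0.113.10\tdstPort=443",
    "LEEF:1.0|Example|Flow|1.0|Flow|devTime=2012-07-16 11:30:00\tsrc=10.1.2.80\tdst=58.64.155.59\tdstPort=53",
]


def parse_leef(line):
    """Parse one LEEF 1.0 line into a dict with the event ID and its attributes."""
    parts = line.split("|", 5)   # LEEF:1.0, vendor, product, version, event ID, attributes
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError(f"not a LEEF record: {line!r}")
    record = {"event": parts[4]}
    for pair in parts[5].split("\t"):
        key, _, value = pair.partition("=")
        record[key] = value
    record["time"] = datetime.strptime(record["devTime"], "%Y-%m-%d %H:%M:%S")
    return record


def detect_signals(records):
    """Run the three single-source checks; return (time, host, signal) tuples."""
    signals = []
    ports_per_minute = defaultdict(set)  # (host, minute) -> distinct destination ports
    for r in records:
        host = r["src"]
        if r["event"] == "SoftwareInstalled":              # endpoint management signal
            signals.append((r["time"], host, "new_software"))
        elif r["event"] == "Flow":
            port = int(r["dstPort"])
            if r["dst"] in CC_HOSTS and port in CC_PORTS:  # threat-feed blacklist hit
                signals.append((r["time"], host, "cc_contact"))
            ports_per_minute[(host, r["time"].replace(second=0))].add(port)
    for (host, minute), ports in ports_per_minute.items():  # network anomaly signal
        if len(ports) >= SCAN_PORT_THRESHOLD:
            signals.append((minute, host, "port_scan"))
    return signals


def correlate(signals):
    """Map host -> sorted signal types when >= 2 distinct types fall inside WINDOW."""
    by_host = defaultdict(list)
    for time, host, kind in sorted(signals):
        by_host[host].append((time, kind))
    offenses = {}
    for host, items in by_host.items():
        for i, (start, _) in enumerate(items):
            kinds = {kind for time, kind in items[i:] if time - start <= WINDOW}
            if len(kinds) >= 2:          # a single hit stays a signal, not an offense
                offenses[host] = sorted(kinds)
                break
    return offenses


def run(lines):
    """Parse raw lines, detect single signals, and return the correlated offenses."""
    return correlate(detect_signals(parse_leef(line) for line in lines))


if __name__ == "__main__":
    for host, kinds in run(SAMPLE_LOGS).items():
        print(f"offense on {host}: {', '.join(kinds)}")
```

On the constructed sample, host 10.1.2.80 contacts a blacklisted address once and remains a single signal, while 10.1.2.50 shows all three signals within ten minutes and becomes the only offense.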

The next slide summarizes those challenges in a broader term.


Apply Big Data to Security Intelligence and threat management

[Figure: data sources ordered from basic maturity (logs, events, alerts; configuration information; system audit trails; identity context; network flows and anomalies) to optimized maturity (external threat intelligence feeds; full packet and DNS captures; web page text; business process data; email and social activity; customer transactions)]

Collection, storage, and processing
– Collection and integration
– Size and speed
– Enrichment and correlation

Analytics and workflow
– Visualization
– Unstructured analysis
– Learning and prediction
– Customization
– Sharing and export

Global intelligence
– Campaign identification
– IP reputation covering attacker, industry, and region
– Comparisons
– Anomaly detection

Apply Big Data to Security Intelligence and threat management

Generally, security intelligence has focused on real-time or near-real-time security analysis, but
now new motivations exist for extending the role of security intelligence.

First, data is available to be processed; security data will need to be persisted for longer times to
detect longer-running attack patterns. New cyberdata sources have more security relevance now,
such as DNS. Business application data can be correlated with security data and unstructured
content.

Second, there is a need for more advanced analytics that do not make sense to employ in a
real-time environment. Deeper analysis performed by sophisticated algorithms, such as
regression analysis or predictive algorithms, will be longer running and might offer greater security
insights. Newer analytical behaviors on the part of security analysts also need to be supported.


A dynamic, integrated system to help detect and stop advanced threats

Attack Chain
1 Break-in
2 Latch-on
3 Expand
4 Gather
5 Exfiltrate

A dynamic, integrated system to help detect and stop advanced threats

From the previous slides, you learned about the typical “attack chain.”

Having heard about the chaos throughout the overall IT security domain, you should now
understand that you must design a proper security solution that can help you prevent some of the
break-ins, and quickly detect the remaining ones to devise proper responses to mitigate the overall
impact to your IT operations.

The IBM QRadar solution focuses mainly on the Detect phase.

From here, you can cycle back to Unit 1: Introduction.


Summary
Now you should be able to perform the following tasks:
• Investigate the anatomy of an attack


Summary

Appendix B IBM QRadar architecture

IBM QRadar architecture


Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning how
the central Security Intelligence components are designed to take in and process log events and
flow data, you will be better equipped to holistically work as a Security Analyst.

In this unit we start at the functional architecture level and explain how IBM QRadar was designed
as a modular Security Intelligence solution from the ground up. After taking a look at this modular
design, its extensibility and deployment pattern, we closely examine the component architecture so
that the analyst understands how data is ingested and processed. When the analysts later examine
bits and pieces of a larger security incident investigation, this architectural understanding can
substantially enhance their capability for detailed and fast analysis.


Objectives
In this unit, you learn to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture

Appendix: Extended component architecture and data flows © Copyright IBM Corporation 2017

Objectives

Lesson 1 QRadar functional architecture and deployment models

Lesson: QRadar functional architecture and deployment models

This lesson explains the QRadar functional architecture and deployment models. It shows how
IBM QRadar was designed as a modular Security Intelligence solution from the ground up.


Functional solution requirements

• IT Log Management
– Collect and securely archive log event and network flow records for forensic analysis
• IT Regulatory Compliance
– Collect and securely archive log records for audit and compliance
– Generate reports required by internal or external regulations to successfully pass compliance audits
• IT Internal monitoring
– Frequently collect, correlate, and analyze data to alert on security policy violations
• Security breach detection
– Analyze data to detect and alert on IT security risk management related issues

Functional solution requirements

In order to describe the functional components of the IBM QRadar solution you need to understand
the basic functional requirements for an overall SIEM solution.

The first requirement addresses IT log management for forensic analysis. The archived event and
network flow records are used to analyze incidents and gather evidence. The data must be
collected and stored reliably in its original format to stand up as evidence in a court of law or to be
used for compliance reporting. Also, the data must be archived for several years and it must be
searchable.

To fulfill the compliance audit requirement, the archived data is used to prove that relevant audit
information has been collected and securely stored. Furthermore, the data must be used to create
reports required by the regulation, and the regulatory compliance reports must be stored for a
period of time.

The next requirement addresses IT internal monitoring to alert on security policy violations. This in
itself requires an organizational IT Security Policy that defines appropriate use of the IT
environment. High risk offenses to the policy must be identified and reported upon, and offenses
must be managed. IT usage that is not in compliance with the policy must be reported upon.

The most prevalent requirement today, however, revolves around IT security risk management for
the overall organization. All of the previously described functional requirements apply here as well.
In addition, an extensive knowledge of the IT environment, and the threats to which it is exposed, is
required. To perform anomaly detection it is also necessary to understand data patterns within the
captured events and network flows.


An integrated, unified architecture in a single console


An integrated, unified architecture in a single console

The QRadar console is the central interface for all analyst related tasks. It provides a number of
tabs that allow insight into different views of the collected and correlated data.

No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console, with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.
• Dashboard
The Dashboard tab allows an organization to define many different views into the collected and
processed data. QRadar provides many predefined dashboards, but you can create and
maintain your own.
• Offenses
Use the Offenses tab to view all the offenses that occur on your network and complete the
following tasks:
– Investigate offenses, source and destination IP addresses, network behaviors, and
anomalies on your network
– Correlate events and flows that are sourced from multiple networks to the same destination
IP address
– Go to the various pages of the Offenses tab to investigate event and flow details
– Determine the unique events that caused an offense
• Log Activity

The Log Activity tab displays event information as records from a log source, such as a firewall
or router device. Use the Log Activity tab to do the following tasks:
– Investigate event data
– Investigate event logs that are sent to QRadar SIEM in real time
– Search events
– Monitor log activity by using configurable time-series charts
– Identify false positives to tune QRadar SIEM
• Network Activity
If the content capture option is enabled, the Network Activity tab displays information about
how network traffic is communicated and what was communicated. Here, you can do the
following tasks:
– Investigate the flows that are sent to QRadar SIEM in real time
– Search network flows
– Monitor network activity by using configurable time-series charts
• Assets
QRadar automatically creates asset profiles by using passive flow data and vulnerability data to
discover your network servers and hosts.
Asset profiles provide information about each known asset in your network, including the
services that are running. Asset profile information is used for correlation purposes, which helps
to reduce false positives.
Use the Assets tab to do the following tasks:
– Search for assets
– View all the learned assets
– View identity information for learned assets
– Tune false positive vulnerabilities
• Reports

Report templates are grouped into report types, such as compliance, device, executive, and
network reports. Use the Reports tab to complete the following tasks:
– Create, distribute, and manage reports for QRadar SIEM data
– Create customized reports for operational and executive use
– Combine security and network information into a single report
– Use or edit preinstalled report templates
– Brand your reports with customized logos. Branding is beneficial for distributing reports to
different audiences
– Set a schedule for generating both custom and default reports
– Publish reports in various formats
• Vulnerabilities
If the QRadar Vulnerability Manager license has been deployed, you will see a Vulnerabilities
tab, which you can use for the following tasks:
– Create and manage Scan Policies and Scan Profiles
– Execute vulnerability scans for your deployed assets
– Create, distribute, and manage vulnerability reports to stakeholders
– Integrate with endpoint management systems to fix vulnerabilities
• Admin
The Admin tab provides all tools to manage and maintain the QRadar deployment. Analysts
typically do not have access to these tools.

The example in this screen shot depicts the integration of the QRadar console with QRadar
Vulnerability Manager on the Dashboard tab.

Designed to integrate Log Management, SIEM, Vulnerability and Risk Management, Incident
Forensics, and an extensible application framework into one solution, QRadar Security Intelligence
can deliver a large log management scale without any compromise on SIEM “Intelligence.”

As a QRadar analyst you can switch from log events, to network flows, to risk and compliance
policy reports and prioritized lists of network wide vulnerabilities, and complete analysis of incidents
after an offense has occurred. This allows an organization to reduce the time before an initial
breach is detected and avoid the actual exploit.


Identifying suspected attacks and policy violations

[Figure: the questions an analyst can answer from an offense record]
• What was the attack?
• Is the attack credible?
• Where are they located?
• Who was responsible for the attack?
• How valuable are the targets to the business?
• What was stolen and where is the evidence?
• How many targeted assets are involved?
• Are any assets vulnerable?

Identifying suspected attacks and policy violations

IBM QRadar SIEM can analyze large amounts of data and uses context to transform it into useful,
actionable information as is depicted in this slide.

Here is what you can see as a security analyst when you begin to investigate an offense record that
was triggered by a correlation rule. You can quickly investigate the who, what, and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.

IBM QRadar SIEM provides strong event-management and analysis capabilities and is very
effective in detecting threats because it can leverage a broad range of data, analyze it, and apply
context from an extensive range of sources. This helps to reduce false positives, report on actual
exploits, and show what kind of activity is taking place. This can result in faster threat detection and
response.

QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context
in which systems are operating. That context includes security and network device logs,
vulnerabilities, configuration data, network traffic telemetry, application events and activities, user
identities, assets, geolocation, and application content. This activity generates a staggering amount
of data, which makes the automation in QRadar very important because it can correlate this large
amount of data down to a small number of actionable offenses.

QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.

QRadar uses intelligence, automation, and analytics to provide actionable security information
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, vulnerabilities, evidence for forensics, and so on.


Providing functional context


To enable security analysts to perform investigations, QRadar SIEM correlates information such as:
• Point in time
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics


Providing functional context

The previous slide showed what a typical security analyst can see after QRadar SIEM analyzed
large amounts of data and used context to transform this data into useful, actionable information.

This slide provides an overview of where all this data is coming from.
• Point in time
Everything that QRadar investigates needs to provide an exact point in time. This timestamp
allows QRadar to correlate the most complex relationships between disparate log sources and
network flows to present those as one connected event.
• Offending users
QRadar extracts user information wherever possible allowing an analyst to further investigate
individual users. QRadar also uses this information for user behavioral analytics.
• Origins
The origin represents the starting point for all QRadar correlation activity. The origin is captured
as an IP address.
• Targets
The target represents the final point for all QRadar correlation activity. The target is captured as
an IP address.
• Asset information
QRadar maintains a centralized asset database that is used to record a variety of details for
each asset that has been discovered. Assets can be discovered in two ways. Actively, by using

vulnerability scans with QRadar Vulnerability Manager, or passively through network flow
records. Asset data can also be imported by using other enterprise tools for asset management.
Details can include IP address, host name, running applications and services, as well as
vulnerabilities.
• Vulnerabilities
QRadar maintains a list of vulnerabilities for each asset. These can be discovered either by
using QRadar Vulnerability Manager or any other third-party vulnerability management solution.
Asset-related vulnerabilities are used for QRadar correlations and analytics, and they can
influence several factors throughout the incident management process.
• Known threats
QRadar is able to connect to external threat feeds, such as the IBM X-Force Exchange. This
threat information can also be used for QRadar correlations and analytics to influence the
incident management process.
• Behavioral analytics
Using some of the data mentioned above in combination with other information collected across
the enterprise, QRadar can analyze user behavior and alert whenever abnormal activity has been
detected.
• Cognitive analytics

After all this data has been correlated, it is presented to the analysts in the QRadar Console. If a
particularly important threat is discovered, an analyst has to investigate it with the utmost urgency.
To support this task, QRadar now provides Cognitive Analytics. This capability augments a security
analyst's ability to identify and understand sophisticated threats by tapping into unstructured data
(such as blogs, websites, research papers) and correlating it with local security offenses.

Network flow analytics


• Provides insight into raw network traffic: attackers can interfere with logging to erase their
tracks, but they cannot cut off the network (flow data)
• Allows deep packet inspection for Layer 7 flow data: pivoting, drill-down, and data-mining
activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems


Network flow analytics

While log events are critical, they can leave gaps in visibility. When attackers compromise an IT
system, they first turn off logging to cover their tracks. Traditional SIEMs are blind at this point.
However, no attacker can disable the network without cutting themselves off as well.

Network flow analytics in QRadar allows deep packet inspection for OSI Layer 7 flow data, which
can contain very helpful information for advanced forensics. Network flow information helps to
detect communication flow anomalies, zero-day attacks that have no signature yet, and provides
visibility into all attacker communications.

Using passive monitoring, flow analytics builds up an asset database and profiles your assets. For
example, an IT system that has responded to a connection on port 53 UDP is obviously a DNS
server. Another IT system that has accepted connections on ports 139 or 445 TCP is a Windows
server.

Adding application detection can confirm this not only at the port level, but at the application data
level as well.

Source: To learn more about the OSI Layer model, see:
http://searchnetworking.techtarget.com/definition/OSI


Extensible functional architecture

Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson


Extensible functional architecture

The QRadar functional architecture is extensible by design. The framework allows you to add on
additional functionality as needed in an organization.

Security analysts today are increasingly overwhelmed by the amount of data that requires
investigation and by the mounting time pressure to act. Cognitive analytics augments your analysts’
knowledge and insights with QRadar Advisor with Watson. It speeds up analysis with visuals, query,
and auto-discovery across the platform, where you can inspect events, flows, users, and more, by
tapping into unstructured data (such as blogs, websites, research papers) and correlating it with
local security offenses.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Cognitive Analytics now.


Cognitive Analytics: Revolutionizing how security analysts work


• Natural language processing with security that understands, reasons, learns, and interacts
• Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends
results to the incident response team


Cognitive Analytics: Revolutionizing how security analysts work

The cognitive era is here. “Digital everything” means that technology’s number one job in business
now is handling and responding to data. Cognitive capabilities are being applied to security to
establish a relationship between machines and humans. The role of technology can now change
from enabler to advisor. We are ushering in this new era of cognitive security to out-think and
outpace threats with security that understands, reasons, and learns.

IBM Watson enables fast and accurate analysis of security threats, saving precious time and
resources. This empowers analysts to perform faster investigations and clear their backlog more
easily. It will also help to increase the investigative skills of individual analysts over time.

With the help of IBM Watson, security analysts will be able to spend less time on the mundane
tasks of manual and time consuming threat analysis, and more time being human.


Extensible functional architecture

Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson

Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps


Extensible functional architecture

QRadar provides open APIs to allow for custom integrations and applications, which can be found
at the IBM Security App Exchange. One example here is the User Behavior Analytics app, which is
available free of charge and provides early visibility to insider threats.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Open Ecosystem now.


Open Ecosystem and Collaboration


• Application extensions to enhance visibility and productivity
• https://exchange.xforce.ibmcloud.com

Open Ecosystem and Collaboration

Today’s attackers share tools. They collaborate in creating malware that is difficult to discover.

On the defensive side, organizations have to deal with a large number of siloed security solutions
from an equally large number of vendors. It is estimated that an average enterprise can have up to
85 security products from 40 vendors. With this mix, it is difficult to link the products together so
they can support each other.

To fill this gap, IBM has introduced the IBM Security App Exchange. The exchange is a marketplace
for the security community to create and share applications that integrate with IBM Security
solutions. The first offering in which customers, business partners, and other developers can build
custom apps is QRadar.

Releasing application programming interfaces (APIs) and software development kits for QRadar
fosters the integration with third-party technologies. This provides organizations with better visibility
into more types of data, and also offers new automated search and reporting functions that can
help security specialists focus on the most pressing threats.

The IBM Security App Exchange has a number of customized apps that extend security analytics
into areas like user behavior, endpoint data, and incident visualization.

Before releasing an app, IBM Security closely tests every application to ensure the integrity of
these community contributions.

In the future the App Exchange will offer the opportunity to produce apps for additional IBM Security
products.


Extensible functional architecture

Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson

Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps

Deep Threat Intelligence and Analysis
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative portal and STIX / TAXII standards

Extensible functional architecture

You can further extend the QRadar functionality with threat intelligence data and analytic functions
from the IBM X-Force Exchange and the IBM i2 Enterprise Insight Analysis solution.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Deep Threat Intelligence and Analysis now.


Deep Threat Intelligence


• Crowd-sourced information sharing based on 700+TB of threat intelligence
• https://exchange.xforce.ibmcloud.com

Deep Threat Intelligence

One element that the offensive side has mastered is collaboration. According to the United Nations
Office on Drugs and Crime, upwards of 80% of cybercrime acts are estimated to originate in some
form of organized activity. Cyber criminals have learned to collaborate. They share vulnerability,
targeting, and countermeasure information. They also share tools to ensure that their attacks can
be successful. Collaboration is a force multiplier for the hacking community. Organizations have
been using threat intelligence in an effort to stay abreast of the threats, but these efforts are limited.
Succeeding requires much more information, shared among security professionals, researchers,
and practitioners.

IBM has built a collaboration platform called the X-Force Exchange to facilitate the collaboration that
will allow organizations to have a much greater understanding of threats and actors. X-Force
Exchange is a cloud-based threat intelligence sharing platform that enables users to rapidly
research the latest global security threats, aggregate actionable intelligence, consult with experts
and collaborate with peers. IBM X-Force Exchange provides timely, curated threat intelligence
insights, which adds context to machine-generated data. The platform facilitates making
connections with industry peers to validate findings and research threat indicators.

Leveraging the open and powerful infrastructure of the cloud, users can collaborate and tap into
over 700 terabytes of information from multiple data sources. This includes one of the largest and
most complete catalogs of vulnerabilities in the world, threat information based on monitoring of
more than 15 billion security events per day, and malware threat intelligence from a network of
270 million endpoints. This threat information is based on over 25 billion web pages and images
and deep intelligence on more than 8 million spam and phishing attacks.

Source: https://exchange.xforce.ibmcloud.com


Scalable appliance/software/virtual architecture


SIEM
• Log, flow, vulnerability, and identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight and forensics
• Physical and virtual environments

Network Insights
• Configurable network traffic analysis for real time threat detection and long-term retrospective
analysis

Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning and prioritization
• Predictive threat modeling and simulation

Scalability
• Event processors for remote site
• High Availability and Disaster Recovery (HADR)
• Data node to increase storage and performance

Network Forensics (Incident Forensics)
• Reconstructs network sessions
• Data pivoting and visualization tools
• Accelerated clarity around who, what, and when

Scalable appliance/software/virtual architecture

Security Intelligence can be delivered through a family of QRadar products.


• For many organizations, the starting point is to address the log management challenge, which
is why IBM offers a family of “log management only” appliances. These log management
appliances can be upgraded to full SIEM capability by configuring an additional license key.
• The full SIEM implementation provides integration of log management with threat, fraud,
network, and security intelligence. Network activity data, vulnerability assessment, and external
threat data are added as data sources along with sophisticated correlation and behavioral
analytics.
• For application layer visibility and forensic content capture, the QFlow and VFlow flow collectors
can be deployed in physical or virtual infrastructures. These appliances provide extensive
application-level surveillance of all activity at key locations.
• QRadar Network Insights can provide configurable network traffic analysis for real time threat
detection and long-term retrospective analysis to detect insider threats, data exfiltration and
malware activity.
• Risk and Vulnerability management capabilities can be activated by configuring additional
license keys. Risk Manager requires an additional dedicated appliance as well, while
Vulnerability Manager can be deployed on existing appliances. Risk Manager provides network
security configuration monitoring, while Vulnerability Manager focuses on vulnerability scanning
and prioritization. Together they can be used for predictive threat modeling and simulation.
• For some organizations, the full SIEM scale can be met with a single appliance; for others who
have higher scale, or remote collection and storage requirements, QRadar processors enable
massive deployments. This horizontal, stackable expansion supports a massive scale and
geographic distribution, while maintaining exactly the same user experience.

Network Forensics appliances allow you to fully reconstruct network sessions that can provide
clarity around questions like “who”, “what”, and “when” in great detail.


Deployment models

All-in-One (2100/31XX)

Distributed deployment:
• Console (31XX)
• Event Processor (16XX)
• Flow Processor (17XX)
• QFlow Collector (12XX/13XX)

All-in-One is a single appliance used to collect events and flow data from various security and
network devices, perform data correlation and rule matching, report on alerts and threats, and
provide all administrative functions through a web browser.

A Distributed deployment consists of multiple appliances for different purposes:
• Event Processor to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network
devices; optional QFlow Collector is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all
administrative functions

Deployment models

Based on the previously introduced functional requirements and the layout of an organization’s IT
infrastructure, different types of appliances are available to address different deployment models.
The selection depends on the amount of collected and processed events, data storage estimations,
high availability and disaster recovery requirements, organizational network topology, and other
factors.

An all-in-one deployment uses a single appliance to collect events and flow data from various
security and network devices, perform data correlation and rule matching, report on alerts and
threats, and provide all administrative functions through a web browser.

A distributed deployment consists of multiple appliances for different purposes. You can deploy
Event Collectors and Processors to collect, process, and store log events. Flow Collectors and
Processors are used to collect, process, and store several kinds of flow data generated from
network devices, and optionally, you can deploy QFlow Collectors to collect Layer 7 application
data. A Console is used to correlate data from managed processors, generate alerts and reports,
and provide all administrative functions.

The remainder of this course material does not pay any closer attention to the exact appliance
configurations and models that are currently available.

Lesson 2 QRadar SIEM component architecture


This lesson describes the high-level architecture of the major IBM QRadar SIEM components,
including the flow collector, event collector, event processor, and console. You also learn about the
flow of a captured event.


Architecture overview
• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
• Dissecting the flow of a captured event


High-level component architecture and data stores


Console services: User interface, Magistrate, Reporting
Console data stores: Identities, Assets, Offenses, Configuration
Event processor data stores: Flows, Events, Accumulations
Flow collector input: Network packet interface, sFlow, and 3rd party
Event collector input: Events from log sources

• Flow and event data is stored in the Ariel database on the event processors
  - If accumulation is required, accumulated data is stored in Ariel accumulation data tables
  - As soon as data is stored, it cannot be changed (tamper proof)
  - Data can be selectively indexed
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the
Console
  - Provides one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported

High-level component architecture and data stores

Let us begin by looking at the high level architecture one more time. (We have already done this
briefly on slide 5)

Events from individual log sources and network flow data are collected by the QRadar Event and
Flow Collectors. Once the flow and event data is forwarded to the Event Processor, it is stored in the
Ariel database on the Event Processor. If accumulation is required, the accumulated data is stored
in Ariel accumulation data tables. To fulfill the tamper-proof data storage requirements of compliance
mandates, data cannot be changed once it is stored in the Ariel database. At any point in
time, data can be selectively indexed to support specific search and report requirements.

Once the Event Processor is finished processing, the data is passed on to the QRadar Console,
where further consolidated processing occurs. Offenses, assets, identity, and configuration
information are stored in the master PostgreSQL database on the Console. There is one master
database with optional copies on each processor for backup and automatic restore.

Secure SSH communication between appliances in a distributed environment is supported.


Flow collector architecture


Flow collector pipeline (bottom to top):
1. Raw data packets received (NetFlow, sFlow, NIC, and so on)
2. QFlow: flow data packets
3. Aggregator (enforce license limit)
4. Application Detection Module (appId = eventId)
5. Flow reporting and routing: create superflows
6. To Event Processor every 60 seconds

• A flow is a record of a conversation between two devices on a network
• Flow data packets are collected from a variety of network device vendors and directly from the
network interface
• Collected flow data can update asset profiles with the ports and services that are running on
each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address
127.0.0.4/5
• (Custom) applications are detected
• Superflows are created
• QFlow provides Layer 7 insights into the payload if it is unencrypted

Flow collector architecture

A network flow record provides information about a conversation between two devices using a
specific protocol, and can include fields that provide details about the conversation. Examples
include the source and destination IP addresses, the port, and other fields.

Flow data packets can be collected from a variety of network device vendors, and directly from the
network interface. Collected flow data can update asset profiles with the ports and services that are
running on each host. If a new host is detected through network flow data, a new asset is created in
the QRadar Asset database.

Next in line is the Aggregator. This component enforces the license limit for the Flow Collector,
which is measured in “flows per minute”, or FPM. If the license limit is exceeded, flows are
temporarily stored in an overflow buffer, which will be processed with the next set of flows. Every
log source protocol has an overflow buffer of 5 GB, and if the overflow buffer fills up, the additional
flows are dropped.
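The Aggregator's license enforcement described above, modelled as an added Python example (not QRadar's code): the 5-flow-per-minute limit, the 300-byte buffer and the per-flow size are constructed so that the carry-over and the drop are visible. The sustained-burst case shows that once the buffer is full, every further minute over the limit drops flows steadily.

```python
from collections import deque
from typing import Dict, List, Sequence


class FlowAggregator:
    """Toy model of FPM license enforcement with an overflow buffer.

    Constructed for this example; it is not QRadar's implementation.
    """

    def __init__(self, fpm_limit: int, buffer_bytes: int, bytes_per_flow: int):
        self.fpm_limit = fpm_limit                          # flows per minute the license allows
        self.buffer_capacity = buffer_bytes // bytes_per_flow  # buffer size expressed in flows
        self.overflow: deque = deque()                      # flows held back for the next interval
        self.total_dropped = 0

    def process_minute(self, incoming: List[str]) -> Dict[str, int]:
        """Process one 60-second interval and report what happened to the flows."""
        budget = self.fpm_limit
        forwarded: List[str] = []
        # 1. Flows buffered during the previous interval are processed first.
        while self.overflow and budget > 0:
            forwarded.append(self.overflow.popleft())
            budget -= 1
        # 2. Then this interval's flows, up to the remaining license budget.
        forwarded.extend(incoming[:budget])
        excess = incoming[budget:]
        # 3. Excess goes into the overflow buffer until it is full; the rest is dropped.
        room = self.buffer_capacity - len(self.overflow)
        self.overflow.extend(excess[:room])
        dropped = max(0, len(excess) - room)
        self.total_dropped += dropped
        return {"forwarded": len(forwarded), "buffered": len(self.overflow), "dropped": dropped}


def simulate(fpm_limit: int = 5, buffer_bytes: int = 300, bytes_per_flow: int = 100,
             minutes: Sequence[int] = (10, 2, 0)) -> List[Dict[str, int]]:
    """Feed one batch of constructed flow IDs per minute and collect the per-minute report."""
    agg = FlowAggregator(fpm_limit, buffer_bytes, bytes_per_flow)
    return [agg.process_minute([f"flow{m}-{i}" for i in range(n)])
            for m, n in enumerate(minutes)]


if __name__ == "__main__":
    for minute, report in enumerate(simulate(), start=1):
        print(f"minute {minute}: {report}")
    print("sustained burst:", simulate(minutes=(8, 8, 8)))
```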

The Application Detection Module uses four methods of determining the application of the flow.
• The first is the User Defined method.
This method is mainly used when users have a proprietary application running on their network.
For example, all traffic going to host 10.100.100.42 on port 443 is recognized to be
MySpecialApplication.
• The second method uses State-based decoders.
This method is implemented in the QRadar source code. It determines the application by
analyzing the payload for multiple markers, for example, if you see A followed by B, then
application = X; and if you see A followed by C, then application = Y.
• The next method uses Signature matching.
This method relies on basic string matching in the payload (see the Application Configuration
Guide for signature customization).
• The final method uses Port-based matching.
In this case, applications are matched based on their port use, for example, port 80 = http.
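The four detection methods above, tried in the order the text lists them, as an added Python example (not QRadar's implementation): the user-defined rule table, the toy state decoder with its HELO/AUTH/DATA markers, the signature list and the sample flows are all constructed, and the precedence order is an assumption. The TLS flow shows why the Layer 7 methods fall through to port matching when the payload is encrypted.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Flow:
    """One flow record as seen by the Application Detection Module (constructed)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # empty for NetFlow/sFlow-only flows; opaque when encrypted


# 1. User-defined: (destination IP, destination port, protocol) -> application.
#    Mirrors the text's example: traffic to 10.100.100.42:443 is MySpecialApplication.
USER_DEFINED = {
    ("10.100.100.42", 443, "tcp"): "MySpecialApplication",
}


# 2. State-based decoder: marker A followed by B -> X, A followed by C -> Y.
#    Toy decoder written for this example; QRadar's real decoders are not shown.
def toy_state_decoder(payload: bytes) -> Optional[str]:
    pos_a = payload.find(b"HELO")            # marker A
    if pos_a < 0:
        return None
    rest = payload[pos_a + len(b"HELO"):]
    if b"AUTH" in rest:                      # marker B after A
        return "ToyProto-Auth"
    if b"DATA" in rest:                      # marker C after A
        return "ToyProto-Transfer"
    return None


STATE_DECODERS: List[Callable[[bytes], Optional[str]]] = [toy_state_decoder]

# 3. Signature matching: plain byte-string search in the payload (constructed signatures).
SIGNATURES = [
    (b"SSH-2.0-", "ssh"),
    (b"HTTP/1.", "http"),
]

# 4. Port-based fallback (constructed subset of a port table).
PORT_TABLE = {
    ("tcp", 22): "ssh",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("udp", 53): "dns",
}


def detect_application(flow: Flow) -> Tuple[str, str]:
    """Return (application, method) from the first method that yields a match."""
    key = (flow.dst_ip, flow.dst_port, flow.proto)
    if key in USER_DEFINED:
        return USER_DEFINED[key], "user-defined"
    for decoder in STATE_DECODERS:
        app = decoder(flow.payload)
        if app is not None:
            return app, "state-based"
    for needle, app in SIGNATURES:
        if needle in flow.payload:
            return app, "signature"
    app = PORT_TABLE.get((flow.proto, flow.dst_port))
    if app is not None:
        return app, "port-based"
    return "unknown", "none"


def classify_all(flows: List[Flow]) -> List[Tuple[str, str]]:
    return [detect_application(f) for f in flows]


# Constructed sample flows, one per outcome
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.100.100.42", 51000, 443, "tcp"),                   # user-defined rule
    Flow("10.0.0.5", "10.0.9.9", 51001, 9000, "tcp", b"HELO\nAUTH user"),   # A then B
    Flow("10.0.0.5", "10.0.9.9", 51002, 9000, "tcp", b"HELO\nDATA 4096"),   # A then C
    Flow("10.0.0.6", "10.0.9.10", 51003, 2222, "tcp", b"SSH-2.0-OpenSSH"),  # signature, odd port
    Flow("10.0.0.6", "10.0.9.11", 51004, 443, "tcp", b"\x16\x03\x01"),      # TLS: no L7 markers
    Flow("10.0.0.6", "10.0.9.12", 51005, 31337, "udp"),                     # nothing matches
]

if __name__ == "__main__":
    for flow, (app, method) in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f"{flow.dst_ip}:{flow.dst_port}/{flow.proto} -> {app} ({method})")
```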

Finally, the flow data packets reach the Flow reporting and routing component. This component
is responsible for creating superflows. A superflow stores a single flow record together with the
collection of IP addresses it covers, which makes flow processing faster and requires less storage
space. There are three types of superflows.
• Type A superflows contain a single source and multiple destination addresses with the same
destination port, byte count, and source flags or ICMP codes. An example for a type A
superflow is a network sweep.
• Type B superflows contain multiple source and a single destination address with the same
destination port, byte count, and source flags or ICMP codes. An example for a type B
superflow is a Distributed Denial of Service attack.
• Type C superflows contain a single source and destination address with changing source and
destination ports. An example for a type C superflow is a port scan.

Specific rule tests can leverage the flow type to determine if an offense needs to be created. The
creation of superflows can be disabled.
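The three superflow types, implemented as an added Python grouping over sample flow records (not QRadar's code): the MIN_MEMBERS threshold, the field names, and the sweep, DDoS and port-scan samples are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class FlowRec:
    """Minimal flow record with the fields the superflow rules compare (constructed)."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str        # "tcp", "udp" or "icmp"
    byte_count: int
    flags: str        # TCP flags, or ICMP type/code for icmp


@dataclass
class Superflow:
    kind: str              # "A", "B" or "C"
    members: List[FlowRec]  # the individual flows collapsed into this one record

    @property
    def sources(self) -> set:
        return {f.src for f in self.members}

    @property
    def destinations(self) -> set:
        return {f.dst for f in self.members}


# Minimum number of distinct members before flows are collapsed.
# Assumed for this example; the real threshold is not given in the text.
MIN_MEMBERS = 3


def _collapse(flows: List[FlowRec], kind: str, key_fn: Callable, distinct_fn: Callable
              ) -> Tuple[List[Superflow], List[FlowRec]]:
    """Group flows by key_fn; groups with enough distinct members become one Superflow."""
    groups: Dict[tuple, List[FlowRec]] = defaultdict(list)
    for f in flows:
        groups[key_fn(f)].append(f)
    superflows, leftover = [], []
    for members in groups.values():
        if len({distinct_fn(f) for f in members}) >= MIN_MEMBERS:
            superflows.append(Superflow(kind, members))
        else:
            leftover.extend(members)
    return superflows, leftover


def build_superflows(flows: List[FlowRec]) -> Tuple[List[Superflow], List[FlowRec]]:
    """Apply the type A, B and C rules in turn; returns (superflows, remaining single flows)."""
    result: List[Superflow] = []
    # Type A: single source, many destinations, same dst port / byte count / flags
    sf, rest = _collapse(flows, "A",
                         lambda f: (f.src, f.proto, f.dst_port, f.byte_count, f.flags),
                         lambda f: f.dst)
    result += sf
    # Type B: many sources, single destination, same dst port / byte count / flags
    sf, rest = _collapse(rest, "B",
                         lambda f: (f.dst, f.proto, f.dst_port, f.byte_count, f.flags),
                         lambda f: f.src)
    result += sf
    # Type C: single source and destination, TCP/UDP only, changing src/dst ports
    tcp_udp = [f for f in rest if f.proto in ("tcp", "udp")]
    others = [f for f in rest if f.proto not in ("tcp", "udp")]
    sf, rest = _collapse(tcp_udp, "C",
                         lambda f: (f.src, f.dst, f.proto),
                         lambda f: (f.src_port, f.dst_port))
    result += sf
    return result, rest + others


# Constructed sample: a network sweep, a DDoS, a port scan and one ordinary connection
SAMPLE = (
    [FlowRec("10.0.0.7", f"10.0.1.{i}", 40000 + i, 445, "tcp", 60, "S") for i in range(1, 6)]
    + [FlowRec(f"172.16.0.{i}", "10.0.2.9", 50000 + i, 80, "tcp", 40, "S") for i in range(1, 6)]
    + [FlowRec("10.0.0.7", "10.0.3.3", 41000 + p, p, "tcp", 60, "S") for p in (21, 22, 23, 25)]
    + [FlowRec("10.0.0.20", "10.0.2.9", 52000, 443, "tcp", 5120, "SA")]
)


def summarize(flows: List[FlowRec]) -> Dict[str, int]:
    """Count superflows per type plus the flows that stayed individual."""
    superflows, singles = build_superflows(flows)
    return {"A": sum(s.kind == "A" for s in superflows),
            "B": sum(s.kind == "B" for s in superflows),
            "C": sum(s.kind == "C" for s in superflows),
            "single": len(singles)}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```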

Up to a configurable number of bytes, QFlow provides Layer 7 insights into the payload if it is
unencrypted. Using a tap or SPAN port, QFlow collects raw packets and places them into 60-second
chunks. QFlow can also receive Layer 4 flows from other network devices in IPFIX/NetFlow, sFlow,
J-Flow, Packeteer, and Flowlog file accounting technologies.

Note: The following slides contain some additional information about the Flows per minute
burst handling, application detection, and Superflows. The explanations for these slides have
already been incorporated in this overview slide.


Flows per minute (FPM) burst handling

• Flows are temporarily stored in an overflow buffer if the FPM license is exceeded
• Every log source protocol has an overflow buffer of 5 GB
• If the overflow buffer fills up, the additional flows are dropped

Application detection
Methods of determining the application of the flow
• User defined
  - This method is mainly used when users have a proprietary application running on their network
  - For example: All traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication
• State-based decoders
  - This method is implemented in the source code and determines the application by analyzing the payload for
multiple markers
  - For example: If you see A followed by B then application = X; if you see A followed by C, then application = Y
• Signature matching
  - Basic string matching in the payload
  - Custom signatures are allowed (see Application Configuration Guide for signature customization)
• Port-based matching (port 80 = http, and so on)


Superflows
• Types of superflows
  - Type A: Single SRC, Multiple DST; same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes
(for example, network sweeps)
  - Type B: Multiple SRC, Single DST; same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes
(for example, DDoS attacks)
  - Type C: Single SRC and DST, TCP/UDP only, changing SRC/DST ports
(for example, port scans)
• Only store the single flow with the collection of IP addresses
• Specific rule tests can leverage the flow type to determine if an offense needs to be created
• Creation of superflows can be disabled
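The three superflow types above differ only in which field is held constant and which one varies. The following added example (Python; not QRadar's code and not from the course) groups constructed flow records by those criteria and collapses each qualifying group into a single record that carries the collection of addresses or ports, which is the storage saving the slide describes. The grouping threshold and the sample flows are constructed.

```python
# Added example (not QRadar code): grouping raw flow records into the three
# superflow types from the slide. The threshold and sample flows are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "tcp", "udp" or "icmp"
    bytes: int   # byte count of the flow
    flags: str   # TCP flags or ICMP type/code, as a string


def build_superflows(flows, threshold=10):
    """Collapse groups of at least `threshold` matching flows into superflows.

    Returns (superflows, remaining_flows). Each superflow stores one record
    plus the collection of IP addresses (or ports) it stands for, instead of
    every individual flow.
    """
    type_a = defaultdict(list)   # one SRC -> many DST, same dport/bytes/flags
    type_b = defaultdict(list)   # many SRC -> one DST, same dport/bytes/flags
    type_c = defaultdict(list)   # one SRC and DST, TCP/UDP, changing ports
    for f in flows:
        type_a[(f.src, f.dport, f.proto, f.bytes, f.flags)].append(f)
        type_b[(f.dst, f.dport, f.proto, f.bytes, f.flags)].append(f)
        if f.proto in ("tcp", "udp"):
            type_c[(f.src, f.dst, f.proto)].append(f)

    consumed = set()
    superflows = []

    def emit(kind, group, members, extra):
        superflows.append({"type": kind, "count": len(group),
                           "members": sorted(members), **extra})
        consumed.update(group)

    for (src, dport, proto, _, _), group in type_a.items():
        live = [f for f in group if f not in consumed]
        dsts = {f.dst for f in live}
        if len(dsts) >= threshold:            # e.g. a network sweep
            emit("A", live, dsts, {"src": src, "dport": dport, "proto": proto})
    for (dst, dport, proto, _, _), group in type_b.items():
        live = [f for f in group if f not in consumed]
        srcs = {f.src for f in live}
        if len(srcs) >= threshold:            # e.g. a DDoS against one host
            emit("B", live, srcs, {"dst": dst, "dport": dport, "proto": proto})
    for (src, dst, proto), group in type_c.items():
        live = [f for f in group if f not in consumed]
        ports = {(f.sport, f.dport) for f in live}
        if len(ports) >= threshold:           # e.g. a port scan
            emit("C", live, {p[1] for p in ports},
                 {"src": src, "dst": dst, "proto": proto})
    remaining = [f for f in flows if f not in consumed]
    return superflows, remaining


# Constructed sample: a sweep of 12 hosts on port 22, 12 sources hitting one
# web server, a 15-port scan between two hosts, and two ordinary flows.
SAMPLE_FLOWS = (
    [Flow("10.0.0.1", f"10.0.1.{i}", 40000 + i, 22, "tcp", 60, "S") for i in range(1, 13)]
    + [Flow(f"10.0.5.{i}", "10.0.2.9", 50000 + i, 80, "tcp", 100, "S") for i in range(1, 13)]
    + [Flow("10.0.3.3", "10.0.3.4", 45000 + i, i, "tcp", 60, "S") for i in range(1, 16)]
    + [Flow("10.0.9.1", "10.0.9.2", 51000, 443, "tcp", 5000, "SA"),
       Flow("10.0.9.1", "10.0.9.2", 51001, 443, "tcp", 5000, "SA")]
)

if __name__ == "__main__":
    supers, rest = build_superflows(SAMPLE_FLOWS)
    for s in supers:
        print(s["type"], s["count"], "members:", len(s["members"]))
    print(len(rest), "flows kept individually")
```

The two ordinary flows survive untouched because they never reach the threshold under any of the three groupings; a rule test that keys on the superflow type can then treat the three collapsed records as the sweep, DDoS and scan candidates the slide names, without any of the individual flows being stored.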


Architecture overview
• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
• Dissecting the flow of a captured event


Event collector architecture
• Each event collector gathers events from local and remote sources
• EPS license is checked
• Log Sources are automatically discovered after record analysis in the Traffic Analysis module
• The event collector normalizes events and classifies them into low- and high-level categories
• Events are parsed by log source parser threads
• The event collector bundles identical events to conserve system usage through a process that is known as coalescing

Diagram (event collector pipeline, bottom to top): Log Sources → Raw data packets received → Overflow filter (enforce license limit) → Traffic Analysis (Log source detection) → Device Support Module (DSM): Parser threads, DSM normalization filter → Coalescing filter → Event processor

Event collector architecture

Each Event Collector gathers events from local and remote log sources. Once the raw data packets
have been received, the license limit is checked first. On the Event Collector, this limit is measured
in Events per Second, or EPS. Events are temporarily stored in an overflow buffer if the EPS
license is exceeded, and those events are processed during the next cycle. Should the overflow
buffer fill up, the additional events are dropped, and a message is logged for the administrators.

Log Sources are automatically discovered after record analysis in the Traffic Analysis module. This
is an essential module for automating a successful evaluation or deployment, because it
categorizes traffic from devices that are unknown to the system. Log source detection creates a
new QRadar log source if detection is successful on an IP address. The Traffic Analysis module
only carries out detection on event protocols that are “pushed” to the event collector, for example,
syslog.

After the correct log source has been detected, such as a Checkpoint Firewall, the individual
Device Support Modules begin to parse the events. First, the events are normalized, where source
specific data fields are mapped into QRadar terminology for further processing. The log source
parser then extracts the log source event ID from the log record and maps that to the QRadar
Identifier, or QID. The QID is a unique ID to which the extracted log source event ID is linked. Each QID
relates to a custom event name and description, as well as severity and event category information.
The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC). Every QID is linked to one of the low-level categories; for example, a valid
category combination is “Authentication” (being a High Level Category) and “Admin Login
Successful” (being a Low Level Category).

Finally, the coalescing filter can optionally bundle identical events to conserve system usage before
handing the data off to the Event Processor.

Note: The following slides contain some additional information about the Autodiscovery of log
sources, Log source parsing and QID mapping, and Events per second burst handling. The
explanations for these slides have already been incorporated in this overview slide.


Autodiscovery of log sources


• Is an essential module for automating a successful evaluation or deployment

• Categorizes traffic from devices that are unknown to the system

• Creates a new log source if detection is successful on an IP address

• Carries out detection only on event protocols that are “pushed” to the event collector,
for example, syslog


Log source parsing uses QID mapping


• The log source parser extracts the log source event ID from the log record

• The QID (QRadar identifier) is a unique ID to which the extracted log source event ID is linked

• Each QID number relates to a custom event name and description, as well as severity and event
category information

• The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC); every QID is linked to one of the low-level categories

For example, "Authentication (HLC) - Admin Login Successful (LLC)" is a category combination
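The parse, normalize and QID-map steps described above, as an added Python example (not QRadar's code and not from the course): a constructed key=value log line is parsed, its device-specific event ID is looked up in a constructed QID table that carries the name, severity and one HLC/LLC pair, and the result is a normalized record. The log format, the event IDs and the QID numbers are all made up for the illustration and are not real QRadar QIDs.

```python
# Added example (not QRadar code): what a DSM's normalization and QID mapping
# step does to a raw log line. The log format, the event IDs and the QID
# numbers are all constructed; they are not real QRadar QIDs.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class QidEntry:
    qid: int
    name: str
    description: str
    severity: int     # 1 (low) .. 10 (high)
    hlc: str          # High Level Category
    llc: str          # Low Level Category


# Event ID (as the device writes it) -> QID entry. Every QID carries exactly
# one low-level category, which in turn belongs to one high-level category.
QID_MAP = {
    "fw-deny": QidEntry(900001, "Firewall Deny", "Connection blocked by policy",
                        3, "Access", "Firewall Deny"),
    "fw-permit": QidEntry(900002, "Firewall Permit", "Connection allowed by policy",
                          1, "Access", "Firewall Permit"),
    "admin-login-ok": QidEntry(900003, "Admin Login Successful", "Administrator logged in",
                               3, "Authentication", "Admin Login Successful"),
}

# Constructed syslog-style line: "<timestamp> <host> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.+)$")


def parse_fields(kv_text):
    return dict(pair.split("=", 1) for pair in kv_text.split() if "=" in pair)


def normalize(line):
    """Map a raw line to QRadar-style normalized fields, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = parse_fields(m.group("kv"))
    event_id = fields.get("action")
    record = {
        "log_source": m.group("host"),
        "event_id": event_id,
        "source_ip": fields.get("src"),
        "destination_ip": fields.get("dst"),
        "destination_port": int(fields["dport"]) if "dport" in fields else None,
    }
    entry = QID_MAP.get(event_id)
    if entry is None:
        # Unmapped event IDs are kept but flagged so an admin can add a mapping.
        record.update(qid=None, event_name="Unknown", severity=None,
                      hlc="Unknown", llc="Unknown")
    else:
        record.update(qid=entry.qid, event_name=entry.name, severity=entry.severity,
                      hlc=entry.hlc, llc=entry.llc)
    return record


# Constructed sample lines from a hypothetical firewall log source "fw01".
SAMPLE_LINES = [
    "2017-12-01T10:00:01Z fw01 action=fw-deny src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2017-12-01T10:00:02Z fw01 action=admin-login-ok src=10.0.0.9 dst=10.0.0.1 dport=443",
    "2017-12-01T10:00:03Z fw01 action=fw-vpn-up src=10.0.0.9 dst=10.0.0.1",
    "garbage",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
```

The third line carries an event ID the table does not know; it is still normalized (the IP fields are usable) but gets the Unknown name and categories, which is the state an administrator has to resolve by adding a mapping rather than one the pipeline silently discards.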


Events per second (EPS) burst handling


• Events are temporarily stored in an overflow buffer if the EPS license is exceeded

• Every log source protocol has an overflow buffer of 5 GB

• If the overflow buffer fills up, the additional events are dropped
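The overflow buffer behaviour on this slide (and the matching flows-per-minute handling for the flow collector) is easy to misjudge without seeing the numbers. Here is an added Python simulation (not QRadar's code and not from the course) of a per-second license filter with a bounded buffer: events over the per-second budget are parked, parked events are fed back into the stream as soon as budget is free, and once the buffer is full new events are dropped and a notice is recorded. The license limit, the buffer capacity (counted in events here, where the slide gives 5 GB per log source protocol) and the burst pattern are constructed.

```python
# Added example (not QRadar code): a second-by-second simulation of the overflow
# filter that enforces an EPS license with a bounded buffer. The buffer
# capacity is counted in events here (the slide gives it as 5 GB per log
# source protocol); the limit, capacity and arrival pattern are constructed.
from collections import deque


class OverflowFilter:
    def __init__(self, eps_limit, buffer_capacity):
        self.eps_limit = eps_limit
        self.buffer_capacity = buffer_capacity
        self.buffer = deque()
        self.dropped = 0
        self.notices = []        # messages that would be logged for admins

    def tick(self, second, incoming):
        """Process one second of arrivals; return the events passed downstream."""
        passed = []
        # Buffered events are older, so they are fed back into the stream first
        # (FIFO, an assumption of this model), as long as this second's license
        # budget allows.
        while self.buffer and len(passed) < self.eps_limit:
            passed.append(self.buffer.popleft())
        dropped_now = 0
        for event in incoming:
            if len(passed) < self.eps_limit:
                passed.append(event)
            elif len(self.buffer) < self.buffer_capacity:
                self.buffer.append(event)       # over license: park it
            else:
                dropped_now += 1                # buffer full: drop
        if dropped_now:
            self.dropped += dropped_now
            self.notices.append(f"second {second}: overflow buffer full, "
                                f"{dropped_now} events dropped")
        return passed


def run_simulation(arrivals_per_second, eps_limit=100, buffer_capacity=250):
    """Feed a constructed burst through the filter; return what happened."""
    flt = OverflowFilter(eps_limit, buffer_capacity)
    passed_per_second = []
    next_id = 0
    for second, n in enumerate(arrivals_per_second):
        batch = range(next_id, next_id + n)     # event ids, in arrival order
        next_id += n
        passed_per_second.append(len(flt.tick(second, batch)))
    return {
        "passed_per_second": passed_per_second,
        "dropped": flt.dropped,
        "still_buffered": len(flt.buffer),
        "notices": flt.notices,
    }


# A burst of 300 EPS for two seconds against a 100 EPS license, then idle.
BURST = [100, 300, 300, 50, 0, 0, 0]

if __name__ == "__main__":
    print(run_simulation(BURST))
```

With these numbers the filter never passes more than 100 events in any second, the buffer absorbs the first second of the burst, and the second burst second overruns it, so 150 events are lost while the remaining backlog drains over the quiet seconds that follow. That drain is the "processed during the next cycle" behaviour, and the notice is the admin message the overview text mentions.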



Event processor architecture
• EPS license is checked and enforced
• Every single event and flow is tested against all enabled rules in the rules engine
• New offenses can be triggered and sent to the Magistrate (see Console)
• Events and flows are stored in the events or flows Ariel database
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database (see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database

Diagram (event processor pipeline, bottom to top): Event or flow sources received (from Event processors, Event collectors, Flow collectors) → Overflow filter (enforce license limit) → Custom Rules Engine (CRE) → Exit filter → Event storage filter (Events and Flows Ariel databases) → Host profiler (New host or port event) → Accumulator (Accumulations); outputs go to the Magistrate and the Anomaly Detection Engine on the Console


Event processor architecture

The Event Processor can receive event and flow data from Event and Flow Collectors as well as
other Event Processors that may be distributed throughout the organization's IT deployment. First,
the Overflow Filter enforces the license in a similar way to the collectors.

Next, the Custom Rule Engine, or CRE, tests every single event or flow against all enabled rules.
Matched rules can have responses or results. For example, a matched rule might trigger the
creation of an offense, or create a new CRE event that triggers the creation of an offense. However,
actual offenses are not created here at the Event Processor, but rather at the Console.

It is possible that multiple matched events, flows, and matched rules might correlate into a single
offense. On the other hand, a single event or flow can also be correlated into multiple offenses.

By default, rules are tested against events or flows received by a single event processor (local
rules). The Exit Filter sends on any events or flows that have been marked for further processing by
the Magistrate component on the Console.

Every event and flow is then sent on to the Event Storage Filter, where it is stored in the events
or flows Ariel database.

If a new port or host is detected at this time, an asset profile needs to be updated or created in the
PostgreSQL database. The Host Profiler, or Host Profiling Filter, sends the collected information
about the new host to the Console, so that a new asset can be created or updated.

Finally, if an analyst has defined any searches to collect and investigate specific sets of data,
events and flow records are accumulated every minute and stored in the accumulator Ariel
database. These accumulations create time-series statistical metadata that is used for Dashboards,
event and flow forensics and searching, reporting, and the Anomaly Detection Engine on the
Console. Accumulated time intervals can be defined as 1 minute, 1 hour, and 1 day. The
Accumulator is a distributed component that operates on each Event Processor.

Note: The following slides contain some additional information about the Custom Rule Engine
and the Accumulator. The explanations for these slides have already been incorporated in this
overview slide.


Custom Rules Engine (CRE)


• Every single event or flow is tested against all enabled rules; matched rules can have a response or
result

• Matched rules might trigger the creation of an offense or create a CRE event that triggers the creation
of an offense

• Multiple matched events, flows, and matched rules might correlate into a single offense

• A single event or flow can be correlated into multiple offenses

• By default, rules are tested against events or flows received by a single event processor (local rules)

• Global cross correlation (GCC) allows rules testing across multiple event processors in the QRadar
SIEM deployment
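A small rules engine makes the bullets above tangible. The following added Python example (not QRadar's code and not from the course) tests every event against all enabled rules, keeps a sliding time window per rule and per grouping value so a count threshold can be evaluated, and tags a matched event with the index property and value a Magistrate would later use to decide which offense it belongs to. Untagged events produce no offense work. The rules, thresholds, field names and event stream are constructed; the disabled rule shows that only enabled rules are consulted.

```python
# Added example (not QRadar code): a tiny custom-rules engine that tests every
# event against all enabled rules and tags the matches with the index
# property the Magistrate later uses. Rules, thresholds and events are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]     # does this event belong to the rule at all?
    group_by: str                     # field the count is kept per (e.g. source_ip)
    threshold: int                    # fire once this many matches are in the window
    window_s: int
    index_property: str               # offense index for the Magistrate
    enabled: bool = True


class CustomRulesEngine:
    def __init__(self, rules):
        self.rules = [r for r in rules if r.enabled]
        self._windows = defaultdict(deque)   # (rule name, group value) -> timestamps

    def test(self, event):
        """Return the tags produced for one event (empty list = no rule fired)."""
        tags = []
        for rule in self.rules:
            if not rule.match(event):
                continue
            window = self._windows[(rule.name, event[rule.group_by])]
            window.append(event["ts"])
            while window and window[0] <= event["ts"] - rule.window_s:
                window.popleft()                 # slide the time window
            if len(window) >= rule.threshold:
                tags.append({"rule": rule.name,
                             "index_property": rule.index_property,
                             "index_value": event[rule.index_property]})
        return tags

    def process(self, events):
        """Events with at least one tag are marked for the Magistrate."""
        marked = []
        for event in sorted(events, key=lambda e: e["ts"]):
            tags = self.test(event)
            if tags:
                marked.append({**event, "tags": tags})
        return marked


RULES = [
    Rule("Excessive Firewall Denies from one source",
         match=lambda e: e["event_name"] == "Firewall Deny",
         group_by="source_ip", threshold=20, window_s=60, index_property="source_ip"),
    Rule("Admin login from outside the internal range",
         match=lambda e: (e["event_name"] == "Admin Login Successful"
                          and not e["source_ip"].startswith("10.")),
         group_by="source_ip", threshold=1, window_s=1, index_property="destination_ip"),
    Rule("Disabled rule never fires", match=lambda e: True,
         group_by="source_ip", threshold=1, window_s=1,
         index_property="source_ip", enabled=False),
]


def deny(ts, src, dst="10.0.0.5"):
    return {"ts": ts, "event_name": "Firewall Deny", "source_ip": src, "destination_ip": dst}


# Constructed stream: 25 denies from one source in 25 seconds, a few from
# another source, and one external admin login.
EVENTS = ([deny(t, "198.51.100.7") for t in range(25)]
          + [deny(t, "198.51.100.8") for t in (5, 6, 7)]
          + [{"ts": 10, "event_name": "Admin Login Successful",
              "source_ip": "203.0.113.5", "destination_ip": "10.0.0.1"}])

if __name__ == "__main__":
    for m in CustomRulesEngine(RULES).process(EVENTS):
        print(m["ts"], m["source_ip"], [t["rule"] for t in m["tags"]])
```

Only the twentieth and later denies from the busy source are tagged, because the threshold is evaluated per event as it arrives; the three denies from the other source never reach it. The login rule has a threshold of one, so a single match is enough, and it indexes on the destination rather than the source, which is why the same event stream can feed offenses keyed on different properties.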


Accumulator
• Accumulations are defined by “grouped by” searches

• Accumulations create time-series statistical metadata (counts) that is used for the following purposes
ƒ Dashboards
ƒ Event and flow forensics and searching
ƒ Reporting
ƒ Anomaly and behavior alerts

• Accumulated intervals are 1 minute, 1 hour, and 1 day

• The Accumulator is a distributed component that operates on each event processor



Console architecture
• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then brought to the analyst’s attention in the interface
• The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that triggered the creation of an offense
• The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets based on information from the EPs
• The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are then used for offense evaluation

Diagram (Console): Event Sources received from the Event processors (Exit Filter, Ariel Query Server, Host profiler, Accumulators) → Overflow filter (enforce license limit) → Custom rule engine → Magistrate (Offenses); alongside the Magistrate: Ariel Proxy Server, Vulnerability Information Server (Assets), Anomaly Detection Engine

Console architecture

The Console receives data from the deployed Event Processors for further analysis by the
Magistrate component, which creates and stores offenses in the PostgreSQL database. These
offenses are then brought to the analyst’s attention in the user interface. The Magistrate instructs
the Ariel Proxy Server to gather information about all related events and flows that triggered the
creation of an offense. The collected data is then available for further investigation by the analyst.

If data is collected from multiple Event Processors, the Console’s Custom Rules Engine can utilize
Global Cross Correlation to test rules on data from all deployed Event Processors. This helps to
locate more complex attacks, which can span across the overall IT infrastructure and are not
confined to being detected by a single Event Processor.

The Vulnerability Information Server (VIS) creates new assets, or adds open ports or discovered
services to existing assets, based on information from the Host Profiler on the Event Processors.
This happens when hosts, services, or vulnerabilities that cannot be mapped to existing assets are
discovered.

The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which
are then used for offense evaluation. There are three categories of Anomaly Detection Rule types.
• The Threshold rule examines a numeric range, such as greater than, less than, or a particular
range. This rule can help detect the bandwidth of an application, the number of users connected
to a VPN, or a large and unusual outbound data transfer.
• The Anomaly rule looks at a change in short term when comparing against a longer time frame.
This can help to locate new service activity or a change in the bandwidth volume on a specific
link.
• The Behavioral rule can detect changes from the same time yesterday or last week. This
includes mail traffic, for example, the increase on external SMTP server traffic, which could be a
relay. This rule can also be used for regular IT services, such as backup monitoring, where the
rule would trigger if a backup failed.

Let us take a closer look at how offenses are managed by the Magistrate component.

Events and flows that have been tagged by the Custom Rules Engine on the Event Processors for
further processing are handed over to the Console through the Exit Filter.

Note: The following slides contain some additional information about the Offense management
by the Magistrate, the new asset and service detection by the Vulnerability Information
Server, and Anomaly Detection Engine rule types. The explanations for these slides have
already been incorporated in this overview slide.


Offense management by the Magistrate


• Rules can correlate events and flows into a single offense

• A single event or flow can belong to multiple offenses

• While rules are tested, they might lead to the creation of an offense

• Pending offenses tag the events and flows as long as the rule that triggered the creation of the offense
remains at least partially matched

• A maximum of 100,000 offenses can be stored


New asset and service detection by Vulnerability Information Server

• Generates a new asset based on an event when hosts, services, and vulnerabilities that cannot be
mapped to existing assets are discovered
• Detects new or modified assets and automatically checks the asset information against uploaded
vulnerability information using flow information


Anomaly Detection Engine rule types


The three categories of rule types are as follows
• Threshold: greater than, less than, and range
ƒ Bandwidth of an application
ƒ Failed service
ƒ Number of users connected to a VPN
ƒ Large outbound transfer
• Anomaly: Change in short term when comparing against a longer time frame
ƒ New service activity
ƒ Change in the bandwidth volume on a link
• Behavioral: Change from the same time yesterday or last week
ƒ Mail traffic, for example, increase on external SMTP server traffic (could be a relay)
ƒ Backup monitoring (backup failed)
ƒ Just about anything with a repetitive pattern
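The three rule types on this slide all operate on the counts that the Accumulator slide earlier described. The added Python example below (not QRadar's code and not from the course) serves both passages: it turns a "grouped by" search into per-interval counts, rolls minutes up into hours, and then runs a threshold, an anomaly (short term against longer term) and a behavioral (same slot one period ago) rule over a constructed hourly series, including the backup-failed case where the behavioral rule fires on a drop to zero. All series values, intervals, limits and percentages are constructed.

```python
# Added example (not QRadar code): a minimal accumulator that turns a
# "grouped by" search into per-interval counts and rolls them up, plus the
# three Anomaly Detection rule types from the slide run over those counts.
# All series, thresholds and percentages are constructed.
from collections import defaultdict
from statistics import mean

MINUTE, HOUR, DAY = 60, 3600, 86400


def accumulate(events, interval_s, group_field):
    """Count events per (interval start, group value): the grouped-by search."""
    counts = defaultdict(int)
    for ev in events:
        bucket = ev["ts"] - ev["ts"] % interval_s
        counts[(bucket, ev[group_field])] += 1
    return dict(counts)


def rollup(counts, interval_s):
    """Combine finer accumulations (e.g. 1 minute) into coarser ones (e.g. 1 hour)."""
    out = defaultdict(int)
    for (bucket, group), n in counts.items():
        out[(bucket - bucket % interval_s, group)] += n
    return dict(out)


def threshold_rule(series, op, limit):
    """Threshold: fires where the value is greater than / less than the limit."""
    test = (lambda v: v > limit) if op == ">" else (lambda v: v < limit)
    return [i for i, v in enumerate(series) if test(v)]


def anomaly_rule(series, short_n, long_n, pct):
    """Anomaly: short-term average exceeds the preceding long-term average by pct %."""
    hits = []
    for i in range(long_n, len(series)):
        long_avg = mean(series[i - long_n:i])
        short_avg = mean(series[i - short_n + 1:i + 1])
        if short_avg > long_avg * (1 + pct / 100):
            hits.append(i)
    return hits


def behavioral_rule(series, period, pct):
    """Behavioral: value differs by more than pct % from the same slot one period ago."""
    hits = []
    for i in range(period, len(series)):
        ref, cur = series[i - period], series[i]
        if ref == 0:
            if cur > 0:
                hits.append(i)          # activity where there never was any
            continue
        if abs(cur - ref) / ref * 100 > pct:
            hits.append(i)
    return hits


# Constructed hourly series over two days: 150 events/hour in business hours,
# 100 otherwise, with a burst of 600 at hour 40 (16:00 on day two).
HOURLY = [150 if 8 <= h % 24 < 18 else 100 for h in range(48)]
HOURLY[40] = 600

# Constructed backup monitoring series: one "backup completed" event at 02:00
# each day, missing on day two.
BACKUP = [1 if h == 2 else 0 for h in range(48)]

if __name__ == "__main__":
    print("threshold:", threshold_rule(HOURLY, ">", 500))
    print("anomaly:", anomaly_rule(HOURLY, short_n=1, long_n=24, pct=100))
    print("behavioral:", behavioral_rule(HOURLY, period=24, pct=50))
    print("backup failed:", behavioral_rule(BACKUP, period=24, pct=50))
```

The threshold rule needs no history and catches only the outright burst; the anomaly rule catches the same hour by comparing it to the preceding day's average without any fixed limit; the behavioral rule compares hour 40 with hour 16 of the previous day, and on the backup series it is the only one of the three that notices an absence (the expected event at hour 26 did not arrive), which is the backup-monitoring use on the slide.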


Architecture overview

Until now, we have examined the QRadar component structure from a deployment viewpoint. Let
us now take a final look into dissecting the flow of a captured event.


Dissecting the flow of a captured event


Recap the architectural components by examining the flow of a captured event

• How the events arrive at their first collection point, the Event Collector

• How the events proceed through correlation, accumulation, and storage on the Event Processor

• How the events end up as part of a larger offense on the Console


Dissecting the flow of a captured event

We want to recap the architectural components by examining the flow of a captured event. This
starts at the time when the events arrive at their first collection point, the Event Collector. We will
follow the events as they proceed through correlation, accumulation, and storage on the Event
Processor and finally end up as part of a larger offense on the Console.


Dissecting the flow of a captured event (2 of 4)

Diagram (Event collector): FW Deny events → (2) Overflow filter (enforce license limit): License exceeded? Yes → buffer overflow events and feed back into stream when input below limit; No → (3) Traffic Analysis (Log source discovery): Log source known? No → create new log source; Yes → (4) Device Support Module (DSM): Parser for firewall, DSM normalization filter → (5) Coalescing Filter → Event processor


Dissecting the flow of a captured event (2 of 4)

In this scenario we follow a batch of Checkpoint Firewall deny events through the stack of QRadar
components.
1. The firewall denies a large number of communication requests from an individual IP source and
logs them.
This large number of FW Deny events now arrives at the QRadar Event Collector.

2. The overflow filter counts all the incoming raw events to ensure that the license limit for the
appliance is not exceeded.
If the license limit (here: events per second) IS exceeded, the events are buffered and fed back
into the stream when the input is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the console is
generated.
In our case the limit is not exceeded and the FW Deny events are passed on to the Traffic
Analysis module.

3. The Traffic Analysis module performs the autodiscovery of log sources.
If the log source is already known (as in our case: Checkpoint Firewall), the records are
handed over to the appropriate DSM module.
If the log source is not known yet but is recognized, a new log source is generated. Then the
event is handed over to the appropriate DSM module.
If the event cannot be attributed to either a known or a new log source, the event is stored as
“unknown” and listed as such on the Console.

4. The individual FW Deny events are now parsed inside the applicable (Firewall) Device Support
Module, the Event ID is extracted from the event data, and a QID (QRadar Identifier) gets
assigned to the event.
This QID is later used in the CRE (custom rules engine) to evaluate and correlate our events
together with other events and flows.

5. Before handing the normalized data (with QID) off to the Event Processor, all events are passed
through the coalescing filter.
Here, duplicate events (examined within 10 second intervals) are combined into one event with
a counter, which reduces storage space and processing load when data is handed
to the Event Processor.

In our case many FW Deny events are coalesced because they have occurred within 10
second intervals.
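Step 5 is the point at which a flood of identical denies shrinks to a handful of records. The added Python example below (not QRadar's code and not from the course) applies that coalescing to constructed normalized events: events that agree on log source, QID, source IP, destination IP and destination port (that key is an assumption of this example) and fall within a 10-second window of the first one seen become one record carrying a count, a first-seen and last-seen time, and one sample payload. The events are constructed.

```python
# Added example (not QRadar code): the coalescing step applied to normalized
# events. Identical events (same log source, QID, source IP, destination IP
# and destination port; this key is an assumption) seen within a 10-second
# window collapse into one record carrying a count. Events are constructed.

COALESCE_FIELDS = ("log_source", "qid", "source_ip", "destination_ip", "destination_port")


def coalesce(events, window_s=10):
    """Return coalesced records sorted by first-seen time.

    A window opens when a key is first seen and closes window_s later; the
    next event with that key after the window has closed starts a new record.
    """
    open_buckets = {}      # key -> record currently collecting
    done = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[f] for f in COALESCE_FIELDS)
        rec = open_buckets.get(key)
        if rec is not None and ev["ts"] - rec["first_seen"] >= window_s:
            done.append(open_buckets.pop(key))     # window expired: flush
            rec = None
        if rec is None:
            rec = {**{f: ev[f] for f in COALESCE_FIELDS},
                   "first_seen": ev["ts"], "last_seen": ev["ts"], "count": 0,
                   "sample_payload": ev["payload"]}   # keep one raw sample
            open_buckets[key] = rec
        rec["count"] += 1
        rec["last_seen"] = ev["ts"]
    done.extend(open_buckets.values())
    return sorted(done, key=lambda r: (r["first_seen"], r["destination_port"]))


def fw_deny(ts, dport=22):
    """Constructed normalized firewall deny event (QID number is made up)."""
    return {"ts": ts, "log_source": "fw01", "qid": 900001, "source_ip": "198.51.100.7",
            "destination_ip": "10.0.0.5", "destination_port": dport,
            "payload": f"t={ts} action=fw-deny dport={dport}"}


# 30 identical denies, one per second, plus a single deny to a different port.
EVENTS = [fw_deny(t) for t in range(30)] + [fw_deny(3, dport=23)]

if __name__ == "__main__":
    for rec in coalesce(EVENTS):
        print(rec["first_seen"], rec["last_seen"], rec["destination_port"], rec["count"])
```

Thirty-one events become four records: three 10-second blocks of the repeated deny and the single deny to the other port, which differs in the key and therefore is never merged. The count on each record is what makes a later threshold test still see the full volume even though only one event per window was forwarded.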


Dissecting the flow of a captured event (3 of 4)

Diagram (Event processor): Firewall Deny events from the Event collectors → (1) Normalized events → (2) Overflow filter (enforce license limit): License exceeded? Yes → buffer overflow events and feed back into stream when input below limit; No → (3) Custom Rule Engine (CRE), Rule Processing and Correlation: Rule fired → Console handles Offense; streaming to Log Activity tab in real time → (4) Event Storage (Ariel DB Events and Flows) → (5) Accumulator (Ariel DB Accumulations) → (6) Host Profiler: New host or port found? Yes → Console


Dissecting the flow of a captured event (3 of 4)

1. The Event Collector sends our normalized FW Deny events to an Event Processor for further
processing.
Events can come from multiple Event and Flow Collectors, and there can also be multiple Event
Processors in your deployment.

2. The overflow filter counts the incoming normalized events to ensure the license limit for the
appliance is not exceeded.
If the license limit IS exceeded, the events are buffered and fed back into stream when the input
is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the console is
generated.

3. The CRE evaluates every single event against every active rule.
If none of the rules fires on the event, the event is dropped from further processing.
If at least one rule fires (which happens in our FW Deny events example, because the number
of events within a certain time period exceeds a threshold value in a test rule), the event is
properly marked for further processing. This way the Magistrate on the Console knows how to
actually handle this event (create a new offense, add the event to any number of existing
offenses).
In our case, the number of accumulated FW Deny events is sufficient evidence to instruct the
Magistrate that these events are worthy of an offense.

The CRE can also stream every incoming event to the Log Activity tab if you have configured
any live streaming views on the Console. This way, all of our FW Deny events are displayed in
a streaming Dashboard on the Console.

4. The Event Storage component is responsible for storing all events (and flows) in the Ariel DB.
The filter then passes on the data to the Accumulator.

5. The Accumulator manages all the defined searches (Reports, Dashboards, and such) that have
been set up by an analyst on the Console.
Based on the search parameters the Accumulator stores data in the Accumulations Ariel DB.
This data is later used by the Console to display results through the GUI or to create
Reports.

6. The Host Profiler also receives the event data and searches for any new host or port events.

If any new hosts or ports are detected they are being sent to the Console’s Vulnerability Information
Server.


Dissecting the flow of a captured event (4 of 4)

Diagram (Console): (1) Processed events from the Event processors (Ariel Query Server, Ariel DB Events and Flows, Accumulator, Host Profiler) → (2) Overflow filter (enforce license limit): License exceeded? Yes → buffer overflow events and feed back into stream when input below limit; No → (3) Magistrate with Custom Rule Engine (CRE) → Offenses (PostgreSQL); (4) Ariel Proxy; (5) Anomaly Detection Engine; (6) Vulnerability Information Server → Assets (PostgreSQL)


Dissecting the flow of a captured event (4 of 4)

1. The Event Processor(s) send(s) the processed events, including the coalesced FW Deny
events, to the Console for final processing.
Events can come from multiple Event Processors in your deployment.

2. The overflow filter counts the incoming normalized events to ensure the license limit for the
appliance is not exceeded.
If the license limit IS exceeded, the events are buffered and fed back into stream when the input
is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the console is
generated.

3. The Magistrate receives our FW Deny events from the Event Collector.
Based on the Index Property and Index Property Value, the Magistrate knows that these events
need to be raised as an offense.
Before creating a new offense, the CRE inside the Magistrate determines whether these events
should be assigned a new offense or whether they can be attributed to other existing offenses.
Collecting this additional data also helps to provide a clearer view to analysts in the GUI (by
displaying related events and flows).

4. In case the Magistrate needs to access additional event and flow records it utilizes the Ariel
Proxy to communicate with Ariel Query Servers that are located on other Event Processor
appliances.

5. In addition to the Magistrate component the Console also houses the Anomaly Detection
Engine.
It examines behavioral, anomaly, or threshold based rules that can be used to create new
offenses or add additional evidence and details to existing offenses.

6. Based on collected event and flow data the Vulnerability Information Server component on the
Console receives information about new hosts or ports that are not yet contained in its Asset
database.

Those new assets are added to the PostgreSQL Asset database.


Summary
Now you should be able to perform the following tasks:
• Describe how QRadar SIEM collects and processes events and flows
• Describe how QRadar SIEM collects vulnerability data


Summary

In this unit we covered the functional architecture level and explained how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at this
modular design, its extensibility and deployment pattern, we examined the component architecture
so that the analyst understands how data is ingested and processed.

When the analysts now examine bits and pieces of a larger security incident investigation, this
architectural understanding should substantially enhance their capability for detailed and fast
analysis.

IBM Training

© Copyright IBM Corporation 201. All Rights Reserved.
