SlideShare a Scribd company logo

Q radar architecture deep dive

Kamal Mouline
Kamal Mouline

QRadar collects security data from various sources using event collectors and flow collectors. The data is normalized, coalesced, and forwarded to event processors where it is stored, indexed, and processed using the custom rules engine. Offenses and related data are stored in a PostgreSQL database while events and flows are stored in an Ariel database. Asset and vulnerability information is gathered from scanners and passive profiling to build profiles in the PostgreSQL database. The magistrate generates offenses which are then available in the user interface.

1 of 27
Downloaded 16 times
How QRadar SIEM Collects Security Data Luis Latas WW Technical Sales Enablement
QRadar Data Flow - Overall
From an Appliance Perspective Event Collector Capabilities Event Collector (ecs-ec-ingress) Event Collector (ecs-ec)
From an Appliance Perspective Event/Flow Processor Capabilities Event Collector (ecs-ec-ingress) + Event Collector (ecs-ec) Event Processor (ecs-ep)
From an Appliance Perspective AIO/Console Capabilities Event Collector (ecs-ec-ingress) + Event Collector (ecs-ec) Event Processor (ecs-ep) Magistrate
High-level component architecture and data stores Flow and event data is stored in the Ariel database on the event processors – If accumulation is required, accumulated data is stored in Ariel accumulation data tables – As soon as data is stored, it cannot be changed (tamper proof) – Data can be selectively indexed Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console – Provides one master database with copies on each processor for backup and automatic restore Secure SSH communication between appliances in a distributed environment is supported Console services User interface Magistrate Reporting Event processor Flow collector Event collector Identities Assets Offenses Configuration Flows Events Accumulations Network packet interface, sFlow, and 3rd party Events from log sources 6
QRadar Data Flow - Overall IBM Security / © 2020 IBM Corporation 7
Collecting and Normalizing raw events An event is a record from a device that describes an action on a network or host. QRadar SIEM normalizes the varied information found in raw events. – Normalizing means to map information to common field names, for example: • SRC_IP, Source, IP, and others are normalized to Source IP. • user_name, username, login, and others are normalized to Username. – Normalized events are mapped to high-level and low-level categories to facilitate further processing. – After raw events are normalized, it is easy to search, report, and cross-correlate these normalized events.
9 Event data pipeline IBM Security / © 2020 IBM Corporation Event data is sent to or pulled by QRadar Event Collector Ingress – Responsible for collecting data at all times (zero event loss) Data is collected and buffered during patch and deploys and processed once the operation is complete Protocols – Reads or pulls raw data from network devices (e.g: Windows Servers, Firewalls, etc) Throttle Filter - Licensing - On a second-by- second basis, slows down the incoming rate so it does not exceed the license on the appliance. Events are sent to ecs-ec-parse to be parsed Event Data Protocols Throttle Filter Licensing Event Collector – Ingress (ecs- ec-ingress) Event Collector (ecs-ec)
10 Event data pipeline IBM Security / © 2020 IBM Corporation Parsing (DSM, LSX, CEP) Coalescing Forwarding Log Only/Data Sore Event Collector (ecs-ec) Event Processor Event data is received from the ecs-ec-ingress Parsing – DSMs / LSX / CEP – take the raw data and normalize it into a common structure. Coalescing - “Event Compression”. Find nearly identical events and delete one and increase the event count on the record. Key is: source IP, dest IP, dest port, QID, username Forwarding - Applies routing rules for the system, such as sending event data to offsite targets, external Syslog systems, JSON systems, and other SIEMs. Log Only/Data Store supports the storage of an unlimited number of logs without counting against the EPS License Event Collector – Ingress (ecs- ec-ingress) Events are then sent to the Event Processor component and pass through the Custom Rules Engine (CRE).
Events not counted against the EPS licenses - The list of log source types that do not incur EPS hits are as follows: - System Notification - Custom Rule Engine (CRE) - SIM Audit - Anomaly Detection Engine - Asset Profiler - Search Results from scheduled searches - Health Metrics - Sense DSM - Risk Manager questions, Simulations and internal logging - Log Only/Data Store - Supports the storage of an unlimited number of logs without counting against the EPS QRadar SIEM license - Enables an organization to build custom apps and reports based on this stored data to gain deeper insights into IT environments.
Event Coalescing - Event Coalescing is a method of reducing the data going through the pipeline. - As data arrives in the pipeline QRadar will attempt to group like events together into a single event. - Coalescing occurs after licensing and parsing - Coalescing is indexed by Log Source, QID, Source IP, Destination IP, Destination Port and Username. - If more than 4 events arrive within a 10 second window with these properties being identical any additional events beyond the 4th will be collapsed together. - Coalesced events can be identified by looking at the Event Count column in the log viewer, if the Event Count is >1 the event has been coalesced. - Coalescing can be turned on or off per log source or by changing the default setting in the system setting page.
QRadar Data Flow - Overall 13 © Copyright IBM Corporation 2017
Flow collection and processing A flow is a communication session between two hosts QFlow Collectors read packets from the wire or receive flows from other devices QFlow Collectors convert all gathered network data to flow records similar normalized events; they include such details as: – when, who, how much, protocols, and options.
Flow pipeline Flows Qflow Asymmetric Recombination De-Duplication Flow Governor (Licensing) CFP Parsing Flow Forwarding Event Collector Event Processor The QFlow component collects and creates flow information from internal and external flow sources Event Collector – Responsible for parsing and normalizing incoming flows Asymmetric recombination - Responsible for combining two sides of each flow when data is provided asymmetrically Deduplication - Flow deduplication is a process that removes duplicate flows when multiple Flow Collectors provide data to Flow Processors appliances. Flow Governor - Monitors the number of incoming flows to the system to manage input queues and licensing. Custom flow properties – extracts any properties defined in the Custom Flow Properties Forwarding - Applies routing rules for the system, such as sending flow data to offsite targets, external Syslog systems, JSON systems, and other SIEMs. Flows are then sent to the Event Processor component and pass through the Custom Rules Engine (CRE). They are tested and correlated against the rules that are configured
16 IBM Security / © 2020 IBM Corporation QRadar Data Flow - Overall
Event & Flow Correlation and Processing Event Collector Licensing CRE Storage and Indexing Host Profiling Real Time streaming Event Processor Magistrate Asset Profiler Ariel Licensing is applied again on ingress to the EP After Events and Flows are normalized they are then sent to the Event Processor for processing The CRE or Custom Rules Engine Applies the correlation rules that were created in the UI. Flow data is then sent to the Ariel Database for storage. Host Profiling – Also called passive profiling or passive scanning. Watches flows on the network in order to make educated guesses about which IPs/assets exist and what ports are open. Streaming – Responsible for the “real time (streaming)” view in User Interface If an event matches a rule, the Magistrate component generates the response that is configure in the custom rule
QRadar Data Flow - Overall IBM Security / © 2020 IBM Corporation 18
Magistrate • The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then brought to the analyst’s attention in the interface • The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that triggered the creation of an offense • The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets based on information from the EPs • The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are then used for offense evaluation
Ariel Components Ariel Ariel Event Processor Accumulator Historical Correlation Ariel Proxy Server Ariel Query Server Offline Forwarder Report Runner
Ariel Components Ariel Proxy Server Console Ariel query Server Managed Host Ariel query Server Managed Host Ariel Components Ariel Ariel Ariel
Asset and Vulnerability Flow ecs-ep Event Processor Scanners/QVM/3rd Party ecs-ec (event collector Asset Profiler vis (Vulnerability integration service) Identity Data Passive Profiling POSTGRES
Gathering asset information Active scanners QRadar Vulnerability Manager scanner, Nessus, Nmap, Qualys, and others Provide: • List of hosts with risks and potential vulnerabilities • IP and MAC addresses • Open ports • Services and versions • Operating system Pros • Detailed host information • Policy and compliance information Cons • Out of date quickly • Full network scans can take weeks • Active scanners cannot scan past firewalls • User can hide from active scans Passive detection Flows from QFlow, or other flow sources in accounting technologies such as IPFIX/NetFlow, sFlow, and others Provide: • IP addresses in use • Open ports in use Pros • Real-time asset profile updates • Firewalls have no impact • End system cannot hide • Policy and compliance information Cons • Not as detailed as active scans • Does not detect installed but unused services or ports
Hostcontext Reporting Executor Report Runner Tomcat “Owns” the host it is responsible for starting and stopping processes and for overall system health and backups. A stopwatch responsible for keeping track of reports and when they should run and then instantiating the report runner The process that actually generates the reports, querying postgres, Ariel, etc. Process that drives our web UI and serves up web pages. Historical Correlation Processor Process that is responsible for historical correlation. Runs a specified search, runs the results through CRE rules (based on QRadar time or device time) and generates offenses The Remainder
QRadar Data Flow - Overall
© Copyright IBM Corporation 2020. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty, of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. Thank you Follow us on: ibm.com/security securityintelligence.com ibm.com/security/community xforce.ibmcloud.com @ibmsecurity youtube.com/ibmsecurity
Q radar architecture deep dive
Ad

Recommended

Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
PencilData
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
Qradar - Reports.pdf
Qradar - Reports.pdfQradar - Reports.pdf
Qradar - Reports.pdf
PencilData
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdf
PencilData
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cns
mmubashirkhan
 
Bài tập kerberos
Bài tập kerberosBài tập kerberos
Bài tập kerberos
Trần Thanh
 
Globalization
GlobalizationGlobalization
Globalization
H.
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
IBM Security
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
Sagar Joshi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management
SHRIYARAI4
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilient
Prime Infoserv
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
Rizwan S
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhyd
n|u - The Open Security Community
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Sirius
 
Siem ppt
Siem pptSiem ppt
Siem ppt
kmehul
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
ArcSight Basics.ppt
ArcSight Basics.pptArcSight Basics.ppt
ArcSight Basics.ppt
neoalt
 
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
DataScienceConferenc1
 
Ad

More Related Content

What's hot (20)

IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
Sagar Joshi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management
SHRIYARAI4
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilient
Prime Infoserv
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
Rizwan S
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhyd
n|u - The Open Security Community
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Sirius
 
Siem ppt
Siem pptSiem ppt
Siem ppt
kmehul
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
Sagar Joshi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management
SHRIYARAI4
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
Camilo Fandiño Gómez
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
Coenraad Smith
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilient
Prime Infoserv
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
Aurélie Henriot
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
Rizwan S
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhyd
n|u - The Open Security Community
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Sirius
 
Siem ppt
Siem pptSiem ppt
Siem ppt
kmehul
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 

Similar to Q radar architecture deep dive (20)

ArcSight Basics.ppt
ArcSight Basics.pptArcSight Basics.ppt
ArcSight Basics.ppt
neoalt
 
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
DataScienceConferenc1
 
ESM_101_6.9.0.pdf
ESM_101_6.9.0.pdfESM_101_6.9.0.pdf
ESM_101_6.9.0.pdf
Protect724v2
 
ESM 101 (ESM v6.9.1c)
ESM 101 (ESM v6.9.1c)ESM 101 (ESM v6.9.1c)
ESM 101 (ESM v6.9.1c)
Protect724tk
 
5.2 QRadar_Architecture_-_General123.pdf
5.2 QRadar_Architecture_-_General123.pdf5.2 QRadar_Architecture_-_General123.pdf
5.2 QRadar_Architecture_-_General123.pdf
MuhammadAmir785555
 
Opmanager Workshop - Middle East
Opmanager Workshop - Middle EastOpmanager Workshop - Middle East
Opmanager Workshop - Middle East
ManageEngine, Zoho Corporation
 
Data Streaming in Kafka
Data Streaming in KafkaData Streaming in Kafka
Data Streaming in Kafka
SilviuMarcu1
 
Why and how to engage a Complex Event Processor from a Java Web Application
Why and how to engage a Complex Event Processor from a Java Web ApplicationWhy and how to engage a Complex Event Processor from a Java Web Application
Why and how to engage a Complex Event Processor from a Java Web Application
Lucas Jellema
 
TechEd NZ 2014: Intelligent Systems Service - Concept, Code and Demo
TechEd NZ 2014: Intelligent Systems Service - Concept, Code and DemoTechEd NZ 2014: Intelligent Systems Service - Concept, Code and Demo
TechEd NZ 2014: Intelligent Systems Service - Concept, Code and Demo
Intergen
 
NFA - Middle East Workshop
NFA - Middle East WorkshopNFA - Middle East Workshop
NFA - Middle East Workshop
ManageEngine, Zoho Corporation
 
Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...
Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...
Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...
Liz Warner
 
Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...
Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...
Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...
Liz Warner
 
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
Splunk
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
csching
 
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Kevin Mao
 
Monitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs MarsMonitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs Mars
amit_monty
 
Core intel
Core intelCore intel
Core intel
Krzysztof Adamski
 
Application Programming Interface
Application Programming InterfaceApplication Programming Interface
Application Programming Interface
Seculert
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 
Enabling SDN for Service Providers by Khay Kid Chow
Enabling SDN for Service Providers by Khay Kid ChowEnabling SDN for Service Providers by Khay Kid Chow
Enabling SDN for Service Providers by Khay Kid Chow
MyNOG
 
ArcSight Basics.ppt
ArcSight Basics.pptArcSight Basics.ppt
ArcSight Basics.ppt
neoalt
 
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
[DSC Europe 23] Pramod Immaneni - Real-time analytics at IoT scale
DataScienceConferenc1
 
ESM_101_6.9.0.pdf
ESM_101_6.9.0.pdfESM_101_6.9.0.pdf
ESM_101_6.9.0.pdf
Protect724v2
 
ESM 101 (ESM v6.9.1c)
ESM 101 (ESM v6.9.1c)ESM 101 (ESM v6.9.1c)
ESM 101 (ESM v6.9.1c)
Protect724tk
 
5.2 QRadar_Architecture_-_General123.pdf
5.2 QRadar_Architecture_-_General123.pdf5.2 QRadar_Architecture_-_General123.pdf
5.2 QRadar_Architecture_-_General123.pdf
MuhammadAmir785555
 
Opmanager Workshop - Middle East
Opmanager Workshop - Middle EastOpmanager Workshop - Middle East
Opmanager Workshop - Middle East
ManageEngine, Zoho Corporation
 
Data Streaming in Kafka
Data Streaming in KafkaData Streaming in Kafka
Data Streaming in Kafka
SilviuMarcu1
 
Why and how to engage a Complex Event Processor from a Java Web Application
Why and how to engage a Complex Event Processor from a Java Web ApplicationWhy and how to engage a Complex Event Processor from a Java Web Application
Why and how to engage a Complex Event Processor from a Java Web Application
Lucas Jellema
 
TechEd NZ 2014: Intelligent Systems Service - Concept, Code and Demo
TechEd NZ 2014: Intelligent Systems Service - Concept, Code and DemoTechEd NZ 2014: Intelligent Systems Service - Concept, Code and Demo
TechEd NZ 2014: Intelligent Systems Service - Concept, Code and Demo
Intergen
 
NFA - Middle East Workshop
NFA - Middle East WorkshopNFA - Middle East Workshop
NFA - Middle East Workshop
ManageEngine, Zoho Corporation
 
Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...
Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...
Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...
Liz Warner
 
Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...
Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...
Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...
Liz Warner
 
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
Splunk
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
csching
 
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Achieving Real-time Ingestion and Analysis of Security Events through Kafka a...
Kevin Mao
 
Monitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs MarsMonitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs Mars
amit_monty
 
Core intel
Core intelCore intel
Core intel
Krzysztof Adamski
 
Application Programming Interface
Application Programming InterfaceApplication Programming Interface
Application Programming Interface
Seculert
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 
Enabling SDN for Service Providers by Khay Kid Chow
Enabling SDN for Service Providers by Khay Kid ChowEnabling SDN for Service Providers by Khay Kid Chow
Enabling SDN for Service Providers by Khay Kid Chow
MyNOG
 
Ad

Recently uploaded (20)

Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
James Francis Paradigm Asset Management
 
CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...
CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...
CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...
ThanushsaranS
 
chapter3 Central Tendency statistics.ppt
chapter3 Central Tendency statistics.pptchapter3 Central Tendency statistics.ppt
chapter3 Central Tendency statistics.ppt
justinebandajbn
 
IAS-slides2-ia-aaaaaaaaaaain-business.pdf
IAS-slides2-ia-aaaaaaaaaaain-business.pdfIAS-slides2-ia-aaaaaaaaaaain-business.pdf
IAS-slides2-ia-aaaaaaaaaaain-business.pdf
mcgardenlevi9
 
Ch3MCT24.pptx measure of central tendency
Ch3MCT24.pptx measure of central tendencyCh3MCT24.pptx measure of central tendency
Ch3MCT24.pptx measure of central tendency
ayeleasefa2
 
DPR_Expert_Recruitment_notice_Revised.pdf
DPR_Expert_Recruitment_notice_Revised.pdfDPR_Expert_Recruitment_notice_Revised.pdf
DPR_Expert_Recruitment_notice_Revised.pdf
inmishra17121973
 
Thingyan is now a global treasure! See how people around the world are search...
Thingyan is now a global treasure! See how people around the world are search...Thingyan is now a global treasure! See how people around the world are search...
Thingyan is now a global treasure! See how people around the world are search...
Pixellion
 
183409-christina-rossetti.pdfdsfsdasggsag
183409-christina-rossetti.pdfdsfsdasggsag183409-christina-rossetti.pdfdsfsdasggsag
183409-christina-rossetti.pdfdsfsdasggsag
fardin123rahman07
 
Calories_Prediction_using_Linear_Regression.pptx
Calories_Prediction_using_Linear_Regression.pptxCalories_Prediction_using_Linear_Regression.pptx
Calories_Prediction_using_Linear_Regression.pptx
TijiLMAHESHWARI
 
Molecular methods diagnostic and monitoring of infection - Repaired.pptx
Molecular methods diagnostic and monitoring of infection - Repaired.pptxMolecular methods diagnostic and monitoring of infection - Repaired.pptx
Molecular methods diagnostic and monitoring of infection - Repaired.pptx
7tzn7x5kky
 
computer organization and assembly language.docx
computer organization and assembly language.docxcomputer organization and assembly language.docx
computer organization and assembly language.docx
alisoftwareengineer1
 
Cleaned_Lecture 6666666_Simulation_I.pdf
Cleaned_Lecture 6666666_Simulation_I.pdfCleaned_Lecture 6666666_Simulation_I.pdf
Cleaned_Lecture 6666666_Simulation_I.pdf
alcinialbob1234
 
Minions Want to eat presentacion muy linda
Minions Want to eat presentacion muy lindaMinions Want to eat presentacion muy linda
Minions Want to eat presentacion muy linda
CarlaAndradesSoler1
 
Ppt. Nikhil.pptxnshwuudgcudisisshvehsjks
Ppt. Nikhil.pptxnshwuudgcudisisshvehsjksPpt. Nikhil.pptxnshwuudgcudisisshvehsjks
Ppt. Nikhil.pptxnshwuudgcudisisshvehsjks
panchariyasahil
 
AI Competitor Analysis: How to Monitor and Outperform Your Competitors
AI Competitor Analysis: How to Monitor and Outperform Your CompetitorsAI Competitor Analysis: How to Monitor and Outperform Your Competitors
AI Competitor Analysis: How to Monitor and Outperform Your Competitors
Contify
 
Stack_and_Queue_Presentation_Final (1).pptx
Stack_and_Queue_Presentation_Final (1).pptxStack_and_Queue_Presentation_Final (1).pptx
Stack_and_Queue_Presentation_Final (1).pptx
binduraniha86
 
Defense Against LLM Scheming 2025_04_28.pptx
Defense Against LLM Scheming 2025_04_28.pptxDefense Against LLM Scheming 2025_04_28.pptx
Defense Against LLM Scheming 2025_04_28.pptx
Greg Makowski
 
GenAI for Quant Analytics: survey-analytics.ai
GenAI for Quant Analytics: survey-analytics.aiGenAI for Quant Analytics: survey-analytics.ai
GenAI for Quant Analytics: survey-analytics.ai
Inspirient
 
FPET_Implementation_2_MA to 360 Engage Direct.pptx
FPET_Implementation_2_MA to 360 Engage Direct.pptxFPET_Implementation_2_MA to 360 Engage Direct.pptx
FPET_Implementation_2_MA to 360 Engage Direct.pptx
ssuser4ef83d
 
Simple_AI_Explanation_English somplr.pptx
Simple_AI_Explanation_English somplr.pptxSimple_AI_Explanation_English somplr.pptx
Simple_AI_Explanation_English somplr.pptx
ssuser2aa19f
 
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
Safety Innovation in Mt. Vernon A Westchester County Model for New Rochelle a...
James Francis Paradigm Asset Management
 
CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...
CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...
CTS EXCEPTIONSPrediction of Aluminium wire rod physical properties through AI...
ThanushsaranS
 
chapter3 Central Tendency statistics.ppt
chapter3 Central Tendency statistics.pptchapter3 Central Tendency statistics.ppt
chapter3 Central Tendency statistics.ppt
justinebandajbn
 
IAS-slides2-ia-aaaaaaaaaaain-business.pdf
IAS-slides2-ia-aaaaaaaaaaain-business.pdfIAS-slides2-ia-aaaaaaaaaaain-business.pdf
IAS-slides2-ia-aaaaaaaaaaain-business.pdf
mcgardenlevi9
 
Ch3MCT24.pptx measure of central tendency
Ch3MCT24.pptx measure of central tendencyCh3MCT24.pptx measure of central tendency
Ch3MCT24.pptx measure of central tendency
ayeleasefa2
 
DPR_Expert_Recruitment_notice_Revised.pdf
DPR_Expert_Recruitment_notice_Revised.pdfDPR_Expert_Recruitment_notice_Revised.pdf
DPR_Expert_Recruitment_notice_Revised.pdf
inmishra17121973
 
Thingyan is now a global treasure! See how people around the world are search...
Thingyan is now a global treasure! See how people around the world are search...Thingyan is now a global treasure! See how people around the world are search...
Thingyan is now a global treasure! See how people around the world are search...
Pixellion
 
183409-christina-rossetti.pdfdsfsdasggsag
183409-christina-rossetti.pdfdsfsdasggsag183409-christina-rossetti.pdfdsfsdasggsag
183409-christina-rossetti.pdfdsfsdasggsag
fardin123rahman07
 
Calories_Prediction_using_Linear_Regression.pptx
Calories_Prediction_using_Linear_Regression.pptxCalories_Prediction_using_Linear_Regression.pptx
Calories_Prediction_using_Linear_Regression.pptx
TijiLMAHESHWARI
 
Molecular methods diagnostic and monitoring of infection - Repaired.pptx
Molecular methods diagnostic and monitoring of infection - Repaired.pptxMolecular methods diagnostic and monitoring of infection - Repaired.pptx
Molecular methods diagnostic and monitoring of infection - Repaired.pptx
7tzn7x5kky
 
computer organization and assembly language.docx
computer organization and assembly language.docxcomputer organization and assembly language.docx
computer organization and assembly language.docx
alisoftwareengineer1
 
Cleaned_Lecture 6666666_Simulation_I.pdf
Cleaned_Lecture 6666666_Simulation_I.pdfCleaned_Lecture 6666666_Simulation_I.pdf
Cleaned_Lecture 6666666_Simulation_I.pdf
alcinialbob1234
 
Minions Want to eat presentacion muy linda
Minions Want to eat presentacion muy lindaMinions Want to eat presentacion muy linda
Minions Want to eat presentacion muy linda
CarlaAndradesSoler1
 
Ppt. Nikhil.pptxnshwuudgcudisisshvehsjks
Ppt. Nikhil.pptxnshwuudgcudisisshvehsjksPpt. Nikhil.pptxnshwuudgcudisisshvehsjks
Ppt. Nikhil.pptxnshwuudgcudisisshvehsjks
panchariyasahil
 
AI Competitor Analysis: How to Monitor and Outperform Your Competitors
AI Competitor Analysis: How to Monitor and Outperform Your CompetitorsAI Competitor Analysis: How to Monitor and Outperform Your Competitors
AI Competitor Analysis: How to Monitor and Outperform Your Competitors
Contify
 
Stack_and_Queue_Presentation_Final (1).pptx
Stack_and_Queue_Presentation_Final (1).pptxStack_and_Queue_Presentation_Final (1).pptx
Stack_and_Queue_Presentation_Final (1).pptx
binduraniha86
 
Defense Against LLM Scheming 2025_04_28.pptx
Defense Against LLM Scheming 2025_04_28.pptxDefense Against LLM Scheming 2025_04_28.pptx
Defense Against LLM Scheming 2025_04_28.pptx
Greg Makowski
 
GenAI for Quant Analytics: survey-analytics.ai
GenAI for Quant Analytics: survey-analytics.aiGenAI for Quant Analytics: survey-analytics.ai
GenAI for Quant Analytics: survey-analytics.ai
Inspirient
 
FPET_Implementation_2_MA to 360 Engage Direct.pptx
FPET_Implementation_2_MA to 360 Engage Direct.pptxFPET_Implementation_2_MA to 360 Engage Direct.pptx
FPET_Implementation_2_MA to 360 Engage Direct.pptx
ssuser4ef83d
 
Simple_AI_Explanation_English somplr.pptx
Simple_AI_Explanation_English somplr.pptxSimple_AI_Explanation_English somplr.pptx
Simple_AI_Explanation_English somplr.pptx
ssuser2aa19f
 
Ad

Q radar architecture deep dive

  • 1. How QRadar SIEM Collects Security Data Luis Latas WW Technical Sales Enablement
  • 2. QRadar Data Flow - Overall
  • 3. From an Appliance Perspective Event Collector Capabilities Event Collector (ecs-ec-ingress) Event Collector (ecs-ec)
  • 4. From an Appliance Perspective Event/Flow Processor Capabilities Event Collector (ecs-ec-ingress) + Event Collector (ecs-ec) Event Processor (ecs-ep)
  • 5. From an Appliance Perspective AIO/Console Capabilities Event Collector (ecs-ec-ingress) + Event Collector (ecs-ec) Event Processor (ecs-ep) Magistrate
  • 6. High-level component architecture and data stores Flow and event data is stored in the Ariel database on the event processors – If accumulation is required, accumulated data is stored in Ariel accumulation data tables – As soon as data is stored, it cannot be changed (tamper proof) – Data can be selectively indexed Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console – Provides one master database with copies on each processor for backup and automatic restore Secure SSH communication between appliances in a distributed environment is supported Console services User interface Magistrate Reporting Event processor Flow collector Event collector Identities Assets Offenses Configuration Flows Events Accumulations Network packet interface, sFlow, and 3rd party Events from log sources 6
  • 7. QRadar Data Flow - Overall IBM Security / © 2020 IBM Corporation 7
  • 8. Collecting and Normalizing raw events An event is a record from a device that describes an action on a network or host. QRadar SIEM normalizes the varied information found in raw events. – Normalizing means to map information to common field names, for example: • SRC_IP, Source, IP, and others are normalized to Source IP. • user_name, username, login, and others are normalized to Username. – Normalized events are mapped to high-level and low-level categories to facilitate further processing. – After raw events are normalized, it is easy to search, report, and cross-correlate these normalized events.
  • 9. 9 Event data pipeline IBM Security / © 2020 IBM Corporation Event data is sent to or pulled by QRadar Event Collector Ingress – Responsible for collecting data at all times (zero event loss) Data is collected and buffered during patch and deploys and processed once the operation is complete Protocols – Reads or pulls raw data from network devices (e.g: Windows Servers, Firewalls, etc) Throttle Filter - Licensing - On a second-by- second basis, slows down the incoming rate so it does not exceed the license on the appliance. Events are sent to ecs-ec-parse to be parsed Event Data Protocols Throttle Filter Licensing Event Collector – Ingress (ecs- ec-ingress) Event Collector (ecs-ec)
  • 10. 10 Event data pipeline IBM Security / © 2020 IBM Corporation Parsing (DSM, LSX, CEP) Coalescing Forwarding Log Only/Data Sore Event Collector (ecs-ec) Event Processor Event data is received from the ecs-ec-ingress Parsing – DSMs / LSX / CEP – take the raw data and normalize it into a common structure. Coalescing - “Event Compression”. Find nearly identical events and delete one and increase the event count on the record. Key is: source IP, dest IP, dest port, QID, username Forwarding - Applies routing rules for the system, such as sending event data to offsite targets, external Syslog systems, JSON systems, and other SIEMs. Log Only/Data Store supports the storage of an unlimited number of logs without counting against the EPS License Event Collector – Ingress (ecs- ec-ingress) Events are then sent to the Event Processor component and pass through the Custom Rules Engine (CRE).
  • 11. Events not counted against the EPS licenses - The list of log source types that do not incur EPS hits are as follows: - System Notification - Custom Rule Engine (CRE) - SIM Audit - Anomaly Detection Engine - Asset Profiler - Search Results from scheduled searches - Health Metrics - Sense DSM - Risk Manager questions, Simulations and internal logging - Log Only/Data Store - Supports the storage of an unlimited number of logs without counting against the EPS QRadar SIEM license - Enables an organization to build custom apps and reports based on this stored data to gain deeper insights into IT environments.
  • 12. Event Coalescing - Event Coalescing is a method of reducing the data going through the pipeline. - As data arrives in the pipeline QRadar will attempt to group like events together into a single event. - Coalescing occurs after licensing and parsing - Coalescing is indexed by Log Source, QID, Source IP, Destination IP, Destination Port and Username. - If more than 4 events arrive within a 10 second window with these properties being identical any additional events beyond the 4th will be collapsed together. - Coalesced events can be identified by looking at the Event Count column in the log viewer, if the Event Count is >1 the event has been coalesced. - Coalescing can be turned on or off per log source or by changing the default setting in the system setting page.
  • 13. QRadar Data Flow - Overall 13 © Copyright IBM Corporation 2017
  • 14. Flow collection and processing A flow is a communication session between two hosts QFlow Collectors read packets from the wire or receive flows from other devices QFlow Collectors convert all gathered network data to flow records similar normalized events; they include such details as: – when, who, how much, protocols, and options.
  • 15. Flow pipeline Flows Qflow Asymmetric Recombination De-Duplication Flow Governor (Licensing) CFP Parsing Flow Forwarding Event Collector Event Processor The QFlow component collects and creates flow information from internal and external flow sources Event Collector – Responsible for parsing and normalizing incoming flows Asymmetric recombination - Responsible for combining two sides of each flow when data is provided asymmetrically Deduplication - Flow deduplication is a process that removes duplicate flows when multiple Flow Collectors provide data to Flow Processors appliances. Flow Governor - Monitors the number of incoming flows to the system to manage input queues and licensing. Custom flow properties – extracts any properties defined in the Custom Flow Properties Forwarding - Applies routing rules for the system, such as sending flow data to offsite targets, external Syslog systems, JSON systems, and other SIEMs. Flows are then sent to the Event Processor component and pass through the Custom Rules Engine (CRE). They are tested and correlated against the rules that are configured
  • 16. 16 IBM Security / © 2020 IBM Corporation QRadar Data Flow - Overall
  • 17. Event & Flow Correlation and Processing Event Collector Licensing CRE Storage and Indexing Host Profiling Real Time streaming Event Processor Magistrate Asset Profiler Ariel Licensing is applied again on ingress to the EP After Events and Flows are normalized they are then sent to the Event Processor for processing The CRE or Custom Rules Engine Applies the correlation rules that were created in the UI. Flow data is then sent to the Ariel Database for storage. Host Profiling – Also called passive profiling or passive scanning. Watches flows on the network in order to make educated guesses about which IPs/assets exist and what ports are open. Streaming – Responsible for the “real time (streaming)” view in User Interface If an event matches a rule, the Magistrate component generates the response that is configure in the custom rule
  • 18. QRadar Data Flow - Overall IBM Security / © 2020 IBM Corporation 18
  • 19. Magistrate • The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then brought to the analyst’s attention in the interface • The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that triggered the creation of an offense • The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets based on information from the EPs • The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are then used for offense evaluation
  • 20. Ariel Components Ariel Ariel Event Processor Accumulator Historical Correlation Ariel Proxy Server Ariel Query Server Offline Forwarder Report Runner
  • 21. Ariel Components Ariel Proxy Server Console Ariel query Server Managed Host Ariel query Server Managed Host Ariel Components Ariel Ariel Ariel
  • 22. Asset and Vulnerability Flow ecs-ep Event Processor Scanners/QVM/3rd Party ecs-ec (event collector Asset Profiler vis (Vulnerability integration service) Identity Data Passive Profiling POSTGRES
  • 23. Gathering asset information Active scanners QRadar Vulnerability Manager scanner, Nessus, Nmap, Qualys, and others Provide: • List of hosts with risks and potential vulnerabilities • IP and MAC addresses • Open ports • Services and versions • Operating system Pros • Detailed host information • Policy and compliance information Cons • Out of date quickly • Full network scans can take weeks • Active scanners cannot scan past firewalls • User can hide from active scans Passive detection Flows from QFlow, or other flow sources in accounting technologies such as IPFIX/NetFlow, sFlow, and others Provide: • IP addresses in use • Open ports in use Pros • Real-time asset profile updates • Firewalls have no impact • End system cannot hide • Policy and compliance information Cons • Not as detailed as active scans • Does not detect installed but unused services or ports
  • 24. Hostcontext Reporting Executor Report Runner Tomcat “Owns” the host it is responsible for starting and stopping processes and for overall system health and backups. A stopwatch responsible for keeping track of reports and when they should run and then instantiating the report runner The process that actually generates the reports, querying postgres, Ariel, etc. Process that drives our web UI and serves up web pages. Historical Correlation Processor Process that is responsible for historical correlation. Runs a specified search, runs the results through CRE rules (based on QRadar time or device time) and generates offenses The Remainder
  • 25. QRadar Data Flow - Overall
  • 26. © Copyright IBM Corporation 2020. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty, of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. Thank you Follow us on: ibm.com/security securityintelligence.com ibm.com/security/community xforce.ibmcloud.com @ibmsecurity youtube.com/ibmsecurity