
IBM Security Qradar SIEM Workshop

Self-Paced Virtual Course


LAB Exercises
All files and material for this course are IBM copyright property covered by the following copyright
notice. © Copyright IBM Corp. 2017. All Rights Reserved.

US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM
Corp.

IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks
is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now
part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium,
and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other
countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other
countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is
registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is
used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the
U.S. and other countries.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express
or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM
without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication
or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties
or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software.

References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which
IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature
availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that
any activities undertaken by you will result in any specific sales, revenue growth, savings or other results.

© Copyright IBM Corp. 2017 Student Exercises


Course materials may not be reproduced in whole or in part without the prior written permission of IBM
Contents
Starting your Class Environment ............................................................................................................... 4
LAB 1 - Discovering a Log Source Automatically ............................................................................... 5
LAB 2 - Create a Search .......................................................................................................................... 8
LAB 3 - Saving a Search and adding it to the Dashboard...................................................................11
LAB 4 – Viewing Offenses .....................................................................................................................15
LAB 5 – Creating Reports ......................................................................................................................18
LAB 6 – Creating Rules ..........................................................................................................................23
LAB 7 - Extension Management Exercises........................................................................................31
LAB 8 - DSM Editor ...................................................................................................................................36

Starting your Class Environment
1. Access the IBM QRadar 7.3.0 Virtual Image using the .vmx file provided by the
instructor, using the login details below.

2. Your URL should be https://172.16.60.10

3. Login to the UI using the following credentials: Username: admin Password: q1d3m0

4. To access the QRadar Console via the command line, click on PuTTY (located on
your desktop)

Select QRadar Console -> Open

Use the following credentials to login to the QRadar Console via PuTTY:
Username: root
Password: q1d3m0

LAB 1 - Discovering a Log Source Automatically
In this exercise you will send data to QRadar and see how QRadar
automatically discovers a log source

Discovering a Log Source Automatically


To discover a new log source perform the following steps:
1. Open your web browser and login to QRadar - https://172.16.60.10
2. Click the Admin Tab
3. Double click the Log Sources icon

4. Verify that there are no log sources currently in the system

5. On the QRadar UI click on the “Log Activity Tab”
6. Verify if there are any events running (at this point you should only be seeing
“System Audit Messages”)
7. Double click on PuTTY to open a session to the QRadar SIEM server.

8. Double click on the QRadar SIEM and enter the credentials username root
and password q1d3m0
9. Generate events

From the PuTTY command line, type the following commands:

cd /labfiles

./sendevents start

Wait a couple of minutes until the service starts

10. In the User Interface -> Log Activity Tab view the events being fed into
QRadar

First events come in as type “Unknown log event” from log source SIM Generic Log
DSM-7 but change to several Log Source types once QRadar finishes
autodiscovering these log sources

11. Click the Admin Tab. Repeat Steps 3 and 4.

Verify that there are several Log Sources listed and Autodiscovery = True

Once a Log Source is discovered (or explicitly configured) it remains in the
system unless it is disabled or removed

LAB 2 - Create a Search
In this exercise you will learn the basics of searching for data
(This lab works best if you let the script from the previous lab run for at least 5 mins)

Create a Search

1. Double click the Log Activity tab

(double clicking resets the tab to its default state)

2. Open the QuickSearches pulldown and select

Firewall Deny by DST IP – Last 6 Hours

Hint: Clicking (Hide Charts) below the charts lets you see more
events. Which IP is responsible for the majority of your firewall denies?

3. Right-click on the destination IP responsible for the most events and
select Filter on Destination IP is <IP addr>

4. Open the Display pulldown and select Source IP

5. Open the View pulldown and select Last 5 Minutes. Note how the display
changes

6. Double click any row to open a new window that expands the events aggregated
in that row.

7. Continue double clicking until you get to the event details window. Look at the
information in the event details window:

- Normalized properties (fields) including Custom Properties
- Raw payload
- Rules Matched

8. Close the event details window, and all child windows, until you return to the main
Log Activity Window

9. Click the (Clear Filter) link next to the Dest IP is <addr> at the top

10. Open the View pulldown and again select last 6 hours

LAB 3 - Saving a Search and adding it to the Dashboard
In this exercise you will learn the basics of saving a search and making it available
to the Dashboard

You will save the criteria from the previous search

Save a Search

1. Click Save Criteria at the top of your search window

a. For Search Name: type AAA<Your Name>

b. Set the checkboxes for Include in my Quicksearches, Share with everyone,
Include in My Dashboard

c. Click OK

2. Add the search to the Dashboard

a. Click the Dashboard tab, click New Dashboard, and name the
new dashboard – “My New Dashboard”

b. Click OK

c. Click Add Item > Log Activity > Event Searches

Select the search name you saved in the previous steps Hint: if you don’t
see any data in the item, you may have to restart the script in Lab 1

d. Open the configuration button and toggle between Bar Chart, Pie Chart
and Table

e. Change the Value To Graph to “Event Count (Sum)”

f. Click Capture Time Series Data check box and click Save

g. Once you receive a warning, select Log Activity Tab and click
“Save Criteria” from the top tool bar.

h. Dashboard should start displaying data within a couple of minutes

i. Add additional items: Offenses > Offenses > Most Severe
Offenses and System Summary

j. Reposition the items on the dashboard by dragging them by their title bars

k. Select different dashboards to see sample arrangements

LAB 4 – Viewing Offenses
In this exercise you will learn what information you can gather by viewing the offenses in
detail.

Viewing Offenses
1. Click the Offenses tab.

2. Locate an offense with “Multiple Login Failures for the Same User
preceded by Login Failures Followed By Success from the same
Username containing LOGON failed” and double click it

3. Examine the information presented in the Offense Details Screen

a) How many events are associated with this offense?

b) What specific events are associated with this offense?

c) Is the username involved with any other offenses?
d) When did this offense begin, and how long has it been going on?

4. Click All Offenses (on the left menu) to see all the offenses
5. Ctrl-click to select Offenses 2 and 3
6. Pull down Actions and select Close

7. In “Close Offense” select Non-Issue and type in “Non-issue” in the Note field.
8. Click OK
9. Click OK in the Close Offense popup
10. To see closed offenses, clear Exclude Closed Offenses filter at top

LAB 5 – Creating Reports
In this exercise you will learn how to create a report from a saved search

Creating Reports
1. Click Reports tab

2. Uncheck Hide Inactive Reports checkbox at top

3. Open Reporting Groups pulldown and review the report groups

Before starting the Report wizard, make note of the system date and time by
hovering over System Time in the upper right of the GUI.

4. Start the report wizard. Open the Actions pulldown and select Create

5. In the Report Wizard, click Next, select Manually, and click Next

6. Leave orientation as Landscape, select two-container layout. Click Next

7. Enter My Report as the report title


8. Select Chart Type Events/Logs in the top container
9. Enter FW Denies – Pie as the Chart Title

Under Manual Scheduling

10. Set the Start Date / Time to 1 day before the current system time
11. Set the End Date / Time to the current system time

12. Under Saved Searches -> Select the search you saved in Lab 3 from the list
of saved searches

13. Scroll down to Additional Details – > Choose Graph Type Pie, and Limit
Events/Logs to Top 20

14. Click Save Container Details


15. Select Chart Type Events/Logs in the bottom container
16. Enter FW Denies – Table as the Chart Title
17. Set the Start Date / Time to 1 day before the current system time
18. Set the End Date / Time to the current system time
19. Choose the search you saved in Lab 3 from the list of saved searches
20. Scroll down to Additional Details -> Choose Graph Type Table, and Limit
Events/Logs to Top 30
21. Click Save Container Details
22. Click Next. Click Next again at the Layout Preview

23. Click Next, Next and Finish
24. Check PDF, HTML, and RTF for the output format. Click Next
25. Click Next at the Report Distribution Channels screen
26. Click Next, Next and Finish
27. The report will start automatically. Click the refresh icon on the main report
screen.

28. When the report is completed, click the HTML icon next to the report to view
your output

LAB 6 – Creating Rules
In this lab, you will create and test a rule to launch an offense

Creating Rules
1. From the Admin Tab double click on the Reference Set Management Icon

2. Click on Add button and name the Reference Set “Watchlist User”
3. Select Alphanumeric as the Type of the reference set
4. Click Create
5. Locate the “Watchlist User” reference set and double-click to open it.
6. Click Add
7. Enter the following usernames
luigi, fred_arliss, roy.fulmer, kbujak

Make sure that you use the separator character comma (,)

8. Click Add
9. Your reference set should look like the image below

10. Double click the Log Activity tab

11. Open the Rules pulldown and select Rules

12. In the Rules List window open Actions pulldown and select New Event
Rule
13. In the Rule Wizard, click Next twice
14. In the Type to filter window (below the Test Group) type ref


15. Double click test “when any of these event properties are contained in any of
these reference set(s)” to add it to the middle window.

16. In the middle window, type “AAA <Your Name> Watchlist User Activity” in
the (enter rule name here) field

17. Click the green “these event properties” in the test. In the popup
window, find the Username property, select it and click Add and Submit

18. Click the green, underlined “these reference set(s)” in the test. In the
popup window, find “Watchlist User” reference set, select and click Add
and Submit
19. In the Group window, add the rule to the Suspicious group, and in the notes
window, add the description “Rule tracks activity of terminated users”
20. Click Next
21. In the Rule Response window -> Rule Action, check “Ensure the detected
event is part of an offense”. Index the Offense based on Username.
Check “Annotate this offense” and add the annotation “Watchlist user
activity”

22. In the Rule Response -> Rule Response window, check “Dispatch New Event”.
23. In the Event Name box type “Login Activity Detected for Terminated User”
24. In the Event Description box type “Login Activity Detected for Terminated
User”.
25. Change the High Level Category to Authentication and Low-Level Category to
User Login Attempt.
26. Check “Annotate this offense” and add the annotation “Watchlist user activity”.
27. Check the box Ensure the dispatched event is part of an offense.
28. Index Offense based on Username.
29. In offense Naming check the button This information should contribute to the name
of the associated offense(s).

30. Review the Rule Summary prior to saving it

31. Click Next and Finish
32. Test the Rule - In your PuTTY window, type:
a. cd /labfiles
b. ./sendWindows.sh
c. (allow at least five minutes for the offenses to create)
d. Verify that your rule is generating offenses
33. Click the Offenses tab, Click Rules on the left side
a. In the Rule you created, verify Event/Flow and Offense counts are nonzero

34. Go to the Log Activity tab, open the View: pulldown and select Last Hour
35. Click Add Filter
Select Parameter=Custom Rule (Indexed), Operator
=Equals, Rule Group=Suspicious,
and Rule = AAA <Your Name> Watchlist User Activity

36. Note the usernames that triggered the rules

37. Click the offense icon in the left side of an event to be taken to the offense
details. Examine the offense details and note the offense number
38. Double click Offenses tab. Locate the offense in the context of other offenses
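The rule built in steps 12 to 29 can be modelled in a few lines of code to see why it produces one offense per watchlisted user. The Python below is an added example written for this page; it is not QRadar code and not part of the lab files. It evaluates the reference-set test against a constructed batch of events (hypothetical logon records, not the output of sendWindows.sh), indexes the resulting offenses by Username, dispatches the new event with the categories chosen in steps 23 to 25 and annotates each offense. The function names (rule_matches, run_rule) and the event field names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed reference set mirroring the "Watchlist User" set built in steps 1-8
# (an Alphanumeric reference set, whose membership test is case-sensitive).
WATCHLIST_USER = {"luigi", "fred_arliss", "roy.fulmer", "kbujak"}

# Constructed sample events (hypothetical logon records, not what sendWindows.sh sends).
SAMPLE_EVENTS = [
    {"username": "luigi",  "event_name": "Logon Success", "source_ip": "10.1.1.5"},
    {"username": "alice",  "event_name": "Logon Success", "source_ip": "10.1.1.6"},
    {"username": "luigi",  "event_name": "Logon Failure", "source_ip": "10.1.1.7"},
    {"username": "Luigi",  "event_name": "Logon Success", "source_ip": "10.1.1.8"},
    {"username": "kbujak", "event_name": "Logon Success", "source_ip": "10.1.1.9"},
    {"username": None,     "event_name": "Logon Failure", "source_ip": "10.1.1.10"},
]

# Rule response settings transcribed from steps 22-26 of the lab.
DISPATCHED_EVENT = {
    "event_name": "Login Activity Detected for Terminated User",
    "description": "Login Activity Detected for Terminated User",
    "high_level_category": "Authentication",
    "low_level_category": "User Login Attempt",
}
ANNOTATION = "Watchlist user activity"


def rule_matches(event, reference_set=WATCHLIST_USER):
    """The test 'when any of these event properties are contained in any of these
    reference set(s)', with Username as the only selected property (steps 15-18).
    An event with no parsed Username can never satisfy the test."""
    username = event.get("username")
    return username is not None and username in reference_set


def run_rule(events, reference_set=WATCHLIST_USER):
    """Evaluate the rule over a batch of events and return the offenses it produces.

    Offenses are indexed by Username (steps 21 and 28), so every matching event for
    the same user folds into one offense. Each match also dispatches the new event
    from steps 22-25, which joins the same offense (step 27), and the offense is
    annotated (step 26) and named after the dispatched event (step 29)."""
    offenses = defaultdict(lambda: {"events": [], "dispatched": [],
                                    "annotations": set(), "name": None})
    for event in events:
        if not rule_matches(event, reference_set):
            continue
        offense = offenses[event["username"]]
        offense["events"].append(event)
        offense["dispatched"].append(dict(DISPATCHED_EVENT, username=event["username"]))
        offense["annotations"].add(ANNOTATION)
        offense["name"] = DISPATCHED_EVENT["event_name"]
    return dict(offenses)


if __name__ == "__main__":
    for user, offense in run_rule(SAMPLE_EVENTS).items():
        print(user, offense["name"], len(offense["events"]), "event(s)")
```

Two details worth checking in the lab UI against this model: the "Luigi" record does not match because an Alphanumeric reference set compares case-sensitively (QRadar offers a separate ignore-case type for that), and the record with no Username never enters an offense at all, which is why step 36 only lists usernames that exist in the reference set exactly as entered.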

LAB 7 - Extension Management Exercises
In this lab, you will install an extension to QRadar

Extension Management Exercises

In this exercise, you learn how to manage QRadar Extensions. After you download your
app from the IBM Security App Exchange, you can use the IBM Security
QRadar Extension Management tool to install and manage it on your QRadar Console.

Use the QRadar Extension Management tool on the Admin tab to do the following app
management tasks:

• Upload and install your app to your QRadar Console
• Use your installed app
• Assign required capabilities for your app
• Uninstall your app

Exercise 1 Uploading and installing your app

1. Double click the folder App Extension located on your Virtual Desktop
environment.

2. You should see the IncidentOverview-1.0.1.zip in the App Extension folder.

3. On the Admin tab, click Extension Management.

4. In the Extension Management window, click Add and browse to select the app
IncidentOverview-1.0.1.zip archive to upload to the console.

5. Select the Install immediately check box, if you want QRadar to install the app
right away.

Before the app is installed, a preview list of the content items is displayed.

6. To preview the contents of an app after it is added and before it is installed,
select it from the list of extensions, and click More Details. Expand the folders
to view the individual content items in each group.
7. Click Install to install the app. This process may take a few minutes to
complete.
8. Once the app is installed you should receive the following notice.

9. Click OK.

Exercise 2 Using your installed app

1. Log back on to the QRadar user interface using admin as user and q1d3m0 as
password.
2. From the Admin Tab, double click on the Authorized Services Icon
3. Click on “Add Authorized Service”
4. Type in “Incident_Overview” in the Service Name
5. Select User Role and Security Profile Admin
6. Check the box for “No Expiry”
7. Click on Create Service
8. From the Admin Tab select Deploy Changes
9. Copy the Selected token for Incident_Overview onto a notepad
10. Click on the Offenses Tab
11. The Incident Overview Tab should now be visible

12. Click on the Incident Overview button


13. Click on the Configure link
14. Paste the Selected Token using the

15. Click Save
16. From your PuTTY window, type:

cd /labfiles

./sendevents start

17. Wait a few minutes until you start seeing Recent Incidents page being populated
with Incident information.

18. Click on any offense to see more details

LAB 8 - DSM Editor
In this lab, you will learn how to use the DSM Editor to create a Log Source Extension

DSM Editor Exercises


In this exercise, you learn how to use the DSM Editor to create a log source extension to
extend support for new log source types.
Scenario:
A customer has an IPS device, Reflex Command Center, which we do not have a DSM
for, but they want to collect events from.
This involves an extra step at the beginning to create a new custom log source type, but
is otherwise a similar exercise of:
- Defining standard/normalized property parsing (IPs, ports, MACs,
username, log source time, etc., plus event ID and event category for
QIDmap lookups)
- Setting any desired identity association for specific events (event
ID/event category combinations)
- Mapping the event ID/event category combinations to QIDs (these can be
existing system-provided QIDs, or new custom ones)
- Adding custom property parsing

1. Double-click the Firefox icon on the desktop.

2. Log in to the QRadar Console with username admin and password q1d3m0.

3. Navigate to the Admin tab and click the DSM Editor icon in the Data Sources
section.

4. Click the Create New button in the bottom left of the Select Log Source Type
dialog.

5. Use the name 'Reflex Command Center' and click Save. Select your new log
source type from the list.

6. Put the Workspace in Edit mode by clicking on

7. On the Student machine desktop, double-click on the DSM Editor Sample
Files Folder.

8. Navigate until you find the file CEI-Reflex-Events2.txt

9. Open the file CEI-Reflex-Events2.txt

10. Copy and paste the contents of CEI-Reflex-Events2.txt into the DSM Editor
Workspace

a. Select all events from the file CEI-Reflex-Events2.txt

11. You may need to use the Virtual Keyboard to copy and paste the contents of
this file.

a. Click on the Keyboard and then “Show Keyboard”

b. Select CTRL C to copy the contents of the file

c. Paste the contents in the Workspace using CTRL V (using the virtual Keyboard)

d. The contents should now be pasted on the DSM Editor Workspace

12. Click on the to commit the events

13. In Log Activity Preview, select the to hide all columns except:

- Event ID
- Event Category
- Log Source Time
- Source MAC
- Source IP
- Source Port
- Destination MAC
- Destination IP
- Destination Port
- Event Name
- Low Level Category
- Severity
- QID
- Username
- Identity IP
- Identity Mac

• Click update

14. You should now be able to start configuring the different properties.

a. Configure Event ID

Note: In the Property Configuration check the box “Override system
behavior” to enter the expression (make sure you check this box for
all the properties you need to define)

Regex: name=""(.*?)""
Format String: $1

b. Configure Event Category

Regex: (Reflex)
Format String: $1

c. Configure Log Source Time

Regex: timestamp=""(.*?)""
Format String: $1
Date Format: EEE, d MMM yyyy HH:mm:ss Z

d. Configure Source MAC

Regex: srcMac=""(.*?)""
Format String: $1

e. Configure Source IP

Regex: srcIp=""(.*?)""
Format String: $1

f. Configure Source Port

Regex: srcPort=""(.*?)""
Capture Group: 1

g. Configure Dest MAC

Regex: dstMac=""(.*?)""
Format String: $1

h. Configure Dest IP

Regex: dstIp=""(.*?)""
Format String: $1

i. Configure Dest Port

Regex: dstPort=""(.*?)""
Capture Group: 1

j. Configure custom property "Interface"

Click on the Plus sign to create a custom property
Select “Create New”
Type in name “interface” (without double quotes)
Click Save
Select Property “interface” and then click “Select”
Enter the following regular expression

Regex: interface=""(.*?)""
Capture Group: 1

k. Configure second expression for Event ID, to handle audit event

Click on and enter the following regular expression

Regex: (logged in)
Format String: $1

l. Configure Username

Regex: user (\S+)
Format String: $1

m. Configure Identity IP

Regex: IP: \s(.*?)\)
Format String: $1

n. Configure Identity MAC

Regex: MAC: (\S+?);
Format String: $1

o. Add QID/mapping for each unique event

p. Click on the tab event mappings and then on the Plus sign

Type in the Event ID and Event Category shown below for each event
Click on Choose event and then select create new
Use the information below for each event
After creating event select the event and click OK

Event ID: 'SNMP Public'
Event Category: 'Reflex'
Name: SNMP Public
Desc: SNMP Public Community string detected
Log Source Type: Reflex Command Center
High Level Category: Suspicious Activity
Low Level Category: Potential SNMP Vulnerability
Severity: 4

Event ID: 'Microsoft MSDTC DoS'
Event Category: 'Reflex'
Name: Microsoft MSDTC DoS
Desc: Microsoft MSDTC Denial-of-Service attack detected
Log Source Type: Reflex Command Center
High Level Category: DoS
Low Level Category: Windows DoS
Severity: 8

Event ID: 'DNS AXFR Query'
Event Category: 'Reflex'
Name: DNS AXFR Query
Desc: DNS Asynchronous Transfer Full Range zone transfer request
vulnerability detected
Log Source Type: Reflex Command Center
High Level Category: Potential Exploit
Low Level Category: Potential DNS Exploit
Severity: 7

Event ID: 'Windows Workstation Service BO'
Event Category: 'Reflex'
Name: Windows Workstation Service BO
Desc: Windows Workstation Service Buffer Overflow attack detected
Log Source Type: Reflex Command Center
High Level Category: Exploit
Low Level Category: Windows Exploit
Severity: 9

Event ID: 'logged in'
Event Category: 'Reflex'
Name: Reflex login
Desc: Reflex login event
Log Source Type: Reflex Command Center
High Level Category: Authentication
Low Level Category: User Login Success
Severity: 1

q. Add Identity to the 'logged in' mapping. Select both Identity IP and
Identity MAC.

Click on the Identity Check box
Click select and then highlight both Identity IP and Identity Mac

r. Save your work and create a log source:

Log Source Type: Reflex Command Center
Protocol Configuration: Syslog
Log Source Identifier: ReflexIMC
Log Source Extension: ReflexCommandCenterCustom_ext

s. Deploy Changes.

t. On the Student machine desktop, double-click the PuTTY SSH Client icon.

u. Load the QRadar Saved Session and click Open

v. Log in as root with password q1d3m0

w. In the PuTTY CLI, type the following text to change directory to the
“Sample Logs” directory:

cd Sample\ Logs/

x. Replay the events into QRadar using:

/opt/qradar/bin/logrun.pl -f CEI-Reflex-Events2.syslog -d 172.16.60.10 -l 1

or

/opt/qradar/bin/logrun.pl -f CEI-Reflex-Events2.txt -u 172.16.60.10 -l 10 2> /dev/null &

y. The events should be parsed properly. Drill into the login event and
observe that all three of Identity IP, Identity MAC, and Identity Username
are populated.

z. Now return to the DSM Editor and edit the Identity configuration for the
login event, removing Identity MAC. Save, and observe that now only
Identity Username and Identity IP are populated for the login event.
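To see what the log source extension from steps 14 to 21 does to a payload before you replay the file, the Python below re-implements that configuration as an added example; it is not QRadar's DSM Editor code and not part of the lab files. It runs the property expressions exactly as the lab prints them (including the doubled double-quote characters, which the constructed sample payloads are written to satisfy; if the real CEI-Reflex-Events2.txt uses single double quotes, change the patterns accordingly), applies the format strings, parses the Log Source Time with the lab's date format translated to strptime, looks up the (Event ID, Event Category) pair in the event mappings from step p, and applies the identity selection from steps q and z. The sample payloads, the "Unmapped Signature" event, the treatment of an unmapped pair as an "Unknown" event and the function names are assumptions made for the example; "Capture Group: 1" on the port properties is treated as equivalent to the format string $1.

```python
import re
from datetime import datetime

# Property expressions transcribed from step 14 (a. to n.). Each property holds an ordered
# list of (regex, format string); the first regex that matches wins, which is how the second
# Event ID expression (step k) catches the audit event that has no name="" field.
# "Capture Group: 1" on the port properties is modelled as the format string "$1".
PROPERTY_EXPRESSIONS = {
    "Event ID":         [(r'name=""(.*?)""', "$1"), (r"(logged in)", "$1")],
    "Event Category":   [(r"(Reflex)", "$1")],
    "Log Source Time":  [(r'timestamp=""(.*?)""', "$1")],
    "Source MAC":       [(r'srcMac=""(.*?)""', "$1")],
    "Source IP":        [(r'srcIp=""(.*?)""', "$1")],
    "Source Port":      [(r'srcPort=""(.*?)""', "$1")],
    "Destination MAC":  [(r'dstMac=""(.*?)""', "$1")],
    "Destination IP":   [(r'dstIp=""(.*?)""', "$1")],
    "Destination Port": [(r'dstPort=""(.*?)""', "$1")],
    "interface":        [(r'interface=""(.*?)""', "$1")],   # custom property from step j
    "Username":         [(r"user (\S+)", "$1")],
    "Identity IP":      [(r"IP: \s(.*?)\)", "$1")],
    "Identity MAC":     [(r"MAC: (\S+?);", "$1")],
}

# The lab's date format "EEE, d MMM yyyy HH:mm:ss Z" (Java style) expressed for strptime.
LOG_SOURCE_TIME_FORMAT = "%a, %d %b %Y %H:%M:%S %z"


def mapping(name, high, low, severity, identity=None):
    """One event mapping from step p; identity lists the identity properties from step q."""
    return {"Event Name": name, "High Level Category": high, "Low Level Category": low,
            "Severity": severity, "identity": identity}


# Event mappings keyed by (Event ID, Event Category), as entered in step p.
EVENT_MAPPINGS = {
    ("SNMP Public", "Reflex"): mapping("SNMP Public", "Suspicious Activity",
                                       "Potential SNMP Vulnerability", 4),
    ("Microsoft MSDTC DoS", "Reflex"): mapping("Microsoft MSDTC DoS", "DoS", "Windows DoS", 8),
    ("DNS AXFR Query", "Reflex"): mapping("DNS AXFR Query", "Potential Exploit",
                                          "Potential DNS Exploit", 7),
    ("Windows Workstation Service BO", "Reflex"): mapping("Windows Workstation Service BO",
                                                          "Exploit", "Windows Exploit", 9),
    ("logged in", "Reflex"): mapping("Reflex login", "Authentication", "User Login Success", 1,
                                     identity=["Identity IP", "Identity MAC"]),
}

# Constructed sample payloads written to satisfy the regexes above; they are not lines from
# CEI-Reflex-Events2.txt. The third one carries an Event ID that has no mapping.
SAMPLE_EVENTS = [
    'Reflex CEI: name=""SNMP Public"" timestamp=""Tue, 5 Dec 2017 14:03:22 +0000"" '
    'srcMac=""00:11:22:33:44:55"" srcIp=""10.0.0.5"" srcPort=""51234"" '
    'dstMac=""66:77:88:99:aa:bb"" dstIp=""10.0.0.20"" dstPort=""161"" interface=""eth0""',
    'Reflex audit: user admin logged in (IP:  10.0.0.9); MAC: 00:aa:bb:cc:dd:ee;',
    'Reflex CEI: name=""Unmapped Signature"" timestamp=""Tue, 5 Dec 2017 14:03:23 +0000"" '
    'srcIp=""10.0.0.7"" dstIp=""10.0.0.21""',
]


def apply_format(format_string, match):
    """Expand $1, $2, ... in a DSM Editor format string from the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", format_string)


def extract_properties(payload):
    """Run each property's expression list against the payload; the first match wins."""
    props = {}
    for name, expressions in PROPERTY_EXPRESSIONS.items():
        for pattern, format_string in expressions:
            match = re.search(pattern, payload)
            if match:
                props[name] = apply_format(format_string, match)
                break
    if "Log Source Time" in props:
        props["Log Source Time"] = datetime.strptime(props["Log Source Time"],
                                                     LOG_SOURCE_TIME_FORMAT)
    return props


def normalize(payload, mappings=EVENT_MAPPINGS):
    """Parse a payload, apply its (Event ID, Event Category) mapping and identity selection."""
    event = extract_properties(payload)
    found = mappings.get((event.get("Event ID"), event.get("Event Category")))
    if found is None:
        event["Event Name"] = "Unknown"   # modelled: no QID mapping for this pair
        return event
    event.update({k: v for k, v in found.items() if k != "identity"})
    selected = found["identity"] or []
    # Identity association (steps q, y, z): Username feeds Identity Username and only the
    # selected identity properties stay on the event.
    if found["identity"] and "Username" in event:
        event["Identity Username"] = event["Username"]
    for prop in ("Identity IP", "Identity MAC"):
        if prop not in selected:
            event.pop(prop, None)
    return event


def with_identity(mappings, key, properties):
    """Copy of the mapping table with a changed identity selection for one event (step z)."""
    updated = {k: dict(v) for k, v in mappings.items()}
    updated[key]["identity"] = properties
    return updated
```

Running normalize over the login payload with the original table reproduces step y (Identity IP, Identity MAC and Identity Username all populated); passing with_identity(EVENT_MAPPINGS, ("logged in", "Reflex"), ["Identity IP"]) reproduces step z, where only Identity Username and Identity IP remain. The unmapped third payload shows why every distinct Event ID/Event Category pair needs an entry in step p: the properties parse, but no name, categories or severity are assigned.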
