US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM
Corp.
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks
is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now
part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium,
and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other
countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other
countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is
registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is
used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the
U.S. and other countries.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express
or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM
without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication
or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties
or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software.
References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which
IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature
availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that
any activities undertaken by you will result in any specific sales, revenue growth, savings or other results.
4. To access the QRadar Console via the command line, click on PuTTY (located on your desktop).
Select QRadar Console -> Open
Use the following credentials to login to the QRadar Console via PuTTY:
Username: root
Password: q1d3m0
5. On the QRadar UI click on the “Log Activity Tab”
6. Verify if there are any events running (at this point you should only be seeing “System Audit Messages”)
7. Double click on PuTTY to open a session to the QRadar SIEM server.
8. Double click on the QRadar SIEM and enter the credentials username root and password q1d3m0
9. Generate events:
cd /labfiles
./sendevents start
10. In the User Interface -> Log Activity Tab view the events being fed into QRadar
First events come in as type “Unknown log event” from log source SIM Generic Log DSM-7 but change to several Log Source types once QRadar finishes autodiscovering these log sources.
Once a Log Source is discovered (or explicitly configured) it remains in the system unless it is disabled or removed.
LAB 2 - Create a Search
In this exercise you will learn the basics of searching for data
(This lab works best if you let the script from the previous lab run for at least 5 mins)
Create a Search
Hint: Clicking (Hide Charts) below the charts lets you see more events. Which IP is responsible for the majority of your firewall denies?
4. Open the Display pulldown and select Source IP
5. Open the View pulldown and select Last 5 Minutes. Note how the display changes
6. Double click any row to open a new window that expands the events aggregated in that row.
Rules Matched
8. Close the event details window, and all child windows, until you return to the main Log Activity Window
9. Click the (Clear Filter) link next to the Dest IP is <addr> at the top
10. Open the View pulldown and again select Last 6 Hours
LAB 3 - Saving a Search and adding it to the Dashboard
In this exercise you will learn the basics of saving a search and making it available to the Dashboard
Save a Search
c. Click OK
a. Click the Dashboard tab, click New Dashboard, and name the new dashboard – “My New Dashboard”
b. Click OK
c. Select the search name you saved in the previous steps
Hint: if you don’t see any data in the item, you may have to restart the script in Lab 1
d. Open the configuration button and toggle between Bar Chart, Pie Chart and Table
f. Click Capture Time Series Data check box and click Save
g. Once you receive a warning, select Log Activity Tab and click “Save Criteria” from the top tool bar.
i. Add additional items: Offenses > Offenses > Most Severe Offenses and System Summary
© Copyright IBM Corp. 2017 Student Exercises
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
LAB 4 – Viewing Offenses
In this exercise you will learn what information you can gather by viewing the offenses in detail.
Viewing Offenses
1. Click the Offenses tab.
2. Locate an offense with “Multiple Login Failures for the Same User preceded by Login Failures Followed By Success from the same Username containing LOGON failed” and double click it
b) What specific events are associated with this offense?
c) Is the username involved with any other offenses?
d) When did this offense begin, and how long has it been going on?
4. Click All Offenses (on the left menu) to see all the offenses
5. Ctrl-click to select Offenses 2 and 3
6. Pull down Actions and select Close
LAB 5 – Creating Reports
In this exercise you will learn how to create a report from a saved search
Creating Reports
1. Click Reports tab
5. In the Report Wizard, click Next, select Manually, and click Next
10. Set the Start Date / Time to 1 day before the current system time
11. Set the End Date / Time to the current system time
12. Under Saved Searches -> Select the search you saved in Lab 3 from the list of saved searches
13. Scroll down to Additional Details -> Choose Graph Type Pie, and Limit Events/Logs to Top 20
23. Click Next, Next and Finish
24. Check PDF, HTML, and RTF for the output format. Click Next
25. Click Next at the Report Distribution Channels screen
26. Click Next, Next and Finish
27. The report will start automatically. Click the refresh icon on the main report screen.
28. When the report is completed, click the HTML icon next to the report to view your output
LAB 6 – Creating Rules
In this lab, you will create and test a rule to launch an offense
Creating Rules
1. From the Admin Tab double click on the Reference Set Management Icon
2. Click on Add button and name the Reference Set “Watchlist User”
3. Select Alphanumeric as the Type of the reference set
4. Click Create
5. Locate the “Watchlist User” reference set and double-click to open it.
6. Click Add
7. Enter the following usernames
luigi, fred_arliss, roy.fulmer, kbujak
Make sure that you use the separator character comma (,)
8. Click Add
9. Your reference set should look like the image below
12. In the Rules List window open Actions pulldown and select New Event Rule
13. In the Rule Wizard, click Next twice
14. In the Type to filter window (below the Test Group) type ref
15. Double click test “when any of these event properties are contained in any of these reference set(s)” to add it to the middle window.
16. In the middle window, type “AAA <Your Name> Watchlist User Activity” in the (enter rule name here) field
17. Click the green “these event properties” in the test. In the popup window, find the Username property, select it and click Add and Submit
18. Click the green, underlined “these reference set(s)” in the test. In the popup window, find “Watchlist User” reference set, select and click Add and Submit
19. In the Group window, add the rule to the Suspicious group, and in the notes window, add the description “Rule tracks activity of terminated users”
20. Click Next
21. In the Rule Response window -> Rule Action, check “Ensure the detected event is part of an offense”. Index the Offense based on Username. Check “Annotate this offense” and add the annotation “Watchlist user activity”
22. In the Rule Response -> Rule Response window, check “Dispatch New Event”.
23. In the Event Name box type “Login Activity Detected for Terminated User”
24. In the Event Description box type “Login Activity Detected for Terminated User”.
25. Change the High Level Category to Authentication and Low-Level Category to User Login Attempt.
26. Check “Annotate this offense” and add the annotation “Watchlist user activity”.
27. Check the box Ensure the dispatched event is part of an offense.
28. Index Offense based on Username.
29. In Offense Naming check the button This information should contribute to the name of the associated offense(s).
30. Review Rule Summary prior to saving it
31. Click Next and Finish
32. Test the Rule - In your PuTTy window, type:
a. cd /labfiles
b. ./sendWindows.sh
c. (allow at least five minutes for the offenses to create)
d. Verify that your rule is generating offenses
33. Click the Offenses tab, Click Rules on the left side
a. In the Rule you created, verify Event/Flow and Offense counts are nonzero
34. Go to the Log Activity tab, open the View: pulldown and select Last Hour
35. Click Add Filter
Select Parameter=Custom Rule (Indexed), Operator=Equals, Rule Group=Suspicious, and Rule = AAA <Your Name> Watchlist User Activity
37. Click the offense icon in the left side of an event to be taken to the offense details. Examine the offense details and note the offense number
38. Double click Offenses tab. Locate the offense in the context of other offenses
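As an added illustration (not part of the course material or of QRadar's own code), the following Python models what the rule built in steps 12 through 31 does as events arrive: the Username test against the Watchlist User reference set, the dispatched event with its categories, and the offense indexed on Username and annotated as configured. The rule name placeholder, the sample events and the offense-name format are assumptions; the ignore_case flag goes beyond the lab to show why the reference set's Alphanumeric type (exact match) matters.

```python
RULE_NAME = "AAA Student Watchlist User Activity"      # '<Your Name>' replaced with a placeholder
DISPATCH_NAME = "Login Activity Detected for Terminated User"
ANNOTATION = "Watchlist user activity"

# Reference set contents from Lab 6 step 7 (Alphanumeric type, comma separated)
WATCHLIST_USER = {u.strip() for u in "luigi, fred_arliss, roy.fulmer, kbujak".split(",")}

# Constructed sample events (not from the lab's sendWindows.sh feed); keys mirror QRadar property names
SAMPLE_EVENTS = [
    {"username": "alice",  "sourceip": "10.0.0.5",  "eventname": "Login Success"},
    {"username": "luigi",  "sourceip": "10.0.0.9",  "eventname": "Login Failure"},
    {"username": "kbujak", "sourceip": "10.0.0.12", "eventname": "Login Success"},
    {"username": "LUIGI",  "sourceip": "10.0.0.9",  "eventname": "Login Success"},
    {"username": "",       "sourceip": "10.0.0.3",  "eventname": "Login Success"},
]

def rule_test(event, ref_set, ignore_case=False):
    """Rule test 'when any of these event properties are contained in any of these reference set(s)'.
    An Alphanumeric set compares exactly; ignore_case=True models the Alphanumeric (Ignore Case) type."""
    username = event.get("username") or ""
    if not username:                                    # an empty property never matches a set
        return False
    if ignore_case:
        return username.lower() in {u.lower() for u in ref_set}
    return username in ref_set

def dispatched_event(event):
    """Rule response 'Dispatch New Event' with the name and categories set in steps 23-25."""
    return {"eventname": DISPATCH_NAME, "highlevelcategory": "Authentication",
            "lowlevelcategory": "User Login Attempt", "username": event["username"],
            "sourceip": event["sourceip"]}

def run_rule(events, ref_set=WATCHLIST_USER, ignore_case=False):
    """Run the rule over an event stream; returns (dispatched events, offenses keyed by Username)."""
    dispatched, offenses = [], {}
    for ev in events:
        if not rule_test(ev, ref_set, ignore_case):
            continue
        new_ev = dispatched_event(ev)
        dispatched.append(new_ev)
        # 'Ensure the event is part of an offense', indexed on Username: one open offense per user.
        # The name shape '<rule> containing <event>' is assumed from the Lab 4 offense name.
        off = offenses.setdefault(ev["username"], {
            "name": f"{RULE_NAME} containing {DISPATCH_NAME}", "annotations": [], "events": []})
        off["events"] += [ev, new_ev]                   # original and dispatched event both join it
        if ANNOTATION not in off["annotations"]:        # 'Annotate this offense' (steps 21 and 26)
            off["annotations"].append(ANNOTATION)
    return dispatched, offenses
```

Note that with ignore_case=True the "LUIGI" event matches but still opens a separate offense, because the offense index uses the raw Username value.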
LAB 7 - Extension Management Exercises
In this lab, you will install an extension to QRadar
In this exercise, you learn how to manage QRadar Extensions. After you download your
app from the IBM Security App Exchange, you can use the IBM Security
QRadar Extension Management tool to install and manage it on your QRadar Console.
Use the QRadar Extension Management tool on the Admin tab to do the following app
management tasks:
1. Double click the folder App Extension located on your Virtual Desktop environment.
4. In the Extension Management window, click Add and browse to select the app IncidentOverview-1.0.1.zip archive to upload to the console.
5. Select the Install immediately check box, if you want QRadar to install the app right away.
Before the app is installed, a preview list of the content items is displayed.
9. Click OK.
Exercise 2 Using your installed app
1. Log back on to QRadar User interface using admin as user and q1d3m0 as password.
2. From the Admin Tab, double click on the Authorized Services Icon
3. Click on “Add Authorized Service”
4. Type in “Incident_Overview” in the Service Name
5. Select User Role and Security Profile Admin
6. Check the box for “No Expiry”
7. Click on Create Service
8. From the Admin Tab select Deploy Changes
9. Copy the Selected token for Incident_Overview onto a notepad
10. Click on the Offenses Tab
11. The Incident Overview Tab should now be visible
15. Click Save
16. From your PuTTY window, type:
cd /labfiles
./sendevents start
17. Wait a few minutes until you start seeing the Recent Incidents page being populated with Incident information.
LAB 8 - DSM Editor
In this lab, you will learn how to use the DSM Editor to create a Log Source Extension
2. Log in to the QRadar Console with username admin and password q1d3m0.
3. Navigate to the Admin tab and click the DSM Editor icon in the Data Sources section.
4. Click the Create New button in the bottom left of the Select Log Source Type dialog.
5. Use the name 'Reflex Command Center' and click Save. Select your new log source type from the list.
10. Copy and paste the contents of CEI-Reflex-Events2.txt into the DSM Editor Workspace
11. You may need to use the Virtual Keyboard to copy and paste the contents of this file.
b. Select CTRL C to copy the contents of the file
c. Paste the contents in the Workspace using CTRL V (using the virtual Keyboard)
d. The contents should now be pasted on the DSM Editor Workspace
13. In Log Activity Preview, hide all columns except:
- Event ID
- Event Category
- Log Source Time
- Source MAC
- Source IP
- Source Port
- Destination MAC
- Destination IP
- Destination Port
- Event Name
- Low Level Category
- Severity
- QID
- Username
- Identity IP
- Identity Mac
• Click update
14. You should now be able to start configuring the different properties.
a. Configure Event ID
Regex: name="(.*?)"
Format String: $1
Regex: (Reflex)
Format String: $1
Regex: timestamp="(.*?)"
Format String: $1
Date Format: EEE, d MMM yyyy HH:mm:ss Z
Regex: srcMac="(.*?)"
Format String: $1
e. Configure Source IP
Regex: srcIp="(.*?)"
Format String: $1
Regex: srcPort="(.*?)"
Capture Group: 1
Regex: dstMac="(.*?)"
Format String: $1
h. Configure Dest IP
Regex: dstIp="(.*?)"
Format String: $1
Regex: dstPort="(.*?)"
Capture Group: 1
Regex: interface="(.*?)"
Capture Group: 1
l. Configure Username
m. Configure Identity IP
Type in the Event ID and Event Category shown below for each event.
Click on Choose event and then select create new.
Use the information below for each event.
After creating the event, select the event and click OK.
Severity: 4
q. Add Identity to the 'logged in' mapping. Select both Identity IP and Identity MAC.
s. Deploy Changes.
w. In the PuTTY CLI, type the following text:
cd Sample\ Logs/
y. The events should be parsed properly. Drill into the login event and observe that all three of Identity IP, Identity MAC, and Identity Username are populated.
z. Now return to the DSM Editor and edit the Identity configuration for the login event, removing Identity MAC. Save, and observe that now only Identity Username and Identity IP are populated for the login event.
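An added Python example (not the course's or QRadar's code) that applies the property regexes from step 14 to a constructed event line in the same key="value" layout and converts the captured timestamp with the EEE, d MMM yyyy HH:mm:ss Z date format, so the effect of each Regex / Capture Group / Date Format setting can be checked outside the DSM Editor. The sample line, the "Interface" property name for the interface regex, and the port range check are assumptions.

```python
import re
from datetime import datetime

# Property regexes from the DSM Editor steps above (capture group 1 / format string $1)
PROPERTY_REGEX = {
    "Event ID":         r'name="(.*?)"',
    "Event Category":   r"(Reflex)",
    "Log Source Time":  r'timestamp="(.*?)"',
    "Source MAC":       r'srcMac="(.*?)"',
    "Source IP":        r'srcIp="(.*?)"',
    "Source Port":      r'srcPort="(.*?)"',
    "Destination MAC":  r'dstMac="(.*?)"',
    "Destination IP":   r'dstIp="(.*?)"',
    "Destination Port": r'dstPort="(.*?)"',
    "Interface":        r'interface="(.*?)"',   # property name assumed; the lab gives only the regex
}

# The editor's Java date format 'EEE, d MMM yyyy HH:mm:ss Z' expressed as a strptime pattern
STRPTIME_FORMAT = "%a, %d %b %Y %H:%M:%S %z"

# Constructed sample line in the key="value" layout the regexes expect; not taken from CEI-Reflex-Events2.txt
SAMPLE_EVENT = ('timestamp="Tue, 7 Mar 2017 14:05:09 +0000" name="Reflex login" interface="eth0" '
                'srcMac="00:11:22:33:44:55" srcIp="192.0.2.10" srcPort="51432" '
                'dstMac="66:77:88:99:aa:bb" dstIp="198.51.100.20" dstPort="443"')

def parse_event(line):
    """Apply each property regex and return property -> captured value (unmatched properties are absent)."""
    props = {}
    for prop, pattern in PROPERTY_REGEX.items():
        m = re.search(pattern, line)
        if m:
            props[prop] = m.group(1)
    # The Date Format setting turns the captured string into a real timestamp
    if "Log Source Time" in props:
        props["Log Source Time"] = datetime.strptime(props["Log Source Time"], STRPTIME_FORMAT)
    # Ports are numeric properties; reject non-numeric values and anything outside 0-65535
    for prop in ("Source Port", "Destination Port"):
        if prop in props:
            port = int(props[prop])
            if not 0 <= port <= 65535:
                raise ValueError(f"{prop} out of range: {port}")
            props[prop] = port
    return props
```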