Course Guide
IBM QRadar SIEM Foundations
Course code BQ103 ERC 1.2
IBM Training
December 2017 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.
TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
About this course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Course agenda and description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Unit 1 Introduction to IBM QRadar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Lesson 1 The security immune system and why we need Security Intelligence . . . . . . . . . . . . . . . . . . . . . 3
Today’s security drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Attackers break through conventional safeguards every day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
How do I get started when all I see is chaos? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
An integrated and intelligent security immune system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
IBM security immune system portfolio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Lesson 2 The QRadar Ecosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Best practices: Intelligent detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
What is Security Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Ask the right questions – The exploit timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Lesson 2 QRadar SIEM component architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
High-level component architecture and data stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Flow collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Event collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Event processor architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Console architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Instructor demonstration of the QRadar SIEM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Managing the displayed data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Managing your QRadar user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Accessing help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Top 5 Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Top 5 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Top 5 Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Last 10 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Last 10 Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Offense Summary toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Lesson 4 Acting on an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Offense actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Offense status and flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Offense lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Finding and loading a saved search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Search actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Lesson 1 Asset profiles overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Definition asset profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
About asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Data sources for asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Identity information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Lesson 2 Investigating asset profile details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Navigating from an IP address to an asset profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Assets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Asset summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Network Interface Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Display additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Lesson 3 Navigating the Assets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Locating asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Filtering asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Searching asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Lesson 4 False positives overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Preventing false positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
False positive flow or event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Lesson 5 Investigating superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
About superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Superflow source and destination information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Superflow additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Unit 8 Using Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Lesson 1 Rules overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Definition rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Testing for indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Finding the rules that fired for an event or flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Purpose Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Navigating to the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Predefined Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Crown jewels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Tree structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
CIDR ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
About the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Lesson 2 Using networks in investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Network of an IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Filtering by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Grouping by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Lesson 1 Using the Index Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Instructor demonstration of the Index management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Index Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Index information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Instructor demonstration of the Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Adding a saved search as a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Adding a saved search as a dashboard item (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Adding a saved search as a dashboard item (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Enabling a search to be used as a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Lesson 2 Customizing a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Configuring dashboard items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Select what to display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Select how to display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Lesson 1 Navigating the Reports tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Selecting the type of the bottom chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Configuring the bottom chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Layout preview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Choosing a format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Distributing the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Adding a description and assigning to groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Verifying the report summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Viewing the generated report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Best practices when creating reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Student exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Lesson 1 Filters overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Filters overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Filters introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Unit 14 Using the Ariel Query Language (AQL) for Advanced Searches. . . . . . . . . . . . . . . . . . . 368
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Lesson 1 Describe the basics of AQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Ariel Query Language overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
AQL query flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Structure of an AQL query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
SELECT statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Examples for SELECT statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
WHERE clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Examples of WHERE clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
GROUP BY clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Examples of GROUP BY clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
HAVING clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Examples of HAVING clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
ORDER BY clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Examples of ORDER BY clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Single or Double quotation marks in AQL queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Instructor demonstration of advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Lesson 2 Build AQL queries in advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Build AQL queries from the QRadar GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Prepare the search window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Instructor demonstration of advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Anatomy of an attack - Lions at the watering hole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Anatomy of an attack - Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Anatomy of an attack - Vulnerable hosts were infected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Anatomy of an attack - Host response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Anatomy of an attack - The risk of delaying a response to an attack . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Apply Big Data to Security Intelligence and threat management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
A dynamic, integrated system to help detect and stop advanced threats . . . . . . . . . . . . . . . . . . . . . . . .420
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Appendix B IBM QRadar architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Lesson 1 QRadar functional architecture and deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Functional solution requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
An integrated, unified architecture in a single console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Identifying suspected attacks and policy violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Providing functional context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Network flow analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Extensible functional architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Cognitive Analytics: Revolutionizing how security analysts work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Open Ecosystem and Collaboration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Deep Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
Scalable appliance/software/virtual architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
Deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Lesson 2 QRadar SIEM component architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
High-level component architecture and data stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
IBM QRadar SIEM Foundations
IBM QRadar SIEM provides deep visibility into network, user, and application activity. It provides
collection, normalization, correlation, and secure storage of events, flows, asset profiles, and
vulnerabilities. QRadar SIEM classifies suspected attacks and policy violations as offenses.
In this 3-day instructor-led course, you learn how to perform the following tasks:
• Describe how QRadar SIEM collects data to detect suspicious activities
• Describe the QRadar SIEM component architecture and data flows
• Navigate the user interface
• Investigate suspected attacks and policy violations
• Search, filter, group, and analyze security data
• Investigate events and flows
• Investigate asset profiles
• Describe the purpose of the network hierarchy
• Determine how rules test incoming data and create offenses
• Use index and aggregated data management
• Navigate and customize dashboards and dashboard items
Extensive lab exercises are provided to give students an insight into the routine work of an IT
Security Analyst operating the IBM QRadar SIEM platform. The exercises cover the following
topics:
• Using the QRadar SIEM user interface
• Investigating an Offense triggered by events
The lab environment for this course uses the IBM QRadar SIEM 7.3 platform with a QRadar SIEM
server and a Linux-based client that provides web-based access to the QRadar SIEM server.
Details
Delivery method: Classroom or instructor-led online (ILO)
Course level: ERC 1.2. This course is a new course.
Product and version: IBM QRadar SIEM 7.3
Skill level: Basic
Audience
This course is designed for security analysts, security technical architects, offense managers,
network administrators, and system administrators using QRadar SIEM.
Prerequisites
Before taking this course, make sure that you have the following skills:
• IT infrastructure
• IT security fundamentals
• Linux
• Windows
• TCP/IP networking
• Syslog
1. Introduction to IBM QRadar
Every organization must consider a Security Intelligence solution at the center of their overall IT
Security strategy, because too many IT-security-related point solutions, and the ever-growing
sophistication of the attackers, demand a consolidation and analysis of events and network
traffic in a close to real-time manner.
This introduction covers the overall IBM QRadar ecosystem and shows how it is anchored at
the center of an overall security immune system.
Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning
how the central Security Intelligence components are designed to take in and process log
events and flow data, you will be better equipped to holistically work as a Security Analyst.
In this unit we start at the functional architecture level and explain how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at
this modular design, its extensibility and deployment pattern, we closely examine the
component architecture so that the analyst understands how data is ingested and processed.
When the analysts later examine bits and pieces of a larger security incident investigation, this
architectural understanding can substantially enhance their capability for detailed and fast
analysis.
from a security perspective. This lesson teaches you how to operate the interface, such as
pausing and refreshing the displayed data, changing your password, and accessing help.
QRadar SIEM correlates events and flows into an offense if it suspects suspicious activity. This
unit teaches you how to investigate the information that is contained in an offense.
QRadar SIEM stores security-relevant information about systems in your network in asset
profiles. This unit teaches you how asset profiles are created and updated, and how to use
them as part of an offense investigation.
unit teaches you how to investigate the flows that contribute to an offense. You also learn how
to create and tune false positives and investigate superflows.
8. Using Rules
Rules and building blocks test and correlate incoming events, flows, and offenses in QRadar
SIEM for indicators of an attack or policy violation. Building blocks are used as variables in
other rules or reports. Unlike building blocks, rules can perform an action or response if they
evaluate to true. This unit teaches you the significance of rules and building blocks, and how to
locate and understand their tests, actions, and responses.
The Network Hierarchy reflects your environment from a security perspective. This unit teaches
you the significance of the Network Hierarchy and the many ways that QRadar SIEM uses and
displays its information.
14. Using the Ariel Query Language (AQL) for Advanced Searches
Ariel Query Language (AQL) queries can retrieve stored data more flexibly than interactively
built searches. This unit teaches you how to build and use AQL queries.
This unit evaluates a large-scale advanced persistent attack against a US retailer. You will
evaluate how a properly implemented Security Intelligence solution could have helped to fend
off the attackers.
This unit is based on the “Kill Chain” Analysis of the 2013 Target Data Breach study by the
Committee On Commerce, Science and Transportation, which is available at the following URL:
16. A real-world scenario introduction to IBM QRadar SIEM
In this appendix you can study a real world attack scenario to explain the following details:
Introduction to IBM QRadar
Every organization must consider a Security Intelligence solution at the center of their overall IT
Security strategy, because too many IT-security-related point solutions, and the ever-growing
sophistication of the attackers, demand a consolidation and analysis of events and network traffic in
a close to real-time manner.
This introduction covers the overall IBM QRadar ecosystem and shows how it is anchored at the
center of an overall security immune system.
Note: You can expand this deck by utilizing the Appendix Unit
“BQ103_A1_Introduction_Real_World_Scenario”, which walks you through a real world attack
scenario explaining the attack vectors and how a Security Intelligence solution could have stopped
this attack from being successful.
Objectives
In this unit, you learn to perform the following tasks:
• Describe why we need Security Intelligence and a security immune system
• Describe the QRadar ecosystem
Introduction to IBM QRadar: Objectives. © Copyright IBM Corporation 2017
Lesson 1 The security immune system and why we need Security Intelligence
It is important to understand today’s IT security drivers that every organization is confronted with.
The problem is not only rooted in the large amount of attacks, but in the immense diversity in how
an individual attack can be carried out.
Figure: today's IT security drivers: advanced attacks, human error, innovation, compliance, skills gap.
almost every industry. Let us look at some of the most prevalent drivers.
• Advanced attacks
Cybercrime will become a $2.1 trillion problem by 2019 [1]. It takes companies an average
of 229 days to detect advanced persistent threats [2].
Sources:
[1] Juniper Research:
https://www.juniperresearch.com/researchstore/innovation-disruption/cybercrime-security/enterprise-threats-mitigation
[2] Ponemon Study:
https://www.ponemon.org/blog/new-ponemon-study-on-malware-detection-prevention-released
• Human error
More than half of data breaches are caused by insiders, including employees, third-party
contractors, and partners. Inside attacks happen across all industries and are caused by both
inadvertent actors and malicious insiders. The financial services industry was hit hard in 2016
and experienced a greater percentage (58%) of insider attacks versus outsider attacks (42%).
Note: 53% inadvertent actors and 5% malicious insiders.
Source: IBM X-Force Threat Intelligence Report – 2017:
https://www.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325
• Innovation
Cloud, mobile, and IoT create unprecedented risks to organizations. 44% of security leaders
expect a major cloud provider to suffer a significant security breach in the future. 33% of
organizations do not even test their mobile apps. Cisco estimates that by 2020, there will be
50 billion devices connected.
Sources:
https://www.ibm.com/press/us/en/pressrelease/45326.wss
https://securityintelligence.com/mobile-insecurity/
http://blogs.cisco.com/diversity/the-internet-of-things-infographic
• Compliance
Adapting to a threat-aware, risk-based approach vs. a compliance-based, box-checking
approach. General Data Protection Regulation (GDPR) is a new data protection framework that
takes effect across Europe starting May 2018. GDPR does not just impact European
companies; any organization that stores, accesses, processes, or uses EU residents’ personal
data is subject to the regulation. Fines for violations have the potential to reach the billions for
large, global companies — anywhere from 2 to 4 percent of a company’s gross revenue.
Source:
https://securityintelligence.com/prepared-for-the-general-data-protection-regulation-gdpr-top-10-findings-from-hurwitz-associates-survey/
• Skills gap
The shortage of skilled cyber security professionals is growing, with the projected talent gap
reaching 1.8 million jobs by 2022. This skills shortage has left many companies stuck: a recent
report from ISACA found that 55% of organizations reported that open cyber positions take at
least three months to fill, while 32% said they take six months or more. And 27% of US
companies said they are unable to fill cyber security positions at all.
Source:
http://www.techrepublic.com/article/4-tips-to-help-your-business-recruit-and-keep-cybersecurity-pros/
Figure: average time to identify a data breach; average cost of a U.S. data breach.
Organized criminals, hacktivists, governments, and adversaries are compelled by financial gain,
politics, and notoriety to attack your most valuable assets. Their operations are well-funded and
business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their
methods are extremely targeted ‒ they use social media and other entry points to track down
people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile,
negligent employees inadvertently put the business at risk via human error. Even worse, security
investments of the past can fail to protect against these new classes of attacks. The result is more
severe security breaches happening more and more frequently.
In fact, according to the latest IBM X-Force Threat Intelligence Report, the amount of data records
and variety of attacks have expanded to more than 4 billion!
Note: The size of the circle indicates the estimated relative impact.
Cyber criminals’ targets are now bigger and their rewards greater as they fine-tune efforts to obtain
and leverage higher value data than in years past.
The demand for leaked data is trending toward higher-value records such as health-related
personally identifiable information (PII) and other highly sensitive data, with less emphasis on the
emails, passwords, and even credit card data that were the targets of years past. This PII can be
used for social engineering to gain access to valuable financial targets.
You see this in both the breach trends and the evolution of malware to target high value bank
accounts.
Source: https://securityintelligence.com/media/ibm-x-force-threat-intelligence-index-2017/
According to a recent Ponemon study, 201 days is the average time it takes companies to identify a
data breach, and it costs U.S. organizations an average of $7 million per data breach.
Source: Key findings from the 2017 Cost of Data Breach Study: Global Analysis
https://ibm.biz/BdjqHG
Figure: the scattered point technologies in a typical enterprise security environment: incident response, data monitoring, sandboxing, access management, content security, application security management, IP reputation, threat sharing, firewalls, endpoint patching and management, criminal detection, network forensics and threat management, entitlements and roles, privileged identity management, malware protection, fraud protection, vulnerability management, application scanning, cloud access security broker.
these different and scattered technologies over the years to address the many challenges that their
complex environments face. The average enterprise has 85 tools from 45 vendors.
Once you start a conversation with them, you will hear them say, “Oh yeah, we have got that…”
Which is fine, but are they INTEGRATED? Are they working together across your multiple teams,
locations, and platforms? Or is it just creating more complexity, risk, and cost, and as a result, are they
losing visibility into their network?
How can a CISO, or frankly any security professional, gain any valuable insight and control over
their security environments when all they see is this type of scattered chaos in the technologies
they themselves are already using?
Hint: If you want to examine a typical cyber attack that depicts some of these challenges, you can
now load and study Appendix 1: BQ103_A1_Introduction_Real_World_Scenario.pptx. Once
you’re done, you can resume your studies here.
Figure: the same capabilities organized as an integrated security immune system: endpoint patching and management, firewalls, sandboxing, malware protection, virtual patching, network visibility and segmentation, transaction protection, vulnerability management, incident response, fraud protection, device management, criminal detection, content security, cognitive security, threat hunting and investigation, application scanning, application security management.
core is enabled by cognitive intelligence that continuously understands, reasons, and learns the
many variables that are affecting their environments and feeds the entire ecosystem of connected
capabilities.
This is where the immune system metaphor really comes into play, where you can start to imagine
different organs as your layers of defense, all working together to automate policies and block
threats. Much like when you get sick, these are the organs that understand the threat and send data
up through your central nervous system (security analytics) to create white blood cells / antibodies
to gather information, prioritize, and take actions. This is what is called the “Immune Response”.
And by the way, this is just part of the story. It is really not fully integrated until it is integrated with
the extended partner ecosystem: integration that enables collaboration across companies and
competitors, to understand global threats and data, and adapt to new threats.
Integration can help increase visibility. Notice how capabilities organize around their domains. You
will start to get an idea of how this immune system works. Like a body fighting a virus, there are
different parts of a security portfolio working at once.
Figure: the IBM Security portfolio across its three domains (Security Operations and Response; Information Risk and Protection; Security Transformation Services): BigFix, QRadar Network Security (XGS), QRadar Incident Forensics, QRadar SIEM, QRadar User Behavior Analytics, QRadar Vulnerability / Risk Manager, Resilient Incident Response, Trusteer Pinpoint, QRadar Advisor with Watson, i2 Enterprise Insight Analysis, Trusteer Rapport, Guardium, Identity Governance and Access, Key Manager, Privileged Identity Manager, Cloud Identity Service, Cloud Security, zSecure; services: management consulting | systems integration | managed security.
• First is the Security Operations and Response domain that helps organizations orchestrate their
defenses throughout the attack lifecycle.
• The second is the Information Risk and Protection domain that helps organizations protect their
most critical information and risks.
• And the third is the Security Transformation Services, which help organizations transform their
security program. All of the IBM Security offerings are backed by an extensive business partner
ecosystem, which consists of industry-leading technology, sales, and service partners.
Security Operations and Response
• IBM BigFix: Find, fix, and secure endpoint threats and vulnerabilities
• IBM QRadar Network Security (XGS): Prevent network exploits and limit malware
communications
• IBM QRadar Security Intelligence: Use advanced analytics to discover and eliminate threats
• IBM Resilient Incident Response Platform: Generate response playbooks and coordinate
activity
• IBM QRadar User Behavior Analytics: Helps detect insider threat and risks
• IBM Security Services: Deliver operations consulting to help implement processes and
• IBM Identity Governance and Access Management: Govern and enforce context-based access
to critical assets
• IBM Guardium: Protect crown jewels across the enterprise and cloud
• IBM Security Services: Deliver governance, risk and compliance consulting, systems
integration and managed security services
Security Transformation Services
• Security Strategy, Risk and Compliance: Automate governance, risk and compliance programs
• Security Intelligence and Operations: Build security operations and security fusion centers
• Cyber Security Assessment and Response: Establish robust security testing and incident
management programs
• Identity Governance and Management: Modernize identity and access management for the
cloud and mobile era
• Data and Application Security: Deploy robust critical data protection programs
• Infrastructure and Endpoint Security: Redefine infrastructure and endpoint solutions with secure
software-defined networks
Lesson 2 The QRadar Ecosystem
This lesson explains how Security Intelligence works and how IBM defines it. Realizing that the
overall goal is to detect, or even prevent, any vulnerability exploit, we examine the exploit timeline
and how IBM QRadar solutions can help.
• Manage vulnerabilities and risks
• Augment vulnerability scan data with context for optimized prioritization
• Manage device configurations (firewalls, switches, routers, IPS/IDS)
• Establish baseline behaviors
• Monitor and investigate anomalies
• Monitor network flows
anomaly detection, and vulnerability management are needed. That statement defines the problem
and offers some capabilities that can help, but exactly what can you do about it? What are the best
practices that you should follow?
• The first best practice is proactive in nature. Identify, predict, and prioritize your security
weaknesses so you can take actions to prevent a breach. Use resources such as X-Force and
the US National Vulnerability Database (https://nvd.nist.gov/) to gather threat information,
address vulnerabilities and risks based on priorities, add network context, and manage device
configurations to improve security. You could improve security, for example, by removing
ineffective firewall rules and adding new rules that are more effective.
• Use tools that can detect unusual behavior for follow-up. Deploy solutions that can find network
anomalies and provide visibility to network flows for the reasons mentioned earlier.
• Use Security Intelligence solutions that use integrations, automation, and context to provide a
complete view of what is happening in your network. Automation is key so that you can utilize
existing staff more efficiently, and reduce the large amount of collected data into a small number
of events that can be acted upon by existing personnel.
Security Intelligence
--noun
The real-time collection, normalization, and analytics of the data generated by users,
applications, and infrastructure that impacts the IT security and risk posture of an enterprise.
much the same way they do the outputs produced from other business functions, such as
marketing.
This term is being used more and more by customers, vendors, and industry experts, but they do
not seem to be describing the same concept. To avoid confusion, IBM’s definition is stated on the
slide. The goal of Security Intelligence is to provide actionable and comprehensive insight that
reduces risk and operational effort for any organization, regardless of its size.
Data collected and warehoused by security intelligence solutions includes logs, events, network
flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations,
and external threat data.
Security Intelligence provides analytics to answer fundamental questions that cover the full
“before-during-and-after” timeline of risk and threat management.
Figure: the exploit timeline: Vulnerability, Pre-Exploit, Exploit, Post-Exploit, Remediation (product label on the figure: Vulnerability Manager).
Before the exploit:
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit
After the exploit:
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation, reducing time to find the root cause; use results to drive faster remediation
The IBM Security Intelligence solution helps customers react and respond to exploits as they occur
in a network. IBM solutions that help to model risk, evaluate configurations, and prioritize
vulnerabilities also provide much-needed value to customers as they seek to predict and prevent
incidents in the first place.
To IBM, Security Intelligence can be characterized in two ways. First, Security Intelligence is the
result of advanced analytics. It is the wisdom gained from reviewing every available bit of data and
normalizing, correlating, indexing, and pivoting it to discover the dozen things your team needs to
investigate as soon as possible. Alternatively, Security Intelligence characterizes the iterative
process of eliminating false positive results by continuously tuning the system analytics and rules to
remove an increasing number of interesting but nonthreatening incidents.
Adding QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Incident Forensics
modules to the core Security Information and Event Management (SIEM) engine improves
accuracy and provides context throughout the entire security event timeline, from detection and
protection through investigation and remediation. Working together, these solutions can help you
both reduce exposures and recognize attacks as early as possible.
vulnerabilities
• Integrates into the QRadar ecosystem
• Is present on all QRadar event and flow collector and processor appliances (QRadar 7.2 and up) as well as QRadar data nodes (QRadar 7.2.8 and up)
security (IBM AppScan), database security (IBM Guardium), and network management (IBM Security SiteProtector)
It is fully integrated with the QRadar Security Intelligence platform, and enriches the results of both
scheduled and dynamic vulnerability scans with network asset information, security configurations,
flow data, logs, and threat intelligence to manage vulnerabilities and achieve compliance.
QRadar Vulnerability Manager helps you develop an optimized plan for addressing security
exposures. Unlike stand-alone tools, the solution integrates vulnerability information to help
security teams gain the visibility they need to work more efficiently and reduce costs. It is part of the
QRadar SIEM architecture. It can be quickly activated with a licensing key and requires no new
hardware or software appliances.
• Helps prevent security breaches by discovering and highlighting over 70,000 known dangerous
default settings, misconfigurations, software features, and vendor flaws.
• Provides a consolidated vulnerability view across major vulnerability products and technologies.
• Adds context to identify key vulnerabilities and reduce false positives.
• Integrates with IBM QRadar Security Intelligence Platform for easy installation, faster time to
value, and reduced deployment cost.
• Performs intelligent, customizable scheduled and event-driven scanning, asset discovery, and
asset profiling for 360-degree, enterprise-wide visibility to your network.
potential network traffic patterns
• Policy engine correlates network topology, asset vulnerabilities and configuration, and actual network traffic to quantify and prioritize risk, enabling risk-prioritized remediation and compliance checking, alerting, and reporting
• Centralizes network security device configuration data and discovers configuration errors; monitors firewall rule activity
Figure labels: Asset risk quantification; Remediation prioritization; Threat simulations.
A key area to emphasize is the ability of the product to risk-prioritize vulnerable machines based on
network reachability, and to provide detailed device configuration information that can be used to
quickly shut down network paths that attackers may use to exploit vulnerabilities. This is key, as
many vulnerabilities either cannot be rapidly remediated due to change windows or technological
limitations, or remediation might not be available because many vulnerabilities never have patches
available. In either case, the ability to rapidly pinpoint the precise firewall rules that enable the
probability incidents
• Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities
other solutions
• Consolidates “big data” security incidents within a purpose-built, federated database repository
Optimized threat analysis
• Provides anomaly detection to complement existing perimeter defenses
• Calculates identity and application baseline profiles to assess abnormal activity
• Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use
Figure callout: daily volume of events and flows: 2,000,000,000, automatically analyzed to find
activities on raw data to distinguish real threats from false positives. As an option, this software
incorporates IBM X-Force Threat Intelligence, which supplies a list of potentially malicious IP
addresses including malware hosts, spam sources, and other threats. QRadar SIEM can also
correlate system vulnerabilities with event and network data, helping to prioritize security incidents.
• Enables more effective threat management while producing detailed data access and user
activity reports
• Delivers security intelligence in cloud environments
• Produces detailed data access and user activity reports to help manage compliance
• Offers multi-tenancy and a master console to help Managed Service Providers provide security
intelligence solutions in a cost-effective manner
hours to minutes
• Employs Internet search engine technology to close security team skill gaps
• Compiles evidence against malicious entities breaching secure systems and deleting or stealing sensitive data
• Creates rich “digital impression” visualizations of related content
• Helps determine root cause of successful breaches to prevent or reduce recurrences
• Adds full packet captures to complement SIEM security data collection and analytics
Figure callout: Wins the race against time.
security incidents. It reduces the time it takes security teams to investigate offense records, in many
cases from days to hours, or even minutes. It can also help you remediate a network security
breach and prevent it from happening again.
The solution offers an optional QRadar Packet Capture appliance to store and manage data used
by QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any
number of these appliances can be installed as a tap on a network or subnetwork to collect the raw
packet data.
Figure: QRadar Security Intelligence data sources and embedded intelligence. Data sources: security devices, servers and mainframes, network and virtual activity, data activity, application activity, configuration information, vulnerabilities and threats, users and identities, global threat intelligence. Embedded intelligence: correlation (logs/events, flows, IP reputation, geographic location); activity baselining and anomaly detection (user activity, database activity, application activity, network activity); offense identification (credibility, severity, relevance); secure archive. Output: suspected incidents, prioritized incidents.
For security threat management, the key challenge is to reduce millions of logs to actionable
intelligence that identifies key threats. Traditional first-generation SIEM systems achieve this by
leveraging correlation, for example, “five failed logins followed by a successful login,” to identify
suspected security incidents. Event correlation is a very important tool, but it is not enough.
There are two problems. First, consider a 100k to 1 reduction ratio of events to correlated incidents.
On the surface, this sounds impressive, but for companies generating 2 billion events per day (and
you do not need to be a massive company to do that), it will leave that company’s security team
with 20,000 incidents per day to investigate. Traditional SIEM correlation cannot get the data
reduced enough, and of course Log Managers cannot even get a 10,000 to 1 reduction ratio.
Secondly, an exclusive reliance on event correlation assumes that the criminals will not figure out
ways to disable or bypass logging infrastructure. However, that is practically their entire focus, and
you cannot correlate logs that are not there. This limitation results in missed threats or a very poor
understanding of the impact of a breach.
QRadar vastly expands the capabilities of traditional SIEM systems by incorporating new analytics
techniques and broader intelligence. Unlike any other SIEM system in the market today, QRadar
captures all activity on the network for assets, users, and attackers before, during, and after an
exploit and analyzes all suspected incidents in this context. New analytical techniques such as
behavioral analysis are applied. QRadar notifies analysts about offenses, where an offense is a
correlated set of incidents with all of the essential, associated network, asset, vulnerability, and
identity context. By adding business and historical context to suspected incidents and applying new
analytic techniques, massive data reduction is realized and threats otherwise missed will be
detected.
IBM delivers real-time correlation and anomaly detection across a distributed and scalable
repository of security information to enable more accurate security monitoring and better visibility for
any organization, small or large.
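The correlation rule quoted above, “five failed logins followed by a successful login,” and the event-to-incident reduction ratio it produces can both be made concrete in a few lines. The following is an added example written for this guide; it is not code from IBM or from QRadar, whose rule engine works differently. It assumes a simplified sshd/syslog line format, and the host names, user names and IP addresses in the sample log are constructed for the demonstration. The rule keys failures on (source IP, target host) and only counts failures inside a sliding time window, so a success that arrives long after the failures (the third user below) does not fire, which is the kind of tuning decision the text calls eliminating false positives.

```python
"""Toy first-generation SIEM correlation rule (added example, not IBM code).

Implements "N failed logins followed by a successful login" as a sliding
window over normalized authentication events and reports the resulting
event-to-incident reduction ratio discussed in the text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified sshd/syslog style (not real logs).
SAMPLE_LOG = """\
2017-12-01T08:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2017-12-01T08:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2017-12-01T08:00:05 host1 sshd: Failed password for alice from 10.0.0.5
2017-12-01T08:00:07 host1 sshd: Failed password for alice from 10.0.0.5
2017-12-01T08:00:09 host1 sshd: Failed password for alice from 10.0.0.5
2017-12-01T08:00:11 host1 sshd: Accepted password for alice from 10.0.0.5
2017-12-01T08:01:00 host2 sshd: Failed password for bob from 10.0.0.9
2017-12-01T08:01:02 host2 sshd: Accepted password for bob from 10.0.0.9
2017-12-01T09:30:00 host1 sshd: Failed password for carol from 192.0.2.7
2017-12-01T09:30:01 host1 sshd: Failed password for carol from 192.0.2.7
2017-12-01T09:30:02 host1 sshd: Failed password for carol from 192.0.2.7
2017-12-01T09:30:03 host1 sshd: Failed password for carol from 192.0.2.7
2017-12-01T09:30:04 host1 sshd: Failed password for carol from 192.0.2.7
2017-12-01T09:30:05 host1 sshd: Failed password for carol from 192.0.2.7
2017-12-01T09:30:06 host1 sshd: Failed password for carol from 192.0.2.7
2017-12-01T09:45:00 host1 sshd: Accepted password for carol from 192.0.2.7
"""

# Assumed line format for the demo; a real collector would use a per-source parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_event(line):
    """Normalize one raw line into a dict of fields.

    Returns None for lines the parser does not understand. A real pipeline
    would count those separately: a sudden drop in parsed events is itself a
    signal that logging was disabled or bypassed, the second problem the text
    raises.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Apply the rule: at least `threshold` failed logins from one source
    against one host inside `window`, followed by a successful login from
    that source. Returns (incidents, number_of_parsed_events)."""
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    incidents = []
    parsed = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        parsed += 1
        q = failures[(ev["src"], ev["host"])]
        # Expire failures that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            incidents.append({
                "rule": "failed_logins_then_success",
                "src": ev["src"], "host": ev["host"], "user": ev["user"],
                "failed_attempts": len(q),
                "first_failure": q[0], "success": ev["ts"],
            })
            q.clear()  # one incident per burst, not one per later success
    return incidents, parsed


def reduction_ratio(parsed, incidents):
    """Events per correlated incident, the figure the text calls the reduction ratio."""
    return parsed / len(incidents) if incidents else float("inf")


def run_demo(log=SAMPLE_LOG):
    """Run the rule over the constructed sample and return (incidents, parsed)."""
    return correlate(log.splitlines())


if __name__ == "__main__":
    incidents, parsed = run_demo()
    print(f"{parsed} events -> {len(incidents)} suspected incident(s), "
          f"reduction ratio {reduction_ratio(parsed, incidents):.0f}:1")
    for inc in incidents:
        print(inc)
```

On the sample, 16 events collapse to one suspected incident (alice's burst from 10.0.0.5); bob's single failure never reaches the threshold and carol's seven failures have aged out of the window before her later success. Lowering the threshold or widening the window trades missed bursts against more incidents for the analyst to triage, which is the tuning loop the text describes.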
[Figure: Suspected incidents → Prioritized incidents → Directed forensics investigations (use intuition more than technical training; determine root cause and prevent recurrences), supported by embedded intelligence]
[Figure: Vulnerability and Incident Forensics; Risk Management and Response; User Behavior Analytics; Compliance Reporting]
platform of capabilities that work together to provide the broadest visibility of any platform on the
market – and QRadar is at the center of attention.
Cognitive Security
• Automated analysis of security incidents and anomalies powered by Watson for Cyber Security
to help transform security operations
• Powerful cognitive analytics that help security teams address skills shortages, alert overloads,
incident response delays, currency of security information and process risks
Summary
Now you should be able to perform the following tasks:
• Describe why we need Security Intelligence and a security immune system
• Describe the QRadar ecosystem
© Copyright IBM Corporation 2017
IBM QRadar SIEM Component
Architecture and Data Flows
Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning how
the central Security Intelligence components are designed to take in and process log events and
flow data, you will be better equipped to holistically work as a Security Analyst.
In this unit we start at the functional architecture level and explain how IBM QRadar was designed
as a modular Security Intelligence solution from the ground up. After taking a look at this modular
design, its extensibility and deployment pattern, we closely examine the component architecture so
that the analyst understands how data is ingested and processed. When the analysts later examine
bits and pieces of a larger security incident investigation, this architectural understanding can
substantially enhance their capability for detailed and fast analysis.
Objectives
In this unit, you learn to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture
Lesson 1 QRadar functional architecture and deployment models
This lesson explains the QRadar functional architecture and deployment models. It shows how
IBM QRadar was designed as a modular Security Intelligence solution from the ground up.
• IT Regulatory Compliance
Collect and securely archive log records for audit and compliance
Generate reports required by internal or external regulations to successfully pass compliance audits
• IT Internal monitoring
Frequently collect, correlate, and analyze data to alert on security policy violations
• Threat detection
Analyze event log and network flow data to detect and alert on IT security risk management related
issues
The first requirement addresses IT log management for forensic analysis. The archived event and
network flow records are used to analyze incidents and gather evidence. The data must be
collected and stored reliably in its original format to stand up as evidence in a court of law or to be
used for compliance reporting. Also, the data must be archived for several years and it must be
searchable.
To fulfill the compliance audit requirement, the archived data is used to prove that relevant audit
information has been collected and securely stored. Furthermore, the data must be used to create
reports required by the regulation, and the regulatory compliance reports must be stored for a
period of time.
The next requirement addresses IT internal monitoring to alert on security policy violations. This in
itself requires an organizational IT Security Policy that defines appropriate use of the IT
environment. High risk offenses to the policy must be identified and reported upon, and offenses
must be managed. IT usage that is not in compliance with the policy must be reported upon.
The most prevalent requirement today, however, revolves around IT security risk management for
the overall organization. All of the previously described functional requirements apply here as well.
In addition, an extensive knowledge of the IT environment, and the threats to which it is exposed, is
required. To perform anomaly detection it is also necessary to understand data patterns within the
captured events and network flows.
No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console, with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.
• Dashboard
The Dashboard tab allows an organization to define many different views into the collected and
processed data. QRadar provides many predefined dashboards, but you can create and
maintain your own.
• Offenses
Use the Offenses tab to view all the offenses that occur on your network and complete the
following tasks:
– Investigate offenses, source and destination IP addresses, network behaviors, and
anomalies on your network
– Correlate events and flows that are sourced from multiple networks to the same destination
IP address
– Go to the various pages of the Offenses tab to investigate event and flow details
– Determine the unique events that caused an offense
• Log Activity
The Log Activity tab displays event information as records from a log source, such as a firewall
or router device. Use the Log Activity tab to do the following tasks:
– Investigate event data
– Investigate event logs that are sent to QRadar SIEM in real time
– Search events
– Monitor log activity by using configurable time-series charts
– Identify false positives to tune QRadar SIEM
• Network Activity
If the content capture option is enabled, the Network Activity tab displays information about
how network traffic is communicated and what was communicated. Here, you can do the
following tasks:
– Investigate the flows that are sent to QRadar SIEM in real time
– Search network flows
– Monitor network activity by using configurable time-series charts
• Assets
QRadar automatically creates asset profiles by using passive flow data and vulnerability data to
discover your network servers and hosts.
Asset profiles provide information about each known asset in your network, including the
services that are running. Asset profile information is used for correlation purposes, which helps
to reduce false positives.
Use the Assets tab to do the following tasks:
– Search for assets
Report templates are grouped into report types, such as compliance, device, executive, and
network reports. Use the Reports tab to complete the following tasks:
– Create, distribute, and manage reports for QRadar SIEM data
– Create customized reports for operational and executive use
– Combine security and network information into a single report
– Use or edit preinstalled report templates
– Brand your reports with customized logos. Branding is beneficial for distributing reports to
different audiences
– Set a schedule for generating both custom and default reports
– Publish reports in various formats
• Vulnerabilities
If the QRadar Vulnerability Manager license has been deployed, you will see a Vulnerabilities
• Admin
The Admin tab provides all tools to manage and maintain the QRadar deployment. Analysts
typically do not have access to these tools.
The example in this screen shot depicts the integration of the QRadar console with QRadar
Designed to integrate Log Management, SIEM, Vulnerability and Risk Management, Incident
Forensics, and an extensible application framework into one solution, QRadar Security Intelligence
can deliver a large log management scale without any compromise on SIEM “Intelligence.”
As a QRadar analyst you can switch from log events, to network flows, to risk and compliance
policy reports and prioritized lists of network wide vulnerabilities, and complete analysis of incidents
after an offense has occurred. This allows an organization to reduce the time before an initial
breach is detected and avoid the actual exploit.
[Figure: offense investigation questions. Is the attack credible? How valuable are the targets to the business? Where are they located? Who was responsible for the attack? What was stolen and where is the evidence?]
Here is what you can see as a security analyst when you begin to investigate an offense record that
was triggered by a correlation rule. You can quickly investigate the who, what, and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.
IBM QRadar SIEM provides strong event-management and analysis capabilities and is very
effective in detecting threats because it can leverage a broad range of data, analyze it, and apply
context from an extensive range of sources. This helps to reduce false positives, report on actual
exploits, and show what kind of activity is taking place. This can result in faster threat detection and
response.
QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context
in which systems are operating. That context includes security and network device logs,
vulnerabilities, configuration data, network traffic telemetry, application events and activities, user
identities, assets, geolocation, and application content. This activity generates a staggering amount
of data, which makes the automation in QRadar very important because it can correlate this large
amount of data down to a small number of actionable offenses.
QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.
QRadar uses intelligence, automation, and analytics to provide actionable security information
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, vulnerabilities, evidence for forensics, and so on.
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics
This slide provides an overview of where all this data is coming from.
• Point in time
Everything that QRadar investigates needs to provide an exact point in time. This timestamp
allows QRadar to correlate the most complex relationships between disparate log sources and
network flows to present those as one connected event.
• Offending users
QRadar extracts user information wherever possible allowing an analyst to further investigate
individual users. QRadar also uses this information for user behavioral analytics.
• Origins
The origin represents the starting point for all QRadar correlation activity. The origin is captured
as an IP address.
• Targets
The target represents the final point for all QRadar correlation activity. The target is captured as
an IP address.
• Asset information
QRadar maintains a centralized asset database that is used to record a variety of details for
each asset that has been discovered. Assets can be discovered in two ways. Actively, by using
vulnerability scans with QRadar Vulnerability Manager, or passively through network flow
records. Asset data can also be imported by using other enterprise tools for asset management.
Details can include IP address, host name, running applications and services, as well as
vulnerabilities.
• Vulnerabilities
QRadar maintains a list of vulnerabilities for each asset. These can either be discovered by
using QRadar Vulnerability Manager or any other 3rd party vulnerability management solution.
Asset related vulnerabilities are being used for QRadar correlations and analytics, and they can
influence several factors throughout the incident management process.
• Known threats
QRadar is able to connect to external threat feeds, such as the IBM X-Force Exchange. This
threat information can also be used for QRadar correlations and analytics to influence the
incident management process.
• Behavioral analytics
Utilizing some of the above mentioned data in combination with other enterprise wide collected
information QRadar can analyze user behavior to alert whenever abnormal activity has been
detected.
• Cognitive analytics
After all this data has been correlated it is presented to the analysts in the QRadar Console. If a
particularly important threat is discovered, an analyst has to investigate it with an utmost
urgency. To support this task QRadar now provides Cognitive Analytics. This capability
augments a security analyst's ability to identify and understand sophisticated threats, by tapping
into unstructured data (such as blogs, websites, research papers) and correlating it with local
security offenses.
• Allows deep packet inspection for Layer 7 flow data
Pivoting, drill-down, and data-mining activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
However, no attacker can disable the network, or they cut themselves off as well.
Network flow analytics in QRadar allows deep packet inspection for OSI Layer 7 flow data, which
can contain very helpful information for advanced forensics. Network flow information helps to
detect communication flow anomalies, zero-day attacks that have no signature yet, and provides
Using passive monitoring, flow analytics builds up an asset database and profiles your assets. For
example, an IT system that has responded to a connection on port 53 UDP is obviously a DNS
server. Another IT system that has accepted connections on ports 139 or 445 TCP is a Windows
server.
Adding application detection can confirm this not only at a port level, but the application data level
as well.
Source: To learn more about the OSI Layer model please visit:
http://searchnetworking.techtarget.com/definition/OSI
Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson
Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps
Deep Threat Intelligence and Analysis
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative
Security Analysts today are more and more overwhelmed by the amount of data that requires
investigation and by the mounting time pressure to act. Cognitive analytics augments your analysts’
knowledge and insights with QRadar Advisor with Watson to speed up analysis with visuals, query,
and auto-discovery across the platform where you can inspect events, flows, users, and more by
tapping into unstructured data (such as blogs, websites, research papers) and correlating it with
local security offenses.
QRadar provides open APIs to allow for custom integrations and applications, which can be found
at the IBM Security App Exchange. One example here is the User Behavior Analytics app, which is
available free of charge and provides early visibility to insider threats.
You can further extend the QRadar functionality with threat intelligence data and analytic functions
from the IBM X-Force Exchange and the IBM i2 Enterprise Insight Analysis solution.
These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at some of these extensions now.
[Figure: Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends results to the incident response team]
establish a relationship between machines and humans. The role of technology can now change
from enabler to advisor. We are ushering in this new era of cognitive security to out-think and
outpace threats with security that understands, reasons, and learns.
IBM Watson enables fast and accurate analysis of security threats, saving precious time and
resources. This empowers the analysts to perform faster investigations and clear their backlog
easier. It will also help to increase the investigative skills for individual analysts over time.
With the help of IBM Watson, security analysts will be able to spend less time on the mundane
tasks of manual and time consuming threat analysis, and more time being human.
On the defensive side, organizations have to deal with a large number of siloed security solutions
from an equally large number of vendors. It is estimated that an average enterprise can have up to
85 security products from 40 vendors. With this mix, it is difficult to link the products together so
they can support each other.
To fill this gap, IBM has introduced the IBM Security App Exchange. The exchange is a marketplace
for the security community to create and share applications that integrate with IBM Security
solutions. The first offering in which customers, business partners, and other developers can build
custom apps is QRadar.
Releasing application programming interfaces (APIs) and software development kits for QRadar
fosters the integration with third-party technologies. This provides organizations with better visibility
into more types of data, and also offers new automated search and reporting functions that can
help security specialists focus on the most pressing threats.
The IBM Security App Exchange has a number of customized apps that extend security analytics
into areas like user behavior, endpoint data, and incident visualization.
Before releasing an app, IBM Security closely tests every application to ensure the integrity of
these community contributions.
In the future the App Exchange will offer the opportunity to produce apps for additional IBM Security
products.
form of organized activity. Cyber criminals have learned to collaborate. They share vulnerability,
targeting, and countermeasure information. They also share tools to ensure that their attacks can
be successful. Collaboration is a force multiplier for the hacking community. Organizations have
been using threat intelligence in an effort to stay abreast of the threats, but these efforts are limited.
To succeed requires much more information, shared among security professionals, researchers,
and practitioners.
IBM has built a collaboration platform called the X-Force Exchange to facilitate the collaboration that
will allow organizations to have a much greater understanding of threats and actors. X-Force
Exchange is a cloud-based threat intelligence sharing platform that enables users to rapidly
research the latest global security threats, aggregate actionable intelligence, consult with experts
and collaborate with peers. IBM X-Force Exchange provides timely, curated threat intelligence
insights, which adds context to machine-generated data. The platform facilitates making
connections with industry peers to validate findings and research threat indicators.
Leveraging the open and powerful infrastructure of the cloud, users can collaborate and tap into
over 700 terabytes of information from multiple data sources. This includes one of the largest and
most complete catalogs of vulnerabilities in the world, threat information based on monitoring of
more than 15 billion monitored security events per day, and malware threat intelligence from a
network of 270 million endpoints. This threat information is based on over 25 billion web pages and
images and deep intelligence on more than 8 million spam and phishing attacks.
Source: https://exchange.xforce.ibmcloud.com
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight and forensics
• Physical and virtual environments
Network Insights
• Real time threat detection and long-term retrospective analysis
Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning and prioritization
• Predictive threat modeling and simulation
Network Forensics
• For many organizations, the starting point is to address the log management challenge, which
is why IBM offers a family of “log management only” appliances. These log management
appliances can be upgraded to full SIEM capability by configuring an additional license key.
• The full SIEM implementation provides integration of log management with threat, fraud,
network, and security intelligence. Network activity data, vulnerability assessment, and external
threat data are added as data sources along with sophisticated correlation and behavioral
analytics.
• For application layer visibility and forensic content capture, the QFlow and VFlow flow collectors
can be deployed in physical or virtual infrastructures. These appliances provide extensive
application-level surveillance of all activity at key locations.
• QRadar Network Insights can provide configurable network traffic analysis for real time threat
detection and long-term retrospective analysis to detect insider threats, data exfiltration and
malware activity.
• Risk and Vulnerability management capabilities can be activated by configuring additional
license keys. Risk Manager requires an additional dedicated appliance as well, while
Vulnerability Manager can be deployed on existing appliances. Risk Manager provides network
security configuration monitoring, while Vulnerability Manager focuses on vulnerability scanning
and prioritization. Together they can be used for predictive threat modeling and simulation.
• For some organizations, the full SIEM scale can be met with a single appliance; for others who
have higher scale, or remote collection and storage requirements, QRadar processors enable
massive deployments. This horizontal, stackable expansion supports a massive scale and
geographic distribution, while maintaining exactly the same user experience.
• Network Forensics appliances allow you to fully reconstruct network sessions that can provide
clarity around questions like “who”, “what”, and “when” in great detail.
Deployment models
[Figure: All-in-One (2100/31XX) appliance versus a distributed deployment with Console (31XX), Event Processor (16XX), Flow Processor (17XX), and QFlow Collector (12XX/13XX). All-in-One is a single appliance used to collect events and flows; a distributed deployment consists of multiple appliances for different purposes.]
• Event Processor to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network
devices; optional QFlow Collector is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all
administrative functions
The selection depends on the amount of collected and processed events, data storage estimations,
high availability and disaster recovery requirements, organizational network topology, and other
factors.
An all-in-one deployment uses a single appliance to collect events and flow data from various
security and network devices, perform data correlation and rule matching, report on alerts and
threats, and provide all administrative functions through a web browser.
A distributed deployment consists of multiple appliances for different purposes. You can deploy
Event Collectors and Processors to collect, process, and store log events. Flow Collectors and
Processors are used to collect, process, and store several kinds of flow data generated from
network devices, and optionally, you can deploy QFlow Collectors to collect Layer 7 application
data. A Console is used to correlate data from managed processors, generate alerts and reports,
and provide all administrative functions.
The remainder of this course material does not pay any closer attention to the exact appliance
configurations and models currently available.
Lesson 2 QRadar SIEM component architecture
This lesson describes the high-level architecture of the major IBM QRadar SIEM components,
including the flow collector, event collector, event processor, and console. You also learn about the
flow of a captured event.
Architecture overview
• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
[Figure: high-level architecture. Event and flow collectors (network packet interface, sFlow, and 3rd party sources) feed the Event processor (events, flows, accumulations), which feeds the Console services (user interface, Magistrate, reporting) holding offenses and configuration.]
• If accumulation is required, accumulated data is stored in Ariel accumulation data tables
• As soon as data is stored, it cannot be changed (tamper proof)
• Data can be selectively indexed
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
• Provides one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported
Events from individual log sources and network flow data is collected by the QRadar Event and
Flow collectors. Once the flow and event data is forwarded to the Event Processor it is stored in the
Ariel database on the Event Processor. If accumulation is required, the accumulated data is stored
in Ariel accumulation data tables. To fulfill the tamper proof data storage aspects for compliance
mandates, data cannot be changed as soon as it is stored in the Ariel database. At any point in
time, data can be selectively indexed to support specific search and report requirements.
Once the Event Processor is finished processing, the data is passed on to the QRadar Console,
where further consolidated processing occurs. Offenses, assets, identity, and configuration
information are stored in the master PostgreSQL database on the Console. There is one master
database with optional copies on each processor for backup and automatic restore.
[Figure: QFlow flow collector pipeline. Raw data packets received (NetFlow, sFlow, NIC, and so on) → Aggregator (enforce license limit) → Application Detection Module (appId = eventId) → Flow reporting and routing (create superflows).]
• Flow data packets are collected from a variety of network device vendors and directly from the network interface
• Collected flow data can update asset profiles with the ports and services that are running on each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address 127.0.0.4/5
• (Custom) applications are detected
include the source and destination IP addresses, the port, and other fields.
Flow data packets can be collected from a variety of network device vendors, and directly from the
network interface. Collected flow data can update asset profiles with the ports and services that are
running on each host. If a new host is detected through network flow data, a new asset is created in
Next in line is the Aggregator. This component enforces the license limit for the Flow Collector,
which is measured in “flows per minute”, or FPM. If the license limit is exceeded, flows are
temporarily stored in an overflow buffer, which will be processed with the next set of flows. Every
log source protocol has an overflow buffer of 5 GB, and if the overflow buffer fills up, the additional
flows are dropped.
The Application Detection Module uses four methods of determining the application of the flow.
• The first is the User Defined method.
This method is mainly used when users have a proprietary application running on their network.
For example, all traffic going to host 10.100.100.42 on port 443 is recognized to be
MySpecialApplication.
• The second method uses State-based decoders.
This method is implemented by looking at the source code. It determines the application by
analyzing the payload for multiple markers, for example, if you see A followed by B, then
application = X; and if you see A followed by C, then application = Y.
• The next method uses Signature matching.
This method relies on basic string matching in the payload (see the Application Configuration
Guide for signature customization).
• The final method uses Port-based matching.
In this case, applications are matched based on their port use, for example, port 80 = http.
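The four detection methods above applied in order, with the first match winning, as an added illustration rather than QRadar's own Application Detection Module code. The rule formats, the marker sequences, the signatures and the sample flows are all constructed for the example; only the 10.100.100.42:443 rule and the port 80 = http mapping come from the text.

```python
"""Ordered application detection for flow records, following the four
methods the course describes: user-defined rules, state-based decoders,
signature matching and, last, port-based matching.
Added illustration with constructed rules; not QRadar code."""
from dataclasses import dataclass
import re


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # first unencrypted bytes captured from the NIC


# 1) User-defined: (destination host, port) -> application name.
USER_DEFINED = {
    ("10.100.100.42", 443): "MySpecialApplication",   # example from the text
}

# 2) State-based decoders: ordered marker sequences in the payload.
#    "A followed by B" -> X, "A followed by C" -> Y (constructed markers).
STATE_DECODERS = [
    ([b"SSH-", b"\r\n"], "SSH"),
    ([b"220 ", b"ESMTP"], "SMTP"),
]

# 3) Signature matching: plain string/regex match in the payload.
SIGNATURES = [
    (re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]"), "HTTP"),
    (re.compile(rb"^\x16\x03[\x00-\x03]"), "TLS"),   # TLS record header
]

# 4) Port-based: last resort, e.g. port 80 = http.
PORT_MAP = {(80, "tcp"): "http", (443, "tcp"): "https", (53, "udp"): "dns"}


def _markers_in_order(payload, markers):
    """True if every marker appears, each one after the previous match."""
    pos = 0
    for m in markers:
        idx = payload.find(m, pos)
        if idx < 0:
            return False
        pos = idx + len(m)
    return True


def detect_application(flow):
    """Return (application, method) using the first method that matches."""
    app = USER_DEFINED.get((flow.dst, flow.dst_port))
    if app:
        return app, "user-defined"
    for markers, name in STATE_DECODERS:
        if _markers_in_order(flow.payload, markers):
            return name, "state-based"
    for pattern, name in SIGNATURES:
        if pattern.search(flow.payload):
            return name, "signature"
    app = PORT_MAP.get((flow.dst_port, flow.proto))
    if app:
        return app, "port-based"
    return "unknown", "none"


if __name__ == "__main__":
    # Constructed sample flows, one per detection method
    for f in [Flow("10.0.0.5", "10.100.100.42", 443, "tcp", b"\x16\x03\x01"),
              Flow("10.0.0.5", "10.0.0.9", 2222, "tcp", b"SSH-2.0-OpenSSH\r\n"),
              Flow("10.0.0.5", "10.0.0.9", 8080, "tcp", b"GET / HTTP/1.1\r\n"),
              Flow("10.0.0.5", "10.0.0.9", 80, "tcp", b"")]:
        print(f.dst, f.dst_port, detect_application(f))
```

Note that the TLS flow to 10.100.100.42 is reported as MySpecialApplication, not TLS, because the user-defined rule takes precedence over the payload signature.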
Finally, the flow data packets reach the Flow reporting and routing component. This component
is responsible for creating superflows. A superflow stores one single flow record together with the
collection of IP addresses it covers, which allows flows to be processed faster and requires less
storage space. There are three types of superflows.
• Type A superflows contain a single source and multiple destination addresses with the same
destination port, byte count, and source flags or ICMP codes. An example for a type A
superflow is a network sweep.
• Type B superflows contain multiple source and a single destination address with the same
destination port, byte count, and source flags or ICMP codes. An example for a type B
superflow is a Distributed Denial of Service attack.
• Type C superflows contain a single source and destination address with changing source and
destination ports. An example for a type C superflow is a port scan.
Specific rule tests can leverage the flow type to determine if an offense needs to be created. The
creation of superflows can be disabled.
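The three superflow types as a grouping routine over flow records, added here as an illustration of the classification the text describes and not QRadar's own implementation. The grouping keys are simplified from the text (destination port, byte count and source TCP flags, no ICMP handling), the member threshold is an assumption, and the sample flows are constructed.

```python
"""Grouping of flow records into superflow candidates of type A (one source
to many destinations), B (many sources to one destination) and C (one
source/destination pair across changing ports).
Added illustration with constructed flows; not QRadar code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    bytes_: int
    flags: str   # TCP flags seen from the source, e.g. "S"


def find_superflows(flows, min_members=3):
    """Return a list of (type, key, member_flows) candidate superflows.

    Type A: same src, dst_port, bytes, flags; >= min_members distinct dsts
            (network sweep).
    Type B: same dst, dst_port, bytes, flags; >= min_members distinct srcs
            (distributed denial of service pattern).
    Type C: same src and dst; >= min_members distinct dst ports (port scan).
    A flow is assigned to at most one type, checked in the order A, B, C.
    min_members is an assumed threshold, not a QRadar setting.
    """
    by_a = defaultdict(list)
    by_b = defaultdict(list)
    by_c = defaultdict(list)
    for f in flows:
        by_a[(f.src, f.dst_port, f.bytes_, f.flags)].append(f)
        by_b[(f.dst, f.dst_port, f.bytes_, f.flags)].append(f)
        by_c[(f.src, f.dst)].append(f)

    result = []
    assigned = set()   # flows already folded into a superflow

    def emit(kind, key, members, distinct):
        remaining = [m for m in members if m not in assigned]
        if len({distinct(m) for m in remaining}) >= min_members:
            assigned.update(remaining)
            result.append((kind, key, remaining))

    for key, members in by_a.items():
        emit("A", key, members, lambda m: m.dst)
    for key, members in by_b.items():
        emit("B", key, members, lambda m: m.src)
    for key, members in by_c.items():
        emit("C", key, members, lambda m: m.dst_port)
    return result


def superflow_summary(flows, min_members=3):
    """Map superflow type -> number of member flows it replaced."""
    return {kind: len(members)
            for kind, _key, members in find_superflows(flows, min_members)}


def sample_flows():
    """Constructed flows: a SYN sweep, a DDoS-like burst and a port scan."""
    sweep = [Flow("10.1.1.5", f"10.2.0.{i}", 40000 + i, 22, 60, "S")
             for i in range(1, 6)]
    ddos = [Flow(f"172.16.{i}.9", "10.9.9.9", 50000, 80, 60, "S")
            for i in range(1, 5)]
    scan = [Flow("10.1.1.7", "10.3.3.3", 41000 + p, p, 60 + p, "S")
            for p in (21, 22, 23, 25, 80, 443)]
    return sweep + ddos + scan


if __name__ == "__main__":
    for kind, key, members in find_superflows(sample_flows()):
        print(kind, key, len(members), "flows")
```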
Up to a configurable number of bytes, QFlow provides layer 7 insights into the payload if it is
unencrypted. Using a tap or span port, QFlow collects raw packets and places them into 60-second
chunks. QFlow can also receive layer 4 flows from other network devices in IPFIX/NetFlow, sFlow,
[Figure: event collector pipeline. Log Sources → Traffic Analysis (log source detection) → Device Support Module (DSM) parser threads → DSM normalization filter → Coalescing filter.]
• EPS license is checked
• Log Sources are automatically discovered after record analysis in the Traffic Analysis module
• The event collector normalizes events and classifies them into low- and high-level categories
in Events per Second, or EPS. Events are temporarily stored in an overflow buffer if the EPS
license is exceeded, and those events are processed during the next cycle. Should the overflow
buffer fill up, the additional events are dropped, and a message is logged for the administrators.
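The EPS license check and the overflow buffer described above, modelled as a small Python class. This is an added illustration for this guide, not QRadar code; the license value, the buffer size and the burst of events are constructed, and each call to tick() stands for one one-second processing cycle.

```python
from collections import deque


class EpsLicenseFilter:
    """Constructed model of the per-second license check (not IBM code).

    Events above the licensed EPS go to an overflow buffer and are processed in later
    cycles; once the buffer is full, further events are dropped and a message is logged.
    """

    def __init__(self, licensed_eps, buffer_capacity):
        self.licensed_eps = licensed_eps
        self.buffer_capacity = buffer_capacity
        self.overflow = deque()
        self.log = []          # messages an administrator would see

    def tick(self, incoming):
        """Process one second of traffic. Returns (processed, buffered_now, dropped)."""
        budget = self.licensed_eps
        processed = []
        # Drain the overflow buffer first so delayed events are not starved.
        while self.overflow and budget > 0:
            processed.append(self.overflow.popleft())
            budget -= 1
        dropped = 0
        for ev in incoming:
            if budget > 0:
                processed.append(ev)
                budget -= 1
            elif len(self.overflow) < self.buffer_capacity:
                self.overflow.append(ev)
            else:
                dropped += 1
        if dropped:
            self.log.append(f"overflow buffer full: dropped {dropped} events this cycle")
        return len(processed), len(self.overflow), dropped


def run_constructed_burst():
    """Constructed workload: a 250-event burst into a 100 EPS license with a 100-event buffer."""
    flt = EpsLicenseFilter(licensed_eps=100, buffer_capacity=100)
    first = flt.tick([f"ev{i}" for i in range(250)])   # 100 processed, 100 buffered, 50 dropped
    second = flt.tick([])                              # quiet second: the buffer drains
    return first, second, list(flt.log)


if __name__ == "__main__":
    print(run_constructed_burst())
```

The drop message is the signal an administrator should alert on: once it appears, the sustained input rate has exceeded both the license and the buffer, and events are being lost rather than delayed.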
Log Sources are automatically discovered after record analysis in the Traffic Analysis module. This
new QRadar log source, if detection is successful on an IP address. The Traffic Analysis module
only carries out detection on event protocols that are "pushed" to the event collector, for example,
syslog.
After the correct log source has been detected, such as a Checkpoint Firewall, the individual
Device Support Modules begin to parse the events. First, the events are normalized, where source
specific data fields are mapped into QRadar terminology for further processing. The log source
parser then extracts the log source event ID from the log record and maps that to the QRadar
Identifier, or QID. The QID is a unique ID to which the extracted log source event ID is linked. Each QID
relates to a custom event name and description, as well as severity and event category information.
The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC). Every QID is linked to one of the low-level categories; for example, a valid
category combination is "Authentication" (being a High Level Category) and "Admin Login
Successful" (being a Low Level Category).
Finally, the coalescing filter can optionally bundle identical events to conserve system usage before
handing the data off to the Event Processor.
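The parse, normalize, QID lookup and coalesce steps above, carried through in Python on constructed syslog lines. This is an added example, not a DSM or any IBM code: the log format, the QID numbers, the category names and the coalescing key are all assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Constructed QID map: (log source type, vendor event ID) -> QID record.
# The numbers and category names are illustrative, not real QRadar QIDs.
QID_MAP = {
    ("ExampleFirewall", "DENY"):   {"qid": 90001, "name": "Firewall Deny",
                                    "hlc": "Access", "llc": "Firewall Deny", "severity": 4},
    ("ExampleFirewall", "ACCEPT"): {"qid": 90002, "name": "Firewall Permit",
                                    "hlc": "Access", "llc": "Firewall Permit", "severity": 1},
}

# Constructed syslog format: "<pri>Mon dd hh:mm:ss host ACTION key=value ..."
FIREWALL_RE = re.compile(
    r"^<\d+>(?P<ts>\S+ \d+ [\d:]+) (?P<host>\S+) (?P<action>[A-Z_]+)\s+(?P<kv>.*)$")


def normalize(raw, log_source_type="ExampleFirewall"):
    """Map vendor-specific fields into normalized names and resolve the event's QID.
    Returns None when the line does not parse or the event ID has no QID mapping."""
    m = FIREWALL_RE.match(raw)
    if not m:
        return None
    kv = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    qrec = QID_MAP.get((log_source_type, m.group("action")))
    if qrec is None:
        return None
    return {
        "qid": qrec["qid"],
        "event_name": qrec["name"],
        "high_level_category": qrec["hlc"],
        "low_level_category": qrec["llc"],
        "severity": qrec["severity"],
        "source_ip": kv.get("src"),
        "destination_ip": kv.get("dst"),
        "protocol": kv.get("proto"),
        "log_source": m.group("host"),
        "timestamp": m.group("ts"),
    }


def coalesce(events):
    """Bundle identical events (same QID, source, destination and log source) into one
    record carrying an event count, as the coalescing filter does. The first event's
    timestamp is kept; the key fields are an assumption for this example."""
    bundles = OrderedDict()
    for ev in events:
        key = (ev["qid"], ev["source_ip"], ev["destination_ip"], ev["log_source"])
        if key in bundles:
            bundles[key]["event_count"] += 1
        else:
            bundles[key] = dict(ev, event_count=1)
    return list(bundles.values())


# Constructed sample log lines (not captured from a real device).
CONSTRUCTED_SYSLOG = [
    "<134>Jan 10 10:00:01 fw01 DENY src=10.0.0.5 dst=10.0.1.1 proto=ICMP",
    "<134>Jan 10 10:00:01 fw01 DENY src=10.0.0.5 dst=10.0.1.1 proto=ICMP",
    "<134>Jan 10 10:00:02 fw01 DENY src=10.0.0.5 dst=10.0.1.1 proto=ICMP",
    "<134>Jan 10 10:00:02 fw01 DENY src=10.0.0.5 dst=10.0.1.2 proto=ICMP",
    "<134>Jan 10 10:00:03 fw01 ACCEPT src=10.0.0.9 dst=10.0.0.10 proto=TCP",
]


def process_constructed():
    """Run the sample lines through normalize() and coalesce()."""
    normalized = [n for n in (normalize(line) for line in CONSTRUCTED_SYSLOG) if n]
    return coalesce(normalized)


if __name__ == "__main__":
    for b in process_constructed():
        print(b["event_count"], b["event_name"], b["source_ip"], "->", b["destination_ip"])
```

Three of the five lines collapse into one bundle with an event count of 3, which is the saving the coalescing filter buys; note that the bundle keeps only the first timestamp, so per-event timing inside a bundle is lost, a trade-off to keep in mind when coalescing is enabled for a log source whose exact event timing matters.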
Event processor components (slide): Event or flow sources received, Overflow filter (enforce license limit), Custom Rules Engine (CRE), Exit filter, Event storage filter (Events and Flows Ariel database), Host profiler, Accumulator (Accumulations Ariel database)
• Events and flows are tested against all enabled rules in the rules engine
• New offenses can be triggered and sent to the Magistrate (see Console)
• Events and flows are stored in the events or flows Ariel database
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database (see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database
the Overflow Filter enforces the license in a similar way to the collectors.
Next, the Custom Rule Engine, or CRE, tests every single event or flow against all enabled rules.
Matched rules can have responses or results. For example, a matched rule might trigger the
creation of an offense, or create a new CRE event that triggers the creation of an offense. However,
actual offenses are not created here at the Event Processor, but rather at the Console.
It is possible that multiple matched events, flows, and matched rules might correlate into a single
offense. On the other hand, a single event or flow can also be correlated into multiple offenses.
By default, rules are tested against events or flows received by a single event processor (local
rules). The Exit Filter sends on any events or flows that have been marked for further processing by
Every event and flow is then sent on to the Event Storage Filter, where they are stored in the events
or flows Ariel database.
If a new port or host is detected at this time, an asset profile needs to be updated or created in the
PostgreSQL database. The Host Profiler, or Host Profiling Filter, sends the collected information
about the new host to the Console, so that a new asset can be created or updated.
Finally, if an analyst has defined any searches to collect and investigate specific sets of data,
events and flow records are accumulated every minute and stored in the accumulator Ariel
database. These accumulations create time-series statistical metadata that is used for Dashboards,
event and flow forensics and searching, reporting, and the Anomaly Detection Engine on the
Console. Accumulated time intervals can be defined as 1 minute, 1 hour, and 1 day. The
Accumulator is a distributed component that operates on each Event Processor.
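The CRE behaviour described above, as an added Python model (not IBM code): every event is tested against every enabled rule, a matched rule can emit a new CRE event that is itself tested against all rules, and an offense is only requested from the Magistrate, never created locally. The two rules, the threshold of five destinations and the normalized events are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    test: Callable[[dict], bool]
    response: Callable[[dict], Optional[dict]]   # returns a CRE event, an offense request, or None
    enabled: bool = True


class CustomRulesEngine:
    """Constructed model of the Event Processor CRE (not IBM code)."""

    def __init__(self, rules):
        self.rules = rules
        self.cre_events = []          # events generated by rule responses
        self.offense_requests = []    # handed to the Magistrate on the Console

    def process(self, event):
        queue = [event]
        while queue:
            ev = queue.pop(0)
            for rule in self.rules:
                if not (rule.enabled and rule.test(ev)):
                    continue
                out = rule.response(ev)
                if out is None:
                    continue
                if out.get("kind") == "offense":
                    self.offense_requests.append(out)   # offense is created at the Console
                else:
                    self.cre_events.append(out)
                    queue.append(out)                   # CRE events are tested like any other


def build_rules(sweep_threshold=5):
    """Two hypothetical rules: one turns repeated Firewall Deny events from a single source
    into a 'Network Sweep' CRE event, the other raises an offense on that CRE event."""
    targets = defaultdict(set)   # source ip -> distinct destinations seen
    fired = set()                # sources that already produced a sweep event

    def sweep_test(ev):
        if ev.get("low_level_category") != "Firewall Deny":
            return False
        targets[ev["source_ip"]].add(ev["destination_ip"])
        return (len(targets[ev["source_ip"]]) >= sweep_threshold
                and ev["source_ip"] not in fired)

    def sweep_response(ev):
        fired.add(ev["source_ip"])
        return {"kind": "event", "event_name": "Network Sweep Detected",
                "low_level_category": "Network Sweep", "source_ip": ev["source_ip"],
                "destination_count": len(targets[ev["source_ip"]])}

    def offense_test(ev):
        return ev.get("low_level_category") == "Network Sweep"

    def offense_response(ev):
        return {"kind": "offense", "offense_type": "Source IP",
                "source_ip": ev["source_ip"], "rule": "Network Sweep"}

    return [Rule("Firewall Deny sweep", sweep_test, sweep_response),
            Rule("Raise offense on Network Sweep", offense_test, offense_response)]


def run_constructed():
    """Feed constructed normalized events: one host is denied to six hosts, another to two."""
    cre = CustomRulesEngine(build_rules())
    for i in range(1, 7):
        cre.process({"low_level_category": "Firewall Deny", "source_ip": "10.0.0.5",
                     "destination_ip": f"10.0.1.{i}"})
    for i in range(1, 3):
        cre.process({"low_level_category": "Firewall Deny", "source_ip": "10.0.0.8",
                     "destination_ip": f"10.0.1.{i}"})
    return cre


if __name__ == "__main__":
    engine = run_constructed()
    print(len(engine.cre_events), "CRE event(s),", len(engine.offense_requests), "offense request(s)")
```

The second rule never looks at the raw firewall events; it only matches the CRE event the first rule produced, which is the chaining the text describes (a matched rule creates a new CRE event that in turn triggers the offense).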
Console architecture (slide): Magistrate, Offenses, Assets, Custom rule engine, Overflow filter (enforce license limit), Ariel Proxy Server, Vulnerability Information Server, Anomaly Detection Engine, Exit Filter, Event processor, Query Server, profiler, Accumulators
• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then brought to the analyst's attention in the interface
• The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that triggered the creation of an offense
• The Vulnerability Information Server (VIS)
offenses are then brought to the analyst's attention in the user interface. The Magistrate instructs
the Ariel Proxy Server to gather information about all related events and flows that triggered the
creation of an offense. The collected data is then available for further investigation by the analyst.
If data is collected from multiple Event Processors, the Console's Custom Rules Engine can utilize
Global Cross Correlation to test rules on data from all deployed Event Processors. This helps to
locate more complex attacks, which can span across the overall IT infrastructure and are not
The Vulnerability Information Server (VIS) creates new assets, or adds open ports or discovered
services to existing assets, based on information from the Host Profiler on the Event Processors.
This happens when hosts, services, or vulnerabilities that cannot be mapped to existing assets are
discovered.
The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which
are then used for offense evaluation. There are three categories of Anomaly Detection Rule types.
• The Threshold rule examines a numeric range, such as greater than, less than, or a particular
range. This rule can help detect the bandwidth of an application, the number of users connected
to a VPN, or a large and unusual outbound data transfer.
• The Anomaly rule looks at a short-term change compared against a longer time frame.
This can help to locate new service activity or a change in the bandwidth volume on a specific
link.
• The Behavioral rule can detect changes from the same time yesterday or last week. This
includes mail traffic, for example, an increase in external SMTP server traffic, which could indicate a
relay. This rule can also be used for regular IT services, such as backup monitoring, where the
rule would trigger if a backup failed.
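The three rule types above, implemented as plain functions over a time series of accumulated counts. This is an added example, not the ADE's own logic: the window sizes, the percentage thresholds and the hourly SMTP event counts are constructed, and the series plays the role of what the Accumulator would hold for a saved search.

```python
from statistics import mean


def threshold_rule(series, low=None, high=None):
    """Threshold rule: return the indexes of samples outside [low, high]. Either bound is optional."""
    hits = []
    for i, v in enumerate(series):
        if (low is not None and v < low) or (high is not None and v > high):
            hits.append(i)
    return hits


def anomaly_rule(series, short=1, long=24, change_pct=50):
    """Anomaly rule: compare the mean of the last `short` samples with the mean of the
    `long` samples before them; fire when the change exceeds change_pct percent."""
    if len(series) < short + long:
        return False                      # not enough history to compare
    recent = mean(series[-short:])
    baseline = mean(series[-(short + long):-short])
    if baseline == 0:
        return recent > 0
    return abs(recent - baseline) / baseline * 100 > change_pct


def behavioral_rule(series, samples_per_day, change_pct=50):
    """Behavioral rule: compare the latest sample with the same time slot one day earlier."""
    if len(series) <= samples_per_day:
        return False
    now, yesterday = series[-1], series[-1 - samples_per_day]
    if yesterday == 0:
        return now > 0
    return abs(now - yesterday) / yesterday * 100 > change_pct


def constructed_series(spike=True):
    """Constructed hourly accumulations (24 per day, two days) of outbound SMTP events
    from one relay. With spike=True the final hour carries an unusual burst."""
    day = [5, 4, 3, 3, 2, 2, 6, 20, 40, 45, 50, 48, 42, 47, 46, 44, 38, 25, 12, 8, 6, 5, 4, 4]
    return day + day[:-1] + [400 if spike else day[-1]]


if __name__ == "__main__":
    s = constructed_series()
    print("threshold hits:", threshold_rule(s, high=100))
    print("anomaly:", anomaly_rule(s, short=1, long=6, change_pct=100))
    print("behavioral:", behavioral_rule(s, samples_per_day=24))
```

One point the example makes visible: with the defaults (the last hour against the preceding 24 hours, 50 percent change) the anomaly rule also fires on the quiet series, because a normal night hour is far below the daily mean. The behavioral rule does not, since it compares against the same hour yesterday. That is why the text pairs the Behavioral rule with daily or weekly patterns such as mail traffic.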
Let us take a closer look at how Offenses are being managed by the Magistrate component.
Events and flows that have been tagged by the Custom Rules Engine for further processing in the
Event Processors are being handed over to the Console through the Exit Filter.
Until now, we have examined the QRadar component structure from a deployment viewpoint. Let
us now take a final look into dissecting the flow of a captured event.
Summary
Now you should be able to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture
Component architecture and data flows
Summary
© Copyright IBM Corporation 2017
In this unit we covered the functional architecture level and explained how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at this
modular design, its extensibility and deployment pattern, we examined the component architecture
so that the analyst understands how data is ingested and processed.
When the analysts now examine bits and pieces of a larger security incident investigation, this
architectural understanding should substantially enhance their capability for detailed and fast
analysis.
Using the QRadar SIEM User Interface
The user interface of QRadar SIEM is your workbench to gain visibility into your environment from
a security perspective. This lesson teaches you how to operate the interface, such as pausing and
refreshing the displayed data, changing your password and accessing help.
Reference:
Objectives
In this unit, you learn to perform the following tasks:
• Leverage the QRadar SIEM user interface
Tabs
To leverage QRadar, use its tabs
• Dashboard: Monitor various activities in your environment
• Offenses: Query and display suspicious activities
• Log Activity: Query and display events
• Network Activity: Query and display flows
• Assets: Query and display information about systems in your environment
• Reports: Create templates and generate reports
• Admin: Administrative system management
To reset a tab to its default settings, double-click it.
The QRadar SIEM user interface provides tabs that let you navigate and focus on specific slices of
the collected, analyzed, and displayed data.
Two more tabs become available with a license for QRadar Vulnerability and Risk Manager
installed:
• Risks: Query and display risks in your environment
• Dashboard
• Log Activity
• Network Activity
• Reports
Pause: Click to pause automatic display refresh
Refresh: Display the latest available data
Play: Resume the automatic
button resets the displayed countdown to 60 seconds, but results returned can still come from the
prior minute. The countdown in the user interface does not necessarily run in sync with the
1-minute cycles.
The Pause button stops only refreshes of the display. QRadar SIEM continues to process data in
the background.
Users can change their password in the Preferences, if they authenticate with the local system
authentication of QRadar SIEM. Users cannot change the password in the User Preferences if
QRadar SIEM uses RADIUS, TACACS, Active Directory, or LDAP for their authentication.
In most deployments, the user admin authenticates with the local system authentication of QRadar
SIEM even if other users use external authentication. Therefore, the user admin usually changes
passwords in QRadar SIEM User Preferences.
Accessing help
Open the IBM Knowledge Center in a new browser tab. The browser requires internet access.
Question mark icon: Open context-sensitive help for the currently displayed feature in a new browser window. The browser does not require internet access because the Console appliance provides the context-sensitive help.
Exercise introduction
Complete the following exercises in the Course Exercises book
• Log in to the QRadar User Interface
• Discover the User Interface
• Sending sample data to QRadar
Summary
Now you should be able to perform the following tasks:
• Leverage the QRadar SIEM user interface
Investigating an Offense Triggered by Events
QRadar SIEM correlates events and flows into an offense if it detects suspicious activity. This unit
teaches you how to investigate the information that is contained in an offense.
References:
• IBM Knowledge Center: Event Categories
http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_event_categories.html
• QRadar SIEM Users Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
Objectives
In this unit, you learn to perform the following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information
– Summary information
– The details of an offense
• Respond to an offense
Lesson 1 Offenses overview
By creating an offense, QRadar SIEM alerts to suspicious activities. In this lesson, you learn the
significance of offenses and how to view your threat landscape from different perspectives.
Definition offense
Offense (noun): An offense alerts to a suspicious activity, and links to helpful information to
investigate it.
Introduction to offenses
• The prime benefit of QRadar SIEM for security analysts is that it detects suspected attacks or policy
violations and ties helpful information together into offenses to investigate them
• Some common offenses include these examples
– Multiple login failures
– Malware infection
– P2P traffic
– Scanner reconnaissance
• Treat offenses as security incidents and have a security analyst investigate them
More examples of offenses include:
Incoming events and flows
Organizational context
– User information, such as admin, newhire, CFO-team
– Network and server information, such as: web server, PCI network, crown jewels
Threat intelligence
– IP addresses and domain names of malicious hosts, such as
> spam senders
> malware hosts
> anonymous proxies
> IP address ranges dynamically assigned by ISPs
• The magistrate component running on the Console appliance maintains all offenses; it rates each
offense by its magnitude, which has these characteristics
– Ranges from 1 to 10, with 1 being low and 10 being high
– Prioritizes each offense by its relative importance
as intellectual property.
Offenses on Dashboard
Dashboard items can display offenses
• The Risks and Vulnerabilities tabs are only available if QRadar Risk Manager and QRadar
Vulnerability Manager are licensed.
• Double-click a particular offense to display the detailed Offense Summary of that offense.
Offenses tab
The Offenses tab provides many navigation options to view offenses from different perspectives
• To sort offenses, click a column header.
Lesson 2 Using summary information to investigate an offense
An offense bundles a wealth of information about a suspicious activity. In this lesson, you learn how
to use offense summary information to begin investigating an offense.
Note: At least an hour before this lesson, run the /labfiles/sendCheckpoint.sh script in order
to have QRadar SIEM create the example offense. On the Offenses tab, navigate to this offense
and use it as an example to illustrate the topics in this lesson.
• The remainder of the unit examines the window sections in the same way as the security analyst
investigates an offense
• Offense Parameters
• Offense Source Summary
• Last 5 Notes
• Last 5 Search Results
• Top 5 Categories
• Top 10 Events
• Top 10 Flows
• Top 5 Annotations
Offense parameters
Investigating an offense begins with the parameters at the top of the offense summary window
Offense parameters (1 of 4)
Magnitude: Relative importance of the offense
Credibility: How valid is information from that source?
Relevance: How significant is the destination?
Severity: How high is the potential damage?
These two buttons are only available if QRadar Risk Manager is licensed.
• Magnitude:
Prioritizes an offense by its importance relative to other offenses. However, security analysts
cannot ignore less important offenses, because they could indicate a real attack or policy
violation.
A proprietary algorithm calculates the magnitude based on a number of values, such as:
• Relevance:
Indicates the relative impact that the suspected attack or policy violation would have. QRadar
SIEM determines the relevance from the asset weights of the destinations of the offense.
QRadar SIEM administrators configure the asset weight in asset profiles.
• Severity:
Indicates the amount of threat a suspicious activity poses. Each event categorization configures
a severity rating.
• Credibility:
Indicates the reliability of the witness. Credibility increases if multiple sources report the same
attack. QRadar SIEM administrators configure a credibility rating for each log source.
Offense parameters (2 of 4)
the next section of the Offense Summary
Description: Reflects the causes for the offense; the
Event count: Number of events associated with this offense
Flow count: Number of flows associated with this offense
The rule that created the offense determines the Offense Type. Example offense types include:
• Source IP
• Destination IP
• Event Name
• Username
• Host Name
• Source Port
• Destination Port
• Source IPv6
• Destination IPv6
• Rule
• App ID
• Custom properties
Offense parameters (3 of 4)
scanning associated with the offense was created
Destination IP(s): Targets of the ICMP scanning
Duration: Amount of time elapsed since the first event or flow associated with the offense was processed
• Source IP(s):
To get more information about the IP address, right-click, left-click, or hold the mouse over the
address.
Offenses of type Source IP always have exactly one source IP address. Offenses of other
types can have more than one source IP address. In those cases, the Source IP(s) field
displays Multiple(n), where n indicates the number of source IP addresses.
• Destination IP(s):
If the offense has only one target, its IP address is displayed. To get more information about the
IP address, right-click, left-click, or hold the mouse over it.
If the offense has multiple targets, the following terms are displayed:
– Local (n): Local IP addresses that were targeted.
– Remote (n): Remote IP addresses that were targeted.
Left-click an option to view a list of the local or remote IP addresses.
.R ial
.N c
C pe
Network(s): Assigned to:
Local networks of the QRadar SIEM user
Offense parameters (4 of 4)
assigned to investigate
this offense
QRadar SIEM considers all networks specified in the Network Hierarchy on the Admin tab as local.
The Network Hierarchy is introduced later in this course.
QRadar SIEM does not associate remote networks to an offense, even if they are specified as
Remote Network or Remote Service on the Admin tab.
pr a
rm
Fo
Uempty
.R ial
IP: Location:
Origin of the Network of the source
ICMP scanning IP address if it is local
.N c
C pe
to es Magnitude:
Indication about the level of risk that an IP
address poses relative to other IP addresses
Uempty
.R ial
network of the IP address
.N c
C pe
to es Investigating an Offense Triggered by Events
Uempty
.R ial
.N c
C pe
WHOIS Lookup:
Port Scan: Find registered
nmap scans the owner of the IP
IP address address
• WHOIS Lookup:
By default, whois.arin.net is configured as the WHOIS server. It does not have the owners of
local IP addresses registered. QRadar SIEM must be able to reach whois.arin.net to lookup
registered owners of remote IP addresses.
pr a
• Port Scan:
On the Console, QRadar SIEM runs the command nmap -A for the IP address. Nmap is always
rm
intelligence feeds.
The result of the Port Scan does not create or update the asset profile in QRadar SIEM. Port
Scan is separate from vulnerability scanners, that QRadar SIEM administrators can configure
and run. The results of vulnerability scanners update asset profiles.
A QRadar SIEM user can run a Port Scan for a remote IP address, but the owner of the remote
system could consider this scan an attack. Therefore, do not scan remote IP addresses.
Uempty
.R ial
• Only scan IP addresses that your organization owns
.N c
C pe
to es Investigating an Offense Triggered by Events
Uempty
.R ial
browser tab
• The X-Force IP Report contains a
variety of information about the IP
address, including its history of Spam
.N c
and botnet activity
C pe
to es Investigating an Offense Triggered by Events
• The X-Force Exchange Lookup requires Internet access for the browser but not for the QRadar
Console appliance.
pr a
rm
Fo
Weight: Relevance of the asset with this source IP address
Offenses: Number of offenses associated with this source IP address
Events/Flows:
• User:
User associated with this source IP address. If no user is identified, the field shows Unknown.
• MAC:
MAC address with the source IP address when the offense began. If unknown, the field shows
Unknown NIC.
• Host Name:
Host name associated with the source IP address. If unidentified, the field shows Unknown.
• Asset Name:
Asset name associated with the source IP address. If unidentified, the field shows Unknown.
• Weight:
Asset weight of the source IP address, as configured by QRadar SIEM administrators in the
asset profile. The levels range from 0 (not important) to 10 (very important).
Lesson 3 Investigating offense details
.R ial
Lesson: Investigating offense details
.N c
C pe
to es
ec n
Investigating an Offense Triggered by Events © Copyright IBM Corporation 2017
oy cio
Many details help the security analyst to investigate an offense. In this lesson, you learn how to use
further details to investigate an offense.
Reference:
• IBM Knowledge Center: Event Categories
pr a
http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_ad
m_event_categories.html
rm
Fo
Last 5 Notes
• QRadar SIEM users can document their investigation findings and actions as notes
• You cannot edit or delete notes
• The maximum length of a note is 2000 characters
Notes: View all notes of the offense
Add Note: Create new note
When closing an offense, you can enter a reason. QRadar SIEM adds the reason as a note to the
offense.
• Their purpose is to record results of complex searches
• Configure the creation of Scheduled Search offenses in the Report Wizard on the Reports tab.
• The table contains only one row because the example offense has only one source IP address
Location: Hover the mouse over a shortened field value to display the full value
Sources: View all source IP addresses of the offense
• The table contains only two rows because only two local IP addresses were affected
Destination IP: Hover the mouse over the asset name or IP address to display further information
Chained: Indicates whether the destination IP address is the source IP address in another offense
Destinations: View all destination IP addresses of the offense
• Chained:
The field shows Yes if the destination IP address is the source IP address of other offenses.
In that case, an attacker has taken control over the system with this IP address and is using it to
attack other systems. Click Yes to view the chained offenses.
• Magnitude:
The column displays the Aggregate CVSS Score if this value exists. If it does not exist, the
column displays the highest offense magnitude of all the offenses that the IP address is a part
of.
• Destination Magnitude:
The bar displays the Aggregate CVSS Score if this value exists. If it does not exist, just 0 is
displayed.
Events: Number of events sent by the log source added to the offense
Log Sources: View all log sources adding to the offense
Custom Rule Engine (CRE): Offenses: Total Events:
QRadar SIEM administrators can choose the name and description of a log source. They also
choose the credibility for events received from the log source.
• Group:
Optionally, QRadar SIEM administrators can create log source groups.
Top 5 Users
QRadar SIEM lists the five users with the most events added to the offense
Users: View all users associated with the offense
For the example offense QRadar SIEM did not receive an event or flow with user information and
therefore does not list a user. The screen capture displays a user from a different offense.
Top 5 Categories
QRadar SIEM categorized most events into the Firewall Deny category
Categories: View all low-level categories of the events contributing to the offense
Name: Low-level category of the event
Local Destination Count: Number of local destination IP addresses affected by offenses with events in this category
Rules executed by the Custom Rules Engine (CRE) fired for the suspicious Firewall Deny
events. As an action of the rules, the CRE created the events in the Network Sweep and ICMP
Reconnaissance categories, and created the offense tying these events together.
• Local Destination Count:
Displays 0 if all destination IP addresses are remote.
• Events/Flows:
Displays the number of events per low-level category that the CRE added to the offense.
Last 10 Events
Double-click anywhere on a row to open a window with details about the event
Dst Port: Events:
.R ial
The destination port is 0 for layer View all events
3 protocol traffic such as ICMP added to the offense
.N c
C pe
to es Investigating an Offense Triggered by Events
Last 10 Events
© Copyright IBM Corporation 2017
ec n
The last 10 events added to the offense provide the security analyst information about the latest
developments in the offense.
oy cio
pr a
rm
Fo
Uempty
Last 10 Flows
The table does not display any flows, because QRadar SIEM did not detect flows relevant for the
offense
.R ial
Total Bytes: Flows:
Sum of bytes transferred View all flows added
in both directions to the offense
.N c
C pe
to es Investigating an Offense Triggered by Events
Last 10 Flows
© Copyright IBM Corporation 2017
ec n
oy cio
pr a
rm
Fo
Annotations
• Annotations provide insight into why QRadar SIEM considers the event or observed traffic threatening
• QRadar SIEM can add annotations when it adds events and flows to an offense
• Read the oldest annotation first, because it was added when the offense was created
Annotations: View all annotations of the offense
Annotation: Hold the mouse over a shortened annotation to show the full annotation
The QRadar SIEM rules add annotations when they create or update an offense, whereas QRadar
SIEM users cannot add, edit, or delete annotations.
View all events added to the offense
Summary: View the Offense Summary
Flows: View all flows added to the offense
Display: View offense information introduced on previous slides
course.
• In the next Lesson we take a look at the possible Actions.
Lesson 4 Acting on an offense
Security analysts draw conclusions from investigating an offense and can act accordingly. In this
lesson, you learn how to take action on an offense in QRadar SIEM.
Offense actions
After investigating an offense, click Actions at the top of the Offense Summary page to set flags and
status
Follow up: Choose if you want to revisit the offense
Hide: Use with caution because QRadar SIEM still updates the offense; alarming updates can stay hidden
Protect Offense: Prevent QRadar SIEM from deleting the offense
Close: When you have resolved the offense, close it
The Offense Manager on the Offenses tab does not list hidden offenses by default.
To display hidden offenses, clear the Exclude Hidden Offenses filter.
The Email and Add Note actions are available only on the Offense Summary page.
– Assign:
Delegate the offense to a QRadar SIEM user.
Status: Icon indicates Protected, Inactive, Closed, Follow up, Notes, or Assigned
Unprotect Offense: Allow QRadar SIEM to delete this protected offense
– Follow up
– Protect Offense
– Close
– Add Note
– Assign
• Field descriptions:
– Status:
No icon exists for status active. An icon exists for status hidden, but it is not displayed in the
slide.
– Follow up, Email, Add Note, and Assign:
These actions are available for all offenses in any status, including the inactive status.
If you select Follow up for an offense with the Follow up flag already set, QRadar SIEM
removes the flag.
– Assigned to:
The offense is assigned to a QRadar SIEM user.
The Actions menu of the Offense Manager on the Offenses tab allows you to export offenses. You
can export offenses to keep records outside of QRadar SIEM. Exported offenses cannot be
imported back into QRadar SIEM.
Offense lifecycle
• A newly created offense is in status active
– QRadar SIEM maintains up to 2,500 active offenses
• QRadar SIEM changes the status from active to dormant when the offense has not received an event
or flow for 30 minutes
• QRadar SIEM changes the status from dormant to recalled when the offense receives an event or
flow
– QRadar SIEM maintains up to 500 recalled offenses
– QRadar SIEM changes the status from recalled back to dormant when the offense has not received an event or
flow for 30 minutes
• QRadar SIEM changes the status to inactive under the following occurrences
– A user closes the offense
– When the offense has not received an event or flow for five days
– When the QRadar SIEM installation is upgraded
• If a rule fires that would add an event or flow to an inactive offense, a new offense is created
• QRadar SIEM deletes unprotected offenses in inactive status after the retention period elapses;
administrators can change the default retention period of three days
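The lifecycle on this slide, written out as a small state machine so the transitions and their timers can be checked against a constructed timeline. This is an added example for this guide, not IBM code: the 30-minute, five-day and three-day values come from the slide, while the timestamps, the split between time-driven transitions (advance) and user actions (close, protect, unprotect), and the upgrade case being left out are choices made for the example.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(minutes=30)     # active or recalled -> dormant
INACTIVE_AFTER = timedelta(days=5)        # no event or flow for five days -> inactive
DEFAULT_RETENTION = timedelta(days=3)     # unprotected inactive offenses are deleted after this


class Offense:
    """Constructed model of the offense lifecycle (not IBM code)."""

    def __init__(self, created_at, retention=DEFAULT_RETENTION):
        self.status = "active"
        self.last_event_at = created_at
        self.inactive_at = None
        self.protected = False
        self.deleted = False
        self.retention = retention

    def advance(self, now):
        """Apply the transitions QRadar performs on its own as time passes."""
        if self.deleted:
            return
        if self.status == "inactive":
            if not self.protected and now - self.inactive_at >= self.retention:
                self.deleted = True
            return
        idle = now - self.last_event_at
        if idle >= INACTIVE_AFTER:
            self.status = "inactive"
            self.inactive_at = self.last_event_at + INACTIVE_AFTER
        elif idle >= DORMANT_AFTER:
            self.status = "dormant"        # from active or from recalled

    def add_event(self, at):
        """Attach an event or flow. Returns False when the offense is inactive or deleted:
        a rule firing then leads to a new offense instead of updating this one."""
        self.advance(at)
        if self.deleted or self.status == "inactive":
            return False
        if self.status == "dormant":
            self.status = "recalled"
        self.last_event_at = at
        return True

    def close(self, now):
        """User action: closing turns the offense inactive."""
        self.advance(now)
        if self.status != "inactive":
            self.status = "inactive"
            self.inactive_at = now

    def protect(self):
        self.protected = True

    def unprotect(self):
        self.protected = False


def run_constructed_timeline():
    """Walk two constructed offenses through the lifecycle and record what is observed."""
    t0 = datetime(2017, 12, 1, 9, 0)
    seen = {}
    o = Offense(t0)
    o.add_event(t0 + timedelta(minutes=10))
    seen["after_event"] = o.status                       # active
    o.advance(t0 + timedelta(minutes=45))
    seen["idle_35min"] = o.status                        # dormant
    o.add_event(t0 + timedelta(minutes=50))
    seen["event_while_dormant"] = o.status               # recalled
    o.advance(t0 + timedelta(hours=2))
    seen["idle_again"] = o.status                        # dormant
    o.advance(t0 + timedelta(days=6))
    seen["idle_5_days"] = o.status                       # inactive
    seen["event_joins_inactive"] = o.add_event(t0 + timedelta(days=6, hours=1))   # False
    o.advance(t0 + timedelta(days=9))
    seen["deleted_after_retention"] = o.deleted          # True
    p = Offense(t0)
    p.protect()
    p.close(t0 + timedelta(hours=1))
    p.advance(t0 + timedelta(days=30))
    seen["protected_survives"] = not p.deleted           # True
    p.unprotect()
    p.advance(t0 + timedelta(days=30))
    seen["unprotected_deleted"] = p.deleted              # True
    return seen


if __name__ == "__main__":
    for step, value in run_constructed_timeline().items():
        print(f"{step}: {value}")
```

The capacity figures on the slide (2,500 active and 500 recalled offenses) are limits of the Magistrate rather than per-offense transitions and are not modelled here.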
ec n
• Offenses tab:
The search on the Offenses tab allows you to exclude active offenses from the search result. There, the Active Offenses checkbox includes the statuses active, dormant, and recalled.
• Protect Offense and the inactive status:
A protected active offense can become inactive, but QRadar SIEM does not delete it. QRadar SIEM stores a protected inactive offense indefinitely until a QRadar SIEM user unprotects it.
Only QRadar SIEM, but not users, can turn an offense inactive.
Only users, but not QRadar SIEM, can protect, unprotect, hide, or close an offense.
• Close:
When a QRadar SIEM user closes an offense, the offense turns from the status of active to
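The lifecycle above is a small state machine driven by two idle timers and a retention period. The following simulation is an added example written for this guide, not IBM or QRadar code; it models the transitions the slide lists (active, dormant, recalled, inactive, deletion after retention) on constructed timestamps. The limits of 2,500 active and 500 recalled offenses are not modelled, and the time-based checks run from a tick() call that stands in for QRadar SIEM's internal scheduler.

```python
"""Offense lifecycle simulation (added example, not IBM/QRadar code).

Transitions follow the slide: a new offense is active; 30 idle minutes make it
dormant; a new event or flow recalls it; 30 more idle minutes return it to dormant;
five idle days or a user closing it make it inactive; an event for an inactive
offense creates a new offense; unprotected inactive offenses are deleted once the
retention period (default three days) has elapsed. Protected offenses are kept.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

DORMANT_AFTER = timedelta(minutes=30)
INACTIVE_AFTER = timedelta(days=5)
RETENTION = timedelta(days=3)          # default; administrators can change it


@dataclass
class Offense:
    offense_id: int
    last_activity: datetime
    status: str = "active"
    protected: bool = False            # only users can protect or unprotect
    inactive_since: Optional[datetime] = None


class OffenseStore:
    def __init__(self) -> None:
        self.offenses: Dict[int, Offense] = {}
        self._next_id = 1

    def create(self, now: datetime) -> Offense:
        offense = Offense(self._next_id, now)
        self._next_id += 1
        self.offenses[offense.offense_id] = offense
        return offense

    def add_event(self, offense_id: int, now: datetime) -> Offense:
        """A rule fired that would add an event or flow to this offense."""
        offense = self.offenses[offense_id]
        if offense.status == "inactive":
            # Inactive offenses never receive new events; a new offense is created instead.
            return self.create(now)
        if offense.status == "dormant":
            offense.status = "recalled"
        offense.last_activity = now
        return offense

    def close(self, offense_id: int, now: datetime) -> Offense:
        """A user closes the offense; QRadar SIEM then turns it inactive."""
        offense = self.offenses[offense_id]
        offense.status = "inactive"
        offense.inactive_since = now
        return offense

    def tick(self, now: datetime) -> None:
        """Apply the time-based transitions and the retention deletion."""
        for offense in list(self.offenses.values()):
            idle = now - offense.last_activity
            if offense.status in ("active", "recalled") and idle >= DORMANT_AFTER:
                offense.status = "dormant"
            if offense.status != "inactive" and idle >= INACTIVE_AFTER:
                offense.status = "inactive"
                offense.inactive_since = offense.last_activity + INACTIVE_AFTER
            if (offense.status == "inactive" and not offense.protected
                    and now - offense.inactive_since >= RETENTION):
                del self.offenses[offense.offense_id]


def walk_through() -> list:
    """Drive one offense through the lifecycle on constructed timestamps; returns the status trail."""
    store = OffenseStore()
    t0 = datetime(2017, 12, 1, 8, 0)                      # constructed start time
    offense = store.create(t0)
    trail = [offense.status]
    store.tick(t0 + timedelta(minutes=30)); trail.append(offense.status)          # idle 30 min
    store.add_event(offense.offense_id, t0 + timedelta(hours=1)); trail.append(offense.status)
    store.tick(t0 + timedelta(hours=1, minutes=30)); trail.append(offense.status)  # idle again
    store.tick(t0 + timedelta(days=5, hours=2)); trail.append(offense.status)      # idle 5 days
    successor = store.add_event(offense.offense_id, t0 + timedelta(days=6))
    trail.append("new offense %d" % successor.offense_id)
    store.tick(t0 + timedelta(days=9))                    # retention elapsed for the old offense
    trail.append("deleted" if offense.offense_id not in store.offenses else offense.status)
    return trail


def retention_check() -> tuple:
    """Close one protected and one unprotected offense; report which survive the retention period."""
    store = OffenseStore()
    t0 = datetime(2017, 12, 1, 8, 0)
    kept = store.create(t0); kept.protected = True
    dropped = store.create(t0)
    store.close(kept.offense_id, t0); store.close(dropped.offense_id, t0)
    store.tick(t0 + timedelta(days=3))
    return (kept.offense_id in store.offenses, dropped.offense_id in store.offenses)


if __name__ == "__main__":
    print(" -> ".join(walk_through()))
    print("protected kept, unprotected kept:", retention_check())
```

The walk-through returns the trail active, dormant, recalled, dormant, inactive, then a new offense for the late event and finally the deletion of the original; retention_check() shows that only the unprotected closed offense is removed after three days.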
Exercise introduction
Complete the following exercises in the Course Exercises book
• Investigating the local DNS scanner offense
Summary
Now you should be able to perform the following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information:
  Summary information
  The details of an offense
• Respond to an offense
Investigating the Events of an Offense
The investigation of an offense usually leads to the investigation of the events that contributed to
the offense. This unit teaches you how to find, filter, and group events in order to gain critical
insights about the offense. You also learn how to create and edit a search that monitors the events
of suspicious hosts.
References:
• QRadar SIEM Users Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803
• Technote: QRadar: How does the Log Activity and Network Activity Real Time (streaming)
option work? http://www.ibm.com/support/docview.wss?uid=swg21622826
Objectives
In this unit, you learn to perform the following tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search
Lesson 1: Investigating event details
One of the first steps when investigating the events of an offense is to examine the event data at a
high level. In this lesson, you learn how to navigate the event details that are displayed in the list of
events.
Definition: event
Event
--noun
An event is a record of an action on a machine.
List of events
Screen callout: Hide graphical charts
• To investigate suspicious activity, you must locate the information associated with the offense, such as its events.
Screen callout, Start Time: The time when a QRadar Event Collector started working with the raw event
Screen callout: Review the raw event for information that QRadar SIEM has not normalized into fields, which therefore does not display in the UI.
Screen callout (payload excerpt): Default_Atlantis.
Screen callout, QID: A QID map specifies event name, description, severity rating, and links to low-level and high-level category
Screen callout, Protocol: Network protocol
Screen callout: Log Source
Screen callout: Event Count
• Field descriptions:
– Protocol:
In this example, the protocol is icmp_ip. ICMP is encapsulated into IP. Both are layer 3 protocols.
– QID:
A QID number identifies a QID map. A QID map identifies an action of a software system or network device that it logs as a raw event.
– Log Source:
A system on your network is a log source if QRadar SIEM receives raw events from it.
– Event Count:
For each individual log source, QRadar SIEM administrators can enable or disable coalescing of multiple similar raw events into one normalized event. The number indicates how many raw events have been coalesced into one normalized event. A coalesced, normalized event contains only the first raw event in the payload.
Screen callout, Return to Event List: Navigate to the list of events for the offense
Screen callout, Offense: Navigate to the offense to which the event was added
Lesson 2: Using filters to investigate events
Filters can temporarily hide events from the user interface, which makes it easier to focus on more
significant events. When investigating events, it can be helpful to filter the events. In this lesson,
you learn how to filter events.
Reference:
• Technote: Searching your QRadar data efficiently http://www.ibm.com/support/docview.wss?uid=swg21689803
Filtering events (1 of 3)
• In the list of events, you can use filters to explore the offense further
• Most events in this offense are Firewall Deny
• Because other events provide more insight, right-click the event name to filter for events that are not Firewall Deny
• You can right-click most fields to filter them.
• Use the False Positive option to prevent the CRE from adding this and similar events to offenses.
• The menu item beginning with View path is only available if QRadar Risk Manager is licensed.
Filtering events (2 of 3)
Screen callout: The Custom Rule Engine (CRE) in QRadar SIEM created the events in this list to alert you to suspicious activity
Filtering events (3 of 3)
Screen callout, Clear Filter: Click to view the Firewall Deny events again
• The firewall profile is not available as event property
• To verify that the company's main profile, Atlantis, was always active, filter events without profile: Default_Atlantis in the payload
Screen callout, Quick Filter: Filter for events that do not contain profile: Default_Atlantis in the payload
payloads mention the firewall profile Atlantis because no other firewall profile was active.
A coalesced event contains only the payload of one of the raw events bundled together. Therefore,
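The Event Count field described in Lesson 1 and the coalescing caveat on this slide can be seen together in a small simulation. The following Python is an added example written for this guide, not QRadar code: it coalesces constructed firewall lines per log source, keeps only the first raw payload (as the page states), and then applies a quick filter that excludes payloads containing profile: Default_Atlantis. The coalescing key (log source, event name, source and destination IP) and the 10-second window are assumptions made for the example, as are the log source name fw01 and the second profile name Maintenance.

```python
"""Event coalescing and payload quick filter (added example, not QRadar code).

Constructed firewall events are coalesced per log source into normalized events
that carry an event count and only the first raw payload. A quick filter on the
payload then shows why a differing firewall profile can disappear from the result
when the raw event that mentions it was bundled into a coalesced event.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COALESCE_WINDOW_SECONDS = 10.0   # assumption made for this example


@dataclass
class RawEvent:
    log_source: str
    timestamp: float
    event_name: str      # the QID-mapped event name
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class NormalizedEvent:
    log_source: str
    start_time: float
    event_name: str
    src_ip: str
    dst_ip: str
    event_count: int     # number of raw events coalesced into this one
    payload: str         # only the first raw event's payload survives


def coalesce(raw_events: List[RawEvent], coalescing_enabled: Dict[str, bool]) -> List[NormalizedEvent]:
    """Normalize raw events, coalescing similar ones when enabled for their log source."""
    out: List[NormalizedEvent] = []
    open_buckets: Dict[Tuple[str, str, str, str], int] = {}   # key -> index into out
    for raw in sorted(raw_events, key=lambda r: r.timestamp):
        key = (raw.log_source, raw.event_name, raw.src_ip, raw.dst_ip)
        idx = open_buckets.get(key)
        if (coalescing_enabled.get(raw.log_source, False) and idx is not None
                and raw.timestamp - out[idx].start_time <= COALESCE_WINDOW_SECONDS):
            out[idx].event_count += 1          # the later raw payload is dropped
            continue
        out.append(NormalizedEvent(raw.log_source, raw.timestamp, raw.event_name,
                                   raw.src_ip, raw.dst_ip, 1, raw.payload))
        open_buckets[key] = len(out) - 1
    return out


def quick_filter_not_containing(events: List[NormalizedEvent], text: str) -> List[NormalizedEvent]:
    """Quick Filter equivalent: keep only events whose payload does not contain the text."""
    return [e for e in events if text not in e.payload]


# Constructed sample raw events (not real log lines); the third one names another profile.
PROFILE_LINE = "id=fw01 action=deny src=10.0.0.5 dst=203.0.113.9 profile: {}"
RAW_EVENTS = [
    RawEvent("fw01", 0.0, "Firewall Deny", "10.0.0.5", "203.0.113.9", PROFILE_LINE.format("Default_Atlantis")),
    RawEvent("fw01", 1.0, "Firewall Deny", "10.0.0.5", "203.0.113.9", PROFILE_LINE.format("Default_Atlantis")),
    RawEvent("fw01", 2.0, "Firewall Deny", "10.0.0.5", "203.0.113.9", PROFILE_LINE.format("Maintenance")),
    RawEvent("fw01", 3.0, "Firewall Deny", "10.0.0.5", "203.0.113.9", PROFILE_LINE.format("Default_Atlantis")),
    RawEvent("fw01", 60.0, "Firewall Deny", "10.0.0.5", "203.0.113.9", PROFILE_LINE.format("Default_Atlantis")),
]


def profile_check(coalescing_on: bool) -> Tuple[List[int], int]:
    """Return the event counts of the normalized events and how many survive the quick filter."""
    normalized = coalesce(RAW_EVENTS, {"fw01": coalescing_on})
    hits = quick_filter_not_containing(normalized, "profile: Default_Atlantis")
    return [e.event_count for e in normalized], len(hits)


if __name__ == "__main__":
    print("coalescing on:", profile_check(True))    # the Maintenance profile is hidden
    print("coalescing off:", profile_check(False))  # the Maintenance profile is visible
```

With coalescing enabled for fw01 the four events within the window collapse into one normalized event with an event count of 4 whose payload names Default_Atlantis, so the quick filter finds nothing; with coalescing disabled the same filter returns the one raw event that names the other profile.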
Screen callout (fragment): event property as a filter
• An index on a filtered property significantly reduces the run time of a search
  [Indexed] behind a property in the Parameter drop-down list indicates that QRadar SIEM maintains an index for the values of the property
  If you search for a property without an index, add indexed properties as filters to lower the number of events that QRadar SIEM needs to search
• Narrow the time range
  The relationship between time range and resource consumption is nearly linear
• If you know which appliances store the relevant events and flows, select from the Parameters drop-down list the Event Processor parameter and then the names of the appliances
  The Event Processor parameter is available not only for events but also for flows because the event and flow processor functionality is provided by the same software component
• The Log Activity and Network Activity tabs always display the result of a search; if you add a filter, QRadar SIEM applies the filter test only to this search result
Lesson 3: Using grouping to investigate events
Grouping events arranges the events so you can view them from different perspectives. In this
lesson, you learn how to group the events of an offense.
Reference:
• Technote: QRadar: How does the Log Activity and Network Activity Real Time (streaming) option work? http://www.ibm.com/support/docview.wss?uid=swg21622826
Grouping events
Screen callout, Default (Normalized): By default, QRadar SIEM shows normalized events without grouping
Screen callout, Raw Events: Instead of grouping, QRadar SIEM shows the raw events stored in the payload of each normalized event
Screen callout (fragment): grouping them; for example, group them by their Low Level Category
After changing the grouping, events are organized accordingly. All filters are retained.
Screen callout, Grouping By: QRadar SIEM shows the currently selected grouping above the filters
Screen callout, Protocol: Some events recorded an additional protocol; click Multiple (2)
Screen callout: All events are aggregated by their low-level category
information of the other columns, such as the number of unique protocols for each low-level category.
• In the Protocol column, Multiple (x) is displayed, where x is the number of unique protocols. If only one protocol exists for a low-level category, that value displays instead of Multiple (x).
When you double-click the Multiple (x) protocols, a browser window that groups these protocols opens. The new window displays the unique protocols summarized by the previous
Screen callout, Grouping By: QRadar SIEM can group by Protocol
Screen callout, Current Filters: The previous grouping, Low Level Category, became a filter
Screen callout, Display: Group by Default (Normalized) to remove the grouping by Low Level Category
Viewing a range of events
Screen callouts: Pause/Play; Refresh
If events are still added to the investigated offenses, view them
• Real Time (streaming):
  Shows events as they arrive; grouping and sorting are not available
• Last Interval (auto refresh):
  Shows the last minute of events; refreshes automatically after 1 minute
automatically sets a time range to include all events added to the offense.
• Last Interval (auto refresh):
The last minute of events can be delayed by up to 1 minute from the time the event reached the Event Processor refresh cycle.
To view the details of an event, pause streaming and double-click the event.
Refer to the QRadar: How does the Log Activity and Network Activity Real Time (streaming) option work? technote (http://www.ibm.com/support/docview.wss?uid=swg21622826) for more information about Real Time (streaming).
Lesson 4: Saving a search
The event list is the result of the search criteria that you chose. In this lesson, you learn how to save
a search and use it to investigate the events that are included in an offense. The scenario that is
used as an example in this lesson monitors a possibly compromised host.
Screen callout (fragment): it, and add it to the dashboard
Screen callout, Clear Filter: To monitor all traffic, remove the offense filter
Screen callout, Filter: Right-click a Source IP to see the filter pop-up
address of interest.
Screen callout, Display: Group by High Level Category
Screen callout, View: List events of the last 24 hours
Screen callouts: Time Range; Grouping; Filtering
• You can save the search criteria, save the results, or both.
Screen callout: Assign to group
Screen callout (fragment): Add the saved search to the
• Set as Default:
The Log Activity tab shows the result of this search by default.
• Include in my Dashboard:
Screen callout, Using Search: The event list shows the result of the saved search
Lesson 5: Modifying saved searches
To use QRadar SIEM effectively, manage and modify saved searches. In this lesson, you learn how
to work with saved searches.
Screen callout (fragment): saving a search, QRadar SIEM lists the saved search in the Quick Searches drop-down list
Screen callout, New Search: Load a saved search; edit the loaded search or create a new search
Screen callout, Edit Search: The Event List is the result of a search; edit this current search or edit another saved search
You can use the Manage Search Results option to complete the following tasks:
– Save results for auditing or forensics
Note: Users see only the searches they create in the Manage Search Results window. Administrators see all searches.
• Canceling a search:
When a search is queued or in progress, you can cancel the search in the Manage Search Results window or by clicking the Cancel button in the top menu bar. Any search results computed before the cancellation are maintained.
Screen callout, Type Saved Search: To find saved searches easily, type your department name, if you prepended your saved searches with it
Search actions
Screen callout, Show All: Clear all filters
Screen callout, Export: You can resend exported events as raw events to QRadar SIEM
Screen callout, Delete: Delete the result of the currently displayed search; only the search result as a collection is deleted but not the events included in the search result
Screen callout, Notify: Send an email when the search in progress finishes
• Export to XML, Export to CSV, and Print:
These menu items are not available when viewing Real Time (streaming) or viewing partial results from a canceled search.
• Delete:
This menu item is available only when no search is in progress.
• Notify:
This menu item is available only when a search is in progress.
Exercise introduction
Complete the following exercises in the Course Exercises book
• Look for events contributing to an offense
• Save search criteria and search results
• Investigate event details
Summary
Now you should be able to perform the following tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search
Using Asset Profiles to Investigate Offenses
QRadar SIEM stores security-relevant information about systems in your network in asset profiles.
This unit teaches you how asset profiles are created and updated, and how to use them as part of
an offense investigation.
References:
• Forum of Incident Response and Security Teams (FIRST): Common Vulnerability Scoring
System SIG https://www.first.org/cvss/
• PCI Security Standards Council https://www.pcisecuritystandards.org
• Technote: Vulnerability results and how they display in QRadar SIEM
http://www.ibm.com/support/docview.wss?uid=swg21665232
• QRadar SIEM Administration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Vulnerability Assessment Configuration Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
Objectives
In this unit, you learn to perform the following tasks:
• Describe how asset profiles are identified, created, and updated
• Investigate asset profile details
• Navigate the Assets tab
Lesson 1: Asset profiles overview
The asset profiles of QRadar SIEM store security-relevant data of systems in your network. In this lesson, you are introduced to asset profiles and also learn how QRadar SIEM creates and updates asset profiles.
Asset profile
--noun
An asset profile maintains technical and organizational information about a system in your organization's network.
Screen callouts (asset profile contents): Name; IP addresses; MAC addresses; Operating system; Services; Owner; Other resource information
• Asset profiles are used to investigate local source and destination IP addresses of an offense
• Passively gathered bidirectional flows
• Results from vulnerability scanners
  Only flows and vulnerability scan data add and update information about ports and services in asset profiles
• QRadar SIEM administrators can create assets by using these methods
  • Manually in the user interface
  • Importing a CSV file in this format
    IP address, Name, Weight (1-10), Description
  The REST API of QRadar SIEM allows you to list and update asset profiles. It cannot create or delete asset profiles.
Identity information
• To provide gathered data to the right profile, the Asset Profiler uses the following identity information in priority order to identify an asset uniquely
  • MAC address
  • NetBIOS name
  • DNS name
  • IP address
  For example, if a detected MAC address is not known to any asset profile, the Asset Profiler creates a new profile, even if the IP address belonging to this new MAC address is already assigned to an existing profile, because the Asset Profiler assumes the system of the existing asset profile has been replaced
• The Asset Profiler can merge asset profiles if it determines that the same system is represented
Lesson 2: Investigating asset profile details
Information regarding a system in your network is often beneficial to an offense investigation. In this
lesson, you learn how to browse details of an asset profile.
References:
• Forum of Incident Response and Security Teams (F IRST): Common Vulnerability Scoring System SIG https://www.first.org/cvss/
2. Click Information > Asset Profile
Assets tab
You can also click the Assets tab to locate asset profiles
Screen callout: Click the Id or IP address to open the Asset Details in a separate window
Screen callout: Double-click a row to open the Asset Details in the Assets tab
Asset summary
Screen callout: The Asset Details open with the Asset Summary
Screen callout, Aggregate CVSS Score: Level of concern about this asset
Screen callout, All Users: Display previous users of the host
• The Asset Weight measures the importance of the asset. The levels range from 0 (not important) to 10 (very important). QRadar SIEM administrators configure the Asset Weight manually.
• The Forum of Incident Response and Security Teams (FIRST) maintains the Common Vulnerability Scoring System (CVSS). It maintains only the specification, not the scores themselves. Refer to https://www.first.org/cvss/ for further information about CVSS.
Screen callout: Collapse the Asset Summary to view more asset profile details
Screen callout: An asset profile can have multiple network interfaces
• History:
Vulnerabilities
• Verify the vulnerability instances to determine to which degree the investigated offense is a concern
• Vulnerability instances are provided by QRadar Vulnerability Manager or third-party vulnerability scanners
Screen callout, Risk: Likelihood of exploitation and impact
Screen callout, Details: Hover the mouse to learn more about the vulnerability instance
Screen callout, Risk Score: Level of concern about this vulnerability instance
Screen callout, Severity: Payment Card Industry (PCI) severity level
• Following are the Severity levels:
• QRadar SIEM stores information about known vulnerabilities. QRadar SIEM usually downloads updates every night. Still, a third-party vulnerability scanner can already know about a new vulnerability and detect it when QRadar SIEM has not yet received this vulnerability information. QRadar SIEM only displays instances of this vulnerability after it has received the information. It matches its stored vulnerability information with the scan results from third-party vulnerability scanners by common vulnerability identifiers, such as CVE, Bugtraq ID, and X-Force ID. So if third-party vulnerability scanners detect issues without an identifier, such as misconfigurations, QRadar SIEM cannot display them.
Refer to the Vulnerability results and how they display in QRadar SIEM technote (http://www.ibm.com/support/docview.wss?uid=swg21665232) for more information.
Screen callout (fragment): menu to select additional information
• If available, QRadar Risk Manager provides Risk Policies information
• All other information is provided by vulnerability scanners
• QRadar SIEM can get information about Services from both vulnerability scanners and flows
Screen callout: Gathered from flows or vulnerability scanners
Screen callout: Provided by QRadar Risk Manager
• Windows Services
• Windows Patches
• Properties
The following item of the Display drop-down list only provides information for assets running Linux:
• Packages
Services
In the Display menu, click Services to investigate the known services of the asset
Screen callout, Last Seen Passive: Services detected in passively gathered network flows
Screen callout, Last Seen Active: Services detected actively by scanners
Screen callout: Services detected in passively gathered network flows
Screen callout: Services detected by vulnerability scanners
• SSH:
Vulnerability scanners only detect services that are running when they scan the asset. In the example on the slide, SSH was not running during scanning,
Sometimes vulnerability scanners are not configured to scan less commonly used ports. These services are also only found in flows.
• Web:
Vulnerability scanners detect unused services. In the example on the slide, the service listening on port 8080 did not have any network activity. Best practice is to stop unused services.
Products
QRadar SIEM displays only these items:
• Operating systems
• Products providing a service
Screen callout: To learn why a product is vulnerable, hover the mouse over Multiple
Lesson 3: Navigating the Assets tab
Searching, filtering, and sorting of asset profiles can make it easier to focus an investigation on the
most relevant asset profiles. In this lesson, you learn how to leverage the features of the Assets
tab.
References:
Screen callout (fragment): assessment (VA) scans
QRadar SIEM administrators can approve IP addresses for one or more server types, such as web, mail, and Windows. Services of such server types listen on standard ports, such as 80 and 443 for web.
To help QRadar SIEM administrators find IP addresses matching a server type, the Server Discovery lists asset profiles with one of the server type's standard ports open.
The Server Discovery does not probe the IP address for open ports. It also does not look for open ports in events, flows, and scan results. The Server Discovery only looks in asset profiles for open ports.
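The identity priority from Lesson 1 (MAC address, then NetBIOS name, DNS name, IP address), the merging of profiles, and the Server Discovery described here all operate on the same store of asset profiles, so one added example serves all three passages. The following Python is written for this guide and is not IBM code. Beyond what the page states, it assumes that the highest-priority identifier present in an observation decides the match, that an IP address moves to the new profile when the old system is assumed replaced, and that a NetBIOS or DNS name shared by two profiles is taken as evidence that they represent the same system and merges them. The hosts, addresses, MAC values and the standard web ports are constructed.

```python
"""Asset Profiler identity matching, merging and Server Discovery (added example, not IBM code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IDENTITY_PRIORITY = ("mac", "netbios", "dns", "ip")    # from the slide, highest priority first


@dataclass
class Observation:
    """Identity data gathered from one flow, scan result or log source."""
    mac: Optional[str] = None
    netbios: Optional[str] = None
    dns: Optional[str] = None
    ip: Optional[str] = None
    open_ports: Tuple[int, ...] = ()    # only flows and VA scans contribute ports and services


@dataclass
class AssetProfile:
    asset_id: int
    ids: Dict[str, Set[str]] = field(default_factory=lambda: {k: set() for k in IDENTITY_PRIORITY})
    open_ports: Set[int] = field(default_factory=set)


class AssetProfiler:
    def __init__(self) -> None:
        self.profiles: List[AssetProfile] = []
        self._next_id = 1

    def _find(self, kind: str, value: str) -> Optional[AssetProfile]:
        return next((p for p in self.profiles if value in p.ids[kind]), None)

    def _resolve(self, obs: Observation) -> Optional[AssetProfile]:
        """The highest-priority identifier present decides (assumption); None means a new profile."""
        for kind in IDENTITY_PRIORITY:
            value = getattr(obs, kind)
            if value is not None:
                return self._find(kind, value)
        return None

    def _merge(self, keep: AssetProfile, drop: AssetProfile) -> AssetProfile:
        """Two profiles represent the same system: fold drop into keep."""
        for kind in IDENTITY_PRIORITY:
            keep.ids[kind] |= drop.ids[kind]
        keep.open_ports |= drop.open_ports
        self.profiles.remove(drop)
        return keep

    def ingest(self, obs: Observation) -> AssetProfile:
        profile = self._resolve(obs)
        if profile is None:                       # e.g. an unknown MAC address: a new system
            profile = AssetProfile(self._next_id)
            self._next_id += 1
            self.profiles.append(profile)
        for kind in IDENTITY_PRIORITY:
            value = getattr(obs, kind)
            if value is None:
                continue
            other = self._find(kind, value)
            if other is not None and other is not profile:
                if kind == "ip":
                    other.ids["ip"].discard(value)          # old system assumed replaced (assumption)
                else:
                    profile = self._merge(profile, other)   # shared name: same system (assumption)
            profile.ids[kind].add(value)
        profile.open_ports.update(obs.open_ports)
        return profile

    def server_discovery(self, standard_ports: Set[int]) -> List[int]:
        """Server Discovery: profiles with one of the server type's standard ports open.
        It looks only at asset profiles, never at events, flows or scans, and does not probe."""
        return [p.asset_id for p in self.profiles if p.open_ports & standard_ports]


def scenario() -> Tuple[List[int], Dict[int, Set[str]], List[int]]:
    """Constructed observation sequence; returns profile ids, their IPs, and the web servers found."""
    ap = AssetProfiler()
    ap.ingest(Observation(mac="00:11:22:33:44:01", netbios="HOST-A", ip="10.0.0.5"))
    ap.ingest(Observation(ip="10.0.0.5", open_ports=(22,)))             # flow: matched by IP only
    ap.ingest(Observation(mac="00:11:22:33:44:02", ip="10.0.0.5"))      # unknown MAC reusing the IP
    ap.ingest(Observation(dns="host-c.example.com", ip="10.0.0.9", open_ports=(443,)))  # VA scan
    ap.ingest(Observation(mac="00:11:22:33:44:03", dns="host-c.example.com"))  # merges by DNS name
    ids = [p.asset_id for p in ap.profiles]
    ips = {p.asset_id: set(p.ids["ip"]) for p in ap.profiles}
    return ids, ips, ap.server_discovery({80, 443})


if __name__ == "__main__":
    print(scenario())
```

In the scenario the second MAC address creates profile 2 and takes over 10.0.0.5 from profile 1, the DNS-only scan result creates profile 3, and the later observation with a new MAC address and the same DNS name creates profile 4 and merges profile 3 into it, so Server Discovery for the web ports reports profile 4 because the merged profile carries port 443.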
Summary
Now you should be able to perform the following tasks:
• Describe how asset profiles are identified, created, and updated
• Investigate asset profile details
• Navigate the Assets tab
Investigating an Offense Triggered by Flows
QRadar SIEM correlates flows into an offense if it determines suspicious network activities. This
unit teaches you how to investigate the flows that contribute to an offense. You also learn how to
create and tune false positives and investigate superflows.
References:
Objectives
In this unit, you learn to perform the following tasks:
• Describe flows
• Investigate the summary of an offense that is triggered by flows
• Investigate flow details
• Tune false positives
• Investigate superflows
Lesson 1: Flows overview
A flow provides information about a network activity between two or more systems. In this lesson,
you learn from which data QRadar SIEM creates flows and which information they provide.
Definition: flow
Flow
--noun
A flow is a record of the communication between network sockets.
IP address, port, and transport protocol uniquely identify a network socket.
About flows
• From the network activity information that QRadar SIEM receives, it creates flows
• Like a phone bill, QRadar SIEM records in flows who talked to whom, at which time, but not the content of the conversation
  From unencrypted communications, QFlow can capture layer 7 payload up to a configurable number of bytes
• A flow can include information about the conversation, such as these examples
  Start Time
  End Time
  Source and destination IP addresses
  Source and destination ports
  Number of bytes transferred
  Number of packets transferred
  Network protocol
  Application protocol
  TCP flags
• While an event occurs at a single point of time, a flow has a start and end time. Most flows have only a short duration, but flows representing the transfer of a huge file or streaming of a movie
network devices
  Network devices provide only a subset of the control information in network packet headers and no payload
  To determine the application protocol, flow collectors look up which application protocol commonly uses the recorded network protocol and destination port
• Internal sources: QFlow and QRadar Network Insights (QNI)
  Flow collectors create flows from network activity monitored by QFlow and QNI, similar to a network sniffer
  Both provide the first bytes of packets to QRadar SIEM in order to detect the application protocol without regard to the network protocol and destination port being used
  Both extract the same control information that is available in network activity information from external sources
  QFlow can capture layer 7 payload up to a configurable number of bytes unless it is encrypted
  – QFlow can extract user-defined Custom Flow Properties from the part of the payload that it captured
  – QFlow stores the part of the payload that it captured
detect Skype because they analyze the first bytes of packets. QFlow and QNI perform the same application protocol detection.
The QFlow application detection is unrelated to its ability to capture and store a configurable number of bytes from each packet. Therefore, the QFlow application detection still works if a QRadar administrator configures QFlow to capture and store 0 bytes from packets. However, Custom Flow Properties are not extracted any more if payload capture is disabled.
Screen callouts: Perform detailed searches; View network activity
Screen callout (fragment): To navigate to the offense a flow contributes to,
• If rules added a flow or event to more than one offense, clicking its red icon does have an effect.
• About the Source and Destination Bytes columns:
– The (C) behind the number of bytes indicates that the flow contains captured layer 7 payload.
– The number of captured bytes is not displayed. By default, QRadar SIEM captures 64 bytes in each direction.
– The number of bytes in the Source Bytes and Destination Bytes columns indicates how many bytes the source and destination sent.
Only flows, but not events, have the properties shown in the screen capture with the exception of
Protocol. However, only events from firewalls and other network systems usually carry protocol
information.
Grouping flows
Some flow grouping options differ from event grouping options
Screen callout, Display: Group by Application for an overview of the application data transported in the flows
• Display > Default (Normalized):
• QRadar SIEM works in 1-minute cycles. With QFlow and QNI, QRadar SIEM can update flows that it created in previous cycles. For network activity that spans more than one cycle and is received in IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files, QRadar SIEM creates a new flow during each 1-minute cycle. To display such flows together, group by Source IP, Source Port, Destination IP, Destination Port, Protocol, and enable capturing of time series data.
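The note above, together with the definition of a flow in Lesson 1 (a record between two sockets, each identified by IP address, port and transport protocol) and the start and end times, byte and packet counts listed under About flows, can be tried out in code. The following Python is an added example written for this guide, not QRadar code: constructed per-minute flow records, as a NetFlow-type source would deliver them, are grouped by the five fields the note names, with byte and packet totals, overall duration, and a per-cycle byte time series. The addresses, ports and counts are made up.

```python
"""Grouping per-cycle flow records into conversations (added example, not QRadar code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CYCLE_SECONDS = 60    # QRadar SIEM works in 1-minute cycles


@dataclass(frozen=True)
class FlowRecord:
    start: int          # epoch seconds
    end: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str       # transport protocol completes the socket identity
    src_bytes: int      # bytes sent by the source
    dst_bytes: int      # bytes sent by the destination
    packets: int


SocketPair = Tuple[str, int, str, int, str]


def socket_pair(f: FlowRecord) -> SocketPair:
    """Source IP, source port, destination IP, destination port and protocol."""
    return (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.protocol)


@dataclass
class Conversation:
    first_start: int
    last_end: int
    src_bytes: int = 0
    dst_bytes: int = 0
    packets: int = 0
    series: Dict[int, int] = field(default_factory=dict)   # cycle start -> bytes seen in that cycle

    def duration(self) -> int:
        return self.last_end - self.first_start


def group_by_socket_pair(records: List[FlowRecord]) -> Dict[SocketPair, Conversation]:
    """Merge the one-flow-per-cycle records of the same socket pair into one conversation."""
    groups: Dict[SocketPair, Conversation] = {}
    for f in sorted(records, key=lambda r: r.start):
        conv = groups.setdefault(socket_pair(f), Conversation(f.start, f.end))
        conv.first_start = min(conv.first_start, f.start)
        conv.last_end = max(conv.last_end, f.end)
        conv.src_bytes += f.src_bytes
        conv.dst_bytes += f.dst_bytes
        conv.packets += f.packets
        cycle = f.start - f.start % CYCLE_SECONDS          # the cycle this record belongs to
        conv.series[cycle] = conv.series.get(cycle, 0) + f.src_bytes + f.dst_bytes
    return groups


def long_running(groups: Dict[SocketPair, Conversation], min_seconds: int) -> List[SocketPair]:
    """Conversations that lasted at least min_seconds, e.g. a large download spanning several cycles."""
    return [key for key, conv in groups.items() if conv.duration() >= min_seconds]


T0 = 1512115200   # constructed: 2017-12-01 08:00:00 UTC, on a cycle boundary
SAMPLE_RECORDS = [
    # one download reported as three per-cycle records of the same socket pair
    FlowRecord(T0, T0 + 60, "10.0.0.5", 51514, "203.0.113.7", 443, "tcp", 2000, 900000, 800),
    FlowRecord(T0 + 60, T0 + 120, "10.0.0.5", 51514, "203.0.113.7", 443, "tcp", 1500, 950000, 820),
    FlowRecord(T0 + 120, T0 + 165, "10.0.0.5", 51514, "203.0.113.7", 443, "tcp", 1000, 400000, 400),
    # a short DNS lookup and an unrelated short TCP connection
    FlowRecord(T0 + 30, T0 + 30, "10.0.0.5", 53011, "10.0.0.2", 53, "udp", 60, 120, 2),
    FlowRecord(T0 + 60, T0 + 61, "10.0.0.9", 40000, "203.0.113.7", 443, "tcp", 500, 4000, 12),
]


if __name__ == "__main__":
    for key, conv in group_by_socket_pair(SAMPLE_RECORDS).items():
        print(key, conv.duration(), "s", conv.src_bytes + conv.dst_bytes, "bytes", sorted(conv.series))
```

The three records of the download collapse into one conversation of 165 seconds with the byte and packet totals of all cycles and one time-series point per cycle, which is what the grouping with time series capture shows in the Network Activity tab; the two short flows stay separate.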
Lesson 2: Using summary information to investigate an offense
An offense bundles information about a suspicious activity, including flows. In this lesson, you learn
how to use offense summary information related to flows to begin your offense investigation.
References:
• QRadar SIEM Administration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Default Applications Configuration Guide https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/kc_gen/toc-gen25.html
Offense parameters
The parameters at the top of the offense summary provide the first clues to investigate the offense
Screen callout, Description: From suspicious DNS traffic, QRadar SIEM concluded botnet activity; rules compile the description
Screen callout: Flows added to this offense
• Description:
• Remote source IP addresses are displayed, but remote destination IP addresses are not
Screen callout, Events: The Custom Rule Engine (CRE) of QRadar SIEM created all events of this offense
Top 5 Categories
QRadar SIEM classified the events and the flows into categories
Each flow and event is classified into one category.
Last 10 Events
The Custom Rule Engine (CRE) created events with information about suspicious activities
Last 10 Flows
• This table provides information about what happened most recently
• Double-click a row to open a window with details about the flow
Lesson 3 Navigating flow details
A flow in QRadar SIEM provides much information about the network activity it represents. In this
lesson, you learn how to navigate the details of a flow.
Base information
Flow base information is similar to event base information.
QRadar SIEM extracted only the HTTP version; you have two options to extract more properties:
• Capture more payload so that QRadar SIEM can extract more properties
• Use QRadar Network Insights instead of QFlow
• In the example on the slide, the Event Description, Application detected with state based decoding, means that QFlow or QRadar Network Insights provided the first bytes of network packets to QRadar SIEM's state-based decoder so that it was able to detect the application protocol of this flow. QRadar SIEM applies the following methods, ordered by priority, to determine which kind of application data a network connection transports:
a. user defined application mapping
b. state-based decoder
c. signature matching
SIEM can only perform the last method. These accounting technologies do not provide the first bytes of network packets, and therefore QRadar SIEM can only use the port number to take a guess about the application protocol.
• QRadar SIEM administrators can create Custom Flow Properties. Their field names in the example on the slide end with (Custom). Only QFlow and QNI can extract Custom Flow Properties from network activity. QFlow only captures a limited number of payload bytes and therefore might miss information. QNI examines the complete payload.
Layer 7 payload
This example shows the layer 7 payloads for an HTTP GET request and response; both show only the first 64 bytes of payload by default.
Note: QRadar SIEM administrators can increase the content capture length to provide more layer 7 payload.
A layer 7 content capture length greater than 1024 bytes negatively impacts QRadar SIEM's performance.
Additional information
Custom Rules: Rules fired for this flow
Custom Rules Partially Matched: At least one test condition of a rule was met and an occurrence counter was incremented, but the rule did not fire
Annotations: Added by rules
The Flow Direction field can include the following values:
QRadar SIEM considers all networks local that are configured in the Network Hierarchy. You find the Network Hierarchy on the Admin tab. The Network Hierarchy is introduced later in this course.
Lesson 4 False positives overview
Each organization has legitimate network activity that can trigger false positive flows and events.
This traffic creates noise that makes it difficult to identify true security incidents. In this lesson, you
learn how to tune a flow or event as false positive.
• In the top menu bar, click the False Positive icon
The QID uniquely identifies the kind of application data that the flow transports
This option is rarely useful because it eliminates every occurrence of the above selection every time
For events, the QID uniquely identifies a specific action of a device. For example, firewall denies issued from different firewall models have different QIDs. For flows, the QID uniquely identifies which kind of application data is transported by the flow.
To edit a false positive, edit the User-BB-FalsePositive: User Defined False Positives Tunings building block. To locate this building block, navigate to Rules on the Offenses tab. Rules and
• To prevent unwanted offenses, QRadar SIEM administrators must perform these tasks
– Keep the Network Hierarchy up-to-date
– Keep building blocks that identify approved services up-to-date
– Disable rules that create numerous pointless offenses
The next modules of this course provide an introduction to these topics; QRadar SIEM administrators perform these tasks.
building blocks with names beginning with BB:PortDefinition. The IP addresses of approved services are stored in building blocks with names beginning with BB:HostDefinition. QRadar SIEM administrators need to update these building blocks manually or run the Server Discovery on the Assets tab.
By default, QRadar SIEM has many rules disabled. In a production environment, it may be necessary to enable some rules. In most deployments, a professional services consultant performs
Lesson 5 Investigating superflows
A superflow is an aggregate of similar network activity that otherwise would result in a large number
of separate flows. In this lesson, you learn about the three different types of superflows.
About superflows
Flow processors aggregate network activity with common characteristics into superflows that indicate common attack types:
• Type A: Network sweep
  one source IP address > many destination IP addresses
• Type B: Distributed denial of service (DDOS) attack
  many source IP addresses > one destination IP address
• Type C: Portscan
  one source IP address > many ports on one destination IP address
Benefits of superflows include:
Slide callouts: Source IP addresses and ports from where the DDOS originates; Target of the DDOS
Slide callout: Tagged by DoS building block
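The three superflow types above, as an added example that is not part of the course: a small aggregator that folds constructed sample flows into Type A, B and C superflows. The grouping threshold of 10 distinct peers or ports is an assumption; the course does not state the flow processor's real thresholds.

```python
from collections import defaultdict

# Constructed sample flows (not course data): (source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    # one source -> many destinations on one port: network sweep (Type A)
    *[("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 21)],
    # many sources -> one destination: distributed denial of service (Type B)
    *[(f"203.0.113.{i}", "198.51.100.10", 80) for i in range(1, 21)],
    # one source -> many ports on one destination: portscan (Type C)
    *[("10.0.0.9", "10.0.2.7", port) for port in range(20, 40)],
]

# Assumed minimum number of distinct peers/ports before flows are folded into a superflow.
SUPERFLOW_THRESHOLD = 10


def aggregate_superflows(flows, threshold=SUPERFLOW_THRESHOLD):
    """Fold flows with common characteristics into superflows.

    Returns a list of dicts {"type": "A"|"B"|"C", "key": ..., "flows": n}, where n is the
    number of individual flows that the superflow represents.
    """
    dsts_by_src = defaultdict(set)       # source IP   -> distinct destination IPs
    srcs_by_dst = defaultdict(set)       # destination -> distinct source IPs
    ports_by_pair = defaultdict(set)     # (src, dst)  -> distinct destination ports
    flow_count = defaultdict(int)        # any key     -> number of flows seen for it
    for src, dst, port in flows:
        dsts_by_src[src].add(dst)
        srcs_by_dst[dst].add(src)
        ports_by_pair[(src, dst)].add(port)
        flow_count[src] += 1
        flow_count[dst] += 1
        flow_count[(src, dst)] += 1

    superflows = []
    # Type A: one source IP address > many destination IP addresses
    for src, dsts in dsts_by_src.items():
        if len(dsts) >= threshold:
            superflows.append({"type": "A", "key": src, "flows": flow_count[src]})
    # Type B: many source IP addresses > one destination IP address
    for dst, srcs in srcs_by_dst.items():
        if len(srcs) >= threshold:
            superflows.append({"type": "B", "key": dst, "flows": flow_count[dst]})
    # Type C: one source IP address > many ports on one destination IP address
    for pair, ports in ports_by_pair.items():
        if len(ports) >= threshold:
            superflows.append({"type": "C", "key": pair, "flows": flow_count[pair]})
    return superflows


if __name__ == "__main__":
    for sf in aggregate_superflows(SAMPLE_FLOWS):
        print(f"Type {sf['type']} superflow for {sf['key']}: {sf['flows']} flows")
```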
Exercise introduction
Complete the following exercises in the Course Exercises book:
• Investigating an offense that is triggered by flows
Summary
Now you should be able to perform the following tasks:
• Describe flows
• Investigate the summary of an offense that is triggered by flows
• Investigate flow details
• Tune false positives
• Investigate superflows
Using Rules
Rules and building blocks test and correlate incoming events, flows, and offenses in QRadar SIEM for indicators of an attack or policy violation. Building blocks are used as variables in other rules or reports. Unlike building blocks, rules can perform an action or response if they evaluate to true. This unit teaches you the significance of rules and building blocks, and how to locate and understand their tests, actions and responses.
References:
Objectives
In this unit, you learn to perform the following tasks:
• Navigate rules and rule groups
• Locate the rules that fired for an event or flow, and triggered an offense
• Investigate which test conditions caused a rule to fire
• Investigate building blocks and function tests
• Examine rule actions and responses
• Use rules in searches
• Examine for which indicators anomaly detection rules can fire
Lesson 1 Rules overview
QRadar SIEM uses rules and building blocks to monitor for attacks and policy violations. This
lesson introduces you to custom rules and building blocks, and you learn how to locate them in
general and find specific rules and building blocks that fired for an event, flow, and offense.
Definition rule
Rule
--noun
A rule tests for an indicator, that is, a sign of an attack or policy violation.
For example:
– Reconnaissance from local hosts
– Beaconing
Indicator of Concern, for example:
– Reconnaissance from remote hosts
– DDOS attack ramping up
• This module follows the common practice of using the following terms instead of "the rule evaluates to true":
– a rule fires
– a rule matches
– a rule tags an event or flow
Slide callout: To navigate to the rule details, double-click the row
To navigate
to an offense or not.
• To view and manage custom rules, the user must have the View Custom Rules or Maintain Custom Rules role permissions.
Navigating to rules
Select Rules in the Actions menu on the Log Activity tab or Network Activity tab.
The Rules List opens in a separate window.
Lesson 2 Using rule definitions during an investigation
Rules and building blocks define what QRadar SIEM considers an attack or policy violation. As part of an offense investigation, you might need to find out in detail why QRadar SIEM created an offense. In this lesson, you learn how to understand what a rule or building block tests for.
Reference:
Rule Wizard
Double-click a rule to open the Rule Test Stack Editor in the Rule Wizard.
Slide callouts:
– Learn from the rule's tests what it detects; refer to the next slide for more information
– Learn about the rule's purpose
Maintain Custom Rules permission, QRadar SIEM displays the rule summary read only.
Rule tests
To find out in detail why a rule fired, investigate what it tests.
Slide callout: Simple tests with one test condition each
• The Custom Rules Engine (CRE) executes the tests
• When a CRE receives a flow, the CRE evaluates the example rule in the following steps:
1. Test whether the context of the flow is Local to Local
2. If true, stop evaluating this rule for the flow
3. If false, move to the next test
4. Test whether the flow duration is greater than 48 hours
5. If true, the rule fires
6. If false, the rule does not fire
• CRE instances run on the Console appliance and on each event and flow processor appliance.
• All CRE instances in a QRadar SIEM deployment share the same rules.
Custom rules
• The tests of more complex rules correlate events and flows that by themselves record only one unsuspicious activity in your IT environment
• Many policy violations can be detected without correlation by only a single event or flow, such as unencrypted telnet traffic
– Also, an event from an IDS, IPS, or other security service can notify about an attack without further correlation
• If a rule fires for an event or flow, the CRE performs the actions and responses configured for the rule, such as these examples
– Adding the event or flow to an offense
  – If the appropriate offense does not yet exist, it is created
– Creating a new event
– Adding an annotation
– Sending an email
– Generating system notifications
Rule actions and responses are introduced later in this module.
Building blocks
• Building blocks are the same as custom rules, but they do not have actions or responses
• Select Display > Building Blocks to display them
• Combine custom rules and building blocks in complex tests
• Reuse existing test logic and information
• Improve efficiency because the CRE executes a custom rule or building block only one time per event or flow regardless of how many custom rules and building blocks use it
Function tests
• For function tests, the CRE keeps track of matches to test conditions
• Most function tests use more than one test condition
• Function tests primarily serve the following two purposes
– Monitoring frequency: Keep count of whether conditions become true as many times as a triggering value in a time frame
  - In the example, only if the first test evaluates to true is the function test evaluated and can increment its counters
  - If the first test evaluates to false, the function test is not evaluated and cannot increment its counters
– Monitoring order: Monitor whether conditions become true in a certain sequence and time frame
• Under the Functions - Simple section, the Rule Test Stack Editor provides the following function test:
• Stateful tests operate on the current event or flow, and information from previous events and flows.
Partial match
• For function tests, the CRE maintains counters to track how many events or flows meet a condition in a time frame
• If an event or flow meets such a condition and a counter is incremented, but the custom rule does not fire, the event or flow records the custom rule under Custom Rules Partially Matched
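The rule test stack, function tests and partial matches described in the last three slides, as an added example that is not QRadar's own code: a toy CRE that evaluates the course's example rule (not L2L, duration greater than 48 hours) and a frequency-monitoring rule over constructed flows. The sliding time window and the counter reset after firing are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Flow:
    """Minimal stand-in for a QRadar flow record (constructed for this example)."""
    ts: float              # seconds since the start of the sample
    context: str           # "L2L", "L2R", "R2L" or "R2R"
    duration_hours: float
    src_ip: str
    rules_fired: list = field(default_factory=list)     # Custom Rules
    rules_partial: list = field(default_factory=list)   # Custom Rules Partially Matched


class SimpleTest:
    """One test condition, optionally negated ("and NOT when ...")."""
    def __init__(self, predicate, negate=False):
        self.predicate, self.negate = predicate, negate

    def __call__(self, flow):
        matched = self.predicate(flow)
        # (matched, counter_incremented): a simple test never touches a counter
        return (not matched if self.negate else matched), False


class FunctionTest:
    """'when at least <count> flows with the same <key> are seen within <window_s> seconds'."""
    def __init__(self, key, count, window_s):
        self.key, self.count, self.window_s = key, count, window_s
        self.seen = defaultdict(deque)   # key value -> timestamps inside the window

    def __call__(self, flow):
        stamps = self.seen[self.key(flow)]
        stamps.append(flow.ts)
        while flow.ts - stamps[0] > self.window_s:   # drop matches outside the time frame
            stamps.popleft()
        if len(stamps) >= self.count:
            stamps.clear()                            # assumption: counter restarts after firing
            return True, True
        return False, True   # condition met and counted, but the triggering value not reached


class Rule:
    def __init__(self, name, tests):
        self.name, self.tests = name, tests


def evaluate(rule, flow):
    """Walk the test stack top to bottom; the first test that fails stops the evaluation."""
    counted = False
    for test in rule.tests:
        matched, incremented = test(flow)
        counted = counted or incremented
        if not matched:
            if counted:                 # a counter moved but the rule did not fire
                flow.rules_partial.append(rule.name)
            return False
    flow.rules_fired.append(rule.name)
    return True


def run_cre(rules, flows):
    """Every flow is tested against every rule, as a CRE instance would do."""
    for flow in flows:
        for rule in rules:
            evaluate(rule, flow)
    return flows


RULES = [
    # the course's example: "and NOT when the context is L2L" / "and when duration > 48 hours"
    Rule("Long remote flow", [
        SimpleTest(lambda f: f.context == "L2L", negate=True),
        SimpleTest(lambda f: f.duration_hours > 48),
    ]),
    # frequency monitoring: the function test runs only if the first test is true
    Rule("Repeated remote flows from one source", [
        SimpleTest(lambda f: f.context == "L2R"),
        FunctionTest(key=lambda f: f.src_ip, count=3, window_s=600),
    ]),
]

SAMPLE_FLOWS = [   # constructed sample data
    Flow(ts=0,  context="L2L", duration_hours=50, src_ip="10.0.0.1"),
    Flow(ts=10, context="L2R", duration_hours=50, src_ip="10.0.0.1"),
    Flow(ts=20, context="L2R", duration_hours=1,  src_ip="10.0.0.1"),
    Flow(ts=30, context="L2R", duration_hours=1,  src_ip="10.0.0.1"),
]

if __name__ == "__main__":
    for f in run_cre(RULES, SAMPLE_FLOWS):
        print(f"t={f.ts:>3}s fired={f.rules_fired} partial={f.rules_partial}")
```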
Event
– Test only incoming events
– Example test: when the user name matches the following regex
Flow
– Test only incoming flows
– Example test: when the destination TCP flags are exactly these flags
Common
– Test only incoming events and flows
– Example test: when the source is located in this geographic location
Offense
– Test only offenses
– Example test: when the number of categories involved in the offense is greater than
Lesson 3 Custom rule actions and responses
Like the if-then statement in programming languages, a custom rule executes actions and
responses if it evaluates to true. In this lesson, you learn about some of the available rule actions
and responses.
Rule actions
When a rule fires, QRadar SIEM executes its actions.
Slide callouts:
– The CRE requests the Magistrate to add the tested event or flow to the offense
– If an offense with the chosen Source IP Index and the IP address value that is the same as the source IP address of the tested flow does not yet exist, the Magistrate creates such an offense
– A rule can change the magnitude of the event or flow
– The rule specifies the offense type
Dropping an event or flow prevents the CRE from executing any further rules that have not already been executed. At this point, some of the rules that have already been executed might have fired and the CRE has already executed or initiated their actions and responses.
Dropping an event or flow does not delete it. The event or flow is still stored and searchable; therefore, it shows up in search results and reports.
• The Magistrate assumes that rules firing for the same index property and property value relate to the same security issue; therefore, the Magistrate maintains only one active offense indexed on the same property and property value at any given time
– Example: A rule fires and requests that the Magistrate add the event or flow to an offense indexed on source IP address 192.168.10.10
  - If such an offense already exists, the Magistrate adds the event or flow to it
  - If such an offense does not exist, the Magistrate creates an offense indexed on the source IP address 192.168.10.10, and adds the event or flow to it
• A rule should index its offense on the key property in its tests; for example, the Username property is the appropriate index for a rule that tests for 5 login failures with the same user name
• More than one rule can fire for an event or flow
– For rules firing with the same index property and property value, the Magistrate adds the event or flow to the same offense; therefore, more than one rule can add events and flows to one single offense
– For each rule firing with different index properties or property values, the Magistrate adds the event or flow to each of the separate offenses
192.168.10.10, and another offense can be indexed on the same IP address 192.168.10.10, but as the destination IP address. This happens when a compromised machine attacks other targets. QRadar SIEM chains such offenses.
• The difference between the CRE and Magistrate is as follows:
– The CRE tests events and flows. It tags each event and flow with each custom rule and building block that fires for it, regardless of the Rule Action and Rule Response.
– The Magistrate maintains offenses. It adds events and flows to offenses if told so by the Rule Action and Rule Response. The Magistrate only runs on the Console.
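The offense indexing behaviour described above, as an added example that is not QRadar's own code: a toy Magistrate that keeps one active offense per index property and value, lets several rules add events to one offense, and links offenses that share the same IP value under different index properties. The rule names, events and the chaining helper are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Offense:
    offense_id: int
    index_property: str     # e.g. "sourceip", "destinationip", "username"
    index_value: str
    events: list = field(default_factory=list)
    rules: set = field(default_factory=set)   # rules that contributed an event or flow
    active: bool = True


class Magistrate:
    """Keeps at most one active offense per (index property, property value)."""

    def __init__(self):
        self.offenses = []

    def _active_offense(self, prop, value):
        for offense in self.offenses:
            if offense.active and offense.index_property == prop and offense.index_value == value:
                return offense
        return None

    def add_to_offense(self, event, rule_name, index_property):
        """Rule action: add the event to the offense indexed on index_property, creating it if needed."""
        value = event[index_property]
        offense = self._active_offense(index_property, value)
        if offense is None:
            offense = Offense(len(self.offenses) + 1, index_property, value)
            self.offenses.append(offense)
        offense.events.append(event)
        offense.rules.add(rule_name)
        return offense

    def close(self, offense):
        """Once closed, a new firing on the same index creates a fresh offense."""
        offense.active = False

    def chained(self, offense):
        """Offenses indexed on the same value under another property, for example a host that is
        the destination of one offense and the source of another (constructed helper)."""
        return [o for o in self.offenses
                if o is not offense
                and o.index_value == offense.index_value
                and o.index_property != offense.index_property]


# Constructed rules: (rule name, property the offense is indexed on, firing condition)
RULES = [
    ("Exploit attempt against local host", "destinationip", lambda e: e["category"] == "exploit"),
    ("Reconnaissance from local host", "sourceip", lambda e: e["category"] == "recon"),
    ("Reconnaissance against local host", "destinationip", lambda e: e["category"] == "recon"),
]

# Constructed events: a host is first attacked, then starts scanning other local hosts
SAMPLE_EVENTS = [
    {"sourceip": "198.51.100.7", "destinationip": "192.168.10.10", "category": "exploit"},
    {"sourceip": "192.168.10.10", "destinationip": "192.168.10.20", "category": "recon"},
    {"sourceip": "192.168.10.10", "destinationip": "192.168.10.21", "category": "recon"},
]


def run_sample():
    magistrate = Magistrate()
    for event in SAMPLE_EVENTS:
        for rule_name, index_property, fires in RULES:   # more than one rule can fire per event
            if fires(event):
                magistrate.add_to_offense(event, rule_name, index_property)
    return magistrate


if __name__ == "__main__":
    m = run_sample()
    for o in m.offenses:
        print(f"offense {o.offense_id}: {o.index_property}={o.index_value} "
              f"events={len(o.events)} rules={sorted(o.rules)} "
              f"chained={[c.offense_id for c in m.chained(o)]}")
```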
Rule response
Slide callouts:
– The CRE requests the Magistrate to create an offense, if an offense with the same property chosen as index and the same property value as the tested flow does not already exist
– The rule requests the CRE to create a new event for these purposes:
  • Name the offense appropriately
  • Simplify searching and reporting on the detected indicator
– The Magistrate adds the new event to the existing or newly created offense
• The Custom Rule Engine (CRE) is the log source of the new event, because the CRE creates all events that are triggered by custom rules.
• The user interface often refers to the name of an offense as the description.
Slide callouts:
– Send email to addresses
– Limit how often the CRE executes the configured rule responses
separate CREs.
• The Response Limiter configuration limits every option under Rule Response, including the frequency of dispatched or forwarded events.
Slide callouts:
– such as a watchlist of IP addresses that can be looked up
– Click to manage reference sets
– Add property value to reference set
– Remove property value from reference set
Lesson 4 Using rules as search parameters
The custom rules engine tags each offense with the rules that added an event or flow to it. The custom rules engine also tags each event and flow with the custom rules and building blocks that fired for it. In this lesson, you learn how to search for tagged offenses, events and flows.
this search only finds offenses for which the selected rule contributed an event or flow.
• If you search for events or flows for which a disabled custom rule or unused building block has fired, the CRE will not find any
• To make the CRE evaluate a custom rule, enable it
• Add any unused building blocks required by searches used in report templates to the Load Basic Building Blocks custom rule
Lesson 5 Anomaly detection rules
Anomaly Detection rules alert to deviations from recorded past activities. This lesson introduces you to the differences from custom rules and the purposes of the three types of anomaly detection rules.
References:
• The saved search needs to be grouped and needs to have capturing of time series data enabled
• The Anomaly Detection Engine (ADE) executes the anomaly detection rules
• An anomaly detection rule only tags the event that it creates as a rule response but not the event or flow that triggered it; this has two implications
– It is not possible to search and report on events and flows that triggered an anomaly detection rule
– In the Rule Wizard, an anomaly detection rule has only a Rule Response but not a Rule Action because the Rule Action only works on the triggering event or flow
• Typically anomaly detection rules monitor over longer timespans than custom rules
Threshold rules
Test whether a property value surpasses an upper or lower boundary.
(Chart on the slide: property value over time, the threshold line, and the point where the rule triggers)
Anomaly rules
Test whether the average property value during the current short time range deviates above the configured percentage from the baseline over a longer time range.
(Chart on the slide: property value over time, the average over the long period, and the point where the rule triggers)
Behavioral rules
• Test whether current property values deviate from seasonal patterns
• A behavior rule learns the rate or volume of a property value over the configured time to establish a baseline
(Chart on the slide: property value over several weeks, days labelled M T W T F S S, and the point where the rule triggers)
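Threshold and anomaly rules as an added example, not the Anomaly Detection Engine's own code: both rule types run over a constructed time series (counts per interval, as a grouped saved search with time series data would produce) and emit a new event per hit, which is the only thing an anomaly detection rule tags. The window sizes, the percentage and the consecutive placement of the short range directly after the long range are assumptions of this example.

```python
from statistics import mean

# Constructed time series (not course data): events per interval from a grouped saved search.
# A single spike at index 5, then a sustained rise from index 14 onwards.
SERIES = [100, 110, 95, 105, 100, 230, 102, 100, 97, 103, 104, 99,
          101, 100, 150, 155, 160, 165]


def threshold_rule(series, upper=None, lower=None):
    """Threshold rule: trigger on every interval whose value surpasses an upper or lower boundary."""
    hits = []
    for i, value in enumerate(series):
        if (upper is not None and value > upper) or (lower is not None and value < lower):
            hits.append(i)
    return hits


def anomaly_rule(series, short=3, long=12, deviation_pct=30):
    """Anomaly rule: trigger when the average over the current short range is more than
    deviation_pct above the baseline average over the preceding long range.
    Window sizes are numbers of intervals (assumption of this example)."""
    hits = []
    for end in range(long + short, len(series) + 1):
        baseline = mean(series[end - short - long:end - short])   # long range, the baseline
        current = mean(series[end - short:end])                   # short range, current activity
        if baseline > 0 and (current - baseline) / baseline * 100 > deviation_pct:
            hits.append(end - 1)   # the interval that completed the short range
    return hits


def run_ade(series, upper=200, deviation_pct=30):
    """Create one new event per hit, as the rule response of an anomaly detection rule does.
    The triggering intervals themselves are not tagged, matching the course's description."""
    events = []
    for i in threshold_rule(series, upper=upper):
        events.append({"rule": "threshold", "interval": i, "value": series[i]})
    for i in anomaly_rule(series, deviation_pct=deviation_pct):
        events.append({"rule": "anomaly", "interval": i, "value": series[i]})
    return events


if __name__ == "__main__":
    for event in run_ade(SERIES):
        print(event)
```

The spike at index 5 trips the threshold rule but is averaged away by the anomaly rule, while the gradual rise at the end stays under the threshold and is caught only by the anomaly rule.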
Exercise introduction
Complete the following exercises in the Course Exercises book:
• Create an event rule
• Analyze the rule that contributed to the Local DNS Scanner offense
• Work with rule parameters
• Delete changes made to a rule
• Search for a rule
Summary
Now you should be able to perform the following tasks:
• Navigate rules and rule groups
• Locate the rules that fired for an event or flow, and triggered an offense
• Investigate which test conditions caused a rule to fire
• Investigate building blocks and function tests
• Examine rule actions and responses
• Use rules in searches
• Examine for which indicators anomaly detection rules can fire
Using the Network Hierarchy
The Network Hierarchy reflects your environment from a security perspective. This unit teaches you the significance of the Network Hierarchy and the many ways that QRadar SIEM uses and displays its information.
Objectives
In this unit, you learn to perform the following tasks:
• Locate and explain the structure of the Network Hierarchy
• Use networks in investigations
• Use Flow Bias and Direction in investigations
• Use the Network Hierarchy in rules
Lesson 1 Network Hierarchy overview
The network information that QRadar SIEM displays and uses is configured in the Network Hierarchy. This lesson introduces you to the Network Hierarchy, including its tree structure.
Network connections initiated from an IP address belonging to your organization
The subnet storing and processing customer data that is the target of more offenses than any other subnet
• QRadar SIEM draws such network information from the Network Hierarchy
• QRadar SIEM considers every IP address that is part of a network configured in the Network Hierarchy as local to your organization's network
• QRadar SIEM considers any other IP address as remote
reports
with the IP address ranges reserved for private use because they cannot be routed through the public internet and therefore can only be local
Crown jewels
• Many organizations specify their crown jewels in the Network Hierarchy and monitor them more granularly for indicators, and run specific searches and reports
• The term crown jewels refers to the hosts that store and process data most critical for an organization's mission
• Crown jewels handle the following kinds of data:
– Customer
– Employee
– Financial
– Intellectual property
Tree structure
• If an IP address is part of a CIDR range of a network object, QRadar SIEM tags the IP address with this network object and its groups
– Parent nodes are called Groups. They cannot have CIDR ranges configured
– Leaf nodes are called Network Objects. They represent one or more CIDR ranges
CIDR ranges
• The CIDR ranges do not need to match the tree structure
• A CIDR of a network object can include a CIDR range of another network object regardless of its location in the hierarchy
• The primary purpose of the hierarchy is to provide a structure for CIDR ranges that rules, searches, and reports can use
• The Network Hierarchy does not need to reflect your technical network layout
• Usually the names of groups and network objects reflect purpose, department, and location because they determine security requirements
• QRadar SIEM's Asset Profiler creates and updates asset profiles only for IP addresses that are part of any of the CIDR ranges in the Network Hierarchy
Lesson 2 Using networks in investigations
The network hierarchy is often beneficial to security-related analysis, including offense investigation. In this lesson, you learn how to locate and use network information.
Network of an IP address
• Hover the mouse over an IP address to learn its groups and network object
• The remainder of this module refers to both groups and network objects as network
Filtering by network
• You can use networks in many ways for investigations, for example for filtering
• If you select a group, QRadar SIEM filters for all CIDR ranges of the group's descendants
Grouping by network
Slide callouts: Log Activity tab; Network Activity tab
Slide callout: other includes all IP addresses that are not part of a network configured in the Network Hierarchy
addresses with network information from the Network Hierarchy
Lesson 3 Using Flow Bias and Direction in Investigations
Most importantly, the Network Hierarchy defines which IP addresses are local because they belong to your organization. In this lesson, you learn how QRadar SIEM uses this information to measure the Flow Bias and Direction, which can hint at suspicious activities.
Flow Bias
• A flow records characteristics of the network activity that it represents, including its Flow Bias
• The bias of a flow marks the ratio between bytes leaving from and arriving at your organization's perimeter
• QRadar SIEM uses the Network Hierarchy to determine whether bytes transfer inbound or outbound
Out only: Unidirectional outbound
– This bias indicates outbound connection attempts that are being blocked by a firewall, such as beaconing attempts by malware to its command-and-control (C&C) servers
In only: Unidirectional inbound
– This bias indicates inbound connection attempts that are being blocked by a firewall or a port scan attempt of a publicly reachable IP address of your organization
Mostly out: 70% to 99% of bytes outbound
– This bias indicates data leaving your organization. Only your publicly reachable servers should have many flows with this bias
Mostly in: 70% to 99% of bytes inbound
– This bias is typical for end-user machines
Near same: inbound-outbound byte ratio between 31% and 69%
– This bias is typical for VOIP, chat, and SSH
Other
– This bias usually indicates traffic between local machines. It can also indicate traffic between two remote machines, which either points to a misconfiguration of an organization's network or notifies you that a local network is missing in the Network Hierarchy
Flow Direction
• Direction indicates
– Whether the network activity has been initiated from inside or outside your organization's network perimeter
– Whether a host inside or outside your organization's network perimeter is the destination of the network activity
• The Flow Direction takes the following values
– L2L: Traffic from a local network to another local network
– L2R: Traffic from a local network to a remote network
– R2L: Traffic from a remote network to a local network
– R2R: Traffic from a remote network to another remote network
Usually R2R indicates a network misconfiguration or a local network missing in the Network Hierarchy.
Flow Direction indicates whether source and destination are located inside or outside your organization's network perimeter regardless of the number of bytes transferred in each direction
• Events cannot have the equivalent of a Flow Bias, but events have a Direction
– The Source and Destination IP addresses of an event determine its Direction in the same way as for flows
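The Network Hierarchy lookup, Flow Direction and Flow Bias from this unit, as an added example that is not QRadar's own code: a constructed hierarchy of groups and network objects (with an overlapping CIDR range, which the course says is allowed) decides whether each address is local, the direction follows from that, and the bias is derived from the byte counts using the ranges given on the Flow Bias slide. The hierarchy contents and the handling of values exactly at 30% and 70% are assumptions.

```python
import ipaddress

# Constructed Network Hierarchy (not the course's): tuple of group names -> network objects -> CIDRs
NETWORK_HIERARCHY = {
    ("Corporate", "Offices"): {"Berlin-LAN": ["10.1.0.0/16"], "Austin-LAN": ["10.2.0.0/16"]},
    ("Corporate", "DMZ"):     {"Web-Servers": ["203.0.113.0/28"]},
    ("Crown-Jewels",):        {"Customer-DB": ["10.2.50.0/24"]},   # overlaps Austin-LAN: allowed
}


def _compile(hierarchy):
    """Flatten the tree into (network, groups, network object) entries for matching."""
    entries = []
    for groups, objects in hierarchy.items():
        for name, cidrs in objects.items():
            for cidr in cidrs:
                entries.append((ipaddress.ip_network(cidr), groups, name))
    return entries


_ENTRIES = _compile(NETWORK_HIERARCHY)


def networks_of(ip):
    """Every (groups, network object) tag for the address; an empty list means remote ('other')."""
    addr = ipaddress.ip_address(ip)
    return [(groups, name) for net, groups, name in _ENTRIES if addr in net]


def is_local(ip):
    return bool(networks_of(ip))


def direction(src_ip, dst_ip):
    """L2L, L2R, R2L or R2R, for flows and events alike."""
    return ("L" if is_local(src_ip) else "R") + "2" + ("L" if is_local(dst_ip) else "R")


def flow_bias(src_ip, dst_ip, src_bytes, dst_bytes):
    """Flow Bias from the bytes each side sent, using the course's percentage ranges."""
    d = direction(src_ip, dst_ip)
    if d in ("L2L", "R2R"):
        return "Other"          # no perimeter crossing, or a gap in the hierarchy for R2R
    if d == "L2R":              # the source is the local side
        out_bytes, in_bytes = src_bytes, dst_bytes
    else:                       # R2L: the destination is the local side
        out_bytes, in_bytes = dst_bytes, src_bytes
    total = out_bytes + in_bytes
    if total == 0:
        return "Other"
    if in_bytes == 0:
        return "Out only"
    if out_bytes == 0:
        return "In only"
    out_pct = 100 * out_bytes / total
    if out_pct >= 70:           # boundary handling at exactly 70/30 is an assumption
        return "Mostly out"
    if out_pct <= 30:
        return "Mostly in"
    return "Near same"


if __name__ == "__main__":
    # constructed flows: (src, dst, bytes sent by src, bytes sent by dst)
    for flow in [("10.1.3.4", "8.8.8.8", 900, 100),
                 ("198.51.100.5", "203.0.113.3", 100, 900),
                 ("10.1.3.4", "8.8.8.8", 500, 0),
                 ("10.1.3.4", "10.2.50.7", 100, 100)]:
        print(flow, direction(flow[0], flow[1]), flow_bias(*flow))
```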
Lesson 4 Using the Network Hierarchy in rules
Network information is crucial to detect indicators of compromise and concern. In this lesson, you
learn how rules and building blocks can use the Network Hierarchy, and how they can tag events
and flows based on CIDR ranges.
• Flow Bias
– Only available for rules of type Flow
• Context
– The Event and Flow Direction are equivalent to the Context
Exercise introduction
Complete the following exercises in the Course Exercises book:
• Create a network object
• View network objects in flows
Summary
Now you should be able to perform the following tasks:
• Locate and explain the structure of the Network Hierarchy
• Use networks in investigations
• Use Flow Bias and Direction in investigations
• Use the Network Hierarchy in rules
Index and Aggregated Data Management
Searches leverage indexes and data aggregation. This unit teaches you about indexes and
aggregated data.
Objectives
In this unit, you learn to perform the following tasks:
• Use the Index Management administration tool to enable, disable, and configure an index
• Use the Aggregated Data Management administration tool to see Aggregated Data View statistics and
manage the data that QRadar SIEM accumulates
• Use the information provided by the Aggregated Data Management tool in combination with Index
Management to optimize search and rule performance
Lesson 1 Using the Index Management tool
Indexes can significantly reduce the run-time of searches at the expense of storage space. In this
lesson, you learn how to manage indexes.
for an index in the Display context
Index information
• You can search for indexes by name using the query window
• Use the Quick Filter property to create indexes for the free text payload searches
By default, index information is updated every hour
Properties that already include an index display a green bullet icon; to enable an index for a property, right-click the property and select Enable Index
% of Searches fields
• Using Property: Indicates how many executed searches use the property
• Hitting Index: Indicates how many executed searches benefit from the property index
• Missing Index: Indicates how many executed searches might benefit if the property was indexed
Benchmark numbers generate every hour and are combined in wider views
Lesson 2 Using the Aggregated Data Management tool
Time-series charts and reports use aggregated data. In this lesson, you learn how to manage
aggregated data.
• Aggregated Data Views contain accumulated data that is used by the saved searches that include a Group By Column clause
created
• When you disable a view, searches no longer use the aggregated data
• Disabled views can be enabled again
• When you enable or disable a view, a list of the searches, reports,
• Charts in the reports that use the aggregated data view
• Searches that generate the aggregated data view
• How often the view was triggered
• Disk space used by the view in the event database
• If unique count is enabled for the search; views with unique count enabled require more disk space
• The Time Series view displays the accumulated field or fields used by the search
The saved search Event Category Distribution accumulates across two properties: count and SUM eventCount
Anomaly Detection Engine (ADE) rules use aggregated data and this view shows what view is used by each ADE rule
This view displays the aggregated data views by ID and how often the view is referenced and was triggered
Lesson 3 Gathering index statistics
Statistics about the use and resource consumption of indexes help you decide whether to enable or
disable them. In this lesson, you learn how to locate index statistics.
events
• This property is used in the search to filter authentication events that relate to the console or network logon (values 2 or 3) attempts on Windows hosts
returned
Check Index Management for the % of Searches performed that missed the index for the property
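The three % of Searches fields from Lesson 1 and the enable-or-disable decision this lesson asks you to make, computed from a search log. This is an added example and not IBM code: it assumes a constructed list of executed searches, each recorded as the set of properties it filtered on, and a constructed set of properties that currently carry an index. A search is counted as hitting an index whenever it filters on an indexed property, which is a simplification, and the thresholds in recommend() are illustrative assumptions rather than QRadar defaults.

```python
"""Index Management '% of Searches' statistics from a search log.

Added example, not IBM code. Inputs are constructed: each executed search is
the set of properties it filtered on, and INDEXED lists the properties that
currently have an index. Simplification: a search 'hits' an index whenever it
filters on an indexed property.
"""
from typing import Dict, Iterable, List, Set

# Constructed log of ten executed searches (property names in AQL spelling).
SEARCHES: List[Set[str]] = [
    {"sourceip", "username"},
    {"sourceip"},
    {"destinationip", "destinationport"},
    {"username"},
    {"username", "logsourceid"},
    {"sourceip", "destinationip"},
    {"qid"},
    {"username", "sourceip"},
    {"logsourceid"},
    {"destinationport"},
]

# Constructed set of properties that currently carry an index.
INDEXED: Set[str] = {"sourceip", "destinationip", "qid"}


def index_statistics(searches: Iterable[Set[str]], indexed: Set[str]) -> Dict[str, Dict[str, float]]:
    """Per property: Using Property %, Hitting Index %, Missing Index %."""
    searches = list(searches)
    total = len(searches)
    if total == 0:
        return {}
    props = set().union(*searches)
    stats: Dict[str, Dict[str, float]] = {}
    for prop in sorted(props):
        using = sum(1 for s in searches if prop in s)
        hitting = using if prop in indexed else 0   # searches that benefit from the index
        missing = 0 if prop in indexed else using   # searches that might benefit from one
        stats[prop] = {
            "using_pct": round(100.0 * using / total, 1),
            "hitting_pct": round(100.0 * hitting / total, 1),
            "missing_pct": round(100.0 * missing / total, 1),
        }
    return stats


def recommend(stats: Dict[str, Dict[str, float]], indexed: Set[str],
              enable_at: float = 20.0, disable_below: float = 15.0) -> Dict[str, List[str]]:
    """Illustrative policy with assumed thresholds (not QRadar defaults): enable an
    index when the Missing Index share is high, and review an existing index whose
    property is rarely filtered on, because every index costs storage."""
    enable = [p for p, s in stats.items() if p not in indexed and s["missing_pct"] >= enable_at]
    review = [p for p, s in stats.items() if p in indexed and s["using_pct"] < disable_below]
    return {"enable": sorted(enable), "review_for_disable": sorted(review)}


if __name__ == "__main__":
    stats = index_statistics(SEARCHES, INDEXED)
    for prop, s in stats.items():
        print(f'{prop:<16} using {s["using_pct"]:5.1f}%  '
              f'hitting {s["hitting_pct"]:5.1f}%  missing {s["missing_pct"]:5.1f}%')
    print(recommend(stats, INDEXED))
```

With the constructed log, username is filtered on by 40% of searches and never hits an index, so it is the first candidate to enable; qid is indexed but used by only one search in ten, so it is the one to review before spending storage on it.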
Exercise introduction
Complete the following exercises in the Course Exercises book
• Manage indexes
Unit summary
• Use the Index Management administration tool to enable, disable, and configure an index
• Use the Aggregated Data Management administration tool to see Aggregated Data View statistics and
manage the data that QRadar SIEM accumulates
• Use the information provided by the Aggregated Data Management tool in combination with Index
Management to optimize search and rule performance
Using Dashboards
QRadar SIEM displays the Dashboard tab after you have signed in. Items on a dashboard display
information about activities in your network. The items enable you to focus on specific areas of
interest. You can customize and add new items and dashboards. This unit teaches you how to
Objectives
In this unit, you learn to perform the following tasks:
• Navigate the Dashboard tab
• Customize dashboard items
• Utilize time-series charts
Lesson 1 Navigating the Dashboard tab
A dashboard hosts several dashboard items in order to provide real-time visibility into activity in
your environment. In this lesson, you learn how to manage dashboards and how to add a saved
search as an item to a dashboard.
Dashboard tab
The Dashboard tab displays Dashboard items.
Dashboards
Dashboards are like a canvas for dashboard items
You can create custom dashboards to focus on your security or operations responsibilities
Each dashboard is associated with a user; changes that you make to a dashboard do not affect the
dashboards of other users
Use multiple dashboards to better organize data; for example create dashboards for the following
purposes:
• Databases
• Critical Applications
Include in my Dashboard:
Lesson 2 Customizing a dashboard item
You can customize which data a dashboard item displays in which way. In this lesson, you learn
about the options to leverage dashboard items for your needs and responsibilities.
Open item in separate browser window
Lesson 3 Utilize time-series charts
A time-series chart plots data against time in order to observe trends. To provide time-series charts,
QRadar SIEM needs to keep track of data over time. In this lesson, you learn how to leverage
time-series charts.
flows according to your search criteria, grouping, and chosen value to graph
• Most of the predefined searches capture time-series data
• Capturing time-series data increases resource consumption of QRadar SIEM
The asterisk (*) indicates that QRadar SIEM accumulates time-series data for this value
Select Capture Time Series Data and click Save to accumulate time-series data to count events or
report. Therefore, time-series charts can display without asterisk and checkmark.
• User permissions control the ability to configure and view time-series data.
• Peaks and valleys displayed in the chart depict high- and low-volume activity
• Time-series charts are useful to investigate short-term and long-term data trending
Zooming in
To zoom in to a shorter chart interval, hold the left mouse button pressed while moving the mouse pointer to the left or right; release the mouse button when you have highlighted the interval that you want to zoom in to
bottom
• Items displaying event data provide the View in Log Activity link
Activity tabs
• The same way as with the charts in the dashboard items, you can zoom in, hover over, and hide data
• If you want to configure what the chart displays, click the yellow icon in the header
The Log Activity and Network Activity tabs display only one time-series chart. QRadar SIEM
displays this chart even if it did not capture time-series data for the chart. Any missing time-series
Exercise introduction
Complete the following exercises in the Course Exercises book
• Creating a new dashboard
Summary
Now you should be able to perform the following tasks:
• Navigate the Dashboard tab
• Customize dashboard items
• Utilize time-series charts
Creating Reports
Reports condense data to statistical views on your environment for various purposes, in particular
to meet compliance requirements. This unit teaches you how to generate a report using a
predefined template and create a report template.
Reference:
• IBM App Exchange https://exchange.xforce.ibmcloud.com/hub
Objectives
In this unit, you learn to perform the following tasks:
• Navigate and use the Reports tab
• Generate and view a report
• Use the Report Wizard to create a custom report template
Lesson 1 Navigating the Reports tab
QRadar SIEM and extensions provide many templates you can use to generate reports. In this
lesson, you learn how to access the report templates and generate a report.
Reference:
• IBM App Exchange https://exchange.xforce.ibmcloud.com/hub
Reporting introduction
• A QRadar SIEM report is a means of scheduling and automating one or more saved searches
• QRadar SIEM reports perform the following tasks
Present measurements and statistics
Provide users the ability to create custom reports
Can brand reports and distribute them
• Predefined report templates serve a multitude of purposes, such as the following examples
Regulatory compliance
Authentication activity
Operational status
Network status
Executive summaries
QRadar SIEM administrators can install extensions to add report templates for the following
regulatory schemas:
Reporting demonstration
Demonstrate finding a template and generating a report and have the students follow along. Make
sure your QRadar SIEM contains security data to generate a report. The
/labfiles/sendCheckpoint.sh script provided the events displayed in the screen captures in this
unit.
Reports tab
You can search and sort report templates in a similar way as events and flows
QRadar SIEM administrators can select Branding on the left side to upload logos for your reports.
Once a logo is uploaded, users can use the logo when creating or editing report templates.
Finding a report
• QRadar SIEM and extensions provide many report templates
Before you create a new template, check the installed templates and the templates provided by extensions
available on the IBM App Exchange
Hide Inactive Reports: Disable to display all inactive report templates
IBM App Exchange: QRadar SIEM administrators can add more report templates by downloading and installing extensions
reporting group name matches the search criteria
• Active reports: QRadar SIEM generates reports for active templates automatically according
to the schedule, unless the schedule is set to Manual. QRadar SIEM lists active templates with
a manual schedule if the Hide Inactive Reports check box is enabled.
• To learn about available extensions, visit the IBM App Exchange
(https://exchange.xforce.ibmcloud.com/hub)
Running a report
Run Report: Generate a report for the selected report template immediately, regardless of its schedule or active/inactive state
Toggle scheduling: Toggle the active and inactive state of the selected template
Run Report on Raw Data: Generate a report on raw data if QRadar SIEM has not captured the required time-series data
Delete Generated Content: Delete any generated report for the selected template
• Exclamation mark:
The leftmost column with the exclamation mark includes an error icon when a report fails to
generate
• Run Report:
Initiate the generation of a report for the selected template. The generation uses accumulated
time series data. If no accumulated data is available when the report runs, the generated report
displays the message that accumulated data is not available. Refer to the next lesson to learn
data store to generate the report. Running a report on raw data takes a longer time to process
than running a report on accumulated time series data.
Estimated 34 seconds until the report is generated
Viewing a report
Lesson 2 Creating a report template
If the provided default report templates do not meet your specific needs, you can create a
customized report template. In this lesson, you learn how to use the Report Wizard to create a new
report template and generate the report.
Reporting demonstration
Demonstrate creating a new report template and have the students follow along.
The selection in the example screen capture configures QRadar SIEM to generate a report on each Monday, Tuesday, Wednesday, Thursday and Friday at 2:00 am
• Default data time range to use
Regardless of when a report template is configured to run, it uses the data from the previous time period by default
Hourly uses the data from the previous hour
Daily uses data from the previous day, 12:00 am through 11:59 pm
Weekly uses the data from the previous week, Monday 12:00 am through Sunday 11:59 pm
Monthly uses data from the previous month, 1st of the month 12:00 am through last day of the month 11:59 pm
For Daily, Weekly and Monthly, a later wizard page allows you to change the default time ranges stated above
QRadar SIEM generates a report for a template configured to be started Manually only when a
QRadar user initiates a run.
The screen capture displays the default configuration for Daily. By default Daily reports use the data
from the previous day. Therefore, the configuration generates reports that use data from Sunday
• While Hourly reports substitute missing time series data by directly using raw data, Daily, Weekly, and Monthly reports can only use time series data and therefore have only complete time series data available on their second or third scheduled run; example:
On a Tuesday, you configure a report to run weekly on each Wednesday; time series accumulation begins
1st Wednesday: The generated report is empty because data accumulation started after the previous week had ended
2nd Wednesday: The generated report displays incomplete data because data accumulation started only on Tuesday in the previous week
3rd Wednesday: The generated report displays data from the previous week because accumulated data is available for the whole week
If you select Run Report, the report generates from time series data. If time series data is not
available for the required reporting period, the generated report displays the message that
accumulated data is not available.
Templates configured to be started Manually do not kick off time series data accumulation implicitly
like the other scheduling options do.
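The default data ranges from the scheduling page and the weekly accumulation scenario above, worked through as an added Python example that is not code from the course or from QRadar. It assumes exactly the defaults the slide states (previous hour, previous calendar day, previous Monday-to-Sunday week, previous calendar month) and models time-series coverage as empty, incomplete or complete from the moment accumulation began; the dates are constructed, with Tuesday 2017-12-05 as the day the weekly template is configured.

```python
"""Default reporting period and time-series coverage for scheduled reports.

Added example, not IBM code. Implements the defaults stated on the slide
(previous hour / day / Monday-to-Sunday week / calendar month) and the
empty / incomplete / complete outcomes of the weekly example. Periods are
returned as [start, end) with end = the midnight after '11:59 pm'.
"""
from datetime import datetime, timedelta, time
from typing import List, Tuple


def default_data_range(schedule: str, run_time: datetime) -> Tuple[datetime, datetime]:
    """Data period a report uses by default, regardless of when it runs."""
    midnight = datetime.combine(run_time.date(), time.min)
    if schedule == "Hourly":
        start = run_time.replace(minute=0, second=0, microsecond=0) - timedelta(hours=1)
        return start, start + timedelta(hours=1)
    if schedule == "Daily":
        return midnight - timedelta(days=1), midnight
    if schedule == "Weekly":
        this_monday = midnight - timedelta(days=run_time.weekday())   # Monday == 0
        return this_monday - timedelta(days=7), this_monday
    if schedule == "Monthly":
        first_of_this_month = midnight.replace(day=1)
        first_of_previous = (first_of_this_month - timedelta(days=1)).replace(day=1)
        return first_of_previous, first_of_this_month
    raise ValueError(f"unknown schedule: {schedule}")


def describe_range(schedule: str, run_iso: str) -> Tuple[str, str]:
    """Same as default_data_range, with ISO-8601 strings in and out."""
    start, end = default_data_range(schedule, datetime.fromisoformat(run_iso))
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


def time_series_coverage(schedule: str, run_time: datetime, accumulation_start: datetime) -> str:
    """'complete', 'incomplete' or 'empty', depending on when accumulation began.
    Hourly reports fall back to raw data, so they are always 'complete' here."""
    if schedule == "Hourly":
        return "complete"
    start, end = default_data_range(schedule, run_time)
    if accumulation_start >= end:
        return "empty"          # accumulation began after the period had ended
    if accumulation_start > start:
        return "incomplete"     # accumulation began inside the period
    return "complete"


def weekly_example() -> List[str]:
    """The slide's scenario: configured on Tuesday 2017-12-05, runs every Wednesday 02:00."""
    accumulation_start = datetime(2017, 12, 5, 10, 0)          # constructed
    runs = [datetime(2017, 12, 6, 2), datetime(2017, 12, 13, 2), datetime(2017, 12, 20, 2)]
    return [time_series_coverage("Weekly", run, accumulation_start) for run in runs]


if __name__ == "__main__":
    for sched in ("Hourly", "Daily", "Weekly", "Monthly"):
        start, end = describe_range(sched, "2017-12-06 02:00")
        print(f"{sched:<8} {start} .. {end} (exclusive)")
    print("Weekly scenario:", weekly_example())
```

The three weekly runs come out as empty, incomplete and complete in that order, matching the 1st, 2nd and 3rd Wednesday on the slide; the same function applied to a Daily template shows why a daily report is usable one run earlier, since its period is only the previous day.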
Choosing a layout
QRadar SIEM uses containers to separate report pages so that different data sets can display on the same report page
When you select the layout of a report, consider the type of report you want to create. For example,
do not choose a small chart container for graph content that displays a large number of objects.
The report saves with the name entered in the Report Title field
Enter chart title
Select the previously saved search to report firewall activity
Select the graph type. The available graph types depend on the chart type
Select the property to graph for both axes
Optionally record the runs of the selected saved search in an
Select graph type Table to list the reported data in a table
Select which kind of offenses you want to report
Layout preview
• The Layout Preview provides only the layout of the report; it does not show the actual data
• Reports can take a long time to generate. Therefore, the preview helps you configure the layout correctly before running a potentially large amount of real data for a long time
Choosing a format
Select any or all of the available output formats for your report
You will most likely use the PDF format for most of your reports, but you can also generate reports in HTML and RTF format. XML and RTF facilitate further processing and the extraction of report data.
Allow users to view the generated report
Distribute the report by email
• Use reporting groups to sort report templates by purpose, such as a specific regulatory or executive requirement
communicate the data
• Do not choose a small page division for a graph that might contain a large number of objects
• Executive summary reports use one-page or two-page divisions to simplify the report focus
Exercise introduction
Complete the following exercises in the Course Exercises book
• View an existing report
• Create a new event report
• Create a new search and report
Summary
Now you should be able to perform the following tasks:
• Navigate and use the Reports tab
• Generate and view a report
• Use the Report Wizard to create a custom report template
Using Filters
Filters limit a search result to the data that meets the conditions of the applied filters. Use filters to
look for specific activities or to view your environment from various angles. This unit teaches you
about some of the many available filters.
Reference:
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803
Objectives
In this unit, you learn to perform the following tasks:
• Apply filters that include or exclude specific events and flows
Lesson 1 Filters overview
QRadar SIEM provides filters so that you can focus on specific data. This lesson introduces you to
operators and indexes.
Reference:
Filters introduction
• Filters are search criteria
• Use filters to look for specific activities and narrow down search results
• Right-click a property value in a list of events or flows to open a menu with a few filter options
To use other filters, click the Add Filter icon
• A wide variety of parameters is available for filtering. Previous course modules have already
introduced the following parameters
Source and Destination IP addresses
Source and Destination port numbers
Event and Flow Direction
Rules and building blocks that have fired
Groups and network objects as defined in the Network Hierarchy
Operators
• A wide variety of operators is available for filtering
• The nature of the parameters determines which kind of operators are available
To build an OR expression, use Equals any of.
Indexes
• [Indexed] behind a property in the Parameter drop-down list indicates that QRadar SIEM maintains an index for values of the property
• An index on a filtered property significantly reduces the run-time of a search
• If you use a property without index in a filter, add additional filters with indexed properties to lower the number of events or flows that QRadar SIEM needs to search
Refer to the Searching your QRadar data efficiently technote (http://www.ibm.com/support/docview.wss?uid=swg21689803) for more information about search optimization.
Lesson 2 Filtering events and flows
Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on
events and flows.
located in the selected continents, countries, or regions
• When applying a regex to the payload of flows, QRadar SIEM tests the captured layer 7 content sent by the source or destination socket
• Performing a regex on payloads consumes more computational resources than any other filter
With a regex filter, do not select real time or last interval viewing of log activity or network activity
The Log Activity and
Payload Contains
• The only difference between Payload Matches Regular Expression filters and the Payload Contains
filters is that the latter performs a substring test instead of a regular expression test
• Follow the same best practices as for regular expressions, because the substring operation is less
expensive than regular expression matching but still consumes much more computational resources
than other filters
Event Processor
• The appliances that store events and flows perform searches and transfer the result to the Console appliance
• If you know which appliances store the relevant events and flows, add a filter on these Event
Processor appliances
• The Event Processor parameter is not only available for events but also for flows because the event
and flow processor functionality is provided by the same software component
Lesson 3 Filtering events
Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on
events.
Log Source
Use the log source filter to include or exclude events from a specific service
from the selected log sources
• For example, you can exclude the log sources that QRadar SIEM uses for its own services
Event Is Unparsed
• Use the Event Is Unparsed filter to include or exclude events that event collectors linked to a generic log source
• Event collectors link events to a generic log source when they cannot automatically discover the kind
of software or device sending the raw events, and no log source type has been configured manually
by a QRadar administrator
• Extensions and QRadar administrators can add custom event and flow properties in order to parse information specific to certain kinds of software or devices; for example the HTTP version from web servers
Lesson 4 Filtering flows
Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on
flows.
captured by the selected flow sources or interfaces
TCP Flags
Use the Source and Destination Flags filters to include or exclude flows with the selected TCP flags
DSCP
Use the Source and Destination DSCP filters to include or exclude flows with the selected Quality of
Service precedence in IP headers
ICMP Type/Code
Use the ICMP Type/Code filter to include or exclude flows with the selected ICMP Type and Code
Data Loss
Combine filters to look for large amounts of data leaving your organization
Summary
Now you should be able to perform the following tasks:
• Apply filters that include or exclude specific events and flows
Using the Ariel Query Language (AQL) for Advanced Searches
Ariel Query Language (AQL) queries can retrieve stored data more flexibly than interactively built
searches. This unit teaches you how to build and use AQL queries.
Reference:
Objectives
In this unit, you learn to perform the following tasks:
• Describe the basics of AQL
• Build AQL queries in advanced searches
Lesson 1 Describe the basics of AQL
Reference:
• QRadar Ariel Query Language Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
• Use AQL to retrieve, filter, and perform actions on events and flows from the Ariel database of QRadar SIEM
• AQL is used for advanced searches to get data that might not be easily accessible from the user interface. This provides extended functionality to the search and filtering capabilities in QRadar SIEM
• AQL V3 represents the current structure of the Ariel Database. Older versions are deprecated because property names in the Ariel database have been changed or properties were removed. If you have queries that use these properties, you must replace them
ORDER BY, LIMIT, and LAST clauses
• Operators are used in AQL statements to determine any equality or difference between values. By using operators in the WHERE clause of an AQL statement, the results are filtered by those results that match the conditions in the WHERE clause
• A variety of functions exists in AQL. They are used in the SELECT statement with properties where the function returns specific data from
SELECT statement
• Use the SELECT statement to select properties of events or flows
• For example, select all properties from events or flows by typing
SELECT * FROM events, or SELECT * FROM flows
• Use the SELECT statement to select the columns that you want to display in the query output
SELECT sourceip, destinationip, username FROM events
• A SELECT statement can include the following elements:
Properties from the events or flows databases
Custom properties from the events or flows databases
Functions that you use with properties to represent specific data that you want to return
SELECT statement
© Copyright IBM Corporation 2017
ec n
oy cio
pr a
rm
Fo
• SELECT sourceip AS 'MY Source IPs' FROM events
Returns the sourceip column as the alias or renamed column 'MY Source IPs'
• SELECT ASSETHOSTNAME(sourceip) AS 'Host Name', sourceip FROM events
Returns the output of the function ASSETHOSTNAME as the column name Host Name, and the sourceip column from the events database
WHERE clause
• Use the WHERE clause to insert a condition that filters the output, for example:
WHERE logsourceid='65'
• A search condition is a combination of logical and comparison operators that together make a test. Only those input rows that pass the test are included in the result
• You can apply the following filters when you use a WHERE clause in a query:
– Equal sign (=), Not equal to symbol (<>)
– Less than symbol (<), Greater than symbol (>)
– Less than or equal to symbol (<=), Greater than or equal to symbol (>=)
– BETWEEN between two values, for example (64 AND 512)
– LIKE case sensitive match, ILIKE case insensitive match
– IS NULL is empty
– AND / OR combine conditions or either condition
– TEXT SEARCH text string match
SELECT sourceIP, category, credibility
FROM events
WHERE
severity > 9
AND
category = 5013
• Change the order of evaluation by using parentheses. The search conditions that are enclosed in parentheses are evaluated first
SELECT sourceIP, category, credibility
FROM events
WHERE
(severity > 9 AND category = 5013)
OR
(severity < 5 AND credibility > 8)
GROUP BY clause
• Use the GROUP BY clause to aggregate your data by one or more columns. To provide meaningful results of the aggregation, data aggregation is usually combined with arithmetic functions on the remaining columns
• When you use the GROUP BY clause with a column name or AQL function, only the first value is returned for the GROUP BY column, by default, even though other values might exist
SELECT sourceIP, SUM(sourceBytes)
FROM flows WHERE sourceBytes > 1000000
GROUP BY sourceIP
• To view the average number of events from a source IP, use the following syntax
SELECT AVG(eventCount), PROTOCOLNAME(protocolid)
FROM events
GROUP BY sourceIP
HAVING clause
• Use the HAVING clause in a query to apply more filters to specific data by applying filters to the results after the GROUP BY clause
• The HAVING clause follows the GROUP BY clause
• You can apply the following filters when you use a HAVING clause in a query:
– Equal sign (=), Not equal to symbol (<>)
– Less than symbol (<), Greater than symbol (>)
– Less than or equal to symbol (<=), Greater than or equal to symbol (>=)
– BETWEEN between two values, for example (64 AND 512)
– LIKE case sensitive match, ILIKE case insensitive match
– SUM/AVG total or average values
– MAX/MIN maximum or minimum values
SELECT username, UNIQUECOUNT(sourceip) AS 'Count of Source IPs'
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE '%vpn%'
AND username IS NOT NULL
GROUP BY username
HAVING "Count of Source IPs" > 4
LAST 24 HOURS
• The following query groups results by source IP but displays only results where the magnitude (HAVING magnitude > 5) is greater than five
SELECT sourceIP, magnitude
FROM events
GROUP BY sourceIP
HAVING magnitude > 5
ORDER BY clause
• Use the ORDER BY clause to sort the resulting view based on expression results. The result is sorted in ascending or descending order
• Note: When you type an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison
• You can use the ORDER BY clause on one or more columns
• Use the GROUP BY and ORDER BY clauses in a single query
• Sort in ascending or descending order by appending the ASC or DESC keyword to the ORDER BY clause
FROM flows
WHERE sourceBytes > 1000000
ORDER BY sourceBytes DESC
• To determine the top abnormal events or the most bandwidth-intensive IP addresses, you can combine GROUP BY and ORDER BY clauses in a single query. For example, the following query displays the most traffic-intensive IP addresses in descending order
SELECT sourceIP, SUM(sourceBytes)
FROM flows
GROUP BY sourceIP
ORDER BY SUM(sourceBytes) DESC
• When you enter an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison
• You can call a custom property directly in your AQL statements. If the custom property contains spaces, you must use double quotation marks to encapsulate the custom property
VARCHAR string.
Examples:
SELECT * from events WHERE sourceip = '173.16.152.214'
SELECT * from events WHERE userName LIKE '%james%'
Use double quotation marks for the following query items to specify table and column names that contain spaces or non-ASCII characters, and to specify custom property names that contain spaces or non-ASCII characters.
Examples:
SELECT "username column" AS 'User name' FROM events
SELECT "My custom property name" AS 'My new alias' FROM events
Use double quotation marks to define the name of a system object such as property, function, database, or an existing alias.
Example:
SELECT "Application Category", sourceIP,
EventCount AS 'Count of Events'
FROM events GROUP BY "Count of Events"
Use double quotation marks to specify an existing alias that contains a space when you use a WHERE, GROUP BY, or ORDER BY clause
Examples:
SELECT sourceIP, destinationIP, sourcePort,
EventCount AS 'Event Count',
category, hasidentity, username, payload, UTF8(payload),
QID, QIDNAME(qid) FROM events
WHERE (NOT (sourcePort <= 3003 OR hasidentity = 'True'))
AND (qid = 5000023 OR qid = 5000193)
AND (INCIDR('1.1.1.0/4', sourceIP))
Use single quotation marks to specify an alias for a column definition in a query.
Example:
Use double quotation marks to specify an existing alias that contains a space when you use a WHERE, GROUP BY, or ORDER BY clause.
Example:
SELECT sourceIP AS 'Source IP Address',
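To make the quoting rules above concrete, here is an added helper (not part of this course guide or of QRadar) that composes AQL statements from structured parts: plain identifiers stay bare, names with spaces or non-ASCII characters and aliases referenced in HAVING or ORDER BY get double quotes, and string comparison values and alias definitions get single quotes. It rebuilds the HAVING and ORDER BY examples of this unit; rejecting embedded quote characters and accepting MINUTES/DAYS in LAST are assumptions, not taken from this page.

```python
"""Compose AQL statements following the quoting rules described above.

Added helper for this course guide, not part of QRadar. Assumption (the page
documents no escape sequence): embedded quote characters are rejected, not
escaped, so an analyst-supplied value can never terminate a literal early.
"""
import re

# Bare identifiers: ASCII letters, digits and underscore. Anything else (a custom
# property with spaces, the alias "Count of Source IPs") is double-quoted.
_BARE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_OPS = {"=", "<>", "<", ">", "<=", ">=", "LIKE", "ILIKE"}
_NULL_OPS = {"IS NULL", "IS NOT NULL"}
# The page shows LAST 24 HOURS; MINUTES and DAYS are assumed from the AQL guide.
_LAST = re.compile(r"^\d+ (MINUTES|HOURS|DAYS)$")


def quote_identifier(name):
    """Property, custom property or existing alias: bare if plain, else double-quoted."""
    if '"' in name:
        raise ValueError(f"identifier may not contain a double quote: {name!r}")
    return name if _BARE.match(name) else f'"{name}"'


def quote_string(value):
    """String comparison value or alias definition: always single-quoted."""
    if "'" in value:
        raise ValueError(f"string may not contain a single quote: {value!r}")
    return f"'{value}'"


def expr(e):
    """Function calls such as LOGSOURCENAME(logsourceid) pass through unchanged."""
    return e if "(" in e else quote_identifier(e)


def literal(v):
    """Numbers stay bare (severity > 9); anything else, e.g. hasidentity = 'True', is a string."""
    if isinstance(v, (int, float)) and not isinstance(v, bool):
        return str(v)
    return quote_string(str(v))


def condition(left, op, right=None):
    """One WHERE or HAVING test, restricted to the operators the page lists."""
    if op in _NULL_OPS:
        return f"{expr(left)} {op}"
    if op not in _OPS:
        raise ValueError(f"unsupported operator: {op!r}")
    return f"{expr(left)} {op} {literal(right)}"


def build_query(table, columns, where=(), group_by=(), having=(), order_by=(), last=None):
    """Assemble the clauses in AQL order: columns are (expression, alias or None)
    pairs, where/having are (left, op, right) tuples joined with AND, order_by
    holds (expression, 'ASC' or 'DESC') pairs."""
    if table not in ("events", "flows"):
        raise ValueError("AQL reads from the events or flows database")
    select = ", ".join(f"{expr(c)} AS {quote_string(a)}" if a else expr(c)
                       for c, a in columns)
    parts = [f"SELECT {select} FROM {table}"]
    if where:
        parts.append("WHERE " + " AND ".join(condition(*w) for w in where))
    if group_by:
        parts.append("GROUP BY " + ", ".join(expr(g) for g in group_by))
    if having:
        parts.append("HAVING " + " AND ".join(condition(*h) for h in having))
    if order_by:
        if any(d not in ("ASC", "DESC") for _, d in order_by):
            raise ValueError("sort direction must be ASC or DESC")
        parts.append("ORDER BY " + ", ".join(f"{expr(c)} {d}" for c, d in order_by))
    if last:
        if not _LAST.match(last):
            raise ValueError(f"LAST clause must look like '24 HOURS': {last!r}")
        parts.append(f"LAST {last}")
    return " ".join(parts)


def vpn_fanout_query(threshold=4, hours=24):
    """The page's HAVING example: users seen from more than `threshold` source IPs over VPN."""
    return build_query(
        "events",
        [("username", None), ("UNIQUECOUNT(sourceip)", "Count of Source IPs")],
        where=[("LOGSOURCENAME(logsourceid)", "ILIKE", "%vpn%"), ("username", "IS NOT NULL")],
        group_by=["username"],
        having=[("Count of Source IPs", ">", threshold)],
        last=f"{hours} HOURS",
    )


def top_talkers_query():
    """The page's ORDER BY example: most traffic-intensive source IPs first."""
    return build_query(
        "flows",
        [("sourceIP", None), ("SUM(sourceBytes)", None)],
        group_by=["sourceIP"],
        order_by=[("SUM(sourceBytes)", "DESC")],
    )
```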
Lesson 2 Build AQL queries in advanced searches
The QRadar SIEM user interface provides an easy way to create AQL queries. In this lesson, you learn how to build an AQL query in the user interface.
• Drag the Search field on the right side and pull it down. Now you can start entering an AQL query
events by magnitude descending
2. Find all events that belong to the offense with the ID 2
3. How many events do you have in the Ariel database? (How many of these have a magnitude of 5 or greater?)
4. List all categories and category names from events that belong to the offense with the ID 3. Group the events by category
Exercise introduction
Complete the following exercises in the Course Exercises book
• Using AQL in advanced searches
Summary
Now you should be able to perform the following tasks:
• Describe the basics of AQL
• Build AQL queries in advanced searches
Analyzing a Real-World Large-Scale Attack
This unit evaluates a large-scale advanced persistent attack against a US retailer. You will evaluate how a properly implemented Security Intelligence solution could have helped to fend off the attackers.
This unit is based on the “Kill Chain” Analysis of the 2013 Target Data Breach study by the Committee On Commerce, Science and Transportation, which is available at the following URL:
https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf
Objectives
In this unit, you focus on the following tasks:
• Analyze the provided attack scenario
• Discuss in your team how a proper centralized Security Intelligence approach could have avoided this nightmare scenario
After investigating what happened during the attack, you will have an opportunity to discuss in teams how this incident could have been mitigated or avoided by implementing properly configured
“Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. It is the second-largest discount retailer in the United States, Walmart being the largest. The company is ranked 36th on the Fortune 500 as of 2013 and is a component of the Standard & Poor's 500 index. Its bullseye trademark is licensed to Wesfarmers, owners of the separate Target Australia chain, which is unrelated to Target Corporation.”
“The first Target store was opened in 1962 in Roseville, Minnesota. Target grew and eventually became the largest division of Dayton Hudson Corporation, culminating in the company being renamed as Target Corporation in August 2000. Target operates 1,916 stores in the United States; it began operations in Canada in March 2013 and operates 127 locations through its Canadian subsidiary. In December 2013, a data breach of Target's systems affected up to 110 million customers.”
Source: Wikipedia
operates 1,916 stores in the United States. It also began operations in Canada in March 2013. In December 2013, a data breach of Target's systems affected up to 110 million customers.
The situation
“In November and December 2013, cyber thieves executed a successful cyber attack against Target, one of the largest retail companies in the United States. The attackers gained access to Target’s computer network, stole the financial and personal information of as many as 110 million Target customers, and then removed this sensitive information from Target’s network to a server in Eastern Europe.”
“John Mulligan, Target’s Executive Vice President and Chief Financial Officer, testified that his company “had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools.” He further stated that Target had been certified in September 2013 as compliant with the Payment Card Industry Data Security Standards (PCI-DSS), which credit card companies require before allowing merchants to process credit and debit card payments.”
Source: “Kill Chain” Analysis of the 2013 Target Data Breach; Committee On Commerce, Science and Transportation
Within a very short time period of two months, cyber thieves executed a successful cyber attack against Target. The attackers gained access to Target’s computer network, stole the financial and personal information of as many as 110 million Target customers, and then removed this sensitive information from Target’s network to a server in Eastern Europe.
Target had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities, and data loss prevention tools. Additionally, Target had been certified in September 2013 as compliant with the Payment Card Industry Data Security Standards (PCI-DSS), which credit card companies require before allowing merchants to process
This investigative data has been made publicly available through the United States Committee On
Source: Lockheed Martin
Every attack begins with a reconnaissance phase where the attackers select their main targets. Once they have their data identified, they research and identify external and potentially vulnerable connections. These can include direct network access points or systems, as well as employees or
In the weaponization phase the attackers pair remote access malware with well-known exploits into a deliverable payload, such as Adobe PDF or Microsoft Office files.
The delivery phase consists of the actual transmission of the weapon to a target. The most common approach is to use phishing attacks via email attachments, websites, or even physical USB drives.
Once delivered, the weapon’s code is triggered on the target systems, exploiting vulnerable applications or systems.
During the installation phase the weapon now installs a backdoor on a target’s system, allowing persistent access. It is also very common for the weapon to regularly install new variants to avoid or distract detection.
Once the weapon is activated it begins communicating with outside servers that provide real-time system access for the attackers, who can now extend their reconnaissance from within the attacked network and systems.
After final weapons and communication paths are established, the attackers work to achieve the objective of the intrusion. Most likely, this includes exfiltration, encryption or destruction of data.
Let us now investigate the Target kill chain timeline and find out what really happened.
1
Roughly at the same time when Target was PCI-DSS certified, the first phases of the attack were executed.
In the first reconnaissance phase the attacker gathered as much information as possible about the victim. In this case, the attackers were able to find information about a third-party vendor of Target through simple Internet searches. Target even displayed a public Internet portal for vendors, which gave away the kind of software that was used for their online vendor billing. Equipped with this knowledge, the attackers then started their reconnaissance on one particular vendor, Fazio.
In the weaponization phase the attackers created malware-laden emails, likely attaching a PDF or Microsoft Office document.
In the first part of the delivery phase, the attackers sent infected emails to the vendor in a so-called phishing attack. Once deployed, the malware started to record passwords and provided the attackers with their key to Target’s external billing system.
2
In the second part of the delivery phase, the attackers leveraged their access to this vendor’s system to enter Target’s network. Weak security at the perimeter of Target’s network may have contributed to the attackers’ success in breaching the most sensitive area of Target’s network containing cardholder data. Using the vendor’s credentials to gain access to Target’s inner network, it appears the attackers then directly uploaded their RAM scraping malware to POS terminals.
3
In the exploitation phase, the RAM scraping malware and exfiltration malware began recording millions of card swipes, and storing the stolen data for later exfiltration.
Reports suggest that the attacker maintained access to the vendor’s systems for some time while attempting to further breach Target’s network during the installation phase. It is unclear exactly how the attacker could have escalated its access from the external billing system to deeper layers of Target’s internal network. But given the installation of the BlackPOS malware on Target’s POS terminals, the compromise of 70 million records of non-financial data, and the compromise of the internal Target servers used to gather stolen data, it appears that the attackers succeeded in moving through various key Target systems by exploiting default account names in Target’s IT management system.
Based on the reported timeline of the breach, the attackers had access to Target’s internal network for over a month and compromised internal servers with exfiltration malware by November 30.
While the exact method by which the attackers maintained command and control is unknown, it is clear that the attackers were able to maintain a line of communication between the outside Internet and Target’s cardholder network.
The attackers transmitted the stolen data to outside servers – at least one of which was located in Russia – in plain text via FTP (a standard method for transferring files) over the course of two weeks.
On December 12, the US Department of Justice notified Target that their stolen credit card credentials had been identified on a Russian Dark Web site where they were offered for sale. At this point in time, no one at Target had realized that there was an attack.
Target immediately started intense investigations and was able to stop further activities to exfiltrate data, and three days later most of the malware had been removed.
It was at this time that Target found out not only about the loss of 40 million credit card records but also about an additional 70 million customer data records without financial information.
• FireEye event
• False positive prone
Users do not fully trust
• No additional activity information
What traffic preceded and followed, from and to where?
• Business context
Are critical assets exposed?
• Network context
Can the attackers reach critical assets?
• No business process for triaging and analyzing was defined
Firewall and endpoint analysts may have disregarded these events as false positives, because no action was initiated. The reason for that can be found in the complexity, where those point solutions do not communicate with one another. It is hard to retrieve additional activity information about the preceding and following traffic, and to realize business and network context by just looking at individual incidents without any correlation. The ability to include business context and risk management can show if any high value assets are exposed by a certain attack pattern. Network context shows if those assets can be physically reached by the malware.
Without the means for correlating the individual events, the attack was ignored.
• More alerts
• Different areas of network
• Not correlated with other activity or in the context of the business or network
• Not enough visibility or context
• Still ignored
the ongoing malware deployment and data exfiltration. This resulted in the fact that the ongoing attack was still being ignored.
• Too Late
• Nightmare business scenario unfolds
backend data servers as well as ongoing exfiltration transmissions to external FTP servers. The communication lines were then severed and the malware removed from the systems.
It was an awakening to the worst-case business scenario any organization can possibly face.
Missed opportunities
In summary, several situational actions and reactions led to the disaster.
First, the attackers took advantage of weak security at a Target vendor, and thus gained an initial foothold in Target’s inner IT network.
This happened while Target missed initial warnings from their anti-intrusion software that attackers were installing malware on their deployed assets.
Then the attackers took advantage of further weak controls within Target’s network and successfully maneuvered into the network’s most sensitive areas.
During the final phase of the attack, Target missed further warnings from its anti-intrusion software about the attackers’ escape plan, allowing them to steal as many as 110 million customer records.
Exercise introduction
Complete the following exercises in the Course Exercises book
• Investigate the Target kill chain timeline
• Suggest improvements
How could this scenario have been avoided?
In this exercise, you find a few dedicated questions and investigate possible solutions to improve correlation and reaction for a security team.
Revisit the idea of the Security Immune System and apply your understanding to this exercise.
Also, revisit the “Kill Chain” Analysis of the 2013 Target Data Breach study by the Committee On
Source:
https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf
Potential improvements
• Network flow data
• Vulnerability data
• Network topology
• Asset profile with business context, risk, ownerships
• Correlation rules
• User behavioral analysis
• Increased incident relevance
• One incident case and analysis workflow
• Integrated forensics - Rapid confirmation of attack
• Massive reduction of window of exposure
Summary
In this unit, you performed the following tasks:
• Analyze the provided attack scenario
• Discuss in your team how a proper centralized Security Intelligence approach could have avoided this nightmare scenario
In this unit, you investigated what happened during the attack, and you have discussed how this incident could have been mitigated or avoided by implementing properly configured and connected SIEM
Appendix: A real-world scenario introduction to IBM QRadar SIEM
In this appendix you can study a real-world attack scenario to explain the following details:
• How a successful attack is instigated by infecting portable computers outside of an organization’s physical network infrastructure using a “watering hole” attack
• How this infected computer then spreads the malicious code and how it contacts a remote command and control server once it returns to the organization’s environment
• How the overall timeline works for the bad guys
• That this type of attack can only be mitigated by correlation and collaboration (Security Intelligence) inside an organization using a variety of detection tools across several IT disciplines
Objectives
In this unit, you learn to perform the following tasks:
• Investigate the anatomy of an attack
Step 1: Stake out the watering hole
[Diagram: watering holes at regional financial services institutions (MA, NY, Metro). The attackers insert an iFrame that redirects visitors to a zero-day malware download. An employee using a corporate laptop at home visits the compromised consumer banking site and is redirected to the zero-day malware download. Employees bring their infected laptops to work the next day.]
Attack vectors
• Fraudulent malware download (maybe as part of a JPG, a PDF, or just by visiting a website that downloads a malicious JavaScript) that is not detected by antivirus software
• Spear phishing - luring people to click on something “interesting”
• Network attack vectors - command and control malware uses “unusual ports” on the client’s
The next slides look at the timeline, the actual vulnerabilities that were involved, and the malicious communication scheme.
The hackers plant a hidden iframe on the consumer portal
Infections are detected at several IBM clients
IBM Emergency Response Services are deployed for incident response
IBM collaborates with the FBI, major antivirus (AV) vendors, and others to protect its clients
Hidden iFrame
Note: This slide uses animation to sequentially display the bullet point groups.
Variant A Variant B
Note: This slide uses animation to display the two variants sequentially.
Sources:
http://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/#gref
http://resources.infosecinstitute.com/gh0st-rat-part-2-packet-structure-defense-measures/#gref
The next slide explains what happens after a computer has been infected.
After being infected, compromised hosts made contact with a remote command and control server in China
• Infected machines attempt to communicate with one of two Chinese command and control (C&C) servers, 58.64.155.57 and 58.64.155.59, on ports 53, 80, and 443
• If communications are successfully established, the C&C server gains complete, real-time control of a system on the protected network
• The malware, a remote access Trojan, allows a remote attacker to access data, log system activity, capture key logs, take screenshots, activate the system’s camera, and record from the system’s microphone
• The remote attacker can also drop additional downloads and programs on the controlled machine, and use it as a launching point for further attacks
Note: This slide uses animation to sequentially display the bullet points.
• The infected machine “legitimately” distributes more malware inside the enterprise network to gain a stronger foothold if detected
• The malware’s first goal is to obtain privileged user identities, which it then uses to gain access to valuable assets inside the enterprise network
• Most attacks use ports and scans that typically are not executed from either the infected machines or user IDs
• After valuable assets are found, they are slowly exfiltrated to not raise any suspicion
Note: This slide uses animation to sequentially display the bullet points. Use the details below to address controls and counter measures for each of these attack vectors.
The following details describe how each of these attack vectors can be countered by proper measures.
• The infected machine “legitimately” distributes more malware inside the enterprise network to gain a stronger foothold if detected
– Endpoint management negation - Additional software gets installed on the machine by remote malware.
– Control: Endpoint management software should immediately detect any new software deployments, report them, and either remove them or deny network access.
• The malware’s first goal is to obtain privileged user identities, which it then uses to gain access to valuable assets inside the enterprise network
– Privileged user access - If a machine of a privileged user is found, that credential is going to open many doors for the attackers.
– Control: A privileged user access control system can negate the chance of any attacker gaining privileged access because those IDs have to be signed out through a particular process using multi-factor authentication and other security means.
– Control: If privileged user access is maliciously gained, a data access monitoring solution can realize that large amounts of privileged data are being accessed in a behavioral pattern that does not reflect usual routines and report on it.
• Most attacks use ports and scans that typically are not executed from either the infected machines or user IDs
– Network anomalies - Unusual ports or scan activity is detected from IT systems that usually do not display such activity.
– Control: The flow control system shows traffic records involving on-site and off-site IT systems and immediately logs and reports this.
• These attacks are rarely an isolated event, and the attacked organization is one out of many who are being probed by those remote command and control systems.
– Control: Public threat research feeds the recognized IP addresses and ports into a blacklist of malicious hosts that can be incorporated into the organization's Security Intelligence solution.
Only the correlation of all these single events in almost real-time enables an organization to detect and hopefully stop threats before they can be exploited and cause any damage.
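The blacklist and network-anomaly controls above, and the closing point that only their correlation catches the attack, as an added Python example (not code from this course or from QRadar): it matches flow records against the two C&C servers and three ports named on this page, flags outbound ports a host has not used before, and merges both into one case per host. The internal hosts, the port baseline and the flow records are constructed for the example.

```python
"""Correlate network flow records with threat intelligence and port anomalies.

Added example for the controls described above; it is not QRadar code. The flow
records and the per-host port baseline are constructed for this example; the
C&C indicators are the two servers and three ports named on this page.
"""
from collections import defaultdict

# Indicators from the page: C&C servers reached on ports 53, 80 and 443.
CNC_HOSTS = {"58.64.155.57", "58.64.155.59"}
CNC_PORTS = {53, 80, 443}

# Constructed baseline: destination ports each internal host normally uses outbound.
BASELINE_PORTS = {
    "10.0.1.15": {80, 443},       # workstation: web browsing only
    "10.0.2.40": {25, 53, 443},   # mail relay: SMTP, DNS lookups, HTTPS
}

# Constructed flow records: (source, destination, destination port, bytes sent).
FLOWS = [
    ("10.0.1.15", "203.0.113.10", 443, 12_000),   # ordinary web traffic
    ("10.0.1.15", "58.64.155.57", 443, 900),      # beacon to C&C on the HTTPS port
    ("10.0.1.15", "10.0.2.40", 445, 4_000),       # SMB from a host that never uses it
    ("10.0.1.15", "58.64.155.57", 8080, 50),      # C&C host on a port not in the feed
    ("10.0.2.40", "58.64.155.59", 53, 300),       # C&C hidden in the relay's normal DNS traffic
]


def match_threat_intel(flows, hosts=CNC_HOSTS, ports=CNC_PORTS):
    """Blacklist control: every flow to a listed C&C host is reported; a listed
    port raises the confidence, an unlisted one still gets a medium alert."""
    alerts = []
    for src, dst, dport, _ in flows:
        if dst in hosts:
            confidence = "high" if dport in ports else "medium"
            alerts.append((src, dst, dport, confidence))
    return alerts


def find_port_anomalies(flows, baseline=BASELINE_PORTS):
    """Network anomaly control: outbound ports a host has not been seen using before."""
    anomalies = defaultdict(set)
    for src, _, dport, _ in flows:
        if src in baseline and dport not in baseline[src]:
            anomalies[src].add(dport)
    return {src: sorted(ports) for src, ports in anomalies.items()}


def correlate(flows):
    """Merge both controls per source host, so the analyst sees one case per host
    instead of isolated alerts; hosts with the most reasons come first."""
    reasons = defaultdict(list)
    for src, dst, dport, confidence in match_threat_intel(flows):
        reasons[src].append(f"C&C contact {dst}:{dport} ({confidence} confidence)")
    for src, ports in find_port_anomalies(flows).items():
        reasons[src].append(f"unusual outbound ports {ports}")
    return sorted(reasons.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for host, why in correlate(FLOWS):
        print(host)
        for line in why:
            print("   ", line)
```

The relay's DNS-port beacon trips only the threat-intelligence control while the workstation trips both, so neither control on its own gives the complete picture.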
[Diagram: security data sources and analytics capabilities from basic to optimized maturity. Data sources: logs, events, alerts, system audit trails, identity context, network flows and anomalies, external threat intelligence feeds, full packet and DNS captures, web page text, IP reputation, email and social activity. Analytics: size and speed, enrichment and correlation, unstructured analysis, learning and prediction, customization, sharing and export, global intelligence, campaign identification.]
First, data is available to be processed; security data will need to be persisted for longer times to detect longer-running attack patterns. New cyberdata sources have more security relevance now, such as DNS. Business application data can be correlated with security data and unstructured content.
Second, there is the need for more advanced analytics that does not make sense to employ in a
1 Break-in
2 Latch-on
3 Expand
4 Gather
5 Exfiltrate
Having heard about the chaos throughout the overall IT security domain, you should now understand that you must design a proper security solution that can help you prevent some of the break-ins, and quickly detect the remaining ones to devise proper responses to mitigate the overall impact to your IT operations.
Summary
Now you should be able to perform the following tasks:
• Investigate the anatomy of an attack
IBM QRadar architecture
Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT Security who is concerned with solutions in the overall security immune system. By learning how the central Security Intelligence components are designed to take in and process log events and flow data, you will be better equipped to holistically work as a Security Analyst.
In this unit we start at the functional architecture level and explain how IBM QRadar was designed as a modular Security Intelligence solution from the ground up. After taking a look at this modular design, its extensibility and deployment pattern, we closely examine the component architecture so that the analyst understands how data is ingested and processed. When the analysts later examine bits and pieces of a larger security incident investigation, this architectural understanding can substantially enhance their capability for detailed and fast analysis.
Objectives
In this unit, you learn to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture
Appendix: Extended component architecture and data flows
Uempty
Lesson 1 QRadar functional architecture and deployment models
This lesson explains the QRadar functional architecture and deployment models. It shows how IBM QRadar was designed as a modular Security Intelligence solution from the ground up.
• IT Regulatory Compliance
Collect and securely archive log records for audit and compliance
Generate reports required by internal or external regulations to successfully pass compliance audits
• IT Internal monitoring
Frequently collect, correlate, and analyze data to alert on security policy violations
• Security breach detection
Analyze data to detect and alert on IT security risk management related issues
The first requirement addresses IT log management for forensic analysis. The archived event and network flow records are used to analyze incidents and gather evidence. The data must be collected and stored reliably in its original format to stand up as evidence in a court of law or to be used for compliance reporting. Also, the data must be archived for several years and it must be searchable.
To fulfill the compliance audit requirement, the archived data is used to prove that relevant audit information has been collected and securely stored. Furthermore, the data must be used to create reports required by the regulation, and the regulatory compliance reports must be stored for a period of time.
The next requirement addresses IT internal monitoring to alert on security policy violations. This in itself requires an organizational IT Security Policy that defines appropriate use of the IT environment. High risk offenses to the policy must be identified and reported upon, and offenses must be managed. IT usage that is not in compliance with the policy must be reported upon.
The most prevalent requirement today, however, revolves around IT security risk management for the overall organization. All of the previously described functional requirements apply here as well. In addition, an extensive knowledge of the IT environment, and the threats to which it is exposed, is required. To perform anomaly detection it is also necessary to understand data patterns within the captured events and network flows.
No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console, with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.
• Dashboard
The Dashboard tab allows an organization to define many different views into the collected and
processed data. QRadar provides many predefined dashboards, but you can create and
maintain your own.
• Offenses
Use the Offenses tab to view all the offenses that occur on your network and complete the
following tasks:
– Investigate offenses, source and destination IP addresses, network behaviors, and
anomalies on your network
– Correlate events and flows that are sourced from multiple networks to the same destination
IP address
– Go to the various pages of the Offenses tab to investigate event and flow details
– Determine the unique events that caused an offense
• Log Activity
The Log Activity tab displays event information as records from a log source, such as a firewall
or router device. Use the Log Activity tab to do the following tasks:
– Investigate event data
– Investigate event logs that are sent to QRadar SIEM in real time
– Search events
– Monitor log activity by using configurable time-series charts
– Identify false positives to tune QRadar SIEM
• Network Activity
If the content capture option is enabled, the Network Activity tab displays information about
how network traffic is communicated and what was communicated. Here, you can do the
following tasks:
– Investigate the flows that are sent to QRadar SIEM in real time
– Search network flows
– Monitor network activity by using configurable time-series charts
• Assets
QRadar automatically creates asset profiles by using passive flow data and vulnerability data to
discover your network servers and hosts.
Asset profiles provide information about each known asset in your network, including the
services that are running. Asset profile information is used for correlation purposes, which helps
to reduce false positives.
Use the Assets tab to do the following tasks:
– Search for assets
Report templates are grouped into report types, such as compliance, device, executive, and
network reports. Use the Reports tab to complete the following tasks:
– Create, distribute, and manage reports for QRadar SIEM data
– Create customized reports for operational and executive use
– Combine security and network information into a single report
– Use or edit preinstalled report templates
– Brand your reports with customized logos. Branding is beneficial for distributing reports to
different audiences
– Set a schedule for generating both custom and default reports
– Publish reports in various formats
• Vulnerabilities
If the QRadar Vulnerability Manager license has been deployed, you will see a Vulnerabilities
• Admin
The Admin tab provides all tools to manage and maintain the QRadar deployment. Analysts
typically do not have access to these tools.
The example in this screen shot depicts the integration of the QRadar console with QRadar
Designed to integrate Log Management, SIEM, Vulnerability and Risk Management, Incident Forensics, and an extensible application framework into one solution, QRadar Security Intelligence can deliver a large log management scale without any compromise on SIEM “Intelligence.”
As a QRadar analyst you can switch from log events, to network flows, to risk and compliance policy reports and prioritized lists of network wide vulnerabilities, and complete analysis of incidents after an offense has occurred. This allows an organization to reduce the time before an initial breach is detected and avoid the actual exploit.
Is the attack credible?
How valuable are the targets to the business?
Where are they located?
Who was responsible for the attack?
What was stolen and where is the evidence?
Here is what you can see as a security analyst when you begin to investigate an offense record that
was triggered by a correlation rule. You can quickly investigate the who, what, and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.
IBM QRadar SIEM provides strong event-management and analysis capabilities and is very effective in detecting threats because it can leverage a broad range of data, analyze it, and apply context from an extensive range of sources. This helps to reduce false positives, report on actual exploits, and show what kind of activity is taking place. This can result in faster threat detection and response.
QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context in which systems are operating. That context includes security and network device logs, vulnerabilities, configuration data, network traffic telemetry, application events and activities, user identities, assets, geolocation, and application content. This activity generates a staggering amount of data, which makes the automation in QRadar very important because it can correlate this large amount of data down to a small number of actionable offenses.
QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.
QRadar uses intelligence, automation, and analytics to provide actionable security information
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, vulnerabilities, evidence for forensics, and so on.
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics
This slide provides an overview of where all this data comes from.
• Point in time
Everything that QRadar investigates needs to provide an exact point in time. This timestamp
allows QRadar to correlate the most complex relationships between disparate log sources and
network flows to present those as one connected event.
• Offending users
QRadar extracts user information wherever possible allowing an analyst to further investigate
individual users. QRadar also uses this information for user behavioral analytics.
• Origins
The origin represents the starting point for all QRadar correlation activity. The origin is captured
as an IP address.
• Targets
The target represents the final point for all QRadar correlation activity. The target is captured as
an IP address.
• Asset information
QRadar maintains a centralized asset database that is used to record a variety of details for
each asset that has been discovered. Assets can be discovered in two ways. Actively, by using
vulnerability scans with QRadar Vulnerability Manager, or passively through network flow
records. Asset data can also be imported by using other enterprise tools for asset management.
Details can include IP address, host name, running applications and services, as well as
vulnerabilities.
• Vulnerabilities
QRadar maintains a list of vulnerabilities for each asset. These can either be discovered by
using QRadar Vulnerability Manager or any other 3rd party vulnerability management solution.
Asset-related vulnerabilities are used for QRadar correlations and analytics, and they can influence several factors throughout the incident management process.
• Known threats
QRadar is able to connect to external threat feeds, such as the IBM X-Force Exchange. This
threat information can also be used for QRadar correlations and analytics to influence the
incident management process.
• Behavioral analytics
Utilizing some of the above-mentioned data in combination with other enterprise-wide collected information, QRadar can analyze user behavior and alert whenever abnormal activity is detected.
• Cognitive analytics
After all this data has been correlated it is presented to the analysts in the QRadar Console. If a
particularly important threat is discovered, an analyst has to investigate it with an utmost urgency.
To support this task QRadar now provides Cognitive Analytics. This capability augments a security
analyst's ability to identify and understand sophisticated threats, by tapping into unstructured data
(such as blogs, websites, research papers) and correlating it with local security offenses.
• Allows deep packet inspection for Layer 7 flow data
Pivoting, drill-down, and data-mining activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
However, no attacker can disable the network without cutting themselves off as well.
Network flow analytics in QRadar allows deep packet inspection for OSI Layer 7 flow data, which can contain very helpful information for advanced forensics. Network flow information helps to detect communication flow anomalies, zero-day attacks that have no signature yet, and provides
Using passive monitoring, flow analytics builds up an asset database and profiles your assets. For
example, an IT system that has responded to a connection on port 53 UDP is obviously a DNS
server. Another IT system that has accepted connections on ports 139 or 445 TCP is a Windows
server.
Adding application detection can confirm this not only at a port level, but the application data level
as well.
Source: To learn more about the OSI Layer model please visit:
http://searchnetworking.techtarget.com/definition/OSI
Cognitive Analytics
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson
Security Analysts today are more and more overwhelmed by the amount of data that requires investigation and by the mounting time pressure to act. Cognitive analytics augments your analysts’ knowledge and insights with QRadar Advisor with Watson to speed up analysis with visuals, query, and auto-discovery across the platform where you can inspect events, flows, users, and more by tapping into unstructured data (such as blogs, websites, research papers) and correlating it with local security offenses.
These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Cognitive Analytics now.
Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends results to the incident response team
establish a relationship between machines and humans. The role of technology can now change
from enabler to advisor. We are ushering in this new era of cognitive security to out-think and
outpace threats with security that understands, reasons, and learns.
IBM Watson enables fast and accurate analysis of security threats, saving precious time and resources. This empowers the analysts to perform faster investigations and clear their backlog more easily. It will also help to increase the investigative skills of individual analysts over time.
With the help of IBM Watson, security analysts will be able to spend less time on the mundane
tasks of manual and time consuming threat analysis, and more time being human.
Cognitive Analytics
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson
Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps
These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Open Ecosystem now.
On the defensive side, organizations have to deal with a large number of siloed security solutions from an equally large number of vendors. It is estimated that an average enterprise can have up to 85 security products from 40 vendors. With this mix, it is difficult to link the products together so they can support each other.
To fill this gap, IBM has introduced the IBM Security App Exchange. The exchange is a marketplace for the security community to create and share applications that integrate with IBM Security solutions. The first offering in which customers, business partners, and other developers can build custom apps is QRadar.
Releasing application programming interfaces (APIs) and software development kits for QRadar fosters the integration with third-party technologies. This provides organizations with better visibility into more types of data, and also offers new automated search and reporting functions that can help security specialists focus on the most pressing threats.
The IBM Security App Exchange has a number of customized apps that extend security analytics
into areas like user behavior, endpoint data, and incident visualization.
Before releasing an app, IBM Security closely tests every application to ensure the integrity of these community contributions.
In the future the App Exchange will offer the opportunity to produce apps for additional IBM Security
products.
Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson
Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps
Deep Threat Intelligence and Analysis
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative
These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Deep Threat Intelligence and Analysis now.
form of organized activity. Cyber criminals have learned to collaborate. They share vulnerability,
targeting, and countermeasure information. They also share tools to ensure that their attacks can
be successful. Collaboration is a force multiplier for the hacking community. Organizations have
been using threat intelligence in an effort to stay abreast of the threats, but these efforts are limited.
To succeed requires much more information, shared among security professionals, researchers,
and practitioners.
IBM has built a collaboration platform called the X-Force Exchange to facilitate the collaboration that will allow organizations to have a much greater understanding of threats and actors. X-Force Exchange is a cloud-based threat intelligence sharing platform that enables users to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange provides timely, curated threat intelligence insights, which add context to machine-generated data. The platform facilitates making connections with industry peers to validate findings and research threat indicators.
Leveraging the open and powerful infrastructure of the cloud, users can collaborate and tap into over 700 terabytes of information from multiple data sources. This includes one of the largest and most complete catalogs of vulnerabilities in the world, threat information based on monitoring of more than 15 billion security events per day, and malware threat intelligence from a network of 270 million endpoints. This threat information is based on over 25 billion web pages and images and deep intelligence on more than 8 million spam and phishing attacks.
Source: https://exchange.xforce.ibmcloud.com
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight and forensics
• Physical and virtual environments
Network Insights
• Real time threat detection and long-term retrospective analysis
Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning and prioritization
• Predictive threat modeling and simulation
Network Forensics
• For many organizations, the starting point is to address the log management challenge, which
is why IBM offers a family of “log management only” appliances. These log management
appliances can be upgraded to full SIEM capability by configuring an additional license key.
• The full SIEM implementation provides integration of log management with threat, fraud, network, and security intelligence. Network activity data, vulnerability assessment, and external threat data are added as data sources along with sophisticated correlation and behavioral analytics.
• For application layer visibility and forensic content capture, the QFlow and VFlow flow collectors
can be deployed in physical or virtual infrastructures. These appliances provide extensive
application-level surveillance of all activity at key locations.
• QRadar Network Insights can provide configurable network traffic analysis for real time threat
detection and long-term retrospective analysis to detect insider threats, data exfiltration and
malware activity.
• Risk and Vulnerability Management capabilities can be activated by configuring additional license keys. Risk Manager requires an additional dedicated appliance as well, while Vulnerability Manager can be deployed on existing appliances. Risk Manager provides network security configuration monitoring, while Vulnerability Manager focuses on vulnerability scanning and prioritization. Together they can be used for predictive threat modeling and simulation.
• For some organizations, the full SIEM scale can be met with a single appliance; for others who have higher scale, or remote collection and storage requirements, QRadar processors enable massive deployments. This horizontal, stackable expansion supports a massive scale and geographic distribution, while maintaining exactly the same user experience.
Network Forensics appliances allow you to fully reconstruct network sessions that can provide
clarity around questions like “who”, “what”, and “when” in great detail.
Deployment models
All-in-One (2100/31XX)
Console (31XX)
Flow Processor (17XX)
Event Processor (16XX)
QFlow Collector (12XX/13XX)
All-in-One is a single appliance used to collect events and flow data. A Distributed deployment consists of multiple appliances for different purposes:
• Event Processor to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network
devices; optional QFlow Collector is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all
administrative functions
The selection depends on the amount of collected and processed events, data storage estimations,
high availability and disaster recovery requirements, organizational network topology, and other
factors.
An all-in-one deployment uses a single appliance to collect events and flow data from various security and network devices, perform data correlation and rule matching, report on alerts and threats, and provide all administrative functions through a web browser.
A distributed deployment consists of multiple appliances for different purposes. You can deploy Event Collectors and Processors to collect, process, and store log events. Flow Collectors and Processors are used to collect, process, and store several kinds of flow data generated from network devices, and optionally, you can deploy QFlow Collectors to collect Layer 7 application data. A Console is used to correlate data from managed processors, generate alerts and reports, and provide all administrative functions.
The remainder of this course material does not look more closely at the exact appliance configurations and models that are currently available.
Lesson 2 QRadar SIEM component architecture
This lesson describes the high-level architecture of the major IBM QRadar SIEM components,
including the flow collector, event collector, event processor, and console. You also learn about the
flow of a captured event.
Architecture overview
• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
• Dissecting the flow of a captured event
[Diagram: Console services (user interface, Magistrate, reporting, offenses, configuration); Event processor (events, flows, accumulations); collection from the network packet interface, sFlow, and 3rd party sources]
• If accumulation is required, accumulated data is stored in Ariel accumulation data tables
• As soon as data is stored, it cannot be changed (tamper proof)
• Data can be selectively indexed
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
• Provides one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported
Events from individual log sources and network flow data are collected by the QRadar Event and Flow collectors. Once the flow and event data is forwarded to the Event Processor, it is stored in the Ariel database on the Event Processor. If accumulation is required, the accumulated data is stored in Ariel accumulation data tables. To fulfill the tamper-proof data storage aspects for compliance mandates, data cannot be changed once it is stored in the Ariel database. At any point in time, data can be selectively indexed to support specific search and report requirements.
Once the Event Processor is finished processing, the data is passed on to the QRadar Console, where further consolidated processing occurs. Offenses, assets, identity, and configuration information are stored in the master PostgreSQL database on the Console. There is one master database with optional copies on each processor for backup and automatic restore.
[Diagram: QFlow pipeline – raw data packets received (NetFlow, sFlow, NIC, and so on) -> Aggregator (enforce license limit) -> Application Detection Module (appId = eventId) -> Flow reporting and routing (create superflows)]
• Flow data packets are collected from a variety of network device vendors and directly from the network interface
• Collected flow data can update asset profiles with the ports and services that are running on each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address 127.0.0.4/5
• (Custom) applications are detected
include the source and destination IP addresses, the port, and other fields.
Flow data packets can be collected from a variety of network device vendors, and directly from the network interface. Collected flow data can update asset profiles with the ports and services that are running on each host. If a new host is detected through network flow data, a new asset is created in
Next in line is the Aggregator. This component enforces the license limit for the Flow Collector,
which is measured in “flows per minute”, or FPM. If the license limit is exceeded, flows are
temporarily stored in an overflow buffer, which will be processed with the next set of flows. Every
log source protocol has an overflow buffer of 5 GB, and if the overflow buffer fills up, the additional
flows are dropped.
The Application Detection Module uses four methods of determining the application of the flow.
• The first is the User Defined method.
This method is mainly used when users have a proprietary application running on their network.
For example, all traffic going to host 10.100.100.42 on port 443 is recognized to be
MySpecialApplication.
• The second method uses State-based decoders.
This method is implemented in the source code. It determines the application by analyzing the payload for multiple markers, for example, if you see A followed by B, then application = X; and if you see A followed by C, then application = Y.
• The next method uses Signature matching.
This method relies on basic string matching in the payload (see the Application Configuration
Guide for signature customization).
• The final method uses Port-based matching.
In this case, applications are matched based on their port use, for example, port 80 = http.
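The four methods above, as an added example in Python that is not IBM's code and does not reproduce the real QFlow decoders: each method is tried in the order the text lists them, the host/port mapping, marker sequences, signatures and port table are constructed for the demo, and the state-based decoders are approximated as ordered marker sequences.

```python
"""Added example (not IBM's code): a simplified model of the four
application-detection methods above, tried in the order the text lists them.
Flows, mappings, marker sequences and signatures are constructed for this demo;
the real QFlow decoders are not reproduced."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # first unencrypted bytes captured for the flow


# 1. User-defined: a proprietary application known only by host and port
#    (the 10.100.100.42:443 example from the text).
USER_DEFINED: Dict[Tuple[str, int], str] = {
    ("10.100.100.42", 443): "MySpecialApplication",
}

# 2. State-based decoders, approximated here as ordered marker sequences:
#    "A followed by B -> X; A followed by C -> Y" (constructed markers).
STATE_DECODERS: List[Tuple[Tuple[bytes, ...], str]] = [
    ((b"HELO", b"MAIL FROM"), "smtp"),
    ((b"HELO", b"STARTTLS"), "smtp-tls"),
    ((b"USER ", b"PASS "), "ftp-control"),
]

# 3. Signature matching: plain substrings anywhere in the payload (constructed).
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"SSH-2.0", "ssh"),
    (b"HTTP/1.", "http"),
    (b"BitTorrent protocol", "bittorrent"),
]

# 4. Port-based matching, the last resort when nothing in the payload matched.
PORT_APPS: Dict[Tuple[int, str], str] = {
    (22, "tcp"): "ssh",
    (53, "udp"): "dns",
    (80, "tcp"): "http",
    (443, "tcp"): "https",
}


def _markers_in_order(payload: bytes, markers: Tuple[bytes, ...]) -> bool:
    """True if every marker occurs in the payload, each after the previous one."""
    pos = 0
    for marker in markers:
        idx = payload.find(marker, pos)
        if idx < 0:
            return False
        pos = idx + len(marker)
    return True


def detect_application(flow: Flow) -> Tuple[str, str]:
    """Return (application, method) from the first method that matches."""
    app = USER_DEFINED.get((flow.dst_ip, flow.dst_port))
    if app:
        return app, "user-defined"
    for markers, name in STATE_DECODERS:
        if _markers_in_order(flow.payload, markers):
            return name, "state-based"
    for signature, name in SIGNATURES:
        if signature in flow.payload:
            return name, "signature"
    app = PORT_APPS.get((flow.dst_port, flow.proto))
    if app:
        return app, "port-based"
    return "unknown", "none"


def classify_all(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Classify a batch of flows, keeping track of which method fired."""
    return [detect_application(f) for f in flows]


if __name__ == "__main__":
    # Constructed flows: each one exercises a different rung of the ladder.
    samples = [
        Flow("10.0.0.5", "10.100.100.42", 443, "tcp", b"\x16\x03\x01"),
        Flow("10.0.0.5", "10.0.0.9", 2525, "tcp", b"HELO mx\r\nMAIL FROM:<a@b>\r\n"),
        Flow("10.0.0.5", "10.0.0.9", 2222, "tcp", b"SSH-2.0-OpenSSH_8.4\r\n"),
        Flow("10.0.0.5", "10.0.0.53", 53, "udp", b""),
        Flow("10.0.0.5", "10.0.0.9", 2525, "tcp", b"MAIL FROM:<a@b>\r\nHELO mx\r\n"),
    ]
    for flow, (app, method) in zip(samples, classify_all(samples)):
        print(f"{flow.dst_ip}:{flow.dst_port}/{flow.proto} -> {app} ({method})")
```

The last sample shows the state-based rule failing when the markers arrive out of order and nothing else matching on a non-standard port, which is where a custom signature or user-defined mapping would be needed.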
Finally, the flow data packets reach the Flow reporting and routing component. This component is responsible for creating superflows. A superflow stores a single flow together with the collection of IP addresses it covers, which makes flow processing faster and requires less storage space. There are three types of superflows.
• Type A superflows contain a single source and multiple destination addresses with the same destination port, byte count, and source flags or ICMP codes. An example for a type A superflow is a network sweep.
• Type B superflows contain multiple source and a single destination address with the same
destination port, byte count, and source flags or ICMP codes. An example for a type B
superflow is a Distributed Denial of Service attack.
• Type C superflows contain a single source and destination address with changing source and
destination ports. An example for a type C superflow is a port scan.
Specific rule tests can leverage the flow type to determine if an offense needs to be created. The
creation of superflows can be disabled.
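As an added example (not IBM's code), the following Python folds a constructed one-minute batch of raw flow records into type A, B and C superflows using the grouping keys named above; MIN_MEMBERS, the A-then-B-then-C ordering and the record format are assumptions for the demo, not QRadar's actual aggregation logic.

```python
"""Added example (not IBM's code): grouping raw flow records into the three
superflow types described above. MIN_MEMBERS is an assumption for this demo;
QRadar's real aggregation thresholds and record format are not reproduced.
All flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "icmp"
    src_port: int    # 0 for icmp
    dst_port: int    # 0 for icmp
    byte_count: int
    src_flags: str   # TCP flags seen from the source, or ICMP type/code text


@dataclass
class Superflow:
    kind: str                 # "A", "B" or "C"
    src_ips: List[str]
    dst_ips: List[str]
    dst_port: Optional[int]   # None for type C, where the ports vary
    proto: str
    member_count: int


MIN_MEMBERS = 5   # demo assumption: distinct peers / port pairs needed to aggregate


def build_superflows(flows: List[Flow]) -> Tuple[List[Superflow], List[Flow]]:
    """Return (superflows, flows left as individual records).

    Each raw flow joins at most one superflow; the types are tried in order A, B, C.
    """
    assigned: Set[Flow] = set()
    superflows: List[Superflow] = []

    # Type A: single SRC, multiple DST, same DST port, byte count and SRC flags.
    by_src: Dict[tuple, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[(f.src_ip, f.proto, f.dst_port, f.byte_count, f.src_flags)].append(f)
    for (src, proto, dport, _, _), members in by_src.items():
        dsts = sorted({m.dst_ip for m in members})
        if len(dsts) >= MIN_MEMBERS:
            superflows.append(Superflow("A", [src], dsts, dport, proto, len(members)))
            assigned.update(members)

    # Type B: multiple SRC, single DST, same DST port, byte count and SRC flags.
    by_dst: Dict[tuple, List[Flow]] = defaultdict(list)
    for f in flows:
        if f not in assigned:
            by_dst[(f.dst_ip, f.proto, f.dst_port, f.byte_count, f.src_flags)].append(f)
    for (dst, proto, dport, _, _), members in by_dst.items():
        srcs = sorted({m.src_ip for m in members})
        if len(srcs) >= MIN_MEMBERS:
            superflows.append(Superflow("B", srcs, [dst], dport, proto, len(members)))
            assigned.update(members)

    # Type C: one SRC/DST pair, TCP/UDP only, changing SRC/DST ports.
    by_pair: Dict[tuple, List[Flow]] = defaultdict(list)
    for f in flows:
        if f not in assigned and f.proto in ("tcp", "udp"):
            by_pair[(f.src_ip, f.dst_ip, f.proto)].append(f)
    for (src, dst, proto), members in by_pair.items():
        port_pairs = {(m.src_port, m.dst_port) for m in members}
        if len(port_pairs) >= MIN_MEMBERS:
            superflows.append(Superflow("C", [src], [dst], None, proto, len(members)))
            assigned.update(members)

    remaining = [f for f in flows if f not in assigned]
    return superflows, remaining


def sample_flows() -> List[Flow]:
    """Constructed one-minute capture: an SMB sweep, a SYN flood, a port scan, noise."""
    flows: List[Flow] = []
    for i in range(1, 21):     # one host probing port 445 on twenty neighbours (type A)
        flows.append(Flow("10.0.0.7", f"10.0.1.{i}", "tcp", 40000 + i, 445, 60, "S"))
    for i in range(1, 31):     # thirty sources hitting one web server (type B)
        flows.append(Flow(f"198.51.100.{i}", "192.0.2.10", "tcp", 50000 + i, 80, 60, "S"))
    for p in range(1, 26):     # one host trying 25 ports on one target (type C)
        flows.append(Flow("10.0.0.9", "10.0.2.5", "tcp", 51000 + p, p, 60, "S"))
    flows.append(Flow("10.0.0.20", "192.0.2.10", "tcp", 52000, 443, 5120, "SA"))  # normal
    flows.append(Flow("10.0.0.21", "10.0.0.53", "udp", 53000, 53, 90, ""))        # normal
    return flows


if __name__ == "__main__":
    supers, rest = build_superflows(sample_flows())
    for s in supers:
        print(f"Type {s.kind}: {len(s.src_ips)} src, {len(s.dst_ips)} dst, "
              f"port {s.dst_port}, {s.member_count} flows folded")
    print(f"{len(rest)} flows kept as individual records")
```

With the constructed input, 77 raw records collapse into three superflow records plus the two ordinary flows, which is the storage saving the text describes.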
Up to a configurable number of bytes, QFlow provides layer 7 insights into the payload if it is unencrypted. Using a tap or span port, QFlow collects raw packets and places them into 60-second chunks. QFlow can also receive layer 4 flows from other network devices in IPFIX/NetFlow, sFlow,
Note: The following slides contain some additional information about the Flows per minute burst handling, application detection, and Superflows. The explanations for these slides have
• Every log source protocol has an overflow buffer of 5 GB
• If the overflow buffer fills up, the additional flows are dropped
Application detection
Methods of determining the application of the flow
• User defined
This method is mainly used when users have a proprietary application running on their network
For example: All traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication
• State-based decoders
This method is implemented in the source code and determines the application by analyzing the payload for multiple markers
For example: If you see A followed by B then application = X; if you see A followed by C, then application = Y
• Signature matching
Basic string matching in the payload
Custom signatures are allowed (see Application Configuration Guide for signature customization)
• Port-based matching (port 80 = http, and so on)
Superflows
• Types of superflows
Type A: Single SRC, Multiple DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes (for example, network sweeps)
Type B: Multiple SRC, Single DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes (for example, DDoS attacks)
Type C: Single SRC and DST, TCP/UDP Only, Changing SRC/DST ports (for example, port scans)
• Only store the single flow with the collection of IP addresses
• Specific rule tests can leverage the flow type to determine if an offense needs to be created
• Creation of superflows can be disabled
ec n
oy cio
pr a
rm
Fo
Uempty
Architecture overview
• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
• Dissecting the flow of a captured event
Event collector (figure: Log Sources, Overflow filter (enforce license limit), Traffic Analysis (Log source detection), DSM normalization filter, Coalescing filter)
• EPS license is checked
them into low- and high-level categories
• The event collector bundles identical events to conserve system usage through a process that is known as coalescing
in Events per Second, or EPS. Events are temporarily stored in an overflow buffer if the EPS
license is exceeded, and those events are processed during the next cycle. Should the overflow
buffer fill up, the additional events are dropped, and a message is logged for the administrators.
Log Sources are automatically discovered after record analysis in the Traffic Analysis module. This
new QRadar log source, if detection is successful on an IP address. The Traffic Analysis module
only carries out detection on event protocols that are “pushed” to the event collector, for example,
syslog.
After the correct log source has been detected, such as a Checkpoint Firewall, the individual
Device Support Modules begin to parse the events. First, the events are normalized, where source
specific data fields are mapped into QRadar terminology for further processing. The log source
parser then extracts the log source event ID from the log record and maps that to the QRadar
Identifier, or QID. This is a unique ID that links the extracted log source event ID to a QID. Each QID
relates to a custom event name and description, as well as severity and event category information.
The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC). Every QID is linked to one of the low-level categories, for example, a valid
category combination is "Authentication” (being a High Level Category) and “Admin Login
Successful” being a Low Level Category.
Finally, the coalescing filter can optionally bundle identical events to conserve system usage before
handing the data off to the Event Processor.
Note: The following slides contain some additional information about the Autodiscovery of log
sources, Log source parsing and QID mapping, and Events per second burst handling. The
explanations for these slides have already been incorporated in this overview slide.
• Categorizes traffic from devices that are unknown to the system
• Carries out detection only on event protocols that are “pushed” to the event collector,
for example, syslog
• The QID (QRadar identifier) is a unique ID that links the extracted log source event ID to a QID
• Each QID number relates to a custom event name and description, as well as severity and event
category information
• The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC); every QID is linked to one of the low-level categories
For example, "Authentication (HLC) - Admin Login Successful (LLC)" is a category combination
• Every log source protocol has an overflow buffer of 5 GB
• If the overflow buffer fills up, the additional events are dropped
Event processor (figure: Event or flow sources received, Overflow filter (enforce license limit), Custom Rules Engine (CRE), Exit filter, Event storage filter, Events and Flows Ariel database, Host profiler, Accumulator, Accumulations)
enabled rules in the rules engine
• New offenses can be triggered and sent to the Magistrate (see Console)
• Events and flows are stored in the events or flows Ariel database
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database (see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database
the Overflow Filter enforces the license in a similar way to the collectors.
Next, the Custom Rule Engine, or CRE, tests every single event or flow against all enabled rules.
Matched rules can have responses or results. For example, a matched rule might trigger the
creation of an offense, or create a new CRE event that triggers the creation of an offense. However,
actual offenses are not created here at the Event Processor, but rather at the Console.
It is possible that multiple matched events, flows, and matched rules might correlate into a single
offense. On the other hand, a single event or flow can also be correlated into multiple offenses.
By default, rules are tested against events or flows received by a single event processor (local
rules). The Exit Filter sends on any events or flows that have been marked for further processing by
Every event and flow is then sent on to the Event Storage Filter, where they are stored in the events
or flows Ariel database.
If a new port or host is detected at this time, an asset profile needs to be updated or created in the
PostgreSQL database. The Host Profiler, or Host Profiling Filter, sends the collected information
about the new host to the Console, so that a new asset can be created or updated.
Finally, if an analyst has defined any searches to collect and investigate specific sets of data,
events and flow records are accumulated every minute and stored in the accumulator Ariel
database. These accumulations create time-series statistical metadata that is used for Dashboards,
event and flow forensics and searching, reporting, and the Anomaly Detection Engine on the
Console. Accumulated time intervals can be defined as 1 minute, 1 hour, and 1 day. The
Accumulator is a distributed component that operates on each Event Processor.
Note: The following slides contain some additional information about the Custom Rule Engine
and the Accumulator. The explanations for these slides have already been incorporated in this
overview slide.
• Matched rules might trigger the creation of an offense or create a CRE event that triggers the creation of an offense
• Multiple matched events, flows, and matched rules might correlate into a single offense
• A single event or flow can be correlated into multiple offenses
• By default, rules are tested against events or flows received by a single event processor (local rules)
• Global cross correlation (GCC) allows rules testing across multiple event processors in the QRadar SIEM deployment
Accumulator
• Accumulations are defined by “grouped by” searches
• Accumulations create time-series statistical metadata (counts) that is used for the following purposes:
Dashboards
Event and flow forensics and searching
Reporting
Anomaly and behavior alerts
• The Accumulator is a distributed component that operates on each event processor
Console architecture (figure: Magistrate, Offenses, Assets, Custom rule engine, Overflow filter (enforce license limit), Ariel Proxy Server, Vulnerability Information Server, Anomaly Detection Engine; Event processor with Exit Filter, Ariel Query Server, Host profiler, Accumulators)
• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses
the interface
• The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that triggered the creation of an offense
• The Vulnerability Information Server (VIS)
offenses are then brought to the analyst’s attention in the user interface. The Magistrate instructs
the Ariel Proxy Server to gather information about all related events and flows that triggered the
creation of an offense. The collected data is then available for further investigation by the analyst.
If data is collected from multiple Event Processors, the Console’s Custom Rules Engine can utilize
Global Cross Correlation to test rules on data from all deployed Event Processors. This helps to
locate more complex attacks, which can span across the overall IT infrastructure and are not
The Vulnerability Information Server (VIS) creates new assets, or adds open ports or discovered
services to existing assets, based on information from the Host Profiler on the Event Processors.
This happens when hosts, services, or vulnerabilities that cannot be mapped to existing assets are
discovered.
The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which
are then used for offense evaluation. There are three categories of Anomaly Detection Rule types.
• The Threshold rule examines a numeric range, such as greater than, less than, or a particular
range. This rule can help detect the bandwidth of an application, the number of users connected
to a VPN, or a large and unusual outbound data transfer.
• The Anomaly rule looks at a change in short term when comparing against a longer time frame.
This can help to locate new service activity or a change in the bandwidth volume on a specific
link.
• The Behavioral rule can detect changes from the same time yesterday or last week. This
includes mail traffic, for example, the increase on external SMTP server traffic, which could be a
relay. This rule can also be used for regular IT services, such as backup monitoring, where the
rule would trigger if a backup failed.
Let us take a closer look at how Offenses are managed by the Magistrate component.
Events and flows that have been tagged by the Custom Rules Engine for further processing in the
Event Processors are handed over to the Console through the Exit Filter.
Note: The following slides contain some additional information about the Offense management
by the Magistrate, the new asset and service detection by the Vulnerability Information
Server, and Anomaly Detection Engine rule types. The explanations for these slides have
already been incorporated in this overview slide.
• A single event or flow can belong to multiple offenses
• While rules are tested, they might lead to the creation of an offense
• Pending offenses tag the events and flows as long as the rule that triggered the creation of the offense
remains at least partially matched
• Generates a new asset based on an event when hosts, services, and vulnerabilities that cannot be
mapped to existing assets are discovered
• Detects new or modified assets and automatically checks the asset information against uploaded
vulnerability information using flow information
Bandwidth of an application
Failed service
Number of users connected to a VPN
Large outbound transfer
• Anomaly: Change in short term when comparing against a longer time frame
New service activity
Change in the bandwidth volume on a link
• Behavioral: Change from the same time yesterday or last week
Mail traffic, for example, increase on external SMTP server traffic (could be a relay)
Backup monitoring (backup failed)
Just about anything with a repetitive pattern
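The three Anomaly Detection Engine rule types described above, as an added example written for this guide rather than taken from QRadar: each rule runs over a constructed series of per-minute accumulation counts, and the ratio cut-offs, window sizes and sample series are assumptions:

```python
from statistics import mean

MINUTES_PER_DAY = 24 * 60   # accumulations are per minute here


def threshold_rule(counts, low=None, high=None):
    """Threshold: the latest 1-minute count is outside a numeric range
    (greater than high, less than low, or not within low..high)."""
    latest = counts[-1]
    return (high is not None and latest > high) or (low is not None and latest < low)


def anomaly_rule(counts, short=5, long=60, factor=3.0):
    """Anomaly: the short-term average deviates from the longer time frame that
    precedes it by more than `factor` in either direction."""
    if len(counts) < long:
        return False
    recent = mean(counts[-short:])
    baseline = mean(counts[-long:-short])
    if baseline == 0:
        return recent > 0
    ratio = recent / baseline
    return ratio > factor or ratio < 1 / factor


def behavioral_rule(counts, lag=MINUTES_PER_DAY, width=5, factor=3.0):
    """Behavioral: compare the latest `width` minutes with the same minutes one
    lag earlier (yesterday by default; 7 * MINUTES_PER_DAY for last week).
    A drop is a change too, so a missing backup run also fires."""
    if len(counts) < lag + width:
        return False
    now = mean(counts[-width:])
    then = mean(counts[-lag - width:-lag])
    if then == 0:
        return now > 0
    ratio = now / then
    return ratio > factor or ratio < 1 / factor


def smtp_relay_series():
    """Constructed: two days of per-minute outbound SMTP connection counts,
    a steady 10/min, then a 60/min burst in the last 5 minutes (possible relay)."""
    return [10] * (2 * MINUTES_PER_DAY - 5) + [60] * 5


def backup_series():
    """Constructed: backup throughput per minute; the job ran during the last
    hour of day 1 and did not run at all on day 2 (backup failed)."""
    day1 = [0] * (MINUTES_PER_DAY - 60) + [500] * 60
    return day1 + [0] * MINUTES_PER_DAY
```

The same functions apply to any accumulated "grouped by" series with a repetitive pattern; only the window and lag need to match the accumulation interval in use.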
Until now, we have examined the QRadar component structure from a deployment viewpoint. Let
us now take a final look into dissecting the flow of a captured event.
• How the events arrive at their first collection point, the Event Collector
• How the events proceed through correlation, accumulation, and storage on the Event Processor
• How the events end up as part of a larger offense on the Console
follow the events as they proceed through correlation, accumulation, and storage on the Event
Processor and finally end up as part of a larger offense on the Console.
Event collector (figure: FW Deny events arrive from the firewall; 1 FW Deny event; 2 Overflow filter (enforce license limit): License exceeded? Yes / No; 3 Traffic Analysis (Log source discovery): Log source known? No: Create new log source / Yes; 5 Coalescing Filter; then on to the Event processor)
1. The firewall denies a large amount of communication requests from an individual IP source and
logs those.
These large amounts of FW Deny events now arrive at the QRadar Event Collector.
2. The overflow filter counts all the incoming raw events to ensure the license limit for the
appliance is not exceeded.
If the license limit (here: events per second) IS exceeded, the events are buffered and fed back
into the stream when the input is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the console is
generated.
In our case the limit is not exceeded and the FW Deny events are passed on to the Traffic
Analysis module.
4. The individual FW Deny events are now parsed inside the applicable (Firewall) Device Support
Module, the Event ID is extracted from the event data, and a QID (QRadar Identifier) gets
assigned to the event.
This QID is later used in the CRE (custom rules engine) to evaluate and correlate our events
together with other events and flows.
5. Before handing the normalized data (with QID) off to the Event Processor, all events are passed
through the coalescing filter.
Here, duplicate events (examined within 10-second intervals) are combined into one event with
a counter, which reduces storage space and processing load when data is handed
to the Event Processor.
In our case many FW Deny events are being coalesced because they have occurred within
10-second intervals.
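Steps 2 and 5 above as an added simulation (not QRadar code): an EPS overflow filter with a bounded buffer, and a coalescing filter over 10-second intervals, run over a constructed burst of FW Deny events. The coalescing key, the license and buffer sizes, and the QID value are assumptions:

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class RawEvent:
    ts: int           # arrival time in epoch seconds
    log_source: str
    qid: int          # assumed already assigned by the DSM (step 4); placeholder value
    src: str
    dst: str


@dataclass
class CoalescedEvent:
    first: RawEvent   # the event that is kept
    count: int = 1    # how many identical events it stands for


class OverflowFilter:
    """Step 2: count raw events per second against the EPS license; events above
    the limit go to a bounded buffer and are fed back when input is below the
    limit; when the buffer is full, events are dropped and a console message logged."""
    def __init__(self, eps_limit, buffer_max):
        self.eps_limit, self.buffer_max = eps_limit, buffer_max
        self.buffer, self.dropped, self.console_messages = deque(), 0, []

    def process_second(self, ts, batch):
        budget, passed, dropped_before = self.eps_limit, [], self.dropped
        for ev in batch:                      # new input is counted first
            if budget > 0:
                passed.append(ev)
                budget -= 1
            elif len(self.buffer) < self.buffer_max:
                self.buffer.append(ev)
            else:
                self.dropped += 1
        while budget > 0 and self.buffer:     # input below limit: feed buffer back
            passed.append(self.buffer.popleft())
            budget -= 1
        if self.dropped > dropped_before:
            self.console_messages.append(
                f"ts={ts}: buffer full, dropped {self.dropped - dropped_before} events")
        return passed


def coalesce(events, interval=10):
    """Step 5: identical events (assumed key: log source, QID, src, dst) that fall
    in the same 10-second interval become one event carrying a counter."""
    merged, order = {}, []
    for ev in events:
        key = (ev.log_source, ev.qid, ev.src, ev.dst, ev.ts // interval)
        if key in merged:
            merged[key].count += 1
        else:
            merged[key] = CoalescedEvent(ev)
            order.append(key)
    return [merged[k] for k in order]


def run_fw_deny_example():
    """Constructed input: for 3 seconds, 7 FW Deny events per second from one
    scanner plus 1 from another host; license 5 EPS, buffer room for 4; then 2 idle seconds."""
    filt, stream = OverflowFilter(eps_limit=5, buffer_max=4), []
    for ts in range(5):
        batch = [RawEvent(ts, "fw1", 12345, "203.0.113.9", "10.0.0.1") for _ in range(7)]
        batch.append(RawEvent(ts, "fw1", 12345, "203.0.113.20", "10.0.0.1"))
        stream.extend(filt.process_second(ts, batch if ts < 3 else []))
    return coalesce(stream), filt
```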
Event processor (figure: Normalized events; 2 Overflow filter (enforce license limit): License exceeded? Yes: Buffer overflow events and feed back into stream when input below limit / No; 3 Custom Rules Engine; 4 Ariel DB Events and Flows; 5 Accumulator, Ariel DB Accumulations; 6 Host Profiler: New host or port found?)
Events can come from multiple Event and Flow Collectors, and there can also be multiple Event
Processors in your deployment.
2. The overflow filter counts the incoming normalized events to ensure the license limit for the
appliance is not exceeded.
If the license limit IS exceeded, the events are buffered and fed back into the stream when the input
is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the console is
generated.
3. The CRE evaluates every single event against every active rule.
If none of the rules fires on the event, the event is dropped from further processing.
If at least one rule fires (which happens in our FW Deny events example, because the amount
of events within a certain time period exceeds a threshold value in a test rule), the event is
properly marked for further processing. This way the Magistrate on the Console knows how to
actually handle this event (create a new offense, add the event to any number of existing
offenses).
In our case, the amount of accumulated FW Deny events is sufficient evidence to instruct the
Magistrate that these events are worthy of an offense.
The CRE can also stream every incoming event to the Log Activity tab if you have configured
any live streaming views on the Console. This way, all of our FW Deny events are displayed in
a streaming Dashboard on the Console.
4. The Event Storage component is responsible for storing all events (and flows) in the Ariel DB.
The filter then passes on the data to the Accumulator.
5. The Accumulator manages all the defined searches (Reports, Dashboards, and such) that have
been set up by an analyst on the Console.
Based on the search parameters, the Accumulator stores data in the Accumulations Ariel DB.
This data is later used by the Console to display results through the GUI or to create
Reports.
6. The Host Profiler also receives the event data and searches for any new host or port events.
If any new hosts or ports are detected, they are sent to the Console’s Vulnerability Information
Server.
Console (figure: Processed events; Overflow filter (enforce license limit): License exceeded? Yes / No; Ariel Proxy; Custom Rule Engine (CRE); Magistrate; Anomaly Detection Engine; Vulnerability Information Server; numbered steps 1 to 6 as described below)
2. The overflow filter counts the incoming normalized events to ensure the license limit for the
appliance is not exceeded.
If the license limit IS exceeded, the events are buffered and fed back into the stream when the input
is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the console is
generated.
3. The Magistrate receives our FW Deny events from the Event Collector.
Based on the Index Property and Index Property Value the Magistrate knows that these events
4. In case the Magistrate needs to access additional event and flow records, it utilizes the Ariel
Proxy to communicate with Ariel Query Servers that are located on other Event Processor
appliances.
5. In addition to the Magistrate component, the Console also houses the Anomaly Detection
Engine.
It examines behavioral, anomaly, or threshold based rules that can be used to create new
offenses or add additional evidence and details to existing offenses.
6. Based on collected event and flow data, the Vulnerability Information Server component on the
Console receives information about new hosts or ports that are not yet contained in its Asset
database.
Summary
Now you should be able to perform the following tasks:
• Describe how QRadar SIEM collects and processes events and flows
• Describe how QRadar SIEM collects vulnerability data
In this unit we covered the functional architecture level and explained how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at this
modular design, its extensibility, and its deployment pattern, we examined the component architecture
so that the analyst understands how data is ingested and processed.
When analysts now examine bits and pieces of a larger security incident investigation, this
architectural understanding should substantially enhance their capability for detailed and fast
analysis.