
Course Guide

IBM QRadar SIEM Foundations

Course code BQ103 ERC 1.2


IBM Training
December 2017 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation

North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;

these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM

trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.


Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.

ITIL is a Registered Trade Mark of AXELOS Limited.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2017.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

About this course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Course agenda and description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Unit 1 Introduction to IBM QRadar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Lesson 1 The security immune system and why we need Security Intelligence . . . . . . . . . . . . . . . . . . . . . 3
Today’s security drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

Attackers break through conventional safeguards every day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
How do I get started when all I see is chaos? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
An integrated and intelligent security immune system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
IBM security immune system portfolio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Lesson 2 The QRadar Ecosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Best practices: Intelligent detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
What is Security Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Ask the right questions – The exploit timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

IBM QRadar Vulnerability Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17


IBM QRadar Risk Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
IBM QRadar SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
IBM QRadar Incident Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
QRadar embedded intelligence offers automated offense identification . . . . . . . . . . . . . . . . . . . . . . . . . .21

QRadar embedded intelligence directs focus for investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23


Benefits of IBM Security Intelligence approach using QRadar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Unit 2 IBM QRadar SIEM component architecture and data flows . . . . . . . . . . . . . . . . . . . . . . . . . 27


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Lesson 1 QRadar functional architecture and deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Functional solution requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30


An integrated, unified architecture in a single console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Identifying suspected attacks and policy violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Providing functional context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Network flow analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Extensible functional architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Cognitive Analytics: Revolutionizing how security analysts work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Open Ecosystem and Collaboration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Deep Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Scalable appliance/software/virtual architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

© Copyright IBM Corp. 2017 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Lesson 2 QRadar SIEM component architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
High-level component architecture and data stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Flow collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Event collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Event processor architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

Console architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

Unit 3 Using the QRadar SIEM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

Instructor demonstration of the QRadar SIEM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61

Managing the displayed data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Managing your QRadar user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Accessing help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66

Unit 4 Investigating an Offense Triggered by Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Lesson 1 Offenses overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Definition offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Introduction to offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Creating and rating offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

Offenses on Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73


Offenses tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Offenses overview by category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Offenses overview by source IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Offenses overview by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

Lesson 2 Using summary information to investigate an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78


Instructor demonstration of offense parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Offense Summary window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80


Offense parameters (1 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Offense parameters (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Offense parameters (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Offense parameters (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Offense Source Summary (1 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86


Offense Source Summary (2 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Offense Source Summary (3 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Offense Source Summary (4 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Offense Source Summary (5 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Offense Source Summary (6 of 6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Lesson 3 Investigating offense details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Last 5 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Last 5 Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Top 5 Source IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Top 5 Destination IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Top 5 Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Top 5 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Top 5 Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Last 10 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Last 10 Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Annotations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

Offense Summary toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Lesson 4 Acting on an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Offense actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Offense status and flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106

Offense lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110

Unit 5 Investigating the Events of an Offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Lesson 1 Investigating event details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Definition event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114


Navigating to the events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
List of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Event details: Base information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Event details: Source and destination information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Event details: Reviewing the raw event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Event details: Additional details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Returning to the list of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121

Lesson 2 Using filters to investigate events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122


Filtering events (1 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Filtering events (2 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Filtering events (3 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Applying a Quick Filter to the payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

Using another filter option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127


Using another filter option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

Optimizing search execution efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129


Lesson 3 Using grouping to investigate events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Grouping events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Grouping events by low-level category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Grouping events by protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Removing grouping criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134


Viewing a range of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Lesson 4 Saving a search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Monitoring the offending host (1 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Monitoring the offending host (2 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Monitoring the offending host (3 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Saving search criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Event list using the saved search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Lesson 5 Modifying saved searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
About Quick Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Using alternative methods to create and edit searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

Finding and loading a saved search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Search actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148

Unit 6 Using Asset Profiles to Investigate Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Lesson 1 Asset profiles overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Definition asset profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
About asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Data sources for asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154

Identity information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Lesson 2 Investigating asset profile details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Navigating from an IP address to an asset profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Assets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Asset summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Network Interface Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Display additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Lesson 3 Navigating the Assets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Locating asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Filtering asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Searching asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168

Server Discovery and VA Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169


Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Unit 7 Investigating an Offense Triggered by Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172

Lesson 1 Flows overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173


Definition flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174

About flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175


Creating flows from network activity information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Network Activity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Network specific properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Grouping flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179

Lesson 2 Using summary information to investigate an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180


Offense parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Top 5 Source and Destination IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Top 5 Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Top 5 Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Last 10 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Last 10 Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Lesson 3 Navigating flow details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Base information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Source and destination information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Layer 7 payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

© Copyright IBM Corp. 2017 vi


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Contents

Additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Lesson 4 False positives overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Preventing false positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
False positive flow or event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Lesson 5 Investigating superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
About superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196

Superflow source and destination information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Superflow additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200

Unit 8 Using Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202

Lesson 1 Rules overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Definition rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Testing for indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Finding the rules that fired for an event or flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206

Finding the rules that triggered an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207


Navigating to rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Navigating to rules (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Navigating to rules (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Lesson 2 Using rule definitions during an investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Rule Wizard demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Rule Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Rule tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214

Custom rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215


Building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Building blocks and function tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Function tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Partial match . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219

Custom rule and building block types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220


Lesson 3 Custom rule actions and responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Rule actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222


Based on the index, the Magistrate maintains offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Rule response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Rule response (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Adding and removing property values to and from reference sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226

Lesson 4 Using rules as search parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227


Searching offenses by contributing rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Searching events and flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Disabled custom rules and unused building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Lesson 5 Anomaly detection rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
About anomaly detection rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Navigating to anomaly detection rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Threshold rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Anomaly rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Behavioral rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

Unit 9 Using the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Lesson 1 Network Hierarchy overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Purpose Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Navigating to the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Predefined Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Crown jewels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Tree structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246

CIDR ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
About the Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248

Lesson 2 Using networks in investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Network of an IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Filtering by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Grouping by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252

Offenses overview by network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253


Networks of Source and Destination IP addresses in Offense Summary . . . . . . . . . . . . . . . . . . . . . . . .254
Networks in the Offense Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Lesson 3 Using Flow Bias and Direction in Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Flow Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Flow Bias (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Flow Direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Flow Bias and Direction difference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260

Lesson 4 Using the Network Hierarchy in rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261


Rule test conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Tagging by custom rules and building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265

Unit 10 Index and Aggregated Data Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266



Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Lesson 1 Using the Index Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Instructor demonstration of the Index management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Index Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Index information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271

Lesson 2 Using the Aggregated Data Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272


Instructor demonstration of the Aggregated data management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Aggregated Data Management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Enable or disable a view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Aggregated view of report data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Aggregated view of time series data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Aggregated view of ADE rules data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Lesson 3 Gathering index statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Instructor demonstration of the index management tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Creating a custom event property and using it in a search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Analyze the Search and Index metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284

Unit 11 Using Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Lesson 1 Navigating the Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Instructor demonstration of the Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Adding a saved search as a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Adding a saved search as a dashboard item (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Adding a saved search as a dashboard item (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Enabling a search to be used as a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294

Lesson 2 Customizing a dashboard item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Configuring dashboard items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Select what to display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Select how to display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298

Lesson 3 Utilize time-series charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299


Enabling time-series data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Investigating data trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Details one-minute time interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Zooming in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Focusing on less prevalent data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Resetting the zoom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Navigating to activity tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306

Activity tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307


Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309

Unit 12 Creating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310



Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Lesson 1 Navigating the Reports tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Reporting introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313


Reporting demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Reports tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Finding a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Running a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317

Selecting the generated report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318


Viewing a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Lesson 2 Creating a report template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Reporting demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Creating a new report template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Choosing a schedule and data time range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Time series data for report generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Choosing a layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Selecting the type of the top chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Configuring the top chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Configuring the top chart (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328

Selecting the type of the bottom chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Configuring the bottom chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Layout preview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Choosing a format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Distributing the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Adding a description and assigning to groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334

Verifying the report summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Viewing the generated report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Best practices when creating reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Student exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

Unit 13 Using Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Lesson 1 Filters overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Filters overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Filters introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343

Using Filters demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344


Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
Source and Destination IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Lesson 2 Filtering events and flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Continents, countries, and regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Associated With Offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Payload Matches Regular Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351

Payload Contains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352


Event Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Lesson 3 Filtering events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
Log Source (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356

Log Source Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357


Event Is Unparsed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358

AccountID Custom Event Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359


Lesson 4 Filtering flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Flow Source and Flow Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
TCP Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
DSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363

ICMP Type/Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364


Data Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Applications using nonstandard port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367

Unit 14 Using the Ariel Query Language (AQL) for Advanced Searches. . . . . . . . . . . . . . . . . . . 368
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Lesson 1 Describe the basics of AQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Ariel Query Language overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
AQL query flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Structure of an AQL query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373

SELECT statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Examples for SELECT statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
WHERE clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Examples of WHERE clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
GROUP BY clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Examples of GROUP BY clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379

HAVING clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Examples of HAVING clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
ORDER BY clause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Examples of ORDER BY clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383

Single or Double quotation marks in AQL queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Instructor demonstration of advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386

Lesson 2 Build AQL queries in advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Build AQL queries from the QRadar GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Prepare the search window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Instructor demonstration of advanced searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392

Unit 15 Analyzing a Real-World Large-Scale Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393


Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
About Target Corporation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
The situation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Phases of the intrusion kill chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Kill chain timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399

Kill chain timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400


Kill chain timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
First trigger - already compromised . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
More alerts - no linkage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
DOJ notification - 40 million records gone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405

Continued breaches undetected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406


Missed opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408


Potential improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410

Appendix A A real-world scenario introduction to IBM QRadar SIEM . . . . . . . . . . . . . . . . . . . . . 411



Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Anatomy of an attack - Lions at the watering hole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Anatomy of an attack - Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Anatomy of an attack - Vulnerable hosts were infected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Anatomy of an attack - Host response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Anatomy of an attack - The risk of delaying a response to an attack . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Apply Big Data to Security Intelligence and threat management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
A dynamic, integrated system to help detect and stop advanced threats . . . . . . . . . . . . . . . . . . . . . . . .420
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421

© Copyright IBM Corp. 2017 xi


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Contents

Appendix B IBM QRadar architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Lesson 1 QRadar functional architecture and deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Functional solution requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
An integrated, unified architecture in a single console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Identifying suspected attacks and policy violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429

Providing functional context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Network flow analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Extensible functional architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Cognitive Analytics: Revolutionizing how security analysts work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

Open Ecosystem and Collaboration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Deep Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439

Scalable appliance/software/virtual architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
Deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Lesson 2 QRadar SIEM component architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
High-level component architecture and data stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

Flow collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447


Flows per minute (FPM) burst handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Application detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
Superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
Event collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Autodiscovery of log sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455
Log source parsing uses QID mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456
Events per second (EPS) burst handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457

Event processor architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459


Custom Rules Engine (CRE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461
Accumulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Console architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Offense management by the Magistrate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466

New asset and service detection by Vulnerability Information Server . . . . . . . . . . . . . . . . . . . . . . . . . . .467


Anomaly Detection Engine rule types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468

Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469


Dissecting the flow of a captured event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470
Dissecting the flow of a captured event (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471
Dissecting the flow of a captured event (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Dissecting the flow of a captured event (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477

About this course

IBM QRadar SIEM Foundations


© Copyright IBM Corporation 2017



IBM QRadar SIEM provides deep visibility into network, user, and application activity. It provides collection, normalization, correlation, and secure storage of events, flows, asset profiles, and vulnerabilities. QRadar SIEM classifies suspected attacks and policy violations as offenses.

In this 3-day instructor-led course, you learn how to perform the following tasks:
• Describe how QRadar SIEM collects data to detect suspicious activities
• Describe the QRadar SIEM component architecture and data flows
• Navigate the user interface
• Investigate suspected attacks and policy violations
• Search, filter, group, and analyze security data
• Investigate events and flows
• Investigate asset profiles
• Describe the purpose of the network hierarchy
• Determine how rules test incoming data and create offenses
• Use index and aggregated data management
• Navigate and customize dashboards and dashboard items
• Create customized reports
• Use filters
• Use AQL for advanced searches
• Analyze a real-world scenario

Extensive lab exercises are provided to give students an insight into the routine work of an IT Security Analyst operating the IBM QRadar SIEM platform. The exercises cover the following topics:
• Using the QRadar SIEM user interface
• Investigating an offense triggered by events
• Investigating the events of an offense
• Investigating an offense that is triggered by flows
• Using rules
• Using the Network Hierarchy
• Index and Aggregated Data Management
• Using dashboards
• Creating reports
• Using AQL for advanced searches
• Analyzing a real-world large-scale attack

The lab environment for this course uses the IBM QRadar SIEM 7.3 platform with a QRadar SIEM server and a Linux-based client that provides web-based access to the QRadar SIEM server.

Details
Delivery method: Classroom or instructor-led online (ILO)
Course level: ERC 1.2. This course is a new course.
Product and version: IBM QRadar SIEM 7.3
Skill level: Basic

Audience
This course is designed for security analysts, security technical architects, offense managers,
network administrators, and system administrators using QRadar SIEM.

Prerequisites

Before taking this course, make sure that you have the following skills:
• IT infrastructure
• IT security fundamentals
• Linux
• Windows
• TCP/IP networking
• Syslog
Course agenda and description
The course contains the following units:

1. Introduction to IBM QRadar
Every organization must consider a Security Intelligence solution at the center of its overall IT security strategy, because the large number of IT security-related point solutions and the ever-growing sophistication of attackers demand consolidation and analysis of events and network traffic in close to real time.

This introduction covers the overall IBM QRadar ecosystem and shows how it is anchored at
the center of an overall security immune system.

2. IBM QRadar SIEM component architecture and data flows

Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT Security who is concerned with solutions in the overall security immune system. By learning how the central Security Intelligence components are designed to take in and process log events and flow data, you will be better equipped to work holistically as a Security Analyst.
In this unit we start at the functional architecture level and explain how IBM QRadar was designed from the ground up as a modular Security Intelligence solution. After taking a look at this modular design, its extensibility, and its deployment patterns, we closely examine the component architecture so that the analyst understands how data is ingested and processed. When analysts later examine the bits and pieces of a larger security incident investigation, this architectural understanding can substantially enhance their capability for detailed and fast analysis.

3. Using the QRadar SIEM User Interface


The user interface of QRadar SIEM is your workbench for gaining visibility into your environment from a security perspective. This lesson teaches you how to operate the interface, such as pausing and refreshing the displayed data, changing your password, and accessing help.

4. Investigating an Offense Triggered by Events



QRadar SIEM correlates events and flows into an offense if it detects suspicious activity. This unit teaches you how to investigate the information that is contained in an offense.

5. Investigating the Events of an Offense


The investigation of an offense usually leads to the investigation of the events that contributed
to the offense. This unit teaches you how to find, filter, and group events in order to gain critical
insights about the offense. You also learn how to create and edit a search that monitors the
events of suspicious hosts.

6. Using Asset Profiles to Investigate Offenses

QRadar SIEM stores security-relevant information about systems in your network in asset
profiles. This unit teaches you how asset profiles are created and updated, and how to use
them as part of an offense investigation.

7. Investigating an Offense Triggered by Flows


QRadar SIEM correlates flows into an offense if it detects suspicious network activity. This unit teaches you how to investigate the flows that contribute to an offense. You also learn how to create and tune false positives and how to investigate superflows.

8. Using Rules

Rules and building blocks test and correlate incoming events, flows, and offenses in QRadar SIEM for indicators of an attack or policy violation. Building blocks are used as variables in other rules or reports. Unlike building blocks, rules can perform an action or response if they evaluate to true. This unit teaches you the significance of rules and building blocks, and how to locate and understand their tests, actions, and responses.

9. Using the Network Hierarchy

The Network Hierarchy reflects your environment from a security perspective. This unit teaches you the significance of the Network Hierarchy and the many ways that QRadar SIEM uses and displays its information.

10. Index and Aggregated Data Management


Searches leverage indexes and data aggregation. This unit teaches you about indexes and
aggregated data.

11. Using Dashboards


QRadar SIEM displays the Dashboard tab after you have signed in. Items on a dashboard display information about activities in your network. The items enable you to focus on specific areas of interest. You can customize and add new items and dashboards. This unit teaches you how to navigate and customize the Dashboard tab.



12. Creating Reports


Reports condense data to statistical views on your environment for various purposes, in
particular to meet compliance requirements. This unit teaches you how to generate a report
using a predefined template and create a report template.

13. Using Filters


Filters limit a search result to the data that meets the conditions of the applied filters. Use filters
to look for specific activities or to view your environment from various angles. This unit teaches
you about some of the many available filters.

14. Using the Ariel Query Language (AQL) for Advanced Searches
Ariel Query Language (AQL) queries can retrieve stored data more flexibly than interactively built searches. This unit teaches you how to build and use AQL queries.

15. Analyzing a Real-World Large-Scale Attack

This unit evaluates a large-scale advanced persistent attack against a US retailer. You will
evaluate how a properly implemented Security Intelligence solution could have helped to fend
off the attackers.
This unit is based on the “Kill Chain” Analysis of the 2013 Target Data Breach study by the
Committee On Commerce, Science and Transportation, which is available at the following URL:

16. A real-world scenario introduction to IBM QRadar SIEM
In this appendix you can study a real-world attack scenario to explain the following details:

17. IBM QRadar architecture

Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT Security who is concerned with solutions in the overall security immune system. By learning how the central Security Intelligence components are designed to take in and process log events and flow data, you will be better equipped to work holistically as a Security Analyst.
In this unit we start at the functional architecture level and explain how IBM QRadar was designed from the ground up as a modular Security Intelligence solution. After taking a look at this modular design, its extensibility, and its deployment patterns, we closely examine the component architecture so that the analyst understands how data is ingested and processed. When analysts later examine the bits and pieces of a larger security incident investigation, this architectural understanding can substantially enhance their capability for detailed and fast analysis.
Unit 1 Introduction to IBM QRadar

Introduction to IBM QRadar



Every organization must consider a Security Intelligence solution at the center of its overall IT security strategy, because the large number of IT security-related point solutions and the ever-growing sophistication of attackers demand consolidation and analysis of events and network traffic in close to real time.

This introduction covers the overall IBM QRadar ecosystem and shows how it is anchored at the
center of an overall security immune system.

Note: You can expand this deck by using the Appendix Unit “BQ103_A1_Introduction_Real_World_Scenario”, which walks you through a real-world attack scenario explaining the attack vectors and how a Security Intelligence solution could have stopped this attack from being successful.

Objectives
In this unit, you learn to perform the following tasks:
• Describe why we need Security Intelligence and a security immune system
• Describe the QRadar ecosystem

Lesson 1 The security immune system and why we need Security Intelligence

Lesson: The security immune system and why we need Security Intelligence



It is important to understand today’s IT security drivers, which every organization is confronted with. The problem is rooted not only in the large number of attacks, but also in the immense diversity in how an individual attack can be carried out.

Let us investigate the following details:
• Today’s security drivers
• Number and diversity of attacks
• How to consolidate your security intelligence
• The IBM Security Immune System

Today’s security drivers

[Slide figure: the five security drivers, Advanced attacks, Human error, Innovation, Compliance, and Skills gap]

Every organization today is facing similar challenges when it comes to IT security. IT solutions need to be easy to use and access, but securing data assets and network access is paramount for almost every industry. Let us look at some of the most prevalent drivers.
• Advanced attacks
Cybercrime will become a $2.1 trillion problem by 2019 [1]. It takes companies an average of 229 days to detect advanced persistent threats [2].
Sources:
[1] Juniper Research: https://www.juniperresearch.com/researchstore/innovation-disruption/cybercrime-security/enterprise-threats-mitigation
[2] Ponemon Study: https://www.ponemon.org/blog/new-ponemon-study-on-malware-detection-prevention-released
• Human error
More than half of data breaches are caused by insiders, including employees, third-party contractors, and partners. Insider attacks happen across all industries and are caused by both inadvertent actors and malicious insiders. The financial services industry was hit hard in 2016 and experienced a greater percentage of insider attacks (58%) than outsider attacks (42%).
Note: 53% inadvertent actors and 5% malicious insiders.

Source: IBM X-Force Threat Intelligence Report – 2017:
https://www.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325
• Innovation
Cloud, mobile, and IoT create unprecedented risks to organizations. 44% of security leaders expect a major cloud provider to suffer a significant security breach in the future. 33% of organizations do not even test their mobile apps. Cisco estimates that by 2020 there will be 50 billion connected devices.
Sources:
https://www.ibm.com/press/us/en/pressrelease/45326.wss
https://securityintelligence.com/mobile-insecurity/
http://blogs.cisco.com/diversity/the-internet-of-things-infographic
• Compliance
Organizations are adapting to a threat-aware, risk-based approach instead of a compliance-based, box-checking approach. The General Data Protection Regulation (GDPR) is a new data protection framework that takes effect across Europe starting May 2018. GDPR does not just impact European companies: any organization that stores, accesses, processes, or uses EU residents’ personal data is subject to the regulation. Fines for violations have the potential to reach the billions for large, global companies, anywhere from 2 to 4 percent of a company’s gross revenue.
Source:
https://securityintelligence.com/prepared-for-the-general-data-protection-regulation-gdpr-top-10-findings-from-hurwitz-associates-survey/
• Skills gap
The shortage of skilled cyber security professionals is growing, with the projected talent gap reaching 1.8 million jobs by 2022. This skills shortage has left many companies stuck: a recent report from ISACA found that 55% of organizations reported that open cyber positions take at least three months to fill, while 32% said they take six months or more. And 27% of US companies said they are unable to fill cyber security positions at all.
Source:
http://www.techrepublic.com/article/4-tips-to-help-your-business-recruit-and-keep-cybersecurity-pros/

Attackers break through conventional safeguards every day


[Slide figure: 2014, 1+ billion records; 2015, unprecedented impact; 2016, 4+ billion records. Average time to identify a data breach: 201 days. Average cost of a U.S. data breach: $7M. Source: IBM X-Force Threat Intelligence Index - 2017]
Today’s threats continue to rise in number and scale as sophisticated attackers break through conventional safeguards every day.

Organized criminals, hacktivists, governments, and adversaries are compelled by financial gain, politics, and notoriety to attack your most valuable assets. Their operations are well-funded and business-like: attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted: they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk through human error. Even worse, security investments of the past can fail to protect against these new classes of attacks. The result is more severe security breaches happening more and more frequently.

In fact, according to the latest IBM X-Force Threat Intelligence Report, the number of data records and the variety of attacks have expanded to more than 4 billion!

Note: The size of the circle indicates the estimated relative impact.

Cyber criminals’ targets are now bigger and their rewards greater as they fine-tune efforts to obtain
and leverage higher value data than years past.

The demand for leaked data is trending toward higher-value records such as health-related
personally identifiable information (PII) and other highly sensitive data, with less emphasis on the

emails, passwords, and even credit card data that were the targets of years past. This PII can be
used for social engineering to gain access to valuable financial targets.

You see this in both the breach trends and the evolution of malware to target high value bank
accounts.

Source: IBM X-Force Threat Intelligence Report – 2017:
https://securityintelligence.com/media/ibm-x-force-threat-intelligence-index-2017/

According to a recent Ponemon study, 201 days is the average time it takes companies to identify a data breach, and it costs U.S. organizations an average of $7 million per data breach.

Source: Key findings from the 2017 Cost of Data Breach Study: Global Analysis
https://ibm.biz/BdjqHG

How do I get started when all I see is chaos?


[Slide figure: a scattered cloud of security capabilities that a typical organization already has: Access management, Application scanning, Application security management, Cloud access security broker, Cognitive security, Content security, Criminal detection, Data access control, Data monitoring, Device management, Endpoint detection and response, Endpoint patching and management, Entitlements and roles, Firewalls, Fraud protection, Identity management, Incident response, Indicators of compromise, IP reputation, Malware protection, Network forensics and threat management, Network visibility and segmentation, Privileged identity management, Sandboxing, Threat and anomaly detection, Threat hunting and investigation, Threat sharing, Transaction protection, User behavior analysis, Virtual patching, Vulnerability management, Workload protection]
Let us first set the stage of what the average IT security environment looks like. This is a snapshot of just some of the capabilities CISOs already have in their arsenal. They have been acquiring these different and scattered technologies over the years to address the many challenges that their complex environments face. The average enterprise has 85 tools from 45 vendors.

Once you start a conversation with them, you will hear them say, “Oh yeah, we have got that…” Which is fine, but are they INTEGRATED? Are they working together across your multiple teams, locations, and platforms? Or is it just creating more complexity, risk, and cost, and as a result, are they losing visibility into their network?

How can a CISO, or frankly any security professional, gain any valuable insight and control over their security environments when all they see is this type of scattered chaos in the technologies they themselves are already using?

Hint: If you want to examine a typical cyber attack that depicts some of these challenges, you can now load and study Appendix 1: BQ103_A1_Introduction_Real_World_Scenario.pptx. Once you’re done, you can resume your studies here.

An integrated and intelligent security immune system


[Slide figure: the same capabilities, now grouped around their domains and a central security analytics core: Indicators of compromise, IP reputation, Threat sharing; Endpoint detection and response, Endpoint patching and management, Malware protection; Network forensics and threat management, Firewalls, Sandboxing, Virtual patching, Network visibility and segmentation; Threat and anomaly detection, User behavior analysis, Vulnerability management, Incident response, Cognitive security, Threat hunting and investigation; Transaction protection, Device management, Content security; Fraud protection, Criminal detection; Data monitoring, Data access control; Privileged identity management, Entitlements and roles, Access management, Identity management; Application scanning, Application security management; Cloud access security broker, Workload protection]
We encourage organizations to think about their security imperatives in a more organized fashion:
structured around logical domains, and centered around a core discipline of security analytics. This
core is enabled by cognitive intelligence that continuously understands, reasons, and learns the
many variables that are affecting their environments and feeds the entire ecosystem of connected
capabilities.

This is where the immune system metaphor really comes into play, where you can start to imagine
different organs as your layers of defense, all working together to automate policies and block
threats. Much like when you get sick, these are the organs that understand the threat and send data
up through your central nervous system (security analytics) to create white blood cells / antibodies
to gather information, prioritize and take actions. This is what is called the “Immune Response”.

And by the way, this is just part of the story. It is really not fully integrated until it is integrated with
the extended partner ecosystem: integration that enables collaboration across companies and
competitors, to understand global threats and data, and adapt to new threats.

Integration can help increase visibility. Notice how capabilities organize around their domains. You
will start to get an idea of how this immune system works. Like a body fighting a virus, there are
different parts of a security portfolio working at once.


IBM security immune system portfolio

Slide diagram (products grouped into three domains: Security Operations and Response, Information
Risk and Protection, and Security Transformation Services): App Exchange, X-Force Exchange, BigFix,
QRadar Network Security (XGS), QRadar Incident Forensics, QRadar SIEM, QRadar User Behavior
Analytics, QRadar Vulnerability / Risk Manager, Resilient Incident Response, Trusteer Pinpoint,
MaaS360, Trusteer Mobile, QRadar Advisor with Watson, i2 Enterprise Insight Analysis, Trusteer
Rapport, Guardium, Identity Governance and Access, Key Manager, Privileged Identity Manager, Cloud
Identity Service, AppScan, Cloud Security, zSecure. Services: Management consulting | Systems
integration | Managed security.


IBM offers a rich portfolio of products and services that are organized into three domains that
uniquely address client needs.

Note: This slide uses animation as explained below.

• First is the Security Operations and Response domain that helps organizations orchestrate their
defenses throughout the attack lifecycle.
• The second is the Information Risk and Protection domain that helps organizations protect their
most critical information and risks.
• And the third is the Security Transformation Services which help organizations transform their
security program. All of the IBM Security offerings are backed by an extensive business partner
ecosystem which consists of industry-leading technology, sales and service partners.

Security Operations and Response

These are the key offerings:

• IBM X-Force Exchange: Automatically update incident artifacts with threat intelligence
• IBM App Exchange: Quickly defend your organization with apps and add-ons
• IBM BigFix: Find, fix, and secure endpoint threats and vulnerabilities
• IBM QRadar Network Security (XGS): Prevent network exploits and limit malware
communications
• IBM QRadar Security Intelligence: Use advanced analytics to discover and eliminate threats
• IBM Resilient Incident Response Platform: Generate response playbooks and coordinate
activity
• IBM QRadar User Behavior Analytics: Helps detect insider threat and risks
• IBM Security Services: Deliver operations consulting to help implement processes and
response experts when something goes wrong

Information Risk and Protection

These are the key offerings:

• IBM Cloud Security: Delivering new investments to help secure innovation to and from the cloud
• IBM MaaS360: Mobile productivity and enterprise security without compromise
• IBM Identity Governance and Access Management: Govern and enforce context-based access
to critical assets
• IBM Guardium: Protect crown jewels across the enterprise and cloud
• IBM AppScan: Scan and remediate vulnerabilities in modern applications
• IBM Trusteer: Stop financial and phishing fraud, and account takeovers
• IBM Security Services: Deliver governance, risk and compliance consulting, systems
integration and managed security services

Security Transformation Services

• Security Strategy, Risk and Compliance: Automate governance, risk and compliance programs
• Security Intelligence and Operations: Build security operations and security fusion centers
• Cyber Security Assessment and Response: Establish robust security testing and incident
management programs
• Identity Governance and Management: Modernize identity and access management for the
cloud and mobile era
• Data and Application Security: Deploy robust critical data protection programs
• Infrastructure and Endpoint Security: Redefine infrastructure and endpoint solutions with secure
software-defined networks

Lesson 2 The QRadar Ecosystem


This lesson explains how Security Intelligence works and how IBM defines it. Realizing that the
overall goal is to detect, or even prevent, any vulnerability exploit, we examine the exploit timeline
and how IBM QRadar solutions can help.


Best practices: Intelligent detection

1 Predict and prioritize security weaknesses
ƒ Gather threat intelligence information
ƒ Manage vulnerabilities and risks
ƒ Augment vulnerability scan data with context for optimized prioritization
ƒ Manage device configurations (firewalls, switches, routers, IPS/IDS)

2 Detect deviations to identify malicious activity
ƒ Establish baseline behaviors
ƒ Monitor and investigate anomalies
ƒ Monitor network flows

3 React in real time to exploits
ƒ Correlate logs, events, network flows, identities, assets, vulnerabilities, and configurations, and add
context
ƒ Use automated and cognitive solutions to make data actionable by existing staff

To recap, the cost of cyber attacks is increasing, threats are escalating and becoming more
complex, perimeter defenses are no longer sufficient, and new techniques like flow analysis,
anomaly detection, and vulnerability management are needed. That statement defines the problem,
and offers some capabilities that can help, but exactly what can you do about it? What are the best
practices that you should follow?
• The first best practice is proactive in nature. Identify, predict, and prioritize your security
weaknesses so you can take actions to prevent a breach. Use resources such as X-Force and
the US National Vulnerability Database (https://nvd.nist.gov/) to gather threat information,
address vulnerabilities and risks based on priorities, add network context, and manage device
configurations to improve security. You could improve security, for example, by removing
ineffective firewall rules and adding new rules that are more effective.
• Use tools that can detect unusual behavior for follow-up. Deploy solutions that can find network
anomalies and provide visibility to network flows for the reasons mentioned earlier.
• Use Security Intelligence solutions that use integrations, automation, and context to provide a
complete view of what is happening in your network. Automation is key so that you can utilize
existing staff more efficiently, and reduce the large amount of collected data into a small number
of events that can be acted upon by existing personnel.
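
The "establish baseline behaviors, then monitor and investigate anomalies" step of the second best
practice, shown as an added example that is not part of the course material or of QRadar's own
analytics. It assumes a constructed set of daily outbound byte totals per host, a mean plus three
standard deviations threshold, and skips hosts that have no baseline yet, since a host with no history
cannot be judged as deviating from it:

```python
"""Baseline-and-deviation check over constructed per-host flow summaries.

Added example (not IBM's or QRadar's code). All byte counts below are
constructed for this illustration.
"""
from statistics import mean, pstdev

# Constructed daily outbound byte totals per host for a 7-day baseline window.
BASELINE = {
    "10.0.1.10": [120_000, 130_000, 125_000, 118_000, 122_000, 127_000, 121_000],
    "10.0.1.20": [5_000_000, 5_200_000, 4_900_000, 5_100_000, 5_050_000, 4_950_000, 5_150_000],
    "10.0.1.30": [60_000, 64_000, 58_000, 62_000, 59_000, 61_000, 63_000],
}

# Constructed totals for the day under review.
TODAY = {
    "10.0.1.10": 124_000,      # within its own baseline
    "10.0.1.20": 5_080_000,    # large in absolute terms, but normal for this host
    "10.0.1.30": 900_000,      # roughly 15x its baseline: worth an analyst's attention
}


def build_baseline(history, min_days=5):
    """Return {host: (mean, population stdev)} for hosts with enough history."""
    return {h: (mean(v), pstdev(v)) for h, v in history.items() if len(v) >= min_days}


def deviation_score(value, baseline):
    """Number of standard deviations `value` sits above (or below) the baseline mean."""
    m, sd = baseline
    if sd == 0:
        # A perfectly flat baseline: any change is a deviation, no change is none.
        return float("inf") if value != m else 0.0
    return (value - m) / sd


def find_anomalies(today, history, threshold=3.0):
    """Return (host, score, value, baseline_mean) tuples above `threshold`, highest first.

    Hosts absent from the baseline are skipped rather than flagged: a brand-new
    host has no behavior to deviate from, and would otherwise generate noise.
    """
    baselines = build_baseline(history)
    hits = []
    for host, value in today.items():
        if host not in baselines:
            continue
        score = deviation_score(value, baselines[host])
        if score > threshold:
            hits.append((host, round(score, 1), value, round(baselines[host][0])))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for host, score, value, base in find_anomalies(TODAY, BASELINE):
        print(f"{host}: {value} bytes today vs baseline mean {base} ({score} sd above)")
```

The per-host baseline is the point: the 5 MB host is never flagged even though it moves the most
bytes, while the 60 KB host is flagged the moment it behaves unlike itself.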


What is Security Intelligence

Security Intelligence
--noun
The real-time collection, normalization, and analytics of the data generated by users, applications,
and infrastructure that impacts the IT security and risk posture of an enterprise

Security Intelligence provides actionable and comprehensive insight for managing risks and threats
from protection and detection through remediation

Several years ago, IBM introduced the term Security Intelligence to describe the value that
organizations can gain from their security data by treating and analyzing security information in
much the same way they do the outputs produced from other business functions, such as
marketing.

This term is being used more and more by customers, vendors, and industry experts, but they do
not seem to be describing the same concept. To avoid confusion, IBM’s definition is stated on the
slide. The goal of Security Intelligence is to provide actionable and comprehensive insight that
reduces risk and operational effort for any organization, regardless of its size.

Data collected and warehoused by security intelligence solutions includes logs, events, network
flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations
and external threat data.

Security Intelligence provides analytics to answer fundamental questions that cover the full
“before-during-and-after” timeline of risk and threat management.


Ask the right questions – The exploit timeline

Questions across the timeline: What are the major risks and vulnerabilities? Are we configured to
protect against advanced threats? What security incidents are happening right now? What was the
impact to the organization?

Timeline: Vulnerability – Pre-Exploit – Exploit – Post-Exploit – Remediation

PREDICTION / PREVENTION PHASE (Vulnerability Manager, Risk Manager)
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before
exploit

REACTION / REMEDIATION PHASE (SIEM, Incident Forensics)
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation, reducing time to find the root cause; use results to drive faster
remediation

Securing today’s businesses and public organizations requires a new approach. Everyone needs to
gain insights across the entire security event timeline.

The IBM Security Intelligence solution helps customers react and respond to exploits as they occur
in a network. IBM solutions that help to model risk, evaluate configurations, and prioritize
vulnerabilities also provide much-needed value to customers as they seek to predict and prevent
incidents in the first place.

To IBM, Security Intelligence can be characterized in two ways. First, Security Intelligence is the
result of advanced analytics. It is the wisdom gained from reviewing every available bit of data and
normalizing, correlating, indexing, and pivoting it to discover the dozen things your team needs to
investigate as soon as possible. Alternatively, Security Intelligence characterizes the iterative
process of eliminating false positive results by continuously tuning the system analytics and rules to
remove an increasing number of interesting but nonthreatening incidents.

Adding QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Incident Forensics
modules to the core Security Information and Event Management (SIEM) engine improves
accuracy and provides context throughout the entire security event timeline, from detection and
protection through investigation and remediation. Working together, these solutions can help you
both reduce exposures and recognize attacks as early as possible.


IBM QRadar Vulnerability Manager

Scan, assess, and remediate vulnerabilities

• Contains an embedded, well proven, scalable, analyst recognized vulnerability detection engine
that detects more than 70,000 vulnerabilities
• Integrates into the QRadar ecosystem
• Is present on all QRadar event and flow collector and processor appliances (QRadar 7.2 and up)
as well as QRadar data nodes (QRadar 7.2.8 and up)
• Integrates with endpoint management (IBM BigFix), web application security (IBM AppScan),
database security (IBM Guardium), and network management (IBM Security SiteProtector)
• Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and FW
• Uses QFlow to report whether a vulnerable application is active
• Presents a prioritized list of vulnerabilities you should deal with as soon as possible

QRadar Vulnerability Manager proactively discovers network device and application security
vulnerabilities, adds context, and supports the prioritization of remediation and mitigation activities.
It is fully integrated with the QRadar Security Intelligence platform, and enriches the results of both
scheduled and dynamic vulnerability scans with network asset information, security configurations,
flow data, logs, and threat intelligence to manage vulnerabilities and achieve compliance.

QRadar Vulnerability Manager helps you develop an optimized plan for addressing security
exposures. Unlike stand-alone tools, the solution integrates vulnerability information to help
security teams gain the visibility they need to work more efficiently and reduce costs. It is part of the
QRadar SIEM architecture. It can be quickly activated with a licensing key and requires no new
hardware or software appliances.

IBM QRadar Vulnerability Manager provides the following capabilities:

• Helps prevent security breaches by discovering and highlighting over 70,000 known dangerous
default settings, misconfigurations, software features, and vendor flaws.
• Provides a consolidated vulnerability view across major vulnerability products and technologies.
• Adds context to identify key vulnerabilities and reduce false positives.
• Integrates with IBM QRadar Security Intelligence Platform for easy installation, faster time to
value, and reduced deployment cost.
• Performs intelligent, customizable scheduled and event-driven scanning, asset discovery, and
asset profiling for 360-degree, enterprise wide visibility to your network.


IBM QRadar Risk Manager

Scan, assess, and remediate risks

• Network topology model based on security device configurations enables visualization of actual
and potential network traffic patterns
• Policy engine correlates network topology, asset vulnerabilities and configuration, and actual
network traffic to quantify and prioritize risk, enabling risk-prioritized remediation and compliance
checking, alerting, and reporting
• Centralizes network security device configuration data and discovers configuration errors;
monitors firewall rule activity
• Models threat propagation and simulates network topology changes

Slide diagram labels: Asset risk quantification, Remediation prioritization, Network topology, Policy
and compliance monitoring, Threat simulations.

QRadar Risk Manager provides three key areas of value that build on top of the QRadar SIEM
value proposition:

• Network topology visualization and path analysis
• Network device optimization and configuration monitoring
• Improved compliance monitoring and reporting

A key area to emphasize is the ability of the product to risk-prioritize vulnerable machines based on
network reachability, and to provide detailed device configuration information that can be used to
quickly shut down network paths that attackers may use to exploit vulnerabilities. This is key, as
many vulnerabilities either cannot be rapidly remediated due to change windows or technological
limitations, or remediation might not be available because many vulnerabilities never have patches
available. In either case, the ability to rapidly pinpoint the precise firewall rules that enable the
attack path is key.
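
Reachability-based prioritization of the kind described above, as an added example that is not
QRadar Risk Manager's code. It assumes a constructed firewall rule set evaluated first-match in
order, constructed vulnerability findings with placeholder labels, and a probe address from the
TEST-NET-3 documentation range standing in for an untrusted source; `first_match` and
`prioritize` are names chosen for this example. The output ranks findings that the untrusted source
can actually reach ahead of equally severe findings that a rule already blocks, and records which
rule decided each path:

```python
"""Rank vulnerability findings by firewall reachability from an untrusted source.

Added example (not QRadar Risk Manager's implementation). Rules, findings
and addresses are constructed; first-match rule evaluation is an assumption.
"""
from ipaddress import ip_address, ip_network

# Constructed firewall rules, evaluated first-match in order. dport None = any port.
RULES = [
    {"id": 10, "action": "deny",  "src": "0.0.0.0/0",  "dst": "10.0.2.0/24", "dport": 445},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0",  "dst": "10.0.1.5/32", "dport": 443},
    {"id": 30, "action": "allow", "src": "0.0.0.0/0",  "dst": "10.0.1.0/24", "dport": 8080},
    {"id": 40, "action": "allow", "src": "10.0.0.0/8", "dst": "10.0.2.0/24", "dport": None},
    {"id": 99, "action": "deny",  "src": "0.0.0.0/0",  "dst": "0.0.0.0/0",   "dport": None},
]

# Constructed findings: (host, listening port, severity 0-10, placeholder label).
FINDINGS = [
    ("10.0.1.5", 443,  7.5, "TLS library flaw (placeholder)"),
    ("10.0.1.7", 8080, 9.8, "web application RCE (placeholder)"),
    ("10.0.2.9", 445,  9.8, "SMB service flaw (placeholder)"),
    ("10.0.2.9", 3306, 6.5, "database service flaw (placeholder)"),
]

# TEST-NET-3 address standing in for "somewhere on the Internet".
UNTRUSTED_SRC = ip_address("203.0.113.7")


def first_match(rules, src, dst, dport):
    """Return the first rule whose src/dst/port match, or None if no rule applies."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if (src_ip in ip_network(rule["src"])
                and dst_ip in ip_network(rule["dst"])
                and (rule["dport"] is None or rule["dport"] == dport)):
            return rule
    return None


def prioritize(findings, rules, probe_src):
    """Return findings ordered exposed-first, then by severity, with the deciding rule id.

    A finding is 'exposed' when the first matching rule for (probe_src -> host:port)
    is an allow rule; that rule id is what a change request would need to cite.
    """
    ranked = []
    for host, port, severity, label in findings:
        rule = first_match(rules, str(probe_src), host, port)
        exposed = rule is not None and rule["action"] == "allow"
        ranked.append({
            "host": host, "port": port, "severity": severity, "label": label,
            "exposed": exposed, "rule": rule["id"] if rule else None,
        })
    return sorted(ranked, key=lambda f: (not f["exposed"], -f["severity"]))


if __name__ == "__main__":
    for f in prioritize(FINDINGS, RULES, UNTRUSTED_SRC):
        state = "EXPOSED" if f["exposed"] else "blocked"
        print(f"{state:8} {f['host']}:{f['port']} sev {f['severity']} via rule {f['rule']}: {f['label']}")
```

Two findings share the same 9.8 severity here, but only one of them is reachable from the outside;
the blocked one can wait for its change window, and the deciding rule id for the exposed one tells
you exactly which firewall line to look at first.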


IBM QRadar SIEM

Web-based command console for Security Intelligence
• Delivers actionable insight, focusing security teams on high-probability incidents
  Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities
• Detects and tracks malicious activity over extended time periods, helping uncover advanced
threats often missed by other solutions
  Consolidates “big data” security incidents within purpose-built, federated database repository

Optimized threat analysis
• Provides anomaly detection to complement existing perimeter defenses
  Calculates identity and application baseline profiles to assess abnormal conditions automatically
• Provides deep visibility into network, user, and application activity
• Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use

Slide sidebar: Daily volume of events and flows, 2,000,000,000, automatically analyzed to find ~25
potential offenses to investigate (global enterprise, dedicated SOC team).

QRadar SIEM consolidates log source event data from thousands of device endpoints and
applications distributed throughout a network. It performs immediate normalization and correlation
activities on raw data to distinguish real threats from false positives. As an option, this software
incorporates IBM X-Force Threat Intelligence, which supplies a list of potentially malicious IP
addresses including malware hosts, spam sources, and other threats. QRadar SIEM can also
correlate system vulnerabilities with event and network data, helping to prioritize security incidents.

IBM QRadar SIEM provides the following capabilities:

• Provides near real-time visibility for threat detection and prioritization, delivering surveillance
throughout the entire IT infrastructure
• Reduces and prioritizes alerts to focus investigations on an actionable list of suspected
incidents
• Enables more effective threat management while producing detailed data access and user
activity reports
• Delivers security intelligence in cloud environments
• Produces detailed data access and user activity reports to help manage compliance
• Offers multi-tenancy and a master console to help Managed Service Providers provide security
intelligence solutions in a cost-effective manner


IBM QRadar Incident Forensics

Intuitive investigation of security incidents

• Reduces incident investigation periods from days or hours to minutes
  Employs Internet search engine technology to close security team skill gaps
• Compiles evidence against malicious entities breaching secure systems and deleting or stealing
sensitive data
  Creates rich “digital impression” visualizations of related content
• Helps determine root cause of successful breaches to prevent or reduce recurrences
  Adds full packet captures to complement SIEM security data collection and analytics

Slide graphic caption: Incident Forensics wins the race against time.

QRadar Incident Forensics allows you to retrace the step-by-step actions of a potential attacker,
and quickly and easily conduct an in-depth forensics investigation of suspected malicious network
security incidents. It reduces the time it takes security teams to investigate offense records, in many
cases from days to hours, or even minutes. It can also help you remediate a network security
breach and prevent it from happening again.

The solution offers an optional QRadar Packet Capture appliance to store and manage data used
by QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any
number of these appliances can be installed as a tap on a network or subnetwork to collect the raw
packet data.

QRadar Incident Forensics provides the following capabilities:

• Retraces the step-by-step actions of cyber criminals to provide deep insights into the impact of
intrusions and help prevent their reoccurrence
• Reconstructs raw network data related to a security incident back into its original form for a
greater understanding of the event
• Integrates with IBM QRadar Security Intelligence Platform and offers compatibility with many
third-party packet capture offerings


QRadar embedded intelligence offers automated offense identification

Slide diagram labels:
• Data sources: Security devices, Servers and mainframes, Network and virtual activity, Data activity,
Application activity, Configuration information, Vulnerabilities and threats, Users and identities,
Global threat intelligence
• Correlation: Logs/events, Flows, IP reputation, Geographic location
• Activity baselining and anomaly detection: User activity, Database activity, Application activity,
Network activity
• Secure archive
• Offense identification: Credibility, Severity, Relevance
• Suspected incidents, Prioritized incidents
• Embedded intelligence

Harness security-relevant information from across the organization. Use real-time big data
analytics to provide context to help detect threats faster, identify vulnerabilities, prioritize risk, and
automate compliance activities.

For security threat management, the key challenge is to reduce millions of logs to actionable
intelligence that identifies key threats. Traditional first generation SIEM systems achieve this by
leveraging correlation, for example, “five failed logins followed by a successful login,” to identify
suspected security incidents. Event correlation is a very important tool, but it is not enough.
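
The “five failed logins followed by a successful login” correlation in working form, as an added
example rather than QRadar's rule engine. The log line format, hosts, users and addresses are all
constructed for this example; the correlation key (source address plus user), the count of five and
the ten-minute window are assumptions that a real rule would make tunable. Feeding it the
constructed lines shows the reduction from raw events to suspected incidents that the text is
talking about:

```python
"""Event correlation over constructed authentication log lines.

Added example (not QRadar's rule engine). Implements the classic
"N failed logins followed by a success" rule keyed on (source, user).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, deliberately simple log format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) outcome=(?P<outcome>FAIL|SUCCESS)$"
)

# Constructed log lines: a benign typo (alice), a burst that should correlate (bob),
# and two stale failures too far from their success to count (carol).
LOG_LINES = [
    "2017-12-01T10:00:01Z host=srv1 user=alice src=10.0.0.5 outcome=FAIL",
    "2017-12-01T10:00:09Z host=srv1 user=alice src=10.0.0.5 outcome=SUCCESS",
    "2017-12-01T10:05:00Z host=srv1 user=bob src=198.51.100.9 outcome=FAIL",
    "2017-12-01T10:05:04Z host=srv1 user=bob src=198.51.100.9 outcome=FAIL",
    "2017-12-01T10:05:08Z host=srv1 user=bob src=198.51.100.9 outcome=FAIL",
    "2017-12-01T10:05:12Z host=srv1 user=bob src=198.51.100.9 outcome=FAIL",
    "2017-12-01T10:05:16Z host=srv1 user=bob src=198.51.100.9 outcome=FAIL",
    "2017-12-01T10:05:20Z host=srv1 user=bob src=198.51.100.9 outcome=SUCCESS",
    "2017-12-01T11:00:00Z host=srv2 user=carol src=10.0.0.8 outcome=FAIL",
    "2017-12-01T11:00:30Z host=srv2 user=carol src=10.0.0.8 outcome=FAIL",
    "2017-12-01T11:30:00Z host=srv2 user=carol src=10.0.0.8 outcome=SUCCESS",
]


def parse(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(lines, failures=5, window=timedelta(minutes=10)):
    """Return (incidents, parsed_event_count).

    Fires one incident when a SUCCESS for (src, user) is preceded by at least
    `failures` FAIL events from the same key inside `window`. Failures older
    than the window are forgotten, so a stale burst cannot combine with a much
    later, unrelated success.
    """
    recent_failures = defaultdict(list)
    incidents = []
    parsed = 0
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        parsed += 1
        key = (event["src"], event["user"])
        recent_failures[key] = [t for t in recent_failures[key] if event["ts"] - t <= window]
        if event["outcome"] == "FAIL":
            recent_failures[key].append(event["ts"])
        elif len(recent_failures[key]) >= failures:
            incidents.append({
                "src": event["src"], "user": event["user"], "host": event["host"],
                "failures": len(recent_failures[key]), "success_at": event["ts"],
            })
            recent_failures[key].clear()  # one incident per burst, not one per later success
    return incidents, parsed


if __name__ == "__main__":
    found, total = correlate(LOG_LINES)
    print(f"{total} events reduced to {len(found)} suspected incident(s)")
    for inc in found:
        print(f"  {inc['user']} from {inc['src']} on {inc['host']}: "
              f"{inc['failures']} failures then success at {inc['success_at']}")
```

The rule only ever sees what reaches it: strip the FAIL lines from the input and the same SUCCESS
line is indistinguishable from a normal login, which is the second limitation the text goes on to
describe.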

There are two problems. First, consider a 100k to 1 reduction ratio of events to correlated incidents.
On the surface, this sounds impressive, but for companies generating 2 billion events per day (and
you do not need to be a massive company to do that), it will leave that company’s security team
with 20,000 incidents per day to investigate. Traditional SIEM correlation cannot get the data
reduced enough and of course Log Managers cannot even get a 10,000 to 1 reduction ratio.

Secondly, an exclusive reliance on event correlation assumes that the criminals will not figure out
ways to disable or bypass logging infrastructure. However, that is practically their entire focus and
you cannot correlate logs that are not there. This limitation results in missed threats or a very poor
understanding of the impact of a breach.

QRadar vastly expands the capabilities of traditional SIEM systems by incorporating new analytics
techniques and broader intelligence. Unlike any other SIEM system in the market today, QRadar
captures all activity on the network for assets, users, and attackers before, during, and after an
exploit and analyzes all suspected incidents in this context. New analytical techniques such as
behavioral analysis are applied. QRadar notifies analysts about offenses, where an offense is a
correlated set of incidents with all of the essential, associated network, asset, vulnerability, and
identity context. By adding business and historical context to suspected incidents and applying new
analytic techniques, massive data reduction is realized and threats otherwise missed will be
detected.

IBM delivers real-time correlation and anomaly detection across a distributed and scalable
repository of security information to enable more accurate security monitoring and better visibility
for any organization, small or large.


QRadar embedded intelligence directs focus for investigations

Slide diagram labels: Suspected incidents, Prioritized incidents, Directed forensics investigations,
Embedded intelligence.

• Reduce time to resolution through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent recurrences

QRadar has the forensic ability to use collected data to recover the details that are critical to a much
deeper and faster investigation.


Benefits of IBM Security Intelligence approach using QRadar

Slide diagram labels: Threat and Anomaly Protection, Vulnerability and Risk Management, Incident
Forensics and Response, User Behavior Analytics, Compliance Reporting, Cognitive Security.

The Security Operations Center team has a complex job to do – finding and stopping advanced
threats before they do damage and/or steal valuable assets. IBM offers an entire integrated
platform of capabilities that work together to provide the broadest visibility of any platform on the
market – and QRadar is at the center of attention.

Holistic IT security management and integration with infrastructure and processes

• Use tools and solutions that know how to communicate with each other
• Integrate with centralized vulnerability and risk management
• Provide out of the box compliance reporting

Proactive Threat and Anomaly Protection

• Detect and counteract the threat before the actual exploit
• Employ powerful User Behavior Analytics
• Use threat information and threat research from IBM’s X-Force team

Network flow analysis and forensics

• Collect data that no attacker can obfuscate (network flow) and store application data for more
detailed forensic investigations

Cognitive Security

• Automated analysis of security incidents and anomalies powered by Watson for Cyber Security
to help transform security operations
• Powerful cognitive analytics that help security teams address skills shortages, alert overloads,
incident response delays, currency of security information and process risks

.R ial
.N c
C pe
to es
ec n
oy cio
pr a
rm
Fo

© Copyright IBM Corp. 2017 25


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 1 Introduction to IBM QRadar
Summary

Uempty

Summary
Now you should be able to perform the following tasks:
• Describe why we need Security Intelligence and a security immune system
• Describe the QRadar ecosystem

Unit 2 IBM QRadar SIEM component
architecture and data flows


Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning how
the central Security Intelligence components are designed to take in and process log events and
flow data, you will be better equipped to holistically work as a Security Analyst.

In this unit we start at the functional architecture level and explain how IBM QRadar was designed
as a modular Security Intelligence solution from the ground up. After taking a look at this modular
design, its extensibility and deployment pattern, we closely examine the component architecture so
that the analyst understands how data is ingested and processed. When the analysts later examine
bits and pieces of a larger security incident investigation, this architectural understanding can
substantially enhance their capability for detailed and fast analysis.

Objectives
In this unit, you learn to perform the following tasks:
• Describe QRadar functional architecture and deployment models

• Describe QRadar SIEM component architecture

Lesson 1 QRadar functional architecture and deployment models


This lesson explains the QRadar functional architecture and deployment models. It shows how
IBM QRadar was designed as a modular Security Intelligence solution from the ground up.
Functional solution requirements


• IT Log Management
Collect and securely archive log event and network flow records for forensic analysis
• IT Regulatory Compliance
– Collect and securely archive log records for audit and compliance
– Generate reports required by internal or external regulations to successfully pass compliance audits
• IT Internal monitoring
Frequently collect, correlate, and analyze data to alert on security policy violations
• Threat detection
Analyze event log and network flow data to detect and alert on IT security risk management related issues

In order to describe the functional components of the IBM QRadar solution you need to understand
the basic functional requirements for an overall SIEM solution.

The first requirement addresses IT log management for forensic analysis. The archived event and
network flow records are used to analyze incidents and gather evidence. The data must be
collected and stored reliably in its original format to stand up as evidence in a court of law or to be
used for compliance reporting. Also, the data must be archived for several years and it must be
searchable.

To fulfill the compliance audit requirement, the archived data is used to prove that relevant audit
information has been collected and securely stored. Furthermore, the data must be used to create
reports required by the regulation, and the regulatory compliance reports must be stored for a
period of time.

The next requirement addresses IT internal monitoring to alert on security policy violations. This in
itself requires an organizational IT Security Policy that defines appropriate use of the IT
environment. High risk offenses to the policy must be identified and reported upon, and offenses
must be managed. IT usage that is not in compliance with the policy must be reported upon.

The most prevalent requirement today, however, revolves around IT security risk management for
the overall organization. All of the previously described functional requirements apply here as well.
In addition, an extensive knowledge of the IT environment, and the threats to which it is exposed, is
required. To perform anomaly detection it is also necessary to understand data patterns within the
captured events and network flows.

An integrated, unified architecture in a single console

The QRadar console is the central interface for all analyst related tasks. It provides a number of
tabs that allow insight into different views of the collected and correlated data.

No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console, with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.

• Dashboard
The Dashboard tab allows an organization to define many different views into the collected and
processed data. QRadar provides many predefined dashboards, but you can create and
maintain your own.
• Offenses
Use the Offenses tab to view all the offenses that occur on your network and complete the
following tasks:
– Investigate offenses, source and destination IP addresses, network behaviors, and
anomalies on your network
– Correlate events and flows that are sourced from multiple networks to the same destination
IP address
– Go to the various pages of the Offenses tab to investigate event and flow details
– Determine the unique events that caused an offense
• Log Activity

The Log Activity tab displays event information as records from a log source, such as a firewall
or router device. Use the Log Activity tab to do the following tasks:
– Investigate event data
– Investigate event logs that are sent to QRadar SIEM in real time
– Search events

– Monitor log activity by using configurable time-series charts
– Identify false positives to tune QRadar SIEM

• Network Activity
If the content capture option is enabled, the Network Activity tab displays information about
how network traffic is communicated and what was communicated. Here, you can do the
following tasks:
– Investigate the flows that are sent to QRadar SIEM in real time
– Search network flows
– Monitor network activity by using configurable time-series charts
• Assets
QRadar automatically creates asset profiles by using passive flow data and vulnerability data to
discover your network servers and hosts.
Asset profiles provide information about each known asset in your network, including the
services that are running. Asset profile information is used for correlation purposes, which helps
to reduce false positives.
Use the Assets tab to do the following tasks:
– Search for assets
– View all the learned assets
– View identity information for learned assets
– Tune false positive vulnerabilities
• Reports
Report templates are grouped into report types, such as compliance, device, executive, and
network reports. Use the Reports tab to complete the following tasks:
– Create, distribute, and manage reports for QRadar SIEM data
– Create customized reports for operational and executive use
– Combine security and network information into a single report

– Use or edit preinstalled report templates
– Brand your reports with customized logos. Branding is beneficial for distributing reports to
different audiences

– Set a schedule for generating both custom and default reports

– Publish reports in various formats
• Vulnerabilities
If the QRadar Vulnerability Manager license has been deployed, you will see a Vulnerabilities
tab, which you can use for the following tasks:
– Create and manage Scan Policies and Scan Profiles
– Execute vulnerability scans for your deployed assets
– Create, distribute, and manage vulnerability reports to stakeholders
– Integrate with endpoint management systems to fix vulnerabilities

• Admin
The Admin tab provides all tools to manage and maintain the QRadar deployment. Analysts
typically do not have access to these tools.

The example in this screenshot depicts the integration of the QRadar console with QRadar
Vulnerability Manager on the Dashboard tab.

Designed to integrate Log Management, SIEM, Vulnerability and Risk Management, Incident
Forensics, and an extensible application framework into one solution, QRadar Security Intelligence
can deliver a large log management scale without any compromise on SIEM “Intelligence.”

As a QRadar analyst you can switch from log events, to network flows, to risk and compliance
policy reports and prioritized lists of network wide vulnerabilities, and complete analysis of incidents
after an offense has occurred. This allows an organization to reduce the time before an initial
breach is detected and avoid the actual exploit.

Identifying suspected attacks and policy violations


The slide illustration surrounds an offense with the questions an analyst must answer:
• What was the attack?
• Is the attack credible?
• How valuable are the targets to the business?
• Where are they located?
• Who was responsible for the attack?
• What was stolen and where is the evidence?
• Are any assets vulnerable?
• How many targeted assets are involved?

IBM QRadar SIEM can analyze large amounts of data and uses context to transform it into useful,
actionable information as is depicted in this slide.
Here is what you can see as a security analyst when you begin to investigate an offense record that
was triggered by a correlation rule. You can quickly investigate the who, what, and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.
IBM QRadar SIEM provides strong event-management and analysis capabilities and is very
effective in detecting threats because it can leverage a broad range of data, analyze it, and apply
context from an extensive range of sources. This helps to reduce false positives, report on actual
exploits, and show what kind of activity is taking place. This can result in faster threat detection and
response.

QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context
in which systems are operating. That context includes security and network device logs,
vulnerabilities, configuration data, network traffic telemetry, application events and activities, user
identities, assets, geolocation, and application content. This activity generates a staggering amount
of data, which makes the automation in QRadar very important because it can correlate this large
amount of data down to a small number of actionable offenses.

QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.

QRadar uses intelligence, automation, and analytics to provide actionable security information
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, vulnerabilities, evidence for forensics, and so on.

Providing functional context


To enable security analysts to perform investigations, QRadar SIEM correlates information such as:
• Point in time
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics

The previous slide showed what a typical security analyst can see after QRadar SIEM analyzed
large amounts of data and used context to transform this data into useful, actionable information.

This slide provides an overview of where all this data is coming from.
• Point in time
Everything that QRadar investigates needs to provide an exact point in time. This timestamp
allows QRadar to correlate the most complex relationships between disparate log sources and
network flows to present those as one connected event.
• Offending users
QRadar extracts user information wherever possible allowing an analyst to further investigate
individual users. QRadar also uses this information for user behavioral analytics.
• Origins
The origin represents the starting point for all QRadar correlation activity. The origin is captured
as an IP address.
• Targets
The target represents the final point for all QRadar correlation activity. The target is captured as
an IP address.
• Asset information
QRadar maintains a centralized asset database that is used to record a variety of details for
each asset that has been discovered. Assets can be discovered in two ways. Actively, by using

vulnerability scans with QRadar Vulnerability Manager, or passively through network flow
records. Asset data can also be imported by using other enterprise tools for asset management.
Details can include IP address, host name, running applications and services, as well as
vulnerabilities.
• Vulnerabilities

QRadar maintains a list of vulnerabilities for each asset. These can be discovered either by
using QRadar Vulnerability Manager or by any other third-party vulnerability management solution.
Asset related vulnerabilities are used for QRadar correlations and analytics, and they can
influence several factors throughout the incident management process.

• Known threats

QRadar is able to connect to external threat feeds, such as the IBM X-Force Exchange. This
threat information can also be used for QRadar correlations and analytics to influence the
incident management process.
• Behavioral analytics

Utilizing some of the above-mentioned data in combination with other enterprise-wide collected
information, QRadar can analyze user behavior to alert whenever abnormal activity has been
detected.
• Cognitive analytics
After all this data has been correlated, it is presented to the analysts in the QRadar Console. If a
particularly important threat is discovered, an analyst has to investigate it with the utmost
urgency. To support this task, QRadar now provides Cognitive Analytics. This capability
augments a security analyst's ability to identify and understand sophisticated threats by tapping
into unstructured data (such as blogs, websites, research papers) and correlating it with local
security offenses.
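The point-in-time correlation described above, and the earlier example of an IDS exploit alert being validated by unusual outbound traffic, as an added Python example that is not part of the course material or QRadar's own code: constructed IDS events and flow records are joined on their timestamps, and an offense is raised only when the targeted host opens a connection to an external destination outside its baseline shortly after the exploit event. The field names, the internal network range and the offense format are assumptions made for this illustration.

```python
"""Point-in-time correlation of an IDS event with later network flows.

Added example, not QRadar code. An IDS alert about a web server exploit is
validated when the same host shows unusual outbound network activity within
a short window afterwards. Records are constructed sample data; field names
and the offense format are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# Constructed network hierarchy: anything outside these ranges is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Event:
    ts: datetime
    log_source: str   # e.g. "ids" or "firewall"
    name: str         # normalized event name
    src_ip: str       # origin
    dst_ip: str       # target


@dataclass(frozen=True)
class Flow:
    first_seen: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int    # bytes sent from src_ip to dst_ip


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def baseline_destinations(flows: Iterable[Flow]) -> Dict[str, Set[Tuple[str, int]]]:
    """(dst_ip, dst_port) pairs each source host normally talks to."""
    known: Dict[str, Set[Tuple[str, int]]] = {}
    for fl in flows:
        known.setdefault(fl.src_ip, set()).add((fl.dst_ip, fl.dst_port))
    return known


def correlate(events: Iterable[Event], flows: Iterable[Flow],
              baseline: Dict[str, Set[Tuple[str, int]]],
              window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Raise an offense for each IDS exploit event whose target host opens,
    within `window` after the event, an outbound connection to an external
    destination that is not in the host's baseline. The timestamp is the
    join key between the two disparate data sources."""
    offenses: List[dict] = []
    for ev in events:
        if ev.log_source != "ids" or not ev.name.startswith("exploit"):
            continue
        target = ev.dst_ip
        known = baseline.get(target, set())
        for fl in flows:
            if fl.src_ip != target:
                continue
            if not ev.ts <= fl.first_seen <= ev.ts + window:
                continue
            if is_external(fl.dst_ip) and (fl.dst_ip, fl.dst_port) not in known:
                offenses.append({
                    "target": target,
                    "origin": ev.src_ip,
                    "event": ev.name,
                    "event_time": ev.ts,
                    "flow_to": f"{fl.dst_ip}:{fl.dst_port}",
                    "flow_time": fl.first_seen,
                    "bytes_out": fl.bytes_out,
                })
    return offenses


def demo() -> List[dict]:
    """Run the correlation over constructed sample data."""
    t0 = datetime(2017, 12, 1, 9, 0, 0)
    # Baseline: the web server 10.0.1.5 only talks to its database and an update host.
    baseline_flows = [
        Flow(t0 - timedelta(days=1), "10.0.1.5", "10.0.1.20", 3306, 5_000),
        Flow(t0 - timedelta(days=1), "10.0.1.5", "203.0.113.10", 443, 80_000),
    ]
    events = [
        Event(t0 - timedelta(hours=1), "ids", "exploit.web.shellshock", "198.51.100.7", "10.0.1.6"),
        Event(t0, "ids", "exploit.web.sqli", "198.51.100.7", "10.0.1.5"),
        Event(t0, "firewall", "deny", "198.51.100.9", "10.0.1.5"),
    ]
    flows = [
        Flow(t0 + timedelta(minutes=3), "10.0.1.5", "198.51.100.7", 4444, 120_000),  # new external dst
        Flow(t0 + timedelta(minutes=4), "10.0.1.5", "10.0.1.20", 3306, 2_000),      # normal internal
        Flow(t0 + timedelta(minutes=5), "10.0.1.5", "203.0.113.10", 443, 9_000),    # in baseline
        Flow(t0 + timedelta(minutes=40), "10.0.1.5", "192.0.2.44", 443, 3_000),     # outside window
    ]
    return correlate(events, flows, baseline_destinations(baseline_flows))


if __name__ == "__main__":
    for offense in demo():
        print(offense)
```

Only the flow to 198.51.100.7:4444 yields an offense; the firewall event, the internal database traffic, the baseline update host and the flow outside the window are all discarded.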

Network flow analytics


• Provides insight into raw network traffic
Attackers can interfere with logging to erase their tracks, but they cannot cut off the network (flow data)
• Allows deep packet inspection for Layer 7 flow data
Pivoting, drill-down, and data-mining activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems

While log events are critical, they can leave gaps in visibility. When attackers compromise an IT
system, they first turn off logging to obfuscate their tracks. Traditional SIEMs are blind at this point.
However, no attacker can disable the network, or they cut themselves off as well.

Network flow analytics in QRadar allows deep packet inspection for OSI Layer 7 flow data, which
can contain very helpful information for advanced forensics. Network flow information helps to
detect communication flow anomalies, zero-day attacks that have no signature yet, and provides
visibility into all attacker communications.


Using passive monitoring, flow analytics builds up an asset database and profiles your assets. For
example, an IT system that has responded to a connection on port 53 UDP is obviously a DNS
server. Another IT system that has accepted connections on ports 139 or 445 TCP is a Windows
server.
Adding application detection can confirm this not only at a port level, but the application data level
as well.
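Passive asset profiling from flow records, as an added Python example that is not QRadar's own code: a host that answered on 53/UDP is recorded as a DNS server and one that accepted 139/445 TCP as a Windows server, following the reasoning above. The port-to-service rules, flow fields and profile format are assumptions, and the constructed records include unanswered probes to show that only hosts that actually responded get a service recorded.

```python
"""Passive asset profiling from bidirectional flow records.

Added example, not QRadar code. Only flows in which the destination sent
bytes back count as "responded"; a connection attempt with no reply (for
example a scan) is kept as an unanswered probe and never creates a service.
The flow records, the rule table and the profile format are constructed
for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    bytes_in: int   # source -> destination
    bytes_out: int  # destination -> source; 0 means the destination never answered


# Constructed mapping from (proto, port) to a service label.
SERVICE_RULES: Dict[Tuple[str, int], str] = {
    ("udp", 53): "dns",
    ("tcp", 53): "dns",
    ("tcp", 139): "netbios-ssn",
    ("tcp", 445): "smb",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("tcp", 3389): "rdp",
}

# Services whose presence justifies a "Windows server" classification.
WINDOWS_MARKERS = {"netbios-ssn", "smb", "rdp"}


@dataclass
class AssetProfile:
    ip: str
    services: Set[str]                 # services confirmed by a response
    open_ports: Set[Tuple[str, int]]   # (proto, port) pairs that answered
    unanswered: Set[Tuple[str, int]]   # (proto, port) pairs probed with no reply
    flows_seen: int

    def classify(self) -> List[str]:
        """Derive host roles from confirmed services only."""
        roles: List[str] = []
        if "dns" in self.services:
            roles.append("dns-server")
        if self.services & WINDOWS_MARKERS:
            roles.append("windows-server")
        if self.services & {"http", "https"}:
            roles.append("web-server")
        if not roles and self.unanswered:
            roles.append("unclassified (probed, no response)")
        return roles


def build_profiles(flows: Iterable[Flow]) -> Dict[str, AssetProfile]:
    """Build one profile per destination host from passively observed flows."""
    profiles: Dict[str, AssetProfile] = {}
    for fl in flows:
        prof = profiles.setdefault(
            fl.dst_ip, AssetProfile(fl.dst_ip, set(), set(), set(), 0))
        prof.flows_seen += 1
        key = (fl.proto, fl.dst_port)
        if fl.bytes_out > 0:
            # The destination answered, so the port really is served.
            prof.open_ports.add(key)
            prof.services.add(SERVICE_RULES.get(key, f"unknown/{fl.proto}/{fl.dst_port}"))
        else:
            # No reply: record the probe, but do not infer a service.
            prof.unanswered.add(key)
    return profiles


# Constructed sample flows: two clients query a resolver, two reach a file
# server, one browses the web server, and an external host probes two hosts
# on ports that never answer.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.1.53", "udp", 53, 60, 120),
    Flow("10.0.1.21", "10.0.1.53", "udp", 53, 60, 100),
    Flow("10.0.1.20", "10.0.1.40", "tcp", 445, 2_000, 9_000),
    Flow("10.0.1.22", "10.0.1.40", "tcp", 139, 400, 300),
    Flow("10.0.1.20", "10.0.1.5", "tcp", 443, 1_200, 60_000),
    Flow("198.51.100.7", "10.0.1.5", "udp", 53, 60, 0),
    Flow("198.51.100.7", "10.0.1.5", "tcp", 3389, 60, 0),
    Flow("198.51.100.7", "10.0.1.99", "tcp", 445, 60, 0),
]


if __name__ == "__main__":
    for ip, prof in sorted(build_profiles(SAMPLE_FLOWS).items()):
        print(ip, sorted(prof.services), prof.classify())
```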

Source: To learn more about the OSI Layer model please visit:
http://searchnetworking.techtarget.com/definition/OSI

Extensible functional architecture

Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson

Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps

Deep Threat Intelligence and Analysis
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative portal and STIX / TAXII standards

The QRadar functional architecture is extensible by design. The framework allows you to add on
additional functionality as needed in an organization.
Security Analysts today are more and more overwhelmed by the amount of data that requires
investigation and by the mounting time pressure to act. Cognitive analytics augments your analysts’
knowledge and insights with QRadar Advisor with Watson to speed up analysis with visuals, query,
and auto-discovery across the platform where you can inspect events, flows, users, and more by
tapping into unstructured data (such as blogs, websites, research papers) and correlating it with
local security offenses.
QRadar provides open APIs to allow for custom integrations and applications, which can be found
at the IBM Security App Exchange. One example here is the User Behavior Analytics app, which is
available free of charge and provides early visibility to insider threats.
You can further extend the QRadar functionality with threat intelligence data and analytic functions
from the IBM X-Force Exchange and the IBM i2 Enterprise Insight Analysis solution.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at some of these extensions now.

Cognitive Analytics: Revolutionizing how security analysts work


• Natural language processing with security that understands, reasons, learns, and interacts

Slide illustration: Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends results to the incident response team.

The cognitive era is here. “Digital everything” means that technology’s number one job in business
now is handling and responding to data. Cognitive capabilities are being applied to security to
establish a relationship between machines and humans. The role of technology can now change
from enabler to advisor. We are ushering in this new era of cognitive security to out-think and
outpace threats with security that understands, reasons, and learns.

IBM Watson enables fast and accurate analysis of security threats, saving precious time and
resources. This empowers the analysts to perform faster investigations and clear their backlog
more easily. It will also help to increase the investigative skills of individual analysts over time.
With the help of IBM Watson, security analysts will be able to spend less time on the mundane
tasks of manual and time consuming threat analysis, and more time being human.
Open Ecosystem and Collaboration


• Application extensions to enhance visibility and productivity

Today’s attackers share tools. They collaborate in creating malware that is difficult to discover.
On the defensive side, organizations have to deal with a large number of siloed security solutions
from an equally large number of vendors. It is estimated that an average enterprise can have up to
85 security products from 40 vendors. With this mix, it is difficult to link the products together so
they can support each other.
To fill this gap, IBM has introduced the IBM Security App Exchange. The exchange is a marketplace
for the security community to create and share applications that integrate with IBM Security
solutions. The first offering in which customers, business partners, and other developers can build
custom apps is QRadar.

Releasing application programming interfaces (APIs) and software development kits for QRadar
fosters the integration with third-party technologies. This provides organizations with better visibility
into more types of data, and also offers new automated search and reporting functions that can
help security specialists focus on the most pressing threats.

The IBM Security App Exchange has a number of customized apps that extend security analytics
into areas like user behavior, endpoint data, and incident visualization.

Before releasing an app, IBM Security closely tests every application to ensure the integrity of
these community contributions.

In the future the App Exchange will offer the opportunity to produce apps for additional IBM Security
products.

Deep Threat Intelligence


• Crowd-sourced information sharing based on 700+TB of threat intelligence

One element that the offensive side has mastered is collaboration. According to the United Nations
Office on Drugs and Crime, upwards of 80% of cybercrime acts are estimated to originate in some
form of organized activity. Cyber criminals have learned to collaborate. They share vulnerability,
targeting, and countermeasure information. They also share tools to ensure that their attacks can
be successful. Collaboration is a force multiplier for the hacking community. Organizations have
been using threat intelligence in an effort to stay abreast of the threats, but these efforts are limited.
To succeed requires much more information, shared among security professionals, researchers,
and practitioners.
IBM has built a collaboration platform called the X-Force Exchange to facilitate the collaboration that
will allow organizations to have a much greater understanding of threats and actors. X-Force
Exchange is a cloud-based threat intelligence sharing platform that enables users to rapidly
research the latest global security threats, aggregate actionable intelligence, consult with experts,
and collaborate with peers. IBM X-Force Exchange provides timely, curated threat intelligence
insights, which add context to machine-generated data. The platform facilitates making
connections with industry peers to validate findings and research threat indicators.

Leveraging the open and powerful infrastructure of the cloud, users can collaborate and tap into
over 700 terabytes of information from multiple data sources. This includes one of the largest and
most complete catalogs of vulnerabilities in the world, threat information based on monitoring of
more than 15 billion monitored security events per day, and malware threat intelligence from a
network of 270 million endpoints. This threat information is based on over 25 billion web pages and
images and deep intelligence on more than 8 million spam and phishing attacks.

Source: https://exchange.xforce.ibmcloud.com

Scalable appliance/software/virtual architecture


• SIEM
– Log, flow, vulnerability, and identity correlation
– Sophisticated asset profiling
– Offense management and workflow
• Network and Application Visibility
– Layer 7 application monitoring
– Content capture for deep insight and forensics
– Physical and virtual environments
• Network Insights
– Configurable network traffic analysis for real time threat detection and long-term retrospective analysis
• Risk & Vulnerability Management
– Network security configuration monitoring
– Vulnerability scanning and prioritization
– Predictive threat modeling and simulation
• Scalability
– Event processors for remote site
– High Availability and Disaster Recovery (HADR)
– Data node to increase storage and performance
• Network Forensics (Incident Forensics)
– Reconstructs network sessions
– Data pivoting and visualization tools
– Accelerated clarity around who, what, and when

Security Intelligence can be delivered through a family of QRadar products.
• For many organizations, the starting point is to address the log management challenge, which
is why IBM offers a family of “log management only” appliances. These log management
appliances can be upgraded to full SIEM capability by configuring an additional license key.
• The full SIEM implementation provides integration of log management with threat, fraud,
network, and security intelligence. Network activity data, vulnerability assessment, and external
threat data are added as data sources along with sophisticated correlation and behavioral
analytics.
• For application layer visibility and forensic content capture, the QFlow and VFlow flow collectors
can be deployed in physical or virtual infrastructures. These appliances provide extensive
application-level surveillance of all activity at key locations.
• QRadar Network Insights can provide configurable network traffic analysis for real time threat
detection and long-term retrospective analysis to detect insider threats, data exfiltration and
malware activity.
• Risk and Vulnerability management capabilities can be activated by configuring additional
license keys. Risk Manager requires an additional dedicated appliance as well, while
Vulnerability Manager can be deployed on existing appliances. Risk Manager provides network
security configuration monitoring, while Vulnerability Manager focuses on vulnerability scanning
and prioritization. Together they can be used for predictive threat modeling and simulation.
• For some organizations, the full SIEM scale can be met with a single appliance; for others who
have higher scale, or remote collection and storage requirements, QRadar processors enable

massive deployments. This horizontal, stackable expansion supports a massive scale and
geographic distribution, while maintaining exactly the same user experience.
• Network Forensics appliances allow you to fully reconstruct network sessions that can provide
clarity around questions like “who”, “what”, and “when” in great detail.

Deployment models

[Slide diagram: an All-in-One appliance (2100/31XX) compared with a distributed deployment of Console (31XX), Event Processor (16XX), Flow Processor (17XX), and QFlow Collector (12XX/13XX) appliances]

All-in-One is a single appliance used to collect events and flow data from various security and
network devices, perform data correlation and rule matching, report on alerts and threats, and
provide all administrative functions through a web browser.

A Distributed deployment consists of multiple appliances for different purposes:
• Event Processor to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network
devices; optional QFlow Collector is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all
administrative functions

Component architecture and data flows
© Copyright IBM Corporation 2017


Based on the previously introduced functional requirements and the layout of an organization’s IT
infrastructure, different types of appliances are available to address different deployment models.

The selection depends on the amount of collected and processed events, data storage estimations,
high availability and disaster recovery requirements, organizational network topology, and other
factors.

An all-in-one deployment uses a single appliance to collect events and flow data from various
security and network devices, perform data correlation and rule matching, report on alerts and
threats, and provide all administrative functions through a web browser.

A distributed deployment consists of multiple appliances for different purposes. You can deploy
Event Collectors and Processors to collect, process, and store log events. Flow Collectors and
Processors are used to collect, process, and store several kinds of flow data generated from
network devices, and optionally, you can deploy QFlow Collectors to collect Layer 7 application
data. A Console is used to correlate data from managed processors, generate alerts and reports,
and provide all administrative functions.

The remainder of this course material does not pay any closer attention to the exact appliance
configurations and models that are currently available.

Lesson 2 QRadar SIEM component architecture

This lesson describes the high-level architecture of the major IBM QRadar SIEM components,
including the flow collector, event collector, event processor, and console. You also learn about the
flow of a captured event.

Architecture overview
• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console


High-level component architecture and data stores

[Slide diagram: Console services (user interface, Magistrate, reporting) backed by a PostgreSQL database holding identities, assets, offenses, and configuration; event processors holding flows, events, and accumulations in Ariel; a flow collector fed from a network packet interface, sFlow, and 3rd-party sources; an event collector fed with events from log sources]

• Flow and event data is stored in the Ariel database on the event processors
ƒ If accumulation is required, accumulated data is stored in Ariel accumulation data tables
ƒ As soon as data is stored, it cannot be changed (tamper proof)
ƒ Data can be selectively indexed
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
ƒ Provides one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported

Let us begin by looking at the high level architecture one more time. (We have already done this
briefly on slide 5.)

Events from individual log sources and network flow data are collected by the QRadar Event and
Flow collectors. Once the flow and event data is forwarded to the Event Processor, it is stored in the
Ariel database on the Event Processor. If accumulation is required, the accumulated data is stored
in Ariel accumulation data tables. To fulfill the tamper-proof data storage aspects of compliance
mandates, data cannot be changed once it is stored in the Ariel database. At any point in
time, data can be selectively indexed to support specific search and report requirements.

Once the Event Processor has finished processing, the data is passed on to the QRadar Console,
where further consolidated processing occurs. Offenses, assets, identity, and configuration
information are stored in the master PostgreSQL database on the Console. There is one master
database with optional copies on each processor for backup and automatic restore.

Secure SSH communication between appliances in a distributed environment is supported.


Flow collector architecture

[Slide diagram: QFlow and raw data packets (NetFlow, sFlow, NIC, and so on) enter the Flow collector as flow data packets; they pass through the Aggregator (enforce license limit), the Application Detection Module (appId = eventId), and Flow reporting and routing (create superflows), and are sent to the Event Processor every 60 seconds]

• A flow is a record of a conversation between two devices on a network
• Flow data packets are collected from a variety of network device vendors and directly from the
network interface
• Collected flow data can update asset profiles with the ports and services that are running on
each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address
127.0.0.4/5
• (Custom) applications are detected
• Superflows are created
• QFlow provides Layer 7 insights into the payload if it is unencrypted

A network flow record provides information about a conversation between two devices using a
specific protocol, and can include fields that provide details about the conversation. Examples
include the source and destination IP addresses, the port, and other fields.

Flow data packets can be collected from a variety of network device vendors, and directly from the
network interface. Collected flow data can update asset profiles with the ports and services that are
running on each host. If a new host is detected through network flow data, a new asset is created in
the QRadar Asset database.

Next in line is the Aggregator. This component enforces the license limit for the Flow Collector,
which is measured in “flows per minute”, or FPM. If the license limit is exceeded, flows are
temporarily stored in an overflow buffer, which will be processed with the next set of flows. Every
log source protocol has an overflow buffer of 5 GB, and if the overflow buffer fills up, the additional
flows are dropped.

The Application Detection Module uses four methods of determining the application of the flow.
• The first is the User Defined method.
This method is mainly used when users have a proprietary application running on their network.
For example, all traffic going to host 10.100.100.42 on port 443 is recognized to be
MySpecialApplication.
• The second method uses State-based decoders.

This method is implemented by looking at the source code. It determines the application by
analyzing the payload for multiple markers, for example, if you see A followed by B, then
application = X; and if you see A followed by C, then application = Y.
• The next method uses Signature matching.
This method relies on basic string matching in the payload (see the Application Configuration
Guide for signature customization).
• The final method uses Port-based matching.
In this case, applications are matched based on their port use, for example, port 80 = http.
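The four detection methods, tried in the order the notes give them, as an added example written for this guide (it is not QRadar code): the user-defined host/port mapping, the decoder marker sequences, the signature strings and the application names are all constructed assumptions.

```python
"""Added example (not QRadar code): the four application detection methods
described in the notes, tried in the same order, as a small classifier over a
flow's destination host, destination port and (unencrypted) payload.  The
user-defined mapping, decoder markers, signatures and application names are
constructed for this example."""
import re

# 1. User defined: (destination host, destination port) -> application name,
#    mirroring the MySpecialApplication example in the notes.
USER_DEFINED = {
    ("10.100.100.42", 443): "MySpecialApplication",
}

# 2. State-based decoders: an ordered sequence of markers that must all occur
#    in the payload, each after the previous one ("A then B" -> X, "A then C" -> Y).
STATE_DECODERS = [
    (("HELLO", "AUTH"), "ExampleProtocolX"),
    (("HELLO", "DATA"), "ExampleProtocolY"),
]

# 3. Signature matching: basic pattern matching over the payload.
SIGNATURES = [
    (re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]"), "HTTP"),
    (re.compile(rb"^SSH-2\.0-"), "SSH"),
]

# 4. Port based: the last resort when nothing in the payload helps.
PORT_MAP = {80: "HTTP", 443: "HTTPS", 22: "SSH", 25: "SMTP"}


def markers_in_order(payload, markers):
    """True if every marker occurs in the payload, each after the previous one."""
    pos = 0
    for m in markers:
        idx = payload.find(m.encode(), pos)
        if idx < 0:
            return False
        pos = idx + len(m)
    return True


def detect_application(dst_host, dst_port, payload=b""):
    """Return (application, method) for a flow, trying the methods in order.

    An encrypted or absent payload leaves only the user-defined and port-based
    methods, which is why QFlow's Layer 7 payload visibility matters.
    """
    app = USER_DEFINED.get((dst_host, dst_port))
    if app:
        return app, "user-defined"
    for markers, name in STATE_DECODERS:
        if payload and markers_in_order(payload, markers):
            return name, "state-based"
    for pattern, name in SIGNATURES:
        if payload and pattern.search(payload):
            return name, "signature"
    app = PORT_MAP.get(dst_port)
    if app:
        return app, "port-based"
    return "Unknown", "none"


# Constructed sample flows (not captured traffic).
SAMPLE_APP_FLOWS = [
    ("10.100.100.42", 443, b""),
    ("10.0.0.10", 8080, b"GET /index.html HTTP/1.1\r\nHost: x\r\n"),
    ("10.0.0.11", 9000, b"HELLO client\nAUTH secret\n"),
    ("10.0.0.11", 9000, b"HELLO client\nDATA ....\n"),
    ("10.0.0.12", 22, b""),  # encrypted session: only the port is left to go on
    ("10.0.0.13", 31337, b"\x00\x01"),
]

if __name__ == "__main__":
    for host, port, payload in SAMPLE_APP_FLOWS:
        print(host, port, detect_application(host, port, payload))
```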

Finally, the flow data packets reach the Flow reporting and routing component. This component
is responsible for creating superflows. A superflow stores one single flow record together with the
collection of IP addresses involved, which makes flow processing faster and requires less storage
space. There are three types of superflows.
• Type A superflows contain a single source and multiple destination addresses with the same
destination port, byte count, and source flags or ICMP codes. An example of a type A
superflow is a network sweep.
• Type B superflows contain multiple source addresses and a single destination address with the
same destination port, byte count, and source flags or ICMP codes. An example of a type B
superflow is a Distributed Denial of Service attack.
• Type C superflows contain a single source and destination address with changing source and
destination ports. An example of a type C superflow is a port scan.

Specific rule tests can leverage the flow type to determine if an offense needs to be created. The
creation of superflows can be disabled.
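How raw flow records collapse into the three superflow types above, as an added example written for this guide (not QRadar's own implementation): the flow field names, the grouping keys and the minimum group size are assumptions, and the sample flows are constructed.

```python
"""Added example (not from the course material or QRadar): grouping raw flow
records into the three superflow types.  Type A: one source, many destinations,
same destination port/byte count/flags (network sweep).  Type B: many sources,
one destination, same port/byte count/flags (DDoS).  Type C: one src/dst pair,
changing ports (port scan).  Field names and MIN_FLOWS are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Minimum flows sharing a key before they collapse into one superflow (assumed).
MIN_FLOWS = 3


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    byte_count: int
    flags: str  # TCP flags or ICMP code as a short string


@dataclass
class Superflow:
    kind: str  # "A", "B" or "C"
    addresses: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    flow_count: int = 0


def build_superflows(flows):
    """Return (superflows, remaining_flows): flows whose group reaches
    MIN_FLOWS are collapsed into one Superflow, the rest pass through."""
    type_a = defaultdict(list)  # key: (src, dst_port, byte_count, flags)
    type_b = defaultdict(list)  # key: (dst, dst_port, byte_count, flags)
    type_c = defaultdict(list)  # key: (src, dst)
    for f in flows:
        type_a[(f.src, f.dst_port, f.byte_count, f.flags)].append(f)
        type_b[(f.dst, f.dst_port, f.byte_count, f.flags)].append(f)
        type_c[(f.src, f.dst)].append(f)

    superflows, consumed = [], set()

    def collapse(kind, groups, group_ok):
        for members in groups.values():
            members = [m for m in members if id(m) not in consumed]
            if len(members) >= MIN_FLOWS and group_ok(members):
                sf = Superflow(kind=kind)
                for m in members:
                    sf.addresses.update({m.src, m.dst})
                    sf.ports.add(m.dst_port)
                    sf.flow_count += 1
                    consumed.add(id(m))
                superflows.append(sf)

    # A: many distinct destinations; B: many distinct sources; C: many ports.
    collapse("A", type_a, lambda ms: len({m.dst for m in ms}) >= MIN_FLOWS)
    collapse("B", type_b, lambda ms: len({m.src for m in ms}) >= MIN_FLOWS)
    collapse("C", type_c, lambda ms: len({m.dst_port for m in ms}) >= MIN_FLOWS)

    remaining = [f for f in flows if id(f) not in consumed]
    return superflows, remaining


def summarize(superflows):
    """Map superflow type -> number of superflows created."""
    counts = {"A": 0, "B": 0, "C": 0}
    for sf in superflows:
        counts[sf.kind] += 1
    return counts


# Constructed sample flows (not captured data): a sweep from 10.0.0.5, a DDoS
# against 10.0.0.80, a port scan 10.0.0.9 -> 10.0.0.10, and one ordinary flow.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{i}", 445, 60, "S") for i in range(1, 5)]
    + [Flow(f"172.16.0.{i}", "10.0.0.80", 80, 40, "S") for i in range(1, 6)]
    + [Flow("10.0.0.9", "10.0.0.10", p, 60 + p, "S") for p in (21, 22, 23, 25)]
    + [Flow("10.0.0.7", "10.0.0.8", 443, 1500, "PA")]
)

if __name__ == "__main__":
    sfs, rest = build_superflows(SAMPLE_FLOWS)
    print(summarize(sfs), "ordinary flows kept:", len(rest))
```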

Up to a configurable number of bytes, QFlow provides layer 7 insights into the payload if it is
unencrypted. Using a tap or span port, QFlow collects raw packets and places them into 60-second
chunks. QFlow can also receive layer 4 flows from other network devices in IPFIX/NetFlow, sFlow,
J-Flow, Packeteer, and Flowlog file accounting technologies.



Event collector architecture

[Slide diagram: raw data packets from log sources enter the Event collector and pass through the Overflow filter (enforce license limit), Traffic Analysis (log source detection), the Device Support Module (DSM) with its parser threads and DSM normalization filter, and the Coalescing filter before being sent to the Event processor]

• Each event collector gathers events from local and remote sources
• EPS license is checked
• Log Sources are automatically discovered after record analysis in the Traffic Analysis module
• The event collector normalizes events and classifies them into low- and high-level categories
• Events are parsed by log source parser threads
• The event collector bundles identical events to conserve system usage through a process that
is known as coalescing

Each Event Collector gathers events from local and remote log sources. Once the raw data packets
have been received, the license limit is checked first. On the Event Collector, this limit is measured
in Events per Second, or EPS. Events are temporarily stored in an overflow buffer if the EPS
license is exceeded, and those events are processed during the next cycle. Should the overflow
buffer fill up, the additional events are dropped, and a message is logged for the administrators.

Log Sources are automatically discovered after record analysis in the Traffic Analysis module. This
is an essential module for automating a successful evaluation or deployment, because it
categorizes traffic from devices that are unknown to the system. Log source detection creates a
new QRadar log source if detection is successful on an IP address. The Traffic Analysis module
only carries out detection on event protocols that are “pushed” to the event collector, for example,
syslog.

After the correct log source has been detected, such as a Checkpoint Firewall, the individual
Device Support Modules begin to parse the events. First, the events are normalized, where source
specific data fields are mapped into QRadar terminology for further processing. The log source
parser then extracts the log source event ID from the log record and maps it to the QRadar
Identifier, or QID. A QID is a unique ID that is linked to the extracted log source event ID. Each QID
relates to a custom event name and description, as well as severity and event category information.
The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC). Every QID is linked to one of the low-level categories, for example, a valid
category combination is “Authentication” (being a High Level Category) and “Admin Login
Successful” (being a Low Level Category).

Finally, the coalescing filter can optionally bundle identical events to conserve system usage before
handing the data off to the Event Processor.
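The collector stages just described (EPS overflow filter, log source detection on pushed syslog, DSM normalization to a QID with its HLC/LLC, and coalescing) as one miniature pipeline, added here as an example and not QRadar's code: the syslog lines, the "exfw"/"ExampleFirewall" DSM, the QID numbers and the category table are all constructed for this example.

```python
"""Added example (not QRadar code): a miniature event collector pipeline with
the stages from the notes.  The log lines, the hypothetical ExampleFirewall DSM,
the QID numbers and the category table are constructed; QRadar's real QID map
is far larger and its QIDs are not the ones used here."""
import re
from collections import Counter

# Constructed QID map: (DSM, source event ID) -> (QID, name, HLC, LLC, severity).
QID_MAP = {
    ("ExampleFirewall", "login_ok"):
        (90001, "Admin Login Successful", "Authentication", "Admin Login Successful", 3),
    ("ExampleFirewall", "login_fail"):
        (90002, "Admin Login Failed", "Authentication", "Admin Login Failed", 5),
    ("ExampleFirewall", "deny"):
        (90003, "Firewall Deny", "Access", "Firewall Deny", 4),
}

# Syslog shape assumed for this example: <PRI>Mon DD HH:MM:SS host tag: msg
SYSLOG_RE = re.compile(
    r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<tag>\w+): (?P<msg>.*)$")


def overflow_filter(raw_lines, eps_limit, buffer_size):
    """Admit at most eps_limit lines for this one-second cycle; the rest go to
    the overflow buffer, and whatever does not fit there is dropped."""
    admitted = raw_lines[:eps_limit]
    overflow = raw_lines[eps_limit:eps_limit + buffer_size]
    dropped = max(0, len(raw_lines) - eps_limit - buffer_size)
    return admitted, overflow, dropped


def detect_log_source(line):
    """Traffic Analysis stand-in: a pushed syslog line whose program tag is
    'exfw' is treated as the hypothetical ExampleFirewall DSM."""
    m = SYSLOG_RE.match(line)
    if m and m.group("tag") == "exfw":
        return "ExampleFirewall", m
    return None, m


def normalize(line):
    """DSM stage: parse one line and map its event ID to a QID with HLC/LLC.
    Returns None when no DSM or no QID matches."""
    dsm, m = detect_log_source(line)
    if dsm is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("msg").split() if "=" in kv)
    entry = QID_MAP.get((dsm, fields.get("event")))
    if entry is None:
        return None
    qid, name, hlc, llc, severity = entry
    return {"qid": qid, "name": name, "hlc": hlc, "llc": llc,
            "severity": severity, "src_ip": fields.get("src"),
            "user": fields.get("user"), "log_source": m.group("host")}


def coalesce(events):
    """Coalescing filter: bundle identical events (same QID, source IP and
    user) into one record that carries an event count."""
    counter, first = Counter(), {}
    for ev in events:
        key = (ev["qid"], ev["src_ip"], ev["user"])
        counter[key] += 1
        first.setdefault(key, ev)
    return [dict(first[k], count=n) for k, n in counter.items()]


def run_pipeline(raw_lines, eps_limit=5, buffer_size=2):
    """One collector cycle: license check, detection, normalization, coalescing."""
    admitted, overflow, dropped = overflow_filter(raw_lines, eps_limit, buffer_size)
    events = [e for e in (normalize(l) for l in admitted) if e is not None]
    return {"events": coalesce(events), "overflow": len(overflow), "dropped": dropped}


# Constructed syslog lines (not captured from a real device).
SAMPLE_LINES = (
    ["<14>Jan 01 10:00:00 fw1 exfw: event=login_fail user=admin src=10.0.0.5"] * 3
    + ["<14>Jan 01 10:00:00 fw1 exfw: event=login_ok user=admin src=10.0.0.5",
       "<14>Jan 01 10:00:00 fw1 exfw: event=deny src=10.0.0.9 dst=10.0.0.80",
       "<14>Jan 01 10:00:00 fw1 exfw: event=deny src=10.0.0.9 dst=10.0.0.81",
       "<14>Jan 01 10:00:00 web1 nginx: GET /index.html 200"]
)

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_LINES))
```

With the sample input, three identical failed logins coalesce into one event with count 3, two lines land in the overflow buffer and nothing is dropped.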


Event processor architecture

[Slide diagram: event or flow sources received from Event collectors, Flow collectors, and other Event Processors pass through the Overflow filter (enforce license limit), the Custom Rules Engine (CRE), the Exit filter, the Event storage filter (events and flows in Ariel), the Host profiler (new host or port event), and the Accumulator (accumulations); results go on to the Magistrate and the Anomaly Detection Engine]

• EPS license is checked and enforced
• Every single event and flow is tested against all enabled rules in the rules engine
• New offenses can be triggered and sent to the Magistrate (see Console)
• Events and flows are stored in the events or flows Ariel database
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database
(see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database

The Event Processor can receive event and flow data from Event and Flow Collectors as well as
other Event Processors that may be distributed throughout the organization’s IT deployment. First,
the Overflow Filter enforces the license in a similar way to the collectors.

Next, the Custom Rule Engine, or CRE, tests every single event or flow against all enabled rules.
Matched rules can have responses or results. For example, a matched rule might trigger the
creation of an offense, or create a new CRE event that triggers the creation of an offense. However,
actual offenses are not created here at the Event Processor, but rather at the Console.

It is possible that multiple matched events, flows, and matched rules might correlate into a single
offense. On the other hand, a single event or flow can also be correlated into multiple offenses.

By default, rules are tested against events or flows received by a single event processor (local
rules). The Exit Filter sends on any events or flows that have been marked for further processing by
the Magistrate component on the Console.

Every event and flow is then sent on to the Event Storage Filter, where they are stored in the events
or flows Ariel database.

If a new port or host is detected at this time, an asset profile needs to be updated or created in the
PostgreSQL database. The Host Profiler, or Host Profiling Filter, sends the collected information
about the new host to the Console, so that a new asset can be created or updated.

Finally, if an analyst has defined any searches to collect and investigate specific sets of data,
events and flow records are accumulated every minute and stored in the accumulator Ariel
database. These accumulations create time-series statistical metadata that is used for Dashboards,
event and flow forensics and searching, reporting, and the Anomaly Detection Engine on the
Console. Accumulated time intervals can be defined as 1 minute, 1 hour, and 1 day. The
Accumulator is a distributed component that operates on each Event Processor.


Console architecture

[Slide diagram: event sources received from the Event processors through the Exit Filter pass the Overflow filter (enforce license limit) on the Console; the Magistrate works with the Custom rule engine, the Ariel Proxy Server, the Ariel Query Server, the Vulnerability Information Server, the Anomaly Detection Engine, and the Host profiler, storing Offenses and Assets, while the Accumulators on the Event processors feed the Anomaly Detection Engine]

• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then
brought to the analyst’s attention in the interface
• The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows
that triggered the creation of an offense
• The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing
assets based on information from the EPs
• The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which
are then used for offense evaluation

The Console receives data from the deployed Event Processors for further analysis by the
Magistrate component, which creates and stores offenses in the PostgreSQL database. These
offenses are then brought to the analyst’s attention in the user interface. The Magistrate instructs
the Ariel Proxy Server to gather information about all related events and flows that triggered the
creation of an offense. The collected data is then available for further investigation by the analyst.

If data is collected from multiple Event Processors, the Console’s Custom Rules Engine can utilize
Global Cross Correlation to test rules on data from all deployed Event Processors. This helps to
locate more complex attacks, which can span the overall IT infrastructure and are not
confined to being detected by a single Event Processor.

The Vulnerability Information Server (VIS) creates new assets, or adds open ports or discovered
services to existing assets, based on information from the Host Profiler on the Event Processors.
This happens when hosts, services, or vulnerabilities that cannot be mapped to existing assets are
discovered.

The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which
are then used for offense evaluation. There are three categories of Anomaly Detection Rule types.
• The Threshold rule examines a numeric range, such as greater than, less than, or a particular
range. This rule can help detect the bandwidth of an application, the number of users connected
to a VPN, or a large and unusual outbound data transfer.
• The Anomaly rule looks at a short-term change when comparing against a longer time frame.
This can help to locate new service activity or a change in the bandwidth volume on a specific
link.
• The Behavioral rule can detect changes from the same time yesterday or last week. This
includes mail traffic, for example, an increase in external SMTP server traffic, which could be a
relay. This rule can also be used for regular IT services, such as backup monitoring, where the
rule would trigger if a backup failed.
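The three rule types above, evaluated over the kind of 1-minute accumulations the Event Processor's Accumulator produces (see the event processor notes earlier in this lesson), as an added example written for this guide and not QRadar's implementation: the bucket size, the comparison windows and the ratios used as thresholds are assumptions, and the time series is constructed.

```python
"""Added example (not from the course or QRadar): the Threshold, Anomaly and
Behavioral rule types evaluated over a constructed accumulation series.  The
Accumulator is modelled as a list of 1-minute buckets holding a count for one
saved search (for example bytes to external SMTP servers).  Windows and ratios
are assumptions for this example, not QRadar's defaults."""

MINUTES_PER_DAY = 24 * 60


def threshold_rule(series, minimum=None, maximum=None):
    """Threshold rule: fires if the latest bucket is outside [minimum, maximum]."""
    latest = series[-1]
    if minimum is not None and latest < minimum:
        return True
    if maximum is not None and latest > maximum:
        return True
    return False


def anomaly_rule(series, short_window=10, long_window=60, ratio=2.0):
    """Anomaly rule: compare the short-term average with the longer-term
    average ending at the same point; fires when short >= ratio x long."""
    if len(series) < long_window:
        return False  # not enough accumulated history yet
    short_avg = sum(series[-short_window:]) / short_window
    long_avg = sum(series[-long_window:]) / long_window
    return long_avg > 0 and short_avg >= ratio * long_avg


def behavioral_rule(series, period=MINUTES_PER_DAY, window=10, ratio=2.0,
                    low_ratio=0.0):
    """Behavioral rule: compare the last `window` buckets with the same window
    one period earlier (yesterday; period=7*MINUTES_PER_DAY for last week).
    Fires on a rise to ratio x the earlier value, or on a drop to low_ratio x
    or below (for example a backup job that did not run at all)."""
    if len(series) < period + window:
        return False
    now = sum(series[-window:])
    then = sum(series[-period - window:-period])
    if then == 0:
        return now > 0
    return now >= ratio * then or now <= low_ratio * then


def evaluate(series):
    """Run all three rule types and report which of them fired."""
    return {
        "threshold": threshold_rule(series, maximum=500),
        "anomaly": anomaly_rule(series),
        "behavioral": behavioral_rule(series),
    }


def build_series(baseline, recent_value, recent_minutes):
    """Constructed accumulator history (sample data, not captured): two days
    at a flat baseline followed by recent_minutes buckets at recent_value."""
    return [baseline] * (2 * MINUTES_PER_DAY) + [recent_value] * recent_minutes


if __name__ == "__main__":
    print("quiet link   ", evaluate(build_series(100, 100, 10)))
    print("smtp relay?  ", evaluate(build_series(100, 600, 10)))
    print("backup silent", evaluate(build_series(100, 0, 10)))
```

The third case shows why the Behavioral rule is the one suited to backup monitoring: a volume that drops to zero passes the Threshold and Anomaly checks but differs from the same window yesterday.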

Let us take a closer look at how Offenses are managed by the Magistrate component.

Events and flows that have been tagged by the Custom Rules Engine for further processing in the
Event Processors are handed over to the Console through the Exit Filter.

Until now, we have examined the QRadar component structure from a deployment viewpoint. Let
us now take a final look at dissecting the flow of a captured event.

Summary
Now you should be able to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture

In this unit we covered the functional architecture level and explained how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at this
modular design, its extensibility and deployment pattern, we examined the component architecture
so that the analyst understands how data is ingested and processed.

When analysts now examine the bits and pieces of a larger security incident investigation, this
architectural understanding should substantially enhance their capability for detailed and fast
analysis.
Unit 3 Using the QRadar SIEM User Interface

The user interface of QRadar SIEM is your workbench to gain visibility into your environment from
a security perspective. This lesson teaches you how to operate the interface, such as pausing and
refreshing the displayed data, changing your password and accessing help.

Reference:
• QRadar SIEM User Guide: http://www.ibm.com/support/docview.wss?uid=swg27049537


Objectives
In this unit, you learn to perform the following tasks:
• Leverage the QRadar SIEM user interface


Instructor demonstration of the QRadar SIEM User Interface


Tabs
To leverage QRadar, use its tabs
• Dashboard: Monitor various activities in your environment
• Offenses: Query and display suspicious activities
• Log Activity: Query and display events
• Network Activity: Query and display flows
• Assets: Query and display information about systems in your environment
• Reports: Create templates and generate reports
• Admin: Administrative system management

To reset a tab to its default settings, double-click it.

The QRadar SIEM user interface provides tabs that let you navigate and focus on specific slices of
the collected, analyzed, and displayed data.

Two more tabs become available with a license for QRadar Vulnerability and Risk Manager
installed:
• Risks: Query and display risks in your environment
• Vulnerabilities: Query and display vulnerabilities in your environment


Managing the displayed data

[Slide screenshot: the Pause, Refresh, and Play controls in the QRadar SIEM toolbar]

Every minute QRadar SIEM automatically refreshes the data on the following tabs
• Dashboard
• Log Activity
• Network Activity
• Reports

Pause: Click to pause automatic display refresh
Refresh: Display the latest available data
Play: Resume the automatic display refresh

QRadar SIEM works in 1-minute cycles. When a 1-minute cycle finishes, event and flow processors
send the Console the data from the past minute that is needed there. Clicking the Refresh
button resets the displayed countdown to 60 seconds, but the results returned can still come from
the prior minute. The countdown in the user interface does not necessarily run in sync with the
1-minute cycles.

The Pause button stops only the refreshes of the display. QRadar SIEM continues to process data in
the background.


Managing your QRadar user

[Slide screenshot: the user name menu in the top bar of the QRadar SIEM interface]

Click your user name in the top bar to change properties of your QRadar user and to log out.

User Preferences:

Users can change their password in the Preferences if they authenticate with the local system
authentication of QRadar SIEM. Users cannot change the password in the User Preferences if
QRadar SIEM uses RADIUS, TACACS, Active Directory, or LDAP for their authentication.

In most deployments, the user admin authenticates with the local system authentication of QRadar
SIEM even if other users use external authentication. Therefore, the user admin usually changes
passwords in QRadar SIEM User Preferences.


Accessing help

[Slide screenshot: the Help menu and the question mark icon in the QRadar SIEM toolbar]

QRadar Help Contents: Open the IBM Knowledge Center in a new browser tab. The browser
requires internet access.

Question mark icon: Open context-sensitive help for the currently displayed feature in a new
browser window. The browser does not require internet access because the Console appliance
provides the context-sensitive help.



Exercise introduction
Complete the following exercises in the Course Exercises book
• Log in to the QRadar User Interface
• Discover the User Interface
• Sending sample data to QRadar



Summary
Now you should be able to perform the following tasks:
• Leverage the QRadar SIEM user interface


Unit 4 Investigating an Offense Triggered by Events


QRadar SIEM correlates events and flows into an offense if it suspects suspicious activity. This unit
teaches you how to investigate the information that is contained in an offense.

References:
• IBM Knowledge Center: Event Categories
http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_event_categories.html
• QRadar SIEM User Guide: http://www.ibm.com/support/docview.wss?uid=swg27049537


Objectives
In this unit, you learn to perform the following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information
ƒ Summary information
ƒ The details of an offense
• Respond to an offense


Lesson 1 Offenses overview


By creating an offense, QRadar SIEM alerts to suspicious activities. In this lesson, you learn the
significance of offenses and how to view your threat landscape from different perspectives.

Definition: offense

Offense
--noun
An offense alerts to a suspicious activity, and links to helpful information to investigate it.


Introduction to offenses
• The prime benefit of QRadar SIEM for security analysts is that it detects suspected attacks or policy violations and ties helpful information together into offenses to investigate them
• Some common offenses include these examples
  – Multiple login failures
  – Malware infection
  – P2P traffic
  – Scanner reconnaissance
• Treat offenses as security incidents and have a security analyst investigate them

More examples of offenses include:
• Clear Text Application Usage
• Remote Desktop Access from the Internet
• Connection to a remote proxy or anonymization service
• SSH or Telnet detected on Non-Standard Port
• Large outbound data transfer
• Communication to a known Bot Command and Control
• Local IRC Server detected

Creating and rating offenses


• QRadar SIEM creates an offense when events, flows, or both meet the test conditions specified in changeable rules that analyze the following information
  – Incoming events and flows
  – Organizational context
    · User information, such as admin, newhire, CFO-team
    · Network and server information, such as: web server, PCI network, crown jewels
  – Threat intelligence
    · IP addresses and domain names of malicious hosts, such as
      > spam senders
      > malware hosts
      > anonymous proxies
      > IP address ranges dynamically assigned by ISPs
• The magistrate component running on the Console appliance maintains all offenses; it rates each offense by its magnitude, which has these characteristics
  – Ranges from 1 to 10, with 1 being low and 10 being high
  – Prioritizes each offense by its relative importance

Commonly the term crown jewels refers to the servers that are most critical for an organization's mission. Typically, crown jewels store and process customer, employee and financial data, as well as intellectual property.

Offenses on Dashboard
Dashboard items can display offenses

• The Risks and Vulnerabilities tabs are only available if QRadar Risk Manager and QRadar Vulnerability Manager are licensed.
• Double-click a particular offense to display the detailed Offense Summary of that offense.

Offenses tab
The Offenses tab provides many navigation options to view offenses from different perspectives

• To sort offenses, click a column header.
• Use the Search menu to find offenses according to search criteria.



Offenses overview by category


To view offenses from the perspective of the nature of the detected suspicious activity, list offenses By Category


Offenses overview by source IP


To locate repeat offenders, view offenses By Source IP

Select By Destination IP to identify systems that are continually under attack.

Offenses overview by network


You can also survey your threat landscape from the perspective of your networks

For each network, the list shows:
• Number of offenses with one or more targets in the network
• Number of offenses with one or more attackers in the network

QRadar SIEM administrators configure local networks in the Network Hierarchy. You find the
Network Hierarchy on the Admin tab. The Network Hierarchy is introduced later in this course.

Lesson 2 Using summary information to investigate an offense


An offense bundles a wealth of information about a suspicious activity. In this lesson, you learn how
to use offense summary information to begin investigating an offense.

Instructor demonstration of offense parameters


This demonstration uses an example offense
Investigating offenses is a typical part of a security analyst's job


Note: At least an hour before this lesson, run the /labfiles/sendCheckpoint.sh script in order
to have QRadar SIEM create the example offense. On the Offenses tab, navigate to this offense
and use it as an example to illustrate the topics in this lesson.

Offense Summary window


• The Offense Summary provides a single view into all the evidence that QRadar SIEM has tied together in the offense
• The remainder of the unit examines the window sections in the same way as the security analyst investigates an offense

The sections of the Offense Summary window include:
• Offense Parameters
• Offense Source Summary
• Last 5 Notes
• Last 5 Search Results
• Top 5 Source IPs
• Top 5 Destination IPs
• Top 5 Log Sources
• Top 5 Users
• Top 5 Categories
• Top 10 Events
• Top 10 Flows
• Top 5 Annotations

We will review these sections in the remainder of the unit.


Offense parameters (1 of 4)
Investigating an offense begins with the parameters at the top of the offense summary window

Magnitude: Relative importance of the offense
Credibility: How valid is information from that source?
Relevance: How significant is the destination?
Severity: How high is the potential damage?

• Connections and View Attack Path:
  These two buttons are only available if QRadar Risk Manager is licensed.
• Magnitude:
  Prioritizes an offense by its importance relative to other offenses. However, security analysts cannot ignore less important offenses, because they could indicate a real attack or policy violation.
  A proprietary algorithm calculates the magnitude based on a number of values, such as:
  – number of involved log sources
  – categories
  – age of offense
  – relevance, severity, credibility, number and frequency of events and flows
• Status:
  The offense on the slide is in status active. QRadar SIEM does not display a status icon for the active status. Other statuses are indicated with an icon in the Status field.
• Relevance:
  Indicates the relative impact that the suspected attack or policy violation would have. QRadar SIEM determines the relevance from the asset weights of the destinations of the offense. QRadar SIEM administrators configure the asset weight in asset profiles.
• Severity:
  Indicates the amount of threat a suspicious activity poses. Each event categorization configures a severity rating.
• Credibility:
  Indicates the reliability of the witness. Credibility increases if multiple sources report the same attack. QRadar SIEM administrators configure a credibility rating for each log source.


Offense parameters (2 of 4)

Offense Type: General root cause of the offense; the offense type determines which information is displayed in the next section of the Offense Summary
Description: Reflects the causes for the offense; the description can change when new events or flows are associated with the offense
Event count: Number of events associated with this offense
Flow count: Number of flows associated with this offense

Offense Type:
The rule that created the offense determines the Offense Type. Example offense types include:
• Source IP
• Destination IP
• Event Name
• Username
• Source MAC Address
• Destination MAC Address
• Log Source
• Host Name
• Source Port
• Destination Port
• Source IPv6
• Destination IPv6
• Rule
• App ID
• Custom properties


Offense parameters (3 of 4)

Source IP(s): Origin of the ICMP scanning
Destination IP(s): Targets of the ICMP scanning
Start: Date and time when the first event or flow associated with the offense was created
Duration: Amount of time elapsed since the first event or flow associated with the offense was processed

• Source IP(s):
  To get more information about the IP address, right-click, left-click, or hold the mouse over the address.
  Offenses of type Source IP always have exactly one source IP address. Offenses of other types can have more than one source IP address. In those cases, the Source IP(s) field displays Multiple(n), where n indicates the number of source IP addresses. Left-click Multiple(n) to view a list of the source IP addresses.
• Destination IP(s):
  If the offense has only one target, its IP address is displayed. To get more information about the IP address, right-click, left-click, or hold the mouse over it.
  If the offense has multiple targets, the following terms are displayed:
  – Local (n): Local IP addresses that were targeted.
  – Remote (n): Remote IP addresses that were targeted.
  Left-click an option to view a list of the local or remote IP addresses.


Offense parameters (4 of 4)

Network(s): Local networks of the local Destination IPs that have been scanned
Assigned to: QRadar SIEM user assigned to investigate this offense

Network(s):
QRadar SIEM considers all networks specified in the Network Hierarchy on the Admin tab as local. The Network Hierarchy is introduced later in this course.
QRadar SIEM does not associate remote networks to an offense, even if they are specified as Remote Network or Remote Service on the Admin tab.

Offense Source Summary (1 of 6)

To the security analyst, the Offense Source Summary provides information about the origin of the ICMP scanning

IP: Origin of the ICMP scanning
Location: Network of the source IP address if it is local
Magnitude: Indication about the level of risk that an IP address poses relative to other IP addresses
Vulnerabilities: A known vulnerability of a local host may have been exploited, turning the host into an attacker

The example offense on the slide is of the type Source IP. For an offense of type Destination IP, the
fields display information about the destination.

Offense Source Summary (2 of 6)

When you right-click the IP, you see navigation options for further investigation

View By Network: Open a separate window with statistical information about the network of the IP address
View Source Summary: Open a separate window with a list of the offenses that the IP address is involved in

Offense Source Summary (3 of 6)

WHOIS Lookup: Find registered owner of the IP address
Port Scan: nmap scans the IP address
Search Flows: Find flows associated with the IP address
The last three menu items are only available if QRadar Risk Manager is licensed.
• WHOIS Lookup:
  By default, whois.arin.net is configured as the WHOIS server. It does not have the owners of local IP addresses registered. QRadar SIEM must be able to reach whois.arin.net to look up registered owners of remote IP addresses.
• Port Scan:
  On the Console, QRadar SIEM runs the command nmap -A for the IP address. Nmap is always installed with QRadar SIEM.
  QRadar SIEM displays the Nmap scan results in a popup window. In addition to open ports and services, Nmap detects operating system versions and a few potential vulnerabilities, such as anonymous FTP login. However, Nmap does not check for vulnerabilities provided by threat intelligence feeds.
  The result of the Port Scan does not create or update the asset profile in QRadar SIEM. Port Scan is separate from the vulnerability scanners that QRadar SIEM administrators can configure and run. The results of vulnerability scanners update asset profiles.
  A QRadar SIEM user can run a Port Scan for a remote IP address, but the owner of the remote system could consider this scan an attack. Therefore, do not scan remote IP addresses.


Offense Source Summary (4 of 6)

• Selecting Run Vulnerability Scan opens a popup window to scan the IP address
• The Run Vulnerability Scan menu item is only available if QRadar Vulnerability Manager is licensed
• Only scan IP addresses that your organization owns

QRadar SIEM administrators can configure Domains to separate IP addresses if they are used for multiple hosts. This happens typically when organizations merge and when a single QRadar SIEM deployment serves multiple tenants with overlapping private IP address ranges.



Offense Source Summary (5 of 6)

• Selecting Plugin options > X-Force Exchange Lookup loads the X-Force IP Report for the IP address in a new browser tab
• The X-Force IP Report contains a variety of information about the IP address, including its history of spam and botnet activity

• The example IP address is part of a range that is reserved for private use.
• The X-Force Exchange Lookup requires Internet access for the browser but not for the QRadar Console appliance.

Offense Source Summary (6 of 6)

Weight: Relevance of the asset with this source IP address
Offenses: Number of offenses associated with this source IP address
Events/Flows: Number of events and flows associated with this offense

• User:
  User associated to this source IP address. If no user is identified, the field shows Unknown.
• MAC:
  MAC address with the source IP address when the offense began. If unknown, the field shows Unknown NIC.
• Host Name:
  Host name associated with the source IP address. If unidentified, the field shows Unknown.
• Asset Name:
  Asset name associated with the source IP address. If unidentified, the field shows Unknown.
• Weight:
  Asset weight of the source IP address, as configured by QRadar SIEM administrators in the asset profile. The levels range from 0 (not important) to 10 (very important).

Lesson 3 Investigating offense details


Many details help the security analyst to investigate an offense. In this lesson, you learn how to use further details to investigate an offense.

Reference:
• IBM Knowledge Center: Event Categories
  http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_event_categories.html

Last 5 Notes
• QRadar SIEM users can document their investigation findings and actions as notes
• You cannot edit or delete notes
• The maximum length of a note is 2000 characters

Notes: View all notes of the offense
Add Note: Create new note

When closing an offense, you can enter a reason. QRadar SIEM adds the reason as a note to the
offense.

Last 5 Search Results

• Record of the most recent search results for offenses of type Scheduled Search
• Such offenses do not indicate any suspicious activity
• Their purpose is to record results of complex searches

• Not used by other offense types.
• Configure the creation of Scheduled Search offenses in the Report Wizard on the Reports tab.

Top 5 Source IPs

• Of the IP addresses from which the suspected attack or policy violation originates, QRadar SIEM lists the five with the highest magnitudes
• The table contains only one row because the example offense has only one source IP address

Location: Hover the mouse over a shortened field value to display the full value
Sources: View all source IP addresses of the offense

The example offense on this slide is of type Source IP. Therefore, the Offense Source Summary displays the same information as the columns in the Top 5 Source IPs. Refer to the previous lesson for explanations of the columns.



Top 5 Destination IPs

• QRadar SIEM lists the five local IP addresses with the highest magnitude, which are targets of the suspected attack
• The table contains only two rows because only two local IP addresses were affected

Destination IP: Hover the mouse over the asset name or IP address to display further information
Chained: Indicates whether the destination IP address is the source IP address in another offense
Destinations: View all destination IP addresses of the offense

• Chained:
  The field shows Yes if the destination IP address is the source IP address of other offenses. Then, an attacker has taken control over the system with this IP address and uses it to attack other systems. Click Yes to view the chained offenses.
• Magnitude:
  The column displays the Aggregate CVSS Score if this value exists. If it does not exist, the column displays the highest offense magnitude of all the offenses that the IP address is a part of.
• Destination Magnitude:
  The bar displays the Aggregate CVSS Score if this value exists. If it does not exist, just 0 is displayed.
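The following Python model is an added example, not part of the IBM course material and not a QRadar API: it reproduces the display rules described in this unit for the Source IP(s), Destination IP(s), Network(s), Local Destination Count and Chained fields, and follows Chained links transitively so an analyst can see how far an attacker has pivoted through the offense list. The Network Hierarchy, the offenses and all IP addresses are constructed sample data, and the joined Local (n) Remote (n) format string is an assumption.

```python
# Added example (not from the IBM course guide, no QRadar API involved):
# a model of the Offense Summary display rules for attackers and targets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Network Hierarchy on the Admin tab: every
# range listed here is local to QRadar SIEM, everything else is remote.
NETWORK_HIERARCHY = {
    "DMZ": ip_network("10.1.0.0/16"),
    "Corporate.Workstations": ip_network("10.2.0.0/16"),
}

def network_of(ip):
    """Location field: name of the local network containing ip, or None if remote."""
    addr = ip_address(ip)
    for name, net in NETWORK_HIERARCHY.items():
        if addr in net:
            return name
    return None

@dataclass
class Offense:
    offense_id: int
    offense_type: str       # "Source IP", "Event Name", "Username", ...
    source_ips: list        # attackers
    destination_ips: list   # targets

def source_ip_field(off):
    """Source IP(s): a Source IP offense has exactly one source address; other
    offense types show Multiple(n) when several attackers are involved."""
    if off.offense_type == "Source IP" and len(off.source_ips) != 1:
        raise ValueError("an offense of type Source IP has exactly one source IP")
    if len(off.source_ips) == 1:
        return off.source_ips[0]
    return f"Multiple({len(off.source_ips)})"

def local_destination_count(off):
    """Local Destination Count: number of local targets, 0 if all are remote."""
    return sum(1 for ip in off.destination_ips if network_of(ip) is not None)

def destination_ip_field(off):
    """Destination IP(s): one target is shown as its address; several targets
    are summarised as Local (n) and Remote (n) (the joined format is assumed)."""
    if len(off.destination_ips) == 1:
        return off.destination_ips[0]
    local = local_destination_count(off)
    return f"Local ({local}) Remote ({len(off.destination_ips) - local})"

def networks_field(off):
    """Network(s): local networks of the local targets; remote networks are
    never associated with an offense."""
    return sorted({network_of(ip) for ip in off.destination_ips
                   if network_of(ip) is not None})

def chained(off, all_offenses):
    """Chained column of Top 5 Destination IPs: for each target, the ids of
    other offenses in which that target is a source IP, that is, the host may
    have been taken over and is now used to attack further systems."""
    return {
        target: [o.offense_id for o in all_offenses
                 if o.offense_id != off.offense_id and target in o.source_ips]
        for target in off.destination_ips
    }

def chain_path(off, all_offenses):
    """Follow Chained links transitively (breadth first) and return the ids of
    the offenses reached, starting with the offense itself. The visited set
    stops loops such as A attacks B, B attacks A."""
    by_id = {o.offense_id: o for o in all_offenses}
    order, seen, queue = [], {off.offense_id}, [off.offense_id]
    while queue:
        current = queue.pop(0)
        order.append(current)
        for ids in chained(by_id[current], all_offenses).values():
            for nxt in ids:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return order

# Constructed sample offenses: a remote scanner hits two DMZ hosts and one
# remote host; a DMZ host then shows up as an attacker against a workstation,
# which in turn attacks an external address.
OFFENSES = [
    Offense(1, "Source IP", ["192.0.2.10"],
            ["10.1.0.5", "10.1.0.6", "198.51.100.7"]),
    Offense(2, "Event Name", ["10.1.0.5", "10.2.0.9"], ["10.2.0.20"]),
    Offense(3, "Source IP", ["10.2.0.20"], ["203.0.113.4"]),
]

if __name__ == "__main__":
    for off in OFFENSES:
        print(off.offense_id, source_ip_field(off), destination_ip_field(off),
              networks_field(off), chained(off, OFFENSES))
    print("attack chain from offense 1:", chain_path(OFFENSES[0], OFFENSES))
```

In the sample data, following the Chained links from offense 1 reaches offenses 2 and 3, which is the pivot path an analyst would otherwise reconstruct by clicking Yes in the Chained column of each offense in turn.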

Top 5 Log Sources

A firewall provided the log messages about firewall denies; this firewall is the major log source of the offense

Events: Number of events sent by the log source added to the offense
Log Sources: View all log sources adding to the offense
Custom Rule Engine (CRE): The QRadar SIEM CRE creates events and adds them to offenses
Offenses: Number of offenses related to the log source
Total Events: Sum of all events received from this log source while the offense is active

• Name and Description:
  QRadar SIEM administrators can choose the name and description of a log source. They also choose the credibility for events received from the log source.
• Group:
  Optionally, QRadar SIEM administrators can create log source groups.

Top 5 Users
QRadar SIEM lists the five users with the most events added to the offense

Users: View all users associated to the offense

For the example offense, QRadar SIEM did not receive an event or flow with user information and therefore does not list a user. The screen capture displays a user from a different offense.

Top 5 Categories
QRadar SIEM categorized most events into the Firewall Deny category

Categories: View all low-level categories of the events contributing to the offense
Name: Low-level category of the event
Local Destination Count: Number of local destination IP addresses affected by offenses with events in this category

• QRadar SIEM classifies events into categories. Categories cannot be added, deleted, or renamed.
  Refer to the QRadar SIEM product documentation about event categories (http://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_event_categories.html) for a list of high-level categories (HLC) and low-level categories (LLC).
  Rules executed by the Custom Rules Engine (CRE) fired for the suspicious Firewall Deny events. As an action of the rules, the CRE created the events in the Network Sweep and ICMP Reconnaissance categories, and created the offense tying these events together.
• Local Destination Count:
  Displays 0 if all destination IP addresses are remote.
• Events/Flows:
  Displays the number of events per low-level category that the CRE added to the offense.


Last 10 Events
Double-click anywhere on a row to open a window with details about the event

Dst Port: The destination port is 0 for layer 3 protocol traffic such as ICMP
Events: View all events added to the offense

The last 10 events added to the offense provide the security analyst information about the latest
developments in the offense.

Last 10 Flows
The table does not display any flows, because QRadar SIEM did not detect flows relevant for the offense

Total Bytes: Sum of bytes transferred in both directions
Flows: View all flows added to the offense


Annotations
• Annotations provide insight into why QRadar SIEM considers the event or observed traffic threatening
• QRadar SIEM can add annotations when it adds events and flows to an offense
• Read the oldest annotation first, because it was added when the offense was created

Annotations: View all annotations of the offense
Annotation: Hold the mouse over a shortened annotation to show the full annotation

The QRadar SIEM rules add annotations when they create or update an offense, whereas QRadar
SIEM users cannot add, edit, or delete annotations.

Offense Summary toolbar


The Offense Summary toolbar provides direct links to the information that you just investigated.

Summary: View the Offense Summary
Events: View all events added to the offense
Flows: View all flows added to the offense
Display: View offense information introduced on previous slides

• To review information about offense-related Connections, or to use the View Attack Path option, you must have QRadar Risk Manager deployed, which is not covered in this course.
• In the next lesson, we take a look at the possible Actions.

Lesson 4 Acting on an offense


Security analysts draw conclusions from investigating an offense and can act accordingly. In this
lesson, you learn how to take action on an offense in QRadar SIEM.

Offense actions
After investigating an offense, click Actions at the top of the Offense Summary page to set flags and status.

Follow up: Choose if you want to revisit the offense
Hide: Use with caution because QRadar SIEM still updates the offense; alarming updates can stay hidden
Protect Offense: Prevent QRadar SIEM from deleting the offense
Close: When you have resolved the offense, close it
• All actions on the Offense Summary page are also available on the Offense list with the exception of Email and Add Note.
• The Actions menu includes the following options:
– Hide:
An offense hidden by a QRadar SIEM user is also hidden for all other users.
The Offense Manager on the Offenses tab does not list hidden offenses by default. To display hidden offenses, clear the Exclude Hidden Offenses filter.
An inactive offense can be hidden, but a closed offense cannot be hidden.
If a user closes a hidden offense, QRadar SIEM displays it.
– Email and Add Note:
The Email and Add Note actions are available only on the Offense Summary page.
– Assign:
Delegate the offense to a QRadar SIEM user.


Offense status and flags


The actions available depend on the status of the offense.

Status:
- Protected
- Inactive
- Closed
Icon indicates:
- Follow up
- Notes
- Assigned
Unprotect Offense: Allow QRadar SIEM to delete this protected offense
• This slide displays how the Status field and the Actions menu look after you have performed the following actions:
– Follow up
– Protect Offense
– Close
– Add Note
– Assign
• Field descriptions:
– Status:
No icon exists for status active. An icon exists for status hidden, but it is not displayed in the slide.
– Follow up, Email, Add Note, and Assign:
These actions are available for all offenses in any status, including the inactive status. If you select Follow up for an offense with the Follow up flag already set, QRadar SIEM removes the flag.
– Assigned to:
The offense is assigned to a QRadar SIEM user.

The Actions menu of the Offense Manager on the Offenses tab allows you to export offenses. You
can export offenses to keep records outside of QRadar SIEM. Exported offenses cannot be
imported back into QRadar SIEM.


Offense lifecycle
• A newly created offense is in status active
– QRadar SIEM maintains up to 2,500 active offenses
• QRadar SIEM changes the status from active to dormant when the offense has not received an event or flow for 30 minutes
• QRadar SIEM changes the status from dormant to recalled when the offense receives an event or flow
– QRadar SIEM maintains up to 500 recalled offenses
– QRadar SIEM changes the status from recalled back to dormant when the offense has not received an event or flow for 30 minutes
• QRadar SIEM changes the status to inactive in the following cases
– A user closes the offense
– The offense has not received an event or flow for five days
– The QRadar SIEM installation is upgraded
• If a rule fires that would add an event or flow to an inactive offense, a new offense is created
• QRadar SIEM deletes unprotected offenses in inactive status after the retention period elapses; administrators can change the default retention period of three days
• Offenses tab:
The search on the Offenses tab allows you to exclude active offenses from the search result. There, the Active Offenses checkbox includes the statuses active, dormant, and recalled.
• Protect Offense and the inactive status:
A protected active offense can become inactive, but QRadar SIEM does not delete it. QRadar SIEM stores a protected inactive offense indefinitely until a QRadar SIEM user unprotects it. Only QRadar SIEM, but not users, can turn an offense inactive. Only users, but not QRadar SIEM, can protect, unprotect, hide, or close an offense.
• Close:
When a QRadar SIEM user closes an offense, the offense turns from the status of active to inactive and closed.
• Maximum:
QRadar SIEM stores up to 100,000 offenses. However, any QRadar SIEM deployment with more than one or two dozen offenses requires tuning.
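The transitions and thresholds listed above, as an added model in Python (not IBM's or QRadar's own code): it applies the 30-minute, five-day, and three-day defaults to a constructed timeline, and the `Offense`, `OffenseManager`, and walkthrough names, as well as the simplification that a rule targets an offense by id, are this example's own assumptions.

```python
from datetime import datetime, timedelta
# Thresholds stated on this page; the retention period is the administrator-changeable default.
DORMANT_AFTER = timedelta(minutes=30)
INACTIVE_AFTER = timedelta(days=5)
DEFAULT_RETENTION = timedelta(days=3)

class Offense:
    def __init__(self, offense_id, now):
        self.id = offense_id
        self.status = "active"         # active | dormant | recalled | inactive
        self.last_contribution = now   # when the last event or flow was added
        self.inactive_since = None
        self.protected = self.closed = self.hidden = False

class OffenseManager:
    """Applies the lifecycle transitions described above (a model, not QRadar code)."""

    def __init__(self, retention=DEFAULT_RETENTION):
        self.retention = retention
        self.offenses = {}
        self._next_id = 1

    def contribute(self, now, offense_id=None):
        """A rule fires at `now` for `offense_id`; returns the offense that received
        the event or flow. An inactive or missing target yields a new offense."""
        target = self.offenses.get(offense_id)
        if target is None or target.status == "inactive":
            target = Offense(self._next_id, now)
            self.offenses[target.id] = target
            self._next_id += 1
            return target
        if target.status == "dormant":
            target.status = "recalled"   # dormant -> recalled on new activity
        target.last_contribution = now
        return target

    def tick(self, now):
        """Apply the time-based transitions as of `now`; returns the ids deleted."""
        deleted = []
        for offense in list(self.offenses.values()):
            idle = now - offense.last_contribution
            if offense.status in ("active", "recalled") and idle >= DORMANT_AFTER:
                offense.status = "dormant"
            if offense.status != "inactive" and idle >= INACTIVE_AFTER:
                offense.status = "inactive"
                offense.inactive_since = offense.last_contribution + INACTIVE_AFTER
            if (offense.status == "inactive" and not offense.protected
                    and now - offense.inactive_since >= self.retention):
                deleted.append(offense.id)
                del self.offenses[offense.id]    # unprotected and retention elapsed
        return deleted

    # User actions: only users, not QRadar SIEM, close, hide, protect or unprotect.
    def close(self, offense_id, now):
        offense = self.offenses[offense_id]
        offense.closed, offense.status, offense.inactive_since = True, "inactive", now
        offense.hidden = False           # closing a hidden offense displays it again

    def hide(self, offense_id):
        offense = self.offenses[offense_id]
        if offense.closed:
            return False                 # a closed offense cannot be hidden
        offense.hidden = True
        return True

    def protect(self, offense_id, protected=True):
        self.offenses[offense_id].protected = protected

def lifecycle_walkthrough():
    """Constructed timeline; returns what was observed after each step."""
    t0 = datetime(2017, 12, 1, 8, 0)
    mgr = OffenseManager()
    first = mgr.contribute(t0)
    trail = [first.status]                                    # active
    mgr.tick(t0 + timedelta(minutes=31))
    trail.append(first.status)                                # dormant
    mgr.contribute(t0 + timedelta(minutes=40), first.id)
    trail.append(first.status)                                # recalled
    mgr.tick(t0 + timedelta(minutes=71))
    trail.append(first.status)                                # dormant again
    idle_limit = t0 + timedelta(minutes=40) + INACTIVE_AFTER
    mgr.tick(idle_limit)
    trail.append(first.status)                                # inactive
    second = mgr.contribute(idle_limit, first.id)
    trail.append("new offense" if second.id != first.id else "revived")
    deleted = mgr.tick(idle_limit + DEFAULT_RETENTION)
    trail.append("deleted" if first.id in deleted else "kept")
    return trail

def protection_walkthrough():
    """Protection blocks deletion; a closed offense cannot be hidden. Returns (True, False)."""
    t0 = datetime(2017, 12, 1, 8, 0)
    mgr = OffenseManager()
    offense = mgr.contribute(t0)
    mgr.protect(offense.id)
    mgr.tick(t0 + timedelta(days=9))      # well past the idle limit and retention
    survived = offense.status == "inactive" and offense.id in mgr.offenses
    mgr.close(offense.id, t0 + timedelta(days=9))
    return survived, mgr.hide(offense.id)
```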


Exercise introduction
Complete the following exercises in the Course Exercises book
• Investigating the local DNS scanner offense


Summary
Now you should be able to perform the following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information
– Summary information
– The details of an offense
• Respond to an offense

Unit 5 Investigating the Events of an Offense


The investigation of an offense usually leads to the investigation of the events that contributed to
the offense. This unit teaches you how to find, filter, and group events in order to gain critical
insights about the offense. You also learn how to create and edit a search that monitors the events
of suspicious hosts.

References:
• QRadar SIEM Users Guide: http://www.ibm.com/support/docview.wss?uid=swg27049537
• Technote: Searching your QRadar data efficiently: http://www.ibm.com/support/docview.wss?uid=swg21689803
• Technote: QRadar: How does the Log Activity and Network Activity Real Time (streaming) option work? http://www.ibm.com/support/docview.wss?uid=swg21622826


Objectives
In this unit, you learn to perform the following tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search

Lesson 1 Investigating event details


One of the first steps when investigating the events of an offense is to examine the event data at a
high level. In this lesson, you learn how to navigate the event details that are displayed in the list of
events.

Definition event

Event
--noun
An event is a record of an action on a machine.


Navigating to the events


In the Offense Summary, click Events to open the list of events.

Events: View all events added to the offense

You can also use the Log Activity tab to view events.

List of events

Hide graphical charts
View event details by double-clicking a row

• To sort events, click a column header.
• To investigate suspicious activity, you must locate the information associated with the offense, such as its events.

Event details: Base information


The event information is similar to the offense parameters.

Start Time: The time when a QRadar Event Collector started working with the raw event
Storage Time: The time when a QRadar Event Processor stored the normalized event in its database
Log Source Time: The time stamp that the log source recorded in the raw event

Event details: Source and destination information


Typically, only a few fields under the source and destination information include data


Event details: Reviewing the raw event


Each normalized event carries its raw event as the payload.

Review the raw event for information that QRadar SIEM has not normalized into fields, which therefore does not display in the UI. An example is the firewall profile name Default_Atlantis.

Event details: Additional details

QID: A QID map specifies event name, description, severity rating, and links to low-level and high-level category
Protocol: Network protocol
Log Source: This log source provided the raw event that QRadar SIEM normalized into this event
Event Count: Number of raw events bundled into this normalized event
• The Event Details window provides more event information. This information is discussed in more depth later in this course.
• Field descriptions:
– Protocol:
In this example, the protocol is icmp_ip. ICMP is encapsulated into IP. Both are layer 3 protocols.
– QID:
A QID number identifies a QID map. A QID map identifies an action of a software system or network device that it logs as a raw event.
– Log Source:
A system on your network is a log source if QRadar SIEM receives raw events from it.
– Event Count:
For each individual log source, QRadar SIEM administrators can enable or disable coalescing of multiple similar raw events into one normalized event. The number indicates how many raw events have been coalesced into one normalized event. A coalesced, normalized event contains only the first raw event in the payload.


Returning to the list of events


After investigating the event details, click Return to Event List, in the upper-left corner of the event details window, to return to the event list.

Return to Event List: Navigate to the list of events for the offense
Offense: Navigate to the offense to which the event was added

Lesson 2 Using filters to investigate events


Filters can temporarily hide events from the user interface, which makes it easier to focus on more
significant events. When investigating events, it can be helpful to filter the events. In this lesson,
you learn how to filter events.

References:
• QRadar SIEM Users Guide: http://www.ibm.com/support/docview.wss?uid=swg27049537
• Technote: Searching your QRadar data efficiently: http://www.ibm.com/support/docview.wss?uid=swg21689803


Filtering events
• In the list of events, you can use filters to explore the offense further
• Most events in this offense are Firewall Deny

• Because other events provide more insight, right-click the event name to filter for events that are not Firewall Deny

• You can right-click most fields to filter them.
• Use the False Positive option to prevent the CRE from adding this and similar events to offenses.
• The menu item beginning with View path is only available if QRadar Risk Manager is licensed.

Filtering events (continued)


By filtering Firewall Deny events, you can focus on other events.

The Custom Rule Engine (CRE) in QRadar SIEM created the events in this list to alert you to suspicious activity.

Filtering events (continued)


The user interface displays the applied filters.

Clear Filter: Click to view the Firewall Deny events again

Applying a Quick Filter to the payload


• The raw Firewall Deny events contain the firewall profile that denied the connection
• The firewall profile is not available as an event property
• To verify that the company's main profile, Atlantis, was always active, filter events without profile: Default_Atlantis in the payload

Quick Filter: Filter for events that do not contain profile: Default_Atlantis in the payload
Clear Filter: Click to view all events of the offense again
Quick Filter supports expressions with AND, OR, and NOT. For example, when you apply the NOT "profile: Default_Atlantis" Quick Filter and no events show, you can assume that all the events' payloads mention the firewall profile Atlantis because no other firewall profile was active.

Refer to the QRadar SIEM Users Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about the expressions Quick Filter supports.

A coalesced event contains only the payload of one of the raw events bundled together. Therefore, quick filtering looks into only that one payload.
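The coalescing behaviour from the Event Count description in Lesson 1 and the Quick Filter caveat above, as an added example (not IBM's code and not QRadar's implementation): constructed raw firewall lines are coalesced so that only the first payload survives, and a simplified AND/OR/NOT evaluator shows why NOT "profile: Default_Atlantis" finds the odd profile only when coalescing is off. The coalescing key, the field parsing, and the case-insensitive substring matching are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed raw firewall lines (not course data); the third was denied by a
# different profile than the company's main profile Default_Atlantis.
RAW_EVENTS = [
    "fw01 deny src=10.1.1.5 dst=10.2.2.9 proto=icmp profile: Default_Atlantis",
    "fw01 deny src=10.1.1.5 dst=10.2.2.9 proto=icmp profile: Default_Atlantis",
    "fw01 deny src=10.1.1.5 dst=10.2.2.9 proto=icmp profile: Default_Backup",
    "fw01 deny src=10.1.1.5 dst=10.2.2.9 proto=icmp profile: Default_Atlantis",
    "fw01 deny src=10.1.1.5 dst=10.2.2.7 proto=udp profile: Default_Atlantis",
]

@dataclass
class NormalizedEvent:
    event_name: str
    source_ip: str
    destination_ip: str
    event_count: int
    payload: str  # after coalescing only the first raw event survives here
    def key(self):  # simplified coalescing key (assumption, not QRadar's exact key)
        return (self.event_name, self.source_ip, self.destination_ip)

def normalize(raw):
    """Parse one constructed raw line into the few fields this example needs."""
    fields = dict(part.split("=", 1) for part in raw.split() if "=" in part)
    return NormalizedEvent("Firewall Deny", fields["src"], fields["dst"], 1, raw)

def coalesce(raw_events, enabled=True):
    """Bundle consecutive raw events with the same key into one normalized event;
    the bundle keeps only the first payload, as the course notes describe."""
    events = []
    for raw in raw_events:
        ev = normalize(raw)
        if enabled and events and events[-1].key() == ev.key():
            events[-1].event_count += 1  # the later raw payload is dropped
        else:
            events.append(ev)
    return events

TOKEN = re.compile(r'"[^"]*"|\(|\)|\S+')

class QuickFilter:
    """Simplified AND/OR/NOT evaluator (case-insensitive substring match on the
    payload). Illustrates the grammar; it is not QRadar's implementation."""

    def __init__(self, expression):
        self.tokens = TOKEN.findall(expression)
        self.pos = 0
        self.tree = self._expr()

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _expr(self):  # expr := term (OR term)*
        node = self._term()
        while self._peek() and self._peek().upper() == "OR":
            self.pos += 1
            node = ("or", node, self._term())
        return node

    def _term(self):  # term := factor (AND? factor)*; adjacent factors imply AND
        node = self._factor()
        while self._peek() and self._peek().upper() != "OR" and self._peek() != ")":
            if self._peek().upper() == "AND":
                self.pos += 1
            node = ("and", node, self._factor())
        return node

    def _factor(self):  # factor := NOT factor | ( expr ) | literal
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        if tok.upper() == "NOT":
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.pos += 1
            return node
        return ("lit", tok.strip('"').lower())

    def matches(self, payload):
        return self._eval(self.tree, payload.lower())

    def _eval(self, node, text):
        kind = node[0]
        if kind == "lit":
            return node[1] in text
        if kind == "not":
            return not self._eval(node[1], text)
        results = [self._eval(child, text) for child in node[1:]]
        return all(results) if kind == "and" else any(results)

def filter_events(events, expression):
    qf = QuickFilter(expression)
    return [ev for ev in events if qf.matches(ev.payload)]
```

With coalescing off, the NOT filter surfaces the one line denied by Default_Backup; with coalescing on, that line is the third raw event of a four-event bundle whose payload is the first line, so the same filter returns nothing.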



Using another filter option


• To create a filter, click the Add Filter icon
• You can use each event property as a filter

• Instead of an IP address, you can enter a range of IP addresses, in CIDR notation, such as 10.100.0.0/16.
• To build an OR expression, use Equals any of.



Using another filter option


A wide variety of Parameters and Operators are available for filtering.


Optimizing search execution efficiency


Searches can consume a lot of resources and run for a long time. To run searches efficiently, follow these recommendations:

• An index on a filtered property significantly reduces the run time of a search
– [Indexed] behind a property in the Parameter drop-down list indicates that QRadar SIEM maintains an index for values of the property
– If you search for a property without an index, add indexed properties as filters to lower the number of events that QRadar SIEM needs to search
• Narrow the time range
– The relationship between time range and resource consumption is nearly linear
• If you know which appliances store the relevant events and flows, select from the Parameters drop-down list the Event Processor parameter and then the names of the appliances
– The Event Processor parameter is available not only for events but also for flows, because event and flow processing are provided by the same software component
• The Log Activity and Network Activity tabs always display the result of a search; if you add a filter, QRadar SIEM applies the filter only to this search result
In deployments with more than one appliance, network bandwidth and latency can be a bottleneck. Therefore, narrow the time range and add filters to limit the size of the search result that event and flow processor appliances transfer to the Console appliance.

Refer to the Searching your QRadar data efficiently technote (http://www.ibm.com/support/docview.wss?uid=swg21689803) for more information about search optimization.
Lesson 3 Using grouping to investigate events


Grouping events arranges the events so you can view them from different perspectives. In this
lesson, you learn how to group the events of an offense.

Reference:
• Technote: QRadar: How does the Log Activity and Network Activity Real Time (streaming) option work? http://www.ibm.com/support/docview.wss?uid=swg21622826

Grouping events

Default (Normalized): By default, QRadar SIEM shows normalized events without grouping
Raw Events: Instead of grouping, QRadar SIEM shows the raw events stored in the payload of each normalized event
Low Level Category: Explore the events further by grouping them; for example, group them by their Low Level Category

After changing the grouping, events are organized accordingly. All filters are retained.

Grouping events by low-level category


In this example, exploring by grouping indicates a second protocol.

Grouping By: QRadar SIEM shows the currently selected grouping above the filters
Protocol: Some events recorded an additional protocol; click Multiple (2)
All events are aggregated by their low-level category
• Grouping summarizes all events by the chosen field. In this example, grouping events by low-level category displays a column of all the unique low-level categories and summary information of the other columns, such as the number of unique protocols for each low-level category.
• In the Protocol column, Multiple (x) is displayed, where x is the number of unique protocols. If only one protocol exists for a low-level category, that value displays instead of Multiple (x). When you double-click the Multiple (x) protocols, a browser window that groups these protocols opens. The new window displays the unique protocols summarized by the previous grouping of low-level category.



Grouping events by protocol


In the Protocol column, click Multiple (2) to open a window with events grouped by protocol; you learn that the firewall denied udp_ip in addition to icmp_ip.

Grouping By: QRadar SIEM can group by Protocol
Current Filters: The previous grouping, Low Level Category, became a filter
To explore the event further, click Multiple (2) to view the two destination IP addresses that the source IP address wanted to contact using udp_ip. When finished, close the window.
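The grouping rows and the drill-down from the two slides above, as an added example on constructed events (not IBM's code): `group_events` renders each column as its single value or as Multiple (x), and `drill_down` turns the previous grouping value into a filter the way double-clicking Multiple (2) does. The column names and sample values are assumed.

```python
# Constructed normalized events of one offense (not data from the course environment).
EVENTS = [
    {"event_name": "Firewall Deny", "low_level_category": "Firewall Deny",
     "protocol": "icmp_ip", "destination_ip": "10.2.2.9"},
    {"event_name": "Firewall Deny", "low_level_category": "Firewall Deny",
     "protocol": "icmp_ip", "destination_ip": "10.2.2.9"},
    {"event_name": "Firewall Deny", "low_level_category": "Firewall Deny",
     "protocol": "icmp_ip", "destination_ip": "10.2.2.9"},
    {"event_name": "Firewall Deny", "low_level_category": "Firewall Deny",
     "protocol": "udp_ip", "destination_ip": "10.2.2.7"},
    {"event_name": "Firewall Deny", "low_level_category": "Firewall Deny",
     "protocol": "udp_ip", "destination_ip": "10.2.2.8"},
    {"event_name": "Local DNS Scanner", "low_level_category": "Recon",
     "protocol": "udp_ip", "destination_ip": "10.2.2.53"},
]


def group_events(events, group_by, filters=None):
    """Return one row per distinct value of `group_by`, honouring `filters`
    (column -> required value). Every other column shows its single value, or
    'Multiple (x)' where x is the number of distinct values inside the group."""
    filters = filters or {}
    groups = {}
    for ev in events:
        if any(ev[col] != want for col, want in filters.items()):
            continue
        groups.setdefault(ev[group_by], []).append(ev)
    rows = []
    for key, members in groups.items():
        row = {group_by: key, "event_count": len(members)}
        for col in members[0]:
            if col == group_by:
                continue
            distinct = {m[col] for m in members}
            row[col] = distinct.pop() if len(distinct) == 1 else f"Multiple ({len(distinct)})"
        rows.append(row)
    return rows


def drill_down(events, row, group_by, column, filters=None):
    """Double-clicking 'Multiple (x)' in `column`: the row's current grouping value
    becomes a filter, and the matching events are regrouped by the clicked column."""
    new_filters = dict(filters or {})
    new_filters[group_by] = row[group_by]
    return group_events(events, column, new_filters), new_filters
```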

Removing grouping criteria

Display: Group by Default (Normalized) to remove the grouping by Low Level Category

Viewing a range of events

If events are still added to the investigated offenses, view them.

Pause/Play Refresh
• Real Time (streaming): Shows events as they arrive; grouping and sorting are not available
• Last Interval (auto refresh): Shows the last minute of events; refreshes automatically after 1 minute
• In addition to viewing incoming events, you can select a time range from the View drop-down list. When you open the List of events window from the Offense Summary, QRadar SIEM automatically sets a time range to include all events added to the offense.
• Last Interval (auto refresh):
The last minute of events can be delayed by up to 1 minute from the time the event reached the Event Processor refresh cycle.
• Real Time (streaming):
To view the details of an event, pause streaming and double-click the event. Refer to the QRadar: How does the Log Activity and Network Activity Real Time (streaming) option work? technote (http://www.ibm.com/support/docview.wss?uid=swg21622826) for more information about Real Time (streaming).
Lesson 4 Saving a search


The event list is the result of the search criteria that you chose. In this lesson, you learn how to save
a search and use it to investigate the events that are included in an offense. The scenario that is
used as an example in this lesson monitors a possibly compromised host.

Monitoring the offending host


The event list always displays search results; to view traffic to and from the offending host, edit this search, save it, and add it to the dashboard.

Clear Filter: To monitor all traffic, remove the offense filter
Filter: Right-click a Source IP to see the filter pop-up
To monitor an offending host, filter on the IP address and then clear the offense filter. If you clear the offense filter first, all the events in the given time range show, making it difficult to find the IP address of interest.

Monitoring the offending host (continued)

View: List events of the last 24 hours
Display: Group by High Level Category

Monitoring the offending host (3 of 3)

Now the screen shows the selected time range, grouping, and filtering.

Save Criteria: Save the criteria of the current search.

Save Results: Save the results of the current search.
• The key components of a search are time range, grouping, and filtering.
• You can save the search criteria, save the results, or both.


Saving search criteria

Save the search with the criteria specified. Prepend the name with a department or organization name for easy identification.

Assign to group.

Add the saved search to the Quick Searches drop-down list.
• Manage Groups:
Add, edit, or remove search groups.
• Include in Quick Searches:
Add the saved search to the Quick Searches drop-down list.
• Share with Everyone:
Include this search in other users' lists of available searches.
• Set as Default:
The Log Activity tab shows the result of this search by default.
• Include in my Dashboard:
Allows you to add the search as an item to a dashboard.
Only grouped searches can be included in the dashboard. The checkbox is grayed out if the search is not grouped.


Event list using the saved search

Using Search: The event list shows the result of the saved search.
Lesson 5 Modifying saved searches

To use QRadar SIEM effectively, manage and modify saved searches. In this lesson, you learn how to work with saved searches.


About Quick Searches

When you select Include in my Quick Searches when saving a search, QRadar SIEM lists the saved search in the Quick Searches drop-down list.

Using alternative methods to create and edit searches

• Most predefined saved searches are not listed under Quick Searches
• To find, use, and edit saved searches, select Search in the top menu bar

New Search: Load a saved search; edit the loaded search or create a new search.

Edit Search: The Event List is the result of a search; edit this current search or edit another saved search.

Manage Search Results: QRadar SIEM stores the result from each search for 24 hours; you can revisit, save, or delete results.
• The New Search and Edit Search menu items are about search criteria.
• The Manage Search Results menu item is about search results.
• Managing Search Results:
QRadar SIEM might delete unsaved search results earlier than 24 hours if it requires the disk space.
You can use the Manage Search Results option to complete the following tasks:
– Save results for auditing or forensics
– Delete previously saved search results
– Cancel long running searches
– Send an email when the search in progress finishes
Note: Users see only the searches they create in the Manage Search Results window. Administrators see all searches.
• Canceling a search:
When a search is queued or in progress, you can cancel the search in the Manage Search Results window or by clicking the Cancel button in the top menu bar. Any search results computed before the cancellation are maintained.


Finding and loading a saved search

If you select New Search or Edit Search, the Event Search window opens.

Type Saved Search: To find saved searches easily, type your department name, if you prepended your saved searches with it.
The Event Search window provides more search features, such as custom time range, grouping by two or more fields, and column arrangement for the results.


Search actions

Show All: Clear all filters.

Export: You can resend exported events as raw events to QRadar SIEM.

Notify: Send an email when the search in progress finishes.

Delete: Delete the result of the currently displayed search; only the search result as a collection is deleted, not the events included in the search result.
• Export to XML, Export to CSV, and Print:
These menu items are not available when viewing Real Time (streaming) or viewing partial results from a canceled search.
• Delete:
This menu item is available only when no search is in progress.
• Notify:
This menu item is available only when a search is in progress.


Exercise introduction
Complete the following exercises in the Course Exercises book
• Look for events contributing to an offense
• Save search criteria and search results
• Investigate event details

Summary
Now you should be able to perform the following tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search
Unit 6 Using Asset Profiles to Investigate Offenses


QRadar SIEM stores security-relevant information about systems in your network in asset profiles.
This unit teaches you how asset profiles are created and updated, and how to use them as part of
an offense investigation.

References:
• Forum of Incident Response and Security Teams (FIRST): Common Vulnerability Scoring System SIG https://www.first.org/cvss/
• PCI Security Standards Council https://www.pcisecuritystandards.org
• Technote: Vulnerability results and how they display in QRadar SIEM http://www.ibm.com/support/docview.wss?uid=swg21665232
• QRadar SIEM Administration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Vulnerability Assessment Configuration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537


Objectives
In this unit, you learn to perform the following tasks:
• Describe how asset profiles are identified, created, and updated
• Investigate asset profile details
• Navigate the Assets tab
Lesson 1 Asset profiles overview

The asset profiles of QRadar SIEM store security-relevant data about systems in your network. In this lesson, you are introduced to asset profiles and also learn how QRadar SIEM creates and updates asset profiles.


Definition: asset profile

Asset profile
--noun
An asset profile maintains technical and organizational information about a system in your organization's network.

About asset profiles

• Asset profiles store a wealth of information about a system in your local network, such as these examples
– Name
– IP addresses
– MAC addresses
– Operating system
– Services
– Owner
– Other resource information
• Asset profiles are used to investigate local source and destination IP addresses of an offense
QRadar SIEM is not a full-fledged asset management system. For example, it does not show which computer hosts a virtual machine. QRadar SIEM also cannot represent storage in asset profiles.


Data sources for asset profiles

• QRadar SIEM automatically creates and updates asset profiles for systems found in incoming data
– DHCP, DNS, VPN, proxy, firewall NAT, and wireless access point logs
– Passively gathered bidirectional flows
– Results from vulnerability scanners
Only flows and vulnerability scan data add and update information about ports and services in asset profiles
• QRadar SIEM administrators can create assets by using these methods
– Manually in the user interface
– Importing a CSV file in this format: IP address, Name, Weight (1-10), Description
QRadar SIEM administrators can delete asset profiles. A previously deleted asset profile is re-created if a vulnerability scanner finds the system, or QRadar SIEM detects it in flows.

The REST API of QRadar SIEM allows you to list and update asset profiles. It cannot create or delete asset profiles.


Identity information

• To provide gathered data to the right profile, the Asset Profiler uses the following identity information in priority order to identify an asset uniquely
– MAC address
– NetBIOS name
– DNS name
– IP address
For example, if a detected MAC address is not known to any asset profile, the Asset Profiler creates a new profile, even if the IP address belonging to this new MAC address is already assigned to an existing profile, because the Asset Profiler assumes the system of the existing asset profile has been replaced
• The Asset Profiler can merge asset profiles if it determines that the same system is represented
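The priority rule above, worked through as an added example that is not IBM's or QRadar's code: a small Python model of the Asset Profiler that assigns constructed observations to profiles. That only an unknown MAC address forces a new profile, that a shared NetBIOS or DNS name triggers a merge, and that an IP address already held elsewhere moves to the newer profile are assumptions that generalise the slide's one example.

```python
"""Added example (not IBM's code): a simplified model of the Asset Profiler's
identity rules described on the slide. The observations and the handling of
lower-priority identifiers are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Identity attributes in the priority order the slide gives.
IDENTITY_KEYS = ("mac", "netbios", "dns", "ip")


@dataclass
class AssetProfile:
    id: int
    # Every value seen for each identity attribute of this asset.
    identity: Dict[str, set] = field(
        default_factory=lambda: {k: set() for k in IDENTITY_KEYS})

    def has(self, key: str, value: str) -> bool:
        return value in self.identity[key]


class AssetProfiler:
    def __init__(self) -> None:
        self.profiles: List[AssetProfile] = []
        self._next_id = 1

    def _find(self, key: str, value: str) -> Optional[AssetProfile]:
        return next((p for p in self.profiles if p.has(key, value)), None)

    def _new_profile(self) -> AssetProfile:
        profile = AssetProfile(self._next_id)
        self._next_id += 1
        self.profiles.append(profile)
        return profile

    def _merge(self, other: AssetProfile, into: AssetProfile) -> None:
        # Both profiles describe the same system: fold one into the other.
        for key in IDENTITY_KEYS:
            into.identity[key] |= other.identity[key]
        self.profiles.remove(other)

    def observe(self, obs: Dict[str, str]) -> AssetProfile:
        """Assign one observation (a DHCP log line, a scan result, a flow endpoint)
        to the profile it belongs to, creating or merging profiles as needed."""
        if not any(key in obs for key in IDENTITY_KEYS):
            raise ValueError("observation carries no identity information")
        mac = obs.get("mac")
        if mac is not None and self._find("mac", mac) is None:
            # Unknown MAC address: a new system, even if its IP address is already
            # assigned to an existing profile (that system is assumed replaced).
            target = self._new_profile()
        else:
            # Otherwise the first known identifier, in priority order, selects
            # the profile; if none is known, the observation starts a new one.
            target = None
            for key in IDENTITY_KEYS:
                if key in obs:
                    target = self._find(key, obs[key])
                    if target is not None:
                        break
            if target is None:
                target = self._new_profile()

        for key in IDENTITY_KEYS:
            value = obs.get(key)
            if value is None or target.has(key, value):
                continue
            other = self._find(key, value)
            if other is not None:
                if key == "ip":
                    # Assumption: an IP address already held by another profile means
                    # that system was replaced or re-addressed, so the address moves.
                    other.identity["ip"].discard(value)
                else:
                    # Assumption: a shared NetBIOS or DNS name shows that both
                    # profiles represent the same system, so they are merged.
                    self._merge(other, into=target)
            target.identity[key].add(value)
        return target


if __name__ == "__main__":
    profiler = AssetProfiler()
    # Constructed observations: a host; a replacement host on the same IP; a
    # second host that is later linked to the replacement by its NetBIOS name.
    for obs in [
        {"mac": "00:11:22:33:44:55", "ip": "10.0.0.5"},
        {"ip": "10.0.0.5", "dns": "ws01.example.test"},
        {"mac": "00:11:22:33:44:66", "ip": "10.0.0.5"},
        {"netbios": "WS02", "ip": "10.0.0.9"},
        {"mac": "00:11:22:33:44:66", "netbios": "WS02"},
    ]:
        profiler.observe(obs)
    for p in profiler.profiles:
        print(p.id, {k: sorted(v) for k, v in p.identity.items()})
```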
Lesson 2 Investigating asset profile details

Information regarding a system in your network is often beneficial to an offense investigation. In this lesson, you learn how to browse details of an asset profile.

References:
• Forum of Incident Response and Security Teams (FIRST): Common Vulnerability Scoring System SIG https://www.first.org/cvss/
• PCI Security Standards Council https://www.pcisecuritystandards.org
• Technote: Vulnerability results and how they display in QRadar SIEM http://www.ibm.com/support/docview.wss?uid=swg21665232

Navigating from an IP address to an asset profile

To investigate the asset profile of an IP address of an offense, perform the following steps:
1. Right-click the IP address
2. Click Information > Asset Profile

Assets tab
You can also click the Assets tab to locate asset profiles.

Click the Id or IP address to open the Asset Details in a separate window. Double-click a row to open the Asset Details in the Assets tab.

Asset summary
The Asset Details open with the Asset Summary.

Aggregate CVSS Score: Level of concern about this asset.

All Users: Display previous users of the host.
• The Asset Weight measures the importance of the asset. The levels range from 0 (not important) to 10 (very important). QRadar SIEM administrators configure the Asset Weight manually.
• The Forum of Incident Response and Security Teams (FIRST) maintains the Common Vulnerability Scoring System (CVSS). It maintains only the specification, not the scores themselves. Refer to https://www.first.org/cvss/ for further information about CVSS.


Network Interface Summary

Collapse the Asset Summary to view more asset profile details.

An asset profile can have multiple network interfaces.
• MAC Address:
A MAC address can be provided in two ways to an asset profile:
– It is manually entered by a QRadar SIEM administrator, or
– It is populated by the scan result of a vulnerability scanner.
Flows do not provide MAC addresses.
• History:
Click this button to open the event search.
• Applications:
Click this button to open the flow search.
• Search Connections and View Topology:
These two buttons are only available if QRadar Risk Manager is licensed.


Vulnerabilities
• Verify the vulnerability instances to determine to which degree the investigated offense is a concern
• Vulnerability instances are provided by QRadar Vulnerability Manager or third-party vulnerability scanners

Risk: Likelihood of exploitation and impact.

Details: Hover the mouse to learn more about the vulnerability instance.

Risk Score: Level of concern about this vulnerability instance.

Severity: Payment Card Industry (PCI) severity level.
• Following are the Severity levels:
Low, Medium, High, Critical, Urgent
Refer to https://www.pcisecuritystandards.org for further information on PCI severity levels.
• The Risk rating is provided by IBM. Following are the Risk levels:
Warning, Low, Medium, High
• QRadar SIEM stores information about known vulnerabilities. QRadar SIEM usually downloads updates every night. Still, a third-party vulnerability scanner can already know about a new vulnerability and detect it when QRadar SIEM has not yet received this vulnerability information. QRadar SIEM only displays instances of this vulnerability after it has received the information. It matches its stored vulnerability information with the scan results from third-party vulnerability scanners by common vulnerability identifiers, such as CVE, Bugtraq ID, and X-Force ID. So if third-party vulnerability scanners detect issues without an identifier, such as misconfigurations, QRadar SIEM cannot display them.
Refer to the Vulnerability results and how they display in QRadar SIEM technote (http://www.ibm.com/support/docview.wss?uid=swg21665232) for more information.


Display additional information

• By default, the asset details display the vulnerability instances of the asset
• Use the Display drop-down menu to select additional information
• If available, QRadar Risk Manager provides Risk Policies information
• All other information is provided by vulnerability scanners
• QRadar SIEM can get information about Services from both vulnerability scanners and flows
The following items of the Display drop-down list only provide information for assets running Microsoft Windows:
• Windows Services
• Windows Patches
• Properties

The following item of the Display drop-down list only provides information for assets running Linux:
• Packages


Services
In the Display menu, click Services to investigate the known services of the asset.

Last Seen Passive: Services detected in passively gathered network flows.

Last Seen Active: Services detected actively by vulnerability scanners.
• SSH:
Vulnerability scanners only detect services that are running when they scan the asset. In the example on the slide, SSH was not running during scanning. Sometimes vulnerability scanners are not configured to scan less commonly used ports. These services are also only found in flows.
• Web:
Vulnerability scanners detect unused services. In the example on the slide, the service listening on port 8080 did not have any network activity. Best practice is to stop unused services.
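The reconciliation the two notes above describe, as an added example that is not IBM's code: it runs over constructed Services rows, flags a scanner-only service as a stop candidate, and separates a flows-only service into "started after the last scan" and "port probably outside the scan scope" by comparing timestamps. The asset's last scan time and the sample rows are constructed assumptions.

```python
"""Added example (not IBM's code): reconciles the Last Seen Passive and
Last Seen Active columns of the Services view as the notes describe them.
The sample rows and the asset's last scan time are constructed."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

IN_USE = "confirmed: listening and seen in flows"
UNUSED = "listening but unused: candidate to stop"
AFTER_SCAN = "seen in flows after the last scan: rescan the asset"
NOT_SCANNED = "seen in flows before the last scan, never by the scanner: check the scan's port scope"

# (service, port, last_seen_passive, last_seen_active)
Row = Tuple[str, int, Optional[datetime], Optional[datetime]]


def classify(passive: Optional[datetime], active: Optional[datetime],
             last_scan: datetime) -> str:
    """Verdict for one service from its two 'last seen' timestamps."""
    if passive is not None and active is not None:
        return IN_USE
    if passive is None and active is not None:
        # The scanner found it listening, but flows never showed traffic to it.
        return UNUSED
    if passive is not None and active is None:
        # Scanners only see services running at scan time, and only on ports
        # they are configured to check; the timestamps tell the two cases apart.
        return AFTER_SCAN if passive > last_scan else NOT_SCANNED
    return "no observation"


def reconcile(rows: List[Row], last_scan: datetime) -> Dict[Tuple[str, int], str]:
    return {(svc, port): classify(p, a, last_scan) for svc, port, p, a in rows}


def stop_candidates(rows: List[Row], last_scan: datetime) -> List[int]:
    """Ports of services the scanner sees but the network never uses."""
    return sorted(port for (_, port), v in reconcile(rows, last_scan).items() if v == UNUSED)


# Constructed rows modelled on the slide: SSH seen only in flows, a web service
# on 8080 seen only by the scanner, HTTPS seen by both, SMB seen in flows but
# only before the scan ran. Assumed last scan of this asset: 2017-12-01 02:00.
LAST_SCAN = datetime(2017, 12, 1, 2, 0)
SAMPLE_SERVICES: List[Row] = [
    ("SSH", 22, datetime(2017, 12, 1, 9, 30), None),
    ("Web", 8080, None, LAST_SCAN),
    ("Web", 443, datetime(2017, 12, 1, 9, 31), LAST_SCAN),
    ("SMB", 445, datetime(2017, 11, 30, 22, 0), None),
]

if __name__ == "__main__":
    for (svc, port), verdict in reconcile(SAMPLE_SERVICES, LAST_SCAN).items():
        print(f"{svc:4} {port:5} {verdict}")
    print("stop candidates:", stop_candidates(SAMPLE_SERVICES, LAST_SCAN))
```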


Products
QRadar SIEM displays only these items:
• Operating systems
• Products providing a service

To learn why a product is vulnerable, hover the mouse over Multiple.
Lesson 3 Navigating the Assets tab

Searching, filtering, and sorting of asset profiles can make it easier to focus an investigation on the most relevant asset profiles. In this lesson, you learn how to leverage the features of the Assets tab.

References:
• QRadar SIEM Administration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Vulnerability Assessment Configuration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537


Locating asset profiles

You can search, filter, and sort asset profiles in a similar way as on other tabs.
If a system has two IP addresses on two different networks and a QRadar SIEM user is granted permission to view only one of the networks, the user does not see the system's asset profile at all.


Filtering asset profiles

You can use most asset profile properties as a filter.

Searching asset profiles

QRadar SIEM provides predefined searches and search options in a similar way as on other tabs.

Server Discovery and VA Scan

• Security analysts use the Assets tab to investigate asset profiles
• QRadar SIEM administrators can use asset profiles to approve services and run vulnerability assessment (VA) scans

QRadar SIEM administrators can approve IP addresses for one or more server types, such as web, mail, and Windows. Services of such server types listen on standard ports, such as 80 and 443 for web.

To help QRadar SIEM administrators find IP addresses matching a server type, the Server Discovery lists asset profiles with one of the server type's standard ports open.

The Server Discovery does not probe the IP address for open ports. It also does not look for open ports in events, flows, and scan results. The Server Discovery only looks in asset profiles for open ports.

QRadar SIEM administrators can schedule the import of results from vulnerability assessment (VA) scans of systems on the network. QRadar SIEM ingests scan results from vulnerability scanners other than QRadar Vulnerability Manager. They create and update asset profiles.


• Depending on your permissions, you might not see all three options.
• Refer to the QRadar Administration Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about Server Discovery.
• Refer to the QRadar Vulnerability Assessment Configuration Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about Vulnerability Assessment Scanning.


Summary
Now you should be able to perform the following tasks:
• Describe how asset profiles are identified, created, and updated
• Investigate asset profile details
• Navigate the Assets tab
Unit 7 Investigating an Offense Triggered by Flows


QRadar SIEM correlates flows into an offense if it determines suspicious network activities. This
unit teaches you how to investigate the flows that contribute to an offense. You also learn how to
create and tune false positives and investigate superflows.

References:
• QRadar SIEM Administration Guide http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Default Applications Configuration Guide https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/kc_gen/toc-gen25.html


Objectives
In this unit, you learn to perform the following tasks:
• Describe flows
• Investigate the summary of an offense that is triggered by flows
• Investigate flow details
• Tune false positives
• Investigate superflows
Lesson 1 Flows overview

A flow provides information about a network activity between two or more systems. In this lesson, you learn from which data QRadar SIEM creates flows and which information they provide.


Definition: flow

Flow
--noun
A flow is a record of the communication between network sockets.

IP address, port, and transport protocol uniquely identify a network socket.

About flows
• From the network activity information that QRadar SIEM receives, it creates flows
• Like a phone bill, QRadar SIEM records in flows who talked to whom, at which time, but not the content of the conversation
– From unencrypted communications, QFlow can capture layer 7 payload up to a configurable number of bytes
• A flow can include information about the conversation, such as these examples
– Start Time
– End Time
– Source and destination IP addresses
– Source and destination ports
– Number of bytes transferred
– Number of packets transferred
– Network protocol
– Application protocol
– TCP flags
• While an event occurs at a single point of time, a flow has a start and end time. Most flows have only a short duration, but flows representing the transfer of a huge file or streaming of a movie can last for hours.
• Flows update asset profiles of servers with the ports and services that are running on them.


Creating flows from network activity information

• External sources: Network devices
  – Flow collectors create flows from IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files received from network devices
  – Network devices provide only a subset of the control information in network packet headers and no payload
  – To determine the application protocol, flow collectors look up which application protocol commonly uses the recorded network protocol and destination port
• Internal sources: QFlow and QRadar Network Insights (QNI)
  – Flow collectors create flows from network activity monitored by QFlow and QNI, similar to a network sniffer
  – Both provide the first bytes of packets to QRadar SIEM in order to detect the application protocol without regard to the network protocol and destination port being used
  – Both extract the same control information that is available in network activity information from external sources
  – QFlow can capture layer 7 payload up to a configurable number of bytes unless it is encrypted
    – QFlow can extract user-defined Custom Flow Properties from the part of the payload that it captured
    – QFlow stores the part of the payload that it captured
  – QNI analyzes the complete layer 7 payload unless it is encrypted
    – QNI can extract pre-defined properties, such as DNS queries, HTTP headers, and MD5 checksums of transferred files
    – QNI does not store payload other than the extracted properties

For flows created from IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files, QRadar SIEM cannot detect the Skype application protocol because Skype uses many ports. QFlow and QNI detect Skype because they analyze the first bytes of packets. QFlow and QNI perform the same application protocol detection.

The QFlow application detection is unrelated to its ability to capture and store a configurable number of bytes from each packet. Therefore, the QFlow application detection still works if a QRadar administrator configures QFlow to capture and store 0 bytes from packets. However, Custom Flow Properties are no longer extracted if payload capture is disabled.


Network Activity tab

• Click the Network Activity tab to perform these tasks
  – Investigate flows
  – Perform detailed searches
  – View network activity

To navigate to the offense that a flow contributes to, click the red icon in its row.

• In addition to the Dashboard and Offenses tabs, you can navigate to offenses from the Network Activity and Log Activity tabs.
• If rules added a flow or event to more than one offense, clicking its red icon does have an effect.
• About the Source and Destination Bytes columns:
  – The (C) behind the number of bytes indicates that the flow contains captured layer 7 payload.
  – The number of captured bytes is not displayed. By default, QRadar SIEM captures 64 bytes in each direction.
  – The number of bytes in the Source Bytes and Destination Bytes columns indicates how many bytes the source and the destination sent.


Network specific properties

• Flows on the Network Activity tab are shown in a similar way as events are on the Log Activity tab
• The Network Activity tab displays properties specific to network communication

Only flows, but not events, have the properties shown in the screen capture, with the exception of Protocol. However, usually only events from firewalls and other network systems carry protocol information.


Grouping flows
Some flow grouping options differ from event grouping options

Group by Application for an overview of the application data transported in the flows.

• Display > Default (Normalized): To remove a grouping, select Default (Normalized).
• Display > Application: QRadar SIEM detects the kind of application data transported in flows.
• Display > Geographic: To summarize flows by the geographic country/region of their destination IP addresses, group by Geographic.
• Display > Flow Bias: To summarize flows by the ratio between bytes leaving from and arriving at your organization's perimeter, group by Flow Bias.
• QRadar SIEM works in 1-minute cycles. With QFlow and QNI, QRadar SIEM can update flows that it created in previous cycles. For network activity that spans more than one cycle and is received in IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files, QRadar SIEM creates a new flow during each 1-minute cycle. To display such flows together, group by Source IP, Source Port, Destination IP, Destination Port, and Protocol, and enable capturing of time series data.

Lesson 2 Using summary information to investigate an offense

An offense bundles information about a suspicious activity, including flows. In this lesson, you learn how to use offense summary information related to flows to begin your offense investigation.

References:
• QRadar SIEM Administration Guide
  http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar SIEM Default Applications Configuration Guide
  https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/kc_gen/toc-gen25.html


Offense parameters
The parameters at the top of the offense summary provide the first clues to investigate the offense

Description: From suspicious DNS traffic, QRadar SIEM concluded botnet activity; rules compile the description. The summary also shows the flows added to this offense.

Misc.domain refers to domain name resolution traffic.

Refer to the QRadar SIEM Default Applications Configuration Guide (https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/kc_gen/toc-gen25.html) for further information.


Top 5 Source and Destination IPs

• Source and destination IP addresses provide information about the origin of the offense and its local targets
• Remote source IP addresses are displayed, but remote destination IP addresses are not

Right-click anywhere in the row to view more information about the source IP address.


Top 5 Log Sources

Events: The Custom Rule Engine (CRE) of QRadar SIEM created all events of this offense

In the example on the slide, no events created from log messages contribute to the offense. Only events created by the Custom Rules Engine (CRE) contribute to the offense.


Top 5 Categories
QRadar SIEM classified the events and the flows into categories

Each flow and event is classified into one category.

Refer to the QRadar Administration Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for a list of high-level categories (HLC) and low-level categories (LLC).


Last 10 Events
The Custom Rule Engine (CRE) created events with information about suspicious activities


Last 10 Flows
• This table provides information about what happened most recently
• Double-click a row to open a window with details about the flow

Lesson 3 Navigating flow details

A flow in QRadar SIEM provides much information about the network activity it represents. In this lesson, you learn how to navigate the details of a flow.


Base information
Flow base information is similar to event base information

QRadar SIEM extracted only the HTTP version; you have two options to extract more properties:
• For QFlow, QRadar SIEM administrators can increase the content capture length to capture more payload so that QRadar SIEM can extract more properties
• Use QRadar Network Insights instead of QFlow

• In the example on the slide, the Event Description, Application detected with state based decoding, means that QFlow or QRadar Network Insights provided the first bytes of network packets to QRadar SIEM's state-based decoder so that it was able to detect the application protocol of this flow. QRadar SIEM applies the following methods, ordered by priority, to determine which kind of application data a network connection transports:
  a. user-defined application mapping
  b. state-based decoder
  c. signature matching
  d. matching protocol and destination port against defaults
  For flows created from IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files, QRadar SIEM can only perform the last method. These accounting technologies do not provide the first bytes of network packets, and therefore QRadar SIEM can only use the port number to guess the application protocol.
• QRadar SIEM administrators can create Custom Flow Properties. Their field names in the example on the slide end with (Custom). Only QFlow and QNI can extract Custom Flow Properties from network activity. QFlow only extracts from the limited number of payload bytes that it captures and therefore might miss information. QNI examines the complete payload.
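As an added example (not course material and not IBM's implementation), the following Python model applies the four detection methods in the priority order listed above. The decoder checks, signatures, port defaults, and all application names other than Misc.domain are constructed for illustration, as are the `FlowSample` records.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FlowSample:
    protocol: str                  # network protocol recorded for the flow: "tcp" or "udp"
    dst_port: int
    first_bytes: Optional[bytes]   # first bytes fed to detection; None for NetFlow-like sources
    source: str                    # "qflow", "qni" or "netflow" (stands for all external sources)


# a. user-defined application mapping (constructed): an administrator declares what a port carries
USER_MAPPINGS = {("tcp", 8443): "InternalPortal"}


# b. state-based decoder (simplified stand-in): decides from the structure of the first bytes
def state_based_decode(first_bytes: bytes) -> Optional[str]:
    # TLS record header: content type 0x16 (handshake) followed by a 0x03xx protocol version
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "Web.SecureWeb"
    # HTTP request line: method, space, request target, and an HTTP/1.x version token
    if first_bytes.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in first_bytes:
        return "Web.HTTP"
    return None


# c. signature matching (constructed): fixed byte patterns anywhere in the first bytes
SIGNATURES = [(b"SSH-2.0", "RemoteAccess.SSH"), (b"RFB 003.", "RemoteAccess.VNC")]

# d. defaults: the application that commonly uses a protocol and destination port (constructed
#    table; Misc.domain is the name the course uses for domain name resolution traffic)
PORT_DEFAULTS = {
    ("tcp", 80): "Web.HTTP",
    ("tcp", 443): "Web.SecureWeb",
    ("tcp", 22): "RemoteAccess.SSH",
    ("udp", 53): "Misc.domain",
}


def detect_application(flow: FlowSample) -> Tuple[str, str]:
    """Apply the four methods in priority order; return (application, method that decided)."""
    key = (flow.protocol, flow.dst_port)
    if key in USER_MAPPINGS:                      # a. wins even when the bytes say otherwise
        return USER_MAPPINGS[key], "user-defined mapping"
    if flow.first_bytes:                          # b. and c. need first bytes: QFlow and QNI only
        app = state_based_decode(flow.first_bytes)
        if app:
            return app, "state-based decoder"
        for pattern, app in SIGNATURES:
            if pattern in flow.first_bytes:
                return app, "signature matching"
    app = PORT_DEFAULTS.get(key)                  # d. the only method left for external sources
    return (app, "port default") if app else ("Unknown", "none")


# Constructed samples: the same HTTP conversation on a non-standard port, once as QFlow
# sees it (with first bytes) and once as a NetFlow record (control information only)
HTTP_ON_8080 = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
SEEN_BY_QFLOW = FlowSample("tcp", 8080, HTTP_ON_8080, "qflow")
SEEN_BY_NETFLOW = FlowSample("tcp", 8080, None, "netflow")
```

The NetFlow record for port 8080 stays Unknown because no default is recorded for that port, which is the same limitation that keeps external sources from detecting Skype.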


Source and destination information

QRadar SIEM provides network connection details about the flow


Layer 7 payload
This example shows the layer 7 payloads for an HTTP GET request and response; both show only the first 64 bytes of payload by default

Note: QRadar SIEM administrators can increase the content capture length to provide more layer 7 payload

A layer 7 content capture length greater than 1024 bytes negatively impacts QRadar SIEM's performance.


Additional information

Custom Rules: Rules fired for this flow
Custom Rules Partially Matched: At least one test condition of a rule was met and an occurrence counter was incremented, but the rule did not fire
Annotations: Added by rules

The Flow Direction field can include the following values:
L2L: Traffic from a local network to a local network
L2R: Traffic from a local network to a remote network
R2L: Traffic from a remote network to a local network
R2R: Traffic from a remote network to a remote network

QRadar SIEM considers all networks local that are configured in the Network Hierarchy. You find the Network Hierarchy on the Admin tab. The Network Hierarchy is introduced later in this course.
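An added example, not part of the course, of how the Flow Direction value follows from the Network Hierarchy. The hierarchy objects, CIDR ranges and flows are constructed; the second hierarchy shows what a subnet missing from it does to the classification, which is why administrators are later asked to keep the hierarchy up to date.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed Network Hierarchy: the address ranges an organization has declared local.
# In a deployment this comes from the Admin tab; the objects and CIDRs here are made up.
NETWORK_HIERARCHY: Dict[str, List[str]] = {
    "DMZ": ["203.0.113.0/24"],
    "Servers": ["10.20.0.0/16"],
    "Clients": ["192.168.0.0/16"],
}

# The same hierarchy before the client subnet was added (constructed stale configuration)
STALE_HIERARCHY: Dict[str, List[str]] = {
    "DMZ": ["203.0.113.0/24"],
    "Servers": ["10.20.0.0/16"],
}


def local_networks(hierarchy: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """Flatten the hierarchy into network objects; every address outside them is remote."""
    return [ipaddress.ip_network(cidr) for ranges in hierarchy.values() for cidr in ranges]


def is_local(address: str, networks: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def flow_direction(src_ip: str, dst_ip: str, networks: List[ipaddress.IPv4Network]) -> str:
    """Return the Flow Direction value: L2L, L2R, R2L or R2R."""
    src = "L" if is_local(src_ip, networks) else "R"
    dst = "L" if is_local(dst_ip, networks) else "R"
    return f"{src}2{dst}"


def direction_counts(flows: List[Tuple[str, str]], hierarchy: Dict[str, List[str]]) -> Dict[str, int]:
    """Classify (source, destination) pairs and count each direction. With a stale hierarchy,
    hosts on an undeclared subnet look remote, so internal traffic shifts to R2L and R2R."""
    networks = local_networks(hierarchy)
    counts = {"L2L": 0, "L2R": 0, "R2L": 0, "R2R": 0}
    for src, dst in flows:
        counts[flow_direction(src, dst, networks)] += 1
    return counts


# Constructed flows: two internal conversations, one outbound web request, one inbound DMZ hit
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("192.168.1.5", "10.20.3.4"),     # client to internal server
    ("10.20.3.4", "10.20.3.9"),       # server to server
    ("192.168.1.5", "192.0.2.44"),    # client to an address on the internet
    ("198.51.100.7", "203.0.113.10"), # internet host to the DMZ
]
```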

Lesson 4 False positives overview

Each organization has legitimate network activity that can trigger false positive flows and events. This traffic creates noise that makes it difficult to identify true security incidents. In this lesson, you learn how to tune a flow or event as a false positive.


Preventing false positives

• If an event or flow is legitimate, you can order the CRE to ignore similar events and flows in the future
• In the top menu bar, click the False Positive icon

On the slide, the QID uniquely identifies the kind of application data that the flow transports. The option that eliminates every occurrence of the above selection, every time, is rarely useful.

The example on the slide removes any event and flow that includes the specified QID and targets the 93.158.65.201 IP address, without regard for the origin.

For events, the QID uniquely identifies a specific action of a device. For example, firewall denies issued from different firewall models have different QIDs. For flows, the QID uniquely identifies which kind of application data is transported by the flow.

To edit a false positive, edit the User-BB-FalsePositive: User Defined False Positives Tunings building block. To locate this building block, navigate to Rules on the Offenses tab. Rules and building blocks are introduced later in this course.


False positive flow or event

• QRadar SIEM ignores flows and events that you tagged as false positives for offenses, but searches and reports still include them
• To prevent unwanted offenses, QRadar SIEM administrators must perform these tasks
  – Keep the Network Hierarchy up-to-date
  – Keep building blocks that identify approved services up-to-date
  – Disable rules that create numerous pointless offenses

The next modules of this course provide an introduction to these topics; QRadar SIEM administrators perform these tasks

Many rules test whether the destination IP address and port of an event or flow is an approved service of your organization. The port numbers used for services in your organization are stored in building blocks with names beginning with BB:PortDefinition. The IP addresses of approved services are stored in building blocks with names beginning with BB:HostDefinition. QRadar SIEM administrators need to update these building blocks manually or run the Server Discovery on the Assets tab.

By default, QRadar SIEM has many rules disabled. In a production environment, it may be necessary to enable some rules. In most deployments, a professional services consultant performs initial tuning for a new QRadar SIEM deployment.

Lesson 5 Investigating superflows

A superflow is an aggregate of similar network activity that otherwise would result in a large number of separate flows. In this lesson, you learn about the three different types of superflows.


About superflows
Flow processors aggregate network activity with common characteristics into superflows that indicate common attack types

• Type A: Network sweep
  one source IP address > many destination IP addresses
• Type B: Distributed denial of service (DDOS) attack
  many source IP addresses > one destination IP address
• Type C: Portscan
  one source IP address > many ports on one destination IP address

Benefits of superflows include:
• Only a single flow stored to disk
• Reduced bandwidth usage from flow processor appliances to the console appliance
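An added example, not IBM's flow processor code, that folds one constructed minute of flows into the three superflow types above and keeps the rest as ordinary flows. The distinct-count threshold `MIN_DISTINCT`, the `Flow` and `Superflow` types, and all addresses are assumptions; the course does not state the product's threshold.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    byte_count: int


@dataclass
class Superflow:
    kind: str                 # "A" network sweep, "B" DDOS, "C" portscan
    sources: Set[str]         # source IP addresses the one stored record stands for
    destinations: Set[str]
    dst_ports: Set[int]
    flow_count: int           # individual flows folded into this single record
    byte_count: int


MIN_DISTINCT = 10   # assumed threshold of distinct destinations, sources or ports


def aggregate_superflows(flows: List[Flow], min_distinct: int = MIN_DISTINCT) -> Tuple[List[Superflow], List[Flow]]:
    """Return (superflows, flows that were left as they are)."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src_ip, f.dst_ip)].append(f)
        by_src[f.src_ip].append(f)
        by_dst[f.dst_ip].append(f)
    consumed: Set[Flow] = set()
    result: List[Superflow] = []

    def fold(kind: str, group: List[Flow]) -> None:
        result.append(Superflow(kind, {f.src_ip for f in group}, {f.dst_ip for f in group},
                                {f.dst_port for f in group}, len(group),
                                sum(f.byte_count for f in group)))
        consumed.update(group)

    # Type C: one source, one destination, many destination ports
    for group in by_pair.values():
        if len({f.dst_port for f in group}) >= min_distinct:
            fold("C", group)
    # Type A: one source, many destination addresses (flows already folded are skipped)
    for group in by_src.values():
        group = [f for f in group if f not in consumed]
        if len({f.dst_ip for f in group}) >= min_distinct:
            fold("A", group)
    # Type B: many source addresses, one destination
    for group in by_dst.values():
        group = [f for f in group if f not in consumed]
        if len({f.src_ip for f in group}) >= min_distinct:
            fold("B", group)
    return result, [f for f in flows if f not in consumed]


def sample_flows() -> List[Flow]:
    """Constructed 1-minute cycle: a sweep, a DDOS, a portscan, and two ordinary conversations."""
    flows = [Flow("10.20.3.4", 40000 + i, f"192.168.1.{i}", 445, "tcp", 120) for i in range(1, 13)]
    flows += [Flow(f"198.51.100.{i}", 50000 + i, "10.20.0.80", 80, "tcp", 800) for i in range(1, 16)]
    flows += [Flow("10.20.3.9", 41000 + p, "10.20.0.81", p, "tcp", 60) for p in range(1, 21)]
    flows += [Flow("192.168.1.5", 52000, "10.20.0.82", 443, "tcp", 5000),
              Flow("192.168.1.6", 52001, "192.0.2.44", 443, "tcp", 9000)]
    return flows
```

The DDOS superflow keeps the full set of source addresses and ports and the single target, which is what the superflow details on the next slides display.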


Superflow source and destination information

• Navigate to the flow details to further investigate a superflow
• This example shows a Type B Superflow that indicates a DDOS

In the screen capture, the source information lists the IP addresses and ports from where the DDOS originates, and the destination information shows the target of the DDOS.


Superflow additional information

In the screen capture, the superflow is tagged by the DoS building block.


Exercise introduction
Complete the following exercises in the Course Exercises book
• Investigating an offense that is triggered by flows


Summary
Now you should be able to perform the following tasks:
• Describe flows
• Investigate the summary of an offense that is triggered by flows
• Investigate flow details
• Tune false positives
• Investigate superflows

Unit 8 Using Rules


Rules and building blocks test and correlate incoming events, flows, and offenses in QRadar SIEM for indicators of an attack or policy violation. Building blocks are used as variables in other rules or reports. Unlike building blocks, rules can perform an action or response if they evaluate to true. This unit teaches you the significance of rules and building blocks, and how to locate and understand their tests, actions, and responses.

References:
• QRadar Administration Guide
  http://www.ibm.com/support/docview.wss?uid=swg27049537
• QRadar: An Example of How an Anomaly Rule Triggers Over Time technote
  http://www.ibm.com/support/docview.wss?uid=swg21903306


Objectives
In this unit, you learn to perform the following tasks:
• Navigate rules and rule groups
• Locate the rules that fired for an event or flow, and triggered an offense
• Investigate which test conditions caused a rule to fire
• Investigate building blocks and function tests
• Examine rule actions and responses
• Use rules in searches
• Examine for which indicators anomaly detection rules can fire

Lesson 1 Rules overview

QRadar SIEM uses rules and building blocks to monitor for attacks and policy violations. This lesson introduces you to custom rules and building blocks, and you learn how to locate them in general and how to find the specific rules and building blocks that fired for an event, flow, or offense.


Definition rule

Rule
--noun
A rule tests for an indicator, that is, a sign of an attack or policy violation.


Testing for indicators

• The tests of rules correlate information to monitor for the following kinds of indicators
  – Indicator of Compromise, for example
    – Reconnaissance from local hosts
    – Beaconing
  – Indicator of Concern, for example
    – Reconnaissance from remote hosts
    – DDOS attack ramping up
• This module follows the common practice of using the following terms instead of saying that a rule evaluates to true
  – a rule fires
  – a rule matches
  – a rule tags an event or flow
  – a rule contributes to an offense


Finding the rules that fired for an event or flow

QRadar SIEM shows the rules that fired for an event or flow on its details page

To navigate to the rule details, double-click the row


Finding the rules that triggered an offense

Select Display > Rules in the menu of the Offense Summary to navigate to the rules that triggered the offense

To navigate to the rule details, double-click the row

• QRadar SIEM displays only the rules that added an event or flow to the offense. The event and flow details display all rules that fired for their event or flow, regardless of whether they added it to an offense or not.
• To view and manage custom rules, the user must have the View Custom Rules or Maintain Custom Rules role permission.


Navigating to rules
Select Rules in the Actions menu on the Log Activity tab or Network Activity tab

The Rules List opens in a separate window.


Navigating to rules (continued)

Select Rules on the Offenses tab to navigate to rules

• Rules are organized in groups.
• You can click the column headers to sort rules.


Navigating to rules (continued)

Click the Groups button to open the Groups window

Lesson 2 Using rule definitions during an investigation

Rules and building blocks define what QRadar SIEM considers an attack or policy violation. As part of an offense investigation, you might need to find out in detail why QRadar SIEM created an offense. In this lesson, you learn how to understand what a rule or building block tests for.

Reference:
• QRadar Administration Guide
  http://www.ibm.com/support/docview.wss?uid=swg27049537


Rule Wizard demonstration


Rule Wizard
Double-click a rule to open the Rule Test Stack Editor in the Rule Wizard

• Learn about the rule's purpose
• Learn from the rule's tests what it detects; refer to the next slide for more information
• To navigate to the rule's actions and responses, click Next

If you have the Maintain Custom Rules permission, QRadar SIEM opens the Rule Test Stack Editor to edit the rule as shown on the slide. If you have the View Custom Rules permission, but not the Maintain Custom Rules permission, QRadar SIEM displays the rule summary read-only.

Refer to the QRadar Administration Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for more information about developing rules.


Rule tests
To find out in detail why a rule fired, investigate what it tests

Slide figure: the Rule Test Stack Editor lists the rule's logical operators and test conditions; the example rule consists of simple tests with one test condition each
• The Custom Rules Engine (CRE) executes the tests
• When a CRE receives a flow, the CRE evaluates the example rule in the following steps
  1. Test whether the context of the flow is Local to Local
  2. If true, stop evaluating this rule for the flow
  3. If false, move to the next test
  4. Test whether the flow duration is greater than 48 hours
  5. If true, the rule fires
  6. If false, the rule does not fire

• CRE instances run on the Console appliance and on each event and flow processor appliance.
• All CRE instances in a QRadar SIEM deployment share the same rules.

Custom rules
• The tests of more complex rules correlate events and flows that by themselves record only one unsuspicious activity in your IT environment
• Many policy violations can be detected from a single event or flow without correlation, such as unencrypted telnet traffic
  Also, an event from an IDS, IPS, or other security service can notify about an attack without further correlation
• If a rule fires for an event or flow, the CRE performs the actions and responses configured for the rule, such as these examples
  – Adding the event or flow to an offense
    · If the appropriate offense does not yet exist, it is created
  – Creating a new event
  – Adding an annotation
  – Sending an email
  – Generating system notifications
  Rule actions and responses are introduced later in this module

Building blocks
• Building blocks are the same as custom rules, but they do not have actions or responses
• Select Display > Building Blocks to display them

Building blocks and function tests


Custom rules and building blocks can use other custom rules and building blocks in function tests for the following purposes
• Combine custom rules and building blocks in complex tests
• Reuse existing test logic and information
• Improve efficiency, because the CRE executes a custom rule or building block only one time per event or flow regardless of how many custom rules and building blocks use it

Function tests
• For function tests, the CRE keeps track of matches to test conditions
• Most function tests use more than one test condition
• Function tests primarily serve the following two purposes
  – Monitoring frequency: Keep count of whether conditions become true as many times as a triggering value within a time frame
    · In the example, only if the first test evaluates to true is the function test evaluated and can increment its counters
    · If the first test evaluates to false, the function test is not evaluated and cannot increment its counters
  – Monitoring order: Monitor whether conditions become true in a certain sequence and time frame

• Under the Functions - Simple section, the Rule Test Stack Editor provides the following function test:
  when an event matches any of the following rules
  This is the only function test that does not require the CRE to keep track of an occurrence.
• Stateless tests operate only on the current event or flow.
• Stateful tests operate on the current event or flow, and on information from previous events and flows.

Partial match
• For function tests, the CRE maintains counters to track how many events or flows meet a condition in a time frame
• If an event or flow meets such a condition and a counter is incremented, but the custom rule does not fire, the event or flow records the custom rule under Custom Rules Partially Matched
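The following Python model is an added example, not course material or QRadar code. It covers the Function tests and Partial match slides: a stateless test guards a frequency function test, the function test keeps one counter per property value within a time frame, and an event that moves a counter without making the rule fire is tagged as partially matched. The rule, the field names (ts, category, username) and the login events are constructed for the example.

```python
"""Stateful function test with partial-match tagging.  Added example, not
QRadar code; the rule, field names and events are constructed."""
from collections import defaultdict, deque
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

MATCHED = "Custom Rules"
PARTIAL = "Custom Rules Partially Matched"


class FrequencyTest:
    """'when at least <threshold> events are seen with the same <key>
    in <window_s> seconds': the CRE keeps one counter per key value."""

    def __init__(self, key: str, threshold: int, window_s: int):
        self.key, self.threshold, self.window_s = key, threshold, window_s
        self.seen: Dict[object, deque] = defaultdict(deque)  # key value -> timestamps

    def evaluate(self, event: Event) -> bool:
        bucket = self.seen[event[self.key]]
        bucket.append(event["ts"])
        while bucket and event["ts"] - bucket[0] > self.window_s:
            bucket.popleft()  # forget matches that fell out of the time frame
        return len(bucket) >= self.threshold


class Rule:
    """A stateless test followed by one function test, like the slide example."""

    def __init__(self, name: str, stateless: Callable[[Event], bool],
                 function_test: FrequencyTest):
        self.name, self.stateless, self.function_test = name, stateless, function_test

    def evaluate(self, event: Event) -> Optional[str]:
        """Returns the tag the CRE records on the event for this rule."""
        if not self.stateless(event):
            return None  # function test never reached: counters untouched
        if self.function_test.evaluate(event):
            return MATCHED  # rule fires; actions and responses run
        return PARTIAL  # a counter moved but the rule did not fire


def run_demo(events: List[Event]) -> List[Optional[str]]:
    rule = Rule(
        "Login failures: 5 with the same user name in 10 minutes",
        stateless=lambda e: e["category"] == "Login Failure",
        function_test=FrequencyTest(key="username", threshold=5, window_s=600),
    )
    return [rule.evaluate(e) for e in events]


# Constructed sample events; ts is seconds from an arbitrary start
SAMPLE_EVENTS: List[Event] = [
    {"ts": 0,    "category": "Login Failure", "username": "alice"},
    {"ts": 30,   "category": "Login Failure", "username": "alice"},
    {"ts": 60,   "category": "Login Failure", "username": "bob"},
    {"ts": 90,   "category": "Login Success", "username": "alice"},
    {"ts": 120,  "category": "Login Failure", "username": "alice"},
    {"ts": 150,  "category": "Login Failure", "username": "alice"},
    {"ts": 180,  "category": "Login Failure", "username": "alice"},
    {"ts": 1200, "category": "Login Failure", "username": "alice"},
]

if __name__ == "__main__":
    for event, tag in zip(SAMPLE_EVENTS, run_demo(SAMPLE_EVENTS)):
        print(event["ts"], event["username"], event["category"], "->", tag)
```

The successful login at 90 seconds carries no tag at all because the stateless test stopped the rule before the counter was touched; alice's fifth failure fires the rule, and her failure at 1200 seconds is only a partial match again because the earlier matches have aged out of the 10-minute frame.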

Custom rule and building block types


• Each custom rule and building block falls into one of the following four rule types
  – Event
    · Tests only incoming events
    · Example test: when the user name matches the following regex
  – Flow
    · Tests only incoming flows
    · Example test: when the destination TCP flags are exactly these flags
  – Common
    · Tests incoming events and flows, but not offenses
    · Example test: when the source is located in this geographic location
  – Offense
    · Tests only offenses
    · Example test: when the number of categories involved in the offense is greater than

The type of a custom rule or building block is chosen during its creation and cannot be changed afterwards.
Lesson 3 Custom rule actions and responses


Like the if-then statement in programming languages, a custom rule executes actions and
responses if it evaluates to true. In this lesson, you learn about some of the available rule actions
and responses.

Rule actions
When a rule fires, QRadar SIEM executes its actions
• The CRE requests the Magistrate to add the tested event or flow to the offense
• If no offense exists yet that is indexed on the chosen Source IP index with an IP address value equal to the source IP address of the tested flow, the Magistrate creates such an offense
• The rule specifies the offense type
• A rule can change the magnitude of the event or flow
• Refer to the next slide for more information about the Magistrate and offense creation

Dropping an event or flow prevents the CRE from executing any further rules that have not already been executed. At this point, some of the rules that have already been executed might have fired, and the CRE has already executed or initiated their actions and responses.

Dropping an event or flow does not delete it. The event or flow is still stored and searchable; therefore, it shows up in search results and reports.

Based on the index, the Magistrate maintains offenses


• The Magistrate component of QRadar SIEM maintains all offenses and determines whether to add an event or flow to an existing offense or to create a new offense
• The Magistrate assumes that rules firing for the same index property and property value relate to the same security issue; therefore, the Magistrate maintains only one active offense indexed on the same property and property value at any given time
  Example: A rule fires and requests that the Magistrate add the event or flow to an offense indexed on source IP address 192.168.10.10
  – If such an offense already exists, the Magistrate adds the event or flow to it
  – If such an offense does not exist, the Magistrate creates an offense indexed on the source IP address 192.168.10.10, and adds the event or flow to it
• A rule should index its offense on the key property in its tests; for example, the Username property is the appropriate index for a rule that tests for 5 login failures with the same user name
• More than one rule can fire for an event or flow
  – For rules firing with the same index property and property value, the Magistrate adds the event or flow to the same offense; therefore, more than one rule can add events and flows to one single offense
  – For each rule firing with a different index property or property value, the Magistrate adds the event or flow to a separate offense

• To identify an offense uniquely, the Magistrate requires both the property and its value. The value alone is not enough. For example, an offense can be indexed on the source IP address 192.168.10.10, and another offense can be indexed on the same IP address 192.168.10.10, but as the destination IP address. This happens when a compromised machine attacks other targets. QRadar SIEM chains such offenses.
• The difference between the CRE and the Magistrate is as follows:
  – The CRE tests events and flows. It tags each event and flow with each custom rule and building block that fires for it, regardless of the Rule Action and Rule Response.
  – The Magistrate maintains offenses. It adds events and flows to offenses if told to do so by the Rule Action and Rule Response. The Magistrate runs only on the Console.
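The following Python model is an added example, not course material or QRadar code. It models the index-based bookkeeping described on this slide: one active offense per (index property, property value), several rules feeding the same offense, a separate offense when the same value appears under a different property, and a new offense once the old one is closed. The rule names, the index each rule uses, the events and the related() lookup are assumptions made for the example.

```python
"""Offense indexing in the Magistrate.  Added example, not QRadar code; the
rule names, index choices, events and the related() lookup are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]
IndexKey = Tuple[str, str]  # (index property, property value)


@dataclass
class Offense:
    id: int
    index_property: str
    index_value: str
    active: bool = True
    rules: Set[str] = field(default_factory=set)
    events: List[Event] = field(default_factory=list)


class Magistrate:
    """Keeps at most one active offense per (property, value) index."""

    def __init__(self) -> None:
        self.offenses: List[Offense] = []
        self._active: Dict[IndexKey, Offense] = {}

    def add_to_offense(self, rule: str, index_property: str, event: Event) -> Offense:
        key = (index_property, event[index_property])
        offense = self._active.get(key)
        if offense is None:  # no active offense on this index yet: create one
            offense = Offense(len(self.offenses) + 1, *key)
            self.offenses.append(offense)
            self._active[key] = offense
        offense.rules.add(rule)  # several rules can feed one offense
        if event not in offense.events:
            offense.events.append(event)
        return offense

    def close(self, offense: Offense) -> None:
        """Once closed, the next hit on the same index opens a new offense."""
        offense.active = False
        self._active.pop((offense.index_property, offense.index_value), None)

    def related(self, value: str) -> List[Offense]:
        """Offenses indexed on the same value under different properties, for
        example a host that is the target of one offense and the attacker in
        another (QRadar chains such offenses)."""
        return [o for o in self.offenses if o.index_value == value]


# Hypothetical rule actions: (rule name, offense index property, rule test)
RULE_ACTIONS: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("Scanner: many targets", "source_ip",
     lambda e: e["category"] == "Scan"),
    ("Recon: scan from local host", "source_ip",
     lambda e: e["category"] == "Scan" and e["source_ip"].startswith("192.168.")),
    ("Target: repeated exploit", "destination_ip",
     lambda e: e["category"] == "Exploit"),
]

SAMPLE_EVENTS: List[Event] = [  # constructed
    {"category": "Scan",    "source_ip": "192.168.10.10", "destination_ip": "10.0.0.5"},
    {"category": "Exploit", "source_ip": "192.168.10.10", "destination_ip": "10.0.0.5"},
    {"category": "Scan",    "source_ip": "192.168.10.10", "destination_ip": "10.0.0.6"},
    {"category": "Scan",    "source_ip": "10.0.0.5",      "destination_ip": "10.0.0.9"},
]


def run_demo(events: List[Event]) -> Magistrate:
    magistrate = Magistrate()
    for event in events:
        for rule, index_property, test in RULE_ACTIONS:
            if test(event):  # the CRE fired and asks the Magistrate to file the event
                magistrate.add_to_offense(rule, index_property, event)
    return magistrate
```

Running run_demo(SAMPLE_EVENTS) yields three offenses: both scan rules feed offense 1 (source IP 192.168.10.10), the exploit rule opens offense 2 (destination IP 10.0.0.5), and the scan from 10.0.0.5 opens offense 3 rather than joining offense 2, because the property differs even though the value is the same.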

Rule response

• The CRE requests the Magistrate to create an offense if an offense with the same property chosen as index and the same property value as the tested flow does not already exist
• The rule requests the CRE to create a new event for these purposes:
  – Name the offense appropriately
  – Simplify searching and reporting on the detected indicator
• The Magistrate adds the new event to the existing or newly created offense

• The Custom Rule Engine (CRE) is the log source of the new event, because the CRE creates all events that are triggered by custom rules.
• The user interface often refers to the name of an offense as the description.

Rule response (continued)

• Send email to addresses
• Limit how often the CRE executes the configured rule responses (Response Limiter)

• Each CRE in a QRadar SIEM deployment maintains the counter and time frame separately. Therefore, you can, for example, receive more emails than the configured limit if a rule fires on separate CREs.
• The Response Limiter configuration limits every option under Rule Response, including the frequency of dispatched or forwarded events.

Adding and removing property values to and from reference sets


• A Reference Set is a collection of unique values, such as a watchlist of IP addresses, that can be looked up
• Click the reference set link on the slide to manage reference sets
• Rule response: Add property value to reference set
• Rule response: Remove property value from reference set
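The following Python model is an added example, not course material or QRadar code. It shows why the two reference set responses matter for detection: one rule adds a scanning source IP to a watchlist set, a second rule tests later events against that set, and a third rule removes the host again. The rule names, the reference set name, the event categories and the sample events are constructed for the example, and the order in which tests and responses run is simplified.

```python
"""Reference sets as shared state between rules.  Added example, not QRadar
code; the rule names, reference set name and events are constructed."""
from typing import Callable, Dict, List, Set

Event = Dict[str, str]


class ReferenceSet:
    """A named collection of unique values that rules can add to, remove
    from and look up."""

    def __init__(self, name: str):
        self.name = name
        self.values: Set[str] = set()

    def add(self, value: str) -> None:
        self.values.add(value)

    def remove(self, value: str) -> None:
        self.values.discard(value)

    def contains(self, value: str) -> bool:
        return value in self.values


class Rule:
    def __init__(self, name: str, test: Callable[[Event], bool],
                 response: Callable[[Event], None] = lambda e: None):
        self.name, self.test, self.response = name, test, response


def build_rules(scanners: ReferenceSet) -> List[Rule]:
    return [
        # Response: add the scanning host to the watchlist
        Rule("Recon: port scan detected",
             lambda e: e["category"] == "Port Scan",
             lambda e: scanners.add(e["source_ip"])),
        # Test: a later, otherwise benign login from a watchlisted host
        Rule("Login from recent scanner",
             lambda e: e["category"] == "Login Success"
             and scanners.contains(e["source_ip"])),
        # Response: drop the host from the watchlist once it is cleaned
        Rule("Host remediated",
             lambda e: e["category"] == "Host Remediated",
             lambda e: scanners.remove(e["source_ip"])),
    ]


def run_demo(events: List[Event]) -> List[List[str]]:
    """Returns, per event, the names of the rules that fired for it."""
    scanners = ReferenceSet("Recent Scanners")
    rules = build_rules(scanners)
    fired_per_event = []
    for event in events:
        fired = [r.name for r in rules if r.test(event)]  # CRE evaluates tests
        for r in rules:  # responses run after the evaluation of the event
            if r.name in fired:
                r.response(event)
        fired_per_event.append(fired)
    return fired_per_event


SAMPLE_EVENTS: List[Event] = [  # constructed
    {"category": "Port Scan",       "source_ip": "203.0.113.7"},
    {"category": "Login Success",   "source_ip": "203.0.113.7"},
    {"category": "Login Success",   "source_ip": "198.51.100.2"},
    {"category": "Host Remediated", "source_ip": "203.0.113.7"},
    {"category": "Login Success",   "source_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, run_demo(SAMPLE_EVENTS)):
        print(event["category"], event["source_ip"], "->", fired)
```

The second login from 203.0.113.7 fires nothing because the remediation event removed the address from the set in between; a login from an address that never scanned is ignored throughout.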
Lesson 4 Using rules as search parameters


The custom rules engine tags each offense with the rules that added an event or flow to it. The custom rules engine also tags each event and flow with the custom rules and building blocks that fired for it. In this lesson, you learn how to search for tagged offenses, events, and flows.

Searching offenses by contributing rules


Find all offenses to which the selected rule has contributed an event or flow

The drop-down list can contain building blocks and custom rules that are not configured to contribute an event or flow to an offense. Searching for those does not find any offenses, because this search only finds offenses for which the selected rule contributed an event or flow.

Searching events and flows


Find all events and flows for which the selected rules have fired

Disabled custom rules and unused building blocks


• The CRE evaluates a custom rule only if it is enabled
• The CRE evaluates a building block only if at least one test of an enabled custom rule uses it
• If you search for events or flows for which a disabled custom rule or an unused building block has fired, the search does not find any
• To make the CRE evaluate a custom rule, enable it
• Add any unused building blocks required by searches used in report templates to the Load Basic Building Blocks custom rule

The following information pertains to the Load Basic Building Blocks rule:
• It does not have any actions or responses.
• It already contains many building blocks, because many predefined report templates rely on saved searches that filter on matching custom rules and building blocks.
• It is of type event. Therefore, you can add building blocks of types event and common, but not building blocks of type flow.
• The CRE evaluates its building blocks of type common on both events and flows.
Lesson 5 Anomaly detection rules


Anomaly detection rules alert you to deviations from recorded past activity. This lesson introduces the differences from custom rules and the purposes of the three types of anomaly detection rules.

References:
1. QRadar: An Example of How an Anomaly Rule Triggers Over Time technote http://www.ibm.com/support/docview.wss?uid=swg21903306

About anomaly detection rules


• An anomaly detection rule tests the results of a saved event or flow search to detect deviations from usual activity patterns
• The saved search needs to be grouped and needs to have capturing of time series data enabled
• The Anomaly Detection Engine (ADE) executes the anomaly detection rules
• An anomaly detection rule only tags the event that it creates as a rule response, but not the event or flow that triggered it; this has two implications
  – It is not possible to search and report on the events and flows that triggered an anomaly detection rule
  – In the Rule Wizard, an anomaly detection rule has only a Rule Response but not a Rule Action, because a Rule Action only works on the triggering event or flow
• Typically, anomaly detection rules monitor over longer time spans than custom rules

Like CRE instances, ADE instances run on the Console appliance and on each event and flow processor appliance.

Navigating to anomaly detection rules


• QRadar SIEM displays both anomaly detection rules and custom rules under Rules on the Offenses tab
• Three types of anomaly detection rules are available: threshold, anomaly, and behavioral

Rule groups can contain custom rules and anomaly detection rules. The predefined rule group with the name Anomaly is not restricted to anomaly detection rules.

Threshold rules
Test whether a property value surpasses an upper or lower boundary

Slide chart: property value over time; the rule triggers where the value crosses the threshold

Anomaly rules
Test whether the average property value during the current short time range deviates from the baseline average over a longer time range by more than the configured percentage

Slide chart: average over the short period compared with the average over the long period; the rule triggers where the short-period average deviates beyond the configured percentage

Refer to the QRadar: An Example of How an Anomaly Rule Triggers Over Time technote (http://www.ibm.com/support/docview.wss?uid=swg21903306) for more information.

Behavioral rules
• Test whether current property values deviate from seasonal patterns
• A behavioral rule learns the rate or volume of a property value over the configured time to establish a baseline

Slide chart: property value over several weeks (M T W T F S S repeating); the rule triggers where the value departs from the learned weekly pattern
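The following Python functions are an added example, not course material and not the ADE's implementation. They are simplified models of the three rule types on the Threshold rules, Anomaly rules and Behavioral rules slides, run over one constructed series of daily event counts (Monday first, quiet weekends) so that the difference between the types becomes visible: the anomaly rule, which only compares a short average with a longer one, fires on every normal weekend dip, whereas the behavioral rule, which learned the weekly season, fires only on the two real deviations. The window lengths, percentages and the series are assumptions made for the example.

```python
"""Threshold, anomaly and behavioral detection over one time series.
Added example, not the ADE's implementation: the three functions are
simplified models of the rule types described on the slides, and the
series is constructed (daily event counts, Monday first)."""
from statistics import mean
from typing import List, Optional


def threshold_rule(series: List[float], upper: Optional[float] = None,
                   lower: Optional[float] = None) -> List[int]:
    """Fires wherever a value surpasses the upper or lower boundary."""
    return [i for i, v in enumerate(series)
            if (upper is not None and v > upper) or (lower is not None and v < lower)]


def anomaly_rule(series: List[float], short: int, long: int, pct: float) -> List[int]:
    """Fires when the average over the last `short` points deviates by more
    than `pct` percent from the average over the last `long` points."""
    hits = []
    for i in range(long - 1, len(series)):
        baseline = mean(series[i - long + 1: i + 1])
        recent = mean(series[i - short + 1: i + 1])
        if baseline > 0 and abs(recent - baseline) / baseline * 100 > pct:
            hits.append(i)
    return hits


def behavioral_rule(series: List[float], season: int, learn_seasons: int,
                    pct: float) -> List[int]:
    """Learns the value at the same position in the previous `learn_seasons`
    seasons and fires when the current value deviates from that baseline."""
    hits = []
    for i in range(season * learn_seasons, len(series)):
        history = [series[i - k * season] for k in range(1, learn_seasons + 1)]
        baseline = mean(history)
        if baseline > 0 and abs(series[i] - baseline) / baseline * 100 > pct:
            hits.append(i)
    return hits


WEEK = [100, 100, 100, 100, 100, 20, 20]  # Mon..Sun, quiet weekends (constructed)
SERIES = WEEK * 3 + [180, 100, 100, 100, 100, 95, 20]  # week 4: Monday and Saturday spikes

if __name__ == "__main__":
    print("threshold  :", threshold_rule(SERIES, upper=150))
    print("anomaly    :", anomaly_rule(SERIES, short=1, long=7, pct=50))
    print("behavioral :", behavioral_rule(SERIES, season=7, learn_seasons=3, pct=50))
```

The threshold rule fires only on day 21 (180 is above 150); the anomaly rule fires on day 21 and day 27 but also on every ordinary weekend day, because a weekend value is more than 50 percent below the trailing weekly average; the behavioral rule fires on day 21 and on day 26, where a Saturday count of 95 departs from the learned Saturday baseline of 20.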

Exercise introduction
Complete the following exercises in the Course Exercises book
• Create an event rule
• Analyze the rule that contributed to the Local DNS Scanner offense
• Work with rule parameters
• Delete changes made to a rule
• Search for a rule

Summary
Now you should be able to perform the following tasks:
• Navigate rules and rule groups
• Locate the rules that fired for an event or flow, and triggered an offense
• Investigate which test conditions caused a rule to fire
• Investigate building blocks and function tests
• Examine rule actions and responses
• Use rules in searches
• Examine for which indicators anomaly detection rules can fire

Unit 9 Using the Network Hierarchy


The Network Hierarchy reflects your environment from a security perspective. This unit teaches you the significance of the Network Hierarchy and the many ways that QRadar SIEM uses and displays its information.

Objectives
In this unit, you learn to perform the following tasks:
• Locate and explain the structure of the Network Hierarchy
• Use networks in investigations
• Use Flow Bias and Direction in investigations
• Use the Network Hierarchy in rules

Lesson 1 Network Hierarchy overview


The network information that QRadar SIEM displays and uses is configured in the Network Hierarchy. This lesson introduces you to the Network Hierarchy, including its tree structure.

Purpose of the Network Hierarchy

• QRadar SIEM displays and uses network information, such as
  – Whether an IP address is in the DMZ
  – Network connections initiated from an IP address belonging to your organization
  – The subnet storing and processing customer data that is the target of more offenses than any other subnet
• QRadar SIEM draws such network information from the Network Hierarchy
• QRadar SIEM considers every IP address that is part of a network configured in the Network Hierarchy as local to your organization's network
• QRadar SIEM considers any other IP address as remote
• Many rules, searches, and reports use the Network Hierarchy

Navigating to the Network Hierarchy


Click the Network Hierarchy icon on the Admin tab to open the Network Hierarchy

Predefined Network Hierarchy


• A newly installed QRadar SIEM comes with some network objects predefined that are used by predefined rules, searches, and reports
• The Network Hierarchy comes preconfigured with the IP address ranges reserved for private use, because they cannot be routed through the public internet and therefore can only be local

Crown jewels
• Many organizations specify their crown jewels in the Network Hierarchy, monitor them more granularly for indicators, and run specific searches and reports on them
• The term crown jewels refers to the hosts that store and process the data most critical to an organization's mission
• Crown jewels handle the following kinds of data:
  – Customer
  – Employee
  – Financial
  – Intellectual property

Tree structure
• If an IP address is part of a CIDR range of a network object, QRadar SIEM tags the IP address with this network object and its groups
  – Parent nodes are called groups; they cannot have CIDR ranges configured
  – Leaf nodes are called network objects; they represent one or more CIDR ranges
• If an IP address matches more than one network object, QRadar SIEM tags the IP address with the network object with the smallest IP range

CIDR ranges
• The CIDR ranges do not need to match the tree structure
• A CIDR range of a network object can include a CIDR range of another network object regardless of its location in the hierarchy
• The primary purpose of the hierarchy is to provide a structure for CIDR ranges that rules, searches, and reports can use

About the Network Hierarchy


• The Network Hierarchy structures your network according to security policies, requirements, and concerns
• The Network Hierarchy does not need to reflect your technical network layout
• Usually, the names of groups and network objects reflect purpose, department, and location, because these determine security requirements
• QRadar SIEM's Asset Profiler creates and updates asset profiles only for IP addresses that are part of any of the CIDR ranges in the Network Hierarchy
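The following Python model is an added example, not course material or QRadar code. It implements the lookup rules from the Tree structure, CIDR ranges and About the Network Hierarchy slides: an address is tagged with the groups and network object whose CIDR contains it, the network object with the smallest range wins when several match even if it sits elsewhere in the tree, anything outside every CIDR is remote, and the local/remote verdicts combine into the flow context (L2L, L2R, R2L, R2R) that rules such as the Local to Local test use. The hierarchy below is constructed: the Net-10-172-192 objects mirror the private ranges QRadar ships with, and CrownJewels and DMZ are hypothetical.

```python
"""Network Hierarchy lookup: CIDR matching, smallest range wins, local
versus remote and flow context.  Added example, not QRadar code; the
hierarchy is constructed (CrownJewels and DMZ are hypothetical)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkObject:
    path: str               # groups and leaf name, dot separated, e.g. "A.B.Leaf"
    cidrs: Tuple[str, ...]  # one or more CIDR ranges of the leaf


class NetworkHierarchy:
    def __init__(self, objects: List[NetworkObject]):
        self._entries = [(ipaddress.ip_network(c, strict=False), obj)
                         for obj in objects for c in obj.cidrs]

    def lookup(self, ip: str) -> Optional[NetworkObject]:
        """The matching network object with the smallest IP range, or None."""
        addr = ipaddress.ip_address(ip)
        matches = [(net, obj) for net, obj in self._entries if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix

    def tags(self, ip: str) -> List[str]:
        """Groups plus network object QRadar would tag the address with."""
        obj = self.lookup(ip)
        return obj.path.split(".") if obj else []

    def is_local(self, ip: str) -> bool:
        return self.lookup(ip) is not None

    def flow_context(self, src: str, dst: str) -> str:
        """L2L, L2R, R2L or R2R, as used by the Local to Local style tests."""
        def side(ip: str) -> str:
            return "L" if self.is_local(ip) else "R"
        return f"{side(src)}2{side(dst)}"


DEMO_HIERARCHY = NetworkHierarchy([
    NetworkObject("Net-10-172-192.Net_10_0_0_0", ("10.0.0.0/8",)),
    NetworkObject("Net-10-172-192.Net_172_16_0_0", ("172.16.0.0/12",)),
    NetworkObject("Net-10-172-192.Net_192_168_0_0", ("192.168.0.0/16",)),
    # Placed elsewhere in the tree, yet its CIDRs sit inside 10.0.0.0/8
    NetworkObject("CrownJewels.CustomerDB", ("10.20.30.0/24", "10.20.31.0/24")),
    NetworkObject("DMZ.WebServers", ("203.0.113.0/24",)),
])

if __name__ == "__main__":
    for ip in ("10.20.30.5", "10.9.9.9", "203.0.113.10", "8.8.8.8"):
        print(ip, "local" if DEMO_HIERARCHY.is_local(ip) else "remote",
              DEMO_HIERARCHY.tags(ip))
    print(DEMO_HIERARCHY.flow_context("10.20.30.5", "8.8.8.8"))
```

10.20.30.5 is tagged CrownJewels > CustomerDB rather than Net_10_0_0_0 because the /24 is the smaller range, while 10.9.9.9 falls back to the /8; 8.8.8.8 matches nothing and is therefore remote, so a flow from the database host to it has the context L2R.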
Lesson 2 Using networks in investigations


The Network Hierarchy is often beneficial to security-related analysis, including offense investigation. In this lesson, you learn how to locate and use network information.

Network of an IP address
• Hover the mouse over an IP address to learn its groups and network object
• The remainder of this module refers to both groups and network objects as networks

Filtering by network
• You can use networks in many ways for investigations, for example for filtering
• If you select a group, QRadar SIEM filters for all CIDR ranges of the group's descendants

Grouping by network
Slide screenshots: grouping by network on the Log Activity tab and on the Network Activity tab

Offenses overview by network
Survey your threat landscape from the perspective of your networks

Slide screenshot callouts:
• Number of offenses with one or more targets in the network
• Number of offenses with one or more attackers in the network
• The network named other includes all IP addresses that are not part of a network configured in the Network Hierarchy

Networks of Source and Destination IP addresses in Offense Summary

The Offense Summary enriches local Source and Destination IP addresses with network information from the Network Hierarchy

Networks in the Offense Summary

Investigate the networks that an offense targets

Lesson 3 Using Flow Bias and Direction in Investigations

Most importantly, the Network Hierarchy defines which IP addresses are local, that is, which belong to your organization. In this lesson, you learn how QRadar SIEM uses this information to determine the Flow Bias and Direction of traffic, both of which can hint at suspicious activity.

Flow Bias
• A flow records characteristics of the network activity that it represents, including its Flow Bias
• The bias of a flow marks the ratio between bytes leaving from and arriving at your organization's perimeter
• QRadar SIEM uses the Network Hierarchy to determine whether bytes transfer inbound or outbound

Flow Bias (continued)

QRadar SIEM distinguishes between the following flow biases
ƒ Out only: Unidirectional outbound
This bias indicates outbound connection attempts that are being blocked by a firewall, such as beaconing attempts by malware to its command-and-control (C&C) servers
ƒ In only: Unidirectional inbound
This bias indicates inbound connection attempts that are being blocked by a firewall, or a port scan of a publicly reachable IP address of your organization
ƒ Mostly out: 70% to 99% of bytes outbound
This bias indicates data leaving your organization. Only your publicly reachable servers should have many flows with this bias; an end-user machine with many such flows deserves a closer look
ƒ Mostly in: 70% to 99% of bytes inbound
This bias is typical for end-user machines
ƒ Near same: inbound-outbound byte ratio between 31% and 69%
This bias is typical for VOIP, chat, and SSH
ƒ Other
This bias usually indicates traffic between local machines. It can also indicate traffic between two remote machines, which either points to a misconfiguration of the organization's network or tells you that a local network is missing in the Network Hierarchy

Flow Direction

• For the network activity that a flow represents, the Flow Direction indicates
ƒ Whether the network activity has been initiated from inside or outside your organization's network perimeter
ƒ Whether a host inside or outside your organization's network perimeter is the destination of the network activity
• The Flow Direction takes the following values
ƒ L2L: Traffic from a local network to another local network
ƒ L2R: Traffic from a local network to a remote network
ƒ R2L: Traffic from a remote network to a local network
ƒ R2R: Traffic from a remote network to another remote network
Usually R2R indicates a network misconfiguration or a local network missing in the Network Hierarchy

Flow Bias and Direction difference

• The difference between Flow Direction and Flow Bias is as follows
ƒ Flow Bias marks the ratio between bytes leaving from and arriving at your organization's perimeter, regardless of where the network activity has been initiated
ƒ Flow Direction indicates whether source and destination are located inside or outside your organization's network perimeter, regardless of the number of bytes transferred in each direction
• Events cannot have the equivalent of a Flow Bias, but events have a Direction
The Source and Destination IP addresses of an event determine its Direction in the same way as for flows
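The following Python sketch is an added example, not IBM code and not how QRadar SIEM implements these lookups internally. It ties together Lesson 2 (an IP address resolves to its most specific network object; filtering on a group expands to the CIDR ranges of all its descendants; addresses outside the hierarchy fall into "other") and this lesson (Direction is derived purely from whether source and destination are local; Bias is derived from the byte counts of the two sides, which only have an inbound/outbound meaning for L2R and R2L traffic). The Network Hierarchy, its group and object names, and the flows are constructed for the example; the exact handling of the 30% and 70% band edges is an assumption where the slide leaves a gap.

```python
import ipaddress

# Constructed sample Network Hierarchy for this example (an assumption, not a
# real deployment). A dotted name encodes the path "<group>.<network object>";
# the group names mimic QRadar's default-style naming, the CIDRs are RFC 1918
# and documentation ranges.
NETWORK_OBJECTS = [
    ("Net-10-172-192.Net_10_0_0_0", "10.0.0.0/8"),
    ("Net-10-172-192.Net_172_16_0_0", "172.16.0.0/12"),
    ("Net-10-172-192.Net_192_168_0_0", "192.168.0.0/16"),
    ("DMZ.WebServers", "203.0.113.0/26"),
    ("DMZ.Mail", "203.0.113.64/26"),
]
OBJECTS = [(name, ipaddress.ip_network(cidr)) for name, cidr in NETWORK_OBJECTS]


def network_of(ip):
    """Most specific network object containing ip; 'other' when nothing matches."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in OBJECTS
               if addr.version == net.version and addr in net]
    return max(matches)[1] if matches else "other"


def descendant_cidrs(selection):
    """CIDR ranges a filter on a group (or on a single object) expands to."""
    return [str(net) for name, net in OBJECTS
            if name == selection or name.startswith(selection + ".")]


def is_local(ip):
    """Local means: covered by some network object in the hierarchy."""
    return network_of(ip) != "other"


def direction(src, dst):
    """L2L, L2R, R2L or R2R, from the Network Hierarchy alone (no byte counts)."""
    return f"{'L' if is_local(src) else 'R'}2{'L' if is_local(dst) else 'R'}"


OUT_ONLY, IN_ONLY, MOSTLY_OUT, MOSTLY_IN, NEAR_SAME, OTHER = (
    "Out only", "In only", "Mostly out", "Mostly in", "Near same", "Other")


def flow_bias(src, dst, src_bytes, dst_bytes):
    """Classify a flow's bias from the bytes each side sent.

    Only L2R and R2L flows cross the perimeter, so only they have outbound and
    inbound byte counts; L2L and R2R flows are 'Other'. Treating exactly 30%
    and 70% as 'mostly' is an assumption (the slide gives 70-99% and 31-69%).
    """
    d = direction(src, dst)
    if d == "L2R":
        outbound, inbound = src_bytes, dst_bytes
    elif d == "R2L":
        outbound, inbound = dst_bytes, src_bytes
    else:
        return OTHER
    total = outbound + inbound
    if total == 0:
        return OTHER
    out_pct = 100.0 * outbound / total
    if out_pct == 100.0:
        return OUT_ONLY
    if out_pct == 0.0:
        return IN_ONLY
    if out_pct >= 70.0:
        return MOSTLY_OUT
    if out_pct <= 30.0:
        return MOSTLY_IN
    return NEAR_SAME


if __name__ == "__main__":
    # Constructed flows: (source, destination, source bytes, destination bytes)
    flows = [
        ("10.1.2.3", "198.51.100.7", 4200, 0),          # beacon blocked at the firewall
        ("198.51.100.7", "203.0.113.10", 60, 0),         # port probe against the DMZ
        ("10.1.2.3", "198.51.100.7", 800, 65000),        # user downloading
        ("10.1.2.3", "198.51.100.7", 9000000, 1200),     # workstation pushing data out
        ("10.1.2.3", "10.5.5.5", 100, 100),              # local to local
        ("198.51.100.7", "198.51.100.8", 100, 100),      # remote to remote: hierarchy gap?
    ]
    for src, dst, sb, db in flows:
        print(f"{src:>14} -> {dst:<14} {direction(src, dst)}  {flow_bias(src, dst, sb, db)}")
```

The fourth sample flow is the case the slide warns about: a "Mostly out" flow from an address in an end-user range rather than from a publicly reachable server. The last one shows why R2R is worth a rule of its own: traffic between two addresses that are both "other" usually means a local range was never added to the hierarchy.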

Lesson 4 Using the Network Hierarchy in rules

Network information is crucial to detect indicators of compromise and concern. In this lesson, you
learn how rules and building blocks can use the Network Hierarchy, and how they can tag events
and flows based on CIDR ranges.

Rule test conditions

Rules can perform the following tests
• IP address belongs to network
• Flow Bias
ƒ Only available for rules of type Flow
• Context
ƒ The Event and Flow Direction are equivalent to the Context

Tagging by custom rules and building blocks

• Custom rules and building blocks can tag by CIDR range, too
• While the Network Hierarchy tags IP addresses, custom rules and building blocks tag events and flows

Exercise introduction
Complete the following exercises in the Course Exercises book
• Create a network object
• View network objects in flows

Summary
Now you should be able to perform the following tasks:
• Locate and explain the structure of the Network Hierarchy
• Use networks in investigations
• Use Flow Bias and Direction in investigations
• Use the Network Hierarchy in rules

Unit 10 Index and Aggregated Data Management

Searches leverage indexes and data aggregation. This unit teaches you about indexes and
aggregated data.

Objectives
In this unit, you learn to perform the following tasks:
• Use the Index Management administration tool to enable, disable, and configure an index
• Use the Aggregated Data Management administration tool to see Aggregated Data View statistics and manage the data that QRadar SIEM accumulates
• Use the information provided by the Aggregated Data Management tool in combination with Index Management to optimize search and rule performance

Lesson 1 Using the Index Management tool

Indexes can significantly reduce the run time of searches at the expense of storage space. In this lesson, you learn how to manage indexes.

Instructor demonstration of the Index management tool


Index Management tool

Use the Index Management tool to analyze the effectiveness of indexes and the need for extra indexes
• Enable or disable indexes, or search for an index in the display context
• Define a display context based on the time window, status, or type

Index information
• You can search for indexes by name using the query window
• Use the Quick Filter property to create indexes for free-text payload searches
• By default, index information is updated every hour
• Properties that already include an index display a green bullet icon; to enable an index for a property, right-click the property and select Enable Index
• % of Searches fields
ƒ Using Property: Indicates how many executed searches use the property
ƒ Hitting Index: Indicates how many executed searches benefit from the property index
ƒ Missing Index: Indicates how many executed searches might benefit if the property was indexed
• Benchmark numbers are generated every hour and are combined in wider views
Lesson 2 Using the Aggregated Data Management tool

Time-series charts and reports use aggregated data. In this lesson, you learn how to manage
aggregated data.

Instructor demonstration of the Aggregated data management tool

Aggregated Data Management tool

• Use the Aggregated Data Management tool to analyze the organization of data used for Aggregated Data Views
• Aggregated Data Views contain accumulated data that is used by the saved searches that include a Group By column clause

Enable or disable a view

• By default, every aggregated data view is enabled after it is created
• When you disable a view, searches no longer use the aggregated data
• Disabled views can be enabled again
• When you enable or disable a view, a list of the searches, reports, ADE rules, and Time Series that depend on the view is displayed

Aggregated view of report data

Aggregated data views in reports display the following information
• Which aggregated data views are used in which reports
• Charts in the reports that use the aggregated data view
• Searches that generate the aggregated data view
• How often the view was triggered
• Disk space used by the view in the event database
• Whether unique count is enabled for the search; views with unique count enabled require more disk space

Aggregated view of time series data

• When displaying Time Series data, the result shows aggregated data that includes captured time series data
• The Time Series view displays the accumulated field or fields used by the search
• Example: the saved search Event Category Distribution accumulates across two properties: count and SUM eventCount

Aggregated view of ADE rules data

Anomaly Detection Engine (ADE) rules use aggregated data, and this view shows which aggregated data view is used by each ADE rule
This view displays the aggregated data views by ID and how often each view is referenced and was triggered

Lesson 3 Gathering index statistics

Statistics about the use and resource consumption of indexes help you decide whether to enable or
disable them. In this lesson, you learn how to locate index statistics.

Instructor demonstration of gathering index statistics

Creating a custom event property and using it in a search

• The Logon Type property captures the Windows Logon Type value in authentication events
• This property is used in the search to filter authentication events that relate to console or network logon attempts (values 2 or 3) on Windows hosts
• RegEx: Logon Type: (\d+)
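As an added example (not IBM code, and not how QRadar SIEM evaluates custom event properties internally), the following Python applies the slide's regular expression to constructed Windows Security event payloads and then applies the search filter for logon types 2 and 3. It also shows the check a practitioner should run before enabling an index on a new custom property: a regex that matches the label as it appears in the documentation may silently miss payloads where the log source separates label and value with tabs, so the extraction is tested against the payloads as received. The payloads are constructed and abbreviated; the tolerant `\s*` variant is an assumption, not part of the slide.

```python
import re

# Regular expression from the slide: the single capture group is the value
# that the custom event property extracts.
LOGON_TYPE_RE = re.compile(r"Logon Type: (\d+)")

# Widened variant (an assumption, not from the slide): some log sources deliver
# the Windows message text with tabs or several spaces after the label.
LOGON_TYPE_TOLERANT_RE = re.compile(r"Logon Type:\s*(\d+)")

# Logon types of interest per the slide: 2 = Interactive (console), 3 = Network.
CONSOLE_OR_NETWORK = {2, 3}

# Constructed sample payloads (abbreviated, not real logs). Three use the
# "Logon Type: N" form the slide regex expects, one is tab-separated, and one
# carries no Logon Type at all.
SAMPLE_PAYLOADS = [
    "EventID=4624 An account was successfully logged on. Logon Type: 2 "
    "Account Name: alice Workstation Name: WS01",
    "EventID=4624 An account was successfully logged on. Logon Type: 3 "
    "Account Name: svc_backup Source Network Address: 10.1.2.3",
    "EventID=4624 An account was successfully logged on. Logon Type: 10 "
    "Account Name: bob Source Network Address: 10.9.9.9",
    "EventID=4625 An account failed to log on. Logon Type:\t\t3 "
    "Account Name: admin Source Network Address: 198.51.100.7",
    "EventID=4672 Special privileges assigned to new logon. Account Name: alice",
]


def extract_logon_type(payload, pattern=LOGON_TYPE_RE):
    """Return the Logon Type as an int, or None when the pattern does not match."""
    m = pattern.search(payload)
    return int(m.group(1)) if m else None


def console_or_network_logons(payloads, pattern=LOGON_TYPE_RE):
    """The search filter from the slide: keep events whose Logon Type is 2 or 3."""
    return [p for p in payloads if extract_logon_type(p, pattern) in CONSOLE_OR_NETWORK]


def coverage(payloads, pattern):
    """Number of payloads the pattern extracts a value from: a cheap regex sanity check."""
    return sum(extract_logon_type(p, pattern) is not None for p in payloads)


if __name__ == "__main__":
    for name, pattern in (("slide regex", LOGON_TYPE_RE),
                          ("tolerant regex", LOGON_TYPE_TOLERANT_RE)):
        hits = console_or_network_logons(SAMPLE_PAYLOADS, pattern)
        print(f"{name}: extracts from {coverage(SAMPLE_PAYLOADS, pattern)} of "
              f"{len(SAMPLE_PAYLOADS)} payloads, {len(hits)} console/network logons")
```

The failed admin logon (4625, tab-separated) is exactly the event a search on this property should not lose; with the slide regex it contributes no value and therefore never matches the filter, and no amount of indexing fixes that. Validate the regex against real payloads from the log source before relying on the property in searches and rules.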

Analyze the Search and Index metrics

• Run a search, check the Current Statistics, and ask the system to provide more details so you can view the data comprehensively
• Pay attention to the number of Data Files searched, Index Files searched, and how many results are returned
• Check Index Management for the % of Searches performed that missed the index for the property
• In this example, the Logon Type property was missed by almost 80% of all searches that used it; after an index is enabled for the property, searches that use it can start using the index

Exercise introduction
Complete the following exercises in the Course Exercises book
• Manage indexes

Unit summary
• Use the Index Management administration tool to enable, disable, and configure an index
• Use the Aggregated Data Management administration tool to see Aggregated Data View statistics and manage the data that QRadar SIEM accumulates
• Use the information provided by the Aggregated Data Management tool in combination with Index Management to optimize search and rule performance

Unit 11 Using Dashboards

QRadar SIEM displays the Dashboard tab after you have signed in. Items on a dashboard display information about activities in your network. The items enable you to focus on specific areas of interest. You can customize and add new items and dashboards. This unit teaches you how to navigate and customize the Dashboard tab.


Objectives
In this unit, you learn to perform the following tasks:
• Navigate the Dashboard tab
• Customize dashboard items
• Utilize time-series charts

.N c
C pe
to es Using Dashboards

Objectives
© Copyright IBM Corporation 2017
ec n
oy cio
pr a
rm
Fo

© Copyright IBM Corp. 2017 286


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 11 Using Dashboards
Lesson 1 Navigating the Dashboard tab

Uempty
Lesson 1 Navigating the Dashboard tab

A dashboard hosts several dashboard items in order to provide real-time visibility into activity in
your environment. In this lesson, you learn how to manage dashboards and how to add a saved
search as an item to a dashboard.

Instructor demonstration of the Dashboard tab


Dashboard tab

The Dashboard tab displays dashboard items.

Dashboards
ƒ Dashboards are like a canvas for dashboard items
ƒ You can create custom dashboards to focus on your security or operations responsibilities
ƒ Each dashboard is associated with a user; changes that you make to a dashboard do not affect the dashboards of other users

Show Dashboard: Select a dashboard to display its items
New Dashboard: Create a new empty dashboard
Rename Dashboard: Rename the currently selected dashboard
Delete Dashboard: Delete the currently selected dashboard

Use multiple dashboards to better organize data; for example, create dashboards for the following purposes:
• Databases
• Critical Applications

Adding a saved search as a dashboard item

• You can only add a saved search that has a grouping as a dashboard item
• More than 15 items on a dashboard can negatively impact performance

Adding a saved search as a dashboard item (continued)


You can add searches with a grouping that you created yourself

Adding a saved search as a dashboard item (continued)


• Items are added at the bottom of dashboards
• Press the header of an item to move it

Enabling a search to be used as a dashboard item

Include in my Dashboard: Add the search to the Add item drop-down list on the Dashboard tab

Lesson 2 Customizing a dashboard item

You can customize which data a dashboard item displays and how it displays that data. In this lesson, you learn about the options for tailoring dashboard items to your needs and responsibilities.

Configuring dashboard items

Settings provides a wide variety of options to configure items for their purpose
• Delete item from dashboard; use the Add item drop-down list if you want it back
• Open settings of item
• Open item in separate browser window

QRadar SIEM keeps updating items in separate browser windows, even if you close the main window without logging out from QRadar SIEM.

Select what to display

Select how to display

Lesson 3 Utilize time-series charts

A time-series chart plots data against time in order to observe trends. To provide time-series charts,
QRadar SIEM needs to keep track of data over time. In this lesson, you learn how to leverage
time-series charts.

Enabling time-series data

• Capturing time-series data means that QRadar SIEM counts incoming events or flows according to your search criteria, grouping, and chosen value to graph
• Most of the predefined searches capture time-series data
• Capturing time-series data increases the resource consumption of QRadar SIEM
• The asterisk (*) indicates that QRadar SIEM accumulates time-series data for this value
• Select Capture Time Series Data and click Save to accumulate time-series data to count events or flows
• Only some time-series data accumulations are pre-configured

• The settings do not display the asterisk and checkmark for Capture Time Series Data if time-series data accumulation for a property has been enabled elsewhere, for example by a report. Therefore, time-series charts can display without asterisk and checkmark.
• User permissions control the ability to configure and view time-series data.
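The following Python is an added example, not IBM code and not QRadar SIEM's storage format, of what "capturing time-series data" amounts to for a grouped saved search such as Event Category Distribution from Unit 10, which accumulates count and SUM eventCount per group. Incoming events are bucketed into one-minute intervals and accumulated per group into those two values, which is why a search needs a grouping before it can be a dashboard item, why the view grows with the number of distinct groups, and why count and SUM eventCount differ once QRadar coalesces identical events. The events, categories, timestamps and eventCount values are constructed; hiding a legend entry is modelled by leaving that group out of the stacked total.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of normalized events: (timestamp, category, eventCount).
# eventCount > 1 stands for identical events that QRadar coalesced into one
# stored record; all values here are made up for the example.
SAMPLE_EVENTS = [
    ("2017-12-01T10:00:05Z", "Authentication", 1),
    ("2017-12-01T10:00:41Z", "Authentication", 4),   # 4 coalesced identical events
    ("2017-12-01T10:00:59Z", "Firewall Deny", 1),
    ("2017-12-01T10:01:02Z", "Firewall Deny", 25),   # 25 coalesced denies
    ("2017-12-01T10:01:30Z", "Authentication", 1),
    ("2017-12-01T10:02:10Z", "Firewall Deny", 1),
]


def minute_bucket(ts):
    """Floor an ISO-8601 UTC timestamp to its one-minute interval."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%MZ")


def accumulate(events):
    """Build the accumulated view: {(minute, group): {"count": n, "sum_eventcount": m}}.

    count is the number of stored records; sum_eventcount is the number of
    original events they stand for. Both are what the saved search in Unit 10
    accumulates for each category.
    """
    view = defaultdict(lambda: {"count": 0, "sum_eventcount": 0})
    for ts, category, event_count in events:
        key = (minute_bucket(ts), category)
        view[key]["count"] += 1
        view[key]["sum_eventcount"] += event_count
    return dict(view)


def series(view, group, metric):
    """One legend entry of a time-series chart: sorted (minute, value) points."""
    return sorted((minute, v[metric]) for (minute, g), v in view.items() if g == group)


def total_for_minute(view, minute, metric, hidden=()):
    """Stacked height for one interval; 'hidden' models clicking a legend entry."""
    return sum(v[metric] for (m, g), v in view.items()
               if m == minute and g not in hidden)


def distinct_groups(view):
    """Number of legend entries, which is what drives the view's disk footprint."""
    return len({g for (_, g) in view})


if __name__ == "__main__":
    view = accumulate(SAMPLE_EVENTS)
    for group in sorted({g for (_, g) in view}):
        print(group, series(view, group, "sum_eventcount"))
    print("10:01 total:", total_for_minute(view, "2017-12-01T10:01Z", "sum_eventcount"))
    print("10:01 without Firewall Deny:",
          total_for_minute(view, "2017-12-01T10:01Z", "sum_eventcount", hidden=("Firewall Deny",)))
```

Graphing count instead of SUM eventCount would flatten the 10:01 firewall spike to a single record, which is the difference that "chosen value to graph" in the slide refers to. Hiding the dominating Firewall Deny entry is the same move as clicking its legend in the chart: the remaining Authentication activity becomes readable again.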

Investigating data trends

• Time-series charts are graphical representations of log or network activity over time
• Peaks and valleys displayed in the chart depict high- and low-volume activity
• Time-series charts are useful to investigate short-term and long-term data trending

Details one-minute time interval

To investigate the details of a particular one-minute time interval, hover the mouse pointer over the chart


Zooming in

To zoom in to a shorter chart interval, hold the left mouse button pressed while moving the mouse pointer to the left or right; release the mouse button when you have highlighted the interval that you want to zoom in to


Focusing on less prevalent data

To hide a dominating kind of data from the chart, click its legend

• To unhide, click the legend again.
• Hiding and unhiding works with and without zoom.


Resetting the zoom

To return to the original time range, click Reset Zoom in the upper-left corner


Navigating to activity tabs

• To investigate the flows further on the Network Activity tab of the QRadar SIEM web interface, click the View in Network Activity link at the bottom
• Items displaying event data provide the View in Log Activity link


Activity tabs

• The same way as with the charts in the dashboard items, you can zoom in, hover over, and hide data
• If you want to configure what the chart displays, click the yellow icon in the header

The Log Activity and Network Activity tabs display only one time-series chart. QRadar SIEM displays this chart even if it did not capture time-series data for the chart. Any missing time-series data is computed as needed. This can require considerable processing time.


Exercise introduction
Complete the following exercises in the Course Exercises book
• Creating a new dashboard


Summary
Now you should be able to perform the following tasks:
• Navigate the Dashboard tab
• Customize dashboard items
• Utilize time-series charts

Unit 12 Creating Reports

Reports condense data to statistical views on your environment for various purposes, in particular to meet compliance requirements. This unit teaches you how to generate a report using a predefined template and create a report template.

Reference:
• IBM App Exchange https://exchange.xforce.ibmcloud.com/hub


Objectives
In this unit, you learn to perform the following tasks:
• Navigate and use the Reports tab
• Generate and view a report
• Use the Report Wizard to create a custom report template

Lesson 1 Navigating the Reports tab

QRadar SIEM and extensions provide many templates you can use to generate reports. In this lesson, you learn how to access the report templates and generate a report.

Reference:
• IBM App Exchange https://exchange.xforce.ibmcloud.com/hub


Reporting introduction
• A QRadar SIEM report is a means of scheduling and automating one or more saved searches
• QRadar SIEM reports perform the following tasks
ƒ Present measurements and statistics
ƒ Provide users the ability to create custom reports
ƒ Can brand reports and distribute them
• Predefined report templates serve a multitude of purposes, such as the following examples
ƒ Regulatory compliance
ƒ Authentication activity
ƒ Operational status
ƒ Network status
ƒ Executive summaries

QRadar SIEM administrators can install extensions to add report templates for the following regulatory schemas:
• HIPAA: Health Insurance Portability and Accountability Act
• COBIT: Control Objectives for Information and Related Technology
• SOX: Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
• PCI: Visa Payment Card Industry Data Security Standard
• GLBA: Gramm-Leach-Bliley Privacy Act
• FISMA: Federal Information Security Management Act
• NERC: The North American Electric Reliability Council
• GSX: Government Secure Extranet


Reporting demonstration

Demonstrate finding a template and generating a report and have the students follow along. Make sure your QRadar SIEM contains security data to generate a report. The /labfiles/sendCheckpoint.sh script provided the events displayed in the screen captures in this unit.


Reports tab
You can search and sort report templates in a similar way as events and flows

QRadar SIEM administrators can select Branding on the left side to upload logos for your reports. Once a logo is uploaded, users can use the logo when creating or editing report templates.


Finding a report
• QRadar SIEM and extensions provide many report templates
ƒ Before you create a new template, check the installed templates and the templates provided by extensions available on the IBM App Exchange

Hide Inactive Reports: Disable to display all inactive report templates
IBM App Exchange: QRadar SIEM administrators can add more report templates by downloading and installing extensions
Reporting Groups: Display report templates of a reporting group
Search: Display report templates whose title, description, group name, or author user name matches the search criteria

• Inactive reports: QRadar SIEM does not automatically generate reports for inactive templates.
• Active reports: QRadar SIEM generates reports for active templates automatically according to the schedule, unless the schedule is set to Manual. QRadar SIEM lists active templates with a manual schedule if the Hide Inactive Reports check box is enabled.
• To learn about available extensions, visit the IBM App Exchange (https://exchange.xforce.ibmcloud.com/hub)


Running a report

Run Report: Generate a report for the selected report template immediately, regardless of its schedule or active/inactive state
Run Report on Raw Data: Generate a report on raw data if QRadar SIEM has not captured the required time-series data
Toggle scheduling: Toggle the active and inactive state of the selected template
Delete Generated Content: Delete any generated report for the selected template

• Exclamation mark:
The leftmost column with the exclamation mark includes an error icon when a report fails to generate
• Run Report:
Initiate the generation of a report for the selected template. The generation uses accumulated time series data. If no accumulated data is available when the report runs, the generated report displays the message that accumulated data is not available. Refer to the next lesson to learn more about time series data for report generation.
• Run Report on Raw Data:
You can choose this option if QRadar SIEM has not accumulated time series data for your required reporting period. When a report runs on raw data, QRadar SIEM queries the data in its data store to generate the report. Running a report on raw data takes a longer time to process than running a report on accumulated time series data.


Selecting the generated report

Estimated 34 seconds until the report is generated
Select a generated report from the list and click the PDF icon to view it

QRadar SIEM generates reports one at a time. When you start a report generation while another report is already generating, your report displays Queued in the Next Run Time column.


Viewing a report

Lesson 2 Creating a report template

If the provided default report templates do not meet your specific needs, you can create a
customized report template. In this lesson, you learn how to use the Report Wizard to create a new
report template and generate the report.


Reporting demonstration

Demonstrate creating a new report template and have the students follow along.


Creating a new report template

To watch specific activity in a daily report, create a custom report template
Click Create to start the Report Wizard


Choosing a schedule and data time range

Configure the following settings
• When QRadar SIEM generates the report
The selection in the example screen capture configures QRadar SIEM to generate a report on each Monday, Tuesday, Wednesday, Thursday and Friday at 2:00 am
• Default data time range to use
Regardless of when a report template is configured to run, it uses the data from the previous time period by default
ƒ Hourly uses the data from the previous hour
ƒ Daily uses data from the previous day, 12:00 am through 11:59 pm
ƒ Weekly uses the data from the previous week, Monday 12:00 am through Sunday 11:59 pm
ƒ Monthly uses data from the previous month, 1st of the month 12:00 am through last day of the month 11:59 pm
ƒ For Daily, Weekly and Monthly, a later wizard page allows you to change the default time ranges stated above

Manually uses the data from the time range configured on a later wizard page. QRadar SIEM generates a report for a template configured to be started Manually only when a QRadar user initiates a run.

The screen capture displays the default configuration for Daily. By default Daily reports use the data from the previous day. Therefore, the configuration generates reports that use data from Sunday through Thursday but not Friday and Saturday.


Time series data for report generation

• With the exception of Manually, all time ranges start time series data accumulation for the saved searches that you choose on a later wizard page
• While Hourly reports substitute missing time series data by directly using raw data, Daily, Weekly, and Monthly reports can only use time series data and therefore have only complete time series data available on their second or third scheduled run; example:
ƒ On a Tuesday, you configure a report to run weekly on each Wednesday; time series accumulation begins
ƒ 1st Wednesday: The generated report is empty because data accumulation started after the previous week had ended
ƒ 2nd Wednesday: The generated report displays incomplete data because data accumulation started only on Tuesday in the previous week
ƒ 3rd Wednesday: The generated report displays data from the previous week because accumulated data is available for the whole week

If you need to generate a report for a time period without time series data, select Run Report on Raw Data in the Actions drop-down list.

If you select Run Report, the report generates from time series data. If time series data is not available for the required reporting period, the generated report displays the message that accumulated data is not available.

Templates configured to be started Manually do not kick off time series data accumulation implicitly like the other scheduling options do.
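The default data time ranges of the schedule page and the Tuesday/Wednesday accumulation walkthrough on this page, modelled in a small Python script added here for this edition (example code, not IBM course code or QRadar logic); the function names and the sample dates such as 2017-12-05 are assumptions chosen for illustration.

```python
"""Added example, not part of the IBM course materials: a model of the
default data time ranges that QRadar SIEM report schedules use and of when
a newly scheduled report first has complete accumulated time-series data.
Function names and the sample dates are assumptions for illustration."""
from datetime import datetime, timedelta


def _to_dt(value):
    """Accept a datetime or an ISO-8601 string such as '2017-12-06T02:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def default_data_range(schedule, run_at):
    """Return (start, end) of the data period a report uses by default when
    generated at run_at: always the previous hour, day, week or month, at
    minute resolution, as stated on the schedule page."""
    run_at = _to_dt(run_at)
    midnight = run_at.replace(hour=0, minute=0, second=0, microsecond=0)
    if schedule == "Hourly":       # previous hour
        start = run_at.replace(minute=0, second=0, microsecond=0) - timedelta(hours=1)
        return start, start + timedelta(minutes=59)
    if schedule == "Daily":        # previous day, 12:00 am through 11:59 pm
        start = midnight - timedelta(days=1)
        return start, start + timedelta(hours=23, minutes=59)
    if schedule == "Weekly":       # previous Monday 12:00 am through Sunday 11:59 pm
        start = midnight - timedelta(days=midnight.weekday() + 7)
        return start, start + timedelta(days=6, hours=23, minutes=59)
    if schedule == "Monthly":      # 1st of the previous month through its last day
        end = midnight.replace(day=1) - timedelta(minutes=1)
        return end.replace(day=1, hour=0, minute=0), end
    raise ValueError("Manually: the data range is set on a later wizard page")


def report_data_status(schedule, accumulation_started, run_at):
    """Classify what Run Report (which reads only accumulated time-series
    data) yields for a run at run_at, given when accumulation began.
    Hourly reports substitute raw data for missing time-series data, so
    they never come out empty or incomplete."""
    started = _to_dt(accumulation_started)
    start, end = default_data_range(schedule, run_at)
    if started <= start:
        return "complete"
    if schedule == "Hourly":
        return "complete (raw data substituted)"
    return "empty" if started > end else "incomplete"


def _next_run(schedule, run_at):
    """Advance run_at by one scheduling period (Monthly assumes the run day
    exists in every month, for example a day no later than the 28th)."""
    if schedule == "Hourly":
        return run_at + timedelta(hours=1)
    if schedule == "Daily":
        return run_at + timedelta(days=1)
    if schedule == "Weekly":
        return run_at + timedelta(days=7)
    if schedule == "Monthly":
        year, month = divmod(run_at.month, 12)   # December -> (1, 0)
        return run_at.replace(year=run_at.year + year, month=month + 1)
    raise ValueError(schedule)


def first_complete_run(schedule, accumulation_started, first_run, max_runs=12):
    """Return the 1-based index of the first scheduled run with complete
    accumulated data, and the status of every run up to and including it."""
    run_at = _to_dt(first_run)
    statuses = []
    for n in range(1, max_runs + 1):
        status = report_data_status(schedule, accumulation_started, run_at)
        statuses.append(status)
        if status == "complete":
            return n, statuses
        run_at = _next_run(schedule, run_at)
    return None, statuses


if __name__ == "__main__":
    # The unit's own walkthrough: on Tuesday 2017-12-05 a weekly report is
    # scheduled for Wednesdays, so accumulation begins that Tuesday.
    n, statuses = first_complete_run("Weekly", "2017-12-05T10:00", "2017-12-06T02:00")
    for i, status in enumerate(statuses, 1):
        print(f"Wednesday run {i}: {status}")
    print(f"first complete run: {n}")
    # The Daily schedule from the screen capture: Monday to Friday at 2:00 am
    # yields the data of Sunday to Thursday.
    for day in range(11, 16):      # 2017-12-11 (Mon) .. 2017-12-15 (Fri)
        start, _ = default_data_range("Daily", f"2017-12-{day}T02:00")
        print(f"run on {datetime(2017, 12, day):%A} -> data of {start:%A}")
```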


Choosing a layout
QRadar SIEM uses containers to separate report pages so that different data sets can display on the same report page

When you select the layout of a report, consider the type of report you want to create. For example, do not choose a small chart container for graph content that displays a large number of objects. Choose a container large enough to hold the data.


Selecting the type of the top chart

The report saves with the name entered in the Report Title field

On the Reports tab under Branding, QRadar SIEM administrators can upload logos. All uploaded logos are available from the Logo drop-down list.


Configuring the top chart

Enter chart title
Select the previously saved search to report firewall activity


Configuring the top chart (continued)

Select the graph type. The available graph types depend on the chart type
Select the property to graph for both axes
Optionally record the runs of the selected saved search in an offense of type Scheduled Search

The Offense Summary lists the most recent search results under Last 5 Search Results.


Selecting the type of the bottom chart


Configuring the bottom chart

Select graph type Table to list the reported data in a table
Select which kind of offenses you want to report


Layout preview
• The Layout Preview provides only the layout of the report; it does not show the actual data
• Reports can take a long time to generate. Therefore, the preview helps you configure the layout correctly before running a potentially large amount of real data for a long time


Choosing a format
Select any or all of the available output formats for your report

You will most likely use the PDF format for most of your reports, but you can also generate reports in HTML and RTF format. XML and RTF facilitate further processing and the extraction of report data.


Distributing the report

Allow users to view the generated report
Distribute the report by email

You can distribute the report to multiple email addresses. Use commas to separate email addresses listed in the Enter the report destination email address(es) field.


Adding a description and assigning to groups

• Organize report templates by groups much like rules and log sources
• Use reporting groups to sort report templates by purpose, such as a specific regulatory or executive requirement


Verifying the report summary


Viewing the generated report


Best practices when creating reports

• For comparison and review, present charts and event tables together
• Consider the purpose of the report and choose the least number of page containers necessary to communicate the data
• Do not choose a small page division for a graph that might contain a large number of objects
• Executive summary reports use one-page or two-page divisions to simplify the report focus


Exercise introduction
Complete the following exercises in the Course Exercises book
• View an existing report
• Create a new event report
• Create a new search and report


Summary
Now you should be able to perform the following tasks:
• Navigate and use the Reports tab
• Generate and view a report
• Use the Report Wizard to create a custom report template

Unit 13 Using Filters


Filters limit a search result to the data that meets the conditions of the applied filters. Use filters to look for specific activities or to view your environment from various angles. This unit teaches you about some of the many available filters.

Reference:
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803

Objectives
In this unit, you learn to perform the following tasks:
• Apply filters that include or exclude specific events and flows

Lesson 1 Filters overview


QRadar SIEM provides filters so that you can focus on specific data. This lesson introduces you to operators and indexes.

Reference:
• Technote: Searching your QRadar data efficiently
http://www.ibm.com/support/docview.wss?uid=swg21689803


Filters introduction
• Filters are search criteria
• Use filters to look for specific activities and narrow down search results
• Right-click a property value in a list of events or flows to open a menu with a few filter options
To use other filters, click the Add Filter icon
• A wide variety of parameters is available for filtering. Previous course modules have already introduced the following parameters
ƒ Source and Destination IP addresses
ƒ Source and Destination port numbers
ƒ Event and Flow Direction
ƒ Rules and building blocks that have fired
ƒ Groups and network objects as defined in the Network Hierarchy


Using Filters demonstration

Navigate the Log Activity and Network Activity tabs and point out the topics in this unit.


Operators
• A wide variety of operators is available for filtering
• The nature of the parameters determines which kind of operators are available

To build an OR expression, use Equals any of.


Indexes
• [Indexed] behind a property in the Parameter drop-down list indicates that QRadar SIEM maintains an index for values of the property
• An index on a filtered property significantly reduces the run-time of a search
• If you use a property without index in a filter, add additional filters with indexed properties to lower the number of events or flows that QRadar SIEM needs to search

Refer to the Searching your QRadar data efficiently technote (http://www.ibm.com/support/docview.wss?uid=swg21689803) for more information about search optimization.


Source and Destination IP

The frequently used Source or Destination IP filter is not marked [Indexed], although it uses the indexes of Source IP and Destination IP

Instead of an IP address, you can enter a range of IP addresses in CIDR notation, such as 10.100.0.0/16.

Lesson 2 Filtering events and flows


Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on
events and flows.


Continents, countries, and regions

Use filters for events or flows to include or exclude traffic from or to IP addresses located in the selected continents, countries, or regions

Associated With Offense

Use the Associated With Offense filter to include or exclude events or flows that QRadar SIEM added to one or more offenses.

Payload Matches Regular Expression

• When applying a regular expression (regex) to the payload of events, QRadar SIEM tests the raw events from which the event collector created the normalized events
• When applying a regex to the payload of flows, QRadar SIEM tests the captured layer 7 content sent by the source or destination socket
• Performing a regex on payloads consumes more computational resources than any other filter
  - With a regex filter, do not select real time or last interval viewing of log activity or network activity
  - The Log Activity and Network Activity tabs always display the result of a search; if you add a filter, QRadar SIEM applies the filter test only to this search result

Payload Contains

• The only difference between the Payload Matches Regular Expression filter and the Payload Contains filter is that the latter performs a substring test instead of a regular expression test
• Follow the same best practices as for regular expressions: the substring operation is less expensive than regular expression matching, but it still consumes far more computational resources than other filters

Event Processor

• The appliances that store events and flows perform searches and transfer the result to the Console appliance
• If you know which appliances store the relevant events and flows, add a filter on these Event Processor appliances
• The Event Processor parameter is available not only for events but also for flows, because the event and flow processor functionality is provided by the same software component

Lesson 3 Filtering events

Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on events.

Log Source

Use the log source filter to include or exclude events from a specific service.

Log Source (continued)

• Use the log source filter with the Does not equal any of operator to exclude events from the selected log sources
• For example, you can exclude the log sources that QRadar SIEM uses for its own services

Log Source Type

Use the log source type filter to include or exclude events from services of the selected type.

Event Is Unparsed

• Use the Event Is Unparsed filter to include or exclude events that event collectors linked to a generic log source
• Event collectors link events to a generic log source when they cannot automatically discover the kind of software or device sending the raw events, and no log source type has been configured manually by a QRadar administrator

AccountID Custom Event Property

• Custom event and flow properties can be used as filters
• Extensions and QRadar administrators can add custom event and flow properties in order to parse information specific to certain kinds of software or devices; for example, the HTTP version from web servers

Lesson 4 Filtering flows

Use filters to focus only on data relevant for a purpose. This lesson introduces you to filters on flows.

Flow Source and Flow Interface

Use the Flow Source and Flow Interface filters to include or exclude network activity captured by the selected flow sources or interfaces.

TCP Flags

Use the Source and Destination Flags filters to include or exclude flows with the selected TCP flags.

DSCP

Use the Source and Destination DSCP filters to include or exclude flows with the selected Quality of Service precedence in IP headers.

ICMP Type/Code

Use the ICMP Type/Code filter to include or exclude flows with the selected ICMP type and code.

Data Loss

Combine filters to look for large amounts of data leaving your organization.

Applications using nonstandard port

• Combine filters to look for applications listening on nonstandard ports
• Use a similar filter to look for non-web applications using the standard web ports 80 and 443

Summary

Now you should be able to perform the following tasks:
• Apply filters that include or exclude specific events and flows

Unit 14 Using the Ariel Query Language (AQL) for Advanced Searches

Ariel Query Language (AQL) queries can retrieve stored data more flexibly than interactively built searches. This unit teaches you how to build and use AQL queries.

Reference:
QRadar Ariel Query Language Guide http://www.ibm.com/support/docview.wss?uid=swg27049537

Objectives

In this unit, you learn to perform the following tasks:
• Describe the basics of AQL
• Build AQL queries in advanced searches

Lesson 1 Describe the basics of AQL

.R ial
Lesson: Describe the basics of AQL

.N c
C pe
to es
ec n
Using AQL for advanced searches © Copyright IBM Corporation 2017
oy cio

In this lesson, you learn the syntax of AQL.

Reference:
• QRadar Ariel Query Language Guide
http://www.ibm.com/support/docview.wss?uid=swg27049537
pr a
rm
Fo

Ariel Query Language overview

• The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel databases
• Use AQL to retrieve, filter, and perform actions on events and flows from the Ariel database of QRadar SIEM
• AQL is used for advanced searches to get data that might not be easily accessible from the user interface. This provides extended functionality to the search and filtering capabilities in QRadar SIEM
• AQL V3 represents the current structure of the Ariel database. Older versions are deprecated because property names in the Ariel database have been changed or properties were removed. If you have queries that use these properties, you must replace them

Refer to the QRadar Ariel Query Language Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for further information.

AQL query flow

[Slide: diagram of the AQL query flow]

Structure of an AQL query

• AQL queries begin with a SELECT statement to select event or flow data from the Ariel database
• Refine the data output of the SELECT statement by using the WHERE, GROUP BY, HAVING, ORDER BY, LIMIT, and LAST clauses
• Operators are used in AQL statements to determine any equality or difference between values. By using operators in the WHERE clause of an AQL statement, the results are filtered to those rows that match the conditions in the WHERE clause
• A variety of functions exists in AQL. They are used in the SELECT statement with properties, where the function returns specific data from

Refer to the QRadar Ariel Query Language Guide (http://www.ibm.com/support/docview.wss?uid=swg27049537) for further information.

SELECT statement

• Use the SELECT statement to select properties of events or flows
• For example, select all properties from events or flows by typing
  - SELECT * FROM events, or SELECT * FROM flows
• Use the SELECT statement to select the columns that you want to display in the query output
  - SELECT sourceip, destinationip, username FROM events
• A SELECT statement can include the following elements:
  - Properties from the events or flows databases
  - Custom properties from the events or flows databases
  - Functions that you use with properties to represent specific data that you want to return

Examples for SELECT statements

• SELECT sourceip, * FROM flows
  - Returns the sourceip column first, followed by all columns from the flows database
• SELECT sourceip AS 'MY Source IPs' FROM events
  - Returns the sourceip column as the alias or renamed column 'MY Source IPs'
• SELECT ASSETHOSTNAME(sourceip) AS 'Host Name', sourceip FROM events
  - Returns the output of the function ASSETHOSTNAME as the column Host Name, and the sourceip column from the events database

WHERE clause

• Use the WHERE clause to insert a condition that filters the output, for example:
  - WHERE logsourceid='65'
• A search condition is a combination of logical and comparison operators that together make a test. Only those input rows that pass the test are included in the result
• You can apply the following filters when you use a WHERE clause in a query:
  - Equal sign (=), Not equal to symbol (<>)
  - Less than symbol (<), Greater than symbol (>)
  - Less than or equal to symbol (<=), Greater than or equal to symbol (>=)
  - BETWEEN: between two values, for example (64 AND 512)
  - LIKE: case-sensitive match; ILIKE: case-insensitive match
  - IS NULL: is empty
  - AND / OR: both conditions or either condition
  - TEXT SEARCH: text string match

Examples of WHERE clauses

• The following query example shows events that have a severity level greater than nine and are from a specific category
  - SELECT sourceIP, category, credibility
    FROM events
    WHERE severity > 9
    AND category = 5013
• Change the order of evaluation by using parentheses. The search conditions that are enclosed in parentheses are evaluated first
  - SELECT sourceIP, category, credibility
    FROM events
    WHERE (severity > 9 AND category = 5013)
    OR (severity < 5 AND credibility > 8)

GROUP BY clause

• Use the GROUP BY clause to aggregate your data by one or more columns. To provide meaningful results of the aggregation, data aggregation is usually combined with arithmetic functions on the remaining columns
• When you use the GROUP BY clause with a column name or AQL function, only the first value is returned for the GROUP BY column, by default, even though other values might exist

Examples of GROUP BY clauses

• The following query example shows IP addresses that sent more than 1 million bytes within all flows in a specific time
  - SELECT sourceIP, SUM(sourceBytes)
    FROM flows WHERE sourceBytes > 1000000
    GROUP BY sourceIP
• To view the average event count per source IP, use the following syntax
  - SELECT AVG(eventCount), PROTOCOLNAME(protocolid)
    FROM events
    GROUP BY sourceIP

HAVING clause

• Use the HAVING clause in a query to apply more filters to specific data by applying filters to the results after the GROUP BY clause
• The HAVING clause follows the GROUP BY clause
• You can apply the following filters when you use a HAVING clause in a query:
  - Equal sign (=), Not equal to symbol (<>)
  - Less than symbol (<), Greater than symbol (>)
  - Less than or equal to symbol (<=), Greater than or equal to symbol (>=)
  - BETWEEN: between two values, for example (64 AND 512)
  - LIKE: case-sensitive match; ILIKE: case-insensitive match
  - SUM/AVG: total or average values
  - MAX/MIN: maximum or minimum values

Examples of HAVING clauses

• The following query example shows results for users who triggered VPN events from more than four IP addresses (HAVING "Count of Source IPs" > 4) in the last 24 hours
  - SELECT username, UNIQUECOUNT(sourceip) AS 'Count of Source IPs'
    FROM events
    WHERE LOGSOURCENAME(logsourceid) ILIKE '%vpn%'
    AND username IS NOT NULL
    GROUP BY username
    HAVING "Count of Source IPs" > 4
    LAST 24 HOURS
• The following query groups results by source IP but displays only results where the magnitude (HAVING magnitude > 5) is greater than five
  - SELECT sourceIP, magnitude
    FROM events
    GROUP BY sourceIP
    HAVING magnitude > 5

ORDER BY clause

• Use the ORDER BY clause to sort the resulting view based on expression results. The result is sorted in ascending or descending order
• Note: When you type an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison
• You can use the ORDER BY clause on one or more columns
• You can use the GROUP BY and ORDER BY clauses in a single query
• Sort in ascending or descending order by appending the ASC or DESC keyword to the ORDER BY clause

Examples of ORDER BY clauses

• To query the Ariel database to return results in descending order, use the following syntax
  - SELECT sourceBytes, sourceIP
    FROM flows
    WHERE sourceBytes > 1000000
    ORDER BY sourceBytes DESC
• To determine the top abnormal events or the most bandwidth-intensive IP addresses, you can combine GROUP BY and ORDER BY clauses in a single query. For example, the following query displays the most traffic-intensive IP addresses in descending order
  - SELECT sourceIP, SUM(sourceBytes)
    FROM flows
    GROUP BY sourceIP
    ORDER BY SUM(sourceBytes) DESC
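The GROUP BY, HAVING and ORDER BY queries of this lesson, modelled in Python over constructed sample rows so that the clause semantics can be checked without a QRadar system; this is an added example, not code from the course or from QRadar, and the field and helper names are its own assumptions. It also makes the caveat from the GROUP BY slide concrete: a non-aggregated column such as magnitude keeps only the first value seen per group, so HAVING magnitude > 5 and HAVING MAX(magnitude) > 5 can give different answers.

```python
"""Model of the GROUP BY, HAVING and ORDER BY examples of this unit.

Added example; not code from the course or from QRadar. Each function mirrors
one query of the unit on constructed sample rows, so the clause semantics can
be checked without a QRadar system. Field names and helper names are this
example's own assumptions; time ranges (LAST 24 HOURS) are left out.
"""
from collections import defaultdict

# Constructed sample events, one dict per Ariel row. "logsource" stands in for
# LOGSOURCENAME(logsourceid).
EVENTS = [
    {"username": "alice", "sourceip": "10.1.1.5", "logsource": "Cisco VPN", "magnitude": 3},
    {"username": "alice", "sourceip": "10.1.1.6", "logsource": "Cisco VPN", "magnitude": 2},
    {"username": "alice", "sourceip": "10.1.1.7", "logsource": "Cisco VPN", "magnitude": 4},
    {"username": "alice", "sourceip": "10.1.1.8", "logsource": "Cisco VPN", "magnitude": 4},
    {"username": "alice", "sourceip": "10.1.1.9", "logsource": "cisco vpn", "magnitude": 1},  # ILIKE ignores case
    {"username": "alice", "sourceip": "10.1.1.5", "logsource": "Cisco VPN", "magnitude": 9},  # repeated IP, high magnitude
    {"username": "bob", "sourceip": "10.2.2.1", "logsource": "Cisco VPN", "magnitude": 7},
    {"username": "bob", "sourceip": "10.2.2.2", "logsource": "Cisco VPN", "magnitude": 6},
    {"username": None, "sourceip": "10.3.3.3", "logsource": "Cisco VPN", "magnitude": 9},  # username IS NULL
    {"username": "carol", "sourceip": "10.4.4.1", "logsource": "Windows DC", "magnitude": 9},  # not a VPN source
    {"username": "carol", "sourceip": "10.4.4.2", "logsource": "Windows DC", "magnitude": 9},
    {"username": "carol", "sourceip": "10.4.4.3", "logsource": "Windows DC", "magnitude": 9},
    {"username": "carol", "sourceip": "10.4.4.4", "logsource": "Windows DC", "magnitude": 9},
    {"username": "carol", "sourceip": "10.4.4.5", "logsource": "Windows DC", "magnitude": 9},
]

# Constructed sample flows for the ORDER BY example.
FLOWS = [
    {"sourceip": "10.5.5.1", "sourcebytes": 400_000},
    {"sourceip": "10.5.5.2", "sourcebytes": 2_500_000},
    {"sourceip": "10.5.5.1", "sourcebytes": 900_000},
    {"sourceip": "10.5.5.3", "sourcebytes": 1_200_000},
]


def vpn_users_with_many_source_ips(events, threshold=4, unique=True):
    """SELECT username, UNIQUECOUNT(sourceip) AS 'Count of Source IPs' FROM events
    WHERE LOGSOURCENAME(logsourceid) ILIKE '%vpn%' AND username IS NOT NULL
    GROUP BY username HAVING "Count of Source IPs" > 4

    unique=False swaps UNIQUECOUNT for COUNT, which counts a repeated IP again.
    """
    per_user = defaultdict(list)
    for e in events:
        # WHERE runs per event before grouping: ILIKE is case-insensitive and
        # IS NOT NULL discards events that carry no user name.
        if "vpn" in e["logsource"].lower() and e["username"] is not None:
            per_user[e["username"]].append(e["sourceip"])
    counts = {u: len(set(ips)) if unique else len(ips) for u, ips in per_user.items()}
    # HAVING runs on the aggregated rows, which is why it can use the alias.
    return {u: c for u, c in counts.items() if c > threshold}


def magnitude_per_source_ip(events, threshold=5, aggregate=None):
    """SELECT sourceIP, magnitude FROM events GROUP BY sourceIP HAVING magnitude > 5

    magnitude is not aggregated, so, as the GROUP BY slide notes, only the first
    value seen in each group is kept and HAVING tests that value. Passing
    aggregate=max models HAVING MAX(magnitude) > 5, which considers every event
    in the group.
    """
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["sourceip"]].append(e["magnitude"])
    pick = aggregate if aggregate is not None else (lambda values: values[0])
    grouped = {ip: pick(values) for ip, values in per_ip.items()}
    return {ip: m for ip, m in grouped.items() if m > threshold}


def top_talkers(flows):
    """SELECT sourceIP, SUM(sourceBytes) FROM flows GROUP BY sourceIP
    ORDER BY SUM(sourceBytes) DESC  ->  list of (sourceip, total) tuples
    """
    totals = defaultdict(int)
    for f in flows:
        totals[f["sourceip"]] += f["sourcebytes"]
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(vpn_users_with_many_source_ips(EVENTS))                # {'alice': 5}
    print(vpn_users_with_many_source_ips(EVENTS, unique=False))  # {'alice': 6}
    print(magnitude_per_source_ip(EVENTS))                # 10.1.1.5 missing: its first magnitude was 3
    print(magnitude_per_source_ip(EVENTS, aggregate=max)) # 10.1.1.5 present with 9
    print(top_talkers(FLOWS))
```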

Single or Double quotation marks in AQL queries

• In an AQL query, query terms and queried columns sometimes require single or double quotation marks so that QRadar SIEM can parse the query
• When you enter an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison
• You can call a custom property directly in your AQL statements. If the custom property contains spaces, you must use double quotation marks to encapsulate the custom property

Use single quotation marks to pass any American National Standards Institute (ANSI) VARCHAR string to AQL, such as parameters for a LIKE or equals (=) operator, or any operator that expects a VARCHAR string.

Examples:
SELECT * from events WHERE sourceip = '173.16.152.214'
SELECT * from events WHERE userName LIKE '%james%'
SELECT * from events WHERE userName = 'james'
SELECT * FROM events WHERE INCIDR('10.45.225.14', sourceip)
SELECT * from events WHERE TEXT SEARCH 'my search term'

Use double quotation marks for the following query items: to specify table and column names that contain spaces or non-ASCII characters, and to specify custom property names that contain spaces or non-ASCII characters.

Examples:
SELECT "username column" AS 'User name' FROM events
SELECT "My custom property name" AS 'My new alias' FROM events

Use double quotation marks to define the name of a system object such as a property, function, database, or an existing alias.

Example:
SELECT "Application Category", sourceIP,
EventCount AS 'Count of Events'
FROM events GROUP BY "Count of Events"

Use double quotation marks to specify an existing alias that contains a space when you use a WHERE, GROUP BY, or ORDER BY clause.

Examples:
SELECT sourceIP, destinationIP, sourcePort,
EventCount AS 'Event Count',
category, hasidentity, username, payload, UtF8(payLoad),
QiD, QiDnAmE(qid) FROM events
WHERE (NOT (sourcePort <= 3003 OR hasidentity = 'True'))
AND (qid = 5000023 OR qid = 5000193)
AND (INCIDR('1.1.1.0/4', sourceIP)
OR NOT INCIDR('1.1.1.0/4', sourceIP)) ORDER BY "Event Count"
DESC LAST 60 MINUTES

SELECT sourceIP, destinationIP, sourcePort, EventCount
AS 'Event Count',
category, hasidentity, username, payload, UtF8(payLoad),
QiD, QiDnAmE(qid)
FROM events ORDER BY "Event Count"
DESC LAST 60 MINUTES

SELECT sourceIP AS 'Source IP Address',
EventCount AS 'Event Count', QiD, QiDnAmE(qid)
FROM events
GROUP BY "Source IP Address"
LAST 60 MINUTES

Use single quotation marks to specify an alias for a column definition in a query.

Example:
SELECT username AS 'Name of User', sourceip AS 'IP Source' FROM events
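The quoting rules above, applied by code that assembles AQL from values an analyst or a playbook supplies, as an added example (not code from the course or from QRadar); the helper names, the validation patterns, and the decision to refuse a quote character rather than escape it are this example's own assumptions.

```python
"""Builder that applies this lesson's AQL quoting rules to supplied values.

Added example; not code from the course or from QRadar. Tooling that assembles
AQL from user-supplied values (a playbook, a ticket lookup) has to quote and
validate them: single quotes for VARCHAR strings and for aliases declared in
SELECT, double quotes for property or alias names with spaces when referenced
in WHERE, GROUP BY, HAVING or ORDER BY. Validation patterns are this
example's own, deliberately narrow, choice.
"""
import re

_BARE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")         # needs no quoting
_QUOTED_IDENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_ .-]*$")  # allowed inside "..."
_TABLES = ("events", "flows")


def aql_string(value):
    """Quote a VARCHAR literal for =, LIKE, ILIKE, TEXT SEARCH, INCIDR and so on.
    A quote inside the value is refused, not escaped: a stray quote is exactly
    what lets input break out of the literal."""
    if not isinstance(value, str) or "'" in value:
        raise ValueError(f"refusing to build a literal from {value!r}")
    return "'" + value + "'"


def aql_name(name):
    """Reference a property or an existing alias: bare for a plain identifier,
    double-quoted when it contains spaces (custom properties, 'Count of Source IPs')."""
    if _BARE_IDENT.match(name):
        return name
    if _QUOTED_IDENT.match(name):
        return '"' + name + '"'
    raise ValueError(f"unsupported property or alias name {name!r}")


def aql_alias(name):
    """Declare an alias in a SELECT column list; the lesson uses single quotes here."""
    if not _QUOTED_IDENT.match(name):
        raise ValueError(f"unsupported alias {name!r}")
    return "'" + name + "'"


def build_query(columns, table, where=(), group_by=(), having=(), order_by=(), last=None):
    """Assemble SELECT ... FROM ... [WHERE] [GROUP BY] [HAVING] [ORDER BY] [LAST].
    columns: (expression, alias or None) pairs, an expression containing "(" is a
    function call emitted as given; where/having: conditions built with the helpers;
    group_by: names; order_by: (name, "ASC"|"DESC") pairs; last: e.g. "24 HOURS"."""
    if table not in _TABLES:
        raise ValueError(f"unknown Ariel table {table!r}")
    select = []
    for expr, alias in columns:
        text = expr if "(" in expr else aql_name(expr)
        select.append(f"{text} AS {aql_alias(alias)}" if alias else text)
    parts = [f"SELECT {', '.join(select)} FROM {table}"]
    if where:
        parts.append("WHERE " + " AND ".join(where))
    if group_by:
        parts.append("GROUP BY " + ", ".join(aql_name(n) for n in group_by))
    if having:
        parts.append("HAVING " + " AND ".join(having))
    if order_by:
        if any(d not in ("ASC", "DESC") for _, d in order_by):
            raise ValueError("sort direction must be ASC or DESC")
        parts.append("ORDER BY " + ", ".join(f"{aql_name(n)} {d}" for n, d in order_by))
    if last is not None:
        if not re.fullmatch(r"\d+ (MINUTES|HOURS|DAYS)", last):
            raise ValueError(f"unsupported LAST range {last!r}")
        parts.append("LAST " + last)
    return " ".join(parts)


def vpn_multi_ip_users(min_ips=4, hours=24):
    """The HAVING example of this unit, rebuilt with the helpers."""
    return build_query(
        columns=[("username", None), ("UNIQUECOUNT(sourceip)", "Count of Source IPs")],
        table="events",
        where=[f"LOGSOURCENAME(logsourceid) ILIKE {aql_string('%vpn%')}",
               "username IS NOT NULL"],
        group_by=["username"],
        having=[f"{aql_name('Count of Source IPs')} > {int(min_ips)}"],
        last=f"{int(hours)} HOURS",
    )


def events_for_user(username, minutes=60):
    """Lookup for one account: the user name is a VARCHAR, so it is single-quoted,
    and a value containing a quote character is rejected by aql_string."""
    return build_query(
        columns=[("sourceip", "Source IP Address"), ("username", None),
                 ("EventCount", "Event Count")],
        table="events",
        where=[f"username = {aql_string(username)}"],
        order_by=[("Event Count", "DESC")],
        last=f"{int(minutes)} MINUTES",
    )
```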

Instructor demonstration of advanced searches

[Slide: instructor demonstration]

Lesson 2 Build AQL queries in advanced searches

The QRadar SIEM user interface provides an easy way to create AQL queries. In this lesson, you learn how to build an AQL query in the user interface.

Build AQL queries from the QRadar GUI

• Go to the Log Activity tab and switch from Quick Filter, which is the default setting, to Advanced Search using the drop-down list

You can run AQL queries on flows on the Network Activity tab.

Prepare the search window

• Long AQL statements are more readable when broken into multiple lines. Therefore, it is best practice to enlarge the search field so that it shows more than one line, which is the default setting
• Drag the right side of the Search field downward. Now you can start entering an AQL query

Instructor demonstration of advanced searches

Together with your instructor, develop AQL queries for the following scenarios:
1. Select all events from the last hour where the magnitude was 5 or higher. Order these events by magnitude descending
2. Find all events that belong to the offense with ID 2
3. How many events do you have in the Ariel database? (How many of these have a magnitude of 5 or greater?)
4. List all categories and category names from events that belong to the offense with ID 3. Group the events by category

Exercise introduction

Complete the following exercises in the Course Exercises book:
• Using AQL in advanced searches

Summary

Now you should be able to perform the following tasks:
• Describe the basics of AQL
• Build AQL queries in advanced searches

Unit 15 Analyzing a Real-World
Large-Scale Attack


This unit evaluates a large-scale advanced persistent attack against a US retailer. You will evaluate
how a properly implemented Security Intelligence solution could have helped to fend off the
attackers.

This unit is based on the “Kill Chain” Analysis of the 2013 Target Data Breach study by the Committee On Commerce, Science and Transportation, which is available at the following URL:

https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf

Objectives
In this unit, you focus on the following tasks:
• Analyze the provided attack scenario

• Discuss in your team how a proper centralized Security Intelligence approach could have avoided this nightmare scenario

After investigating what happened during the attack, you will have an opportunity to discuss in teams how this incident could have been mitigated or avoided by implementing properly configured and connected security solutions from the Security Immune System.


About Target Corporation

“Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. It is the second-largest discount retailer in the United States, Walmart being the largest. The company is ranked 36th on the Fortune 500 as of 2013 and is a component of the Standard & Poor's 500 index. Its bullseye trademark is licensed to Wesfarmers, owners of the separate Target Australia chain, which is unrelated to Target Corporation.”

“The first Target store was opened in 1962 in Roseville, Minnesota. Target grew and eventually became the largest division of Dayton Hudson Corporation, culminating in the company being renamed as Target Corporation in August 2000. Target operates 1,916 stores in the United States; it began operations in Canada in March 2013 and operates 127 locations through its Canadian subsidiary. In December 2013, a data breach of Target's systems affected up to 110 million customers.”

Source: Wikipedia

The Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. It is the second-largest discount retailer in the United States. Target operates 1,916 stores in the United States. It also began operations in Canada in March 2013.

In December 2013, a data breach of Target's systems affected up to 110 million customers.

The situation

“In November and December 2013, cyber thieves executed a successful cyber attack against Target, one of the largest retail companies in the United States. The attackers gained access to Target’s computer network, stole the financial and personal information of as many as 110 million Target customers, and then removed this sensitive information from Target’s network to a server in Eastern Europe.”

“John Mulligan, Target’s Executive Vice President and Chief Financial Officer, testified that his company “had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools.” He further stated that Target had been certified in September 2013 as compliant with the Payment Card Industry Data Security Standards (PCI-DSS), which credit card companies require before allowing merchants to process credit and debit card payments.”

Source: “Kill Chain” Analysis of the 2013 Target Data Breach; Committee On Commerce, Science and Transportation

Within a very short time period of two months, cyber thieves executed a successful cyber attack against Target. The attackers gained access to Target’s computer network, stole the financial and personal information of as many as 110 million Target customers, and then removed this sensitive information from Target’s network to a server in Eastern Europe.

Target had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities, and data loss prevention tools. Additionally, Target had been certified in September 2013 as compliant with the Payment Card Industry Data Security Standards (PCI-DSS), which credit card companies require before allowing merchants to process credit and debit card payments.

How could this happen?

This investigative data has been made publicly available through the United States Committee On Commerce, Science, And Transportation.

Phases of the intrusion kill chain

Source: Lockheed Martin

In order to better understand the Target attack, we are going to take a look at the different phases of an intrusion, also called an intrusion kill chain. Because most attacks follow this pattern, as defenders we can learn a great deal by analyzing the individual stages.

Every attack begins with a reconnaissance phase where the attackers select their main targets. Once they have identified their target data, they research and identify external and potentially vulnerable connections. These can include direct network access points or systems, as well as employees or third-party vendors and business partners.

In the weaponization phase the attackers pair remote access malware with well-known exploits into a deliverable payload, such as Adobe PDF or Microsoft Office files.

The delivery phase consists of the actual transmission of the weapon to a target. The most common approach is to use phishing attacks via email attachments, websites, or even physical USB drives.

Once delivered, the weapon’s code is triggered on the target systems, exploiting vulnerable
applications or systems.

During the installation phase the weapon installs a backdoor on a target’s system, allowing persistent access. It is also very common for the weapon to regularly install new variants to evade or distract detection.

Once the weapon is activated it begins communicating with outside servers that provide real-time
system access for the attackers, who can now extend their reconnaissance from within the attacked
network and systems.

After final weapons and communication paths are established, the attackers work to achieve the
objective of the intrusion. Most likely, this includes exfiltration, encryption or destruction of data.

Let us now investigate the Target kill chain timeline and find out what really happened.

Kill chain timeline

<1>

Roughly at the same time when Target was PCI-DSS certified, the first phases of the attack were
executed.

In the first reconnaissance phase the attackers gathered as much information about the victim as possible. In this case, the attackers were able to find information about one of Target’s third-party vendors through simple Internet searches. Target even displayed a public Internet portal for vendors, which gave away the kind of software that was used for their online vendor billing. Equipped with this knowledge, the attackers then started their reconnaissance on one particular vendor, Fazio.

In the weaponization phase the attackers created malware-laden emails, likely attaching a PDF or Microsoft Office document.

In the first part of the delivery phase, the attackers sent infected emails to the vendor in a so-called phishing attack. Once deployed, the malware started to record passwords and provided the attackers with their key to Target’s external billing system.

<2>

In the second part of the delivery phase, the attackers leveraged their access to this vendor’s
system to enter Target’s network. Weak security at the perimeter of Target’s network may have
contributed to the attackers’ success in breaching the most sensitive area of Target’s network
containing cardholder data. Using the vendor’s credentials to gain access to Target’s inner network,
it appears the attackers then directly uploaded their RAM scraping malware to POS terminals.
<3>

In the exploitation phase, the RAM scraping malware and exfiltration malware began recording
millions of card swipes, and storing the stolen data for later exfiltration.

Reports suggest that the attackers maintained access to the vendor’s systems for some time while attempting to further breach Target’s network during the installation phase. It is unclear exactly how the attackers could have escalated their access from the external billing system to deeper layers of Target’s internal network. But given the installation of the BlackPOS malware on Target’s POS terminals, the compromise of 70 million records of non-financial data, and the compromise of the internal Target servers used to gather stolen data, it appears that the attackers succeeded in moving through various key Target systems by exploiting default account names in Target’s IT management system.

Based on the reported timeline of the breach, the attackers had access to Target’s internal network for over a month and compromised internal servers with exfiltration malware by November 30. While the exact method by which the attackers maintained command and control is unknown, it is clear that the attackers were able to maintain a line of communication between the outside Internet and Target’s cardholder network.

The attackers transmitted the stolen data to outside servers – at least one of which was located in
Russia – in plain text via FTP (a standard method for transferring files) over the course of two
weeks.

On December 12, the US Department of Justice notified Target that their stolen credit card credentials had been identified on a Russian Dark Web site where they were offered for sale. At this point in time, no one at Target had realized that there was an attack.

Target immediately started intense investigations and was able to stop further activities to exfiltrate data, and three days later most of the malware had been removed.

It was at this time that Target found out not only about the loss of 40 million credit card records but also about an additional 70 million customer data records without financial information.

First trigger - already compromised

• FireEye event
• False positive prone: users do not fully trust it
• No additional activity information: what traffic preceded and followed, from and to where?
• Business context: are critical assets exposed?
• Network context: can the attackers reach critical assets?
• No business process for triaging and analyzing was defined
• The attack was ignored

Revisiting the investigative timeline shows that the first security-relevant events from FireEye and the Symantec endpoint software were recorded on November 30.

Firewall and endpoint analysts may have disregarded these events as false positives, because no action was initiated. The reason for that can be found in the complexity of an environment in which point solutions do not communicate with one another. It is hard to retrieve additional activity information about the preceding and following traffic, and to establish business and network context, by just looking at individual incidents without any correlation. The ability to include business context and risk management can show whether any high-value assets are exposed by a certain attack pattern. Network context shows whether those assets can actually be reached by the malware.

Without the means to correlate the individual events, the attack was ignored.
More alerts - no linkage

• More alerts
• Different areas of the network
• Not correlated with other activity or in the context of the business or network
• Not enough visibility or context
• Still ignored

Once the exfiltration began, the Target security tools recorded more alerts. But again, without proper correlation to the earlier events and network traffic logs, there was simply not enough visibility into the ongoing malware deployment and data exfiltration. As a result, the ongoing attack was still ignored.
DOJ notification - 40 million records gone

• Too late
• Nightmare business scenario unfolds

By the time the DOJ called Target's executive management it was too late to react. The forensic investigation that was then started enabled the security team to find malware on POS terminals and on backend data servers, as well as ongoing exfiltration transmissions to external FTP servers. The communication lines were then severed and the malware was removed from the systems.
Continued breaches undetected

Nightmare - worst case business scenario

Only during their forensic activities did the security staff find out about the additional 70 million non-financial data records that had been compromised.

It was the awakening to the worst case business scenario any organization can possibly face.
Missed opportunities

In summary, several situational actions and reactions led to the disaster.

First, the attackers took advantage of weak security at a Target vendor, and thus gained an initial foothold in Target’s inner IT network.

This happened while Target missed initial warnings from their anti-intrusion software that attackers were installing malware on their deployed assets.

Then the attackers took advantage of further weak controls within Target’s network and successfully maneuvered into the network’s most sensitive areas.

During the final phase of the attack Target missed further information from its anti-intrusion software about the attackers’ escape plan, allowing them to steal as many as 110 million customer records.
Exercise introduction
Complete the following exercises in the Course Exercises book:
• Investigate the Target kill chain timeline

• Suggest improvements

How could this scenario have been avoided?

In this exercise, you answer a few dedicated questions and investigate possible solutions to improve correlation and reaction for a security team.

Revisit the idea of the Security Immune System and apply your understanding to this exercise. Also, revisit the “Kill Chain” Analysis of the 2013 Target Data Breach study by the Committee On Commerce, Science and Transportation.

Source: https://www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf

Potential improvements

• Security logs and events
• Network flow data
• Vulnerability data
• Network topology
• Asset profile with business context, risk, ownerships
• Correlation rules
• User behavioral analysis

Resulting in:
• Increased incident relevance
• One incident case and analysis workflow
• Integrated forensics - rapid confirmation of attack
• Massive reduction of window of exposure

Refer to the answer keys for this Exercise to discuss possible improvements.
Summary
In this unit, you performed the following tasks:
• Analyze the provided attack scenario

• Discuss in your team how a proper centralized Security Intelligence approach could have avoided this nightmare scenario

In this unit, you investigated what happened during the attack, and you discussed how this incident could have been mitigated or avoided by implementing properly configured and connected security solutions from the Security Immune System.


Appendix A A real-world scenario introduction to IBM QRadar SIEM


In this appendix you study a real-world attack scenario that explains the following details:
• How a successful attack is instigated by infecting portable computers outside of an organization’s physical network infrastructure using a “watering hole” attack
• How this infected computer then spreads the malicious code, and how it contacts a remote command and control server once it returns to the organization’s environment
• How the overall timeline works for the bad guys
• That this type of attack can only be mitigated by correlation and collaboration (Security Intelligence) inside an organization using a variety of detection tools across several IT disciplines

Objectives
In this unit, you learn to perform the following tasks:
• Investigate the anatomy of an attack

Anatomy of an attack - Lions at the watering hole


In July 2012, several high-profile institutions in the financial and technology sectors were victimized by a “watering hole” attack.

Step 1: Stake out the watering hole
The attackers insert an iFrame into the websites of regional financial services institutions (the watering holes, in MA, the NY metro area, and DC) that redirects visitors to a zero-day malware download.

Step 2: Catch the visiting “gazelles”
An employee using a corporate laptop at home visits a compromised consumer banking site and is redirected to a zero-day malware download.

Step 3: The prey returns to the herd
Employees bring their infected laptops to work the next day, and the infected laptops siphon off sensitive data to a command and control server in China.

This slide shows an example of a watering hole attack that took place in 2012 and was
subsequently analyzed by the IBM X-Force Research team.

Note: This slide uses animation to sequentially display Steps 1-3.

Attack vectors
• Fraudulent malware download (maybe as part of a JPG, a PDF, or just by visiting a website that downloads a malicious JavaScript) that is not detected by antivirus software
• Spear phishing - luring people to click on something “interesting”
• Network attack vectors - command and control malware uses “unusual ports” on the client’s machine to communicate with the remote control server

The next slides look at the timeline, the actual vulnerabilities that were involved, and the malicious
communication scheme.

Anatomy of an attack - Timeline


• July 13-15, 2012
  – Several regional consumer financial services websites are hacked
  – The hackers plant a hidden iFrame on the consumer portal
• July 13-22, 2012
  – Customers of the bank are redirected to a malicious download site when they visit to do their online banking
• July 15-18, 2012
  – Infections are detected at several IBM clients
  – IBM Emergency Response Services are deployed for incident response
  – IBM collaborates with the FBI, major antivirus (AV) vendors, and others to protect its clients

This slide demonstrates how fast and efficiently the attackers used a zero-day vulnerability to infiltrate many organizations.

Note: This slide uses animation to sequentially display the bullet point groups.

The next slide talks about the specific vulnerabilities.

Anatomy of an attack - Vulnerable hosts were infected


Attackers used different variants of the Gh0st RAT remote access Trojan horse, making detection very hard.

Variant A
• Exploited a known Microsoft vulnerability (CVE-2012-1889, 6/12/2012)
• Patch for all Microsoft operating systems was released on 7/10/2012
• Variant was not recognized by any AV vendor when IBM first detected it

Variant B
• Exploited a known Java vulnerability (CVE-2012-1723, 6/16/2012)
• Patch was released by Oracle 6/12/2012
• Variant was recognized by McAfee VSE as of July 17, 2012


Note: This slide uses animation to display the two variants sequentially.

Sources:
http://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/#gref
http://resources.infosecinstitute.com/gh0st-rat-part-2-packet-structure-defense-measures/#gref

The next slide explains what happens after a computer has been infected.
Anatomy of an attack - Host response

After being infected, compromised hosts made contact with a remote command and control server in China.

• Infected machines attempt to communicate with one of two Chinese command and control (C&C) servers, 58.64.155.57 and 58.64.155.59, on ports 53, 80, and 443
• If communications are successfully established, the C&C server gains complete, real-time control of a system on the protected network
• The malware, a remote access Trojan, allows a remote attacker to access data, log system activity, capture key logs, take screenshots, activate the system’s camera, and record from the system’s microphone
• The remote attacker can also drop additional downloads and programs on the controlled machine, and use it as a launching point for further attacks


Note: This slide uses animation to sequentially display the bullet points.
Anatomy of an attack - The risk of delaying a response to an attack


If the attack is not detected fast enough, the infected machine becomes the new launch point for deepening the penetration.

• The infected machine “legitimately” distributes more malware inside the enterprise network to gain a stronger foothold if detected
• The malware’s first goal is to obtain privileged user identities, which it then uses to gain access to valuable assets inside the enterprise network
• Most attacks use ports and scans that typically are not executed from either the infected machines or user IDs
• After valuable assets are found, they are slowly exfiltrated to not raise any suspicion


Note: This slide uses animation to sequentially display the bullet points. Use the details below to address controls and countermeasures for each of these attack vectors.
The following details describe how each of these attack vectors can be countered by proper
measures.
• The infected machine "legitimately" distributes more malware inside the enterprise network to
gain a stronger foothold if detected
– Endpoint management negation - Additional software gets installed on the machine by remote
malware.
– Control: Endpoint management software should immediately detect any new software
deployments, report them, and either remove them or deny network access.
• The malware's first goal is to obtain privileged user identities, which it then uses to gain access
to valuable assets inside the enterprise network
– Privileged user access - If a machine of a privileged user is found, that credential is going to
open many doors for the attackers.
– Control: A privileged user access control system can negate the chance of any attacker
gaining privileged access because those IDs have to be signed out through a particular
process using multi-factor authentication and other security means.
– Control: If privileged user access is maliciously gained, a data access monitoring solution
can recognize that large amounts of privileged data are being accessed in a behavioral pattern
that does not reflect usual routines and report on it.
• Most attacks use ports and scans that typically are not executed from either the infected
machines or user IDs
– Network anomalies - Unusual ports or scan activity is detected from IT systems that usually
do not display such activity.
– Control: The flow control system shows traffic records involving on-site and off-site IT
systems and immediately logs and reports this.
• These attacks are rarely an isolated event, and the attacked organization is one out of many
who are being probed by those remote command and control systems.
– Control: Public threat research feeds the recognized IP addresses and ports into a blacklist
of malicious hosts that can be incorporated into the organization's Security Intelligence
solution.

Only the correlation of all these single events in near real time enables an organization to detect
and, ideally, stop threats before they can be exploited and cause any damage.

The next slide summarizes those challenges in broader terms.
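The following script is an added example and is not part of the IBM course material or the QRadar product. It shows, in plain Python, what "correlation of all these single events" means for the four controls listed above: each record is classified as one of four indicators (new software on an endpoint, privileged logon, a destination port outside the host's baseline, a match against a threat feed), and a host that accumulates three distinct indicator types inside a 30-minute window becomes an offense. The record layout, the field names, the threshold, the baseline and the feed entries are all constructed for this example.

```python
# Added example (not from the IBM course material or the QRadar product):
# a minimal correlation routine that joins the four signal types described
# above into one offense per host inside a time window.  Record formats,
# field names, thresholds and all sample data are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat feed: remote addresses and ports a public feed has flagged.
THREAT_FEED = {"203.0.113.45": {4444}, "198.51.100.9": {443, 8443}}

# Constructed baseline: destination ports each host normally talks to.
PORT_BASELINE = {"10.0.0.5": {53, 80, 443}, "10.0.0.7": {53, 80, 389, 443}}

# Accounts whose use should be tracked as a privileged-access indicator.
PRIVILEGED_USERS = {"domadmin", "svc_backup"}

WINDOW = timedelta(minutes=30)   # how long indicators stay "live" for a host

# Constructed events; in a SIEM these would come from log and flow sources.
SAMPLE_EVENTS = [
    {"ts": "2017-12-01T09:00:00", "host": "10.0.0.5", "type": "software_installed",
     "detail": "svchost_update.exe"},
    {"ts": "2017-12-01T09:04:00", "host": "10.0.0.5", "type": "logon", "user": "domadmin"},
    {"ts": "2017-12-01T09:10:00", "host": "10.0.0.5", "type": "flow",
     "dst": "203.0.113.45", "dport": 4444},
    {"ts": "2017-12-01T09:12:00", "host": "10.0.0.5", "type": "flow",
     "dst": "10.0.0.20", "dport": 3389},
    {"ts": "2017-12-01T11:00:00", "host": "10.0.0.7", "type": "flow",
     "dst": "10.0.0.21", "dport": 443},
    {"ts": "2017-12-01T11:30:00", "host": "10.0.0.7", "type": "logon", "user": "jdoe"},
]


def classify(event):
    """Return the indicator names that a single record raises (possibly none)."""
    hits = set()
    if event["type"] == "software_installed":
        hits.add("new_software")                 # endpoint management control
    elif event["type"] == "logon" and event.get("user") in PRIVILEGED_USERS:
        hits.add("privileged_logon")             # privileged user access control
    elif event["type"] == "flow":
        if event["dport"] not in PORT_BASELINE.get(event["host"], set()):
            hits.add("unusual_port")             # network anomaly control
        if event["dport"] in THREAT_FEED.get(event["dst"], set()):
            hits.add("threat_feed_match")        # public threat research control
    return hits


def correlate(events, window=WINDOW, min_indicators=3):
    """Slide a window over each host's indicators; the first time a host shows
    min_indicators distinct indicator types inside the window it becomes an
    offense.  Returns {host: {"first_seen": iso_timestamp, "indicators": [...]}}."""
    offenses = {}
    live = defaultdict(list)        # host -> [(timestamp, indicator), ...]
    for event in sorted(events, key=lambda e: e["ts"]):
        hits = classify(event)
        if not hits:
            continue
        ts = datetime.fromisoformat(event["ts"])
        host = event["host"]
        # drop indicators that have aged out of the window, then add the new ones
        live[host] = [(t, i) for t, i in live[host] if ts - t <= window]
        live[host].extend((ts, i) for i in sorted(hits))
        kinds = {i for _, i in live[host]}
        if len(kinds) >= min_indicators and host not in offenses:
            offenses[host] = {"first_seen": live[host][0][0].isoformat(),
                              "indicators": sorted(kinds)}
    return offenses


if __name__ == "__main__":
    for host, offense in correlate(SAMPLE_EVENTS).items():
        print(host, offense)
```

With the sample data, only 10.0.0.5 becomes an offense, and it does so at 09:10 when the flow to the feed-listed host adds the third and fourth indicator to the two already in its window; 10.0.0.7 only produces baseline traffic and an unprivileged logon and never crosses the threshold. Raising min_indicators or shortening the window demonstrates the trade-off every correlation rule has to make between missing a slow attacker and generating noise.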

© Copyright IBM Corp. 2017 418


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Appendix A A real-world scenario introduction to IBM QRadar SIEM
Apply Big Data to Security Intelligence and threat management

Slide diagram: data sources ordered along a maturity axis, from basic maturity (Logs, Events,
Alerts, Configuration information, System audit trails, Identity context, Network flows and
anomalies, External threat intelligence feeds) to optimized maturity (Full packet and DNS captures,
Web page text, Email and social activity, Business process data, Customer transactions).

Collection, storage, and processing
• Collection and integration
• Size and speed
• Enrichment and correlation

Analytics and workflow
• Visualization
• Unstructured analysis
• Learning and prediction
• Customization
• Sharing and export

Global intelligence
• Campaign identification
• IP reputation covering attacker, industry, and region
• Comparisons
• Anomaly detection

Generally, security intelligence has focused on real-time or near-real-time security analysis, but
now new motivations exist for extending the role of security intelligence.

First, data is available to be processed; security data will need to be persisted for longer times to
detect longer-running attack patterns. New cyberdata sources have more security relevance now,
such as DNS. Business application data can be correlated with security data and unstructured
content.

Second, there is the need for more advanced analytics that does not make sense to employ in a
real-time environment. Depth of analysis performed by sophisticated algorithms, such as
regression analysis or predictive algorithms, will be longer running and might offer greater security
insights. Newer analytical behaviors on the part of security analysts need to be supported.
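As an added example (not part of the IBM course material or the QRadar product), the following script shows one of the "longer-running attack patterns" that only persisted data can reveal: a host that contacts the same external address at a nearly constant interval for days. A per-event rule sees each contact as ordinary traffic; only a batch pass over the stored flow history can measure the regularity of the gaps between contacts. The flow record layout, the thresholds and the sample flows are constructed for this example.

```python
# Added example (not from the IBM course material or the QRadar product):
# a batch analysis that only makes sense over persisted flow data rather than
# in a real-time rule.  It flags host pairs that talk at nearly fixed
# intervals over several days, a low-and-slow pattern that a per-event rule
# cannot see.  The record layout, thresholds and sample flows are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed flow records covering three days: 10.0.0.5 contacts
    203.0.113.10 every six hours with a few minutes of jitter, while 10.0.0.8
    contacts 198.51.100.20 at irregular, user-driven times."""
    start = datetime(2017, 12, 1)
    flows = []
    for k in range(12):                          # 12 contacts at 6 h = 3 days
        jitter = timedelta(minutes=(k * 7) % 5)
        flows.append({"ts": start + timedelta(hours=6 * k) + jitter,
                      "src": "10.0.0.5", "dst": "203.0.113.10"})
    for hour in (1, 2, 9, 10, 26, 27, 28, 50, 55, 70):
        flows.append({"ts": start + timedelta(hours=hour),
                      "src": "10.0.0.8", "dst": "198.51.100.20"})
    return flows


def beacon_candidates(flows, min_contacts=8, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose inter-contact gaps are regular.
    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps; a small value means a near-constant period."""
    contacts = defaultdict(list)
    for flow in flows:
        contacts[(flow["src"], flow["dst"])].append(flow["ts"])
    candidates = {}
    for pair, stamps in contacts.items():
        stamps.sort()
        if len(stamps) < min_contacts:
            continue                              # too few samples to judge
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            candidates[pair] = {"contacts": len(stamps),
                                "mean_gap_hours": round(avg / 3600, 2),
                                "cv": round(cv, 3)}
    return candidates


if __name__ == "__main__":
    for pair, stats in beacon_candidates(build_sample_flows()).items():
        print(pair, stats)
```

The periodic pair is reported with a mean gap of six hours and a coefficient of variation close to zero, while the irregular browsing pair is rejected even though it has enough contacts. In practice the window would be days or weeks of archived flows, and the thresholds would be tuned against known-good periodic traffic such as update checks.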

A dynamic, integrated system to help detect and stop advanced threats


Attack chain: 1 Break-in, 2 Latch-on, 3 Expand, 4 Gather, 5 Exfiltrate

From the previous slides, you learned about the typical “attack chain.”

Having heard about the chaos throughout the overall IT security domain, you should now
understand that you must design a proper security solution that can help you prevent some of the
break-ins, and quickly detect the remaining ones to devise proper responses to mitigate the overall
impact to your IT operations.

The IBM QRadar solution focuses mainly on the Detect phase.

From here, you can cycle back to Unit 1: Introduction

Summary
Now you should be able to perform the following tasks:
• Investigate the anatomy of an attack

Appendix B IBM QRadar architecture

Understanding the architecture of the IBM QRadar ecosystem is relevant for everyone in IT
Security who is concerned with solutions in the overall security immune system. By learning how
the central Security Intelligence components are designed to take in and process log events and
flow data, you will be better equipped to holistically work as a Security Analyst.

In this unit we start at the functional architecture level and explain how IBM QRadar was designed
as a modular Security Intelligence solution from the ground up. After taking a look at this modular
design, its extensibility and deployment pattern, we closely examine the component architecture so
that the analyst understands how data is ingested and processed. When the analysts later examine
bits and pieces of a larger security incident investigation, this architectural understanding can
substantially enhance their capability for detailed and fast analysis.

Objectives
In this unit, you learn to perform the following tasks:
• Describe QRadar functional architecture and deployment models
• Describe QRadar SIEM component architecture

Lesson 1 QRadar functional architecture and deployment models

This lesson explains the QRadar functional architecture and deployment models. It shows how
IBM QRadar was designed as a modular Security Intelligence solution from the ground up.
Functional solution requirements


• IT Log Management
– Collect and securely archive log event and network flow records for forensic analysis
• IT Regulatory Compliance
– Collect and securely archive log records for audit and compliance
– Generate reports required by internal or external regulations to successfully pass compliance audits
• IT Internal monitoring
– Frequently collect, correlate, and analyze data to alert on security policy violations
• Security breach detection
– Analyze data to detect and alert on IT security risk management related issues

In order to describe the functional components of the IBM QRadar solution you need to understand
the basic functional requirements for an overall SIEM solution.

The first requirement addresses IT log management for forensic analysis. The archived event and
network flow records are used to analyze incidents and gather evidence. The data must be
collected and stored reliably in its original format to stand up as evidence in a court of law or to be
used for compliance reporting. Also, the data must be archived for several years and it must be
searchable.

To fulfill the compliance audit requirement, the archived data is used to prove that relevant audit
information has been collected and securely stored. Furthermore, the data must be used to create
reports required by the regulation, and the regulatory compliance reports must be stored for a
period of time.

The next requirement addresses IT internal monitoring to alert on security policy violations. This in
itself requires an organizational IT Security Policy that defines appropriate use of the IT
environment. High risk offenses to the policy must be identified and reported upon, and offenses
must be managed. IT usage that is not in compliance with the policy must be reported upon.

The most prevalent requirement today, however, revolves around IT security risk management for
the overall organization. All of the previously described functional requirements apply here as well.
In addition, an extensive knowledge of the IT environment, and the threats to which it is exposed, is
required. To perform anomaly detection it is also necessary to understand data patterns within the
captured events and network flows.
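The following script is an added example, not part of the IBM course material and not how QRadar stores its data. It illustrates two of the log-management requirements above in a form a practitioner can test: records are kept byte-for-byte in their original format, and every record's SHA-256 digest covers the previous record's digest, so any later modification, insertion or deletion is detectable when the archive is verified (the property that lets archived logs be presented as evidence). The class name, the digest layout and the sample syslog lines are constructed for this example.

```python
# Added example (not from the IBM course material or the QRadar product):
# an append-only archive of raw log records protected by a SHA-256 hash chain.
# Records are stored unchanged; each entry's digest covers its sequence number,
# the previous entry's digest and the raw text, so tampering with or removing
# any earlier record breaks verification.  Sample log lines are constructed.
import hashlib

# Constructed syslog-style records as they would arrive from log sources.
SAMPLE_LOGS = [
    "<14>Dec  1 09:00:01 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443",
    "<14>Dec  1 09:00:07 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=203.0.113.45 PROTO=TCP DPT=4444",
    "<13>Dec  1 09:04:12 dc01 sshd[2211]: Accepted publickey for domadmin from 10.0.0.5 port 50122",
]


class LogArchive:
    """Append-only store of raw records linked by a hash chain."""
    GENESIS = "0" * 64          # digest "before" the first record

    def __init__(self):
        self.entries = []       # list of {"seq", "raw", "prev", "digest"}
        self.head = self.GENESIS

    @staticmethod
    def _digest(seq, raw, prev):
        # Sequence number and previous digest are bound into the hash so that
        # reordering or deleting entries is detected, not only edits.
        return hashlib.sha256(f"{seq}\n{prev}\n".encode() + raw.encode()).hexdigest()

    def append(self, raw):
        """Store a record in its original form and advance the chain head."""
        seq = len(self.entries)
        digest = self._digest(seq, raw, self.head)
        self.entries.append({"seq": seq, "raw": raw, "prev": self.head, "digest": digest})
        self.head = digest
        return digest

    def verify(self):
        """Recompute every digest from the stored raw text.
        Returns (True, None) for an intact chain, else (False, first_bad_seq);
        a missing tail shows up as (False, None) because the head no longer matches."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry["seq"], entry["raw"], prev) != entry["digest"]:
                return False, entry["seq"]
            prev = entry["digest"]
        return prev == self.head, None

    def search(self, needle):
        """Simple substring search returning the untouched raw records."""
        return [e["raw"] for e in self.entries if needle in e["raw"]]


def build_archive(lines=SAMPLE_LOGS):
    """Ingest the constructed records into a fresh archive."""
    archive = LogArchive()
    for line in lines:
        archive.append(line)
    return archive


if __name__ == "__main__":
    archive = build_archive()
    print("intact:", archive.verify())
    print("hits:", archive.search("DPT=4444"))
```

A real deployment would write the entries to write-once storage and periodically anchor the current head digest somewhere the archive operator cannot rewrite (a signed timestamp or an external notary), because a chain alone does not stop someone who controls the whole store from rebuilding it from scratch.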

An integrated, unified architecture in a single console

The QRadar console is the central interface for all analyst related tasks. It provides a number of
tabs that allow insight into different views of the collected and correlated data.

No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console, with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.

• Dashboard
The Dashboard tab allows an organization to define many different views into the collected and
processed data. QRadar provides many predefined dashboards, but you can create and
maintain your own.
• Offenses
Use the Offenses tab to view all the offenses that occur on your network and complete the
following tasks:
– Investigate offenses, source and destination IP addresses, network behaviors, and
anomalies on your network
– Correlate events and flows that are sourced from multiple networks to the same destination
IP address
– Go to the various pages of the Offenses tab to investigate event and flow details
– Determine the unique events that caused an offense
• Log Activity

The Log Activity tab displays event information as records from a log source, such as a firewall
or router device. Use the Log Activity tab to do the following tasks:
– Investigate event data
– Investigate event logs that are sent to QRadar SIEM in real time
– Search events
– Monitor log activity by using configurable time-series charts
– Identify false positives to tune QRadar SIEM
• Network Activity
If the content capture option is enabled, the Network Activity tab displays information about
how network traffic is communicated and what was communicated. Here, you can do the
following tasks:
– Investigate the flows that are sent to QRadar SIEM in real time
– Search network flows
– Monitor network activity by using configurable time-series charts
• Assets
QRadar automatically creates asset profiles by using passive flow data and vulnerability data to
discover your network servers and hosts.
Asset profiles provide information about each known asset in your network, including the
services that are running. Asset profile information is used for correlation purposes, which helps
to reduce false positives.
Use the Assets tab to do the following tasks:
– Search for assets
– View all the learned assets
– View identity information for learned assets
– Tune false positive vulnerabilities
• Reports
Report templates are grouped into report types, such as compliance, device, executive, and
network reports. Use the Reports tab to complete the following tasks:
– Create, distribute, and manage reports for QRadar SIEM data
– Create customized reports for operational and executive use
– Combine security and network information into a single report
– Use or edit preinstalled report templates
– Brand your reports with customized logos. Branding is beneficial for distributing reports to
different audiences
– Set a schedule for generating both custom and default reports
– Publish reports in various formats
• Vulnerabilities
If the QRadar Vulnerability Manager license has been deployed, you will see a Vulnerabilities
tab, which you can use for the following tasks:
– Create and manage Scan Policies and Scan Profiles
– Execute vulnerability scans for your deployed assets
– Create, distribute, and manage vulnerability reports to stakeholders
– Integrate with endpoint management systems to fix vulnerabilities
• Admin
The Admin tab provides all tools to manage and maintain the QRadar deployment. Analysts
typically do not have access to these tools.

The example in this screen shot depicts the integration of the QRadar console with QRadar
Vulnerability Manager on the Dashboard tab.

Designed to integrate Log Management, SIEM, Vulnerability and Risk Management, Incident
Forensics, and an extensible application framework into one solution, QRadar Security Intelligence
can deliver a large log management scale without any compromise on SIEM “Intelligence.”

As a QRadar analyst you can switch from log events, to network flows, to risk and compliance
policy reports and prioritized lists of network wide vulnerabilities, and complete analysis of incidents
after an offense has occurred. This allows an organization to reduce the time before an initial
breach is detected and avoid the actual exploit.

Identifying suspected attacks and policy violations


Slide diagram: the questions an analyst can answer from an offense record.
• What was the attack?
• Is the attack credible?
• How valuable are the targets to the business?
• Where are they located?
• Who was responsible for the attack?
• What was stolen and where is the evidence?
• Are any assets vulnerable?
• How many targeted assets are involved?

IBM QRadar SIEM can analyze large amounts of data and uses context to transform it into useful,
actionable information as is depicted in this slide.

Here is what you can see as a security analyst when you begin to investigate an offense record that
was triggered by a correlation rule. You can quickly investigate the who, what, and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.

IBM QRadar SIEM provides strong event-management and analysis capabilities and is very
effective in detecting threats because it can leverage a broad range of data, analyze it, and apply
context from an extensive range of sources. This helps to reduce false positives, report on actual
exploits, and show what kind of activity is taking place. This can result in faster threat detection and
response.

QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context
in which systems are operating. That context includes security and network device logs,
vulnerabilities, configuration data, network traffic telemetry, application events and activities, user
identities, assets, geolocation, and application content. This activity generates a staggering amount
of data, which makes the automation in QRadar very important because it can correlate this large
amount of data down to a small number of actionable offenses.

QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.

QRadar uses intelligence, automation, and analytics to provide actionable security information
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, vulnerabilities, evidence for forensics, and so on.

Providing functional context


To enable security analysts to perform investigations, QRadar SIEM correlates information such as:
• Point in time
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics

The previous slide showed what a typical security analyst can see after QRadar SIEM analyzed
large amounts of data and used context to transform this data into useful, actionable information.

This slide provides an overview of where all this data is coming from.
• Point in time
Everything that QRadar investigates needs to provide an exact point in time. This timestamp
allows QRadar to correlate the most complex relationships between disparate log sources and
network flows to present those as one connected event.
• Offending users
QRadar extracts user information wherever possible, allowing an analyst to further investigate
individual users. QRadar also uses this information for user behavioral analytics.
• Origins
The origin represents the starting point for all QRadar correlation activity. The origin is captured
as an IP address.
• Targets
The target represents the final point for all QRadar correlation activity. The target is captured as
an IP address.
• Asset information
QRadar maintains a centralized asset database that is used to record a variety of details for
each asset that has been discovered. Assets can be discovered in two ways. Actively, by using

vulnerability scans with QRadar Vulnerability Manager, or passively through network flow
records. Asset data can also be imported by using other enterprise tools for asset management.
Details can include IP address, host name, running applications and services, as well as
vulnerabilities.
• Vulnerabilities
QRadar maintains a list of vulnerabilities for each asset. These can either be discovered by
using QRadar Vulnerability Manager or any other third-party vulnerability management solution.
Asset-related vulnerabilities are used for QRadar correlations and analytics, and they can
influence several factors throughout the incident management process.
• Known threats
QRadar is able to connect to external threat feeds, such as the IBM X-Force Exchange. This
threat information can also be used for QRadar correlations and analytics to influence the
incident management process.
• Behavioral analytics
By combining some of the data mentioned above with other information collected across the
enterprise, QRadar can analyze user behavior and alert whenever abnormal activity is detected.
• Cognitive analytics
After all this data has been correlated it is presented to the analysts in the QRadar Console. If a
particularly important threat is discovered, an analyst has to investigate it with the utmost urgency.

To support this task QRadar now provides Cognitive Analytics. This capability augments a security
analyst's ability to identify and understand sophisticated threats, by tapping into unstructured data
(such as blogs, websites, research papers) and correlating it with local security offenses.

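The following script is an added example and is not part of the IBM course material; it does not reproduce QRadar's data model or its offense scoring. It makes the context list above concrete: a raw event carrying only a timestamp, two IP addresses and a port is enriched with the user last seen on the origin, the asset profile and vulnerabilities of the target, and a threat-feed lookup, and the enriched record is then turned into a priority score so that an exploit attempt against a vulnerable, business-critical server outranks a routine connection to an unknown host. The asset table, identity map, threat feed, vulnerability identifier and scoring weights are all constructed assumptions.

```python
# Added example (not from the IBM course material or the QRadar product):
# enriching one raw event with the context types listed above (time, user,
# origin, target, asset profile, vulnerabilities, known threats) and turning
# the result into a priority score.  The asset table, identity map, threat
# feed and the scoring weights are all constructed assumptions for this
# example, not QRadar's own data model or magnitude algorithm.
from datetime import datetime

# Constructed asset database: what each known host runs and how important it is.
ASSETS = {
    "10.0.0.20": {"hostname": "web01", "services": {80, 443}, "weight": 8,
                  "vulns": {"VULN-WEB-001"}},          # constructed vulnerability id
    "10.0.0.5":  {"hostname": "ws-0042", "services": set(), "weight": 3,
                  "vulns": set()},
}
IDENTITY = {"10.0.0.5": "domadmin"}                    # IP -> last observed user
THREAT_FEED = {"203.0.113.45": "known C2 host (constructed feed entry)"}


def enrich(event):
    """Attach the correlation context to a raw event record."""
    target = ASSETS.get(event["dst"], {})
    return {
        "time": datetime.fromisoformat(event["ts"]),
        "origin": event["src"],
        "target": event["dst"],
        "user": IDENTITY.get(event["src"]),
        "target_asset": target.get("hostname"),
        "target_vulns": sorted(target.get("vulns", set())),
        # an attack on a port the target really serves is more credible
        "service_exposed": event["dport"] in target.get("services", set()),
        "known_threat": THREAT_FEED.get(event["src"]) or THREAT_FEED.get(event["dst"]),
    }


def score(context, base_severity):
    """Constructed scoring: how much the business cares about the target
    (relevance) plus how believable the event is (credibility), averaged with
    the log source's own severity and capped at 10."""
    relevance = ASSETS.get(context["target"], {}).get("weight", 1)
    credibility = 1
    credibility += 2 if context["service_exposed"] else 0
    credibility += 3 if context["target_vulns"] else 0
    credibility += 3 if context["known_threat"] else 0
    return min(10, round((base_severity + relevance + credibility) / 3))


# Constructed events: an IDS-style alert against the web server, and an SSH
# connection from a workstation to a host not in the asset database.
SAMPLE_EVENTS = [
    {"ts": "2017-12-01T09:10:00", "src": "203.0.113.45", "dst": "10.0.0.20",
     "dport": 443, "name": "web exploit attempt", "severity": 7},
    {"ts": "2017-12-01T09:12:00", "src": "10.0.0.5", "dst": "10.0.0.21",
     "dport": 22, "name": "ssh login", "severity": 7},
]


def prioritize(events):
    """Enrich and score every event; highest score first.
    Returns a list of (score, event name, enriched context)."""
    rows = []
    for event in events:
        context = enrich(event)
        rows.append((score(context, event["severity"]), event["name"], context))
    return sorted(rows, key=lambda row: row[0], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SAMPLE_EVENTS):
        print(row[0], row[1], row[2]["target_asset"], row[2]["user"])
```

Both sample events arrive with the same source severity; only the context separates them. The workstation event still carries the privileged user name picked up from the identity map, which is the kind of detail an analyst needs when deciding whether the lower-scored event deserves a second look.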

Network flow analytics


• Provides insight into raw network traffic: attackers can interfere with logging to erase their
tracks, but they cannot cut off the network (flow data)
• Allows deep packet inspection for Layer 7 flow data: pivoting, drill-down, and data-mining
activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems

While log events are critical, they can leave gaps in visibility. When attackers compromise an IT
system, they first turn off logging to obfuscate their tracks. Traditional SIEMs are blind at this point.
However, no attacker can disable the network, or they cut themselves off as well.

Network flow analytics in QRadar allows deep packet inspection for OSI Layer 7 flow data, which
can contain very helpful information for advanced forensics. Network flow information helps to
detect communication flow anomalies, zero-day attacks that have no signature yet, and provides
visibility into all attacker communications.

Using passive monitoring, flow analytics builds up an asset database and profiles your assets. For
example, an IT system that has responded to a connection on port 53 UDP is obviously a DNS
server. Another IT system that has accepted connections on ports 139 or 445 TCP is a Windows
server.

Adding application detection can confirm this not only at a port level, but the application data level
as well.

Source: To learn more about the OSI Layer model please visit:
http://searchnetworking.techtarget.com/definition/OSI
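The following script is an added example, not part of the IBM course material and not QRadar's own profiler. It implements the passive profiling idea in the text: a host is only credited with a service when bytes actually flow back from it on that port (a connection attempt that gets no answer proves nothing), and the resulting service list is mapped to a role such as DNS server or Windows server using the port examples above. The flow record layout, the port-to-role table and the sample flows are constructed for this example.

```python
# Added example (not from the IBM course material or the QRadar product):
# passive asset profiling from flow records.  A host that answers on a port
# (bytes flowing back from the destination) is recorded as offering that
# service; well-known ports are mapped to a role.  The record layout, the
# port-to-role table and the sample flows are constructed for this example.
from collections import defaultdict

# Constructed mapping of well-known server ports to a role label.
PORT_ROLES = {
    ("udp", 53): "dns",
    ("tcp", 139): "windows",
    ("tcp", 445): "windows",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
}

# Constructed flows: (src, dst, proto, dport, bytes src->dst, bytes dst->src).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.53", "udp", 53, 64, 180),      # answered DNS query
    ("10.0.0.7", "10.0.0.53", "udp", 53, 60, 0),        # unanswered: no evidence
    ("10.0.0.5", "10.0.0.40", "tcp", 445, 1500, 9000),  # SMB session
    ("10.0.0.9", "10.0.0.40", "tcp", 139, 400, 1200),   # NetBIOS session
    ("10.0.0.5", "10.0.0.20", "tcp", 443, 700, 52000),  # HTTPS download
    ("10.0.0.5", "10.0.0.77", "tcp", 4444, 300, 300),   # unknown service
]


def profile_assets(flows, min_responses=1):
    """Return {host: {"services": [(proto, port), ...], "roles": [...]}} built
    only from hosts that responded as servers at least min_responses times."""
    responses = defaultdict(lambda: defaultdict(int))   # dst -> (proto, port) -> count
    for src, dst, proto, dport, bytes_fwd, bytes_rev in flows:
        if bytes_rev <= 0:
            continue   # the destination never answered, so it is not a server here
        responses[dst][(proto, dport)] += 1

    profiles = {}
    for host, counts in responses.items():
        services = {svc for svc, n in counts.items() if n >= min_responses}
        roles = {PORT_ROLES[svc] for svc in services if svc in PORT_ROLES}
        profiles[host] = {"services": sorted(services), "roles": sorted(roles)}
    return profiles


if __name__ == "__main__":
    for host, profile in sorted(profile_assets(SAMPLE_FLOWS).items()):
        print(host, profile)
```

The host on 10.0.0.77 ends up with a recorded service on an unknown port and no role, which is exactly the kind of entry an analyst wants to see in an asset profile: the profiler reports what it observed rather than guessing. Raising min_responses trades slower profile building for fewer one-off artifacts.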

Extensible functional architecture

Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson

The QRadar functional architecture is extensible by design. The framework allows you to add on
additional functionality as needed in an organization.

Security Analysts today are more and more overwhelmed by the amount of data that requires
investigation and by the mounting time pressure to act. Cognitive analytics augments your analysts’
knowledge and insights with QRadar Advisor with Watson to speed up analysis with visuals, query,
and auto-discovery across the platform where you can inspect events, flows, users, and more by
tapping into unstructured data (such as blogs, websites, research papers) and correlating it with
local security offenses.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Cognitive Analytics now.
Cognitive Analytics: Revolutionizing how security analysts work


• Natural language processing with security that understands, reasons, learns, and interacts

Slide caption: Watson determines the specific campaign (Locky), discovers more infected endpoints,
and sends results to the incident response team.

The cognitive era is here. “Digital everything” means that technology’s number one job in business
now is handling and responding to data. Cognitive capabilities are being applied to security to
establish a relationship between machines and humans. The role of technology can now change
from enabler to advisor. We are ushering in this new era of cognitive security to out-think and
outpace threats with security that understands, reasons, and learns.

IBM Watson enables fast and accurate analysis of security threats, saving precious time and
resources. This empowers the analysts to perform faster investigations and clear their backlog
easier. It will also help to increase the investigative skills for individual analysts over time.

With the help of IBM Watson, security analysts will be able to spend less time on the mundane
tasks of manual and time consuming threat analysis, and more time being human.
Extensible functional architecture

Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson

Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps

QRadar provides open APIs to allow for custom integrations and applications, which can be found
at the IBM Security App Exchange. One example here is the User Behavior Analytics app, which is
available free of charge and provides early visibility to insider threats.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Open Ecosystem now.
Open Ecosystem and Collaboration


• Application extensions to enhance visibility and productivity

https://exchange.xforce.ibmcloud.com

Today’s attackers share tools. They collaborate in creating malware that is difficult to discover.

On the defensive side, organizations have to deal with a large number of siloed security solutions
from an equally large number of vendors. It is estimated that an average enterprise can have up to
85 security products from 40 vendors. With this mix, it is difficult to link the products together so
they can support each other.

To fill this gap, IBM has introduced the IBM Security App Exchange. The exchange is a marketplace
for the security community to create and share applications that integrate with IBM Security
solutions. The first offering in which customers, business partners, and other developers can build
custom apps is QRadar.

Releasing application programming interfaces (APIs) and software development kits for QRadar
fosters the integration with third-party technologies. This provides organizations with better visibility
into more types of data, and also offers new automated search and reporting functions that can
help security specialists focus on the most pressing threats.

The IBM Security App Exchange has a number of customized apps that extend security analytics
into areas like user behavior, endpoint data, and incident visualization.

Before releasing an app, IBM Security closely tests every application to ensure the integrity of these
community contributions.

In the future the App Exchange will offer the opportunity to produce apps for additional IBM Security
products.

Extensible functional architecture

Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson

Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps

Deep Threat Intelligence and Analysis
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative portal and STIX / TAXII standards

You can further extend the QRadar functionality with threat intelligence data and analytic functions
from the IBM X-Force Exchange and the IBM i2 Enterprise Insight Analysis solution.

These functional extensions greatly support the security analysts in their daily tasks. Let us take a
closer look at the Deep Threat Intelligence and Analysis now.
Deep Threat Intelligence

• Crowd-sourced information sharing based on 700+TB of threat intelligence

https://exchange.xforce.ibmcloud.com
One element that attackers have mastered is collaboration. According to the United Nations Office on Drugs and Crime, up to 80% of cybercrime acts are estimated to originate in some form of organized activity. Cyber criminals have learned to collaborate. They share vulnerability, targeting, and countermeasure information. They also share tools to ensure that their attacks can be successful. Collaboration is a force multiplier for the hacking community. Organizations have been using threat intelligence in an effort to stay abreast of the threats, but these efforts are limited.

To succeed requires much more information, shared among security professionals, researchers, and practitioners.

IBM has built a collaboration platform called the X-Force Exchange to facilitate the collaboration that allows organizations to have a much greater understanding of threats and actors. X-Force Exchange is a cloud-based threat intelligence sharing platform that enables users to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts, and collaborate with peers. IBM X-Force Exchange provides timely, curated threat intelligence insights, which add context to machine-generated data. The platform facilitates making connections with industry peers to validate findings and research threat indicators.

Leveraging the open and powerful infrastructure of the cloud, users can collaborate and tap into over 700 terabytes of information from multiple data sources. This includes one of the largest and most complete catalogs of vulnerabilities in the world, threat information based on monitoring of more than 15 billion security events per day, and malware threat intelligence from a network of 270 million endpoints. This threat information is based on over 25 billion web pages and images and deep intelligence on more than 8 million spam and phishing attacks.

Source: https://exchange.xforce.ibmcloud.com


Scalable appliance/software/virtual architecture

SIEM
• Log, flow, vulnerability, and identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight and forensics
• Physical and virtual environments

Network Insights
• Configurable network traffic analysis for real time threat detection and long-term retrospective analysis

Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning and prioritization
• Predictive threat modeling and simulation

Scalability
• Event processors for remote site
• High Availability and Disaster Recovery (HADR)
• Data node to increase storage and performance

Network Forensics (Incident Forensics)
• Reconstructs network sessions
• Data pivoting and visualization tools
• Accelerated clarity around who, what, and when


Security Intelligence can be delivered through a family of QRadar products.

• For many organizations, the starting point is to address the log management challenge, which is why IBM offers a family of “log management only” appliances. These log management appliances can be upgraded to full SIEM capability by configuring an additional license key.
• The full SIEM implementation provides integration of log management with threat, fraud, network, and security intelligence. Network activity data, vulnerability assessment, and external threat data are added as data sources along with sophisticated correlation and behavioral analytics.
• For application layer visibility and forensic content capture, the QFlow and VFlow flow collectors can be deployed in physical or virtual infrastructures. These appliances provide extensive application-level surveillance of all activity at key locations.
• QRadar Network Insights can provide configurable network traffic analysis for real-time threat detection and long-term retrospective analysis to detect insider threats, data exfiltration, and malware activity.
• Risk and Vulnerability Management capabilities can be activated by configuring additional license keys. Risk Manager requires an additional dedicated appliance as well, while Vulnerability Manager can be deployed on existing appliances. Risk Manager provides network security configuration monitoring, while Vulnerability Manager focuses on vulnerability scanning and prioritization. Together they can be used for predictive threat modeling and simulation.
• For some organizations, the full SIEM scale can be met with a single appliance; for others who have higher scale, or remote collection and storage requirements, QRadar processors enable massive deployments. This horizontal, stackable expansion supports a massive scale and geographic distribution, while maintaining exactly the same user experience.

Network Forensics appliances allow you to fully reconstruct network sessions that can provide clarity around questions like “who”, “what”, and “when” in great detail.

.R ial
.N c
C pe
to es
ec n
oy cio
pr a
rm
Fo

© Copyright IBM Corp. 2017 441


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Appendix B IBM QRadar architecture
Lesson 1 QRadar functional architecture and deployment models

Uempty

Deployment models

[Diagram: an All-in-One appliance (2100/31XX) compared with a distributed deployment made up of a Console (31XX), Event Processors (16XX), Flow Processors (17XX), and QFlow Collectors (12XX/13XX)]

All-in-One is a single appliance used to collect events and flow data from various security and network devices, perform data correlation and rule matching, report on alerts and threats, and provide all administrative functions through a web browser.

A Distributed deployment consists of multiple appliances for different purposes:
• Event Processor to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network devices; optional QFlow Collector is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all administrative functions


Based on the previously introduced functional requirements and the layout of an organization’s IT infrastructure, different types of appliances are available to address different deployment models.

The selection depends on the amount of collected and processed events, data storage estimations, high availability and disaster recovery requirements, organizational network topology, and other factors.

An all-in-one deployment uses a single appliance to collect events and flow data from various security and network devices, perform data correlation and rule matching, report on alerts and threats, and provide all administrative functions through a web browser.

A distributed deployment consists of multiple appliances for different purposes. You can deploy Event Collectors and Processors to collect, process, and store log events. Flow Collectors and Processors are used to collect, process, and store several kinds of flow data generated from network devices, and optionally, you can deploy QFlow Collectors to collect Layer 7 application data. A Console is used to correlate data from managed processors, generate alerts and reports, and provide all administrative functions.

The remainder of this course material does not pay any closer attention to the exact appliance configurations and models that are currently available.

Lesson 2 QRadar SIEM component
architecture


This lesson describes the high-level architecture of the major IBM QRadar SIEM components,
including the flow collector, event collector, event processor, and console. You also learn about the
flow of a captured event.

Architecture overview

• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
• Dissecting the flow of a captured event

High-level component architecture and data stores

[Diagram: Console services (User interface, Magistrate, Reporting) over the Console data stores (Identities, Assets, Offenses, Configuration); below them an Event processor holding Flows, Events, and Accumulations, fed by a Flow collector (network packet interface, sFlow, and 3rd party) and an Event collector (events from log sources)]

• Flow and event data is stored in the Ariel database on the event processors
  – If accumulation is required, accumulated data is stored in Ariel accumulation data tables
  – As soon as data is stored, it cannot be changed (tamper proof)
  – Data can be selectively indexed
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
  – Provides one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported


Let us begin by looking at the high-level architecture one more time. (We have already done this briefly on slide 5.)

Events from individual log sources and network flow data are collected by the QRadar Event and Flow Collectors. Once the flow and event data is forwarded to the Event Processor, it is stored in the Ariel database on the Event Processor. If accumulation is required, the accumulated data is stored in Ariel accumulation data tables. To fulfill the tamper-proof data storage aspects of compliance mandates, data cannot be changed as soon as it is stored in the Ariel database. At any point in time, data can be selectively indexed to support specific search and report requirements.

Once the Event Processor is finished processing, the data is passed on to the QRadar Console, where further consolidated processing occurs. Offenses, assets, identity, and configuration information are stored in the master PostgreSQL database on the Console. There is one master database with optional copies on each processor for backup and automatic restore.

Secure SSH communication between appliances in a distributed environment is supported.


Flow collector architecture

[Diagram of the QFlow pipeline, bottom to top: raw data packets received (NetFlow, sFlow, NIC, and so on) → flow data packets → Aggregator (enforce license limit) → Application Detection Module (appId = eventId) → Flow reporting and routing (create superflows) → to the Event Processor every 60 seconds]

• A flow is a record of a conversation between two devices on a network
• Flow data packets are collected from a variety of network device vendors and directly from the network interface
• Collected flow data can update asset profiles with the ports and services that are running on each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address 127.0.0.4/5
• (Custom) applications are detected
• Superflows are created
• QFlow provides Layer 7 insights into the payload if it is unencrypted
A network flow record provides information about a conversation between two devices using a specific protocol, and can include fields that provide details about the conversation. Examples include the source and destination IP addresses, the port, and other fields.

Flow data packets can be collected from a variety of network device vendors, and directly from the network interface. Collected flow data can update asset profiles with the ports and services that are running on each host. If a new host is detected through network flow data, a new asset is created in the QRadar Asset database.

Next in line is the Aggregator. This component enforces the license limit for the Flow Collector, which is measured in “flows per minute”, or FPM. If the license limit is exceeded, flows are temporarily stored in an overflow buffer, which will be processed with the next set of flows. Every log source protocol has an overflow buffer of 5 GB, and if the overflow buffer fills up, the additional flows are dropped.

The Application Detection Module uses four methods of determining the application of the flow.
• The first is the User Defined method. This method is mainly used when users have a proprietary application running on their network. For example, all traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication.
• The second method uses State-based decoders. This method is implemented in the source code. It determines the application by analyzing the payload for multiple markers; for example, if you see A followed by B, then application = X, and if you see A followed by C, then application = Y.
• The next method uses Signature matching. This method relies on basic string matching in the payload (see the Application Configuration Guide for signature customization).
• The final method uses Port-based matching. In this case, applications are matched based on their port use, for example, port 80 = http.

Finally, the flow data packets reach the Flow reporting and routing component. This component is responsible for creating superflows. A superflow stores only a single flow with the collection of IP addresses, which allows flows to be processed faster and to require less storage space. There are three types of superflows.
• Type A superflows contain a single source and multiple destination addresses with the same destination port, byte count, and source flags or ICMP codes. An example of a type A superflow is a network sweep.
• Type B superflows contain multiple source addresses and a single destination address with the same destination port, byte count, and source flags or ICMP codes. An example of a type B superflow is a Distributed Denial of Service attack.
• Type C superflows contain a single source and destination address with changing source and destination ports. An example of a type C superflow is a port scan.

Specific rule tests can leverage the flow type to determine if an offense needs to be created. The creation of superflows can be disabled.

Up to a configurable number of bytes, QFlow provides layer 7 insights into the payload if it is unencrypted. Using a tap or span port, QFlow collects raw packets and places them into 60-second chunks. QFlow can also receive layer 4 flows from other network devices in IPFIX/NetFlow, sFlow, J-Flow, Packeteer, and Flowlog file accounting technologies.

Note: The following slides contain some additional information about the Flows per minute burst handling, application detection, and Superflows. The explanations for these slides have already been incorporated in this overview slide.
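The four detection methods are easiest to understand as an ordered chain in which the first hit wins, with the port-based lookup as the fallback for encrypted or unknown traffic. The following Python is an added example written for this course material, not QRadar's own code: the flow record, the decoder and signature tables, and the sample flows are all constructed, and only the 10.100.100.42:443 = MySpecialApplication entry comes from the text.

```python
"""Toy application-detection chain: user-defined, state-based decoders,
signature matching, port-based; tried in that order, first hit wins.
Added example with constructed tables and flows; not QRadar code."""
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""   # first bytes of the unencrypted payload, if any


# Method 1: user-defined mappings for proprietary applications; this entry
# reproduces the example from the text.
USER_DEFINED = {("10.100.100.42", 443): "MySpecialApplication"}

# Method 2: state-based decoders, an ordered list of markers that must occur
# in that order ("A followed by B => X, A followed by C => Y"). Constructed.
STATE_DECODERS = [
    ("smtp-starttls", [b"EHLO ", b"STARTTLS"]),
    ("smtp", [b"EHLO ", b"MAIL FROM:"]),
]

# Method 3: signature matching, a plain substring anywhere in the payload.
SIGNATURES = [("http", b"HTTP/1."), ("ssh", b"SSH-2.0-")]

# Method 4: port-based matching, the last resort.
PORT_APPS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def markers_in_order(payload: bytes, markers: list) -> bool:
    """True if every marker occurs in the payload, each after the previous one."""
    pos = 0
    for marker in markers:
        idx = payload.find(marker, pos)
        if idx < 0:
            return False
        pos = idx + len(marker)
    return True


def detect_application(flow: Flow):
    """Return (application, method) for one flow, or ("unknown", None)."""
    app = USER_DEFINED.get((flow.dst_ip, flow.dst_port))
    if app:
        return app, "user-defined"
    for app, markers in STATE_DECODERS:
        if markers_in_order(flow.payload, markers):
            return app, "state-based"
    for app, signature in SIGNATURES:
        if signature in flow.payload:
            return app, "signature"
    app = PORT_APPS.get(flow.dst_port)
    if app:
        return app, "port-based"
    return "unknown", None


# Constructed sample flows, one per method plus an undetectable one.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.100.100.42", 443, payload=b"\x16\x03\x01"),            # user-defined beats port
    Flow("10.0.0.6", "10.0.0.25", 25, payload=b"EHLO a\r\nMAIL FROM:<x@a>\r\n"),  # state-based, branch B
    Flow("10.0.0.6", "10.0.0.25", 25, payload=b"EHLO a\r\nSTARTTLS\r\n"),       # state-based, branch C
    Flow("10.0.0.7", "10.0.0.30", 8080, payload=b"GET / HTTP/1.1\r\n"),          # signature, odd port
    Flow("10.0.0.8", "10.0.0.31", 443),                                          # encrypted: port only
    Flow("10.0.0.9", "10.0.0.32", 9999),                                         # nothing matches
]


def detect_all(flows=SAMPLE_FLOWS):
    return [detect_application(f) for f in flows]


if __name__ == "__main__":
    for flow, (app, method) in zip(SAMPLE_FLOWS, detect_all()):
        print(f"{flow.dst_ip}:{flow.dst_port} -> {app} ({method})")
```

The order matters: the TLS handshake to 10.100.100.42 is reported as MySpecialApplication because the user-defined table is consulted first, and the HTTP request on port 8080 is still recognized because signature matching runs before the port lookup.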


Flows per minute (FPM) burst handling

• Flows are temporarily stored in an overflow buffer if the FPM license is exceeded
• Every log source protocol has an overflow buffer of 5 GB
• If the overflow buffer fills up, the additional flows are dropped

Application detection

Methods of determining the application of the flow
• User defined
  – This method is mainly used when users have a proprietary application running on their network
  – For example: All traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication
• State-based decoders
  – This method is implemented in the source code and determines the application by analyzing the payload for multiple markers
  – For example: If you see A followed by B then application = X; if you see A followed by C, then application = Y
• Signature matching
  – Basic string matching in the payload
  – Custom signatures are allowed (see Application Configuration Guide for signature customization)
• Port-based matching (port 80 = http, and so on)

Superflows

• Types of superflows
  – Type A: Single SRC, Multiple DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes (for example, network sweeps)
  – Type B: Multiple SRC, Single DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes (for example, DDoS attacks)
  – Type C: Single SRC and DST, TCP/UDP Only, Changing SRC/DST ports (for example, port scans)
• Only store the single flow with the collection of IP addresses
• Specific rule tests can leverage the flow type to determine if an offense needs to be created
• Creation of superflows can be disabled
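The three superflow types in the slide above, and in the Flow reporting and routing description earlier, are three grouping keys applied to a batch of flows. The Python below is an added example written for this material, not QRadar's own implementation: the flow records are constructed, and the rule that a group needs at least three members before it is collapsed is an assumption of the example, not a QRadar setting.

```python
"""Toy superflow builder for one batch of flow records, following the three
types on the slide: A (single SRC, multiple DST), B (multiple SRC, single
DST), C (single SRC and DST, changing ports). Added example, not QRadar code;
the min_members threshold is an assumption."""
from collections import defaultdict


def flow(src, dst, sport, dport, proto="tcp", nbytes=60, flags="S"):
    """Constructed flow record; flags holds the TCP flags or the ICMP code."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "bytes": nbytes, "flags": flags}


def build_superflows(flows, min_members=3):
    """Return (superflows, singles). A superflow keeps one record plus the
    collection of addresses or ports it replaced; a flow consumed by one type
    is not considered again for the others."""
    consumed, superflows = set(), []

    # Type A: same source, destination port, byte count and flags; many destinations.
    groups = defaultdict(list)
    for i, f in enumerate(flows):
        groups[(f["src"], f["dport"], f["proto"], f["bytes"], f["flags"])].append(i)
    for (src, dport, proto, nbytes, flags), members in groups.items():
        dsts = sorted({flows[i]["dst"] for i in members})
        if len(dsts) >= min_members:
            consumed.update(members)
            superflows.append({"type": "A", "src": src, "dsts": dsts, "dport": dport,
                               "proto": proto, "bytes": nbytes, "flags": flags,
                               "count": len(members)})

    # Type B: same destination, destination port, byte count and flags; many sources.
    groups = defaultdict(list)
    for i, f in enumerate(flows):
        if i not in consumed:
            groups[(f["dst"], f["dport"], f["proto"], f["bytes"], f["flags"])].append(i)
    for (dst, dport, proto, nbytes, flags), members in groups.items():
        srcs = sorted({flows[i]["src"] for i in members})
        if len(srcs) >= min_members:
            consumed.update(members)
            superflows.append({"type": "B", "srcs": srcs, "dst": dst, "dport": dport,
                               "proto": proto, "bytes": nbytes, "flags": flags,
                               "count": len(members)})

    # Type C: one source/destination pair, TCP/UDP only, changing ports.
    groups = defaultdict(list)
    for i, f in enumerate(flows):
        if i not in consumed and f["proto"] in ("tcp", "udp"):
            groups[(f["src"], f["dst"], f["proto"])].append(i)
    for (src, dst, proto), members in groups.items():
        dports = sorted({flows[i]["dport"] for i in members})
        if len(dports) >= min_members:
            consumed.update(members)
            superflows.append({"type": "C", "src": src, "dst": dst, "proto": proto,
                               "dports": dports, "count": len(members)})

    singles = [f for i, f in enumerate(flows) if i not in consumed]
    return superflows, singles


# Constructed one-minute batch: a network sweep, a DDoS-style flood, a port scan,
# and one ordinary session that should pass through untouched.
SAMPLE_FLOWS = (
    [flow("10.0.0.1", f"10.0.1.{i}", 40000 + i, 22) for i in range(1, 6)]
    + [flow(f"10.0.2.{i}", "10.0.9.9", 50000 + i, 80, nbytes=40) for i in range(1, 5)]
    + [flow("10.0.0.7", "10.0.9.10", 41000 + p, p) for p in (21, 22, 23, 25, 110)]
    + [flow("10.0.0.3", "10.0.9.11", 51515, 443, nbytes=5000, flags="PA")]
)


def summarize(flows=SAMPLE_FLOWS, min_members=3):
    """Map superflow type -> member count, plus the number of pass-through flows."""
    superflows, singles = build_superflows(flows, min_members)
    return {sf["type"]: sf["count"] for sf in superflows}, len(singles)


if __name__ == "__main__":
    print(summarize())
```

Fifteen flows collapse to three superflow records and one ordinary flow; the type label survives on each record, which is what the rule tests mentioned on the slide can test against.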

Event collector architecture

[Diagram of the event collector pipeline, bottom to top: raw data packets received from log sources → Overflow filter (enforce license limit) → Traffic Analysis (log source detection) → Device Support Module (DSM) with log source parser threads and the DSM normalization filter → Coalescing filter → Event processor]

• Each event collector gathers events from local and remote sources
• EPS license is checked
• Log Sources are automatically discovered after record analysis in the Traffic Analysis module
• The event collector normalizes events and classifies them into low- and high-level categories
• Events are parsed by log source parser threads
• The event collector bundles identical events to conserve system usage through a process that is known as coalescing


Each Event Collector gathers events from local and remote log sources. Once the raw data packets have been received, the license limit is checked first. On the Event Collector, this limit is measured in Events per Second, or EPS. Events are temporarily stored in an overflow buffer if the EPS license is exceeded, and those events are processed during the next cycle. Should the overflow buffer fill up, the additional events are dropped, and a message is logged for the administrators.

Log Sources are automatically discovered after record analysis in the Traffic Analysis module. This is an essential module for automating a successful evaluation or deployment, because it categorizes traffic from devices that are unknown to the system. Log source detection creates a new QRadar log source if detection is successful on an IP address. The Traffic Analysis module only carries out detection on event protocols that are “pushed” to the event collector, for example, syslog.

After the correct log source has been detected, such as a Check Point firewall, the individual Device Support Modules begin to parse the events. First, the events are normalized, where source-specific data fields are mapped into QRadar terminology for further processing. The log source parser then extracts the log source event ID from the log record and maps it to a QRadar Identifier, or QID. The QID is a unique ID to which the extracted log source event ID is linked. Each QID relates to a custom event name and description, as well as severity and event category information. The event category information is structured into High Level Categories (HLC) and Low Level Categories (LLC). Every QID is linked to one of the low-level categories; for example, a valid category combination is “Authentication” (being a High Level Category) and “Admin Login Successful” (being a Low Level Category).

Finally, the coalescing filter can optionally bundle identical events to conserve system usage before handing the data off to the Event Processor.

Note: The following slides contain some additional information about the Autodiscovery of log sources, Log source parsing and QID mapping, and Events per second burst handling. The explanations for these slides have already been incorporated in this overview slide.


Autodiscovery of log sources

• Is an essential module for automating a successful evaluation or deployment
• Categorizes traffic from devices that are unknown to the system
• Creates a new log source if detection is successful on an IP address
• Carries out detection only on event protocols that are “pushed” to the event collector, for example, syslog

Log source parsing uses QID mapping

• The log source parser extracts the log source event ID from the log record
• The QID (QRadar identifier) is a unique ID to which the extracted log source event ID is linked
• Each QID number relates to a custom event name and description, as well as severity and event category information
• The event category information is structured into High Level Categories (HLC) and Low Level Categories (LLC); every QID is linked to one of the low-level categories

For example, "Authentication (HLC) - Admin Login Successful (LLC)" is a category combination

Events per second (EPS) burst handling

• Events are temporarily stored in an overflow buffer if the EPS license is exceeded
• Every log source protocol has an overflow buffer of 5 GB
• If the overflow buffer fills up, the additional events are dropped
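The Event Collector stages described in this lesson (EPS overflow filter, DSM parsing with QID mapping into HLC/LLC categories, and coalescing) fit into a short pipeline, and the same bounded-buffer logic is what the FPM burst handling slide describes for flows. The Python below is an added example written for this material, not QRadar code: the sshd regex stands in for a DSM, the QID numbers are placeholders, the syslog lines are constructed, and the "identical event" key and the 10-second coalescing window are assumptions of the example.

```python
"""Toy event-collector pipeline: EPS overflow filter with a bounded buffer,
DSM-style parsing with QID mapping, and coalescing. Added example, not
QRadar code; the regex, QID numbers, coalescing key and window are assumed."""
import re
from collections import defaultdict, deque


class OverflowFilter:
    """Admit up to eps_license events per second. Excess events wait in a
    buffer bounded by buffer_bytes and are admitted in later seconds; when
    the buffer is full, further events are dropped and the drop is logged."""

    def __init__(self, eps_license, buffer_bytes):
        self.eps, self.cap = eps_license, buffer_bytes
        self.buffer, self.buffered_bytes = deque(), 0
        self.dropped, self.log = 0, []

    def process_second(self, second, raw_events):
        admitted = []
        while self.buffer and len(admitted) < self.eps:     # backlog first
            ev = self.buffer.popleft()
            self.buffered_bytes -= len(ev)
            admitted.append(ev)
        for ev in raw_events:
            if len(admitted) < self.eps:
                admitted.append(ev)
            elif self.buffered_bytes + len(ev) <= self.cap:
                self.buffer.append(ev)
                self.buffered_bytes += len(ev)
            else:
                self.dropped += 1
                self.log.append(f"t={second}s: overflow buffer full, event dropped")
        return admitted


# Constructed DSM for OpenSSH syslog records.
SSHD_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<evid>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")
ADMIN_USERS = {"root", "admin"}
# (log source type, event ID) -> (QID, event name, severity, HLC, LLC). QIDs are placeholders.
QID_MAP = {
    ("sshd", "Accepted-admin"): (90001, "SSH Admin Login Succeeded", 3, "Authentication", "Admin Login Successful"),
    ("sshd", "Accepted"):       (90002, "SSH Login Succeeded", 1, "Authentication", "User Login Success"),
    ("sshd", "Failed"):         (90003, "SSH Login Failed", 3, "Authentication", "User Login Failure"),
}


def normalize(raw):
    """Parse one raw record into QRadar-style fields, or None if unparsed."""
    m = SSHD_RE.match(raw)
    if not m:
        return None
    event_id = m["evid"]
    if event_id == "Accepted" and m["user"] in ADMIN_USERS:
        event_id += "-admin"
    qid, name, severity, hlc, llc = QID_MAP[("sshd", event_id)]
    return {"qid": qid, "event_name": name, "severity": severity, "hlc": hlc, "llc": llc,
            "username": m["user"], "source_ip": m["src"], "log_source": m["host"]}


def coalesce(events, window=10):
    """Bundle events with the same log source, source IP, username and QID seen
    within `window` seconds into one record that carries an event count."""
    bundles, out = {}, []
    for t, ev in events:
        key = (ev["log_source"], ev["source_ip"], ev["username"], ev["qid"])
        bundle = bundles.get(key)
        if bundle and t - bundle["first_seen"] <= window:
            bundle["event_count"] += 1
        else:
            bundle = dict(ev, first_seen=t, event_count=1)
            bundles[key] = bundle
            out.append(bundle)
    return out


# Constructed arrivals: (second, raw syslog line).
SAMPLE = [
    (0, "Mar  3 10:00:00 bastion sshd[4242]: Failed password for bob from 10.1.1.5 port 50001 ssh2"),
    (0, "Mar  3 10:00:00 bastion sshd[4243]: Failed password for bob from 10.1.1.5 port 50002 ssh2"),
    (0, "Mar  3 10:00:00 bastion sshd[4244]: Failed password for bob from 10.1.1.5 port 50003 ssh2"),
    (1, "Mar  3 10:00:01 bastion sshd[4245]: Failed password for bob from 10.1.1.5 port 50004 ssh2"),
    (2, "Mar  3 10:00:02 bastion sshd[4246]: Accepted password for admin from 10.1.1.5 port 50007 ssh2"),
    (2, "Mar  3 10:00:02 bastion sshd[4247]: Accepted publickey for alice from 10.2.2.9 port 33000 ssh2"),
]


def run_pipeline(arrivals=SAMPLE, eps_license=2, buffer_bytes=4096, window=10):
    """Return (coalesced events handed to the event processor, the overflow filter)."""
    filt = OverflowFilter(eps_license, buffer_bytes)
    by_second = defaultdict(list)
    for sec, raw in arrivals:
        by_second[sec].append(raw)
    admitted = []
    for sec in range(max(by_second) + 3):        # extra seconds let the buffer drain
        for raw in filt.process_second(sec, by_second.get(sec, [])):
            ev = normalize(raw)
            if ev is not None:
                admitted.append((sec, ev))
    return coalesce(admitted, window), filt
```

With a 2 EPS license the third failure in second 0 is buffered and admitted in second 1, so nothing is lost and the four failures coalesce into one record with an event count of 4; with the buffer capacity set to 0 the same burst produces one logged drop, which is the condition the slide above describes.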

Event processor architecture

[Diagram of the event processor pipeline, bottom to top: event or flow sources received (from event collectors, flow collectors, and other Event Processors) → Overflow filter (enforce license limit) → Custom Rules Engine (CRE) → Exit filter (to the Magistrate) → Event storage filter (Events and Flows in Ariel) → Host profiler (new host or port event) → Accumulator (Accumulations in Ariel); the Magistrate and the Anomaly Detection Engine sit on the Console]

• EPS license is checked and enforced
• Every single event and flow is tested against all enabled rules in the rules engine
• New offenses can be triggered and sent to the Magistrate (see Console)
• Events and flows are stored in the events or flows Ariel database
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database (see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database


The Event Processor can receive event and flow data from Event and Flow Collectors as well as other Event Processors that may be distributed throughout the organization’s IT deployment. First, the Overflow Filter enforces the license in a similar way to the collectors.

Next, the Custom Rule Engine, or CRE, tests every single event or flow against all enabled rules. Matched rules can have responses or results. For example, a matched rule might trigger the creation of an offense, or create a new CRE event that triggers the creation of an offense. However, actual offenses are not created here at the Event Processor, but rather at the Console.

It is possible that multiple matched events, flows, and matched rules might correlate into a single offense. On the other hand, a single event or flow can also be correlated into multiple offenses.

By default, rules are tested against events or flows received by a single event processor (local rules). The Exit Filter sends on any events or flows that have been marked for further processing by the Magistrate component on the Console.

Every event and flow is then sent on to the Event Storage Filter, where they are stored in the events or flows Ariel database.

If a new port or host is detected at this time, an asset profile needs to be updated or created in the PostgreSQL database. The Host Profiler, or Host Profiling Filter, sends the collected information about the new host to the Console, so that a new asset can be created or updated.

Finally, if an analyst has defined any searches to collect and investigate specific sets of data, events and flow records are accumulated every minute and stored in the accumulator Ariel database. These accumulations create time-series statistical metadata that is used for Dashboards, event and flow forensics and searching, reporting, and the Anomaly Detection Engine on the Console. Accumulated time intervals can be defined as 1 minute, 1 hour, and 1 day. The Accumulator is a distributed component that operates on each Event Processor.

Note: The following slides contain some additional information about the Custom Rule Engine and the Accumulator. The explanations for these slides have already been incorporated in this overview slide.


Custom Rules Engine (CRE)

• Every single event or flow is tested against all enabled rules; matched rules can have a response or
result
• Matched rules might trigger the creation of an offense or create a CRE event that triggers the creation
of an offense
• Multiple matched events, flows, and matched rules might correlate into a single offense
• A single event or flow can be correlated into multiple offenses
• By default, rules are tested against events or flows received by a single event processor (local rules)
• Global cross correlation (GCC) allows rule testing across multiple event processors in the QRadar
SIEM deployment

Appendix: Extended component architecture and data flows
© Copyright IBM Corporation 2017

Accumulator

• Accumulations are defined by "grouped by" searches
• Accumulations create time-series statistical metadata (counts) that is used for the following purposes
  - Dashboards
  - Event and flow forensics and searching
  - Reporting
  - Anomaly and behavior alerts
• Accumulated intervals are 1 minute, 1 hour, and 1 day
• The Accumulator is a distributed component that operates on each event processor

Architecture overview

• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
• Dissecting the flow of a captured event

Console architecture

• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then
brought to the analyst's attention in the interface
• The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that
triggered the creation of an offense
• The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets
based on information from the EPs
• The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are
then used for offense evaluation

[Diagram: Console. Event sources received from the Event processors (Exit Filter, Ariel Query
Server, Host profiler, Accumulators) pass through the Overflow filter (enforce license limit) into the
Magistrate with its Custom rule engine; alongside it sit the Ariel Proxy Server, the Vulnerability
Information Server and the Anomaly Detection Engine, backed by the Offenses and Assets databases.]
The Console receives data from the deployed Event Processors for further analysis by the
Magistrate component, which creates and stores offenses in the PostgreSQL database. These
offenses are then brought to the analyst's attention in the user interface. The Magistrate instructs
the Ariel Proxy Server to gather information about all related events and flows that triggered the
creation of an offense. The collected data is then available for further investigation by the analyst.

If data is collected from multiple Event Processors, the Console's Custom Rules Engine can use
Global Cross Correlation to test rules on data from all deployed Event Processors. This helps to
locate more complex attacks that span the overall IT infrastructure and cannot be detected by a
single Event Processor on its own.

The Vulnerability Information Server (VIS) creates new assets, or adds open ports or discovered
services to existing assets, based on information from the Host Profiler on the Event Processors.
This happens when hosts, services, or vulnerabilities that cannot be mapped to existing assets are
discovered.

The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which
are then used for offense evaluation. There are three categories of Anomaly Detection rule types.
• The Threshold rule examines a numeric range: greater than, less than, or within a particular
range. This rule can help detect the bandwidth of an application, the number of users connected
to a VPN, or a large and unusual outbound data transfer.
• The Anomaly rule looks at a change in the short term when compared against a longer time
frame. This can help to locate new service activity or a change in the bandwidth volume on a
specific link.
• The Behavioral rule detects changes from the same time yesterday or last week. This includes
mail traffic, for example an increase in external SMTP server traffic, which could indicate a
relay. This rule can also be used for regular IT services, such as backup monitoring, where the
rule would trigger if a backup failed.
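The following is an added example, not code from the course or from QRadar. It models, in Python, what the Accumulator slide and the three ADE rule types above describe: per-minute counts from a "grouped by" search, rolled up into the 1 hour and 1 day tiers, and a threshold, an anomaly and a behavioral test run over that time series. The event records (two days of SMTP activity with a spike in the last three hours, and a backup job that runs on day 0 but not on day 1), the group names, the thresholds and the deviation ratios are all constructed for the example.

```python
"""Accumulator rollups and the three Anomaly Detection Engine rule types.

Added example, not QRadar code: a small model of what the Accumulator builds
from a "grouped by" search and how threshold, anomaly and behavioral rules
read that time series. Records, group values, thresholds and ratios are
constructed for this example.
"""
from collections import defaultdict

MINUTE, HOUR, DAY = 60, 3600, 86400
T0 = (1_700_000_000 // DAY) * DAY          # midnight boundary of the constructed data


def accumulate(records, key, interval):
    """Count records per (group value, bucket start): the Accumulator's
    time-series metadata at one interval size (here the 1 minute tier)."""
    counts = defaultdict(int)
    for rec in records:
        counts[(rec[key], (rec["ts"] // interval) * interval)] += 1
    return dict(counts)


def rollup(counts, interval):
    """Build a coarser tier (1 hour, 1 day) from an existing finer tier."""
    out = defaultdict(int)
    for (group, bucket), c in counts.items():
        out[(group, (bucket // interval) * interval)] += c
    return dict(out)


def series(counts, group):
    """Ordered (bucket, count) pairs for one group value."""
    return sorted((b, c) for (g, b), c in counts.items() if g == group)


def threshold_rule(points, low=None, high=None):
    """Threshold: buckets whose count is above `high` or below `low`."""
    return [b for b, c in points
            if (high is not None and c > high) or (low is not None and c < low)]


def anomaly_rule(points, short=3, long=24, ratio=3.0):
    """Anomaly: the last `short` buckets differ from the `long` buckets
    before them by more than `ratio` in either direction."""
    if len(points) < short + long:
        return False                       # not enough history to judge
    recent = sum(c for _, c in points[-short:]) / short
    base = sum(c for _, c in points[-short - long:-short]) / long
    if base == 0:
        return recent > 0
    return recent > base * ratio or recent < base / ratio


def behavioral_rule(by_bucket, bucket, lookback=DAY, ratio=3.0):
    """Behavioral: compare one bucket with the same bucket `lookback`
    seconds earlier (yesterday; lookback=7*DAY for last week). A missing
    bucket counts as zero, which is how a failed backup shows up."""
    now, then = by_bucket.get(bucket, 0), by_bucket.get(bucket - lookback, 0)
    if then == 0:
        return now > 0
    return now > then * ratio or now < then / ratio


def build_sample():
    """Constructed events: 5 SMTP events per hour for two days, 40 per hour
    in the last three hours, and one backup event at 02:00 on day 0 only."""
    recs = []
    for h in range(48):
        start = T0 + h * HOUR
        per_hour = 40 if h >= 45 else 5
        recs += [{"ts": start + i * MINUTE, "app": "smtp"} for i in range(per_hour)]
    recs.append({"ts": T0 + 2 * HOUR, "app": "backup"})
    return recs


def evaluate(recs):
    minute = accumulate(recs, "app", MINUTE)      # 1 minute tier
    hourly = rollup(minute, HOUR)                 # 1 hour tier
    daily = rollup(hourly, DAY)                   # 1 day tier
    smtp = series(hourly, "smtp")
    backup = {b: c for (g, b), c in hourly.items() if g == "backup"}
    return {
        "threshold_hits": threshold_rule(smtp, high=20),              # the three spike hours
        "smtp_anomaly": anomaly_rule(smtp),                           # 40/h vs 5/h baseline
        "backup_failed": behavioral_rule(backup, T0 + DAY + 2 * HOUR),  # 0 vs 1 yesterday
        "daily_smtp": [c for _, c in series(daily, "smtp")],
    }


if __name__ == "__main__":
    print(evaluate(build_sample()))
```

The three rules never touch the raw events: they read only the accumulated counts, which is why a search must be accumulated before an ADE rule can be built on it, and why the coarsest tier that still resolves the pattern (hourly here) is the cheapest to test.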

Let us take a closer look at how offenses are managed by the Magistrate component.

Events and flows that have been tagged by the Custom Rules Engine for further processing in the
Event Processors are handed over to the Console through the Exit Filter.

Note: The following slides contain some additional information about the offense management
by the Magistrate, the new asset and service detection by the Vulnerability Information
Server, and Anomaly Detection Engine rule types. The explanations for these slides have
already been incorporated in this overview slide.

Offense management by the Magistrate

• Rules can correlate events and flows into a single offense
• A single event or flow can belong to multiple offenses
• While rules are tested, they might lead to the creation of an offense
• Pending offenses tag the events and flows as long as the rule that triggered the creation of the offense
remains at least partially matched
• A maximum of 100,000 offenses can be stored

New asset and service detection by Vulnerability Information Server

• Generates a new asset based on an event when hosts, services, and vulnerabilities that cannot be
mapped to existing assets are discovered
• Detects new or modified assets and automatically checks the asset information against uploaded
vulnerability information using flow information

Anomaly Detection Engine rule types

The three categories of rule types are as follows
• Threshold: greater than, less than, and range
  - Bandwidth of an application
  - Failed service
  - Number of users connected to a VPN
  - Large outbound transfer
• Anomaly: Change in short term when comparing against a longer time frame
  - New service activity
  - Change in the bandwidth volume on a link
• Behavioral: Change from the same time yesterday or last week
  - Mail traffic, for example, increase on external SMTP server traffic (could be a relay)
  - Backup monitoring (backup failed)
  - Just about anything with a repetitive pattern

Architecture overview

• High-level architecture
• Flow collector (FC)
• Event collector (EC)
• Event processor (EP)
• Console
• Dissecting the flow of a captured event
ec n
Until now, we have examined the QRadar component structure from a deployment viewpoint. Let
us now take a final look into dissecting the flow of a captured event.

Dissecting the flow of a captured event

Recap the architectural components by examining the flow of a captured event
• How the events arrive at their first collection point, the Event Collector
• How the events proceed through correlation, accumulation, and storage on the Event Processor
• How the events end up as part of a larger offense on the Console

We want to recap the architectural components by examining the flow of a captured event. This
starts at the time when the events arrive at their first collection point, the Event Collector. We will
follow the events as they proceed through correlation, accumulation, and storage on the Event
Processor and finally end up as part of a larger offense on the Console.

Dissecting the flow of a captured event (2 of 4)

[Diagram: FW Deny events enter the Event collector. 1 Overflow filter (enforce license limit):
2 License exceeded? Yes: buffer overflow events and feed back into stream when input below limit.
No: 3 Traffic Analysis (log source discovery): Log source known? No: create new log source.
Yes: 4 Device Support Module (DSM), parser for firewall (DSM normalization filter).
5 Coalescing Filter, then on to the Event processor.]
In this scenario we follow a burst of Check Point firewall deny events through the stack of QRadar
components.

1. The firewall denies a large number of communication requests from an individual source IP and
logs them.
These FW Deny events now arrive in large numbers at the QRadar Event Collector.

2. The overflow filter counts all the incoming raw events to ensure the license limit for the
appliance is not exceeded.
If the license limit (here: events per second) IS exceeded, the events are buffered and fed back
into the stream when the input is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the Console is
generated.
In our case the limit is not exceeded and the FW Deny events are passed on to the Traffic
Analysis module.

3. The Traffic Analysis module performs the autodiscovery of log sources.
If the log source is already known (as in our case: Check Point firewall), the records are
handed over to the appropriate DSM module.
If the log source is not known yet but is recognized, a new log source is generated. Then the
event is handed over to the appropriate DSM module.
If the event cannot be attributed to either a known or a new log source, the event is stored as
"unknown" and listed as such on the Console.

4. The individual FW Deny events are now parsed inside the applicable (firewall) Device Support
Module, the Event ID is extracted from the event data, and a QID (QRadar Identifier) is
assigned to the event.
This QID is later used in the CRE (Custom Rules Engine) to evaluate and correlate our events
together with other events and flows.

5. Before the normalized data (with QID) is handed off to the Event Processor, all events pass
through the coalescing filter.
Here, duplicate events (examined within 10-second intervals) are combined into one event with
a counter, which reduces storage space and processing load when data is handed to the Event
Processor.
In our case many FW Deny events are coalesced because they have occurred within 10-second
intervals.
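The five Event Collector steps above, as an added example in Python that is not part of the course material and not QRadar's own code. It runs a constructed burst of firewall deny lines through the same stages: an overflow filter with an events-per-second license, a buffer that is fed back into the stream when input drops below the limit, and a drop notification when the buffer is full; traffic analysis that looks up the log source and autodiscovers a device it has not seen; a DSM parser that turns the device's event name into a QID; and a coalescing filter that folds duplicates seen within 10 seconds into one record with a counter. The log line format, the QID numbers, the addresses (documentation ranges), the 10 EPS license and the buffer size are all constructed for the example.

```python
"""Event Collector stages for a burst of firewall deny events.

Added example, not QRadar code. The log format, QIDs, addresses, license
limit and buffer size below are constructed for the example.
"""
import re
from collections import defaultdict, deque

# Constructed log format that the "firewall DSM" below understands.
DENY_RE = re.compile(
    r"^(?P<ts>\d+) fw=(?P<fw>[\w-]+) action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
QID_MAP = {"deny": 20250001, "accept": 20250002}   # made-up QIDs, not QRadar's


def overflow_filter(events, eps_limit, buffer_size):
    """Pass at most eps_limit events per second. Excess is buffered and fed
    back when a later second has spare budget; once the buffer is full the
    rest is dropped and one notification per second is raised for the Console."""
    by_second = defaultdict(list)
    for ev in events:
        by_second[ev["ts"]].append(ev)
    buffer, passed, notices = deque(), [], []
    sec, last = min(by_second), max(by_second)
    while sec <= last or buffer:          # keep ticking until the buffer drains
        budget = eps_limit
        while buffer and budget:          # buffered events go first
            passed.append(buffer.popleft())
            budget -= 1
        dropped = 0
        for ev in by_second.get(sec, []):
            if budget:
                passed.append(ev)
                budget -= 1
            elif len(buffer) < buffer_size:
                buffer.append(ev)
            else:
                dropped += 1
        if dropped:
            notices.append({"ts": sec, "dropped": dropped})
        sec += 1
    return passed, notices


def traffic_analysis(payload, log_sources):
    """Identify the log source from the line. A recognised format from a new
    device is autodiscovered; None means the line is unknown and unparsed."""
    m = DENY_RE.match(payload)
    if m is None:
        return None
    log_sources.setdefault(m["fw"], {"type": "firewall", "autodiscovered": True})
    return m


def dsm_parse(m):
    """Normalise one parsed line: the device's event name becomes a QID."""
    return {"ts": int(m["ts"]), "qid": QID_MAP[m["action"]], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "count": 1}


def coalesce(events, window=10):
    """Fold events with the same QID, source, destination and port that fall
    within `window` seconds of the first one into a single counted record."""
    open_, out = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["qid"], ev["src"], ev["dst"], ev["dport"])
        rec = open_.get(key)
        if rec is not None and ev["ts"] - rec["ts"] < window:
            rec["count"] += 1
        else:
            if rec is not None:
                out.append(rec)
            open_[key] = dict(ev)
    out.extend(open_.values())
    return out


def collect(raw_events, eps_limit=10, buffer_size=20):
    """Run raw lines through the collector and return what leaves it."""
    log_sources = {"fw-edge-1": {"type": "firewall", "autodiscovered": False}}
    passed, notices = overflow_filter(raw_events, eps_limit, buffer_size)
    normalised, unknown = [], []
    for raw in passed:
        m = traffic_analysis(raw["payload"], log_sources)
        if m is None:
            unknown.append(raw)           # stored as "unknown" for the Console
        else:
            normalised.append(dsm_parse(m))
    return {"coalesced": coalesce(normalised), "unknown": unknown,
            "notices": notices, "log_sources": log_sources}


def build_sample():
    """Constructed input: 60 identical denies in 3 seconds (20/s against a
    10 EPS license), one deny from an unseen firewall, one unparseable line."""
    raw = [{"ts": s, "payload": f"{s} fw=fw-edge-1 action=deny src=203.0.113.7 "
                                f"dst=192.0.2.10 dport=22"}
           for s in range(3) for _ in range(20)]
    raw.append({"ts": 5, "payload": "5 fw=fw-branch-2 action=deny "
                                    "src=198.51.100.4 dst=192.0.2.10 dport=22"})
    raw.append({"ts": 5, "payload": "5 <a line no DSM understands>"})
    return raw


if __name__ == "__main__":
    print(collect(build_sample()))
```

With a 10 EPS license and room for 20 buffered events, the 60 denies are not all equal: 10 pass each second, the buffer absorbs the first overflow, and in the third second 10 events are dropped with a notification. The 50 that survive still leave the collector as a single coalesced record with a count of 50, so the Event Processor sees one record plus the counter rather than 50 copies.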


Dissecting the flow of a captured event (3 of 4)

[Diagram: Normalized events from the Event collectors enter the Event processor. 1 Overflow filter
(enforce license limit): 2 License exceeded? Yes: buffer overflow events and feed back into stream
when input below limit. No: 3 Custom Rule Engine (CRE), rule processing and correlation,
streaming to the Log Activity tab in real time; rule fired: the Console handles the offense.
4 Event Storage (Ariel DB events, Ariel DB flows). 5 Accumulator (Ariel DB accumulations).
6 Host Profiler: new host or port found? Yes: sent to the Console.]
1. The Event Collector sends our normalized FW Deny events to an Event Processor for further
processing.
Events can come from multiple Event and Flow Collectors, and there can also be multiple Event
Processors in your deployment.

2. The overflow filter counts the incoming normalized events to ensure the license limit for the
appliance is not exceeded.
If the license limit IS exceeded, the events are buffered and fed back into the stream when the
input is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the Console is
generated.

3. The CRE evaluates every single event against every active rule.
If none of the rules fires on the event, the event is not forwarded to the Console (it is still
stored, see step 4).
If at least one rule fires (which happens in our FW Deny example, because the number of
events within a certain time period exceeds the threshold value in a test rule), the event is
marked for further processing. This way the Magistrate on the Console knows how to handle
this event (create a new offense, or add the event to any number of existing offenses).
In our case, the number of accumulated FW Deny events is sufficient evidence to instruct the
Magistrate that these events are worthy of an offense.

The CRE can also stream every incoming event to the Log Activity tab if you have configured
any live streaming views on the Console. This way, all of our FW Deny events are displayed in
a streaming view on the Console.

4. The Event Storage component is responsible for storing all events (and flows) in the Ariel DB.
The filter then passes the data on to the Accumulator.

5. The Accumulator manages all the defined searches (Reports, Dashboards, and such) that have
been set up by an analyst on the Console.
Based on the search parameters, the Accumulator stores data in the Accumulations Ariel DB.
This data is later used by the Console to display results in the GUI or to create Reports.

6. The Host Profiler also receives the event data and searches for any new host or port events.
If any new hosts or ports are detected, they are sent to the Console's Vulnerability Information
Server.
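The Event Processor steps above (CRE rule tests, the Exit Filter, Event Storage and the Host Profiler), as an added example in Python that is not part of the course and not QRadar's code. Every event is tested against every enabled rule; a rule that counts matching events per index value inside a time window marks the event for the Magistrate and emits a CRE event, with a response limiter so a single burst does not produce one CRE event per match; every event is written to storage regardless; and the Host Profiler reports local hosts and ports the asset model has not seen. The rule, the QIDs, the addresses and the local network range are constructed. Two modelling choices are assumptions rather than documented QRadar behaviour: a coalesced event is weighted by its counter when the rule counts matches, and only accepted connections are taken as evidence that a port is open.

```python
"""Custom Rules Engine tests and host profiling on an Event Processor.

Added example, not QRadar code. Rule, QIDs, addresses and local network are
constructed; weighting by the coalesced counter and profiling only accepted
connections are modelling assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable

QID_DENY, QID_ACCEPT, QID_CRE = 20250001, 20250002, 20250099   # made-up QIDs


@dataclass
class Rule:
    name: str
    test: Callable[[dict], bool]   # per-event test
    index_property: str            # property the resulting offense is indexed on
    threshold: int = 1             # fire once this many matches ...
    window: int = 0                # ... are seen within this many seconds
    response_limit: int = 0        # one CRE event per index value per N seconds


class CustomRulesEngine:
    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)   # (rule, index value) -> (ts, count)
        self.last_response = {}             # (rule, index value) -> ts of last CRE event
        self.cre_events = []

    def evaluate(self, ev):
        """Test one event against every enabled rule; return the marks it gets."""
        marks = []
        for rule in self.rules:
            if not rule.test(ev):
                continue
            value = ev[rule.index_property]
            hist = self.history[(rule.name, value)]
            hist.append((ev["ts"], ev.get("count", 1)))
            while ev["ts"] - hist[0][0] > rule.window:      # slide the window
                hist.popleft()
            if sum(c for _, c in hist) < rule.threshold:
                continue
            marks.append({"rule": rule.name, "index_property": rule.index_property,
                          "index_value": value})
            last = self.last_response.get((rule.name, value))
            if last is None or ev["ts"] - last >= rule.response_limit:
                self.last_response[(rule.name, value)] = ev["ts"]
                self.cre_events.append({"ts": ev["ts"], "qid": QID_CRE, "rule": rule.name,
                                        rule.index_property: value, "count": 1})
        return marks


def host_profiler(ev, local_networks, known_assets):
    """Report a local destination host or port the asset model lacks. Only an
    accepted connection is taken as evidence that the port is open (assumption)."""
    if ev["qid"] != QID_ACCEPT:
        return None
    ip = ipaddress.ip_address(ev["dst"])
    if not any(ip in net for net in local_networks):
        return None
    ports = known_assets.get(ev["dst"])
    if ports is None:
        known_assets[ev["dst"]] = {ev["dport"]}
        return ("new host", ev["dst"], ev["dport"])
    if ev["dport"] not in ports:
        ports.add(ev["dport"])
        return ("new port", ev["dst"], ev["dport"])
    return None


RULES = [Rule("deny burst from one source", lambda e: e["qid"] == QID_DENY,
              index_property="src", threshold=10, window=60, response_limit=60)]
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed network hierarchy


def process(events, rules=RULES, local_networks=LOCAL_NETWORKS, known_assets=None):
    known_assets = {} if known_assets is None else known_assets
    cre = CustomRulesEngine(rules)
    to_magistrate, stored, asset_updates = [], [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        marks = cre.evaluate(ev)
        if marks:                          # Exit Filter: only marked events go on
            to_magistrate.append({**ev, "marks": marks})
        stored.append(ev)                  # Event Storage: every event is kept
        update = host_profiler(ev, local_networks, known_assets)
        if update:
            asset_updates.append(update)
    return {"to_magistrate": to_magistrate, "cre_events": cre.cre_events,
            "stored": stored, "asset_updates": asset_updates}


def _ev(ts, qid, src, dst, dport):
    return {"ts": ts, "qid": qid, "src": src, "dst": dst, "dport": dport, "count": 1}


def build_sample():
    """Constructed stream: 12 denies from one source three seconds apart, two
    from another source, and two accepted connections inside the local network."""
    evs = [_ev(1000 + 3 * i, QID_DENY, "203.0.113.7", "192.0.2.10", 22) for i in range(12)]
    evs += [_ev(1000 + 5 * i, QID_DENY, "198.51.100.4", "192.0.2.10", 22) for i in range(2)]
    evs.append(_ev(1020, QID_ACCEPT, "192.0.2.55", "192.0.2.20", 443))
    evs.append(_ev(1021, QID_ACCEPT, "192.0.2.55", "192.0.2.10", 22))
    return evs


if __name__ == "__main__":
    print(process(build_sample(), known_assets={"192.0.2.10": {22}}))
```

The tenth deny from 203.0.113.7 is the first event the rule fires on, and the eleventh and twelfth fire as well because the window still holds more than ten matches; all three are marked with the index property and value (`src`, 203.0.113.7) that the Magistrate will use. The response limiter keeps that down to one CRE event for the burst, while the two denies from 198.51.100.4 never reach the threshold and are stored without being forwarded.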


Dissecting the flow of a captured event (4 of 4)

[Diagram: Processed events from the Event processors (Ariel Query Server, Ariel DB events and
flows, Accumulator, Host Profiler) enter the Console. 1 Overflow filter (enforce license limit):
2 License exceeded? Yes: buffer overflow events and feed back into stream when input below limit.
No: 3 Magistrate with Custom Rule Engine (CRE), writing Offenses (PostgreSQL). 4 Ariel Proxy.
5 Anomaly Detection Engine. 6 Vulnerability Information Server, writing Assets (PostgreSQL).]
1. The Event Processor(s) send(s) the processed events, including the coalesced FW Deny
events, to the Console for final processing.
Events can come from multiple Event Processors in your deployment.

2. The overflow filter counts the incoming normalized events to ensure the license limit for the
appliance is not exceeded.
If the license limit IS exceeded, the events are buffered and fed back into the stream when the
input is below the license limit.
If the buffer is already full, the new events are dropped and a special event for the Console is
generated.

3. The Magistrate receives our FW Deny events from the Event Processor (through its Exit Filter).
Based on the Index Property and Index Property Value, the Magistrate knows that these events
need to be raised as an offense.
Before creating the new offense, the CRE inside the Magistrate checks whether these events
should be assigned to a new offense or can be attributed to existing offenses.
Collecting this additional data also gives analysts a clearer view in the GUI (by displaying
related events and flows).

4. In case the Magistrate needs to access additional event and flow records, it uses the Ariel
Proxy to communicate with the Ariel Query Servers that are located on the Event Processor
appliances.

5. In addition to the Magistrate component, the Console also houses the Anomaly Detection
Engine.
It examines behavioral, anomaly, or threshold based rules that can be used to create new
offenses or add additional evidence and details to existing offenses.

6. Based on collected event and flow data, the Vulnerability Information Server component on the
Console receives information about new hosts or ports that are not yet contained in its Asset
database.
Those new assets are added to the PostgreSQL Asset database.
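The Magistrate's part of the Console steps above, together with the earlier "Offense management by the Magistrate" slide, as an added example in Python that is not part of the course and not QRadar's code. A marked event is attributed to the active offense with the same index property and value, or starts a new one; an event marked by two rules that index on different properties lands in two offenses; the offense store has a hard limit (the text states 100,000; the demonstration uses a limit of three so the refusal is visible); and the Magistrate pulls the stored records behind an offense back out for the analyst, which is what it asks the Ariel Proxy to do. The marked events, the rule names, the inactivity timeout after which a repeat of the same index value starts a fresh offense, and the tiny limit are constructed assumptions for the example.

```python
"""Offense management by the Magistrate.

Added example, not QRadar code. Events, rule names, the inactivity timeout
and the small offense limit are constructed; the text states the real store
limit as 100,000 offenses.
"""


class Magistrate:
    def __init__(self, max_offenses=100_000, inactivity=1800):
        self.max_offenses = max_offenses
        self.inactivity = inactivity            # seconds without new events (assumed)
        self.offenses = {}                      # offense id -> record
        self.active = {}                        # (index property, value) -> offense id
        self.rejected = []                      # (event id, rule) that could not be stored
        self.next_id = 1

    def _open_offense(self, key, ts):
        """Return the active offense for this index value, creating one if needed."""
        off = self.offenses.get(self.active.get(key))
        if off is not None and ts - off["last_seen"] > self.inactivity:
            off["status"] = "inactive"          # a new burst gets a new offense
            off = None
        if off is None:
            if len(self.offenses) >= self.max_offenses:
                return None                     # store full: nothing new can be raised
            off = {"id": self.next_id, "index_property": key[0], "index_value": key[1],
                   "rules": set(), "event_ids": [], "first_seen": ts,
                   "last_seen": ts, "status": "active"}
            self.offenses[self.next_id] = off
            self.active[key] = self.next_id
            self.next_id += 1
        return off

    def receive(self, event):
        """Attach one marked event to every offense it belongs to; return their ids."""
        ids = []
        for mark in event["marks"]:
            key = (mark["index_property"], mark["index_value"])
            off = self._open_offense(key, event["ts"])
            if off is None:
                self.rejected.append((event["id"], mark["rule"]))
                continue
            off["rules"].add(mark["rule"])
            off["event_ids"].append(event["id"])
            off["last_seen"] = event["ts"]
            ids.append(off["id"])
        return ids

    def evidence(self, oid, ariel):
        """What the Ariel Proxy fetches for the analyst: the records behind an offense."""
        return [ariel[eid] for eid in self.offenses[oid]["event_ids"]]


def mark(rule, prop, value):
    return {"rule": rule, "index_property": prop, "index_value": value}


def build_sample():
    """Constructed marked events, as they would leave an Event Processor."""
    src_burst = mark("deny burst from one source", "src", "203.0.113.7")
    scan_tgt = mark("many sources to one host", "dst", "192.0.2.10")
    return [
        {"id": 1, "ts": 1027, "src": "203.0.113.7", "dst": "192.0.2.10", "marks": [src_burst]},
        {"id": 2, "ts": 1030, "src": "203.0.113.7", "dst": "192.0.2.10", "marks": [src_burst]},
        {"id": 3, "ts": 1033, "src": "203.0.113.7", "dst": "192.0.2.10", "marks": [src_burst]},
        {"id": 4, "ts": 1036, "src": "203.0.113.7", "dst": "192.0.2.10",
         "marks": [src_burst, scan_tgt]},                     # one event, two offenses
        {"id": 5, "ts": 1040, "src": "198.51.100.4", "dst": "192.0.2.10", "marks": [scan_tgt]},
        {"id": 6, "ts": 9000, "src": "203.0.113.7", "dst": "192.0.2.10", "marks": [src_burst]},
        {"id": 7, "ts": 9001, "src": "192.0.2.77", "dst": "192.0.2.10",
         "marks": [mark("deny burst from one source", "src", "192.0.2.77")]},
    ]


def run_sample(max_offenses=3):
    """Feed the sample through a Magistrate whose store holds only three offenses."""
    magistrate = Magistrate(max_offenses=max_offenses)
    ariel = {e["id"]: e for e in build_sample()}     # stands in for the Ariel store
    assignments = [magistrate.receive(ariel[i]) for i in sorted(ariel)]
    return magistrate, ariel, assignments


if __name__ == "__main__":
    m, ariel, assignments = run_sample()
    print(assignments, m.rejected)
```

Event 4 shows why "a single event can belong to multiple offenses" follows directly from indexing: it carries two marks with different index properties, so it is attributed to offense 1 (indexed on the source) and starts offense 2 (indexed on the destination). Event 6 arrives long after offense 1 last saw anything, so it opens offense 3 instead of reviving it, and event 7 is then refused because the store is at its limit, which is the condition the 100,000 offense cap produces in a real deployment.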


Summary

Now you should be able to perform the following tasks:
• Describe how QRadar SIEM collects and processes events and flows
• Describe how QRadar SIEM collects vulnerability data
In this unit we covered the functional architecture level and explained how IBM QRadar was
designed as a modular Security Intelligence solution from the ground up. After taking a look at this
modular design, its extensibility and deployment pattern, we examined the component architecture
so that the analyst understands how data is ingested and processed.

When analysts now examine the bits and pieces of a larger security incident investigation, this
architectural understanding should substantially enhance their capability for detailed and fast
analysis.