TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Apache®, Apache Tomcat, Tomcat®, and the cat logo are either registered trademarks or trademarks of the Apache Software
Foundation in the United States and/or other countries. No endorsement by The Apache Software Foundation is implied by the use of
these marks.
Amazon Web Services, the “Powered by AWS” logo, [and name any other AWS Marks used in such materials] are trademarks of
Amazon.com, Inc. or its affiliates in the United States and/or other countries.
Dell Technologies, Dell, Dell EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Lenovo® is a trademark of Lenovo in the United States, other countries, or both.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a world-wide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware
vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are
trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
© Copyright International Business Machines Corporation 2023. This document may not be reproduced in whole or in part
without the prior written permission of IBM. US Government Users Restricted Rights - Use, duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM Corp.
If QRadar has never received events from that log source before, the new events are listed
with a Low Level Category of “Unknown” in the Log Activity tab. QRadar can autodiscover
many log sources, and after a certain amount of time (or number of processed log events), QRadar
assigns the correct log source. Sometimes, however, QRadar cannot determine the
proper log source behind the collected data, and those events then show a Low Level
Category of “Stored”.
In this lab, you configure QRadar to recognize an unknown event. You extract
additional properties from the raw event payload. You use the Log Source
Management (LSM) app to configure and manage single and bulk log sources. You
also test a new log source.
To simulate sending the log sources to QRadar, you log in to the QRadar Console by using the SSH
terminal and run a script.
NOTE: Choose any of the three convenient, faster methods described in your Techzone Guide
to perform the lab exercise.
1. Open the Firefox browser and click on the QRadar icon from the Bookmark bar.
Username: admin
Password: Q1d3m0.Demo
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit 1 QRadar - Log Sources exercises
Exercise 5 Bulk adding log sources
Exercise 1 Analyzing unknown event
Follow steps 6 to 9 if you are receiving real-time events while viewing the QRadar Log Activity
tab. Otherwise, skip these steps and go to step 11.
8. Click Browse And select the High and Low levels category as in the screenshot below.
9. In the QID name field type “search” and click on the search button again.
cd /labfiles/logsources/
/opt/qradar/bin/logrun.pl -f checkpoint1.syslog 1
Note: The Console detected three events with the STORED Low Level Category. Because we use
the localhost context for these events (127.0.0.1), the Event Name can vary. In the screen
captures below you see an Event Name of “Search Results Message”, but it can also be
“Anomaly Detection Engine” or others.
13. To open any of the events, click the pause icon in the upper-right part of the Console.
This action pauses the real-time event capturing.
14. To review the event details, double-click any of the three events.
15. On the Event details page, scroll down to the Payload Information section and click Wrap
Text.
16. Analyze the raw payload and note that the source and destination IP addresses are not parsed
correctly by comparing the addresses with the ones listed in the Source and Destination
Information section.
17. If you created any of the filters described in steps 6 to 9, clear them before moving on to the
next exercise: in the Log Activity tab, click Clear Filter beside the Event Name filter.
At this point, you conclude that QRadar did not correctly process this event. You can determine
the source of the generated log and create a proper log source. Also, on many occasions, if
QRadar receives enough log events to process, it can autodiscover the log source and decide on
the log source that best matches the events.
Exercise 2 Viewing autodiscovered log sources
2. Then, in the QRadar SSH terminal, from the /labfiles/logsources/ directory, run the following script:
/opt/qradar/bin/logrun.pl -f checkpoint.syslog 10
3. Go back to the browser window and observe the events that are displayed in the Console.
4. If you cannot identify the logs, open the Log Source Management app from the
Admin tab.
5. Sort by creation date, click the three dots beside the Check Point log source name, and select Events.
The recent events from that log source open in the Log Activity tab.
6. Either wait about 30 to 40 seconds or perform step 2 again.
7. Now you notice that the Event Name column starts to show Firewall Permit, the
LogSource is named Check Point, and Low Level Category is updated to Firewall Permit.
8. To pause the real-time events, in the upper-right part of the Console, click the pause icon.
9. Double-click any Firewall Permit event and note that the parsed Source IP and Destination
IP match the IP addresses in the raw payload.
You learned that QRadar can autodiscover some log sources after it receives enough events. However, not
all log sources are autodiscovered, and for these, you must create log sources manually by using the
Log Source Management app. If you do not want to lose information from the early
events while you wait for QRadar to parse them, you can also use this method for
autodiscovered log sources.
2. In the Admin Console, scroll to the Data Sources section and click Log Source, which opens
the Log Source Management app.
Hint: Instead of scrolling, from the main menu in the left panel, you can click QRadar Log Source
Management.
4. In the LSM app dashboard, in the upper-right part of the window, click New Log Source.
11. In the Configure Log Source Parameters step, complete the parameters by using the following
table.
16. In the Admin Console, you see the message that “There are undeployed changes.” Click
Deploy Changes.
17. If you do not see the Deploy Changes option, click the Admin tab again.
Hint: Deploying changes in the lab environment can take ~ 1-2 minutes.
You manually created a new log source that uses the syslog protocol. After you create a new log
source, you must deploy changes to the Console.
2. Then, in the QRadar SSH terminal, from the /labfiles/logsources directory, run the
following script:
sh runSEP.sh
3. As in Exercise 2, step 5, open the recent events from the Endpoint
Protection log source (choose the Endpoint Protection log source name).
4. Go back to the browser window and note one new event that is displayed in the Console, Virus
Detected, Actual Action: Quarantined.
6. In the event details page, analyze the properties that were parsed from the event, such as
Username, Log Source Time, Machine Identifier.
7. Go to the Payload information section, review the raw payload, and compare it with
the extracted properties.
8. Note that the raw payload also contains the MD5 hash value of the malware.
9. To extract this value from the raw payload, in the event menu, click Extract Property.
10. Scroll to the Property Definition section of the Custom Event Properties window.
12. Select Enable for use in Rules, Forwarding Profiles and Search Indexing.
13. In the Property Expression Definition section, select Category and leave the default for
High Level Category as Malware and Low Level Category as Virus Detected.
14. To extract a hash signature from the payload, in the Regex field, type
hash:\s([a-f0-9]{32})
15. Ensure that Capture Group is 1 and observe the results after clicking Test.
Hint: You may need to resize the Custom Event Property Definition window. The property is
highlighted in the Test Field.
16. To save the property, at the lower right of the screen, click Save.
17. The Custom Event Property Definition window closes, and the event details page refreshes.
18. Note that on the event details page, the Event Information section contains the new hash
(custom) property.
You learned how to analyze a raw payload and extract an extra property by using a regular
expression. You can use the new custom property in a rule engine, which is explored in a separate
lab.
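The extraction that steps 9 to 15 perform in the Custom Event Properties window, reproduced in Python as an added example that is not part of the lab or of QRadar: the lab's regex hash:\s([a-f0-9]{32}) is run over constructed payloads (not real Endpoint Protection output, and the hash values are placeholders, not indicators) and capture group 1 is returned, which is the value the custom property would hold. The second pattern, HASH_RE_CI, is my own case-insensitive variant, included to show why an event with an uppercase hash would leave the property empty under the lab's pattern.

```python
import re
from typing import List, Optional

# Regex from the lab: capture the 32-hex-character MD5 hash that follows "hash: ".
# Capture Group 1 is the hash itself, which is what the custom property returns.
HASH_RE = re.compile(r"hash:\s([a-f0-9]{32})")

# Case-insensitive variant (an assumption, not the lab's regex): use it only if
# your DSM actually emits uppercase hex digits.
HASH_RE_CI = re.compile(r"hash:\s([a-fA-F0-9]{32})")

# Constructed sample payloads; the hashes are placeholder values of the right length.
SAMPLE_PAYLOADS = [
    "Virus found, Computer name: WS01, User: jdoe, Actual action: Quarantined, "
    "hash: 0123456789abcdef0123456789abcdef, File path: C:\\Temp\\bad.exe",
    # Uppercase hex: [a-f0-9] is case-sensitive, so the lab regex does NOT match.
    "Virus found, Computer name: WS02, hash: 0123456789ABCDEF0123456789ABCDEF",
    # No hash field at all: the property stays empty for this event.
    "Scan complete, Computer name: WS03, Infected: 0",
]


def extract_hash(payload: str, pattern: re.Pattern = HASH_RE) -> Optional[str]:
    """Return capture group 1 (the MD5 hash), or None when the payload has no match.

    This mirrors the Test button in the property definition window: the highlighted
    value is the content of Capture Group 1, not the whole "hash: ..." match.
    """
    match = pattern.search(payload)
    return match.group(1) if match else None


def extract_all(payloads: List[str], pattern: re.Pattern = HASH_RE) -> List[Optional[str]]:
    """Apply the property regex to a batch of payloads, one result per event."""
    return [extract_hash(p, pattern) for p in payloads]


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(f"lab regex: {extract_hash(payload)!s:36} "
              f"case-insensitive: {extract_hash(payload, HASH_RE_CI)}")
```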
10. To view all the template options for the log source name, locate Name Template, then click
the Show More link.
You can use the template to define a naming style for all log sources without entering names
individually.
13. Leave all other values as the default and click Step 4: Configure Common Protocol
Parameters.
Here, you can change the encoding for all log sources, or clear the option to configure
encoding for individual log sources later. In this exercise, leave the option selected.
14. Leave default payload encoding to UTF-8, and click Step 5: Configure Individual
Parameters.
On this screen, you can either upload a spreadsheet with parameters for all log sources or
enter values manually. The one parameter that you cleared was Description. On this screen,
you enter descriptions for four log sources manually.
20. Modify the value in the Log Source Identifier field to snort_2 and click Add.
The Log Sources list now has two entries.
21. Continue modifying the Description and Log Source Identifier values to add two more log
sources with the same description and log source identifier format.
22. After you enter a total of four log sources, click Finish.
In this exercise, you learned how to bulk-add log sources and how to use template
variables to automate the editing of certain fields.
Exercise 6 Bulk editing log sources
2. Select snort_3.
3. Click Edit.
In the Edit window, you can modify the overview and protocol parameters that are displayed
for the selected log sources.
6. Click Save.
11. To display the Log Sources list and complete this exercise, click the Settings icon (gear) again.
Note: The two selected log sources now display snort_east in the Description column. You may
have to scroll right to see that column.
Important: QRadar shows Deploy changes. To save time, wait for the step in Exercise 7,
“Testing a new log source” to deploy the changes.
In this exercise, you used the bulk editing option to update the Description field of two log
sources, which labels them as belonging to the same group. In a similar way, you can update the
event collector for multiple log sources at once.
Exercise 7 Testing a new log source
The testing tool identifies many issues with log sources. You can troubleshoot and repair log
source issues to confirm that the log source functions properly.
In this exercise, you create a new log source and test the log source in the Log Source
Management app.
1. Open the Log Source Management app, click Log Sources, then click New Log Source.
3. To filter the Universal DSM log source type, in the Look up Log Source Type field, type
Universal.
Name: vm log
Description: Pull the VM logs from the workstation
11. At the Configure the protocol parameters step, use the values from the following table.
Important: A fifth option, Test Protocol Parameters, is displayed in the wizard when you select a
protocol that supports testing.
This test is successful. It shows you the steps that the Log Source Management app carried out
with the new log source.
Many log source issues are the result of authentication issues. You test that now.
14. Click Step 4: Configure Protocol Parameters to return and change user authentication
parameters.
19. To complete this lab, from the LSM app dashboard, disable the
vm log log source. Ensure that the Enabled switch is set to Off.
21. Because you created a few log sources, including the disabled one,
you must deploy the changes.
This completes the exercises in this unit. You learned to configure, manage,
and test log sources by using the Log Source Management app. You also
reviewed the event details and learned how to use a regular expression to
extract additional properties from the raw payload.