
Course Exercises

IBM QRadar SIEM Workshop


IBM EEGSI Lab 2023
NOTICES
This information was developed for products and services offered in the USA. IBM may not offer the products, services, or features
discussed in this document in other countries. Consult your local IBM representative for information on the products and services
currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that
IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM
intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any
non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing,
to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties
in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of
the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice. Any references in this information to non-IBM websites are provided for convenience only and do not in any
manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product
and use of those websites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot
confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of
non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All names and references for organizations and other
business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental.
All names and associated information for people in this deliverable’s scenarios are fictional. Any match with a real person is
coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Apache®, Apache Tomcat, Tomcat®, and the cat logo are either registered trademarks or trademarks of the Apache Software
Foundation in the United States and/or other countries. No endorsement by The Apache Software Foundation is implied by the use of
these marks.
Amazon Web Services, the “Powered by AWS” logo, [and name any other AWS Marks used in such materials] are trademarks of
Amazon.com, Inc. or its affiliates in the United States and/or other countries.
Dell Technologies, Dell, Dell EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Lenovo® is a trademark of Lenovo in the United States, other countries, or both.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a world-wide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware
vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.

Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are
trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.

© Copyright International Business Machines Corporation 2023. This document may not be reproduced in whole or in part
without the prior written permission of IBM. US Government Users Restricted Rights - Use, duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM Corp.
Contents

Unit 1 QRadar - Log Sources exercises (page 11)

Exercise 1 Analyzing unknown event (page 11)
Exercise 2 Viewing autodiscovered log sources (page 13)
Exercise 3 Use Log Source Management app to configure a log source (page 14)
Exercise 4 Analyzing a log event (page 16)
Exercise 5 Bulk adding log sources (page 18)
Exercise 6 Bulk editing log sources (page 22)
Exercise 7 Testing a new log source (page 24)

© Copyright IBM Corp. 2023 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit 1 QRadar - Log Sources exercises
QRadar collects data for events and flows in your traffic. An event is a moment in time, such
as when somebody logs in to your VPN. Log sources identify the events that QRadar tracks in
your traffic. When an event occurs on an IT system in your network, that IT system can send
the event to QRadar. For QRadar, that IT system is a “log source”.

If QRadar has never received events from that log source before, the new events are listed
with a Low Level Category of “Unknown” in the Log Activity tab. QRadar can autodiscover
many log sources, and after a certain amount of time (or number of processed events) it
assigns the events to the correct log source. Sometimes, however, QRadar cannot determine
the proper log source behind the collected data, and those events then show a Low Level
Category of “Stored”.

In this lab, you configure QRadar to recognize an unknown event. You extract
additional properties from the raw event payload. You use the Log Source
Management (LSM) app to configure and manage single and bulk log sources. You
also test a new log source.

Exercise 1: Analyzing unknown event


In this exercise, you analyze an event that is received from an unknown log source. When
processed by the event pipeline, this type of event is labeled as UNKNOWN. When events
are detected for the wrong log source type, they are assigned the STORED low level category.
After they are analyzed, you might decide what new log sources you need to create.

To simulate sending events to QRadar, you log in to the QRadar Console over an SSH
terminal and run a script.
NOTE: Choose whichever of the three access methods described in your Techzone Guide is most
convenient for you to perform the lab exercise.

1. Open the Firefox browser and click on the QRadar icon from the Bookmark bar.

2. Log in with the following credentials (if they are not already filled in):

Username: admin
Password: Q1d3m0.Demo

3. To load default search filters, double-click the Log Activity tab.


4. Do NOT close the browser. While your browser is waiting to display real-time events, open
the PuTTY terminal from the task bar, enter the QRadar IP address 192.168.252.10 in the
Host Name field, and click Open.

5. Enter the following credentials to access the QRadar CLI:
Username: root
Password: Q1d3mo


Follow steps 6 to 9 only if real-time events are already arriving in the QRadar Log Activity
tab. Otherwise, skip these steps and go to step 11.

6. In the Log Activity tab, click Add Filter.

7. In the Parameter field, select Event Name [Indexed].

8. Click Browse and select the High Level Category and Low Level Category as shown in the screen capture below.

9. In the QID name field, type “search” and click the search button again.

10. Now, to generate events, type the following commands in the SSH terminal:

11. Navigate to the log sources folder with the following command:

cd /labfiles/logsources/

12. Run the following command to replay the syslog file to QRadar:

/opt/qradar/bin/logrun.pl -f checkpoint1.syslog 1

Note: The Console detected three events with the STORED Low Level Category. Because we use
the localhost context for these events (127.0.0.1), the Event Name can vary. In the screen
captures below you see an Event Name of “Search Results Message”, but it can also be
“Anomaly Detection Engine” or others.

13. To open any of the events, click the pause icon in the upper-right part of the Console.
This action pauses the real-time event capturing.

14. To review the event details, double-click any of the three events.

15. On the Event details page, scroll down to the Payload Information section and click Wrap
Text.

16. Analyze the raw payload and note that the source and destination IP addresses are not parsed
correctly: compare the addresses in the payload with the ones listed in the Source and Destination
Information section.

17. If you created the filter in steps 6 to 9, clear it before you move on to the next exercise:
in the Log Activity tab, click Clear Filter next to the Event Name filter.

At this point, you conclude that QRadar did not correctly process this event. You can determine
the source of the generated log and create a proper log source. Also, in many cases, once
QRadar has received enough events to process, it can autodiscover the log source and choose
the log source type that best matches the events.

Exercise 2: Viewing autodiscovered log sources


QRadar auto-discovers many log sources after it receives several logs of a specific type. You don’t
need to configure the log source for QRadar to recognize the events from that log source. In this
exercise, you analyze an auto-discovered log source.
1. Start with the Console. To load default search filters, double-click the Log Activity tab.

2. Then, in the QRadar SSH terminal, run the following script from the /labfiles/logsources/ directory:

/opt/qradar/bin/logrun.pl -f checkpoint.syslog 10

3. Go back to the browser window and observe the events that are displayed in the Console.

4. If you cannot identify the new events, open the Log Source Management app from the
Admin tab.


5. Sort the log sources by creation date, click the three-dot menu next to the Check Point log
source name, and select Events. The recent events from that log source open in the Log Activity tab.

6. Either wait about 30 to 40 seconds or run the command from step 2 again.

7. Now you notice that the Event Name column starts to show Firewall Permit, the
LogSource is named Check Point, and Low Level Category is updated to Firewall Permit.

8. To pause the real-time events, in the upper-right part of the Console, click the pause icon.

9. Double-click any Firewall Permit event and note that the parsed Source IP and Destination
IP match the IP addresses in the raw payload.


You learned that QRadar can autodiscover some log sources after it receives some events. However, not
all log sources are autodiscovered, and for these you must create log sources manually by using the
Log Source Management app. If you do not want to lose the information in the early events
while you wait for QRadar to autodiscover and parse them, you can also use this manual method
for log sources that QRadar would eventually autodiscover.

Exercise 3: Use Log Source Management app to configure a log source

In this exercise, you configure a Symantec Endpoint Protection log source and analyze the events
from this log source. To configure a log source, you must use the Log Source Management (LSM)
app.
1. From the browser, go to the Admin Console.

2. In the Admin Console, scroll to the Data Sources section and click Log Sources. This opens
the Log Source Management app.

Hint: Instead of scrolling, from the main menu in the left panel, you can click QRadar Log Source
Management.

3. In the LSM app, click Log Sources again.

4. In the LSM app dashboard, in the upper-right part of the window, click New Log Source.


5. Click Single Log Source.

6. In the Select a Log Source Type step, in the Look up Log Source Type field, type Symantec.

7. From the list, select Symantec Endpoint Protection.

8. Click Step 2: Select Protocol Type.

9. In the Select Protocol Type step, confirm that Syslog is highlighted.

10. Click Step 3: Configure Log Source Parameters.

11. In the Configure Log Source Parameters step, complete the parameters by using the following
table.

Parameter           Value
Name                Endpoint Protection
Description         Symantec Endpoint Protection
Coalescing Events   OFF (disabled)

12. Click Step 4: Configure Protocol Parameters.

13. In the Log Source Identifier field, type 10.64.2.200.

14. Click Finish.

15. Close the Log Source Management app.

16. In the Admin Console, you see the message that “There are undeployed changes.” Click
Deploy Changes.

17. If you do not see the Deploy Changes option, click the Admin tab again.

Hint: Deploying changes in the lab environment can take ~ 1-2 minutes.

You manually created a new log source that uses the syslog protocol. After you create a new log
source, you must deploy changes to the Console.

Exercise 4: Analyzing a log event


In this exercise, you analyze the log event that the Endpoint Protection log source parses.
1. Start with the Console. To load default search filters, double-click the Log Activity tab.
A double-click resets the search filters to their default settings.

2. Then, in the QRadar SSH terminal, from the /labfiles/logsources directory, run the
following script:
sh runSEP.sh

3. Follow the same procedure as in Exercise 2, step 5, to open recent events from the Endpoint
Protection log source (choose the Endpoint Protection log source name).

4. Go back to the browser window and note one new event that is displayed in the Console, Virus
Detected, Actual Action: Quarantined.

5. Pause real-time events and double-click the virus detected event.

6. In the event details page, analyze the properties that were parsed from the event, such as
Username, Log Source Time, Machine Identifier.

7. Go to the Payload information section, review the raw payload, and compare it with
the extracted properties.

8. Note that the raw payload also contains the MD5 hash value of the malware.
9. To extract this value from the raw payload, in the event menu, click Extract Property.

10. Scroll to the Property Definition section of the Custom Event Properties window.

11. In the New Property field, type hash.

12. Select Enable for use in Rules, Forwarding Profiles and Search Indexing.

13. In the Property Expression Definition section, select Category and leave the default for
High Level Category as Malware and Low Level Category as Virus Detected.

14. To extract a hash signature from the payload, in the Regex field, type
hash:\s([a-f0-9]{32})

15. Ensure that Capture Group is 1 and observe the results after clicking Test.

Hint: You may need to resize the Custom Event Property Definition window. The property is
highlighted in the Test Field.

16. To save the property, at the lower right of the screen, click Save.

17. The Custom Event Property Definition window closes, and the event details page refreshes.

18. Note that on the event details page, the Event Information section contains the new hash
(custom) property.

You learned how to analyze a raw payload and extract an extra property by using a regular
expression. You can use the new custom property in a rule engine, which is explored in a separate
lab.
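As an added, stand-alone illustration (not part of the lab or of IBM's code), the following Python script applies the lab's regex hash:\s([a-f0-9]{32}) to constructed Symantec Endpoint Protection-style payloads, shows why Capture Group must be 1, and adds a hardened variant that handles two cases the lab regex mishandles: an upper-case digest (no match at all) and a 64-character digest (silently truncated to a bogus 32-character value). The payloads, hostnames, usernames and digests are constructed, and the hardened regex is an addition, not something the lab configures.

```python
import re

# The regex exactly as entered in the lab's Custom Event Property definition.
# Capture group 1 is the 32-character hex digest; group 0 is the whole match.
LAB_REGEX = re.compile(r"hash:\s([a-f0-9]{32})")

# Hardened variant (added here, not from the lab): accept upper-case hex and
# require a word boundary after the 32 characters, so a longer digest (for
# example a 64-character SHA-256) is rejected instead of silently truncated.
STRICT_REGEX = re.compile(r"hash:\s([a-f0-9]{32})\b", re.IGNORECASE)

# Constructed payloads in the style of the Symantec Endpoint Protection event
# from Exercise 4. The hostnames, usernames and digests are made up.
PAYLOADS = {
    "quarantined": (
        "<13>Apr 12 10:04:55 sepm01 SymantecServer: sepm01,Virus found,"
        "Computer name: WS-0042,Source: Real Time Scan,Risk name: Trojan.Gen,"
        "Actual action: Quarantined,User: alice,"
        "hash: 0123456789abcdef0123456789abcdef,Event time: 2023-04-12 10:04:55"
    ),
    # Same kind of event, but the sensor emitted the digest in upper case.
    "uppercase": (
        "<13>Apr 12 10:05:02 sepm01 SymantecServer: sepm01,Virus found,"
        "Computer name: WS-0043,Actual action: Quarantined,User: bob,"
        "hash: 0123456789ABCDEF0123456789ABCDEF,Event time: 2023-04-12 10:05:02"
    ),
    # A 64-character digest: not an MD5, so the property should stay empty.
    "sha256": (
        "<13>Apr 12 10:05:10 sepm01 SymantecServer: sepm01,Virus found,"
        "Computer name: WS-0044,Actual action: Left alone,User: carol,"
        "hash: " + "ab" * 32 + ",Event time: 2023-04-12 10:05:10"
    ),
    # An event with no digest at all (for example, a scan-started message).
    "no_hash": (
        "<13>Apr 12 10:06:00 sepm01 SymantecServer: sepm01,Scan started,"
        "Computer name: WS-0042,User: alice,Event time: 2023-04-12 10:06:00"
    ),
}


def extract_hash(payload, regex=LAB_REGEX, capture_group=1):
    """Return the requested capture group of the first match, or None.

    This mirrors the Regex and Capture Group fields of the property wizard:
    group 1 yields the digest alone, group 0 would include the "hash: " prefix.
    """
    match = regex.search(payload)
    if match is None:
        return None
    return match.group(capture_group)


def extract_hash_normalized(payload):
    """Hardened extraction: strict regex plus lower-casing, so the same
    malware sample always yields one searchable value in rules and searches."""
    value = extract_hash(payload, regex=STRICT_REGEX)
    return None if value is None else value.lower()


def run_demo():
    """Apply both extractors to every sample payload and return the results."""
    return {
        name: (extract_hash(payload), extract_hash_normalized(payload))
        for name, payload in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (lab_value, strict_value) in run_demo().items():
        print(f"{name:12} lab regex: {lab_value!s:36} strict: {strict_value}")
```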

Exercise 5: Bulk adding log sources


In this exercise, you use the Log Source Management app to add several similar log sources,
which share many common properties, at the same time. You modify only the properties that
differ between the log sources.
1. Go to the Admin Tab.

2. Open the Log Source Management app.

3. Click Log Sources.

4. From the LSM app dashboard, click New Log Source.

5. Click Multiple Log Sources.

6. In the Look up Log Source Type field, type snort.



7. Click Step 2: Select Protocol Type.

8. In the Select a protocol type step, select Syslog.

9. Click Step 3: Configure Common Log Source Parameters.


In the Configure Common Log Sources parameters step, you define the properties that are
shared among all of the log sources that you create.

10. To view all the template options for the log source name, locate Name Template, then click
the Show More link.
You can use the template to define a naming style for all log sources without entering names
individually.

11. To close the list, click the Show Less link.

12. Clear the Description Template checkbox.


Because the Description option is not selected, you enter a description for each log source on
the fifth screen of the log source wizard. In the same way, you can clear any of the common
parameters if you want to enter its value manually for each log source later.

13. Leave all other values as the default and click Step 4: Configure Common Protocol
Parameters.
Here, you can change the encoding for all log sources, or clear the option to configure
encoding for individual log sources later. In this exercise, leave the option selected.

14. Leave the default payload encoding of UTF-8, and click Step 5: Configure Individual
Parameters.
On this screen, you can either upload a spreadsheet with parameters for all log sources or
enter values manually. The one parameter that you cleared was Description. On this screen,
you enter descriptions for four log sources manually.

15. Click Manual.

16. In the Description field, type snort 1.

17. In the Log Source Identifier field, type snort_1.

18. Click Add.


The values that you entered are now displayed in the Log Sources list.

19. Modify the value in the Description field to snort 2.

20. Modify the value in the Log Source Identifier field to snort_2 and click Add.
The Log Sources list now has two entries.

21. Continue modifying the Description and Log Source Identifier values to add two more log
sources with the same description and log source identifier format.

22. After you enter a total of four log sources, click Finish.

23. At the success prompt, click Close.


The four new log sources appear in the Log Sources list and the exercise is complete.

In this exercise, you learned how to bulk-add log sources and how to use template variables
to fill in certain fields automatically.


Exercise 6: Bulk editing log sources


You can save time by adding multiple log sources at the same time. You can also edit parameters
for multiple log sources at the same time. In this exercise, you edit the description parameter for
two of the four log sources that you added in the last exercise.
1. In the Log Sources list, select the checkbox next to snort_4.

2. Select snort_3.

3. Click Edit.
In the Edit window, you can modify the overview and protocol parameters that are displayed
for the selected log sources.

4. Select Description Template.


You can enter a template in this field to give each log source a different description; in this
exercise, however, you give both log sources the same description.

5. In the Description Template field, type snort_east, and then press Enter.


6. Click Save.

7. At the success prompt, click Close.

8. In the Edit window, click Close.

9. In the upper-right corner, click the Settings icon (gear).

10. From the popup menu, enable the Description column.

11. To display the Log Sources list and complete this exercise, click the Settings icon (gear) again.

Note: The two selected log sources now display snort_east in the Description column. You may
have to scroll right to see that column.

12. Close the Log Source Management app.

Important: QRadar now reports undeployed changes. To save time, do not deploy them yet; wait for
the deploy step in Exercise 7, “Testing a new log source”.

In this exercise, you used the bulk editing option to update the Description field of two log
sources, which labels them as belonging to the same group. In the same way, you can change the
event collector for multiple log sources at once.


Exercise 7: Testing a new log source


The Log Source Management app has a testing tool for many log source protocols. The list of
protocols that support the testing features is always expanding. If the protocol for your log source
supports testing, a testing option appears at the end of the log entry wizard. You can test the log
source when you create it, or you can test it later.

The testing tool identifies many issues with log sources. You can troubleshoot and repair log
source issues to confirm that the log source functions properly.

In this exercise, you create a new log source and test the log source in the Log Source
Management app.
1. Open the Log Source Management app, click Log Sources, then click New Log Source.

2. Click Single Log Source.

3. To filter the Universal DSM log source type, in the Look up Log Source Type field, type
Universal.

4. Select Universal DSM.

5. Click Step 2: Select Protocol Type.

6. In the Look up Protocol Type field, type Log.

7. Click Log File.

8. Click Step 3: Configure Log Source Parameters.

9. Enter the following values for Name and Description.

Parameter     Value
Name          vm log
Description   Pull the VM logs from the workstation

10. Click Step 4: Configure Protocol Parameters.

11. At the Configure the protocol parameters step, use the values from the following table.

Parameter               Value
Log Source Identifier   192.168.252.10
Service Type            SFTP
Remote IP or Hostname   192.168.252.10
Remote User             root
Remote Password         Q1d3m0
Remote Directory        /labfiles/logsources/log
FTP File Pattern        .*

Important: A fifth option, Test Protocol Parameters, is displayed in the wizard when you select a
protocol that supports testing.

12. Click Step 5: Test Protocol Parameters.

13. Click Start Test.

This test is successful. It shows you the steps that the Log Source Management app carried out
with the new log source.

Many log source issues are the result of authentication issues. You test that now.

14. Click Step 4: Configure Protocol Parameters to return and change user authentication
parameters.

15. Change the value in the Remote User field to user.

16. Click Step 5: Test Protocol Parameters.


17. Click Start Test.


Now the test is unsuccessful. The test results show an authentication error. You
can use information like this to troubleshoot issues with your log sources as
you create them.

18. Click Finish.

19. To complete this lab, from the LSM app dashboard, disable the
vm log log source. Ensure that the Enabled switch is set to Off.

20. Close the LSM app.

21. Because you created a few log sources, including the disabled one,
you must deploy the changes.


This completes the exercises in this unit. You learned to configure, manage, and test log
sources by using the Log Source Management app. You also reviewed event details and
learned how to use a regular expression to extract additional properties from the raw payload.
