
IBM Training

IBM Security QRadar SIEM 7.2 Administration and Configuration
Student Exercises
Course code XIS08 ERC 1.0

January 2014

IBM Security Systems


All files and material for this course (XIS08, IBM Security QRadar SIEM 7.2 Administration and Configuration) are IBM
copyright property covered by the following copyright notice.

© Copyright IBM Corp. 2014. All Rights Reserved.

US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the
web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the
U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or
implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without
notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other
materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations
from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software.

References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion
based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth, savings or other results.
Contents

About these exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii


Virtual machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Logging in to the Windows VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Logging in to the QRadar SIEM server VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Logging in to the QRadar SIEM console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
FileZilla login credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

1 Using administration tools exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


Exercise 1. Access the lab environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Exercise 2. Configure the deployment editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Exercise 3. Define the difference between a soft clean and hard clean . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Exercise 4. Set up auto updates and context-sensitive help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Creating the network hierarchy exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7


Exercise 1. Set up network hierarchy objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 Updated administration tools exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11


Exercise 1. Import data from a third-party scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Task 1. Add a scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Task 2. Update scan results file modification date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Task 3. Schedule a scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Exercise 2. Manage assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Task 1. View an asset profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Task 2. Edit an asset MAC and IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Task 3. Edit an asset name and operating system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Task 4. Search asset profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Exercise 3. Create a reference set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Exercise 4. Import reference set data from a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Exercise 5. Use a reference set in rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Task 1. Create a reference set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Task 2. Edit rules that include a reference set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Task 3. View the content of a reference set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Task 4. Generate events to trigger the rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Task 5. View the content of a reference set and log events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Task 6. View system notification messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Exercise 6. Manage the index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Task 1. Enable an index and view indexed properties data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

© Copyright IBM Corp. 2014 Student Exercises iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

Task 2. Use an indexed property in a search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28


Task 3. Create and index a custom property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Task 4. Verify the indexed property is configured for use in searches or rules . . . . . . . . . . . . . . . . . . . . 32
Task 5. Configure an indexed property to use in rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4 Managing users exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35


Exercise 1. Configure and test remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Task 1. Configure remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Task 2. Create a QRadar SIEM user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Task 3. Create a user account in Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Task 4. Log in to the QRadar SIEM console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Exercise 2. Manage users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Task 1. Create a user role and security profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Exercise 3. Explore how user roles and security profiles work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Task 1. Explore how security profiles work with offenses and rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Task 2. Explore how security profiles work with log activity and assets . . . . . . . . . . . . . . . . . . . . . . . . . 45
Exercise 4. Examine remote authentication for user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Task 1. Assign a user the Admin user role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Task 2. Change the QRadar SIEM user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Task 3. Verify authentication credentials for the QRadar SIEM user . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

5 Managing data exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51


Exercise 1. Configure a backup schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Exercise 2. Retain events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

6 Collecting log and flow records exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55


Exercise 1. Define and manage log sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Task 1. Delete existing log sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Task 2. Observe log sources for an IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Task 3. Explore disabling coalescing events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Task 4. Configure the log source parsing order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Exercise 2. Create a log source manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Task 1. Add a log source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Task 2. Add a log source extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

7 Collecting Windows log records exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63


Exercise 1. Create an authentication token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Exercise 2. Install the WinCollect agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Exercise 3. Assign log sources to the WinCollect agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

8 Managing custom log sources exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71


Exercise 1. Export QRadar SIEM events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Exercise 2. Use regular expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Task 1. Write regular expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Task 2. Create a custom property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Exercise 3. Create a universal DSM and map unknown events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Task 1. Add a log source extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Task 2. Add a universal device support module (DSM) log source . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Task 3. Generate and view events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79


Task 4. Create a log source extension document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80


Task 5. Verify the log source extension document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Task 6. Create a QID and map events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Task 7. Generate and view events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Exercise 4. Create a list of LogSource Event IDs from the PostgreSQL dsmevent table . . . . . . . . . . . . . 86

9 Using rules exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87


Exercise 1. Capture an RPC vulnerability exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Task 1. Add a VA scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Task 2. Schedule a scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Task 3. Add a log source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Task 4. Create a rule and generate an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

10 Creating rules exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91


Exercise 1. Write event rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Task 1. Write a rule to detect a new user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Task 2. Write a building block rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Task 3. Write a rule to detect Windows file access activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Task 4. Write a rule to detect deleted accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Task 5. Write a rule that combines the rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Exercise 2. Perform activities to trigger an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Task 1. Create a user account in Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Task 2. Access a file as user bad_person and delete the user account . . . . . . . . . . . . . . . . . . . . . . . .102
Task 3. Verify that an offense is created . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

11 Managing false positives exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103


Exercise 1. Manage excessive false positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

12 Using Reference Maps in rules exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105


Exercise 1. Create reference maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Exercise 2. Create a custom rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Exercise 3. Create a search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Exercise 4. Create an ADE rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Exercise 5. Test the ADE rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Exercise 6. Refine the ADE rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Exercise 7. Test the refined ADE rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

About these exercises

Virtual machines
The lab environment uses two virtual machines:
• QRadar SIEM server: a virtual machine running IBM Security QRadar SIEM 7.2 on Red Hat
Enterprise Linux Server 6.3.

• Windows DC: a virtual machine running Microsoft Windows Server 2003 Enterprise x64 Edition
Service Pack 1, with PuTTY and Mozilla Firefox installed for access to the QRadar SIEM
virtual machine.

Logging in to the Windows VM


To log in to the Windows VM, use the following credentials:
• User Name: Administrator

• Password: object00

Note: On a Windows VM, the key combination Ctrl+Alt+Ins is the same as Ctrl+Alt+Del.

Logging in to the QRadar SIEM server VM


To log in to the QRadar SIEM server VM, perform the following steps:
1. On the Windows VM desktop, double-click the PuTTY icon.

2. Double-click the QRadar saved session.

3. Use the following credentials to log on to the QRadar SIEM server:


• User name: root

• Password: object00

Logging in to the QRadar SIEM console


To log in to the QRadar SIEM console, perform the following steps:
1. On the Windows VM desktop, open the Firefox web browser.
The browser opens the QRadar SIEM console.

2. Click Login to QRadar.

Note: The credentials to log in to the QRadar SIEM console are user name admin and
password object00.

FileZilla login credentials
To launch the FileZilla application, perform the following steps:
1. On the Windows VM desktop, double-click the FileZilla icon.

2. Use the following credentials to establish a FileZilla session with the QRadar SIEM server:
• Host: 192.168.10.10

• Username: root
• Password: object00

• Port: 22

3. Verify that your credentials look like the ones in the following graphic.

4. Press Enter.

1 Using administration tools exercises

Exercise 1. Access the lab environment


Follow the procedure provided by your instructor to access the lab environment.

Exercise 2. Configure the deployment editor


To configure the deployment editor, perform the following steps:
1. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page viii.

2. Click the Admin tab.

3. Double-click Deployment Editor.


4. Click OK to open the adminconsole.cgi window with the Java(TM) Web Start Launcher.

5. Click Run to ignore the application security warning message.

6. Click No to ignore the component security warning.

The Deployment Editor window opens.

7. Right-click the qflow0::COE component and click Configure.

The QFlow Configuration window opens.

8. Click Advanced.


9. Explain the purpose and value assigned to the following parameters:


• Maximum Data Capture/Packet

________________________________________________________________________

____________________________________________

• Maximum Content Capture

____________________________________________

____________________________________________

Hint: Select the parameter name. The parameter’s explanation displays at the bottom of the
window.

10. Click Cancel.


11. Close the Deployment Editor. On the toolbar click File > Close editor.

Exercise 3. Define the difference between a soft clean and hard clean
To understand the clean SIM model functionality, perform the following steps:
1. On the Admin tab toolbar, click Advanced.

2. Click Clean SIM Model.


Two options are available: soft clean and hard clean.

3. Use context-sensitive help to explain the difference between the two options.

Note: Click the small question mark located at the top right of the window to get
context-sensitive help.

Soft Clean:

_______________________________________________________________________

____________________________________________

Hard Clean:

_______________________________________________________________________

____________________________________________

4. Close the help window.

5. Close the Reset Clean SIM Data Model window.

Exercise 4. Set up auto updates and context-sensitive help
To set up auto updates and view context-sensitive help, perform the following steps:
1. On the Admin tab, double-click Auto Update.

2. On the navigation menu, click Change Settings.


The Update Configuration window opens.

3. Click Advanced.

4. In the Web Server field, type http://www.ibm.com/support/fixcentral/.

5. In the Directory field, verify that autoupdates/ is listed.

6. Click Basic.

Note: Specify the auto-update strategy here.


7. Configure the auto-update schedule as shown in the following table.

Field / Option Setting


Frequency Weekly
Hour 12 PM
Week Day Tuesday

Note: QRadar SIEM releases DSM and protocol updates weekly, on Monday. Remote network
configuration and X-Force IP reputation updates are also in the weekly updates.

8. Use context-sensitive help to view the instructions to configure a QRadar SIEM update server,
as described in the following steps.
a. Click the context sensitive help icon.

b. On the navigation menu, click Setting up QRadar SIEM > Setting up a QRadar SIEM
update server.

c. Review the information.

Hint: In a production environment, you need this procedure when the QRadar SIEM console cannot
reach the Internet; the console then pulls its updates from an internal update server instead.

9. Close the help window.


10. Click Save.

11. Close the Update Configuration window.

2 Creating the network hierarchy exercises

Exercise 1. Set up network hierarchy objects


To set up network hierarchy objects, perform the following steps:
1. In the QRadar SIEM console click the Admin tab.

2. Click Network Hierarchy.


The Network Views window opens.

3. Click the all group and click Add.

4. Next to the Group field, click Add Group.

5. For the new network group, type Europe.Sales.


Hint: Do not omit the . (dot) between Europe and Sales; it separates the group from its subgroup.

6. Click OK.

7. Add a network object using the values in the following table.

Field / Option     Setting

Name               Ireland
Weight             50
IP/CIDR(s)         87.198.175.120/32, then click Add
Color              select any color
Database Length    System - Network Object Default

Note: The Color and Database Length fields are no longer used, but are still shown in the user
interface, so you must enter a value.

8. Verify that your network object parameters look similar to the ones in the following graphic.

9. Click Save.

10. Click Return.

11. Verify that the Ireland network hierarchy object is under the group Europe and subgroup Sales.

12. Create three additional network objects using the values in the following table.

Group: Americas.HQ
Field / Option     Setting
Name               Sales
Weight             50
IP/CIDR(s)         55.0.0.0/8, then click Add; 10.1.121.0/24, then click Add
Color              select any color
Database Length    System - Network Object

Group: Americas.HQ
Field / Option     Setting
Name               Development
Weight             50
IP/CIDR(s)         74.0.0.0/8, then click Add
Color              select any color
Database Length    System - Network Object

Group: Asia.Turkey
Field / Option     Setting
Name               Support
Weight             50
IP/CIDR(s)         94.122.0.0/16, then click Add
Color              select any color
Database Length    System - Network Object


13. Verify that the new groups and objects are in the network hierarchy and look similar to the ones
in the following graphic.

14. Close the Network Views window.

15. On the Admin tab, click Deploy Changes.

Note: It may take QRadar SIEM a few minutes to deploy the changes.
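The objects you just deployed define what QRadar SIEM treats as local address space: an event whose source or destination falls inside a network hierarchy object is local, anything else is remote, and that classification drives the Local-to-Remote, Remote-to-Local and Local-to-Local tests in rules and the direction reported on offenses. The following Python script is an added example, not part of the course materials: it loads the lab's objects, resolves an address to its most specific object, checks that no two objects overlap, and lists the objects that contain public address space. The "Group.Name" keys are this example's own naming convention.

```python
import ipaddress

# Network hierarchy objects from the lab tables. Keys are "Group.Name" (this example's
# own naming); values are the CIDRs entered in the IP/CIDR(s) field.
LAB_HIERARCHY = {
    "Europe.Sales.Ireland": ["87.198.175.120/32"],
    "Americas.HQ.Sales": ["55.0.0.0/8", "10.1.121.0/24"],
    "Americas.HQ.Development": ["74.0.0.0/8"],
    "Asia.Turkey.Support": ["94.122.0.0/16"],
}


def build_hierarchy(spec):
    """Parse every CIDR once. strict=True rejects a network address with host bits set
    (for example 10.1.121.5/24), which the console would also refuse."""
    entries = []
    for name, cidrs in spec.items():
        for cidr in cidrs:
            entries.append((ipaddress.ip_network(cidr, strict=True), name))
    return entries


def classify(ip, entries):
    """Longest-prefix match: the most specific object wins. None means the address is
    outside the hierarchy, that is, remote from QRadar's point of view."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def overlaps(entries):
    """Pairs of different objects whose CIDRs overlap. An address that belongs to two
    objects is an ambiguity to resolve before you click Deploy Changes."""
    found = []
    for i, (net_a, name_a) in enumerate(entries):
        for net_b, name_b in entries[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                found.append((name_a, str(net_a), name_b, str(net_b)))
    return found


def public_objects(entries):
    """Objects that put non-private address space into the hierarchy. Every address in
    such a range is reported as local, so these should be ranges you actually own."""
    return sorted({name for net, name in entries if not net.is_private})


if __name__ == "__main__":
    hierarchy = build_hierarchy(LAB_HIERARCHY)
    for ip in ("10.1.121.7", "94.122.3.4", "192.168.10.10"):
        print(ip, "->", classify(ip, hierarchy) or "remote")
    print("overlaps:", overlaps(hierarchy))
    print("public ranges in hierarchy:", public_objects(hierarchy))
```

In the lab, 55.0.0.0/8, 74.0.0.0/8, 87.198.175.120/32 and 94.122.0.0/16 are public ranges chosen for the exercise, and the script reports all four objects as public. In a production hierarchy, enter only address space you own: any range listed here stops being reported as remote, so traffic from an unrelated public range would be evaluated as local by every rule that tests direction.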

3 Updated administration tools exercises

Exercise 1. Import data from a third-party scanner
In this exercise, you add a scanner, update the modification date of the scan results files, and
schedule a scan in QRadar SIEM.

Task 1. Add a scanner


To verify that no assets with vulnerabilities exist, perform the following steps:
1. In the QRadar SIEM console, click the Assets tab.

2. On the navigation menu, click Asset Profiles.

3. Click the Vulnerabilities column and sort in descending order.

Add a third-party scanner by performing the following steps:

4. In the QRadar SIEM console, click the Admin tab.

5. Click VA Scanners.
The VA Scanners window opens.

6. On the toolbar click Add.


The Add Scanner window opens.

7. Add the new scanner using the values in the following table.


Field / Option Setting


Scanner Name Nessus Exercise
Description Exercise
Managed Host Default value
Type Nessus Scanner
Collection Type Scheduled Results Import
Remote Results Hostname 192.168.10.10
Remote Results Port 22
SSH Username root
SSH Password object00
Enable Key Authentication disable
Remote Results Directory /labfiles/VIS
Remote Results File Pattern .*\.nessus
Remote Results Max Age 7
CIDR Ranges 0.0.0.0/0

8. Verify that the configuration looks like the one in the following graphic.

9. Click Save.

10. On the Admin tab, click Deploy Changes.

Task 2. Update scan results file modification date
The Nessus scanner is configured to retrieve results from a scan performed during the last 7 days.
The Nessus result files are stored in the /labfiles/VIS directory on the QRadar SIEM server.
Because these files have a modification date older than 7 days, you must update the modification
date of these files to import the scan results.

To update the modification date of the scan results files, perform the following steps:

1. Log in to the QRadar SIEM server. Use the procedure “Logging in to the QRadar SIEM server
VM” on page vii.

2. In the PuTTY command line, type:

cd /labfiles/VIS
touch *

3. Return to the QRadar SIEM console.
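As an added example (not part of the course material), the following Python models how the scanner's Remote Results File Pattern and Remote Results Max Age settings select files by modification time, and why touching stale files makes them importable again. It assumes that QRadar matches the pattern against the whole file name and measures age from the file mtime; the directory contents and timestamps are constructed.

```python
"""Added example (not course material): model the selection of Nessus result
files by the scanner's file pattern (.*\\.nessus) and max age (7 days), and
the effect of `touch *` on a directory of stale files.  Assumes QRadar matches
the pattern against the whole file name and measures age from mtime."""
import os
import re
import tempfile
import time

FILE_PATTERN = re.compile(r".*\.nessus")   # Remote Results File Pattern
MAX_AGE_DAYS = 7                           # Remote Results Max Age
DAY = 24 * 60 * 60


def select_result_files(directory, now=None, pattern=FILE_PATTERN,
                        max_age_days=MAX_AGE_DAYS):
    """Return the sorted names of regular files whose whole name matches
    `pattern` and whose modification time is within `max_age_days` of `now`."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    selected = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not pattern.fullmatch(name):
            continue
        if os.stat(path).st_mtime >= cutoff:
            selected.append(name)
    return sorted(selected)


def touch_all(directory, now=None):
    """Equivalent of `touch *`: set the mtime of every file in `directory` to `now`."""
    now = time.time() if now is None else now
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            os.utime(path, (now, now))


def demo():
    """Build a constructed /labfiles/VIS-like directory with files of different
    ages and return the selection before and after touching them."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        # Constructed files: name -> age in days (placeholder content only).
        ages = {"scan1.nessus": 30, "scan2.nessus": 2,
                "scan1.nessus.bak": 1, "notes.txt": 1}
        for name, age_days in ages.items():
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real Nessus report\n")
            os.utime(path, (now - age_days * DAY, now - age_days * DAY))
        before = select_result_files(d, now)   # only scan2.nessus is young enough
        touch_all(d, now)
        after = select_result_files(d, now)    # both .nessus files now qualify
        return before, after


if __name__ == "__main__":
    print(demo())
```

The `.bak` copy and `notes.txt` are never selected because the pattern must match the whole file name, so a stray file in the directory cannot be picked up as scan input.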

Task 3. Schedule a scan

To schedule the scan, perform the following steps:
1. In the VA Scanners window, select the Nessus Exercise VA scanner and click Schedule.
The Scan Scheduling window opens.

2. Click Add.

3. Create a new schedule using the values in the following table.

Field / Option   Setting
VA Scanner       Nessus Exercise
Network CIDR     0.0.0.0/0
Priority         Low
Ports            1-63553
Start Time       <today’s date> <2 minutes from the current time>
Interval         0 Hours


4. Verify that the configuration looks similar to the one in the following graphic.

5. Click Save.

6. Wait two minutes and verify that the schedule’s Status changes to Complete.

7. Close the Scan Scheduling window and the VA Scanners window.

To verify that assets with vulnerabilities appear on the Assets tab, perform the following steps:

8. In the QRadar SIEM console, click the Assets tab.

9. On the navigation menu, click Asset Profiles.

10. Click the Vulnerabilities column and sort in descending order.


Exercise 2. Manage assets


In this exercise, you view an asset profile, edit MAC and IP addresses, edit an asset’s name and
operating system, and search for vulnerable assets.

Important: This exercise requires that you complete Exercise 1, "Import data from a
third-party scanner," on page 11.

Task 1. View an asset profile

To view an asset profile, perform the following steps:
1. In the QRadar SIEM console, on the Assets tab, from the Asset Profiles list, select the
10.0.100.162 IP address.
The Asset Details window opens.

2. On the Asset Details window toolbar, click Display > Services.

3. Review the services recognized on this asset.


4. Close the Asset Details window.

5. On the Asset list, click the 192.168.10.10 IP address.

Note: This is the QRadar SIEM console IP address.

6. On the Asset Details window toolbar, click Applications.
The Flow Search window opens.

7. Click Search.
The flow search results show all the applications identified in the flow information captured for
this IP address.

8. Close the flow search results window.

Task 2. Edit an asset MAC and IP address

To update the MAC and IP address for the 192.168.10.10 asset, perform the following steps:
1. In the PuTTY command line, type:
ifconfig

2. Note the HWaddr (MAC address) for each IP address. Verify that the output of the ifconfig
command looks similar to the output in the following graphic.

3. On the Asset Details window toolbar, click Edit Asset.
The Edit Asset Profile window opens.

4. In the MAC & IP Address pane, select Unknown NIC and click Edit.


5. Change the MAC to the hardware address highlighted in the graphic for Step 2 (HWaddr for
eth0) and click OK.

6. Click New MAC Address, type the second hardware address highlighted in the graphic for
Step 2 (HWaddr for eth1), and click Add.

7. Select the new MAC address that you entered for eth1 and click New IP Address.

8. Type the IP address for eth1 as shown in the graphic for Step 2 then click Add.

9. Verify that your configuration looks similar to the one in the following graphic.

Note: Make sure that the MAC address and IP address for your configuration match the output
of the ifconfig command information for your system. This information is likely to be similar to the
graphic shown in Step 2.

Task 3. Edit an asset name and operating system
To edit an asset DNS name and operating system, perform the following steps:
1. Expand the Names & Description pane.
2. In the DNS Name field, type COE.ibm.com and click Add.

3. In the NetBIOS Name field, type COE.ibm.com and click Add.

4. In the Given Name field, type QRadar.

5. Expand the Operating System pane and select the following options:

Field / Option   Setting
Vendor           Red Hat
Product          Enterprise Linux
Version          5.4.0

6. Click Add.

7. Scroll down and click Save.


8. On the top right of the Asset Details window, click the refresh icon and expand the Network
Interface Summary pane.


9. Verify that your asset profile looks similar to the one in the following graphic.

10. Close the Asset Details window.

Task 4. Search asset profiles

Perform the following steps to create an asset profiles search to show vulnerabilities on port 445:
1. On the Asset list toolbar, click Search > New Search.

2. Add the Vulnerabilities On Open Port Equals 445 filter.

3. Click Search.

4. Verify that your search results look similar to the results in the following graphic.

The system searches the asset datastore and finds asset profiles with vulnerabilities on port 445.


Exercise 3. Create a reference set

To create the Newly created users reference set, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Reference Set Management.


The Reference Set Management window opens.

Note: The default reference sets provided by QRadar SIEM have no elements.

3. Click Add.

4. Create a reference set using the values in the following table.

Field / Option            Setting
Name                      Newly created users
Type                      AlphaNumeric
Time to Live of Elements  5 Days
Since first seen          <Enable>
Lives Forever             <Disable>

5. Verify that your configuration looks like the one in the following graphic.

6. Click Create.


Exercise 4. Import reference set data from a file

To update the elements of the HR Data reference set from a file, perform the following steps:
1. On the Windows VM desktop, create a new text file with the following lines, each terminated by
a new line character:
a. C:\labfiles\HR
b. C:\labfiles\HR\Resource Actions.txt

2. Save the file on the desktop as HR files.txt.

3. In the Reference Set Management window, double-click HR Data.
The Reference Set Editor window opens and displays the current contents of the HR Data
reference set.

4. Click Import.

5. In the pop-up window, click Browse.

6. Select the HR files.txt file on the Windows desktop and click Open.

7. Click Import.
The import adds the content of the text file to the reference set.

8. Verify that your HR Data reference set content looks like the content in the following graphic.

9. Close the Reference Set Editor window.


Exercise 5. Use a reference set in rules


In this exercise you create a reference set, incorporate it into rules, and verify that the reference set
is updated.

Task 1. Create a reference set


To create the High Surveillance reference set, perform the following steps:
1. In the Reference Set Management window, click Add.

2. Create the reference set using the values in the following table.

Field / Option            Setting
Name                      High Surveillance
Type                      AlphaNumeric (Ignore Case)
Time to Live of Elements  14 Days
Since first seen          <Enable>
Lives Forever             <Disable>

3. Click Create.

4. On the Windows desktop, create another text file with the following lines, each terminated by a
new line character:
a. PeggyBundy

b. Marcyd’Arcy

c. KellyBundy

5. Save the file on the desktop as Surveillance.txt.


6. In the Reference Set Management window, double-click High Surveillance.

7. Click Import.

8. In the pop-up window, click Browse.

9. Select the Surveillance.txt file on the Windows desktop and click Open.

10. Click Import.


Note: Observe that the content is in lowercase. The case is ignored.

11. While looking at the elements in the High Surveillance reference set, click the Refresh icon
several times for approximately one minute.

12. Verify that the Time to Live value changes.

13. To manually add elements to the reference set, click Add.


a. In the new window, type cary.

b. Click Add.

14. Close the Reference Set Editor and the Reference Set Management windows.

Task 2. Edit rules that include a reference set


To edit rules that include the High Surveillance reference set, perform the following steps:
1. In the QRadar SIEM console, click the Offenses tab.

2. Click Rules.
3. From the Group list, select Exercises.

4. Double-click the DEMO: Add locked account to Surveillance list rule.

5. In the Rule Wizard window, click Next until you see the Rule Wizard - Rule Response window.

6. In the Rule Wizard - Rule Response window, change the IT Admins-AlphaNumeric reference
set to High Surveillance - AlphaNumeric (Ignore Case).

7. Click Finish.
8. Double-click the DEMO:Accounts under Surveillance rule.

9. In the Rule Editor - Rule Test Stack Editor window, change the IT Admins testable object to High
Surveillance - AlphaNumeric (Ignore Case) by performing the following steps:
a. Select the IT Admins testable object.

b. In the Selected Items list, click IT Admins and click Remove.

c. In the pop-up window, click High Surveillance and click Add.

d. Click Submit.

10. Verify that your rule looks like the one in the following graphic.

11. Click Finish.

Note: You modified two sample rules to use the High Surveillance reference set. The first rule
adds any account that is locked out to the reference set, while the second rule generates a new
event with the event name User Surveillance Event whenever one of the listed users generates
activity.

Task 3. View the content of a reference set

To view the content of the High Surveillance reference set before generating events that update it,
perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Reference Set Management.

3. Click High Surveillance.


4. How many records are listed?

________________________________________________________________________

5. Click References.

6. List the rule that is configured to add elements to the reference set.

____________________________________________

Task 4. Generate events to trigger the rules


To generate events that trigger the rules, perform the following steps:
1. In the PuTTY command line, type:
cd /labfiles
./sendWindows.sh

2. Let the script run for two minutes.

3. To stop the script, press CTRL+C.

Task 5. View the content of a reference set and log events

To verify the reference set content after the DEMO: Add locked account to Surveillance list rule
updates it, perform the following steps:
1. In the QRadar SIEM console, double-click the Log Activity tab.

2. Add the Event Name Equals User Surveillance Event filter.

Hint: When browsing for the user surveillance event to include in the filter, in the Event Browser
window in the QID/Name field, type User Surveillance Event.

3. From the View list, select Last 5 minutes.

4. How many events are listed?

____________________________________________

5. Where are these user names also listed?

____________________________________________

6. View the content of the High Surveillance reference set.

Task 6. View system notification messages


You use a reference set to monitor special accounts. Imagine that you closely monitor a list of
privileged accounts with unrestricted access to all system data and you are required to receive a
notification whenever these accounts are used. The DEMO:Accounts under Surveillance rule sends a
notification to the QRadar SIEM console to satisfy this requirement.
1. To see such a notification, in the QRadar SIEM console on the toolbar, click Messages.

2. Click View All.

3. In the List of Events window, double-click the User Account Locked Out event.

All the User Account Locked Out events are displayed.

These events are also in the System Monitoring dashboard under System Notifications. If time
permits, examine these events and explain which rule sends these events to the System Monitoring
dashboard. (Check the responses defined for the demo rules that were triggered by these events.)

Another application of this functionality is to monitor the actions of employees leaving the company.
To restrict events monitored for these employees, add another test to the DEMO: Accounts under
Surveillance rule and test for user accounts that access files listed in the sensitive data reference
set.


Exercise 6. Manage the index


In this exercise, you create an index for two properties. Then you use the indexed properties in
searches and observe how the statistics for the indexed properties are updated.

Task 1. Enable an index and view indexed properties data


To view data for indexed properties, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Index Management.


The Index Management window opens.

3. Verify that some indexed properties have values in the Data Written column by sorting that
column in descending order.

Note: Management information for the indexed property updates every hour.

4. Right-click AccountName (custom) and click Enable Index.

5. Click Save.

6. Close the Index Management window.

Task 2. Use an indexed property in a search


1. In the PuTTY command line, type:
./sendWindows.sh

2. In the QRadar SIEM console, double-click the Log Activity tab.

3. Create a new search using the following criteria:


a. View the events from the last 24 hours.

b. Add the AccountName (custom) is not N/A filter.

c. Edit the search.


i. In the columns definition pane, group the search results by AccountName.
ii. From the Columns list, select Event Name and Event Count.

iii. From the Order By list, select Event Count.

4. Click Search.

5. Verify that your search results look similar to the results in the following graphic.

6. Click Save Criteria to save the search.

7. Save the search using the values in the following table.

Field / Option                Setting
Search Name                   DEMO Index management
Timespan options              Recent (enable), Last 24 hours
Include in my Quick Searches  <enable>


8. Verify that your configuration looks like the one in the following graphic.

9. Wait five minutes for the sendWindows.sh script to finish.

To view the data for the indexed property used in the search, perform the following steps:
10. In the QRadar SIEM console, click the Admin tab.

11. Click Index Management.

12. Verify that the AccountName property now includes statistics for the indexed property. (The
statistics update only hourly, so you might need to wait an hour before you see the property’s
statistics.)

13. Close the Index Management window.

Task 3. Create and index a custom property


Perform the following steps to configure indexed properties to use in rules.
1. In the QRadar SIEM console, double-click the Log Activity tab.

2. In the Quick Filter search field, type “Logon Type”.

Hint: Be sure to include the quotation marks.

3. From the View list, select Last 24 hours.

4. Double-click any event in the search results list.

5. In the Event Details window on the toolbar, click Extract Property.


The Custom Event Property Definition window opens.

6. Create a new property using the values in the following table.

Field / Option       Setting
New Property         WinLogonType
Description          Windows logon type determines how the logon was issued: interactive, network, local, batch, etc.
Category             <Enable>
High Level category  Any (Enable Category first)
Low Level category   Any
RegEx                Logon\sType:.*?(\d{1,2})
Capture Group        1
All other fields     <Keep the default values>

7. Verify that your configuration looks like the one in the following graphic.

8. Click Save.
9. In the QRadar SIEM console, click the Admin tab.

10. Click Index Management.

11. Search for the WinLogonType property.

12. Right-click WinLogonType and click Enable Index.

13. Click Save.
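The WinLogonType regex and capture group from the table above, applied to a few constructed Windows logon event payloads, as an added example that is not part of the course material. The sample payloads and the helper names are my own; the regex behaves the same way in Python as in QRadar's Java-based extraction for this pattern.

```python
"""Added example (not course material): evaluate the WinLogonType custom
event property, RegEx Logon\\sType:.*?(\\d{1,2}) with capture group 1, against
constructed Windows security event payloads, and group the results the way a
Log Activity search grouped on the property would."""
import re

# Regex and capture group exactly as entered in the property definition.
WIN_LOGON_TYPE = re.compile(r"Logon\sType:.*?(\d{1,2})")
CAPTURE_GROUP = 1

# Constructed sample payloads (not real QRadar events).
SAMPLE_PAYLOADS = [
    "An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Logon Type: 3 New Logon: Account Name: PeggyBundy Logon ID: 0x3e7",
    # tab instead of space after the label; lazy .*? still stops at the first digits
    "An account was successfully logged on. Logon Type:\t10 Account Name: KellyBundy",
    "An account failed to log on. Logon Type: 2 Failure Reason: Unknown user name or bad password.",
    # no Logon Type field at all: the property stays empty (N/A in searches)
    "Special privileges assigned to new logon. Account Name: SYSTEM",
]


def extract_property(payload, regex=WIN_LOGON_TYPE, group=CAPTURE_GROUP):
    """Return the captured group as a string, or None when the regex does not
    match.  A None result corresponds to the value the filter
    'WinLogonType (custom) is not N/A' excludes."""
    m = regex.search(payload)
    return m.group(group) if m else None


def count_by_logon_type(payloads):
    """Group events by extracted logon type with an event count per value,
    like a search grouped on WinLogonType with an Event Count column."""
    counts = {}
    for payload in payloads:
        value = extract_property(payload)
        if value is None:
            continue                      # unmatched events drop out of the grouping
        counts[value] = counts.get(value, 0) + 1
    return counts


def filter_equals_any_of(payloads, wanted):
    """Events whose WinLogonType equals any of `wanted` (the filter used in Task 4)."""
    return [p for p in payloads if extract_property(p) in set(wanted)]


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(repr(extract_property(p)), "<-", p[:45], "...")
    print(count_by_logon_type(SAMPLE_PAYLOADS))
    print(len(filter_equals_any_of(SAMPLE_PAYLOADS, ["3"])), "network logon event(s)")
```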


Task 4. Verify the indexed property is configured for use in searches or rules

To use the indexed property in a search, perform the following steps:
1. In the QRadar SIEM console, double-click the Log Activity tab.

2. Create a search using the following criteria:


a. Add the WinLogonType (custom) equals any of 3 filter.

b. View the events for the last 24 hours.

Note: You can use the new property in searches and reports.

To use an indexed property in a rule, perform the following steps:

3. In the QRadar SIEM console, click the Offenses tab.

4. Click Rules.

5. From the Group list, select Exercises.

6. Edit the DEMO: Accounts under Surveillance rule by changing the Username testable object to
WinLogonType (Custom).

7. Can you change the testable object to WinLogonType?

________________________________________________________________________

Task 5. Configure an indexed property to use in rules


To configure an indexed property to use in a rule, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Custom Event Properties.

3. Double-click the WinLogonType property.

4. In the Property Definition window, enable the Optimize parsing for rules, reports, and
searches option.


5. Click Save.

6. Edit the DEMO: Accounts under Surveillance rule and change the AccountName(Custom)
testable object to WinLogonType (custom).

7. Can you make the modification now? Why?

____________________________________________

____________________________________________

Note: If you disable indexing for the WinLogonType property and keep parsing optimized for
rules, reports, and searches, you can continue to use the property in searches and rules.

8. Click Cancel to close the Rule Wizard window.

4 Managing users exercises

Exercise 1. Configure and test remote authentication

In this exercise, you configure remote authentication, create a user account in QRadar SIEM, and
add the new user account in Active Directory.

Task 1. Configure remote authentication


To use a third-party authentication process to validate the password to log in to the QRadar SIEM
console, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Authentication.
The Authentication Configuration window opens.

3. From the Authentication Module list, click Active Directory.

4. Configure Active Directory authentication using the values in the following table.

Field / Option  Setting
Server URL      ldap://192.168.10.12:389
LDAP Context    DC=coe,DC=ibm,DC=com
LDAP Domain     coe.ibm.com


5. Verify that your configuration looks like the one in the following graphic.

6. Click Save.

7. Close the Authentication Configuration window.

8. On the Admin tab, click Deploy Changes.

Task 2. Create a QRadar SIEM user account


To create a QRadar SIEM user account with the All role, perform the following steps:
1. On the Admin tab, click Users.
The User Management window opens.

2. Click New.

3. Create a QRadar SIEM user using the values in the following table.

Field / Option    Setting
Username          PeggyBundy
E-mail            peggy.bundy@coe.ibm.com
Password          object00
Confirm Password  object00
Description       Exercise
User Role         All
Security Profile  Admin

Note: Selecting the All user role disables the Password field. A password is not required for
users with non-administrative roles using Active Directory.

4. Verify that your configuration looks like the one in the following graphic.

5. Click Save and Close.

6. Close the User Management window.

7. On the Admin tab, click Deploy Changes.

To test the authentication changes, perform the following steps:

8. Log out of the QRadar SIEM console as user admin.

9. Log in to the QRadar SIEM console with the following credentials:


• User name: PeggyBundy

• Password: object00

A login failure occurs because the PeggyBundy user is not known to Active Directory.

Task 3. Create a user account in Active Directory


To create a user account in Active Directory, perform the following steps:
1. In the Windows command line, type dsa.msc.
The Active Directory Users and Computers window opens.

2. Expand the coe.ibm.com node.

3. Expand the Users node and click Users.


4. On the toolbar, click Action > New > User.

5. Create a normal user using the values in the following table.

Field / Option   Setting
First name       Peggy
Last name        Bundy
User logon name  PeggyBundy

6. Verify that your configuration looks like the one in the following graphic.

7. Click Next.
8. Configure the user password using the values in the following table.

Field / Option                            Setting
Password                                  object00
User must change password at next log on  Disable
User cannot change password               Enable
Password never expires                    Enable
Account is disabled                       Disable


9. Verify that your configuration looks like the one in the following graphic.

10. Click Next and Finish.

11. Exit Active Directory.

12. Return to the QRadar SIEM login window.

Task 4. Log in to the QRadar SIEM console


1. Log in to the QRadar SIEM console with the following credentials:
• User name: PeggyBundy

• Password: object00

PeggyBundy is now logged in to the QRadar SIEM console.

2. Click Preferences > User Preferences.

3. Can you change the password for PeggyBundy? Why?

________________________________________________________________________

4. Log out of the QRadar SIEM console.


Exercise 2. Manage users

Important: Before performing this exercise, complete the following exercises: “Set up network
hierarchy objects” on page 7, “Create a reference set” on page 21, and “Configure and test remote
authentication” on page 35.

A user account must be created for each user requiring access to the QRadar SIEM console. Each
user account is assigned a user role and security profile. A user role defines the function a user
accesses in the QRadar SIEM console. A security profile grants a user permission to view and
search log sources and networks.

Task 1. Create a user role and security profile


To create user roles and security profiles, perform the following steps:
1. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page viii.
2. In the QRadar SIEM console, click the Admin tab.

3. Click Security Profiles.


The Security Profile Management window opens.
4. Click New.

5. Create a new profile using the values in the following table.

Field / Option         Setting
Security Profile Name  WinAud
Description            Auditor with privileges to see Windows event logs and networks
Permission Precedence  Networks OR Log Sources
Networks               Europe.Sales.Ireland, Regulatory_Compliance_Servers
Log Sources            WindowsAuthServer@10.0.120.11


6. Verify that your security profile network configuration looks like the one in the following graphic.

7. Verify that your security profile log source configuration looks like the one in the following
graphic.

8. Click Save and Close.

9. Click User Roles.


The User Role Management window opens.

10. Click New.

11. Create a new user role using the values in the following table.

Field                           Value
User Role Name                  WinAud
Admin                           <Disable>
Offenses                        <Enable>
Log Activity                    <Enable>
Network Activity                <Disable>
Assets                          <Enable>
Reports                         <Enable>
IP Right Click Menu Extensions  <Disable>

Note: Selecting a role grants the user access to all functionality for the role. Within the role, you
can grant access to individual functions. For example, selecting Offenses grants the user access to
all functionality within the Offenses tab. Within the Offenses role, you can grant individual access
to the following permissions: assign offenses to users, maintain custom rules, manage offense
close reasons, or view custom rules.

12. Verify that your configuration looks like the one in the following graphic.

13. Click Save and Close.


14. Assign PeggyBundy the WinAud user role and security profile.
a. On the Admin tab, click Users.
b. Double-click the user PeggyBundy.

c. Change the User Role and Security Profile to WinAud.

d. Click Save and Close.

15. On the Admin tab, click Deploy Changes.

Exercise 3. Explore how user roles and security profiles work

In this exercise, you explore how security profiles work with offenses, rules, log activity, and
assets.

Task 1. Explore how security profiles work with offenses and rules
Perform the following steps to see how security roles and profiles affect offenses and rules:
1. Log in to the QRadar SIEM console as the PeggyBundy user.

2. In the QRadar SIEM console, click the Offenses tab.


a. How many offenses are listed?

________________________________________________________________________

3. To see how security roles affect rules, click Rules.

4. From the Action menu, click New Event Rule.

5. Continue to click Next and from the All Test Group, select the when the local network is one of
the following networks test.

6. Select the one of the following networks testable object.

7. List the network objects available for you to select.

________________________________________________________________________

8. Click Cancel.

9. From the All Test Group, select the when the event(s) were detected by one or more of these
log sources test.

10. Select the these log sources testable object.

11. List the log sources available for you to select.

_______________________________________________________________________

12. Click Cancel.

13. Click Cancel.

Task 2. Explore how security profiles work with log activity and assets
Perform the following steps to see how security roles and profiles affect viewing log events and
assets:
1. In the QRadar SIEM console, double-click the Log Activity tab.

2. Click Add Filter to add a Log Source filter.

3. List the log sources available for you to select.

_______________________________________________________________________

4. Click Add Filter to add a Source or Destination Network filter.

5. List the network objects available for you to select.

_______________________________________________________________________

6. Click the Asset tab.


7. How many assets are in the list?

_______________________________________________________________________

8. Log in to the QRadar SIEM console as user admin and perform Step 2 to Step 6 again.
Compare the data shown when accessing the QRadar SIEM console as admin and as
PeggyBundy. In general, what are the differences between the two users?

_______________________________________________________________________

____________________________________________

9. In the PuTTY command line, type:


cd /etc/init.d
service sendevents start


After one minute, events and flows are sent to QRadar SIEM.

10. Log in to the QRadar SIEM console as the PeggyBundy user and view the following:
a. Log Activity

b. Network Activity

c. Assets

d. Offenses
i. Why are no offenses listed?

________________________________________________________________________

____________________________________________

11. In the PuTTY command line, type:


service sendevents stop

12. Log in to the QRadar SIEM console as user admin and perform Step 9 to Step again.

13. If time permits, assign the PeggyBundy user account to the All security role and repeat Step 2
to Step 6.

Note: The security profile controls what data a user can see, and the security role controls
the functions a user is authorized to perform.

14. Log out of the QRadar SIEM console as the PeggyBundy user.

Exercise 4. Examine remote authentication for user accounts
In this exercise you explore how the password is authenticated for user accounts assigned the
Admin security role when remote authentication is configured. This is an optional exercise.

Task 1. Assign a user the Admin user role
To assign a user to the Admin user role, perform the following steps:
1. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page viii.

2. In the QRadar SIEM console, click the Admin tab.

3. Click Users.

4. Assign the Admin user role to the PeggyBundy user.

5. Close the User Management window.

6. On the Admin tab, click Deploy Changes.

7. Log out of the QRadar SIEM console as the admin user.

Task 2. Change the QRadar SIEM user password


To change a user password, perform the following steps:
1. Log in to the QRadar SIEM console with the following credentials:
• User name: PeggyBundy

• Password: object00

2. Click Preferences > User Preferences.

3. Can you change the password for PeggyBundy?

_______________________________________________________________________

4. Change the QRadar SIEM password for PeggyBundy from object00 to object11.
5. Log out of the QRadar SIEM console.

Task 3. Verify authentication credentials for the QRadar SIEM user
To verify that user can authenticate to QRadar SIEM, perform the following steps:
1. Log in to the QRadar SIEM console with the following credentials:
• User name: PeggyBundy

• Password: object00

2. Can you log in?

_______________________________________________________________________


3. Based on the password used to log in, which user directory is used to authenticate
PeggyBundy, QRadar SIEM or Active Directory?

________________________________________________________________________

4. Log out of the QRadar SIEM console.

5. Log in to the QRadar SIEM console with the following credentials:


• User name: PeggyBundy

• Password: object11

6. Can you log in?

________________________________________________________________________

7. Based on the password used to log in, which user directory is used to authenticate
PeggyBundy, QRadar SIEM or Active Directory?

________________________________________________________________________

8. What did you learn by doing this exercise?

________________________________________________________________________

____________________________________________

____________________________________________

____________________________________________

9. Log out of the QRadar SIEM console as the PeggyBundy user.

5 Managing data exercises

Exercise 1. Configure a backup schedule


To configure a backup schedule, perform the following steps:
1. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page viii.

2. In the QRadar SIEM console, click the Admin tab.

3. Click Backup and Recovery.


The Backup Archives window opens.

4. On the Backup Archives window toolbar, click Configure.

Important: The backup process starts at midnight and should finish before 02:00 AM every day,
on each event or flow processor relative to the local system time of the processor.

5. Configure the backup using the values in the following table.

Field Value
Backup Repository Path /tmp
Backup Retention Period(days) 2
No Nightly Backups <Disable>
Configuration Backup Only <Disable>
Configuration and Data Backups <Enable>
COE :: 192.168.10.10 Event Data <Enable>
COE :: 192.168.10.10 Flow Data <Disable>


6. Verify that your backup configuration looks similar to the one in the following graphic.

Note: To prevent backup failure, the backup repository path was changed to /tmp. By default,
the process backs up only the configuration data stored on the QRadar SIEM console.

7. Click Save.

8. Close the Backup Archives window.


QRadar SIEM detects a configuration change and displays this message: There are undeployed
changes.

9. To view the configuration changes available for deployment, click View Details > Expand All.

10. In the PuTTY command line, type:


unalias ls
ls -al /store/configservices/deployed/globalconfig/backup-recovery-config.xml
What is the last modification date of this file?

________________________________________________________________________

11. In the PuTTY command line, type:


ls -al /store/configservices/staging/globalconfig/backup-recovery-config.xml

What is the last modification date of this file?

___________________________________________________________________________

12. On the Admin tab, click Deploy Changes.

13. Wait until the deployment completes. It may take 5 minutes.

14. In the PuTTY command line, type:


ls -al /store/configservices/deployed/globalconfig/backup-recovery-config.xml
What is the last modification date of this file now?

___________________________________________________________________________

Exercise 2. Retain events


To retain events in QRadar SIEM, perform the following steps:
1. On the Admin tab, click Event Retention.
The Event Retention window opens.

2. Click row 1.

3. On the Event Retention window toolbar, click Edit.

4. Configure the event retention properties using the values in the following table.

Field / Option Setting


Name PCI servers
Keep data in this bucket for 3 months
Allow data in this bucket to be compressed Never
Delete data in this bucket When storage space is required

Description This bucket keeps the data related to PCI servers for at least 3 months
Current Filters Source or Destination Network Equals Regulatory_Compliance_Servers.Regulatory_Compliance_Servers

5. Verify that your configuration looks like the one in the following graphic.

6. Click Save twice.

6 Collecting log and flow records exercises
QRadar SIEM automatically discovers log sources that send syslog messages. The log sources
automatically discovered appear in the Log Sources window located on the Admin tab. You must
manually define log sources that QRadar SIEM does not automatically discover. Log sources might
have more than one event source. For example, an AIX machine can host DB2 and SAP
applications. AIX operating system, DB2 and SAP logs are event sources for the same IP address.
When there are multiple event sources for the same IP address using the same protocol, you can
order the importance of these events by defining the log source parsing order.

In this unit you perform the following exercises:


• Define and manage log sources

• Create a log source and define the parsing order

Exercise 1. Define and manage log sources


In this exercise, you delete log sources, review log sources for an IP address, disable coalescing
events, and configure the log source parsing order.

Task 1. Delete existing log sources


To delete existing log sources, perform the following steps:

1. In the QRadar SIEM console click the Admin tab.

2. Click Log Sources.


The Log Sources window opens.


3. Select all the log sources and delete them. The list of log sources is now empty.

4. Close the Log Sources window.

Task 2. Observe log sources for an IP address


To observe events for an IP address, perform the following steps:
1. In the PuTTY command line, type:
cd /labfiles
./sendAIX.sh

2. In the QRadar SIEM console, click the Log Activity tab.

3. From the View list, select Real Time (Streaming).

4. Observe the events until you see events with the following log sources:
• LinuxServer@10.0.120.10

• IBMAIXServer@10.0.120.10

5. Stop generating events. In the PuTTY command line, press CTRL+C.
6. In the QRadar SIEM console, click the Admin tab.

7. Click Log Sources.


The Log Sources window opens.

8. Assume that the 10.0.120.10 IP address is an AIX system. Delete the
LinuxServer@10.0.120.10 entry.

9. In the Log Sources list, select LinuxServer@10.0.120.10.

10. On the toolbar, click Delete.

11. Return to the Log Activity window.

12. In the PuTTY command line, type:


./sendAIX.sh

13. Verify that the same events are now parsed as IBMAIXServer events only.

Task 3. Explore disabling coalescing events


By default, events are coalesced. Events with similar attributes received within a specific time
period are coalesced, or bundled, and displayed as one event. The event count indicates the number
of events coalesced. When the Event Count column shows a number higher than one, the event is
coalesced. Note the event count in the graphic for “Observe the events until you see events with
the following log sources:” on page 56.

To disable coalescing events for the IBMAIXServer log source, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Log Sources.


3. Double-click IBMAIXServer@10.0.120.10.
The Edit a log source window opens.

4. Disable Coalescing Events.

5. Click Save.


6. Close the Edit a log source window.

7. Navigate to the Log Activity window and verify that all incoming events have an event count
value of 1.

Task 4. Configure the log source parsing order


Assume that the 10.0.120.10 system also has an Oracle instance sending syslog messages to the
QRadar SIEM server. To configure the log source parsing order, perform the following steps:
1. Open a second PuTTY session with the QRadar SIEM server using “Logging in to the QRadar
SIEM server VM” on page vii.

2. In the PuTTY command line, type:


cd /labfiles
./sendOracle.sh

3. On the Admin tab, click Log Sources.

4. Verify that the OracleOSAudit@10.0.120.10 log source is listed.

5. Close the Log Sources window.


6. Click Log Source Parsing Order.

7. Verify that the following log sources for the 10.0.120.10 machine are listed:
• IBMAIXServer@10.0.120.10
• OracleOSAudit@10.0.120.10

• LinuxServer@10.0.120.10

Only the LinuxServer is disabled. Events from the 10.0.120.10 machine are first parsed by the
IBMAIXServer parser and next by the OracleOSAudit parser. Because the system is a database
server, assume that the Oracle instance generates most of the events.

8. To change the parsing order, select OracleOSAudit@10.0.120.10 and click the UP icon to
move the selected log source up one row.

9. Click Save.
QRadar SIEM processes the OracleOSAudit log source first for the 10.0.120.10 host.

10. Disable coalescing for the OracleOSAudit log source.

11. To complete this exercise, perform the following steps:


a. Terminate both scripts. In each PuTTY command line, press CTRL-C.

b. Close one PuTTY session. In the PuTTY command line, press ALT+PF4.

c. In the Log Sources window, delete all log sources.

Exercise 2. Create a log source manually


In this exercise, you add a log source and a log source extension.

Hint: For a list of DSMs that have auto-discovery disabled, check the Supported DSM list in the
IBM Security QRadar DSM Configuration Guide.

Task 1. Add a log source


To manually create a log source, perform the following steps:
1. On the Log Sources window toolbar, click Add.

2. Create a new log source using the values in the following table.

Field / Option Setting


Log Source Name AS400
Log Source Description Exercise
Log Source Type IBM AS/400 iSeries
Protocol Configuration Syslog
Log Source Identifier 10.0.120.11
Enabled enable
Credibility 5
Target Event Collector default
Coalescing Events disable
Incoming Payload Encoding UTF-8
Store Event Payload enable
Log Source Language English

3. Verify that the log source configuration looks like the one in the following graphic.

4. Click Save.

5. Close the Log Source window.

6. On the Admin tab, click Deploy Changes.

7. Generate AS400 events. In the PuTTY command line, type:


./sendAS400.sh

8. Verify that events from the AS400 log source are included:
a. In the QRadar SIEM console, double-click the Log Activity tab.

b. From the View list, select Real Time (Streaming).

Task 2. Add a log source extension
To add a log source extension, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Log Source Extensions.


The Log Source Extensions window opens.

3. Click Add.

4. Create a log source extension using the values in the following table.

Field / Option Setting


Name AS400
Description Exercise
Use Condition Parsing Enhancement
Log Source Types IBM AS400 iSeries
Upload Extension C:\Documents and Settings\Administrator\Desktop\IBM_AS400_EXT.xml

Hint: From the Log Source Types pane, in the Available column, select IBM AS/400 iSeries
and click the right arrow to move it to the Set to default for column.

Click Browse and select the C:\Documents and Settings\Administrator\Desktop\IBM_AS400_EXT.xml file.


5. Verify that your configuration looks like the one in the following graphic.

6. Click Upload.

7. Click Save.

8. Close the Log Source Extensions window.

9. Define a log source extension for the AS400 log source by performing the following steps:
a. On the Admin tab, click Log Sources.

b. From the Log Sources list, double-click the AS400 log source.

c. From the Log Source Extension list, select AS400.

A log source extension includes instructions to improve the parsing of events performed by
the DSM. QRadar SIEM applies the instructions in the log source extension after processing
the default parser for the IBM AS/400 iSeries DSM. The instructions in the extension
supersede the default DSM instructions for all fields except EventName. QRadar SIEM
detects whether a log extension is used for parsing enhancement or override. Therefore,
you can choose either Extension Use Condition.

d. Click Save.

e. Close the Log Sources window.

7 Collecting Windows log records exercises
To collect Windows log records, you must perform the following exercises:
• Create an authentication token

• Install the WinCollect agent

• Assign log sources to the WinCollect agent

Exercise 1. Create an authentication token


To create an authentication token, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.
2. Click Authorized Services.
3. Click Add Authorized Service.

4. Configure the authorized service using the values in the following table.

Field / Option Setting


Service Name WinCollectFSPDC
User Role Admin
No Expiry Enable

5. Verify that your configuration looks like the one in the following graphic.


6. Click Create Service.

7. On the Authorized Services list, select WinCollectFSPDC.

8. In the Selected Token field, highlight the token, right-click it and click Copy.

Note: The authentication token is a required parameter for the WinCollect installation. The
authentication token allows the WinCollect agent to register automatically with the QRadar SIEM console.

Exercise 2. Install the WinCollect agent


To install the WinCollect agent, perform the following steps:
1. On the desktop, double-click the Agent-WinCollect icon.

The WinCollect installation starts.


2. In the Welcome window, click Next.


3. Accept the license agreement and click Next.


4. On the Customer Information window, enter the values shown in the following table.

Field / Option Setting


User Name Student
Organization COE


5. Verify that your configuration looks like the one in the following graphic.

6. Click Next twice.


7. In the Dialog Bold Title window, enter the values shown in the following table.

Field / Option Setting


Host Identifier FSPDC
Authentication Token Paste the authentication token copied in Step 8
Configuration Console 192.168.10.10

Note: The hostname of the Windows VM is FSPDC.

8. Verify that your Dialog Bold Title window looks like the one in the following graphic.

9. Click Next.
10. Click Install.

11. Click Finish.


The WinCollect agent automatically registers with the QRadar SIEM console.

Exercise 3. Assign log sources to the


WinCollect agent
To add log sources to the WinCollect agent, perform the following steps:
1. On the Admin tab, click WinCollect.

2. Verify that WinCollect@FSPDC appears in the WinCollect agent list.


3. To create a Windows security event log source for the FSPDC WinCollect agent, select
WinCollect@FSPDC and click Log Sources on the toolbar.
The Log Sources window opens.

4. Click Add.

5. Configure the log source using the values in the following table.

Field / Option Setting


Name FSPDC
Log Source Description Exercise
Log Source Type Microsoft Windows Security Event Log
Protocol Configuration WinCollect
Log Source Identifier FSPDC
User Name administrator
Password object00
Confirm Password object00
Standard Log Types
Security Enable
DNS Server Enable
Event Types
Informational Enable
Warning Enable
Error Enable
Success Audit Enable
Failure Audit Enable
WinCollect Agent WinCollect@FSPDC

Note: If a configuration parameter is not in the table, use the default value.

6. Verify that your log source configuration looks like the one in the following graphic.

7. Click Save.
8. Close the Log Sources window.
9. Close the WinCollect window.
10. On the Admin tab, click Deploy Changes.
11. Verify that the FSPDC log source sends events to QRadar SIEM.
a. In the QRadar SIEM console double-click the Log Activity tab.

b. From the View list, select Real Time (Streaming).


8 Managing custom log sources exercises
The exercises in this chapter are examples of how to create UDSM log sources in the QRadar
SIEM console.

Exercise 1. Export QRadar SIEM events


In this exercise, you export incorrectly parsed events from the QRadar SIEM console. These events
are processed correctly by QRadar SIEM later.

To export events from the QRadar SIEM console, perform the following steps:
1. In the PuTTY command line, type:
./sendAIX.sh

2. In the QRadar SIEM console, click the Log Activity tab.

3. From the View list, select Real Time (streaming).

4. Let the system receive these events for 5 minutes.

5. Stop the execution of the script. In the PuTTY command line, press Ctrl+C.

6. List the log sources for the events for the 10.0.120.10 IP address.

_______________________________________________________________________

____________________________________________

7. From the View list, select Last 15 Minutes.

8. From the Display list, select Low Level Category.

9. Double-click the Stored low-level category.


The List of events window for the Stored low-level category opens.


10. From the Actions list, select Export to XML > Full Export.

11. Save the zip file to the host system and browse to where the file is saved. The file is typically
saved in the C:\Documents and Settings\Administrator\My Documents\Downloads folder.

Note: The name of the file is YYYY-MM-DD-data_export.xml.zip, where YYYY-MM-DD is the
year, month, and day.

12. To extract the contents of the file, right-click the file and click Extract All.

Use FileZilla to copy a file to the QRadar SIEM server

13. Use FileZilla to copy the YYYY-MM-DD-data_export.xml file to the QRadar SIEM server.
a. Launch FileZilla using the “FileZilla login credentials” on page ix. Copy the extracted file to
the /labfiles directory on the QRadar SIEM server.

b. In the Local Site pane, navigate to the C:\Documents and Settings\Administrator\My
Documents\Downloads\YYYY-MM-DD-data_export.xml folder and select the
YYYY-MM-DD-data_export.xml file.

c. In the Remote Site pane, navigate to the /labfiles folder.

d. Verify that your configuration looks similar to the one in the following graphic.

e. In the Filename pane, right-click the selected file and select Upload.

f. Click Successful Transfers to verify that the file transfer was successful.

g. Exit FileZilla.


Note: You just exported events to a file and copied the file to the same QRadar SIEM server.
Typically events are exported to a file on one QRadar SIEM server and that file is copied to
another QRadar SIEM server.

14. Exit FileZilla.

15. In the PuTTY command line, type:


./xml2logfile.pl YYYY-MM-DD-data_export.xml > /tmp/AIXevents.log

16. Wait until the script finishes. In the PuTTY command line, type:
tail /tmp/AIXevents.log
You see the extracted events.

17. In the QRadar SIEM console, double-click the Log Activity tab.

18. From the View list, select Real Time (streaming).

19. In the PuTTY command line, type:


/opt/qradar/bin/logrun.pl -f /tmp/AIXevents.log -u 10.0.120.10 35

The events previously categorized as Unknown Stored are now parsed by the AIX parser.

You successfully exported events, extracted the event payload, and sent the raw events to the
same QRadar SIEM for processing. In real life you use this process if you want the events parsed
by the correct DSM. You can also send the exported events to be processed on a different QRadar
SIEM server instance. Use this scenario to instruct a third party to export events and analyze them.

Exercise 2. Use regular expressions


In this exercise you gain experience using regular expressions. All of the regular expressions used
in this exercise are found in the RegExcersise.txt file on the Windows desktop. You can copy and
paste the regular expressions in the file into the Extract Property window if you require assistance
writing regular expressions.

Task 1. Write regular expressions


To use regular expressions, perform the following steps:
1. In the QRadar SIEM console, click the Log Activity tab.

2. Double-click any event.

3. Click Extract Property.

4. On the Windows desktop, find the SampleAIXevent.txt file.

5. Copy the following text from the SampleAIXevent.txt file and paste it into the Test Field pane.
<125>Jul 8 06:38:56 10.0.120.10 <10>Jan 24 17:17:49 Message forwarded from
ibm.aix.test.com: syslog[1855696]: [CLSLog.Handler.File/LogFile
0x10100BE](P/PP/TID 1855696/2195608/2314)
File(/apps/MANH/wmdev/logs/PkMHEInboundS-1855696-0124.log).Write()

6. In the RegEx field, type:


File\(.*\)\.Write\(\)
7. What does this regular expression match?

_______________________________________________________________________

8. In the RegEx field, type:


File\((.*)\)\.Write\(\)

9. What does this regular expression match?

_______________________________________________________________________

10. Close the Custom Event Properties Definition window.

11. Which expression replaces the string Write in the regular expression so that the RegEx
matches other alphabetical values, like Read, for example? Select one.
• \D+

• \.*

• \w+

• (Read|Write)
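To see what the two expressions from steps 6 and 8 actually return outside the Extract Property window, the following Python script is added here as an example; it is not part of the course materials. It runs the expressions over the sample AIX event from step 5 with Python's re module (the \(, \), .* and \w+ constructs behave the same as in the Java regular expressions QRadar evaluates). The Read variant of the event is constructed for the example, and the generalized PATH_AND_METHOD expression is the editor's, not the course's.

```python
import re

# Sample AIX event from SampleAIXevent.txt, as printed in step 5 of this task;
# the line breaks of the printed page are joined with single spaces here.
SAMPLE_AIX_EVENT = (
    "<125>Jul 8 06:38:56 10.0.120.10 <10>Jan 24 17:17:49 Message forwarded from "
    "ibm.aix.test.com: syslog[1855696]: [CLSLog.Handler.File/LogFile "
    "0x10100BE](P/PP/TID 1855696/2195608/2314) "
    "File(/apps/MANH/wmdev/logs/PkMHEInboundS-1855696-0124.log).Write()"
)

# Constructed variant (not on the page): the same call logged as a Read.
SAMPLE_AIX_READ_EVENT = SAMPLE_AIX_EVENT.replace(".Write()", ".Read()")

# The two expressions from steps 6 and 8. They match the same text; the only
# difference is the pair of unescaped parentheses in the second one, which
# turns the path into capture group 1. Escaped \( and \) are literal parentheses.
WHOLE_CALL = re.compile(r"File\(.*\)\.Write\(\)")
PATH_IN_GROUP = re.compile(r"File\((.*)\)\.Write\(\)")

# Generalized form (editor's addition): the method name is matched by a word
# group instead of the literal Write, so Read(), Write(), Close() all qualify.
PATH_AND_METHOD = re.compile(r"File\((.*)\)\.(\w+)\(\)")


def whole_match(pattern, payload):
    """Return the complete text a pattern matches (group 0), or None.

    Without a capture group this is all a property extraction can offer:
    the property value would be the entire File(...).Write() call.
    """
    m = pattern.search(payload)
    return m.group(0) if m else None


def extract_path(payload):
    """Return capture group 1 of PATH_IN_GROUP: the path alone."""
    m = PATH_IN_GROUP.search(payload)
    return m.group(1) if m else None


def extract_path_and_method(payload):
    """Return (path, method) from the generalized expression, or None."""
    m = PATH_AND_METHOD.search(payload)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for event in (SAMPLE_AIX_EVENT, SAMPLE_AIX_READ_EVENT):
        print("whole match :", whole_match(WHOLE_CALL, event))
        print("path (group):", extract_path(event))
        print("path, method:", extract_path_and_method(event))
```

Note that WHOLE_CALL and PATH_IN_GROUP both fail on the Read event, because the literal Write is part of the expression; only the generalized form still extracts the path.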


Task 2. Create a custom property


To create a custom property, perform the following steps:
1. In the PuTTY command line, type:
./sendWindows.sh

2. Let the script run for 10 minutes. While the script runs, return to the QRadar SIEM console.

3. In the QRadar SIEM console, click the Log Activity tab.

4. In the View list, select Real Time (streaming).

5. Add a filter named User Account Added:


a. In the Log Activity window, click Add Filter.

b. Select Category and Equals.

c. Add a filter for the high-level category Authentication and the low-level category User
Account Added.

6. In the Event Name column, look for the event, A user account was created.

7. Pause the stream and double-click any A user account was created event.

8. Click Extract Property.

9. Write a regular expression that captures the SAM Account Name.

Hint: EventID=4720.*?SAM Account Name:\s(.*?)\s{2}Display

10. The Windows 2003 events that represent account creation or activation are event IDs 624 and
626. Assume that the event format of the Windows 2003 events 624 and 626 is the same as that of
the 4720 event. How do you extend your regular expression to capture the Security ID in a 624
or 626 event?

Hint: EventID=(4720|624|625).*?SAM Account Name:\s(.*?)\s{2}Display. Notice that you had to
change the capture group.

11. In the RegEx field, type:


.*?Account\s(\w+)
12. What does this regular expression match?

_______________________________________________________________________

13. Modify the .*? to .*. Explain the purpose of the ? token.

_______________________________________________________________________

14. What does the {2} token, after the \s token, mean?

_______________________________________________________________________

15. Close the Custom Event Properties Definition window.

Hint: Use the following websites to build regular expression skills:


• http://www.gskinner.com/RegExr/

• http://www.regexplanet.com/advanced/java/index.html

• http://www.zytrax.com/tech/web/regex.htm
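The following Python script is an added example (not course code) that checks, on constructed Windows account-creation payloads, the three points steps 9 to 14 ask about: what the hint expression captures, what the ? in .*? changes, what \s{2} requires, and how the alternation over event IDs shifts the capture-group numbers. The payload layout is constructed for the example (labels end in a colon and one space, fields are separated by two spaces); the event IDs in the alternation are the ones named in step 10.

```python
import re


def windows_event(event_id, account, display_name):
    """Constructed Windows security event payload, not captured from the lab.

    Labels end in ':' and one space; neighbouring fields are separated by two
    spaces, which is the separator the hint's \\s{2} relies on.
    """
    return (
        f"AgentDevice=WindowsLog  AgentLogFile=Security  "
        f"Source=Microsoft-Windows-Security-Auditing  EventID={event_id}  "
        f"Message=A user account was created.  Subject:  "
        f"Security ID: S-1-5-21-1111-2222-3333-500  Account Name: Administrator  "
        f"New Account:  Security ID: S-1-5-21-1111-2222-3333-1105  "
        f"Account Name: {account}  Attributes:  SAM Account Name: {account}  "
        f"Display Name: {display_name}  User Principal Name: -"
    )


EVENT_4720 = windows_event("4720", "bad_person", "Bad Person")
EVENT_624 = windows_event("624", "svc_backup", "Backup Service")
# One payload that contains the label twice, to show how far .*? and .* reach.
TWO_EVENTS = EVENT_4720 + "  " + EVENT_624

# Hint from step 9: the lazy .*? stops at the first "SAM Account Name:".
LAZY = re.compile(r"EventID=4720.*?SAM Account Name:\s(.*?)\s{2}Display")
# The same expression with the ? removed (step 13): greedy .* runs as far as
# it can and backtracks only to the last "SAM Account Name:".
GREEDY = re.compile(r"EventID=4720.*SAM Account Name:\s(.*?)\s{2}Display")
# Alternation over event IDs (step 10): the parentheses around the IDs are
# group 1, so the account name moves to group 2.
MULTI_ID = re.compile(r"EventID=(4720|624|626).*?SAM Account Name:\s(.*?)\s{2}Display")


def sam_account_name(payload, pattern=LAZY):
    """Capture group 1 of the single-ID expression, or None if nothing matches."""
    m = pattern.search(payload)
    return m.group(1) if m else None


def event_id_and_account(payload):
    """(event ID, SAM account name) from the multi-ID expression, or None."""
    m = MULTI_ID.search(payload)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print("lazy   :", sam_account_name(TWO_EVENTS))
    print("greedy :", sam_account_name(TWO_EVENTS, GREEDY))
    # \s{2} demands two whitespace characters before Display: one is not enough.
    print("one space before Display:", sam_account_name(EVENT_4720.replace("  Display", " Display")))
    print("multi-ID:", event_id_and_account(EVENT_624))
```

The greedy variant only differs when the label occurs more than once in what the expression scans, but a custom property that silently captures the wrong account on such payloads is the kind of defect that surfaces later as a rule that never fires, so test both forms on realistic payloads before saving the property.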

Exercise 3. Create a universal DSM and map unknown events

Task 1. Add a log source extension


To add a log source extension, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Log Source Extensions.


The Log Source Extensions window opens.

3. Click Add.

4. Configure the custom log parser using the values in the following table.


Field / Option Setting


Name CustomLogParser
Description Custom Application
Use Condition Parsing Override
Upload Extension LSX_Template.xml
Note: LSX_Template.xml is located on the Windows desktop.

5. Verify that your configuration looks like the one in the following graphic.

6. Click Upload.

7. Click Save.

Task 2. Add a universal device support module (DSM) log source
To create a universal DSM, perform the following steps:
1. On the toolbar, click Log Sources.

2. Click Add.

3. Configure the universal DSM using the values in the following table.

Field / Option Setting


Log Source Name CustomLog
Log Source Description Custom Application
Log Source Type Universal DSM
Protocol Configuration Syslog
Log Source Identifier 10.0.120.12

Enabled Enable
Credibility 5
Target Event Collector default
Coalescing Events Disable
Incoming Payload Encoding UTF-8
Store Event Payload Enable
Log Source Language English
Log Source Extension CustomLogParser
Extension Use Condition Parsing Override

4. Verify that your configuration looks like the one in the following graphic.

5. Click Save.

6. Close the Log Sources window.

7. On the Admin tab, click Deploy Changes.

Task 3. Generate and view events


To generate and view events from the universal DSM, perform the following steps:
1. In the PuTTY command line, type:
./sendUDSM.sh

2. In the QRadar SIEM console, double-click the Log Activity tab.


3. From the Display list, select Raw Events.
4. From the View list, select View Real Time (streaming).


5. Pause the stream and double-click any event for the log source CustomLog.

6. Verify that the Username is N/A.

7. Click Map Event and verify that the Log Source Event ID is blank.

8. Stop the execution of the script: in the PuTTY command line, press CTRL+C.

9. Close the Log Source Event window.

Task 4. Create a log source extension document


A prepared LSX_UDSM.xml file is in the C:\coursefiles directory. Use the file to compare your
solution to the exercise or to simplify the exercise.

To create a log source extension document, perform the following steps:


1. Click Extract Property.
2. Create a single regular expression to capture the following values:
• Timestamp value of the event (DD/MM/YYYY:hh:mm:ss)

• Location value

• ID value

• Name value

• Entrance value

• Access value

• Direction value


Hint: (\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)

3. On the Windows desktop, make a copy of the LSX_Template.xml file.

4. Name the copy UDSM_LSX.xml.

5. Edit the UDSM_LSX.xml file and insert the regular expression created in Step 2 into the inner
square brackets of the EventName pattern:
<pattern id="EventName" xmlns=""><![CDATA[]]></pattern>

Hint: <pattern id="EventName" xmlns=""><![CDATA[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)]]></pattern>

6. Delete all other pattern ID lines and matcher field lines until the extension contains only the
pattern ID and matcher field lines shown in the following graphic:

7. Format the normalized fields as follows:


• EventName = "Access":Direction value:Access value

• DeviceTime = timestamp value

• UserName = Name value:ID value


• HostName = Entrance value

Create the appropriate capture groups for these fields.


Hint: EventName: pattern-id="EventName" capture-group="Access:\7:\6" enable-substitutions="true";
DeviceTime: pattern-id="EventName" capture-group="1" ext-date="dd/MMM/YYYY:hh:mm:ss";
UserName: pattern-id="EventName" capture-group="\4:\3" enable-substitutions="true";
HostName: pattern-id="EventName" capture-group="5"

8. Update and save the UDSM_LSX.xml file and upload it to the CustomLogParser log source
extension.

9. Click Save.
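To check the expression and the four matchers before uploading the extension, the following Python script is added here as an example; it is not part of the course files and it is not QRadar's parser, only a model of what the matchers do: a bare capture-group number selects that group, and with substitutions enabled the value is a template in which \N is replaced by group N. The log lines are constructed in the tab-separated layout the expression expects, not captured from sendUDSM.sh. One caveat on the date: the ext-date value in the hint is a Java-style date pattern, and in Java's SimpleDateFormat yyyy is the calendar year and HH the hour on a 24-hour clock, whereas YYYY and hh mean week-based year and 12-hour clock, so verify the DeviceTime the product shows rather than trusting the pattern; the Python equivalent below uses the 24-hour spelling.

```python
import re
from datetime import datetime

# Regular expression from the step 2 hint. Capture groups, numbered left to
# right: 1 timestamp, 2 Location, 3 ID, 4 Name, 5 Entrance, 6 Access, 7 Direction.
EVENT_NAME_PATTERN = re.compile(
    r"(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)"
    r"\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)"
)

# The four matchers from the step 7 hint: normalized field -> (capture-group
# value, substitutions enabled). "Access:\7:\6" expands to Access:In:Granted.
MATCHERS = {
    "EventName": ("Access:\\7:\\6", True),
    "DeviceTime": ("1", False),
    "UserName": ("\\4:\\3", True),
    "HostName": ("5", False),
}

# strptime spelling of the timestamp layout (day/abbreviated month/year, 24h clock).
DEVICE_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S"

# Constructed physical-access log lines; sample data, not lab output.
SAMPLE_LINES = [
    "24/Jan/2014:08:15:02\tLocation:HQ\tID:1001\tName:Jane Doe\tEntrance:Main Lobby\tAccess:Granted\tDirection:In",
    "24/Jan/2014:08:16:40\tLocation:HQ\tID:1002\tName:John Roe\tEntrance:Loading Dock\tAccess:Denied\tDirection:In",
    "24/Jan/2014:17:02:11\tLocation:HQ\tID:1001\tName:Jane Doe\tEntrance:Main Lobby\tAccess:Granted\tDirection:Out",
    "24/Jan/2014:17:05:00 heartbeat",   # no Location field: the pattern does not match
]


def normalize(line):
    """Apply the matchers to one raw line.

    Returns the normalized fields, or None when the EventName pattern does not
    match, which is the case in which the event stays unknown (as in Task 3).
    """
    m = EVENT_NAME_PATTERN.search(line)
    if m is None:
        return None
    fields = {}
    for name, (value, substitute) in MATCHERS.items():
        # expand() replaces \N with group N, mirroring enable-substitutions="true"
        fields[name] = m.expand(value) if substitute else m.group(int(value))
    fields["DeviceTime"] = datetime.strptime(fields["DeviceTime"], DEVICE_TIME_FORMAT)
    return fields


def log_source_event_ids(lines):
    """Distinct EventName values (the Log Source Event IDs that Task 6 maps to
    QIDs) and the number of lines that did not parse."""
    ids, unparsed = set(), 0
    for line in lines:
        fields = normalize(line)
        if fields is None:
            unparsed += 1
        else:
            ids.add(fields["EventName"])
    return sorted(ids), unparsed


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(log_source_event_ids(SAMPLE_LINES))
```

Running it on the sample lines yields exactly the three Log Source Event IDs listed in Task 5 (Access:In:Granted, Access:In:Denied, Access:Out:Granted) plus one unparsed line, which is the count you would expect to see left as unknown events in Log Activity.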

Task 5. Verify the log source extension document


To verify that the log source extension document correctly parses the events, perform the following
steps:
1. In the PuTTY command line, type:
./sendUDSM.sh

2. After 60 seconds, stop the execution of the script. In the PuTTY command line, press CTRL+C.

3. In the QRadar SIEM console, double-click the Log Activity tab.

4. View events from the CustomLog log source received in the last 5 minutes.
5. Double-click any event.

6. What is the value of the Username?

________________________________________________________________________

7. Click Map Event and confirm that the Log Source Event ID now contains one of the
following values:
• Access:In:Granted

• Access:In:Denied

• Access:Out:Granted

You created a log source extension document and a universal DSM that captures custom
events and uses the event identifier of the raw event to map it to a log source event ID. For this
exercise, the log file is a simplified physical access log.

Task 6. Create a QID and map events


To create a QID, perform the following steps:
1. In the PuTTY command line, type:
/opt/qradar/bin/qidmap_cli.sh -c --qname "Physical entry success" --qdescription "Exercise" --severity 5 --lowlevelcategoryid 4014

2. Verify that the output of the script looks like the one in the following graphic.


Note: The QID is 2000001.

To map the Log Source Event ID to an Event Name and appropriate HLC and LLC, perform the
following steps:

3. In the QRadar SIEM console, click the Log Activity tab.

4. Search for an event that is assigned the Access:In:Granted Log Source Event ID.
a. In the Quick Filter search field type: "Access\:Granted".

5. Double-click any event to view the event details.

6. Click Map Event.


a. In the QID/Name field type: 2000001.

b. Click Search.

7. To accept the choice, click OK.

Task 7. Generate and view events


To verify that the events are processed correctly, perform the following steps:
1. In the PuTTY command line, type:
./sendUDSM.sh

2. After 60 seconds, stop the execution of the script. In the PuTTY command line, press CTRL+C.
3. In the QRadar SIEM console, double-click the Log Activity tab.

4. In the View list, select View Real Time (streaming).

5. Verify that Physical entry success events appear as shown in the following graphic.

6. Create additional QIDs for the Access:In:Denied (use LLC=4015) and Access:Out:Granted (use
LLC=4014) log source event IDs and define appropriate qnames for each of these log source
event IDs.

Note: When applying the qidmap_cli.sh tool, choose lowlevelcategoryid 4014 or 4015. If
you have a list of LLC names and their LLC IDs, you can assign an event the low-level category that
best categorizes the event. Instead of creating new QID entries for log source event IDs, you can
reuse existing QIDs with QID names that end with the string Event CRE.

7. In the QRadar SIEM console, click the Assets tab.

8. Verify that new assets are created with names matching the entrance values found in the log
file and extracted by the UDSM_LSX.xml log source extension document. The asset name
looks like the ones shown in the following graphic.


Exercise 4. Create a list of LogSource Event IDs from the PostgreSQL dsmevent table
To create a list of log source event IDs from the PostgreSQL dsmevent table, perform the following
steps:
1. In the PuTTY command line, type:
psql -U qradar -o /tmp/Windows_supportedevents.txt -q

2. From the psql prompt, type:


select distinct (deviceeventid) from dsmevent where devicetypeid in (select
id from sensordevicetype where devicetypedescription = 'Microsoft Windows
Security Event Log') order by deviceeventid;

Hint: The SQL command must be typed as written. Pay attention to the spaces.

3. Type \q to exit the psql prompt.

4. Verify that the query results return eventid 624.


a. In the PuTTY command line, type:
grep -w 624 /tmp/Windows_supportedevents.txt

b. Verify that the grep command output looks like the one in the following graphic.

9 Using rules exercises

Exercise 1. Capture an RPC vulnerability exploit


This exercise reflects a simplified scenario of a worm attack similar to Conficker. The structure of
this attack is maintained, but the following regular request patterns from infected machines are
missing:
• DNS on UDP port 53

• HTTP on TCP port 80

Also look for HTTP on ports 1024-10000 from machines that are not approved to run web servers.

Task 1. Add a VA scanner


To add a vulnerability scanner, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.
2. Click VA Scanners.
3. Click Add.
4. Create a NESSUS scanner using the values in the following table.

Field / Option Setting


Scanner Name Nessus attack
Description Attack
Managed Host Default value
Type Nessus Scanner
Collection Type Scheduled Results Import
Remote Results Host Name 192.168.10.10
SSH Username root
SSH Password object00
Enable Key Authentication disable

Remote Results Directory /labfiles/attack
Remote Results File Pattern .*\.nessus
Results File Max. Age 7
CIDR Ranges 0.0.0.0/0

5. Click Save.
6. On the Admin tab, click Deploy Changes.

Task 2. Schedule a scan


To schedule a scan, perform the following steps:
1. In the PuTTY command line, type:
cd /labfiles/attack
touch *.nessus

2. In the VA Scanners window, select the VA scanner you just created and click Schedule.

3. Click Add.
4. Create a new schedule using the values in the following table.

Field / Option Setting


VA Scanner Nessus attack
Network CIDR 0.0.0.0/0
Priority Low
Ports 1-63553
Start Time <today’s date> <2 minutes from the current time>
Interval 0 Hours

5. Click Save.
6. Close the Scan Scheduling window.
7. Close the VA Scanners window.

Task 3. Add a log source


To add a log source, perform the following steps:
1. From the Admin tab, click Log Sources.
2. Click Add.
3. Add a new log source using the values in the following table.

Field / Option Setting


Log Source Name SNORT
Log Source Description Attack Log
Log Source Type Snort Open Source IDS
Log Source Identifier 192.168.10.11
Coalescing Events disable

4. Click Save.
5. On the Admin tab, click Deploy Changes.

Task 4. Create a rule and generate an offense


To create a rule and generate events, perform the following steps:
1. Create a flow rule similar to the one in the following graphic.


2. In the PuTTY command line, type:


cd /labfiles
./startAttack.sh
3. Check and analyze the offense.

Note: Allow 5 to 10 minutes for the creation of the offense.

10 Creating rules exercises
The exercises in this unit create rules that capture the following security scenario.
A domain administrator creates an account for a friend who needs temporary access to the lab
files on a Windows system. Normally, this friend is not allowed to access these files, and he tells
the administrator that he does not want to elevate the authorizations of his own account. They
agree that the administrator will create a temporary account with sufficient privileges. When the
administrator creates the account, the friend uses it to access files on the Windows system.
When he finishes, he informs the administrator. The administrator deletes the account quickly
because he knows that he is only allowed to create accounts when a change management
account creation ticket exists. The administrator’s actions violate the company security policy,
because the account he created was part of the privileged user groups that can access the files.
The administrator hopes nobody notices that an account with sufficient privileges accessed
sensitive files.

An offense that captures this security scenario is created from the following parts:
• Rules that detect the following activity:

  • A new user account

  • Access to sensitive data by the newly created account

  • Account deletion

• Rule combinations that correlate multiple rules

• Tasks that are performed to trigger the rules

Exercise 1. Write event rules


In this exercise, you write various rules and combine them.

Task 1. Write a rule to detect a new user account


To create a rule to detect a new user account, perform the following steps:
1. In the QRadar SIEM console, click Offenses > Rules.
2. From the Actions list, select New Event Rule.
3. Click Next twice.
4. To create an event rule, perform the following steps:
a. In the Apply field, type:
Exploit: Administrator social engineering account added

b. From the All Test Group, select the when an event matches any|all of the following
rules test.

c. For the rules testable object, select BB: CategoryDefinition: Superuser Accounts.

d. From the All Test Group, select the when the event category for the event is one of
the following categories test.

e. For the categories testable object, select Authentication.User Account Added.


5. Verify that your rule looks like the one in the following graphic.

a. Add the rule to the Exercises rule group.

b. In the Note field, type:


Administrator creates a user account in the Windows environment.
6. Click Next.
7. Configure the rule action and response using the values in the following table.


Field / Option Setting


Rule Action
Ensure the detected event is part of an offense enable
Index offense based on list Source IP
Annotate this offense • enable • Administrator creates an account
Annotate event • enable • Administrator creates an account
Rule Response
Add to a Reference Set enable
Property to add to reference set AccountName(custom)
Reference Set Name Newly created users

8. Verify that your configuration looks similar to the one in the following graphic.

9. Click Next.
10. Click Finish.


Task 2. Write a building block rule


To create a building block rule, perform the following steps:
1. To categorize the sensitive data, create the BB: CategoryDefinition: Sensitive data building
block.
a. From the Actions list, select New Event Rule.

b. Click Next twice.

c. From the All Test Group, select the when any of these properties match this regular
expression test.

d. For the these properties testable object, select EventID(custom).

Hint: If you do not see the EventID property in the list, go to Custom Event Properties and
review the configuration for EventID.

e. For the this regular expression testable object, type 560.

f. From the All Test Group, select the when the Event Payload contains this string test.

g. For the this string testable object, type labfiles.

Note: Optimize this building block for EventID 560. To test for the value 560, use the custom
property EventID along with the rule, when any of these properties match this regular expression.
Make sure to test for the EventID before you test the payload. The payload test is very expensive
on its own.

2. Verify that your configuration looks like the one in the following graphic.

3. Click Export as Building Block.


4. In the Building Block Name field, type:
BB: CategoryDefinition: Sensitive data
5. Click Save.

Note: When you click Export as Building Block, the rule is saved as a building block and the
rules wizard remains open for you to create another rule.

Task 3. Write a rule to detect Windows file access activity


To create a rule that captures Windows file access activity, perform the following steps:
1. In the Apply field, type:
Exploit: New user accesses sensitive data
a. From the All Test Group, select the when any of these event properties are contained in
any of these reference set(s) test:

b. For the these event properties testable object, select Username.

c. For the these reference set(s) testable object, select Newly created users.

d. From the All Test Group, select the when the event category for the event is one of the
following categories test.

e. For the categories testable object, select Access.

f. From the All Test Group, select the when an event matches any|all of the following rules
test.


g. For the rules testable object, select BB: CategoryDefinition: Sensitive data.
2. Verify that your rule looks like the one in the following graphic.

3. Add the rule to the rule group Exercises.


4. Click Next.
5. Configure the rule action using the values in the following table.

Field / Option Setting


Ensure the detected event is part of an offense enable
Index offense based on list Source IP
Annotate this offense • enable • Recently created account used to access sensitive data
Annotate event • enable • Recently created account used to access sensitive data

6. Verify that your rule action looks like the one in the following graphic.

7. Click Next.
8. Click Finish.

Task 4. Write a rule to detect deleted accounts


To create a rule that captures deleted accounts, perform the following steps:
1. To capture account deletion actions, perform the following steps:
a. From the Actions list, select New Event Rule.

b. Click Next twice.

c. In the Apply field, type:


Exploit: Administrator social engineering new account deleted

d. From the All Test Group, select the when an event matches any|all of the following rules
test.

e. For the rules testable object, select BB: CategoryDefinition: Superuser Accounts.

f. From the All Test Group, select the when the event category for the event is one of the
following categories test.

g. For the categories testable object, select Authentication.User Account Removed.

h. From the All Test Group, select the when any of these event properties are contained in
any of these reference set(s) test.

i. For the these event properties testable object, select Account Name(custom).

j. For the these reference set(s) testable object, select Newly created users.
2. Verify that your rule looks like the one in the following graphic.

3. Add the rule to the Exercises rule group.


4. Click Next.
5. Configure the rule action using the values in the following table.

Field / Option Setting


Rule Action
Ensure the detected event is part of an offense enable
Index offense based on list Source IP

Annotate this offense • enable • Administrator deletes newly created account.
Annotate event • enable • Administrator deletes newly created account.

6. Verify that your rule action looks like the one in the following graphic.

7. Click Next.
8. Click Finish.

Task 5. Write a rule that combines the rules


To combine the three rules that you created, perform the following steps:
1. From the Actions list, select New Event Rule.
a. Click Next twice.

b. In the Apply field, type:


Exploit: Social engineering used to access sensitive data

c. From the All Test group, select the when these rules match at least this many times
in this many minutes after these rules match test.

d. For the these rules testable object, select Exploit: Administrator social engineering new
account deleted.

e. For the this many testable object, type 1.

f. For the this many testable object, type 5.

g. For the minutes testable object, select day(s).

h. For the these rules testable object, select Exploit: Administrator social engineering
account added and Exploit: New user accesses sensitive data.

2. Verify that your rule looks like the one in the following graphic.

3. Add the rule to the Exercises rule group.


4. Click Next.
5. Configure the rule action using the values in the following table.

Field / Option Setting


Ensure the detected event is part of an offense enable
Index offense based on Source IP
Annotate this offense • enable • Account created then used to access sensitive data and then deleted.
Annotate event • enable • Account created then used to access sensitive data and then deleted.

6. Verify that your rule action looks like the one in the following graphic.

7. Click Next.
8. Click Finish.
You created a set of rules to capture the individual events that, in combination, trigger an
offense.


Exercise 2. Perform activities to trigger an offense
In this exercise, you trigger offenses.

Task 1. Create a user account in Active Directory


To create a user account in Active Directory, perform the following steps:
1. On the Windows system, log on as the Administrator user and create a new user account in
Active Directory with the properties shown in the following table.

Field / Option Setting


First name Bad
Last name Person
User logon name bad_person
Password object00
User must change password at next log on Disable
User cannot change password Enable
Password never expires Enable
Account is disabled Disable

Hint: For detailed steps to create a user in Active Directory, see Task 3, "Create a user account
in Active Directory," on page 37.

Assign the user account to the Domain Admins group

2. Assign the bad_person user account to the Domain Admins group.


a. Right-click bad_person and select Add to a group.

b. In the Enter the object name to select field, type Domain Admins and click Check Names.

c. Click OK.
3. Log out of the Windows system as the Administrator user.


Task 2. Access a file as user bad_person and delete the user account
To perform the activities to trigger an offense, perform the following steps:
1. Log on to the Windows system as the bad_person user.
2. Open Windows Explorer.

3. Navigate to the C:\labfiles\Finance directory.


4. Modify the salary.txt file.
5. Log out of the Windows system as the bad_person user.
6. Log on to the Windows system as the Administrator user and delete the bad_person user
account.

Task 3. Verify that an offense is created


To verify that the activities you performed create an offense, perform the following steps:
1. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page viii.
2. In the QRadar SIEM console, click the Log Activity tab.
3. Confirm that the User Account Deleted event triggers an offense.
The red icon in the first column denotes that the event triggered an offense.

Note: It takes some time for offenses to appear in the Log Activity tab. Make sure you give the
system enough time to update the reference set with the newly created user account. Otherwise
the system will not find the account in the reference set.

11 Managing false positives exercises

Exercise 1. Manage excessive false positives


The rule created in “Write a rule that combines the rules” on page 98 leads to false positives
because its test is satisfied by a match of only one of the Exploit: Administrator social engineering
account added or Exploit: New user accesses sensitive data rules.

To reduce the number of false positives, modify the Exploit: Administrator social engineering used
to access sensitive data rule so that an offense is triggered only when both the Exploit: Administrator
social engineering account added and Exploit: New user accesses sensitive data rules match.

To modify the rule, perform the following steps:


1. In the QRadar SIEM console, click the Offenses tab.
2. Click Rules.

3. Edit the Exploit: Administrator social engineering used to access sensitive data rule.
a. Delete the single test.
b. Add the when all of these rules, in|in any order, from the same|any source IP
to the same|any destination IP, over this many seconds test.

c. Modify the testable object to reflect the rules that should fire in the right order at least one
time in 24 hours.

d. Verify your rule looks like the one in the graphic.

e. Save the rule.


4. Change the time to live of elements in the Newly created users reference set, as shown in the
following steps:
a. In the QRadar SIEM console, click the Admin tab.

b. Click Reference Set Management.


c. Select the Newly created users reference set and click Edit.

d. Change the Time to Live of elements to 1 day Since first seen.
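The effect of this change, shown as an added example (Python, not part of the IBM course materials) that replays constructed events through the old "either rule" test and the corrected "both rules, in order, within 24 hours" test. It assumes that the account added rule populates the Newly created users reference set and that the access rule checks it, as the note in the previous chapter implies, and it correlates on username only.

```python
# Added example, not from the IBM course: the false-positive fix from Exercise 1
# as a simulation. Before the fix an offense fired when EITHER child rule matched;
# after it, both must match for the same user, in order, within the window.
from dataclasses import dataclass

WINDOW_SECONDS = 24 * 60 * 60        # "at least one time in 24 hours"
NEW_USER_TTL_SECONDS = 24 * 60 * 60  # reference set TTL: 1 day since first seen
ACCOUNT_ADDED = "Exploit: Administrator social engineering account added"
SENSITIVE_ACCESS = "Exploit: New user accesses sensitive data"

@dataclass
class Event:
    ts: int        # seconds since epoch (constructed values)
    rule: str      # child rule the event matched
    username: str

class NewlyCreatedUsers:
    """'Newly created users' reference set with TTL counted from FIRST seen."""
    def __init__(self, ttl):
        self.ttl, self.first_seen = ttl, {}
    def add(self, user, now):
        self.first_seen.setdefault(user, now)  # re-adding does not extend TTL
    def contains(self, user, now):
        t0 = self.first_seen.get(user)
        return t0 is not None and now - t0 < self.ttl

def either_rule_offenses(events):
    """Original test: an event matching either child rule raises an offense."""
    return [(e.ts, e.username) for e in events
            if e.rule in (ACCOUNT_ADDED, SENSITIVE_ACCESS)]

def ordered_offenses(events, window=WINDOW_SECONDS, ttl=NEW_USER_TTL_SECONDS):
    """Corrected test: account added, THEN sensitive access by that user within
    the window while the user is still in the reference set. Correlates on
    username; the course rule can also bind source and destination IP."""
    ref, added_at, offenses = NewlyCreatedUsers(ttl), {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.rule == ACCOUNT_ADDED:
            ref.add(e.username, e.ts)
            added_at.setdefault(e.username, e.ts)
        elif e.rule == SENSITIVE_ACCESS:
            t0 = added_at.get(e.username)
            if t0 is not None and e.ts - t0 <= window and ref.contains(e.username, e.ts):
                offenses.append((e.ts, e.username))
    return offenses

# Constructed sample: bad_person is created, then reads salary.txt an hour later;
# old_timer reads sensitive data but was never added (noise before the fix);
# bad_person reads again three days later, after the reference set TTL expired.
SAMPLE = [
    Event(1000, ACCOUNT_ADDED, "bad_person"),
    Event(4600, SENSITIVE_ACCESS, "bad_person"),
    Event(5000, SENSITIVE_ACCESS, "old_timer"),
    Event(1000 + 3 * 86400, SENSITIVE_ACCESS, "bad_person"),
]
```

With the sample, the old test raises four offenses and the corrected test raises one, for bad_person at the access an hour after creation.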

12 Using Reference Maps in rules
exercises
These exercises illustrate how to implement reference maps. You will walk through the following
exercises:
• Create reference maps

• Create a custom rule

• Create different searches

• Create an anomaly detection (ADE) rule

• Test the ADE rule

• Refine the ADE rule

• Test the refined ADE rule

Note: Before you begin this exercise, install the WinCollect agent on the Windows VM. Refer to
the exercise “Create an authentication token” on page 63.

Exercise 1. Create reference maps


To create reference maps, perform the following steps:
1. Copy the SampleRefSet.txt file located in the C:\Documents and
Settings\Administrator\Desktop directory to the /tmp directory on the QRadar SIEM server.

Note: For detailed instructions about copying the file using FileZilla, refer to “Use Filezilla to copy
a file to the QRadar SIEM server” on page 72.


2. Log in to the QRadar SIEM server. Use the procedure “Logging in to the QRadar SIEM server
VM” on page vii.
3. To create the reference map of sets, in the PuTTY command line, type:
cd /opt/qradar/bin
./ReferenceDataUtil.sh create PrivilegedAccess MAPofSETS

4. To populate the reference map of sets with records, in the PuTTY command line, type:
./ReferenceDataUtil.sh load PrivilegedAccess /tmp/SampleRefSet.txt
5. To check the contents, in the PuTTY command line, type:
./ReferenceDataUtil.sh list PrivilegedAccess displayContents
6. Verify that the contents of the reference map of sets look like the contents in the following
graphic.

Exercise 2. Create a custom rule


To create a custom rule, perform the following steps:
1. In the QRadar SIEM console, click the Offenses tab.

2. Click Rules.

3. From the Actions list, click New Event Rule.

4. Click Next twice.


5. In the Apply field, type:
DEMO: Granted privileged access to sensitive data
6. From the All Test Group, select the when any of these event properties is the key and
any of these event properties is the value in any of these reference map of sets
test.
7. For the first these event properties testable object, select Username.
8. For the second these event properties testable object, select ObjectName(custom).

9. For the these reference map of sets testable object, select PrivilegedAccess.
10. Add the rule to the Exercises group.
11. In the Note field, type:
This rule is used to monitor privileged access to sensitive data.
12. Verify that your rule looks like the one in the following graphic.

13. Do not configure an action or response.

14. Click Finish.


Exercise 3. Create a search


To create a search, perform the following steps:
1. In the QRadar SIEM console, double-click the Log Activity tab.

2. Add the Custom Rule Partial or Full Matched Equals DEMO: Granted privileged access to
sensitive data filter:
a. Click Add Filter on the toolbar.

b. In the first list, select the Custom Rule Partial or Full Matched search parameter.

c. From the second list, select Equals.

d. From the Rule Group list, select Exercises.

e. From the Rule list, select DEMO: Granted privileged access to sensitive data.

f. Verify that your filter looks like the one in the following graphic.

g. Click Add Filter.


3. Edit the search and format the columns in the search results. Group the search results by
Username. Include ObjectName(custom) in the search results. Order the search results by
Count in descending order.
4. Verify that the Column Definition looks like the ones in the following graphic.


5. Save the search criteria.

You can create a search instead of using a custom rule. While this is not necessary in a production
environment, it demonstrates that you can get the same results with a search that you get when
you create a rule.

To create a second search, perform the following steps:


6. Add the Reference Map of Sets Exists in any of Reference Map of Sets filter:
a. Click Add Filter on the toolbar.

b. In the first list, select the Reference Map of Sets search parameter.

c. From the Data Entry as the key list, select Username.

d. From the Data Entry as the value list, select ObjectName(custom).

e. From the Reference Maps of Sets list, select PrivilegedAccess.

f. Click the plus sign to add the filter.

g. Verify that your filter looks like the one in the following graphic.

h. Click Add Filter.


7. Edit the search and do the following:


a. Set the Time Range to the last 7 days.

b. Format the columns in the search results. Group the search results by Username. Include
ObjectName(custom) in the search results. Order the search results by Count in
descending order.

8. Click Filter and wait for the results to display.


9. Configure the search to accumulate data:
a. Select the Top 10 Username Results By Count graph and click the configure icon.

b. From the Chart Type list, select Time Series.

c. Select the Capture Time Series Data check box.

d. Verify that your configuration looks like the one in the following graphic.

10. Click Save.


11. Name the search Privileged User Monitoring Access.
12. Assign the Search to the Report Group(s) Authentication, Identity and User Activity.

Exercise 4. Create an ADE rule


To create an ADE rule that uses the accumulated data generated by either of the two searches you
defined, perform the following steps:
1. In the Log Activity tab, click Rules > Add Behavioral Rule.

2. Click Next twice.


3. Configure the behavioral rule.
a. In the Apply field, type:
DEMO: ADR Privileged Access

b. For the this accumulated property testable object, select Count(Count).


4. Verify that your rule looks like the one in the following graphic.

5. Click Next.
6. Click Finish.

Exercise 5. Test the ADE rule


1. To test this rule, verify that Exercise 7, "Collecting Windows log records exercises," on
page 63 is complete.
2. Edit the FSPDC log source and disable coalescing events.
3. Create a user account in Active Directory using the values in the following table.

Field / Option                               Setting
First name                                   Al
Last name                                    Bundy
User log on name                             AlBundy
Password                                     object00
User must change password at next log on     Disable
User cannot change password                  Enable
Password never expires                       Enable

Hint: Refer to Task 3, "Create a user account in Active Directory," on page 37 for detailed steps
to create a user account in Active Directory.


4. Add the AlBundy user account to the Domain Admins group.

Hint: Refer to “Assign the user account to the Domain Admins group” on page 101 for detailed
steps to add a user account to the Domain Admins group.

To generate events, complete the following steps:


5. Log out of the Windows VM as the Administrator user.
6. Log on to the Windows VM as the AlBundy user.
7. Follow these steps to run the AlBundysLoop.bat script:
a. Launch Windows Explorer and navigate to the C:\Documents and
Settings\Administrator\Desktop directory.

b. Double-click the AlBundysLoop.bat file.


8. Log in to the QRadar SIEM console.
a. On the Windows VM desktop, open the Firefox web browser.

b. In the url field, type https://192.168.10.10/console.

c. Log in to the QRadar SIEM console with the following credentials:


• User name: admin

• Password: object00

9. In the QRadar SIEM console, click the Log Activity tab.


10. From the View list, select Real Time (Streaming). Verify that events appear.

11. When the events appear, apply the finance Quick Filter.

12. From the View list, select Last 5 minutes. Verify that the list contains Object Opened
Successfully events.

13. Open the event detail for any event and verify that the event triggered the DEMO: Granted
privileged access to sensitive data rule.

Note: In a production environment, let the script and QRadar SIEM run for at least 24 hours. The
next day, run additional instances (three extra are sufficient) of the same script simultaneously
using the AlBundy account. The following day, verify that the behavioral rule ran.

This concludes the setup of the ADE rule, but follow these steps to finish the exercise:
14. Stop the execution of the AlBundysLoop.bat script by pressing CTRL+C.
15. Log out of the Windows VM as the AlBundy user.

Exercise 6. Refine the ADE rule


When new sensitive data is created, company security policies require that the file is monitored for
privileged users' access. Assuming that the user who accesses the data is by default a privileged
user, you can configure a rule to monitor who accesses the sensitive data. To configure this type of
rule, perform the following steps:
1. Log on to the Windows VM as the Administrator user.
2. Log on to the QRadar SIEM console by using the procedure “Logging in to the QRadar SIEM
console” on page viii.
3. In the QRadar SIEM console, click the Offenses tab.
4. From the navigation menu, click Rules.

5. From the Actions list, click New Event Rule.

6. Click Next twice.


7. To create a building block, perform the following steps:


a. From the All Test Group, select the when any of these properties match this regular
expression test.

b. For the these properties testable object, select ObjectName (custom).

c. For the this regular expression testable object, type:


C:\\labfiles\\.*?\\.*

d. In the Note field, type:


This Building Block is reserved to classify the datasets that are
considered sensitive.
8. Verify that your rule looks like the one in the following graphic.

9. Export this rule as a building block and name it DEMO: BB: Sensitive data sets.

10. To create another event rule, perform the following steps:


a. In the Apply field, type:
DEMO: Rule to add new records to the Privileged access reference map of sets

b. From the All Test Group, select the when an event matches any|all of the following
rules test.

c. For the any/all testable object, select all.

d. For the rules testable object, select DEMO: BB: Sensitive data sets.

e. From All Test Group, select the when the event QID is one of the following QIDs
test.

f. For the QID testable object, select 5000026.

Hint: In the Browse or search for QID window, type 5000026 in the QID/Name field and click
Search.

g. Assign the rule to the Exercises group.

h. In the Notes field, type:


This rule when triggered adds the username and objectname to the Privileged
Access reference maps of sets.

11. Verify that your rule looks like the one in the following graphic.

12. Click Next.


13. Configure the rule response using the values in the following table.

Field / Option                         Setting
Rule Response
Add to Reference Data                  enable
Add to a Reference Map of Sets         enable
Property to define as the key          Username
Property to define as the value        ObjectName(custom)
Reference Map of Sets                  PrivilegedAccess

14. Verify that your rule response looks like the one in the following graphic.

15. Click Finish.

Exercise 7. Test the refined ADE rule


Testing the updated ADE rules requires that you access a file in the C:\labfiles directory. The ADE
rules detect when a user accesses a file in the C:\labfiles directory and add a record that contains
the user name and the name of the accessed file to the PrivilegedAccess reference map of sets. You
will create the Backdoors.txt file in the C:\labfiles\Development directory to test the ADE rules. The
Backdoors.txt file can be an empty file because an event is created when the file is opened.

To test the refined ADE rule, perform the following steps:


1. In the QRadar SIEM console, click the Log Activity tab.
2. From the View list, select Real Time (Streaming).
3. In the Quick Filter search field, type Backdoors*
4. Create a file named Backdoors.txt in the C:\labfiles\Development directory.
5. Open and close the Backdoors.txt file several times.
6. In the Log Activity tab, verify that Object Opened Successfully events are displayed.
7. Double-click any of the Object Opened Successfully events and view the event detail.

8. Verify that the ObjectName(custom) property value is C:\labfiles\development\Backdoors.txt.

9. Verify that the event triggered the DEMO: Rule to add new records to the Privileged access
reference map of sets rule.

10. Log on to the QRadar SIEM server by using the procedure “Logging in to the QRadar SIEM
server VM” on page vii.
11. In the PuTTY command line, type:
cd /opt/qradar/bin
./ReferenceDataUtil.sh list PrivilegedAccess displayContents
12. Verify that your output looks similar to the one in the following graphic.


You created a mechanism that automatically adds new privileged access records to the reference map
of sets. The behavioral rule uses the reference map of sets to check for suspicious privileged
access patterns.
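The learning loop that Exercises 2, 6 and 7 build, simulated in Python as an added example that is not part of the IBM course materials: the building block's regular expression, the feeder rule that populates the PrivilegedAccess reference map of sets, and the detection rule that reads it. MapOfSets, process, run_sample and the sample events are constructed here, and the order in which the two rules see the same event is an assumption stated in the code.

```python
# Added example, not from the IBM course: the learning loop built in Exercises 2, 6
# and 7. The feeder rule records Username -> ObjectName in the PrivilegedAccess map
# of sets when a sensitive file is opened; the detection rule fires when that pair
# is already in the map; the per-user count is what the ADE rule later baselines.
import re
from collections import defaultdict

# Regular expression from the DEMO: BB: Sensitive data sets building block. Java and
# Python agree on it; note it needs at least one sub-directory under C:\labfiles.
SENSITIVE_RE = re.compile(r"C:\\labfiles\\.*?\\.*")
FEEDER_QID = 5000026  # QID selected in Exercise 6 (Object Opened Successfully in Exercise 7)

def is_sensitive(object_name):
    return SENSITIVE_RE.search(object_name) is not None

class MapOfSets:
    """Minimal model of a QRadar reference map of sets: key -> set of values."""
    def __init__(self):
        self.data = defaultdict(set)
    def add(self, key, value):
        self.data[key].add(value)
    def contains(self, key, value):
        return value in self.data.get(key, set())
    def list_contents(self):  # what ReferenceDataUtil.sh list ... displayContents shows
        return {k: sorted(v) for k, v in self.data.items()}

def process(events, ref_map):
    """Run both rules over constructed events (dicts with qid, Username, ObjectName).
    Assumption: the detection test sees the map as it was before the same event's
    feeder response runs, so a user's first access seeds the map and later ones match."""
    detected, count = [], defaultdict(int)
    for ev in events:
        user, obj = ev["Username"], ev["ObjectName"]
        if ref_map.contains(user, obj):                     # DEMO: Granted privileged access ...
            detected.append((user, obj))
            count[user] += 1
        if ev["qid"] == FEEDER_QID and is_sensitive(obj):   # DEMO: Rule to add new records ...
            ref_map.add(user, obj)
    return detected, dict(count)

BACKDOORS = r"C:\labfiles\Development\Backdoors.txt"
SAMPLE_EVENTS = [  # constructed; mirrors AlBundy opening the file repeatedly
    {"qid": FEEDER_QID, "Username": "AlBundy", "ObjectName": BACKDOORS},
    {"qid": FEEDER_QID, "Username": "AlBundy", "ObjectName": BACKDOORS},
    {"qid": FEEDER_QID, "Username": "AlBundy", "ObjectName": BACKDOORS},
    {"qid": FEEDER_QID, "Username": "AlBundy", "ObjectName": r"C:\labfiles\readme.txt"},
    {"qid": FEEDER_QID, "Username": "bad_person", "ObjectName": r"C:\labfiles\Finance\salary.txt"},
]

def run_sample():
    """Replay SAMPLE_EVENTS against an empty map; return detections, counts, map contents."""
    m = MapOfSets()
    detected, count = process(SAMPLE_EVENTS, m)
    return detected, count, m.list_contents()
```

The first open of Backdoors.txt only seeds the map; the next two are detected and counted, while readme.txt sits directly under C:\labfiles and never matches the building block.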

More about IBM Security Systems

You can find the latest information about IBM Security Systems education offerings online at the following
location:
www.ibm.com/training

Security user groups


You can get even more out of Security software by participating in one of the 91 independently run Security
user groups around the world. Learn about online and in-person user group opportunities near you at
www.tivoli-ug.org/up/global/#sec.

Certification
All IBM certifications are based on job roles. They focus on a job a person must do with a product, not just
the product’s features and functions. Online certification paths are available to guide you through the
process for achieving certification in many IBM Security areas. See ibm.com/training for more information
about certification.
