January 2014
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the
web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the
U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or
implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without
notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other
materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations
from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software.
References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion
based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth, savings or other results.
iv IBM Security QRadar SIEM 7.2 Administration and Configuration © Copyright IBM Corp. 2014
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
About these exercises
Virtual machines
The lab environment uses two virtual machines. They are:
• QRadar SIEM server - a virtual machine running IBM Security QRadar SIEM 7.2 licensed
program running on Red Hat Enterprise Linux server 6.3 licensed program.
• Windows DC - a virtual machine running Microsoft Windows 2003 Enterprise Server x64 Edition
Service Pack 1 licensed program with PuTTY licensed program and Mozilla Firefox licensed
program used to access the QRadar SIEM virtual machine.
• Password: object00
Note: On a Windows VM, the key combination Ctrl+Alt+Ins is the same as Ctrl+Alt+Del.
• Password: object00
Note: The credentials to log in to the QRadar SIEM console are user name admin and
password object00.
FileZilla login credentials
To launch the FileZilla application, perform the following steps:
1. On the Windows VM desktop, double-click the FileZilla icon.
2. Use the following credentials to establish a FileZilla session with the QRadar SIEM server:
• Host: 192.168.10.10
• Username: root
• Password: object00
• Port: 22
3. Verify that your credentials look like the ones in the following graphic.
4. Press Enter.
1 Using administration tools exercises
4. Click OK to open the adminconsole.cgi window with the Java(TM) Web Start Launcher.
Exercise 2. Configure the deployment editor
8. Click Advanced.
Hint: Select the parameter name. The parameter’s explanation displays at the bottom of the
window.
3. Use context-sensitive help to explain the difference between the two options.
Note: Click the small question mark located at the top right of the window to get
context-sensitive help.
Exercise 4. Set up auto updates and context-sensitive help
Hard Clean:
3. Click Advanced.
6. Click Basic.
Note: QRadar SIEM releases DSM and protocol updates weekly, on Monday. Remote network
configuration and X-Force IP reputation updates are also in the weekly updates.
8. Use context-sensitive help to view the instructions to configure a QRadar SIEM update server,
as described in the following steps.
a. Click the context sensitive help icon.
b. On the navigation menu, click Setting up QRadar SIEM > Setting up a QRadar SIEM
update server.
Hint: In a production environment, this topic is necessary if the QRadar SIEM console is unable
to access the Internet.
2 Creating the network hierarchy exercises
6. Click OK.
Note: The Color and Database Length fields are no longer used, but are still shown in the user
interface, so you must enter a value.
8. Verify that your network object parameters look similar to the ones in the following graphic.
9. Click Save.
Exercise 1. Set up network hierarchy objects
11. Verify that the Ireland network hierarchy object is under the group Europe and subgroup Sales.
12. Create three additional network objects using the values in the following table.
13. Verify that the new groups and objects are in the network hierarchy and look similar to the ones
in the following graphic.
Note: It may take QRadar SIEM a few minutes to deploy the changes.
3 Updated administration tools exercises
5. Click VA Scanners.
The VA Scanners window opens.
7. Add the new scanner using the values in the following table.
8. Verify that the configuration looks like the one in the following graphic.
9. Click Save.
Exercise 1. Import data from a third-party scanner
Task 2. Update scan results file modification date
The Nessus scanner is configured to retrieve results from a scan performed during the last 7 days.
The Nessus result files are stored in the /labfiles/VIS directory on the QRadar SIEM server.
Because these files have a modification date older than 7 days, you must update the modification
date of these files to import the scan results.
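The task above states the goal, but the steps for updating the files are not on this page. The following Python is an added example and is not part of the IBM course material: it finds result files older than the scanner's 7-day window and resets their modification time the way touch would, then shows that nothing is stale afterwards. The file names, their placeholder contents and the temporary directory used by demo() are constructed for the example; on the lab server the equivalent call is refresh_mtime("/labfiles/VIS"), run as root.

```python
import os
import time
import tempfile
from pathlib import Path

SEVEN_DAYS = 7 * 24 * 60 * 60  # the scan schedule's 7-day window, in seconds


def stale_files(directory, max_age=SEVEN_DAYS, now=None):
    """Regular files directly under directory whose mtime is older than max_age seconds."""
    now = time.time() if now is None else now
    return [p for p in sorted(Path(directory).iterdir())
            if p.is_file() and now - p.stat().st_mtime > max_age]


def refresh_mtime(directory, max_age=SEVEN_DAYS, now=None):
    """Set atime and mtime of each stale file to now (what `touch` does); return the files touched."""
    now = time.time() if now is None else now
    touched = stale_files(directory, max_age, now)
    for p in touched:
        os.utime(p, (now, now))
    return touched


def demo():
    """Constructed scenario in a temporary directory: one result file 30 days old, one fresh."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        old = Path(d, "scan_old.nessus")
        new = Path(d, "scan_new.nessus")
        for p in (old, new):
            p.write_text("<NessusClientData_v2/>")  # placeholder body, not a real report
        month_ago = now - 30 * 24 * 60 * 60
        os.utime(old, (month_ago, month_ago))      # backdate the first file
        before = [p.name for p in stale_files(d, now=now)]
        touched = [p.name for p in refresh_mtime(d, now=now)]
        after = [p.name for p in stale_files(d, now=now)]
    return {"before": before, "touched": touched, "after": after}


if __name__ == "__main__":
    # On the lab server the equivalent call would be refresh_mtime("/labfiles/VIS").
    print(demo())
```

The check that matters to the import is the `after` list: once it is empty, every file in the directory falls inside the window the scanner schedule looks at.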
2. Click Add.
4. Verify that the configuration looks similar to the one in the following graphic.
5. Click Save.
6. Wait two minutes and verify that the schedule’s Status changes to Complete.
To verify that assets with vulnerabilities appear on the Assets tab, perform the following steps:
Exercise 2. Manage assets
Important: This exercise requires that you complete the Exercise 1, "Import data from a
third-party scanner," on page 11.
7. Click Search.
The flow search results show all the applications identified in the flow information captured for
this IP address.
2. Note the HWaddr (MAC address) for each IP address. Verify that the output of the ifconfig
command looks similar to the output in the following graphic.
4. In the MAC & IP Address pane, select Unknown NIC and click Edit.
5. Change the MAC to the hardware address highlighted in the graphic for Step 2 (Hwaddr for
eth0) and click OK.
6. Click New MAC Address and type the second hardware address highlighted in the graphic for
Step 2 (Hwaddr for eth1) and click Add.
7. Select the new MAC address that you entered for eth1 and click New IP Address.
8. Type the IP address for eth1 as shown in the graphic for Step 2 then click Add.
9. Verify that your configuration looks similar to the one in the following graphic.
Note: Make sure that the MAC address and IP address for your configuration match the output
of the ifconfig command information for your system. This information is likely to be similar to the
graphic shown in Step 2.
Task 3. Edit an asset name and operating system
To edit an asset DNS name, and operating system, perform the following steps:
1. Expand the Names & Description pane.
2. In the DNS Name field, type COE.ibm.com and click Add.
5. Expand the Operating System pane and select the following options:
6. Click Add.
9. Verify that your asset profile looks similar to the one in the following graphic.
3. Click Search.
4. Verify that your search results look similar to the results in the following graphic.
The system searches the asset datastore and finds asset profiles with vulnerabilities on port 445.
Exercise 3. Create a reference set
Note: The default reference sets provided by QRadar SIEM have no elements.
3. Click Add.
5. Verify that your configuration looks like the one in the following graphic.
6. Click Create.
4. Click Import.
6. Select the HR files.txt file on the Windows desktop and click Open.
7. Click Import.
The import adds the content of the text file to the reference set.
8. Verify that your HR Data reference set content looks like the content in the following graphic.
Exercise 5. Use a reference set in rules
2. Create the reference set using the values in the following table.
3. Click Create.
4. On the Windows desktop, create another text file with the following lines, each terminated by a
new line character:
a. PeggyBundy
b. Marcyd’Arcy
c. KellyBundy
7. Click Import.
9. Select the Surveillance.txt file on the Windows desktop and click Open.
11. While looking at the elements in the High Surveillance reference set, click the Refresh icon
several times for approximately one minute.
b. Click Add.
14. Close the Reference Set Editor and the Reference Set Management windows.
2. Click Rules.
3. From the Group list, select Exercises.
5. In the Rule Wizard window, click Next until you see the Rule Wizard - Rule Response window.
6. In the Rule Wizard - Rule Response window, change the IT Admins-AlphaNumeric reference
set to High Surveillance - AlphaNumeric (Ignore Case).
7. Click Finish.
8. Double-click the DEMO:Accounts under Surveillance rule.
9. In the Rule Editor - Rule Test Stack Editor window, change the IT Admins testable object to High
Surveillance - AlphaNumeric (Ignore Case) by performing the following steps:
a. Select the IT Admins testable object.
d. Click Submit.
10. Verify that your rule looks like the one in the following graphic.
Note: You modified two sample rules to use the High Surveillance reference set. The first rule
adds any account that is locked out to the reference set, while the second rule generates a new
event with the EventName User Surveillance Event whenever one of the listed users generates
activity.
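An added example, not taken from the course, that models the two demo rules described in the note above with a small case-insensitive reference set. It shows why the AlphaNumeric (Ignore Case) element type matters when one log source reports an account as kellybundy and another as KellyBundy. The Surveillance.txt content, the event records and the order in which the two rules are evaluated on each event are constructed for the example; QRadar's rule engine evaluates rules independently and the dictionary keys here are not its internal field names.

```python
from dataclasses import dataclass, field


@dataclass
class ReferenceSet:
    """A QRadar-style AlphaNumeric reference set; ignore_case models the
    'AlphaNumeric (Ignore Case)' element type chosen in the exercise."""
    name: str
    ignore_case: bool = True
    elements: set = field(default_factory=set)

    def _key(self, value):
        value = value.strip()
        return value.casefold() if self.ignore_case else value

    def add(self, value):
        self.elements.add(self._key(value))

    def __contains__(self, value):
        return self._key(value) in self.elements

    def import_text(self, text):
        """Import one element per line, as the Reference Set Editor's Import does."""
        for line in text.splitlines():
            if line.strip():
                self.add(line)
        return len(self.elements)


# Constructed stand-in for the Surveillance.txt file created on the Windows desktop.
SURVEILLANCE_TXT = "PeggyBundy\nMarcyd'Arcy\nKellyBundy\n"


def rule_add_locked_out(event, ref_set):
    """First demo rule: a lockout adds the account to the reference set."""
    if event["name"] == "User Account Locked Out":
        ref_set.add(event["user"])
        return True
    return False


def rule_user_surveillance(event, ref_set):
    """Second demo rule: activity by a listed user generates a new event."""
    if event["user"] in ref_set:
        return {"name": "User Surveillance Event", "user": event["user"],
                "source_event": event["name"]}
    return None


def run_rules(events, ref_set):
    """Evaluate both rules on each event in order; return the generated surveillance events."""
    generated = []
    for ev in events:
        # The surveillance test runs before the lockout rule adds the user, so the
        # lockout itself is flagged only if the account was already in the set.
        hit = rule_user_surveillance(ev, ref_set)
        rule_add_locked_out(ev, ref_set)
        if hit:
            generated.append(hit)
    return generated


SAMPLE_EVENTS = [  # constructed events, not lab captures
    {"name": "Success Audit: Logon", "user": "kellybundy"},   # listed, different case
    {"name": "User Account Locked Out", "user": "AlBundy"},   # added by the first rule
    {"name": "Success Audit: Logon", "user": "BudBundy"},     # never listed
    {"name": "Success Audit: Logon", "user": "AlBundy"},      # now listed, so flagged
]


def demo():
    rs = ReferenceSet("High Surveillance")
    rs.import_text(SURVEILLANCE_TXT)
    return rs, run_rules(SAMPLE_EVENTS, rs)


if __name__ == "__main__":
    rs, hits = demo()
    print(sorted(rs.elements))
    for h in hits:
        print(h)
```

With ignore_case set to False the first logon would not match and only AlBundy's later logon would be flagged, which is the behaviour you would get from a plain AlphaNumeric set.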
5. Click References.
6. List the rule that is configured to add elements to the reference set.
Hint: When browsing for the user surveillance event to include in the filter, in the Event Browser
window in the QID/Name field, type User Surveillance Event.
3. In the List of Events window, double-click the User Account Locked Out event.
These events are also in the System Monitoring dashboard under System Notifications. If time
permits, examine these events and explain which rule sends these events to the System Monitoring
dashboard. (Check the responses defined for the demo rules that were triggered by these events.)
Another application of this functionality is to monitor the actions of employees leaving the company.
To restrict events monitored for these employees, add another test to the DEMO: Accounts under
Surveillance rule and test for user accounts that access files listed in the sensitive data reference
set.
3. Verify that some indexed properties have data written values by sorting the Data Written
column in descending order.
Note: Management information for the indexed property updates every hour.
5. Click Save.
Exercise 6. Manage the index
4. Click Search.
5. Verify that your search results look similar to the results in the following graphic.
8. Verify that your configuration looks like the one in the following graphic.
To view the data for the indexed property used in the search, perform the following steps:
10. In the QRadar SIEM console, click the Admin tab.
12. Verify that the AccountName property now includes statistics for the indexed property. (The
statistics update only hourly, so you might need to wait an hour before you see the property’s
statistics.)
Field / Option Setting
New Property WinLogonType
Description Windows log on type determines how the log
on was issued: interactive, network, local,
batch, etc.
Category <Enable>
High Level category Any (Enable Category first)
Low Level category Any
RegEx Logon\sType:.*?(\d{1,2})
Capture Group 1
All other fields <Keep the default values>
7. Verify that your configuration looks like the one in the following graphic.
8. Click Save.
9. In the QRadar SIEM console, click the Admin tab.
Note: You can use the new property in searches and reports.
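The regular expression in the property definition above is worth running against sample payloads before you save it. The following Python is an added example, not course material: it applies the WinLogonType regex to constructed Windows logon event text, maps the captured code to Microsoft's documented logon type names, and shows what the greedy variant (.* instead of .*?) would capture instead. The payloads are written in the style of Windows security events and are not lab captures.

```python
import re
from collections import Counter

# The regular expression exactly as entered in the WinLogonType property (Capture Group 1).
# \s matches the single space in "Logon Type", the lazy .*? skips whatever separates the
# colon from the number, and \d{1,2} allows the two-digit types 10 and 11.
WINLOGONTYPE_RE = re.compile(r"Logon\sType:.*?(\d{1,2})")

# Greedy variant, kept only to show why the property uses .*? rather than .*
GREEDY_RE = re.compile(r"Logon\sType:.*(\d{1,2})")

# Windows logon type codes as documented by Microsoft for event 4624.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed payloads in the style of Windows security events; not captured from the lab.
SAMPLE_EVENTS = [
    "An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Logon Type: 3 New Logon: Account Name: PeggyBundy Logon ID: 0x1A2B",
    "An account was successfully logged on. Logon Type:\t\t10 "
    "New Logon: Account Name: KellyBundy",
    "An account failed to log on. Logon Type: 2 Account Name: MarcyDArcy",
    "An account was logged off. Account Name: AlBundy Logon ID: 0x3E7",
]


def extract_logon_type(payload, pattern=WINLOGONTYPE_RE):
    """Return the captured logon type as an int, or None when the payload has none."""
    m = pattern.search(payload)
    return int(m.group(1)) if m else None


def logon_type_name(code):
    return LOGON_TYPE_NAMES.get(code, "Unknown")


def summarize(payloads):
    """Count events per logon type name, as a report grouped on the property would."""
    return Counter(logon_type_name(t)
                   for t in map(extract_logon_type, payloads) if t is not None)


if __name__ == "__main__":
    for p in SAMPLE_EVENTS:
        print(extract_logon_type(p), extract_logon_type(p, GREEDY_RE))
    print(summarize(SAMPLE_EVENTS))
```

The greedy pattern backtracks from the end of the payload and captures the last digit it finds (the 2 in the Logon ID of the first event, the trailing 0 of "10" in the second), so a property built on it would silently misclassify logons; the lazy form stops at the first one or two digits after the label.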
4. Click Rules.
6. Edit the DEMO: Accounts under Surveillance rule by changing the Username testable object to
WinLogonType(Custom).
4. In the Property Definition window, enable the Optimize parsing for rules, reports, and
searches option.
5. Click Save.
6. Edit the DEMO: Accounts under Surveillance rule and change the AccountName(Custom)
testable object to WinLogonType (custom).
Note: If you disable indexing for the WinLogonType property but keep parsing optimized for
rules, reports, and searches, you can continue to use the property in searches and rules.
4 Managing users exercises
2. Click Authentication.
The Authentication Configuration window opens.
4. Configure Active Directory authentication using the values in the following table.
5. Verify that your configuration looks like the one in the following graphic.
6. Click Save.
2. Click New.
3. Create a QRadar SIEM user using the values in the following table.
Note: Selecting the All user role disables the Password field. A password is not required for
users with non-administrative roles using Active Directory.
Exercise 1. Configure and test remote authentication
4. Verify that your configuration looks like the one in the following graphic.
• Password: object00
A log in failure occurs because the PeggyBundy user is not known to Active Directory.
6. Verify that your configuration looks like the one in the following graphic.
7. Click Next.
8. Configure the user password using the values in the following table.
9. Verify that your configuration looks like the one in the following graphic.
• Password: object00
Exercise 2. Manage users
Important: Before performing this exercise, complete the following exercises: “Set up network
hierarchy objects” on page 7, “Create a reference set” on page 21, and “Configure and test remote
authentication” on page 35.
A user account must be created for each user requiring access to the QRadar SIEM console. Each
user account is assigned a user role and security profile. A user role defines the function a user
accesses in the QRadar SIEM console. A security profile grants a user permission to view and
search log sources and networks.
6. Verify that your security profile network configuration looks like the one in the following graphic.
7. Verify that your security profile log source configuration looks like the one in the following
graphic.
11. Create a new user role using the values in the following table.
Field Value
User Role Name WinAud
Admin <Disable>
Offenses <Enable>
Log Activity <Enable>
Network Activity <Disable>
Assets <Enable>
Reports <Enable>
IP Right Click Menu Extensions <Disable>
Note: Selecting a role grants the user access to all functionality for that role. Within the role, you
can grant access to individual functions. For example, selecting Offenses grants the user access to
all functionality within the Offenses tab. Within the Offenses role, you can grant individual access
to the following permissions: assign offenses to users, maintain custom rules, manage offense
close reasons, or view custom rules.
12. Verify that your configuration looks like the one in the following graphic.
14. Assign PeggyBundy the WinAud user role and security profile.
a. On the Admin tab, click Users.
b. Double-click the user PeggyBundy.
5. Continue to click Next and from the All Test Group, select the when the local network is one of
the following networks test.
8. Click Cancel.
Exercise 3. Explore how user roles and security profiles work
9. From the All Test Group, select the when the event(s) were detected by one or more of these
log sources test.
8. Log in to the QRadar SIEM console as user admin and perform Step 2 to Step 6 again.
Compare the data shown when accessing the QRadar SIEM console as admin and as
PeggyBundy. In general, what are the differences between the two users?
After one minute, events and flows are sent to QRadar SIEM.
10. Log in to the QRadar SIEM console as the PeggyBundy user and view the following:
a. Log Activity
b. Network Activity
c. Assets
d. Offenses
i. Why are no offenses listed?
12. Log in to the QRadar SIEM console as user admin and perform Step 9 to Step again.
13. If time permits, assign the PeggyBundy user account to the All security role and repeat Step 2
to Step 6.
Note: The security profile controls what data a user can see; the user role controls the functions
a user is authorized to perform.
14. Log out of the QRadar SIEM console as the PeggyBundy user.
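As an added example (not IBM course code) of the distinction this exercise explores: a user role gates which console functions a user can open, while a security profile filters which events the user can see. The WinAud function set below is taken from the role table earlier in this chapter; the profile's CIDR and log source, the three precedence modes (this example's model of the profile's permission precedence setting) and the event records are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class UserRole:
    """Functions a user may use; WinAud values come from the lab's role table."""
    name: str
    functions: frozenset


@dataclass(frozen=True)
class SecurityProfile:
    """Data a user may see: granted network hierarchy objects (as CIDRs) and log sources.
    precedence is this example's model of permission precedence: "and" requires both the
    network and the log source to match, "or" accepts either, "none" applies no restriction."""
    name: str
    networks: tuple
    log_sources: frozenset
    precedence: str = "and"


ALL_FUNCTIONS = frozenset({"Admin", "Offenses", "Log Activity", "Network Activity",
                           "Assets", "Reports", "IP Right Click Menu Extensions"})
ADMIN_ROLE = UserRole("Admin", ALL_FUNCTIONS)
WINAUD_ROLE = UserRole("WinAud", frozenset({"Offenses", "Log Activity", "Assets", "Reports"}))

# Constructed profiles: WinAud is limited to one network object and one log source.
ADMIN_PROFILE = SecurityProfile("Admin", (), frozenset(), precedence="none")
WINAUD_PROFILE = SecurityProfile("WinAud", ("10.0.120.0/24",),
                                 frozenset({"IBMAIXServer@10.0.120.10"}))


def can_use(role, function):
    """Role check: may this user open the function (tab) at all?"""
    return function in role.functions


def with_precedence(profile, precedence):
    return replace(profile, precedence=precedence)


def _in_networks(profile, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in profile.networks)


def event_visible(profile, event):
    """Profile check: does this event fall inside the user's data scope?"""
    if profile.precedence == "none":
        return True
    in_net = _in_networks(profile, event["src"]) or _in_networks(profile, event["dst"])
    in_ls = event["log_source"] in profile.log_sources
    return (in_net and in_ls) if profile.precedence == "and" else (in_net or in_ls)


def visible_events(profile, events):
    return [e for e in events if event_visible(profile, e)]


EVENTS = [  # constructed events; the ids make the results easy to compare
    {"id": 1, "log_source": "IBMAIXServer@10.0.120.10", "src": "10.0.120.10", "dst": "10.0.120.50"},
    {"id": 2, "log_source": "WindowsAuthServer@192.168.10.20", "src": "192.168.10.20", "dst": "192.168.10.10"},
    {"id": 3, "log_source": "IBMAIXServer@10.0.120.10", "src": "172.16.0.5", "dst": "172.16.0.9"},
    {"id": 4, "log_source": "LinuxServer@10.0.120.10", "src": "10.0.120.10", "dst": "10.0.120.77"},
]


if __name__ == "__main__":
    for role, profile in ((ADMIN_ROLE, ADMIN_PROFILE), (WINAUD_ROLE, WINAUD_PROFILE)):
        tabs = sorted(f for f in ALL_FUNCTIONS if can_use(role, f))
        ids = [e["id"] for e in visible_events(profile, EVENTS)]
        print(role.name, tabs, ids)
```

The two checks are independent: widening the role (giving WinAud the Network Activity tab) changes nothing about which events are returned, and switching the profile to "or" widens the data without granting a single extra function.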
Exercise 4. Examine remote authentication for user accounts
Task 1. Assign a user the Admin user role
To assign a user to the Admin user role, perform the following steps:
1. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page viii.
3. Click Users.
• Password: object00
4. Change the QRadar SIEM password for PeggyBundy from object00 to object11.
5. Log out of the QRadar SIEM console.
• Password: object00
3. Based on the password used to log in, which user directory is used to authenticate
PeggyBundy, QRadar SIEM or Active Directory?
• Password: object11
7. Based on the password used to log in, which user directory is used to authenticate
PeggyBundy, QRadar SIEM or Active Directory?
9. Log out of the QRadar SIEM console as the PeggyBundy user.
5 Managing data exercises
Important: The backup process starts at midnight and should finish before 02:00 AM every day,
on each event or flow processor relative to the local system time of the processor.
Field Value
Backup Repository Path /tmp
Backup Retention Period(days) 2
No Nightly Backups <Disable>
Configuration Backup Only <Disable>
Configuration and Data Backups <Enable>
COE :: 192.168.10.10 Event Data <Enable>
COE :: 192.168.10.10 Flow Data <Disable>
6. Verify that your backup configuration looks similar to the one in the following graphic.
Note: To prevent backup failure, the backup repository path was changed to /tmp. By default,
the process backs up only the configuration data stored on the QRadar SIEM console.
7. Click Save.
9. To view the configuration changes available for deployment, click View Details > Expand All.
Exercise 2. Retain events
2. Click row 1.
4. Configure the event retention properties using the values in the following table.
5. Verify that your configuration looks like the one in the following graphic.
6 Collecting log and flow records exercises
QRadar SIEM automatically discovers log sources that send syslog messages. The log sources
automatically discovered appear in the Log Sources window located on the Admin tab. You must
manually define log sources that QRadar SIEM does not automatically discover. Log sources might
have more than one event source. For example, an AIX machine can host DB2 and SAP
applications. AIX operating system, DB2 and SAP logs are event sources for the same IP address.
When there are multiple event sources for the same IP address using the same protocol, you control
which DSM tries to parse an event first by defining the log source parsing order.
3. Select all the log sources and delete them. The list of log sources is now empty.
4. Observe the events until you see events with the following log sources:
• LinuxServer@10.0.120.10
• IBMAIXServer@10.0.120.10
5. Stop generating events. In the PuTTY command line, press Ctrl+C.
Exercise 1. Define and manage log sources
13. Verify that the same events are now parsed as IBMAIXServer events only.
To disable coalescing events for the IBMAIXServer log source, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.
5. Click Save.
7. Navigate to the Log Activity window and verify that all incoming events have an event count
value of 1.
7. Verify that the following log sources for the 10.0.120.10 machine are listed:
• IBMAIXServer@10.0.120.10
• OracleOSAudit@10.0.120.10
• LinuxServer@10.0.120.10
Only the LinuxServer is disabled. Events from the 10.0.120.10 machine are first parsed by the
IBMAIXServer parser and next by the OracleOSAudit parser. Because the system is a database
server, assume that the Oracle instance generates most of the events.
8. To change the parsing order, select OracleOSAudit@10.0.120.10 and click the UP icon to
move the selected log source up one row.
9. Click Save.
QRadar SIEM processes the OracleOSAudit log source first for the 10.0.120.10 host.
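An added example, not course material, of why the parsing order matters for a host that has several log sources on the same protocol: each enabled source's DSM is tried in order, and the first one that claims the event gets to parse it. The DSM_CLAIMS checks are constructed stand-ins for the real DSM parsers (the AIX check is loose on purpose, so that it claims an Oracle audit record when it is tried first), and the two syslog lines are constructed, not lab captures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str        # as listed in the parsing order window, e.g. "OracleOSAudit@10.0.120.10"
    dsm: str
    enabled: bool = True


# Stand-in "does this DSM claim the payload?" checks, constructed for this example.
# The real DSMs' matching logic is not on the page and is not reproduced here.
DSM_CLAIMS = {
    "IBMAIXServer": re.compile(r"\b\w+\[\d+\]:"),              # any "process[pid]:" header
    "OracleOSAudit": re.compile(r"\bOracle Audit\[\d+\]:"),
    "LinuxServer": re.compile(r"\b(?:sshd|sudo|su)\[\d+\]:"),
}


def parse(payload, ordered_sources):
    """Try enabled sources in parsing order. Return (name of the source that claimed the
    payload, or None, number of parsers tried)."""
    tried = 0
    for src in ordered_sources:
        if not src.enabled:          # disabled sources are skipped, as in the exercise
            continue
        tried += 1
        if DSM_CLAIMS[src.dsm].search(payload):
            return src.name, tried
    return None, tried


def move_up(ordered_sources, name):
    """Move the named source up one row, as the UP icon in the parsing order window does."""
    srcs = list(ordered_sources)
    i = next(k for k, s in enumerate(srcs) if s.name == name)
    if i > 0:
        srcs[i - 1], srcs[i] = srcs[i], srcs[i - 1]
    return srcs


def attribution(ordered_sources, payloads):
    """Which log source each payload is attributed to under the given order."""
    return [parse(p, ordered_sources)[0] for p in payloads]


HOST = "10.0.120.10"
INITIAL_ORDER = [  # the order the exercise starts from
    LogSource(f"IBMAIXServer@{HOST}", "IBMAIXServer"),
    LogSource(f"OracleOSAudit@{HOST}", "OracleOSAudit"),
    LogSource(f"LinuxServer@{HOST}", "LinuxServer", enabled=False),
]

SAMPLE_PAYLOADS = [  # constructed syslog lines from the database host, not lab captures
    "<38>Jan 14 10:00:01 dbsrv01 Oracle Audit[2345]: LENGTH : '227' ACTION :[7] 'CONNECT'",
    "<38>Jan 14 10:00:02 dbsrv01 sshd[9981]: Accepted password for oracle from 10.0.120.50 port 51234 ssh2",
]


if __name__ == "__main__":
    print(attribution(INITIAL_ORDER, SAMPLE_PAYLOADS))
    print(attribution(move_up(INITIAL_ORDER, f"OracleOSAudit@{HOST}"), SAMPLE_PAYLOADS))
```

With the initial order the Oracle audit record is attributed to the AIX log source, so it would be normalized with the wrong event names and categories; after moving OracleOSAudit up, it is claimed on the first attempt and the sshd line still falls through to AIX on the second. Putting the busiest source first also minimizes the number of parsers tried per event.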
Exercise 2. Create a log source manually
b. Close one PuTTY session. In the PuTTY window, press Alt+F4.
Hint: For a list of DSMs that have auto-discovery disabled, check the Supported DSM list in the
IBM Security QRadar DSM Configuration Guide.
2. Create a new log source using the values in the following table.
3. Verify that the log source configuration looks like the one in the following graphic.
4. Click Save.
8. Verify that events from the AS400 log source are included:
a. In the QRadar SIEM console, double-click the Log Activity tab.
Task 2. Add a log source extension
To add a log source extension, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.
3. Click Add.
4. Create a log source extension using the values in the following table.
Hint: From the Log Source Types pane, in the Available column, select IBM AS/400 iSeries
and click the right arrow to move it to the Set to default for column.
5. Verify that your configuration looks like the one in the following graphic.
6. Click Upload.
7. Click Save.
9. Define a log source extension for the AS400 log source by performing the following steps:
a. On the Admin tab, click Log Sources.
b. From the Log Sources list, double-click the AS400 log source.
A log source extension includes instructions to improve the parsing of events performed by
the DSM. QRadar SIEM applies the instructions in the log source extension after processing
the default parser for the IBM AS/400 iSeries DSM. The instructions in the extension
supersede the default DSM instructions for all fields except EventName. QRadar SIEM
detects whether a log extension is used for parsing enhancement or override. Therefore,
you can choose either Extension Use Condition.
d. Click Save.
7 Collecting Windows log records exercises
To collect Windows log records, you must perform the following exercises:
• Create an authentication token
4. Configure the authorization service using the values in the following table.
5. Verify that your configuration looks like the one in the following graphic.
8. In the Selected Token field, highlight the token, right-click it and click Copy.
Note: The authentication token is a required parameter for the WinCollect installation. The
authentication token allows the WinCollect agent to automatically register with the QRadar SIEM.
Exercise 2. Install the WinCollect agent
5. Verify that your configuration looks like the one in the following graphic.
Exercise 3. Assign log sources to the WinCollect agent
Uempty 8. Verify that your Dialog Bold Title window looks like the one in the following graphic.
.
9. Click Next.
10. Click Install.
3. To create a Windows security event log source for the FSPDC WinCollect agent, select
WinCollect@FSPDC and click Log Sources on the toolbar.
The Log Sources window opens.
4. Click Add.
5. Configure the log source using the values in the following table.
Note: If a configuration parameter is not in the table, use the default value.
6. Verify that your log source configuration looks like the one in the following graphic.
7. Click Save.
8. Close the Log Sources window.
9. Close the WinCollect window.
10. On the Admin tab, click Deploy Changes.
11. Verify that the FSPDC log source sends events to QRadar SIEM.
a. In the QRadar SIEM console double-click the Log Activity tab.
8 Managing custom log sources exercises
The exercises in this chapter are examples of how to create UDSM log sources in the QRadar
SIEM console.
To export events from the QRadar SIEM console, perform the following steps:
1. In the PuTTY command line, type:
./sendAIX.sh
5. Stop the execution of the script. In the PuTTY command line, press Ctrl+C.
6. List the log sources for the events for the 10.0.120.10 IP address.
_______________________________________________________________________
____________________________________________
10. From the Actions list, select Export to XML > Full Export.
11. Save the zip file to the host system and browse to where the file is saved. The file is typically
saved in the C:\Documents and Settings\Administrator\My Documents\Downloads folder.
12. To extract the contents of the file, right-click the file and click Extract All.
13. Use FileZilla to copy the YYYY-MM-DD-data_export.xml file to the QRadar SIEM server.
a. Launch FileZilla using the “FileZilla login credentials” on page ix. Copy the extracted file to
the /labfiles directory on the QRadar SIEM server.
Exercise 1. Export QRadar SIEM events
d. Verify that your configuration looks similar to the one in the following graphic.
e. In the Filename pane, right-click the selected file and select Upload.
f. Click Successful Transfers to verify that the file transfer was successful.
g. Exit FileZilla.
Note: You just exported events to a file and copied the file to the same QRadar SIEM server.
Typically events are exported to a file on one QRadar SIEM server and that file is copied to
another QRadar SIEM server.
16. Wait until the script finishes. In the PuTTY command line, type:
tail /tmp/AIXevents.log
You see the extracted events.
17. In the QRadar SIEM console, double-click the Log Activity tab.
The events previously categorized as Unknown Stored are now parsed by the AIX parser.
You successfully exported events, extracted the event payload, and sent the raw events to the
same QRadar SIEM for processing. In real life you use this process if you want the events parsed
by the correct DSM. You can also send the exported events to be processed on a different QRadar
SIEM server instance. Use this scenario to instruct a third party to export events and analyze them.
Exercise 2. Use regular expressions
5. Copy the following text from the SampleAIXevent.txt file and paste it into the Test Field pane.
<125>Jul 8 06:38:56 10.0.120.10 <10>Jan 24 17:17:49 Message forwarded from
ibm.aix.test.com: syslog[1855696]: [CLSLog.Handler.File/LogFile
0x10100BE](P/PP/TID 1855696/2195608/2314)
File(/apps/MANH/wmdev/logs/PkMHEInboundS-1855696-0124.log).Write()
_______________________________________________________________________
_______________________________________________________________________
11. Which expression replaces the string Write in the regular expression so that the RegEx
matches other alphabetical values, like Read, for example? Select one.
• \D+
• \.*
• \w+
• (Read|Write)
2. Let the script run for 10 minutes. While the script runs, return to the QRadar SIEM console.
c. Add a filter for the high-level category Authentication and the low-level category User
Account Added.
6. In the Event Name column, look for the event, A user account was created.
7. Pause the stream and double-click any A user account was created event.
10. The Windows 2003 events that represent account creation or activation are event IDs 624 and
626. Assume that the event format for the Windows 2003 events 624 and 626 is the same as
the 4720 event. How do you extend your regular expression to capture the Security ID in a 624
or 626 event?
Exercise 3. Create a universal DSM and map unknown events
_______________________________________________________________________
13. Modify the .*? to .*. Explain the purpose of the ? token.
_______________________________________________________________________
14. What does the {2} token, after the \s token, mean?
_______________________________________________________________________
• http://www.regexplanet.com/advanced/java/index.html
• http://www.zytrax.com/tech/web/regex.htm
3. Click Add.
4. Configure the custom log parser using the values in the following table.
5. Verify that your configuration looks like the one in the following graphic.
6. Click Upload.
7. Click Save.
2. Click Add.
3. Configure the universal DSM using the values in the following table.
Field / Option               Setting
Enabled                      Enable
Credibility                  5
Target Event Collector       default
Coalescing Events            Disable
Incoming Payload Encoding    UTF-8
Store Event Payload          Enable
Log Source Language          English
Log Source Extension         CustomLogParser
Extension Use Condition      Parsing Override
4. Verify that your configuration looks like the one in the following graphic.
5. Click Save.
5. Pause the stream and double-click any event for the log source CustomLog.
7. Click Map Event and verify that the Log Source Event ID is blank.
8. Stop the execution of the script. In the PuTTY command line, press CTRL+C.
• Location value
• ID value
• Name value
• Entrance value
• Access value
• Direction value
Hint: (\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)
5. Edit the UDSM_LSX.xml file and insert the regular expression created in Step 2 into the inner
square brackets of the EventName pattern:
<pattern id="EventName" xmlns=""><![CDATA[]]></pattern>
6. Delete all other pattern ID lines and matcher field lines until the extension contains only the
patterns ID and matcher field lines shown in the following graphic:
8. Update and save the UDSM_LSX.xml file and upload it to the CustomLogParser log source
extension.
9. Click Save.
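The following Python script is an added example, not part of the course material or of QRadar: it applies the regular expression from the hint above to a few constructed physical access log lines in the tab-separated layout the pattern expects, so you can see which capture group carries which value before the expression goes into the EventName pattern of UDSM_LSX.xml. The composition of the Log Source Event ID from the Direction and Access values (giving Access:In:Granted and the other IDs listed in this exercise) is an assumption about the lab's log format, as is the sample data; a line the pattern cannot parse returns None, which is the case in which the event would stay unknown.

```python
import re

# Regular expression from the lab hint (Java syntax in QRadar; it is also valid Python regex).
ACCESS_LOG_RE = re.compile(
    r"(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)"
    r"\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)"
)

# Names for the seven capture groups, in the order the pattern captures them.
FIELDS = ("timestamp", "location", "id", "name", "entrance", "access", "direction")

# Constructed sample lines in the tab-separated layout the pattern expects (not the lab's log file).
SAMPLE_LINES = [
    "08/Jan/2014:17:17:49\tLocation:HQ\tID:1042\tName:Jane Doe\tEntrance:Lobby-North\tAccess:Granted\tDirection:In",
    "08/Jan/2014:17:18:03\tLocation:HQ\tID:2077\tName:John Roe\tEntrance:Server-Room\tAccess:Denied\tDirection:In",
    "08/Jan/2014:17:25:41\tLocation:HQ\tID:1042\tName:Jane Doe\tEntrance:Lobby-North\tAccess:Granted\tDirection:Out",
    "Jan  8 17:26:00 badge-ctl: heartbeat ok",  # no match: this line would remain an unknown event
]


def parse_access_event(payload):
    """Return the captured fields as a dict, or None when the pattern does not match the payload."""
    match = ACCESS_LOG_RE.match(payload)
    if match is None:
        return None
    return dict(zip(FIELDS, match.groups()))


def log_source_event_id(fields):
    """Assumed composition of the lab's event IDs (Access:In:Granted and so on) from captured values."""
    return "Access:{}:{}".format(fields["direction"], fields["access"])


def classify(lines):
    """Map every payload to its log source event ID, or None for payloads the pattern cannot parse."""
    ids = []
    for line in lines:
        fields = parse_access_event(line)
        ids.append(log_source_event_id(fields) if fields else None)
    return ids


def entrance_names(lines):
    """Distinct Entrance values: the names the assets created from these events would carry (step 8)."""
    names = set()
    for line in lines:
        fields = parse_access_event(line)
        if fields:
            names.add(fields["entrance"])
    return sorted(names)


if __name__ == "__main__":
    for line, event_id in zip(SAMPLE_LINES, classify(SAMPLE_LINES)):
        print(event_id, "<-", line[:40])
    print(entrance_names(SAMPLE_LINES))
```

Run it with python3; the three parsable lines yield the three event IDs the exercise expects and the unrelated syslog line yields None, which is the behaviour to check for when a new log format is only partially covered by the expression.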
2. After 60 seconds, stop the execution of the script. In the PuTTY command line, press CTRL+C.
4. View events from the CustomLog log source received in the last 5 minutes.
5. Double-click any event.
________________________________________________________________________
7. Click Map Event and acknowledge that the Log Source Event ID now contains one of the
following values:
• Access:In:Granted
• Access:In:Denied
• Access:Out:Granted
You created a log source extension document and a universal DSM that captures custom
events and uses the event identifier of the raw event to map it to a log source event ID. For this
exercise, the log file is a simplified physical access log.
2. Verify that the output of the script looks like the one in the following graphic.
To map the Log Source Event ID to an Event Name and appropriate HLC and LLC, perform the
following steps:
4. Search for an event that is assigned the Access:In:Granted Log Source Event ID.
a. In the Quick Filter search field type: “Access\:Granted”.
b. Click Search.
2. After 60 seconds, stop the execution of the script. In the PuTTY command line, press CTRL+C.
3. In the QRadar SIEM console, double-click the Log Activity tab.
5. Verify that Physical entry success events appear as shown in the following graphic.
6. Create additional QIDs for the Access:In:Denied (use LLC=4015) and Access:Out:Granted (use
LLC=4014) log source event IDs and define appropriate qnames for each of these log source
event IDs.
Note: When applying the qidmap_cli.sh tool, choose to use lowlevelcategoryid 4014 or 4015. If
you have a list of LLC names and their LLC IDs, you can assign an event the low-level category that
best categorizes the event. Instead of creating new QID entries for log source event IDs, you can
reuse existing QIDs with QID names that end with the string Event CRE.
8. Verify that new assets are created with names matching the entrance values found in the log
file and extracted by the UDSM_LSX.xml log source extension document. The asset name
looks like the ones shown in the following graphic.
Hint: The sql command must be typed as written. Pay attention to the spaces.
b. Verify that the grep command output looks like the one in the following graphic.
9 Using rules exercises
Also look for HTTP on ports 1024-10000 from machines that are not approved to run web servers.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
2. In the VA Scanners window, select the VA scanner you just created and click Schedule.
3. Click Add.
4. Create a new schedule using the values in the following table.
5. Click Save.
6. Close the Scan Scheduling window.
7. Close the VA Scanners window.
Exercise 1. Capture an RPC vulnerability exploit
4. Click Save.
5. On the Admin tab, click Deploy Changes.
10 Creating rules exercises
The exercises in this unit create rules that capture the following security scenario.
A domain administrator creates an account for a friend who needs temporary access to the lab
files on a Windows system. Normally, this friend is not allowed to access these files and he tells
the administrator that he does not want to elevate the authorizations of his own account. They
agree that the administrator will create a temporary account with sufficient privileges. When the
administrator creates the account, the friend uses it to access files on the Windows system.
When he finishes, he informs the administrator. The administrator deletes the account quickly
because he knows that he is only allowed to create accounts when a change management
account creation ticket exists. The administrator’s actions violate the company security policy,
because the account he created was part of the privileged user groups that can access the files.
The administrator hopes nobody notices that an account with sufficient privileges accessed
sensitive files.
An offense that captures this security scenario is created by the following parts:
• Rules that detect the following activity:
• Account deletion
b. From the All Test Group, select the when an event matches any|all of the following
rules test.
c. For the rules testable object, select BB: CategoryDefinition: Superuser Accounts.
d. From the All Test Group, select the when the event category for the event is one of
the following categories test.
Exercise 1. Write event rules
8. Verify that your configuration looks similar to the one in the following graphic.
9. Click Next.
10. Click Finish.
c. From the All Test Group, select the when any of these properties match this regular
expression test.
Hint: If you do not see the EventID property in the list, go to Custom Event Properties and
review the configuration for EventID.
f. From the All Test Group, select the when the Event Payload contains this string test.
Note: Optimize this building block for EventID 560. To test for the value 560, use the custom
property EventID along with the rule, when any of these properties match this regular expression.
Make sure to test for the EventID before you test the payload. The payload test is very expensive
on its own.
2. Verify that your configuration looks like the one in the following graphic.
Note: When you click Export as Building Block, the rule is saved as a building block and the
rules wizard remains open for you to create another rule.
c. For the these reference set(s) testable object, select Newly created users.
d. From the All Test Group, select the when the event category for the event is one of the
following categories test.
f. From the All Test Group, select the when an event matches any|all of the following rules
test.
g. For the rules testable object, select BB: CategoryDefinition: Sensitive data.
2. Verify that your rule looks like the one in the following graphic.
6. Verify that your rule action looks like the one in the following graphic.
7. Click Next.
8. Click Finish.
d. From the All Test Group, select the when an event matches any|all of the following rules
test.
e. For the rules testable object, select BB: CategoryDefinition: Superuser Accounts.
f. From the All Test Group, select the when the event category for the event is one of the
following categories test.
h. From the All Test Group, select the when any of these event properties are contained in
any of these reference set(s) test.
i. For the these event properties testable object, select Account Name(custom).
j. For the these reference set(s) testable object, select Newly created users.
2. Verify that your rule looks like the one in the following graphic.
6. Verify that your rule action looks like the one in the following graphic.
7. Click Next.
8. Click Finish.
c. From the All Test group, select the when these rules match at least this many times
in this many minutes after these rules match test.
d. For the these rules testable object, select Exploit: Administrator social engineering new
account deleted.
h. For the these rules testable object, select Exploit: Administrator social engineering
account added and Exploit: New user accesses sensitive data.
2. Verify that your rule looks like the one in the following graphic.
6. Verify that your rule action looks like the one in the following graphic.
7. Click Next.
8. Click Finish.
You created a set of rules to capture the individual events that, in combination, trigger an
offense.
Hint: For detailed steps to create a user in Active Directory, see Task 3, "Create a user account
in Active Directory," on page 37.
Exercise 2. Perform activities to trigger an offense
b. In the Enter the object name to select field, type Domain Admins and click Check Names.
c. Click OK.
3. Log out of the Windows system as the Administrator user.
Note: It takes some time for offenses to appear in the Log Activity tab. Make sure you give the
system enough time to update the reference set with the newly created user account. Otherwise
the system will not find the account in the reference set.
11 Managing false positives exercises
To reduce the number of false positives, modify the Exploit: Administrator social engineering used
to access sensitive data rule so that an offense is triggered only when the Exploit: Administrator
social engineering account added and Exploit: New user accesses sensitive data rules match.
3. Edit the Exploit: Administrator social engineering used to access sensitive data rule.
a. Delete the single test.
b. Add the when all of these rules, in|in any order, from the same|any source IP
to the same|any destination IP, over this many seconds test.
c. Modify the testable object to reflect the rules that should fire in the right order at least one
time in 24 hours.
c. Select the Newly created users reference set and click Edit.
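The rule chain built in Exercise 1 of the Creating rules unit (account added by a superuser, new user accesses sensitive data, new account deleted) and the refinement in this unit (offense as soon as account added is followed by sensitive data access) can be reasoned about outside the console. The Python script below is an added example and not QRadar's rule engine or the course's own code: the building blocks BB: CategoryDefinition: Superuser Accounts and BB: CategoryDefinition: Sensitive data are replaced by constructed stand-in values, the reference set Newly created users is a plain set, the 24-hour window is taken from the sentence above, and the events are constructed, simplified Windows security events. The sensitive-data rule tests the EventID before the payload string, as the note in Exercise 1 recommends.

```python
from datetime import datetime, timedelta

# Stand-ins for the QRadar objects named in the lab (constructed values, not lab data).
SUPERUSER_ACCOUNTS = {"Administrator"}     # BB: CategoryDefinition: Superuser Accounts
SENSITIVE_MARKERS = ("\\Finance\\",)       # BB: CategoryDefinition: Sensitive data (assumed payload string)
WINDOW = timedelta(hours=24)               # "at least one time in 24 hours" from the refined rule

# Constructed, simplified Windows security events in time order; not output from the lab VM.
EVENTS = [
    {"time": "2014-01-08 09:00:00", "category": "User Account Added", "actor": "Administrator",
     "account": "tempuser", "event_id": "4720", "payload": "A user account was created."},
    {"time": "2014-01-08 09:05:00", "category": "Object Access", "actor": "tempuser",
     "account": "tempuser", "event_id": "560", "payload": "Object Name: C:\\Finance\\Q4-results.xlsx"},
    {"time": "2014-01-08 09:20:00", "category": "User Account Removed", "actor": "Administrator",
     "account": "tempuser", "event_id": "4726", "payload": "A user account was deleted."},
    # Benign activity that must not raise an offense.
    {"time": "2014-01-08 10:00:00", "category": "User Account Added", "actor": "Administrator",
     "account": "svc_backup", "event_id": "4720", "payload": "A user account was created."},
    {"time": "2014-01-08 10:30:00", "category": "Object Access", "actor": "svc_backup",
     "account": "svc_backup", "event_id": "560", "payload": "Object Name: D:\\Backups\\nightly.bak"},
    {"time": "2014-01-08 11:00:00", "category": "Object Access", "actor": "jdoe",
     "account": "jdoe", "event_id": "560", "payload": "Object Name: C:\\Finance\\budget.xlsx"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def rule_account_added(ev):
    """Exploit: Administrator social engineering account added (simplified)."""
    return ev["category"] == "User Account Added" and ev["actor"] in SUPERUSER_ACCOUNTS


def rule_sensitive_access(ev, newly_created):
    """Exploit: New user accesses sensitive data. The cheap EventID test runs before the payload test."""
    return (ev["category"] == "Object Access"
            and ev["event_id"] == "560"
            and ev["account"] in newly_created
            and any(marker in ev["payload"] for marker in SENSITIVE_MARKERS))


def rule_account_deleted(ev, newly_created):
    """Exploit: Administrator social engineering new account deleted (simplified)."""
    return ev["category"] == "User Account Removed" and ev["account"] in newly_created


def correlate(events, require_deletion=True, window=WINDOW):
    """Return (account, time) offenses.

    require_deletion=True:  original chain, deletion after both account-added and sensitive-access matched.
    require_deletion=False: refined rule, account-added followed by sensitive-access within the window.
    """
    newly_created = set()        # reference set "Newly created users"
    added, accessed = {}, {}     # account -> time of the last rule match
    offenses = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, acct = _ts(ev["time"]), ev["account"]
        if rule_account_added(ev):
            newly_created.add(acct)          # rule response: add the account name to the reference set
            added[acct] = t
        elif rule_sensitive_access(ev, newly_created):
            accessed[acct] = t
            if not require_deletion and t - added[acct] <= window:
                offenses.append((acct, ev["time"]))
        elif rule_account_deleted(ev, newly_created):
            if require_deletion and acct in accessed and t - added[acct] <= window:
                offenses.append((acct, ev["time"]))
    return offenses


if __name__ == "__main__":
    print("original chain:", correlate(EVENTS))
    print("refined rule:  ", correlate(EVENTS, require_deletion=False))
```

The two benign sequences show why the reference set matters: svc_backup is a newly created account but never touches a sensitive object, and jdoe opens a Finance file but was never added to the set, so neither raises an offense under either variant.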
12 Using Reference Maps in rules exercises
These exercises illustrate how to implement reference maps. You will walk through the following
exercises:
• Create reference maps
Note: Before you begin this exercise, install the WinCollect agent on the Windows VM. Refer to
the exercise “Create an authentication token” on page 63.
Note: For detailed instructions about copying the file using FileZilla, refer to “Use Filezilla to copy
a file to the QRadar SIEM server” on page 72.
2. Log in to the QRadar SIEM server. Use the procedure “Logging in to the QRadar SIEM server
VM” on page vii.
3. To create the reference map of sets, in the PuTTY command line, type:
cd /opt/qradar/bin
./ReferenceDataUtil.sh create PrivilegedAccess MAPofSETS
4. To populate the reference map of sets with records, in the PuTTY command line, type:
./ReferenceDataUtil.sh load PrivilegedAccess /tmp/SampleRefSet.txt
5. To check the contents, in the PuTTY command line, type:
./ReferenceDataUtil.sh list PrivilegedAccess displayContents
6. Verify that the contents of the reference map of sets look like the contents in the following
graphic.
2. Click Rules.
Exercise 2. Create a custom rule
9. For the these reference map of sets testable object, select PrivilegedAccess.
10. Add the rule to the Exercises group.
11. In the Note field, type:
This rule is used to monitor privileged access to sensitive data.
12. Verify that your rule looks like the one in the following graphic.
2. Add the Custom Rule Partial or Full Matched Equals DEMO: Granted privileged access to
sensitive data filter:
a. Click Add Filter on the toolbar.
b. In the first list, select the Custom Rule Partial or Full Matched search parameter.
e. From the Rule list, select DEMO: Granted privileged access to sensitive data.
f. Verify that your filter looks like the one in the following graphic.
Exercise 3. Create a search
You can create a search instead of using a custom rule. While this is not necessary in a production
environment, it demonstrates that you can get the same results with a search that you get when
you create a rule.
b. In the first list, select the Reference Map of Sets search parameter.
g. Verify that your filter looks like the one in the following graphic.
b. Format the columns in the search results. Group the search results by Username. Include
ObjectName(custom) in the search results. Order the search results by Count in
descending order.
d. Verify that your configuration looks like the one in the following graphic.
Exercise 5. Test the ADE rule
5. Click Next.
6. Click Finish.
Hint: Refer to Task 3, "Create a user account in Active Directory," on page 37 for detailed steps
to create a user account in Active Directory.
Hint: Refer to “Assign the user account to the Domain Admins group” on page 101 for detailed
steps to add a user account to the Domain Admins group.
• Password: object00
11. When the events appear, apply the finance Quick Filter.
12. From the View list, select Last 5 minutes. Verify that the list contains Object Opened
Successfully events.
Exercise 6. Refine the ADE rule
13. Open the event detail for any event and verify that the event triggered the DEMO: Granted
privileged access to sensitive data rule.
Note: In a production environment, let the script and QRadar SIEM run for at least 24 hours. The
next day, run additional instances (three extra is sufficient) of the same script simultaneously using
the AlBundy account. The following day, verify that the behavioral rule ran.
This concludes the setup of the ADE rule, but follow these steps to finish the exercise:
14. Stop the execution of the AlBundysLoop.bat script by pressing CTRL+C.
15. Log out of the Windows VM as the AlBundy user.
9. Export this rule as a building block and name it DEMO: BB: Sensitive data sets.
b. From the All Test Group, select the when an event matches any|all of the following
rules test.
d. For the rules testable object, select DEMO: BB: Sensitive data sets.
e. From All Test Group, select the when the event QID is one of the following QIDs
test.
Hint: In the Browse or search for QID window, type 5000026 in the QID/Name field and click
Search.
11. Verify that your rule looks like the one in the following graphic.
14. Verify that your rule response looks like the one in the following graphic.
Exercise 7. Test the refined ADE rule
9. Verify that the event triggered the DEMO: Rule to add new records to the Privileged access
reference map of sets rule.
10. Log on to the QRadar SIEM server by using the procedure “Logging in to the QRadar SIEM
server VM” on page vii.
11. In the PuTTY command line, type:
cd /opt/qradar/bin
./ReferenceDataUtil.sh list PrivilegedAccess displayContents
12. Verify that your output looks similar to the one in the following graphic.
You created a mechanism to automatically add new privileged access records to the reference map
of sets. The reference map of sets is used by the behavioral rule to check for suspicious privilege
access patterns.
More about IBM Security Systems
You can find the latest information about IBM Security Systems education offerings online at the following
location:
www.ibm.com/training
Certification
All IBM certifications are based on job roles. They focus on a job a person must do with a product, not just
the product’s features and functions. Online certification paths are available to guide you through the
process for achieving certification in many IBM Security areas. See ibm.com/training for more information
about certification.
Authorized Training
ibm.com/training