November 2012
© Copyright IBM Corp. 2012. All Rights Reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and service names might be trademarks of
IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at www.ibm.com/legal/copytrade.shtml.
Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other
countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications
Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon,
Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation
or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in
the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government
Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle
and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States,
other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM
Corp. and Quantum in the U.S. and other countries.
The information contained in this publication is provided for informational purposes only. While
efforts were made to verify the completeness and accuracy of the information contained in this
publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this
information is based on IBM’s current product plans and strategy, which are subject to change by
IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or
otherwise related to, this publication or any other materials. Nothing contained in this publication is
intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software.
References in this publication to IBM products, programs, or services do not imply that they will be
available in all countries in which IBM operates. Product release dates and/or capabilities referenced
in this presentation may change at any time at IBM’s sole discretion based on market opportunities
or other factors, and are not intended to be a commitment to future product or feature availability in
any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or
implying that any activities undertaken by you will result in any specific sales, revenue growth,
savings or other results.
Printed in Ireland
Table of contents
Unit 1: Introduction
Introduction . . . . . . . . . . . . 1-2
Objectives . . . . . . . . . . . . . 1-2
Lesson 1: IBM Security Framework (ISF) . . . . . . . 1-3
ISF maturity categories . . . . . . . . . . . 1-4
Maturity categories and security software types . . . . . . . 1-5
IBM security software portfolio and QRadar SIEM . . . . . . . 1-6
Lesson 2: QRadar brief history . . . . . . . . . 1-7
QRadar key Capabilities . . . . . . . . . . . 1-8
Security Intelligence at work . . . . . . . . . . 1-9
Ease of deployment . . . . . . . . . . . 1-10
Clear leadership position in SIEM Magic Quadrant . . . . . . . 1-11
QRadar main product differentiators . . . . . . . . . 1-12
Lesson 3: QRadar software components and data flow . . . . 1-13
QRadar software components . . . . . . . . . . 1-14
QRadar appliance components and data flow . . . . . . . 1-15
QRadar appliance types . . . . . . . . . . . 1-16
QRadar Log Management versus SIEM . . . . . . . . 1-17
Lesson 4: QRadar distribution . . . . . . . . . 1-18
Summary . . . . . . . . . . . . . 1-19
VI • IBM Tivoli Course ©Copyright IBM Corp. 2012
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit 1: Introduction
Introduction
This unit describes the QRadar product and its components and functions.
Objectives
When you complete this unit, you can perform the following tasks:
Understand the QRadar positioning
Know the QRadar software and appliances
Overview
1-2 • IBM QRadar Implementation ©Copyright IBM Corp. 2012
Lesson 1: IBM Security Framework (ISF)
Figure: ISF maturity categories, plotted from Manual (bottom) to Automated (top) and from Reactive (left) to Proactive (right):
• Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting
• Proficient: Security is layered into the IT fabric and business operations
• Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
IBM Software Group | Security Division
© 2012 IBM Corp.
Lesson 2: QRadar brief history
• 2002: Log files from network devices are pulled into QRadar to correlate flows with log records. Early SIM functionality (V4.3)
Ease of deployment
Auto-tuning of rules
Auto-detect threats using VIS
Best practice rules and role-based reports
IBMers: check the Product Sales Kit for more information on differentiators:
http://w3-103.ibm.com/software/xl/portal/content?synKey=B885344U22687H00#assets
Lesson 3: QRadar software components and data flow
Event Processor
• Rule Processor
• Storage for events, accumulated metadata
• Storage for flows, accumulated metadata
Event Collector
• Log event collection, coalescing, and normalization
• Third-party flow collection (J-Flow, NetFlow, sFlow), deduplication, and recombination
Flow Collector
• QFlow and Superflow creation, and application detection
Figure: QRadar appliance components and data flow (network packets, network flows and logs feeding the Console).
• Network flows are preferably processed by a separate Flow Processor appliance
• An Event Collector is used where bandwidth between log sources and log storage is critical
Lesson 4: QRadar distribution
Summary
Now that you have completed this unit, you can perform the following tasks:
Understand the QRadar positioning
Know the QRadar software and appliances
Unit 2: QRadar deployment and configuration
Introduction
This unit describes QRadar appliances and how t
Objectives
When you complete this unit, you can perform the following tasks:
Explain the QRadar appliances offering
Estimate the number of Events per second and Flows per minute for a
QRadar deployment.
Lesson 1: QRadar appliances
The following appliance types are available. The table maps them onto the QRadar appliance components.
Lesson 2: Example small 'all in one' deployment
Lesson 3: Estimating EPS and FPM
Estimating by scope
FPM and EPS sizing depends on the parts of the network and the machines that need to be made visible in QRadar.
• Assume an organization with 15,000 users, 10 directory servers and 1000 servers.
• Assume that the scope is determined by the PCI regulation.
• Assume 10 PCI servers and 2 directory servers in scope.
• Assume 250 users with access to PCI machines in scope.
• EPS sizing includes only the 250 users and the 2 directory servers. Therefore we can assume an approximate event rate of 780 EPS.
• FPM sizing includes the 250 users and 10 PCI servers. Therefore we can assume a flow rate of 5,750 FPM.
• Try to use appliances that would NOT be utilized at more than 75% of their sustained EPS or FPM capacity.
Lesson 4: QRadar disk utilization parameters
Retention buckets
Default: records older than 6 hours are compressed, and when disk space is required (at 87% utilization) the oldest records are deleted until either only the 30 days of retained data remain on disk or disk utilization reaches 82%.
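The default policy above as a constructed simulation, added here and not QRadar code: the 6-hour compression age, the 87% trigger, the 82% stop level and the 30-day retention come from the text, while the disk size, record sizes and 4:1 compression ratio are assumptions, and the two stop conditions are read literally as "stop once utilization is at or below 82%" and "never delete data younger than 30 days". Scenario B is the case to watch for: when everything on disk is within the retention period the policy deletes nothing and the disk stays above the trigger level.

```python
"""Constructed simulation of the default retention-bucket policy as the course
states it: records older than 6 hours are compressed; once the disk reaches
87 % the oldest records are deleted until either only the 30-day retention
period remains on disk or utilization falls to 82 %.

Not QRadar code. Disk capacity, record sizes and the 4:1 compression ratio are
assumptions for illustration; thresholds and periods come from the text.
"""
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR

COMPRESS_AFTER = 6 * HOUR   # records older than this get compressed
RETENTION = 30 * DAY        # data younger than this is never deleted
START_THRESHOLD = 0.87      # utilization that triggers deletion
STOP_THRESHOLD = 0.82       # utilization at which deletion stops
COMPRESSION_RATIO = 0.25    # assumed compressed/raw size


@dataclass
class Record:
    ts: int             # arrival time, seconds since epoch
    raw_bytes: int
    compressed: bool = False

    @property
    def size(self) -> int:
        if self.compressed:
            return int(self.raw_bytes * COMPRESSION_RATIO)
        return self.raw_bytes


@dataclass
class RetentionBucket:
    capacity: int                                  # bytes available to the bucket
    records: list = field(default_factory=list)    # kept in arrival order
    deleted: list = field(default_factory=list)    # audit trail of purged records

    def add(self, ts: int, raw_bytes: int) -> None:
        self.records.append(Record(ts, raw_bytes))
        self.records.sort(key=lambda r: r.ts)

    def used(self) -> int:
        return sum(r.size for r in self.records)

    def utilization(self) -> float:
        return self.used() / self.capacity

    def compress_old(self, now: int) -> int:
        """Compress every record older than COMPRESS_AFTER; return how many."""
        n = 0
        for r in self.records:
            if not r.compressed and now - r.ts > COMPRESS_AFTER:
                r.compressed = True
                n += 1
        return n

    def enforce(self, now: int) -> int:
        """Delete oldest records until a stop condition holds; return how many."""
        if self.utilization() < START_THRESHOLD:
            return 0
        n = 0
        while self.records and self.utilization() > STOP_THRESHOLD:
            oldest = self.records[0]
            if now - oldest.ts <= RETENTION:
                break  # only the retention period is left: stop, disk stays full
            self.deleted.append(self.records.pop(0))
            n += 1
        return n

    def maintain(self, now: int) -> tuple:
        """One maintenance pass: compression first, then the disk check."""
        return self.compress_old(now), self.enforce(now)


def run_scenarios() -> dict:
    now = 100 * DAY
    # Scenario A: the two oldest records lie beyond the retention period,
    # so deletion can bring utilization back below 82 %.
    a = RetentionBucket(capacity=1000)
    for age, raw in [(40 * DAY, 400), (35 * DAY, 400), (20 * DAY, 800),
                     (1 * DAY, 800), (1 * HOUR, 300)]:
        a.add(now - age, raw)
    a_compressed, a_deleted = a.maintain(now)

    # Scenario B: everything on disk is younger than 30 days, so the policy
    # has nothing it may delete and the disk stays above the trigger level.
    b = RetentionBucket(capacity=1000)
    for age, raw in [(25 * DAY, 1200), (10 * DAY, 1200), (2 * HOUR, 300)]:
        b.add(now - age, raw)
    b_compressed, b_deleted = b.maintain(now)

    return {
        "a_compressed": a_compressed, "a_deleted": a_deleted,
        "a_utilization": round(a.utilization(), 2),
        "b_compressed": b_compressed, "b_deleted": b_deleted,
        "b_utilization": round(b.utilization(), 2),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```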
Lesson 5: Backup storage
Technical preparations
• A Fibre Channel PCI card must be installed in the QRadar appliance
  • Existing appliances can have cards added
  • New orders can specify to have Fibre Channel cards pre-installed
• QRadar can be configured to use the Fibre Channel storage in different ways:
  • Store all online event and flow data (not recommended)
  • Store only backups
• Fibre Channel is transparent to QRadar
  • Drivers and configuration utilities are included for convenience
• HA with Fibre Channel is supported if the latency between machines is less than 10 ms and the Fibre Channel bandwidth is at least 1 Gbps. These two requirements also apply to non-Fibre Channel connections in an HA environment.
Lesson 6: Distributed deployment across Wide Area Network
Q: Why is port 23 (rdate) mentioned when rdate is completely deprecated and NTP (port 123/udp) should be used instead? Is it really still used?
A: Indeed, we do use rdate between QRadar components and the console, rather than NTP. NTP can be configured on each host to reach out to an NTP server, but if used, all systems should point to the exact same NTP service, regardless of their location. That said, all managed hosts, regardless of NTP settings, will also reach out to the console every 10 minutes to sync up their time to the console. RDATE is used over NTP, as a built-in service on the console will service those requests (the time service in xinetd), and saves the (admittedly minimal) overhead of running an ntpd service on the console.
Q: Are the ports related to flows used at all when no flows are analyzed?
A: Assuming we are talking about NetFlow ports, such as 2055, 9995, etc.: while the QFlow collectors are listening on these ports, if nothing is being sent to the flow collectors on these ports, then no, there will not be any traffic on them; we won't generate NetFlow or any other external flow data. If we are talking about the ports used between a flow collector and a flow processor (32xxx), then if there are no flow collectors they will not be used.
A: Part of the deployment editor download uses port 80 instead of 443, which had something to do with Java security checks when downloading jar files via http versus https and being required to verify the SSL host when it was self-signed. For that reason, part of the downloads in the deployment editor are via port 80.
Q: Why does the Used Ports document mention a lot of ports related to NFS (111/tcp&udp, 762/tcp&udp, 2049/tcp, …) and how are they relevant/necessary for QRadar?
A: These are only important if they are used. If NFS is not being used, then these ports are not used by QRadar. This is only listed for customers who use NFS.
Q: Why does the Used Ports document mention SNMP ports (161/udp, 199/tcp) and how are they relevant/necessary for QRadar?
A: We accept inbound data from SNMP devices into our appliances for event sources, so we need to accept data on that port. On the other port, 199, we accept SNMP polls from other devices, so that they can check on the health status of the QRadar appliances.
Q: Why is port 6514/tcp used for syslog with TLS instead of the standard port 514/tcp?
A: 6514 for TLS syslog is a design restriction: ECS normally listens on port 514, and syslog-ng is moved to 1514. The additional port was necessary because ECS does not handle the TLS directly but an intermediate process does. We change the syslog-ng port. Since ECS is what we want processing syslog, ECS listens on port 514 and we move syslog-ng to port 1514 for our own internal logging. We use JSVC as a wrapper in order to easily change process owners and catch the output of stdout/stderr and send it to our local syslog.
A: These are messaging ports used by the "imq" service between managed hosts.
A: Ports 32004 and above are randomly chosen (in order, starting at 32004) for general communication purposes between QRadar components: QFlow to EC, EC to EP, EP to EP on the console, etc. These ports are used to transit collected data between QRadar components, and may be assigned as required, as each process on a host will require its own listen port. Ports 7777-778x are debug and monitoring ports on the Java processes on the managed hosts. These are only used for local (on the host itself) debugging purposes, and are not available off the machine itself. Ports 8005-8080 are only used between the HTTPD and Tomcat services on the console itself, and would not be exposed to any processes outside the console.
A: They are used for managed hosts to report event and flow related information back to the console ecs service.
Student exercise
Open your Student Exercises book and perform the exercises for this unit.
Summary
Now that you have completed this unit, you can perform the following tasks:
Explain the QRadar appliances offering
Estimate the number of Events per second and Flows per minute for a
QRadar deployment.
Unit 3: QRadar Software installation
Introduction
This unit describes the steps to install the Red Hat operating system and to install, upgrade and configure QRadar.
Objectives
When you complete this unit, you can perform the following tasks:
Install QRadar V7.1 with 31xx appliance role on Redhat 6.2
Bring up QRadar appliance hardware
Perform the basic configurations
3-2 • IBM QRadar Administration ©Copyright IBM Corp. 2012
Lesson 1: Prerequisites
At least 9 GB of RAM.
At least 50 GB of storage device space.
64 bit architecture
RHEL 6.2
QRadar V7.1 ISO image.
Preparations
Obtain the fixed IP addresses for the QRadar appliance interfaces to be used.
Determine which interface should be used for the flow collector, preferably the high-speed interface.
Obtain the necessary user IDs and passwords for the QRadar appliance OS and the QRadar admin account.
Communicate the ports used by the QRadar appliance in case the appliances will be separated by firewalls. See Appendix A.
Download the QRadar V7.1 ISO and burn it to DVD if necessary.
The QRadar host will be hardened during the installation. Only the base OS will be installed.
Power on the machine.
You may skip this step using the Tab key and Enter.
License agreement
Shown is an activation key for the 31xx appliance role software install.
Do not use common QRadar terms in the hostname, like: QRadar, EP, EC, FC, FP, Console, etc.
Installation completed
It takes about another 30 minutes for the QRadar appliance to install and start.
Use the IP address provided to you for the flow collector. After exiting the tool, reboot the system.
Lesson 2: Basic configuration of the All in One 31xx appliance
Don’t forget to deploy the changes.
Lesson 3: Physical Setup
Lesson 4: Post Installation actions
DSM Updates
Protocol Updates
Scanner Updates
Note: QRadar Auto Updates provide updated configuration information for QRadar deployments. Information updated includes Device Event mappings (for DSMs), Geographic data (for the Geographic View), and Remote Network updates (for bogon lists). Deployments that do not have direct internet access (https connection from your QRadar console to qmmunity.q1labs.com) will require that you set up an internal update server for your console to download the files from.
Auto integrate means that customized configurations will be maintained.
Lesson 5: Adding non-Console appliances
In case of problems, try to ssh from the console to the managed host first and scp a file from the managed host to the console. This might help to synchronise the passphrases.
Lesson 6: High Availability Overview
Shared Storage
Disk Replication
The Master appliance’s IP address will become the virtual IP later on.
Student exercise
Open your Student Exercises book and perform the exercises for this unit.
Summary
Now that you have completed this unit, you can perform the following tasks:
Install QRadar V7.1 with 31xx appliance role on Redhat 6.2
Bring up QRadar appliance hardware
Perform the basic configurations
Unit 4: QRadar architecture
Introduction
Objectives
When you complete this unit, you can perform the following tasks:
Explain the QRadar architecture
Lesson 1: High level Architecture
High level architecture diagram (labels): Flow, Event, EventProcessor, Assets, Identity.
• Offenses, asset, and identity information is stored in the master PostgreSQL database on the console.
Lesson 2: Flow collector architecture
Flow Collector diagram (labels): Collector - Create SuperFlows; Application Detection Module (appId = eventId).
• Superflows are created
Application detection
Four methods of determining the application of the flow. In order of priority:
1. User defined. This method is mainly used when a user has a proprietary application running on their network. For example: all traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication. Uses user_application_mapping.xml.
2. State based decoders. This method is implemented in the source code and determines the application by analyzing the payload for multiple markers. For example: if we see A followed by B, then application = X; if we see A followed by C, then application = Y.
Superflows
• Types of superflows
• Type A: Single SRC, Multiple DST – Same DST Port (tcp/udp), byte count, SRC flags/ICMP Codes. Network Sweeps
• Type B: Multiple SRC, Single DST – Same DST Port (tcp/udp), byte count, SRC flags/ICMP Codes. DDoS attacks
• Type C: Single SRC and DST, TCP/UDP Only, Changing SRC/DST ports. Portscans
• Only store the single flow with the collection of IPs
• Specific rule tests can leverage the flow type to determine if an offense needs to be created
• Creation of Superflows can be disabled.
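The three Superflow types above, worked through as an added example (not course material or QRadar code): constructed flow records are grouped by the slide’s criteria and collapsed into one stored record that carries the collection of IPs or ports; the minimum group size MIN_FLOWS and the record fields are assumptions.

```python
"""Superflow builder modelled on the slide above (added example, not course or QRadar code).

Flow records are constructed; MIN_FLOWS (how many flows must share the key
before they are collapsed) and the record fields are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MIN_FLOWS = 3  # assumed threshold; QRadar's own value is not on the slide


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str   # "tcp", "udp" or "icmp"
    bytes: int   # byte count, part of the Type A/B key per the slide
    flags: str   # SRC TCP flags, or ICMP type/code, also part of the key


@dataclass
class Superflow:
    kind: str        # "A", "B" or "C"
    meaning: str     # what the slide says the type usually indicates
    stored: Flow     # the single flow record that is kept
    members: list = field(default_factory=list)  # collapsed IPs (A, B) or ports (C)


def build_superflows(flows, min_flows=MIN_FLOWS):
    """Collapse flows into Type A/B/C Superflows; return the list of Superflows."""
    by_src = defaultdict(list)   # Type A key: one SRC, same DST port/bytes/flags
    by_dst = defaultdict(list)   # Type B key: one DST, same DST port/bytes/flags
    by_pair = defaultdict(list)  # Type C key: one SRC/DST pair, tcp or udp only
    for f in flows:
        by_src[(f.src, f.dst_port, f.proto, f.bytes, f.flags)].append(f)
        by_dst[(f.dst, f.dst_port, f.proto, f.bytes, f.flags)].append(f)
        if f.proto in ("tcp", "udp"):
            by_pair[(f.src, f.dst, f.proto)].append(f)

    out = []
    for group in by_src.values():             # Type A: fan-out -> network sweep
        dsts = sorted({f.dst for f in group})
        if len(dsts) >= min_flows:
            out.append(Superflow("A", "Network sweep", group[0], dsts))
    for group in by_dst.values():             # Type B: fan-in -> DDoS
        srcs = sorted({f.src for f in group})
        if len(srcs) >= min_flows:
            out.append(Superflow("B", "DDoS", group[0], srcs))
    for group in by_pair.values():            # Type C: changing ports -> portscan
        ports = sorted({f.dst_port for f in group})
        if len(ports) >= min_flows:
            out.append(Superflow("C", "Portscan", group[0], ports))
    return out


def summarize(superflows):
    """Map each Superflow type to how many IPs/ports it collapsed (what a rule test would look at)."""
    return {s.kind: len(s.members) for s in superflows}


# Constructed sample: a sweep, a fan-in, a port walk and one ordinary DNS lookup.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{i}", 40000 + i, 445, "tcp", 60, "S") for i in range(1, 5)]
    + [Flow(f"192.0.2.{i}", "10.0.0.80", 50000 + i, 443, "tcp", 60, "S") for i in range(1, 5)]
    + [Flow("10.0.0.9", "10.0.0.20", 51000 + p, p, "tcp", 60, "S") for p in (22, 23, 80, 8080)]
    + [Flow("10.0.0.7", "10.0.0.53", 53001, 53, "udp", 120, "")]
)

if __name__ == "__main__":
    for s in build_superflows(SAMPLE_FLOWS):
        print(f"Type {s.kind} ({s.meaning}): stored {s.stored.src}->{s.stored.dst}, "
              f"collapsed {s.members}")
```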
Lesson 3: Event Collector architecture
Event Collector pipeline diagram (labels): Collector(s) and Off Site Targets for Flows and Events; Forwarded Queue (Full Queue: Store Only); RPC; Stat Filter; Flow Forwarding Filter; Traffic Analysis Filter (Postgres is updated with discovered Devices); Coalescing Filter (Full Queue: Store Only coalesced); Flow Governor (Licensing); Flow Statistics; Parser / DSM Parser Threads; DSM Normalize Filter; Forwardable Events.
• Log sources are automatically detected after record analysis.
• Custom properties are extracted from the events and flows.
• Every log source protocol has an overflow buffer of about 100000 events.
• If the overflow buffer fills up, the additional flows and events are dropped.
• There are also event and flow queues for the normalization and custom property extraction process. If any of these queues fill up because of slow parsing, the raw flows and events will be written to the Ariel data storage with (HLC, LLC), the high- and low-level category, set to (Unknown, Stored).
• Lock-in Thresholds are configured on a per DSM basis. See /opt/qradar/conf/TrafficAnalysisConfig.xml:
<Threshold name="MinNumEvents" value="25"/>
<Threshold name="MinSuccessRate" value="35"/>
<Threshold name="MaxEventsBeforeFail" value="1000"/>
<Threshold name="AbandonAfterSuccessiveFailures" value="50"/>
• Detection can only be carried out on event protocols which are “pushed” to the Event Collector (i.e. Syslog).
• Multiple devices can be discovered on the same IP address as long as there are unknown events from that IP address and auto detection has not been abandoned for the IP address.
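An added model of how the four thresholds above can interact during log source auto detection (not course material or QRadar code): the enclosing TrafficAnalysisConfig element, the two DSM stand-ins, the sample events and the exact semantics (success rate checked once MinNumEvents have been seen, an attempt failing at MaxEventsBeforeFail, an IP abandoned after AbandonAfterSuccessiveFailures failed attempts, one DSM locked in per IP) are assumptions.

```python
"""Model of the traffic analysis lock-in thresholds (added example, not course or QRadar code).

The four Threshold elements are the ones shown on the slide; the enclosing
<TrafficAnalysisConfig> element, the DSM stand-ins and the way the thresholds
interact are assumptions: the success rate is checked once MinNumEvents have
been seen, an attempt fails when MaxEventsBeforeFail is reached without a
lock-in, and the IP is abandoned after AbandonAfterSuccessiveFailures failed
attempts. One DSM is locked in per IP, a simplification.
"""
import re
import xml.etree.ElementTree as ET

CONFIG_XML = """<TrafficAnalysisConfig>
  <Threshold name="MinNumEvents" value="25"/>
  <Threshold name="MinSuccessRate" value="35"/>
  <Threshold name="MaxEventsBeforeFail" value="1000"/>
  <Threshold name="AbandonAfterSuccessiveFailures" value="50"/>
</TrafficAnalysisConfig>"""

# Constructed stand-ins for DSM parsers: a DSM "parses" a record when its pattern matches.
CANDIDATE_DSMS = {
    "LinuxOS": re.compile(r"sshd\[\d+\]: (Accepted|Failed) "),
    "Apache": re.compile(r'"(GET|POST) \S+ HTTP/1\.[01]" \d{3}'),
}


def load_thresholds(xml_text):
    """Return {threshold name: integer value} from the Threshold elements."""
    root = ET.fromstring(xml_text)
    return {t.get("name"): int(t.get("value")) for t in root.iter("Threshold")}


class AutoDetector:
    """Tracks unknown events per source IP until a DSM locks in or the IP is abandoned."""

    def __init__(self, thresholds, dsms=CANDIDATE_DSMS):
        self.t = thresholds
        self.dsms = dsms
        self.state = {}  # ip -> attempt counters

    def _fresh_attempt(self, entry):
        entry["seen"] = 0
        entry["hits"] = {name: 0 for name in self.dsms}

    def _entry(self, ip):
        if ip not in self.state:
            self.state[ip] = {"failures": 0, "locked": None, "abandoned": False}
            self._fresh_attempt(self.state[ip])
        return self.state[ip]

    def observe(self, ip, payload, protocol="syslog"):
        """Feed one event from ip; return what happened to it."""
        if protocol != "syslog":  # detection only works on pushed protocols
            return "not_pushed"
        s = self._entry(ip)
        if s["locked"]:
            return "parsed:" + s["locked"]
        if s["abandoned"]:
            return "stored_unknown"
        s["seen"] += 1
        for name, pattern in self.dsms.items():
            if pattern.search(payload):
                s["hits"][name] += 1
        if s["seen"] >= self.t["MinNumEvents"]:
            best, hits = max(s["hits"].items(), key=lambda kv: kv[1])
            if 100 * hits / s["seen"] >= self.t["MinSuccessRate"]:
                s["locked"] = best  # device discovered; Postgres would be updated here
                return "discovered:" + best
        if s["seen"] >= self.t["MaxEventsBeforeFail"]:
            s["failures"] += 1
            self._fresh_attempt(s)
            if s["failures"] >= self.t["AbandonAfterSuccessiveFailures"]:
                s["abandoned"] = True
                return "abandoned"
            return "attempt_failed"
        return "stored_unknown"


def simulate():
    """Constructed run: a Linux host locks in, a host sending only noise is abandoned."""
    det = AutoDetector(load_thresholds(CONFIG_XML))
    outcomes = {}
    for i in range(30):
        outcomes["linux"] = det.observe(
            "10.0.0.1", f"sshd[{1000 + i}]: Accepted publickey for ops from 10.0.0.9")
    attempts = det.t["MaxEventsBeforeFail"] * det.t["AbandonAfterSuccessiveFailures"]
    for _ in range(attempts):
        outcomes["noise"] = det.observe("10.0.0.2", "<13>heartbeat ok")
    outcomes["polled"] = det.observe("10.0.0.3", "anything", protocol="jdbc")
    return det, outcomes
```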
Lesson 4: Event Processor architecture
Event Processor diagram (labels): EVENT PROCESSOR (EP), Local EC, Offboard EC, Offboard.
• Multiple events, flows and rules matched may correlate into a single offense.
Accumulator
• Accumulations defined by “grouped by” searches
• Creates time series statistical meta data (counts) that are used in
  • Dashboards
  • Event/Flow forensics and searching
  • Reporting
  • Anomaly and behavior Alerts
• Accumulated intervals are 1 minute, 1 hour and 1 day
• Distributed component that operates on each Event Processor
• The Ariel Query Server gathers the distributed data for QRadar to use.
Accumulator structure
Accumulator structure diagram (labels): Interval Queue Timer, Timer Event, Main Processor, Ariel Reader, Ariel Accessors, Record Pack, Record Preprocessor, Preprocessor Thread Pool, Object[] pack, Preprocessor, Config, View Configuration, Aggregation.
Config table contains the search definitions for the accumulator (the “results grouped by” searches).
Lesson 5: Console architecture
Console diagram (labels): Events That Lead Up to Offense (Syslog TCP), MAGISTRATE, MPC, Event Query Processor, Overflow Filter (Licensing), Events That Lead To Offense.
• The Magistrate can instruct the Ariel proxy to gather all events that triggered the creation of an offense, on search.
• Rules can correlate both events and flows into a single offense.
• While rules are tested, they may lead to the creation of an offense.
• These pending offenses tag the events or flows as long as the rule that may trigger the creation of the offense remains partially matched.
• Offenses that have been created after rules completely matched are back filled with the tags from all events or flows leading up to the offense creation.
Offense creation diagram (callouts):
Partial matches tag the flows or events.
Query for all tags of the events or flows on Offense Creation (Ariel).
Offense is created with all tags to events or flows that lead up to the offense.
Offense types
• An Open Offense that is created remains an Active Offense as long as the rules that triggered the offense creation are matched by events or flows within 30 minutes after the last match has been found. Tags of events or flows are added to the Active Offense.
• If an Open Offense did not find additional matches for more than 30 minutes, it becomes a Dormant Offense.
• A Dormant Offense can become active again when additional matches are found within 5 days after the offense became dormant, thus becoming a Recalled Offense. Tags of events or flows are added to the Recalled Offense.
• Once a Dormant Offense did not receive any matches within 5 days after it became dormant, it turns into an Inactive Offense.
• If events or flows are matched for an Inactive Offense or Closed Offense, a new Open Offense will be created.
• A maximum of 2500 Active Offenses and a maximum of 500 Recalled Offenses are allowed.
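The offense state machine described above, carried through as an added example (not course material or QRadar code): the 30-minute and 5-day timings and the 2500/500 limits are the slide’s; the event layout, the constructed rule name, and two assumptions (a Recalled Offense goes dormant again after the same 30-minute gap, and a match that cannot be recalled because of the 500 cap opens a new Offense) are mine.

```python
"""Offense lifecycle model from the 'Offense types' slide (added example, not course or QRadar code).

Timings and limits are the slide's: 30 minutes without a match makes an Active Offense Dormant, a
match within 5 days recalls it, 5 days without one makes it Inactive, a match against an Inactive
or Closed Offense opens a new Offense, and at most 2500 Active / 500 Recalled Offenses exist.
Assumptions: a Recalled Offense goes dormant again after the same 30-minute gap, a match that
cannot be recalled because of the 500 cap opens a new Offense, and the event layout is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(minutes=30)
INACTIVE_AFTER = timedelta(days=5)
MAX_ACTIVE = 2500
MAX_RECALLED = 500


@dataclass
class Offense:
    offense_id: int
    rule: str
    state: str = "Active"                      # Active, Dormant, Recalled, Inactive or Closed
    last_match: Optional[datetime] = None
    dormant_since: Optional[datetime] = None
    tags: list = field(default_factory=list)   # events/flows tagged to this offense


class Magistrate:
    """Keeps the offense list and applies the slide's transitions on every new match."""

    def __init__(self):
        self.offenses = []
        self._next_id = 1

    def count(self, state):
        return sum(1 for o in self.offenses if o.state == state)

    def _age(self, now):
        """Time-based transitions; run before a new match is attributed."""
        for o in self.offenses:
            if o.state in ("Active", "Recalled") and now - o.last_match > DORMANT_AFTER:
                o.state = "Dormant"
                o.dormant_since = o.last_match + DORMANT_AFTER
            if o.state == "Dormant" and now - o.dormant_since > INACTIVE_AFTER:
                o.state = "Inactive"

    def match(self, rule, event_id, now):
        """A rule fully matched event_id at time now; return the Offense that got the tag."""
        self._age(now)
        for o in self.offenses:
            if o.rule != rule or o.state in ("Inactive", "Closed"):
                continue
            if o.state == "Dormant":
                if self.count("Recalled") >= MAX_RECALLED:
                    break                      # cannot recall: fall through to a new offense
                o.state = "Recalled"
            o.last_match = now
            o.tags.append(event_id)
            return o
        if self.count("Active") >= MAX_ACTIVE:
            raise RuntimeError("Active Offense limit of 2500 reached")
        o = Offense(self._next_id, rule, "Active", now, tags=[event_id])
        self._next_id += 1
        self.offenses.append(o)
        return o

    def close(self, offense_id):
        for o in self.offenses:
            if o.offense_id == offense_id:
                o.state = "Closed"


def demo():
    """Constructed timeline for one rule; returns the Magistrate and the offense id each match hit."""
    m = Magistrate()
    t0 = datetime(2012, 11, 1, 9, 0)
    rule = "repeated firewall denies (constructed rule name)"
    touched = [
        m.match(rule, "ev1", t0).offense_id,                          # new Active Offense
        m.match(rule, "ev2", t0 + timedelta(minutes=20)).offense_id,  # inside 30 min: tagged
        m.match(rule, "ev3", t0 + timedelta(hours=2)).offense_id,     # Dormant -> Recalled
        m.match(rule, "ev4", t0 + timedelta(days=6)).offense_id,      # Inactive -> new Offense
    ]
    return m, touched
```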
Building blocks are used to categorize the assets based on identified ports by IP address.
Lesson 6: Datastorage Technology
• PostgreSQL
• QRadar SIEM: Configuration, Assets, Offenses
• Scalability and Performance are managed through bulk insert/update
transactions and populating memory caches to avoid numerous round
trips to the database
• One master database with copies on each processor for backup and
automatic restore
Access to Ariel is through the Ariel Query Server (AQS) using Ariel Query Language (AQL).
Query results are sent back, or stored and cached by the AQS inside Cursors.
Student exercise
Open your Student Exercises book and perform the exercises for this unit.
Summary
Now that you have completed this unit, you can perform the following tasks:
Explain the QRadar architecture
Unit 5: Solution implementation
Introduction
Objectives
When you complete this unit, you can perform the following tasks:
Scope a QRadar solution
Explain the QRadar basic deployment steps
Set up a QRadar Network Hierarchy
Use Asset Profiles
Integrate Vulnerability information
Use QRadar Windows agents to collect Windows event logs
Integrate QRadar authentication with Windows AD
Perform basic QRadar troubleshooting
Lesson 1: QRadar solution scope
Lesson 2: Suggested default Log Activity reports
Lesson 3: Deployment steps
Lesson 4: Create a QRadar network hierarchy
Example: Create security relevant network groups
Use http://ip2cidr.com to calculate CIDR ranges.
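The CIDR calculation the slide delegates to ip2cidr.com, done locally as an added example (not course material, QRadar code, or the ip2cidr.com site) with Python’s ipaddress module; the group names and address ranges are constructed, and the overlap check is an extra sanity step for a hierarchy before it is entered.

```python
"""Address ranges for network hierarchy groups -> CIDR blocks (added example, not course or QRadar code).

The group names and ranges below are constructed. ipaddress.summarize_address_range
produces the minimal CIDR list that ip2cidr.com would give for the same range.
"""
import ipaddress

# Constructed: (group name, first address, last address) for security relevant groups.
RANGES = [
    ("DMZ.WebServers", "10.10.0.1", "10.10.0.30"),
    ("Internal.Workstations", "10.20.0.0", "10.20.3.255"),
    ("Internal.Servers", "10.30.1.5", "10.30.1.5"),
]


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR strings covering first..last inclusive."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is after end {last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def build_hierarchy(ranges):
    """Map each group name to the CIDR blocks to enter for it."""
    return {name: range_to_cidrs(first, last) for name, first, last in ranges}


def find_overlaps(hierarchy):
    """Return sorted (group, group) pairs whose CIDR blocks overlap across groups."""
    nets = [(name, ipaddress.ip_network(c)) for name, cidrs in hierarchy.items() for c in cidrs]
    pairs = set()
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                pairs.add((name_a, name_b))
    return sorted(pairs)


if __name__ == "__main__":
    hierarchy = build_hierarchy(RANGES)
    for group, cidrs in hierarchy.items():
        print(group, ", ".join(cidrs))
    print("overlapping groups:", find_overlaps(hierarchy) or "none")
```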
Student exercise
Lesson 5: Populate the Asset profile database
Log source events with identity information also add asset profile information.
Proxy servers and virus servers can generate high volumes of traffic. To reduce
the offenses created by these server types, edit the following building blocks to
reduce the number of offenses:
Lesson 6: Configuring Vulnerability Assessment
Lesson 7: Collecting eventlogs with ALE
License Agreement
Installation directory
Installation type
Open your Student Exercises book and perform the exercises for this unit.
Check the Setup Log dddd #n file created in the user’s temp directory.
Check collection
Lesson 8: Configure authentication method
Student exercise
Lesson 9: Troubleshooting Connectivity
/opt/qradar/bin/qradar_netsetup
• Will run the initial configuration
To restart processes:
o service tomcat start (console only)
o service tomcat stop (console only)
o service imq start (console only)
o service imq stop (console only)
o service postgresql restart (console only)
o service hostcontext start
o service hostcontext stop
Student exercise
Summary
Now that you have completed this unit, you can perform the following tasks:
Scope a QRadar solution
Explain the QRadar basic deployment steps
Set up a QRadar Network Hierarchy
Use Asset Profiles
Integrate Vulnerability information
Use QRadar Windows agents to collect Windows event logs
Integrate QRadar authentication with Windows AD
Perform basic QRadar troubleshooting
Unit 6: Custom Log Sources
Introduction
Objectives
When you complete this unit, you can perform the following tasks:
Obtain a test log file
Create a Custom Log Source using a Universal DSM
Create an LSX log parser document
Create custom QIDs
Map the custom log records to HLC and LLC categories
Lesson 1: Create Custom Log Sources
Required tools
• A Universal DSM (UDSM) can be used to integrate logs that have no official DSM.
• A Log Source Extension (LSX) is applied to the UDSM to provide parsing logic. The LSX uses Java regular expressions (java.util.regex).
• Obtain sample logs in the same format as the logs that will be sent to QRadar by the log source.
• Syslog and the FTP/SFTP/SCP protocols are the most commonly used protocols.
Lesson 2: Obtain the sample (from remote location)
Export the search result to an XML file and copy it to your local QRadar console.
Lesson 3: Upload the LSX_Template.xml file
Student exercise
Open your Student Exercises book and perform the exercises for this unit.
Lesson 4: Start mapping the unknown logrecords
Lesson 5: Creating appropriate regular expressions
Additionally, the escape character, or "\", is used to denote a literal character. For example, in regex the "." character means "any single character" and would match A, B, 1, X, etc. To specify a literal match, you would use "\." instead. This would only match the "." character itself. Escaping any non-digit or non-alpha character is usually the best way to ensure you do not accidentally match another character.
Lesson 6: Apply RegEx patterns to the LSX
Student exercise
Lesson 7: The value of QIDs
Lesson 8: Map the Log Source ID to the Custom QID
Clicking OK creates a QIDmap record, linking the Log Source Event ID to an Event Name and QID.
Final remarks
Student exercise
Summary
Now that you have completed this unit, you can perform the following tasks:
Obtain a test log file
Create a Custom Log Source using a Universal DSM
Create an LSX log parser document
Create custom QIDs
Map the custom log records to HLC and LLC categories
Unit 7: Rules creation and fine tuning
Introduction
In this unit you learn how to create offense rules and fine-tune them to reduce false positives.
Objectives
When you complete this unit, you can perform the following tasks:
Create effective rules leading to a minimal set of Offenses
Fine-tune rules to minimize false positives
Lesson 1: QRadar Rules reminder
Linked tests
Multiple tests can be linked to a single rule or building block using the logical AND and NOT operators (functions from the set {TRUE, FALSE} onto itself).
When linking tests, put the tests using the smallest subset of flows or records at the bottom.
Visualize the linked tests as a decision tree in which each test narrows down the result set that is used as the search set for the next test.
Logical OR is constructed by defining a test on rules or building blocks.
Lesson 2: Using Building Blocks
Lesson 3: Rule creation
EventID=(624|630).*?Message=(\w+)
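Added example, not code from the course materials or from QRadar: the rule regex from this slide run in Python over constructed event payloads, together with the literal-dot escaping point from Lesson 5. The LSX and rule tests use java.util.regex; the constructs used here (alternation, lazy ".*?", "\w", "\b" and an escaped ".") behave the same in Python's re module, and the QID-map entries are constructed placeholders, not real QRadar QIDs.

```python
import re

# Constructed sample event payloads (not from the course materials). They use
# the "key=value" layout that the slide's rule regex expects.
SAMPLE_EVENTS = [
    "EventID=624 Source=Security Message=UserAccountCreated User=alice",
    "EventID=630 Source=Security Message=UserAccountDeleted User=bob",
    "EventID=6240 Source=Security Message=Unrelated User=eve",
    "EventID=528 Source=Security Message=SuccessfulLogon User=carol",
]

# The regex exactly as shown on the slide.
SLIDE_PATTERN = re.compile(r"EventID=(624|630).*?Message=(\w+)")

# Same regex with a word boundary after the ID group, so an ID that merely
# starts with 624 (such as the constructed 6240) no longer satisfies the test.
STRICT_PATTERN = re.compile(r"EventID=(624|630)\b.*?Message=(\w+)")

# Constructed stand-in for a QID-map: log source event ID -> (event name, QID).
# The QID values are placeholders, not real QRadar identifiers.
QID_MAP = {
    "624": ("User Account Created", "QID_PLACEHOLDER_624"),
    "630": ("User Account Deleted", "QID_PLACEHOLDER_630"),
}


def match_events(pattern, payloads):
    """Return (event_id, message) for every payload the pattern matches."""
    hits = []
    for payload in payloads:
        m = pattern.search(payload)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def map_to_qid(event_id):
    """Look up the QID-map record for a parsed event ID, or None if unmapped."""
    return QID_MAP.get(event_id)


# An unescaped "." means "any single character", so this pattern also accepts
# strings that are not the intended dotted address at all.
LOOSE_IP = re.compile(r"192.168.20.40")
# Escaping each "." makes the pattern match only the literal address.
EXACT_IP = re.compile(r"192\.168\.20\.40")


def ip_matches(pattern, candidates):
    """Return the candidate strings the IP pattern accepts."""
    return [c for c in candidates if pattern.search(c)]


if __name__ == "__main__":
    print(match_events(SLIDE_PATTERN, SAMPLE_EVENTS))   # 6240 slips through
    print(match_events(STRICT_PATTERN, SAMPLE_EVENTS))  # only 624 and 630
    print(ip_matches(LOOSE_IP, ["192.168.20.40", "192x168x20x40"]))
    print(ip_matches(EXACT_IP, ["192.168.20.40", "192x168x20x40"]))
```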
Lesson 4: Offense analysis
Sort the Last Event/Flow column descending to see the last triggered rule on top.
By indexing the offenses, you will see all contributing events and flows in a single report.
Lab network diagram: web1 192.168.20.40 (win), web2 192.168.20.50 (altoro), web3 192.168.20.60 (win); one host is labelled Vulnerable.
Student exercise
Lesson 5: False positive management
Example 1
Take the example of suspicious access to sensitive data.
Currently the test checks for at least one account deletion within 5 days after data is accessed and an account is created.
But within 5 days many accounts are created and deleted, while the reference set only expands.
Potentially this leads to many false positives.
Suggestion: decrease the time window to 1 day and install a process that cleans up the reference set every day.
Instead of capturing access to the labfiles directory and its subdirectories, capture access to the subdirectories of the labfiles directory only. This drops denied access to the labfiles directory itself.
In this sample a Dutch IP address has been connected to, and this IP address is listed in the QRadar Botnet group of remote networks.
Create a search, and maybe even a report, to capture all events and flows.
You might decide that the source IPs in this sample should have access, and use the false positive wizard for fine-tuning.
Lesson 6: Tuning Methodology
Many attackers, many events in the same category:
  - Use False Positive Wizard to tune category
  - Edit Building Blocks, using Custom Rules Editor, to tune category
One attacker, many unique events in different categories:
  - Investigate the offense and determine the nature of the attacker. If the offense(s) can be tuned out, edit Building Blocks, using Custom Rules Editor, to tune categories for the host IP.
Many attackers, many unique events in different categories:
  - Edit Building Blocks, using Custom Rules Editor, to tune categories
Proxy servers and virus servers can generate high volumes of traffic. To reduce the number of offenses created by these server types, edit the following building blocks:
Student exercise
Open your Student Exercises book and perform the exercises for this unit.
Summary
Now that you have completed this unit, you can perform the following tasks:
Create effective rules leading to a minimal set of Offenses
Fine-tune rules to minimize false positives