Section 1: General
- Given the IBM Security QRadar V7.0 MR4 (QRadar) product, assess the QRadar Log Management, SIEM and Security Framework documents so that the value of QRadar to the SIEM market and its relation to the ISF or any other IT security framework, such as ISO-27001/2 or BS7799, has been explained.
With emphasis on performing the following tasks:
- QRadar functionality emphasized by IBM for Log Management: a comprehensive, turnkey log management solution for organizations of all sizes. It collects, archives, analyzes and reports on network and security event logs. This enables enhanced regulatory compliance, decreased effort in compliance and reporting activities, and reduced security risks.
- QRadar functionality emphasized by IBM for SIEM: provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates. QRadar SIEM's unique approach encompasses log management, threat management, compliance management, network behavior analytics, and user and application activity monitoring in an integrated and scalable solution.
- Of all Security Domains in the IBM Security Framework, QRadar is positioned to address Risk Management and Compliance, and People and Identity.
- ISO-27001/2 controls A10.10, A13.1, A15.2, and A15.3 are addressed by QRadar functionality.
- QRadar provides layer 7 network information and the product is easy to deploy.
- qFlow and vFlow differentiate QRadar from any other product that uses network information for SIEM.
- QRadar has a track record of easy deployment in enterprise environments.
- QRadar is capable of collecting vast amounts of log data and manages it in a scalable and reliable manner. On top of that, it provides thousands of reports for log event investigation and compliance.
- Given knowledge of log management and security information and event management, define the differences between the two QRadar solutions so that differences and advantages between QRadar log management and QRadar security information and event management have been explained.
With emphasis on performing the following tasks:
- Log Management:
- Ability to aggregate, search, and report on disparate logging information in one environment.
- Log management solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
- If you are not collecting logs, then compliance cannot be achieved.
- Provide the ability to prove the integrity of the log data.
- Automated reviewing of logs
- Security Information and Event Management:
- Understand the context of the event and not just the content.
- Gartner defines SIM as providing log management: the collection, reporting and analysis of log data, primarily from host systems and applications and secondarily from network and security devices, to support regulatory compliance reporting, internal threat management, and resource access monitoring.
- According to Gartner, SEM processes log and event data from security devices, network devices, systems, and applications in real time to provide security monitoring, event correlation and incident response.
- Data Aggregation: SIEM/ log management solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
- Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information.
- Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.
- Dashboards: SIEM/log management tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
- Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
- Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements.
- Advantages of SIEM over log management:
  - Greater security visibility and awareness.
  - Efficiency in solving issues.
  - Prioritization of response.
  - Effective utilization of manpower based on level of risk, not number of events.
  - Effective correlation of current data.
- Given the QRadar V7.0 SIEM product, navigate to the HELP menu and understand the components so that you are able to explain and use its contents.
With emphasis on performing the following tasks:
- Log on to the QRadar UI and navigate to the HELP menu.
- Obtain access to a QRadar V7.0 Console.
- Open the HELP menu located at the top right in the QRadar interface.
- List the options available.
- Click the ABOUT menu option
- Click and describe the hyperlinks found in the ABOUT section.
- Click the QRadar HELP contents menu option
- Read the ABOUT THIS GUIDE section, wherever available, to understand the use cases for the various documents found in the HELP contents.
- Click on INDEX. Click on E and select EVENT CATEGORIES from the list. This section explains the default High Level and Low Level categories used by this QRadar version.
- Click on SEARCH. Type APPLICATION in the search window. From the list, select DEFAULT APPLICATIONS. This section shows the applications that are recognized by QFlow and VFlow by default.
- Click on FAVORITES. While still on the DEFAULT APPLICATIONS documentation page, click on ADD. A hyperlink is added to your personal favorites.
- Context-sensitive help is available for any page, window or section where a '?' appears at the top left of the page, window or section.
- Navigate to the Network Activity page and click on the '?' at the top left of the page.
- You will see the help section that informs you about how to investigate flows.
- Now navigate to the Offenses page and double-click on any reported offense.
- Click on the '?' at the top left of the page.
- You will see the Help section that informs you about how to manage an offense.
- Given the QRadar dashboard, navigate from the workspaces to the flow and event summary so as to demonstrate how to gather forensic evidence as part of a workflow.
With emphasis on performing the following tasks:
- Access the QRadar Dashboard
- From the Show Dashboard list, you can choose between the default dashboard templates, each of which serves a specific purpose:
  - Application Overview informs on applications identified on the network and shows their network activity.
  - Compliance Overview informs on users and their actions reported in the log activity.
  - Network Overview informs on general network activity and offenses.
  - System Monitoring informs on the status of the QRadar system and problems identified.
  - Threat and Security Monitoring informs on the most active applications, sources, and offenses by severity.
- Starting from any dashboard workspace you can zoom into a Time Series. For example, start in Application Overview and concentrate on the Top Applications.
- Double-click in the Time Series on the peak sum and click on View in Network Activity.
- A network activity page is displayed showing only the network events matching the search within the time window that includes the peak sum you selected.
- Double-click the row representing the highest application activity found and you will see all flows that contributed to the peak for the application you are investigating.
- Now sort the Total Bytes column to find the flow that represents the highest activity and identify the source and destination IP.
- Double-click the row and you will see the flow details.
- This workflow approach can be taken starting from each dashboard workspace.
- The dashboard workspace informs you on possible incidents.
- In case of Time Series workspaces you can zoom in.
- A detailed overview is created from the workspace by displaying the result set in either Log Activity or Network Activity page.
- Drill down to Flow or Event Summary helps to obtain detailed information for further forensic analysis.
- Given a log activity search, apply various filters using the QRadar user interface so that the result set of a search can be narrowed down and the search can be saved for future use.
With emphasis on performing the following tasks:
- Log on to the QRadar user interface.
- Click on the Log Activity tab.
- The default filter is set to ignore log events from the Log Source System Notifications-2::qradar. The Current Filters lists all active filters.
- Right-click a cell in the Log Source column.
- Select the 'Log Source is not' option from the menu list and confirm that the list of Current Filters is extended.
- Click on Add Filter.
- From the properties drop-down menu that initially shows Quick Filter, select Username.
- In the test value window that initially appears empty, type 'administrator'.
- The list of Current Filters is once again extended. The result is a search that helps to concentrate on actions performed by the administrator account on the various Log Sources, other than the ones filtered out by the Log Source filter.
- Save the search with the applied filters by clicking on Save Criteria.
- In the Save Criteria window, provide a Search Name and assign the search to the Group 'Authentication, Identity and User activity'.
- The search as defined with the filters is now saved for future use.
- Given the QRadar navigation reports, right-click Source or Destination IP addresses and use the menu options so that you can investigate detailed information about the IP address more easily.
With emphasis on performing the following tasks:
- Access the QRadar user interface
- Open the Network Activity report.
- Pause the stream of events by clicking on the || sign at the top right of the window.
- Select any of the Destination IPs and right-click the cell.
- A menu appears that lets you select any of the following options:
- Filter on Destination IP is
- Filter on Destination IP is not
- Filter on Source or Destination IP is
- False Positive. Clicking on False Positive brings up another window that helps to drop events with similar characteristics from the offense rule processing.
- Move the pointer to the last option: More Options. Under More Options you find Navigate, Information and TNC Information.
  - The Navigate option gives you access to the following options:
    - View by Network to display the List of Networks window, which displays all networks associated with the selected IP address.
    - View Source Summary shows the List of Offenses window, which displays all offenses associated with the selected source IP address.
    - View Destination Summary shows the List of Offenses window, which displays all offenses associated with the selected destination IP address.
  - The Information option gives you access to the following options:
    - DNS Lookup to show DNS entries based on the IP address.
    - WHOIS Lookup to search for the registered owner of a remote IP address. The default system server is whois.crsnic.net.
    - Port Scan to perform an NMAP scan of the selected IP address. This option is only available if NMAP is installed on your system.
    - Asset Profile to display asset profile information. This menu option is only available when profile data has been acquired either actively (through a scan) or passively (through flow sources).
    - Search Events to search for events related to the IP address.
    - Search Flows to search for flows related to the IP address.
- Given the QRadar log or network activity report, use the Quick Filter option so that you can search the payload of Events and Flows using strings or regular expressions.
With emphasis on performing the following tasks:
- Access the Log or Network Activity report.
- On the toolbar, next to Actions, you find the Quick Filter window. Move the mouse pointer inside the Quick Filter window and click. A tooltip is displayed with information on how to use the Quick Filter.
  - In Streaming or Last Interval mode, the Quick Filter only accepts words or phrases found in the payload of the event. For example, while the Log Activity is in Streaming mode, type 'drop' in the Quick Filter window. You will see only Firewall Deny Event Names.
  - In Time Based mode, the Quick Filter can be used with complex regular expressions like (su AND (root OR adm*)), which on a Unix machine adds a filter to the search so that only su activity where root or user IDs starting with adm are involved is shown.
- The Quick Filter can also be accessed through the Edit Search page or through the Add Filter menu. Apply the same Filter or Search parameter as defined previously and Save the Criteria.
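To make the Time Based mode example concrete, here is a small evaluator for Quick Filter style expressions run over a few constructed syslog payloads. It is an added example, not QRadar code: it assumes terms are case-insensitive whole words, a trailing '*' is a prefix wildcard, AND binds tighter than OR, and parentheses group sub-expressions.

```python
"""Simplified evaluator for QRadar-style Quick Filter expressions.

Added example, not QRadar's implementation. Assumptions: terms are
case-insensitive whole words, a trailing '*' is a prefix wildcard,
AND binds tighter than OR, and parentheses group sub-expressions.
"""
import re
from typing import List

# Constructed sample event payloads in syslog style (not real data).
SAMPLE_PAYLOADS = [
    "sshd[1021]: Accepted password for adm01 from 10.0.0.5 port 51234 ssh2",
    "su: (to root) adm01 on pts/1",
    "su: (to oracle) dba02 on pts/2",
    "kernel: iptables DROP IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.9",
    "su: (to admin) bob on pts/3",
]

# Tokens are parentheses or runs of non-space, non-parenthesis characters.
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def _term_regex(term: str) -> re.Pattern:
    """Turn a term such as 'adm*' into a case-insensitive whole-word regex."""
    escaped = re.escape(term).replace(r"\*", r"\w*")
    return re.compile(r"\b" + escaped + r"\b", re.IGNORECASE)


class _Parser:
    """Recursive-descent parser producing a tuple tree of AND/OR/TERM nodes."""

    def __init__(self, expression: str):
        self.tokens = TOKEN_RE.findall(expression)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or_expr(self):
        left = self._and_expr()
        while self._peek() is not None and self._peek().upper() == "OR":
            self._next()
            left = ("OR", left, self._and_expr())
        return left

    def _and_expr(self):
        left = self._factor()
        while self._peek() is not None and self._peek().upper() == "AND":
            self._next()
            left = ("AND", left, self._factor())
        return left

    def _factor(self):
        tok = self._next()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "(":
            node = self._or_expr()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == ")" or tok.upper() in ("AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("TERM", _term_regex(tok))


def _evaluate(node, payload: str) -> bool:
    kind = node[0]
    if kind == "TERM":
        return node[1].search(payload) is not None
    if kind == "AND":
        return _evaluate(node[1], payload) and _evaluate(node[2], payload)
    return _evaluate(node[1], payload) or _evaluate(node[2], payload)


def quick_filter(expression: str, payloads: List[str]) -> List[str]:
    """Return the payloads matching the Quick Filter expression, in order."""
    tree = _Parser(expression).parse()
    return [p for p in payloads if _evaluate(tree, p)]


if __name__ == "__main__":
    # The page's own example: su activity involving root or adm* user IDs.
    for hit in quick_filter("(su AND (root OR adm*))", SAMPLE_PAYLOADS):
        print(hit)
```

Running it prints the two su lines (the root switch and the one to admin); the streaming-mode word filter 'drop' matches only the firewall deny line.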
- Given the QRadar Log Activity report, use the New Search option to create a search, and aggregate or group the result set by any column so that the search result can be presented in a graphical manner and can be used for custom reports or dashboard workspaces.
With emphasis on performing the following tasks:
- Access the QRadar user interface and navigate to the log activity report.
- From the Search drop-down menu in the toolbar, select New Search.
- Apply the Search Parameters 'Category', 'High Level Category Authentication', and 'Low Level Category SSH Login Succeeded'.
- In the Column Definition, remove Log Source from the Columns and add Log Source to the Group By.
- In the Column Definition, remove all Columns except for Event Name, Username, and Event Count.
- Set the Storage Time Range to Recent last 7 days and click on Search to generate the result set.
- Once the report is generated, click on Show Charts just above the event table, if necessary.
- Click on Save Criteria in the Toolbar.
- Provide the Search Name 'Access through SSH grouped by machine' and assign the search to the group 'Authentication, Identity and User Activity'.
- Check the boxes 'Share With Everyone' and 'Include in my Dashboard'.
- You have created a search that groups or aggregates the result set by the Log Source. Because the search has been saved, you can use it either in a custom dashboard or a custom report. See section 2 and Section 7 for Dashboard or Report management.
Section 2: Dashboard
- Given the IBM Security QRadar V7.0 MR4 (QRadar) dashboard, determine the default tabs, dashboards and dashboard configuration options so as to explain the capabilities of the QRadar dashboard.
With emphasis on performing the following tasks:
- Use the login credentials provided to you to access the QRadar dashboard.
- The QRadar display consists of focus area tabs at the top of the display and the information area. Focus area tabs can be added and deleted by the QRadar administrator. The default focus area tabs are:
  - Dashboard
  - Offenses
  - Log Activity
  - Network Activity
  - Assets
  - Reports
  - Admin
- Any QRadar user with sufficient privileges can personalize the dashboard information area. The information in the dashboard is refreshed every minute. You can pause the display refresh; QRadar will refresh and update the information in the background in real time as the events and network flows are processed. There are five default dashboards included:
- Application overview
- Compliance overview
- Network Overview
- System monitoring
- Threat and security monitoring
- You can configure Log Activity, Network Activity, and Connections (if applicable) dashboard items to specify the chart type and how many data objects you want to view. Your custom chart configurations are retained, so that they are displayed as configured each time you access the dashboard interface.
- To configure charts in a dashboard item:
- On the dashboard item header, click the configuration icon. Configuration options are displayed. Configure the following parameters:
  - Value to Graph: From the drop-down list box, select the object type that you want to graph on the chart. Options include all normalized and custom event or flow parameters included in your search parameters. QRadar accumulates data so that when you perform a time series saved search, there is a cache of event or flow data available to display the data for the previous time period. Accumulated parameters are indicated by an asterisk (*) in the Value to Graph drop-down list box. If you select a value to graph that is not accumulated (no asterisk), time series data is not available.
  - Display Top: From the drop-down list box, select the number of objects you want to view in the chart. Options include 5, 10, and 20. The default is 10.
  - Chart Type: From the drop-down list box, select the chart type you want to view. Options include:
    - Bar Chart - Displays data in a bar chart. This option is only available for grouped events or flows.
    - Pie Chart - Displays data in a pie chart. This option is only available for grouped events or flows.
    - Table - Displays data in a table. This option is only available for grouped events or flows.
    - Time Series - Displays an interactive line chart representing the records matched by a specified time interval.
  - Capture Time Series Data: Select this check box if you want to enable time series capture. Once you select this check box, the chart feature begins accumulating data for time series charts. By default, this option is disabled. This option is only available on time series charts. You must have the appropriate role permissions to manage and view time series charts.
  - Time Range: From the drop-down list box, select the time range you want to view. This option is only available on time series charts.
- Remove Items: To remove an item from your dashboard:
- Click the Dashboard tab. The Dashboard interface is displayed.
- From the Show Dashboard drop-down list box, select the dashboard from which you want to remove an item.
- Click the red icon located in the upper right corner of the item. A confirmation window is displayed before an item is removed.
- Detach an Item: Detaching an item allows you to temporarily monitor one or more particular items on your desktop. You can detach the item, and then remove the item from your dashboard. The detached window remains open and refreshes during scheduled intervals. If you close the QRadar application, the detached window remains open.
- Given the QRadar dashboard, select from saved searches so as to create a new dashboard.
With emphasis on performing the following tasks:
- You can display a custom dashboard item based on saved search criteria in the Risks interface. You can only add a saved search item that you created, unless an administrator has shared a search with you. The supported chart types are table, pie, bar, and time series. The saved search results display real-time last minute data on your dashboard. For the saved search criteria to be included in the Add Item menu in the dashboard interface, you must configure the following parameters in the search criteria:
- The search is grouped.
- Include in my Dashboard is selected.
- Click on the New Dashboard button.
- Provide the name and description in the popup window.
- From the Add Item... pull-down menu choose: Offenses -> Offenses -> Most Severe Offenses.
- Drag and drop the display to any location on the dashboard area.
- Continue by adding the next dashboard items: 'Log Activity -> Event Searches -> Top Authentication Failures by User' and 'Network Activity -> Flow Searches -> Remote Recon and Scanning Activity by Source IP'.
- This single dashboard now contains information gathered from:
- Correlation rules engine
- Network flows
- Audit event flows
- Given a QRadar Dashboard, use the action toolbar option, so as to personalize the Dashboard.
With emphasis on performing the following tasks:
- You can edit the name and description of any dashboard. From the Show Dashboard drop-down list box, select the dashboard you want to edit. The dashboard you selected is displayed.
- To edit the name or description of the dashboard: From the toolbar, click the Rename Dashboard icon. The Rename Dashboard dialog box is displayed.
- In the Name field, type a new name for the dashboard. The maximum length is 65 characters.
- In the Description field, type a new description of the dashboard. The maximum length is 255 characters.
- To delete a dashboard: From the Show Dashboard drop-down list box, select the dashboard you want to delete.
- Click Delete Dashboard. A confirmation message is displayed. The Dashboard interface refreshes and the first dashboard listed in the Show Dashboard drop-down list box is displayed. The dashboard you deleted is no longer displayed in the Show Dashboard drop-down list box.
- You can also add Dashboard Items. Available dashboard items include:
- Network Activity Items - You can display a custom dashboard item based on saved search criteria in the Network Activity interface. You can only add a saved search item that you created, unless an administrator has shared a search with you. The supported chart types are time series, table, pie, and bar. The default chart type is bar. The saved search results display real-time last minute data on your dashboard.
- Offenses Items - You can add several Offenses items to your dashboard. The Offenses interface displays data for offenses, sources, and local destinations detected on your network. Hidden or closed offenses are not included in the values that are displayed in the Dashboard. Offenses items include:
  - Offenses
  - Most Recent Offenses - The five most recent offenses are identified with a magnitude bar to inform you of the importance of the offense. Point your mouse over the offense name to view detailed information for the IP address.
  - Most Severe Offenses - The five most severe offenses are identified with a magnitude bar to inform you of the importance of the offense. Point your mouse over the offense name to view detailed information for the IP address.
  - My Offenses - The My Offenses item displays five of the most recent offenses assigned to you. The offenses are identified with a magnitude bar to inform you of the importance of the offense. Point your mouse over the IP address to view detailed information for the IP address.
  - Sources and Destinations
  - Categories
- Log Activity Items - The Log Activity items allow you to monitor and investigate events in real time. Log Activity items include:
  - Event Searches (only displayed if at least one event search is configured to display in the Dashboard interface)
  - Events By Severity
  - Top Log Sources
- Reports Items - The Most Recent Reports item allows you to display the top recently generated reports. The display provides the report title, the time and date the report was generated, and the format of the report.
- System Summary Item - The System Summary item provides a high-level summary of activity within the past 24 hours. Within the summary item, you can view the following information:
  - Current Flows Per Second - Specifies the flow rate per second.
  - Flows (Past 24 Hours) - Specifies the total number of active flows seen within the last 24 hours.
  - Current Events Per Second - Specifies the event rate per second.
  - New Events (Past 24 Hours) - Specifies the total number of new events received within the last 24 hours.
  - Updated Offenses (Past 24 Hours) - Specifies the total number of offenses that have been either created or modified with new evidence within the last 24 hours.
  - Data Reduction Ratio - Specifies the ratio of data reduced based on the total events detected within the last 24 hours and the number of modified offenses within the last 24 hours.
- Risk Manager Items - Risk manager items are only displayed when the QRadar Risk Manager has been purchased and licensed, and you have established the connection between the Console and the QRadar Risk Manager appliance.
- System Notifications Item - The System Notification item displays event notifications received by QRadar. For events to show in the System Notification item, the Administrator must create a rule based on each notification message type and select the Notify check box in the Custom Rules Wizard. This section provides information on the System Notification item, including:
  - Viewing System Notifications
  - Managing System Notifications
  - Viewing Pop-Up Notifications
Section 3: Offenses
- Given the IBM Security QRadar V7.0 MR4 (QRadar) Offenses page, activate every function on the page so as to explain the purpose and usage of the functions.
With emphasis on performing the following tasks:
- On the left hand side you find several links to additional pages and filters.
- My Offenses - Lists all offenses that the administrator assigned to you.
- All Offenses - Lists all global offenses on the network.
- By Category - Lists all offenses grouped by the high- and low-level category. For more information about high- and low-level categories, see Task 5.5.
- By Source IP - Lists all source IP addresses that are involved in an offense.
- By Destination IP - Lists all destination IP addresses that are involved in an offense.
- By Network - Lists all networks that are involved in an offense.
- Rules - Provides access to the Rules interface, in which administrators can create custom rules.
- The Search menu found on the toolbar, opens the Search page for offenses.
- Click on the Search icon and choose Edit Search.
- The Search page for Offenses opens and this allows you to search Offenses with very specific properties.
- For example, in the Search Parameters section, provide the High Level Category 'Authentication' and click on Search.
- The result set shows only offenses that relate to Events with the High Level Category 'Authentication'.
- Remove the filter from the Current Search Parameters by clicking on the (Clear Filter) link next to the filter definition.
- Edit the Search again, but now select Offense Type 'Username' in the Offense Source section and click on Search.
- The result set now shows Offenses that have the Offense Type Username. This means you can search for offenses related to a specific Username if you provide a value in the Offense Source window. The Offense Type is determined during Offense Rule definition.
- Searches can be saved by clicking on Save Criteria on the toolbar.
- The Actions menu contains the following options.
- Hide: Select this option to hide selected offenses.
- Show: Select this option to show hidden offenses.
- Close: Select this option to close selected offenses.
- Close Listed: Select this option to close all offenses listed in the Offenses interface.
- Protect: Select this option to protect selected offenses.
- Protect Listed: Select this option to protect all offenses listed in the Offenses interface.
- Unprotect: Select this option to unprotect selected protected offenses.
- Unprotect Listed: Select this option to unprotect all selected protected offenses listed in the Offenses interface.
- Export to XML: Select this option to export offenses in XML format.
- Export to CSV: Select this option to export offenses in CSV format.
- Assign: Select this option to assign a selected offense to a user. The Offense will then show up in the list of My Offenses for the user who is assigned the Offense and is moved from the list of All Offenses.
- Click Print to print the offenses displayed in the window.
- Using the View Offenses drop-down list box, you can filter on the offenses you want to view in this window. You can view all offenses or filter by the offenses based on a time range. From the drop-down list box, select the time range you want to filter by.
- Given the QRadar Offenses page, navigate to the Offense Summary page of any of the Offenses and determine the purpose of the sections and options on the page and use them, so as to be able to demonstrate how to manage Offenses and how to analyze and interpret them.
With emphasis on performing the following tasks:
- Select any of the Offenses listed under All Offenses.
- The Offense Summary page for that Offense is displayed and immediately displays the magnitude related to the Offense based on the formula Magnitude = 30% of Severity + 50% of Relevance + 20% of Credibility.
- The magnitude of an offense is determined by several tests performed on the offense each time it is re-evaluated. Re-evaluation occurs when Events are added to the offense and at scheduled intervals.
- Every QRadar Event is assigned a Severity, Relevance, and Credibility, which are used to determine the Magnitude of the Event.
- QRadar Rules can modify the components of the magnitude of an Event based on network, asset or other criticalities.
- Depending on the Offense type, different information is displayed in the Offense Source Summary.
- On the toolbar you will find several clickable options. The list of options depends on the type of Offense.
- Events: Click Events to view all Events for this offense. When you click Events, the Event search results are displayed.
- Anomaly: Click Anomaly to display the saved search results that caused the anomaly detection rule to generate this offense. This button is only displayed if this offense was generated by an anomaly detection rule.
- Flows: Click Flows to further investigate the flows associated with this offense. When you click Flows, the flow search results are displayed.
- Connections: Click Connections to further investigate connections. This option is only available if you have purchased and licensed QRadar Risk Manager. Once you click the Connections icon, the connection search criteria window is displayed in a new window, pre-populated with the following Event search criteria:
  - Time Range - Recent (Last Hour)
  - Column Definition - Specifies the following columns to be displayed in the search results: Last Packet Time, Source Type, Source, Destination Type, Destination, Protocol, Destination Port, Flow Application, Flow Source, Flow Count, Flow Source Bytes, Flow Destination Bytes, Log Source, Event Count, Connection Type.
  You can customize the search parameters, if required. Click Search to view the connection information.
- Actions: From the Actions drop-down list box, you can choose one of the following actions:
  - Follow up: Select this option to mark this offense for further follow-up.
  - Hide: Select this option to hide this offense.
  - Protect Offense: Select this option to protect this offense.
  - Close: Select this option to close this offense.
  - Email: Select this option to email the offense summary to one or more recipients.
  - Add Note: Select this option to add notes to the offense.
  - Assign: Select this option to assign this offense to a user.
- View Attack Path: Click View Attack Path to further investigate the attack path of the offense. Once you click the View Attack Path icon, the Current Topology window is displayed in a new window. This option is only available if you have purchased and licensed QRadar Risk Manager.
- Print: Click Print to print the offense.
- When investigating an Offense, try to follow these steps to interpret the Offense:
- Gather information about the source IP addresses:
  - Is the asset a local host or an internet host?
  - Look at the asset profile. Ports like 135, 137, 139, 445 indicate a Windows machine. Ports like 22, 80, 443, 1433 indicate servers of some type.
  - Perform a DNS/Geography/WhoIs lookup.
  - Find the username on the host at the start of the offense.
  - Check if the Source IP has a history of other offenses.
- Gather information about the Destination IP Addresses: analyze the Destination IP Addresses, look for critical services and determine whether they are local or not.
- Look at the duration of the offense. Was it a sudden attack, or did the attack occur over a long period of time?
- Check the Offense Annotations, keep in mind that the Annotation at the bottom happened first.
- Check the Event Categories related to the offense.
- Check for similar Events that happened 5 minutes before the offense was created.
- Check if the same Events happened a day, week before.
- Check the payload of the Events for interesting information.
- In the Summary click on the magnifying glass icon in the Top 5 Categories area for each row to see the Events or flows that have contributed to the Offense.
- Investigate the flows related to the offense. Especially look for how traffic has been communicated and what has been communicated. (From the Offense Summary, click on the flows number in the Event/Flow count. In the pop-up page drill down to the contents of a particular flow.)
- Given the QRadar Offenses page, navigate through the actions used for Offense management so as to show how Offense status can be changed.
With emphasis on performing the following tasks:
- In the Actions menu you find actions that allow you to change the status and visibility of offenses.
- One can hide an offense, so it will not be shown in any offense list. Hidden offenses can be displayed by creating an appropriate offense search.
- Hidden Offenses can be shown with the Show option; the Offense Search required to display hidden offenses is created by this option.
- Offenses that no longer need to be inspected can be closed: select the option Close to close the selected offenses. Closed Offenses are kept stored by QRadar for a period equal to the Offense Retention Period (the default period is 3 days). Closed Offenses are not displayed in any Offense List, but can be displayed by creating an appropriate Offense Search, provided that the retention period for the Offense has not passed.
- To close multiple offenses, use Close Listed; this option closes all offenses listed in the Offenses interface.
- Sometimes you want to keep offenses for a longer period than the retention period allows. If an offense must be kept longer than the Offense Retention Period, choose Protect to protect the selected offenses. To clear a protected offense, you must first unprotect the offense, or reset the SIM Data Model with the Hard Clean option selected.
- To protect multiple offenses, choose Protect Listed; this option protects all offenses listed in the Offenses interface.
- The Unprotect option unprotects the selected protected offenses.
- Unprotect Listed unprotects multiple protected offenses listed in the Offenses interface.
Section 4:Flows
- Given knowledge of Flow information and format, describe basic types of flows so that you can determine which type of flow to use based upon the customer's requirements.
With emphasis on performing the following tasks:
- Describe the basic types of flows
- Essentially, Jflow and Netflow are similar: both use the switch or router to capture traffic from a specific port and send the digested results on to IBM Security QRadar V7.0 MR4 (QRadar). The information sent will be:
  - The start time of the conversation
  - The duration and the total bytes transferred
  - The destination IP address
  - The source IP address
  - The IP port number the data was sent and received over
- Neither Jflow nor Netflow will give you any idea of what data was actually sent or what protocol was used. For example, Peer to Peer traffic, also referred to as P2P, that changes ports based on availability may end up on TCP Port 80 and be falsely classified as HTTP or Web traffic. Similarly with BOT C&C, or Command & Control traffic: as the content cannot be seen, this may go undetected.
- Advantages:
  - Handles traffic up to 10 Gbps depending on hardware.
- Disadvantages:
  - Router or Switch performance impact
  - No Content of conversation
  - Not Protocol aware
- SFlow is mainly used to sample ports where the line rate is too high or the performance impact on the device is unacceptable. SFlow is a sampling flow collector and will only look at a percentage of the packets on a single interface. SFlow will not be able to collect total flow information, i.e. the total number of bytes transferred in this conversation. The remainder of the information will be similar to JFlow and NetFlow.
- Advantages:
  - Handles virtually unlimited traffic rates.
- Disadvantages:
  - No Content of conversation
  - Not Protocol aware
  - Due to its sampling nature it will miss much detail and totally miss many conversations.
- QFlow collects packet captures of a set amount of each packet seen on a span or mirror port of a switch or router. QFlow analyzes not only the addresses and port numbers but also the packet contents, determines which of over 1,000 documented traffic types this data is, and categorizes it. QFlow enables the search of payload and detection of text strings, like SSN or Credit Card information. QFlow will currently work with up to 2 Gbps; traffic in excess of that is better handled with NetFlow or Jflow, or the collector should be on a quieter segment.
- Advantages:
  - Incredibly detailed information on traffic type and contents, early detection of BOT traffic.
  - No Switch or Router performance impact.
- Disadvantages:
  - Currently capped at 2 Gbps
  - As the entire flow is forwarded, the Collector needs to be in geographic proximity to the span/mirror port.
- Describe a Flow.
- Packet flow or network flow is a sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain. RFC 2722 defines traffic flow as an artificial logical equivalent to a call or connection.
- RFC 3697 defines traffic flow as a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that the source desires to label as a flow. A flow could consist of all packets in a specific transport connection or a media stream. However, a flow is not necessarily 1:1 mapped to a transport connection.
- Flow is also defined in RFC 3917 as a set of IP packets passing an observation point in the network during a certain time interval. Network devices differentiate flows depending upon their architecture, implementation, and device configuration. Each of these devices collects flow information on traffic that is received or sent through it. This information can then be logged locally or sent to an external information collector. Applied to Internet routers, a flow may be a host-to-host communication path, or a socket-to-socket communication identified by a unique combination of source and destination addresses and port numbers, together with the transport protocol (for example, UDP or TCP).
- Given knowledge of networking and experience using QRadar, explain the sections of the Flow tab so that an individual understands the purpose of the Flows section and what can be configured from there.
With emphasis on performing the following tasks:
- Explain column data. QRadar uses an Ariel database; this database is sorted by columns, and each of the columns can be used as a primary and then secondary sort order by simply clicking on the headers.
- Define Flow Type. Specifies the flow type. Flow types are measured by the ratio of incoming activity to outgoing activity. Flow types include:
- Standard Flow - Bidirectional traffic
- Type A - Single-to-Many (unidirectional), for example, a single host performing a network scan.
- Type B - Many-to-Single (unidirectional), for example, a Distributed DoS (DDoS) attack.
- Type C - Single-to-Single (unidirectional), for example, a host to host port scan.
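As an added illustration of the four flow types above (example code written for this page, not QRadar's own flow-typing logic, which the page does not describe), the Python below classifies constructed flow records by direction and fan-out: bidirectional traffic is Standard, and a unidirectional flow is typed by how many distinct peers its source reaches (Type A), how many distinct sources hit its destination (Type B), or neither (Type C). The IP addresses, byte counts and the "three or more peers" threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample flow records, not real QRadar data:
# (source IP, destination IP, source bytes, destination bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 1200, 3400),  # bidirectional session -> Standard Flow
    ("10.0.0.9", "10.0.1.1", 60, 0),        # one host touching many hosts -> Type A (scan)
    ("10.0.0.9", "10.0.1.2", 60, 0),
    ("10.0.0.9", "10.0.1.3", 60, 0),
    ("10.0.0.9", "10.0.1.4", 60, 0),
    ("172.16.1.1", "10.0.1.50", 500, 0),    # many hosts hitting one host -> Type B (DDoS-like)
    ("172.16.1.2", "10.0.1.50", 500, 0),
    ("172.16.1.3", "10.0.1.50", 500, 0),
    ("172.16.1.4", "10.0.1.50", 500, 0),
    ("10.0.0.7", "10.0.1.60", 80, 0),       # one host, one target, no reply -> Type C
]

FANOUT = 3  # assumption: three or more distinct peers counts as "many"


def classify_flows(flows, fanout=FANOUT):
    """Map each flow record to 'Standard', 'Type A', 'Type B' or 'Type C'.

    A flow with bytes in both directions is Standard (bidirectional).
    For unidirectional flows, the source's fan-out and the destination's fan-in
    decide between single-to-many (A), many-to-single (B) and single-to-single (C).
    """
    peers_by_src = defaultdict(set)
    peers_by_dst = defaultdict(set)
    for src, dst, src_bytes, dst_bytes in flows:
        if dst_bytes == 0:  # only unidirectional flows feed the fan-in/fan-out counts
            peers_by_src[src].add(dst)
            peers_by_dst[dst].add(src)

    result = {}
    for flow in flows:
        src, dst, src_bytes, dst_bytes = flow
        if src_bytes > 0 and dst_bytes > 0:
            result[flow] = "Standard"
        elif len(peers_by_src[src]) >= fanout:
            result[flow] = "Type A"
        elif len(peers_by_dst[dst]) >= fanout:
            result[flow] = "Type B"
        else:
            result[flow] = "Type C"
    return result


def flow_type_summary(flows):
    """Count flows per type, the first view an analyst wants when triaging."""
    return Counter(classify_flows(flows).values())


if __name__ == "__main__":
    for flow, kind in classify_flows(SAMPLE_FLOWS).items():
        print(kind, flow)
    print(flow_type_summary(SAMPLE_FLOWS))
```

Classification is done per record but the fan-out counts are computed over the whole batch, which is why a single 60-byte probe is labelled Type A only once its source has been seen touching several hosts.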
- Define First Packet Time. Specifies the date and time that QRadar received the flow.
- Define Source IP. Specifies the source IP address of the flow.
- Define Source Port. Specifies the source port of the flow.
- Define Destination IP. Specifies the destination IP address of the flow.
- Define Destination Port. Specifies the destination port of the flow.
- Define Protocol. Specifies the protocol associated with the flow.
- Define Application. Specifies the detected application of the flow.
- Define Source Bytes. Specifies the number of bytes sent from the source host.
- Define Destination Bytes. Specifies the number of bytes sent from the destination host.
- Define Source Packets. Specifies the total number of packets sent from the source host.
- Define Destination Packets. Specifies the total number of packets sent from the destination host.
- Define ICMP Type/Code. Specifies the Internet Control Message Protocol (ICMP) type and code, if applicable.
- Define Flow Source. Specifies the system that detected the flow. QRadar allows you to integrate flow sources. Flow sources are classed as either internal or external:
- Internal flow sources - Includes any additional hardware installed on a managed host, such as a Network Interface Card (NIC). Depending on the hardware configuration of your managed host, the internal flow sources may include:
  - Network Interface Card
- External flow sources - Includes any external flow sources that send flows to the QFlow Collector. If your QFlow Collector receives multiple flow sources, you can assign each flow source a distinct name, providing the ability to distinguish one source of external flow data from another when received on the same QFlow Collector. External flow sources may include:
  - NetFlow
  - sFlow
  - J-Flow
  - Packeteer
  - Flowlog File
  - IPFix
- Define Flow Interface. Specifies the interface that received the flow.
- Given knowledge of networking and experience using QRadar flows, use searches to find flows and explain the results so that you can demonstrate the ability to interpret flow data.
With emphasis on performing the following tasks:
- Explain the Network Activity tab.You can use the Network Activity tab to:
- Search flows.
- Search a subset of flows (sub-search).
- Save and manage search criteria and results.
- View flows in real-time (streaming).
- View flow information grouped by various options.
- Create, view, and investigate time series charts.
- Tune false positive flows from generating offenses.
- Export flows in XML or CSV format.
- Explain the Search feature on the toolbar. Click Search to perform advanced searches on flows. Options include:
  - New Search - Select this option to create a new flow search.
  - Edit Search - Select this option to select and edit a flow search.
  - Manage Search Results - Select this option to view and manage search results.
- Explain Quick Searches. From this list box, you can run previously saved searches. Options are displayed in the Quick Searches list box only when you have saved search criteria that specifies the Include in my Quick Searches option.
- Explain Add Filter. Click Add Filter to add a filter to the current search results.
- Explain Save Criteria. Click Save Criteria to save the current search criteria.
- Explain Save Results. Click Save Results to save the current search results. This option is only displayed after a search is complete. This option is disabled in streaming mode.
- Explain Cancel. Click Cancel to cancel a search in progress. This option is disabled in streaming mode.
- Explain False Positive. Click False Positive to open the False Positive Tuning window, which allows you to tune out flows that are known to be false positives from creating offenses. This option is disabled in streaming mode. See Exporting Flows.
- Explain Rules. Click Rules to configure custom flow rules. Options include:
- Rules - Select this option to create a rule. When you select the Rules option, the Rules Wizard is displayed, pre-populated with the appropriate options for creating a flow rule. Note: To enable the anomaly detection rule options (Add Threshold Rule, Add Behavioral Rule, and Add Anomaly Rule), you must save aggregated search criteria because the saved search criteria specifies the required parameters.
- Add Threshold Rule - Select this option to create a threshold rule. A threshold rule tests flow traffic for activity that exceeds a configured threshold. Thresholds can be based on any data collected by QRadar. For example, if you create a threshold rule indicating that no more than 220 clients can log into the server between 8 am and 5 pm, the rules generate an alert when the 221st client attempts to login. When you select the Add Threshold Rule option, the Rules Wizard is displayed, pre-populated with the appropriate options for creating a threshold rule.
- Add Behavioral Rule - Select this option to create a behavioral rule. A behavior rule tests flow traffic for volume changes in behavior that occurs in regular seasonal patterns. For example, if a mail server typically communicates with 100 hosts per second in the middle of the night and then suddenly starts communicating with 1,000 hosts a second, a behavioral rule generates an alert. When you select the Add Behavioral Rule option, the Rules Wizard is displayed, pre-populated with the appropriate options for creating a behavioral rule.
- Add Anomaly Rule - Select this option to create an anomaly rule. An anomaly rule tests flow traffic for abnormal activity, such as the existence of new or unknown traffic, which is traffic that suddenly ceases or a percentage change in the amount of time an object is active. For example, you can create an anomaly rule to compare the average volume of traffic for the last 5 minutes with the average volume of traffic over the last hour. If there is more than a 40% change, the rule generates a response. When you select the Add Anomaly Rule option, the Rules Wizard is displayed, pre-populated with the appropriate options for creating an anomaly rule.
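To make the three rule types concrete, the following Python is an added example (written for this page, not QRadar's rule engine) that evaluates each test on constructed numbers: the threshold rule fires on the 221st client when the limit is 220, the anomaly rule compares the 5-minute average volume with the 1-hour average and fires above a 40% change, and the behavioral rule compares the current rate with a learned per-hour baseline. The baseline values and the fixed deviation multiplier in the behavioral check are assumptions.

```python
from statistics import mean

# All values below are constructed sample numbers, not QRadar output.


def threshold_rule_fires(client_count, limit=220):
    """Threshold rule: fire once activity exceeds the configured limit,
    i.e. on the 221st client when the limit is 220."""
    return client_count > limit


def anomaly_rule_fires(last_5_min, last_hour, change_pct=40.0):
    """Anomaly rule: compare the average volume of the last 5 minutes with the
    average volume over the last hour and fire when the relative change exceeds
    change_pct. Both arguments are lists of per-minute volumes."""
    short_avg = mean(last_5_min)
    long_avg = mean(last_hour)
    if long_avg == 0:
        # nothing to compare against: new traffic where there was none is anomalous
        return short_avg > 0
    change = abs(short_avg - long_avg) / long_avg * 100.0
    return change > change_pct


def behavioral_rule_fires(hour_of_day, hosts_per_second, baseline, factor=5.0):
    """Behavioral rule: compare the current rate with the rate normally seen at the
    same hour of day (a seasonal baseline). `baseline` maps hour -> typical rate.
    The fixed multiplier `factor` is an assumption made for this example; QRadar
    derives its own deviation bands from learned data."""
    expected = baseline.get(hour_of_day)
    if expected is None:
        return False  # no baseline learned yet for this hour
    return hosts_per_second > expected * factor


# Constructed seasonal baseline for a mail server: ~100 hosts/s at night, more by day.
MAIL_BASELINE = {h: (100 if h < 7 or h > 19 else 800) for h in range(24)}


def demo():
    """Run each rule on constructed data and return which ones fired."""
    flat_hour = [50] * 60                 # 60 per-minute volumes, steady
    spike_hour = [50] * 55 + [90] * 5     # last 5 minutes jump from 50 to 90
    return {
        "threshold_220": threshold_rule_fires(220),
        "threshold_221": threshold_rule_fires(221),
        "anomaly_flat": anomaly_rule_fires(flat_hour[-5:], flat_hour),
        "anomaly_spike": anomaly_rule_fires(spike_hour[-5:], spike_hour),
        "behavior_night_normal": behavioral_rule_fires(2, 100, MAIL_BASELINE),
        "behavior_night_burst": behavioral_rule_fires(2, 1000, MAIL_BASELINE),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(name, "FIRED" if fired else "quiet")
```

In the spike case the hour average is about 53.3 and the 5-minute average is 90, a 68.75% change, so the anomaly rule fires while the same data shows no change in the flat case.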
- Explain Actions. Click Actions to perform the following actions:
- Show All - Select this option to remove all filters on search criteria and display all unfiltered flows.
- Print - Select this option to print the flows displayed on the page.
- Export to XML - Select this option to export flows in XML format. See Exporting Flows.
- Export to CSV - Select this option to export flows in CSV format. See Exporting Flows.
- Delete - Select this option to delete a search result.
- Notify - Select this option to specify that you want a notification emailed to you on completion of the selected searches. This option is only enabled for searches in progress.
- Note: The Print, Export to XML, and Export to CSV options are disabled in streaming mode and when viewing partial search results.
- Explain Quick Filter. Type your search criteria in the Quick Filter field and click the Quick Filter icon or press Enter on the keyboard. All flows that match your search criteria are displayed in the flows list. A text search is run on the event payload to determine which match your specified criteria. Note: When you click the Quick Filter field, a tooltip is displayed, providing information on the appropriate syntax to use for search criteria. For more syntax information, see Quick Filter Syntax.
- Explain Exporting Flows. You can export flows in Extensible Markup Language (XML) or Comma Separated Values (CSV). To export flows:
- Step 1
  - Click the Network Activity tab.
  - If you are viewing flows in streaming mode, you must pause streaming before you export flow information.
- Step 2
  - Choose one of the following options:
    - If you want to export the flows in XML format, select Export to XML from the Actions list box.
    - If you want to export the flows in CSV format, select Export to CSV from the Actions list box.
  - When the export is complete, you receive notification that the export is complete. If you did not select the Notify When Done icon, the status window is displayed.
- Explain the Quick Filter Syntax. Using Quick Filter Syntax: The Quick Filter feature enables you to search flow payloads using a text search string. The Quick Filter functionality is available in the following locations on the user interface:
- Network Activity toolbar - On the toolbar, a Quick Filter field enables you to type a text search string and click the Quick Filter icon to apply your quick filter to the currently displayed list of flows.
- Add Filter dialog box - From the Add Filter dialog box, accessed by clicking the Add Filter icon on the Network Activity tab, you can select Quick Filter as your filter parameter and type a text search string. This enables you to apply your quick filter to the currently displayed list of flows. For more information about the Add Filter dialog box, see Performing a Sub-Search.
- Flow search pages - From the flow search pages, you can add a Quick Filter to your list of filters to be included in your search criteria. For more information about configuring search criteria, see Searching Flows.
- When viewing flows in real time (streaming) or last interval mode, you can only type simple words or phrases in the Quick Filter text field. When viewing flows using a time range, use the following syntax guidelines for typing your text search criteria:
- Search terms can include any plain text that you expect to find in the payload. For example, Firewall.
- Include multiple terms in double quotes to indicate that you want to search for the exact phrase. For example, "Firewall deny".
- Search terms can include single and multiple character wild cards. The search term cannot start with a wild card. For example, F?rewall or F??ew*.
- Group terms using logical expressions, such as AND, OR, and NOT. The syntax is case sensitive and the operators must be upper case to be recognized as logical expressions and not as search terms. For example: (%PIX* AND ("Accessed URL" OR "Deny udp src") AND 10.100.100.*).
- When creating search criteria that includes the NOT logical expression, you must include at least one other logical expression type, otherwise, your filter will not return any results. For example: (%PIX* AND ("Accessed URL" OR "Deny udp src") NOT 10.100.100.*).
- The following characters must be preceded by a backslash to indicate that the character is part of your search term: + - && || () {} [] ^ " ~ * ? : \. For example: "%PIX\-5\-304001".
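The syntax rules above can be exercised offline with the following Python, an added example written for this page and not QRadar's own Quick Filter parser. It tokenizes plain terms, quoted phrases, `?`/`*` wild cards, backslash escapes and upper-case AND/OR/NOT with parentheses, compiles the expression to a small tree and evaluates it against constructed PIX-style payloads; it also rejects a leading wild card and a NOT that has no other expression to combine with, as the page describes. Two assumptions are made for the example: term matching is case-insensitive, and the contents of a quoted phrase are matched literally.

```python
import re


def _term_regex(chars):
    """Turn a list of (character, escaped) pairs into regex source.
    Unescaped '*' and '?' are wild cards; everything else matches literally."""
    parts = []
    for ch, escaped in chars:
        if not escaped and ch == "*":
            parts.append(".*")
        elif not escaped and ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def tokenize(text):
    """Split a Quick Filter string into ('LP'|'RP'|'OP'|'TERM', value) tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "()":
            tokens.append(("LP" if c == "(" else "RP", c))
            i += 1
        elif c == '"':  # quoted phrase: exact, literal match
            i += 1
            chars = []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:
                    i += 1  # keep the escaped character itself
                chars.append((text[i], True))
                i += 1
            i += 1  # closing quote
            tokens.append(("TERM", _term_regex(chars)))
        else:  # bare term or logical operator
            chars = []
            while i < n and not text[i].isspace() and text[i] not in "()":
                if text[i] == "\\" and i + 1 < n:
                    chars.append((text[i + 1], True))
                    i += 2
                else:
                    chars.append((text[i], False))
                    i += 1
            word = "".join(ch for ch, _ in chars)
            if word in ("AND", "OR", "NOT") and not any(esc for _, esc in chars):
                tokens.append(("OP", word))  # operators must be upper case
            elif chars[0][0] in "*?" and not chars[0][1]:
                raise ValueError("search term cannot start with a wild card: " + word)
            else:
                tokens.append(("TERM", _term_regex(chars)))
    return tokens


def parse(tokens):
    """Recursive descent: OR binds loosest; AND and NOT (read as AND NOT) bind tighter."""
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
    def take():
        tok = peek(); pos[0] += 1; return tok
    def or_expr():
        left = and_expr()
        while peek() == ("OP", "OR"):
            take(); left = ("or", left, and_expr())
        return left
    def and_expr():
        left = atom()
        while peek() in (("OP", "AND"), ("OP", "NOT")):
            op = take()[1]; right = atom()
            left = ("and", left, ("not", right) if op == "NOT" else right)
        return left
    def atom():
        kind, value = take()
        if kind == "LP":
            node = or_expr()
            if take()[0] != "RP": raise ValueError("missing closing parenthesis")
            return node
        if kind == "TERM":
            return ("term", re.compile(value, re.IGNORECASE))
        raise ValueError("expected a search term, got: %s" % value)  # e.g. a bare NOT
    node = or_expr()
    if peek()[0] is not None: raise ValueError("unexpected token: %s" % peek()[1])
    return node


def matches(node, payload):
    """Evaluate a parsed filter against one payload string."""
    kind = node[0]
    if kind == "term": return node[1].search(payload) is not None
    if kind == "not": return not matches(node[1], payload)
    if kind == "and": return matches(node[1], payload) and matches(node[2], payload)
    return matches(node[1], payload) or matches(node[2], payload)


def quick_filter(text, payloads):
    """Return the payloads matching the Quick Filter expression `text`."""
    node = parse(tokenize(text))
    return [p for p in payloads if matches(node, p)]


# Constructed sample payloads in the style of Cisco PIX syslog messages (not real logs).
PAYLOADS = [
    "%PIX-5-304001: 10.100.100.7 Accessed URL 203.0.113.9:/index.html",
    "%PIX-6-106015: Deny udp src inside:10.100.100.8/5000 dst outside:203.0.113.9/53",
    "%PIX-6-106015: Deny udp src inside:192.168.5.4/5000 dst outside:203.0.113.9/53",
    "Firewall deny tcp 192.168.5.10 -> 203.0.113.20:443",
]
```

Running the page's own examples through `quick_filter` shows the difference the NOT makes: the AND form returns the two 10.100.100.* payloads, the NOT form returns the one PIX message from 192.168.5.4, and the escaped `"%PIX\-5\-304001"` phrase matches only the message carrying that literal ID.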
Section 5:Events
- Given basic knowledge of log record processing by IBM Security QRadar V7.0 MR4 (QRadar), review the Log Activity and Event Summary pages so that you can better explain what a QRadar Event is.
With emphasis on performing the following tasks:
- Navigate to the Log Activity page in the QRadar user interface.
- Pause the display of the real time stream by clicking on the || icon on right of the toolbar.
- Every single line shown in the report is a QRadar Event and is the result of log records going through a normalization and coalescing process.
- Every log record is received by a QRadar Event Collector and parsed by a QRadar Log Source, which is a combination of a collection mechanism and a parsing script.
- If a log record can be parsed, then it is normalized as a QRadar Event with its default properties as shown in the Log Activity page.
  - QRadar Events are pushed to a QRadar Event Processor where they are correlated using QRadar Rules.
  - QRadar Rules may generate new QRadar Events. They are labeled CRE.
  - Add a Filter for the 'Custom Rule Engine-8:: qradar' Log Source and View Events of the Last 7 Days in the Log Activity page.
  - These are Events created by QRadar Rules.
  - QRadar Events that match one or more QRadar Rules inherit a Severity, Credibility, and Relevance from the matching Rule(s).
- A QRadar Log Source can be configured to coalesce QRadar Events and present them as a single QRadar Event in the Log Activity page.
  - The Event Count property of a coalesced QRadar Event tells you how many QRadar Events have been coalesced into this single Event.
- Change the View of the Log Activity to show Events that have been processed in the Last Hour.
  - Click on any QRadar Event in the list to access the Event Summary page.
  - You will see not only the default Event properties, but also Custom properties. Custom properties can be created by using the Extract Property option in the toolbar. See section 5.8.
  - The QRadar Event Summary page also shows the original log record as received by the Log Source. This information is called the Payload of the Event.
- Given the Event List page, navigate to the Event Summary page and assess the information in each Section so as to gain a better understanding of the Event information captured and generated by QRadar.
With emphasis on performing the following tasks:
- Navigate to the Log Activity page and View the Events of the Last Hour.
- Select any of the Events and double-click on its row.
- The QRadar Event Summary page opens.
- The Event Summary page is broken up into Sections.
- The Sections are: Event Information, Source and Destination Information, Payload Information, Additional Information, and Identity Information.
  - Event Information shows the user associated with the Event, the importance of the Event, the time it was processed, generated and created, and the type of Event as determined by the QRadar Log Source. In addition to these default properties, any Custom Properties that have been defined for this Event are also shown in this Section.
  - Source and Destination Information shows the IP addresses and Ports related to the Event. It also shows the pre- and post-NAT IP addresses or Ports of the Source or Destination in case the Event is received from a network device capable of NAT. Mouse-over functionality is provided for the IP addresses and displays asset information related to the IP.
  - Payload Information shows the original contents of the log record received and processed. The Payload can be shown in UTF, HEX, or BASE64.
  - The Additional Information Section contains the protocol associated with the Event, the QID assigned to this Event by the Log Source, the Log Source responsible for the QRadar Event creation, and the number of Events that have been coalesced in this Event. The QID is a pre-defined value that identifies the type of log record. The QID translates to High and Low Level Event Categories. See Section 5.4 for more about the QID.
  - In addition to the above, Additional Information contains the list of Rules that matched the Event completely and also the Rules that partially matched the Event. This is especially important if you would like to understand why a specific Event contributed to an Offense. The Rule at the bottom of the list is the Rule that was matched first, while the Rule at the top of the list is the last Rule that was matched and, in case the Event contributed to an Offense, probably triggered the Offense. Every Rule may have annotations explaining the purpose or effect of the Rule. Any annotation related to Rules that matched the Event is shown in the Annotations sub-section.
  - The Identity Information Section shows identity information captured for the Event; mousing over some of the values displays asset information as managed by QRadar.
- Given the QRadar product documentation, assess the types of Log Sources and their properties so as to differentiate the Log Sources and understand the advantages and disadvantages of each.
With emphasis on performing the following tasks:
- Locate the Configuring Protocols paragraph in the most recent version of the LogSources product document.
- You see various protocol types listed. Amongst them you will find JDBC, OPSEC, Log File, Microsoft Security Event Log.
- A Log Source can receive log records through various protocols; the most common is the syslog protocol.
- Log records received by a Log Source are processed by an appropriate Device Support Module (DSM).
  - For example, log records received from an AIX machine through the syslog protocol will be processed by the AIX DSM.
  - Log records received by a QRadar Log Source may be pre-formatted by the QRadar Log Source using a QRadar Event Generator. Check for example the LogSources documentation for the LogFile protocol. The LogFile protocol has an Event Generator option that allows log records to be received from HP Tandem and pre-formatted. The pre-formatted log records are then sent to the appropriate Device Support Module, in this case the HP Tandem DSM, for further processing.
- One can create and apply a Log Source Extension for the DSM, if no DSM is available or if the DSM does not process all log records successfully.
- Log Sources can be automatically added to the QRadar deployment by enabling Autodetection on the Event Collector.
  - This enables the Event Collector to automatically analyze and accept traffic from previously unknown log sources and assign it to the DSM that is most successful in parsing the log records coming from the log source. Auto detection relies on the syslog protocol.
- Given the list of QIDs, search for QIDs by using the Map Event option and analyze the relation between QIDs, log records and Log Source Types, so as to better understand how QIDs are used during the log record parsing process.
With emphasis on performing the following tasks:
- Access the QRadar Log Activity page.
- Select to View the Events from the Last Hour.
- Double-click any Event.
- On the toolbar in the Event Summary page, click on Map Event.
- A new window appears that allows you to search for QIDs.
- Select Any for the High Level and Low Level categories.
- Select IBM AIX for Log Source Type, and click on Search.
  - QID number blocks are assigned to vendors and applications; for example, IBM AIX is assigned 23250001 through 23250065.
  - For example, QID 23250049 is assigned to the IBM AIX log record type USER_Login, which can be generated by the AIX audit subsystem.
- Every Log Source type has its own range of QIDs and some values in the range are assigned to log records that may be received from the logsource.
- The QID finally relates to a combination of High Level and Low Level Categories that are assigned to the QRadar Event during the normalization processes.
- QIDs are used to map different log records from different log sources that represent similar actions to the same combination of High Level and Low Level Categories.
  - For example, an authentication failure on a Linux Server is, from a security point of view, a similar action to an authentication failure on an IBM AIX Server. Therefore it makes sense to assign both log records, which differ in log source and syntax, to the same combination of High Level and Low Level Category: 'Authentication failed', 'General Authentication Failed'. The QIDs are respectively 44250023 for the Linux Server Log Source and 23250018 for the IBM AIX Server Log Source.
- Given the QRadar documentation and access to the Log Activity page, understand the purpose of the high and low Level categories so that one has a better understanding of QIDs, Event Categories, and Event processing.
With emphasis on performing the following tasks:
- Locate the Event Categories paragraph in the Administration Guide.
- This paragraph explains the High Level Categories and also contains a list and explanation of each Low Level Category.
- High Level and Low Level Categories are related to Log Source Event types and QIDs. Any normalized Event is the result of a certain security relevant action that was logged by the log source. Similar security relevant actions logged by different log source are represented by QRadar by the same combination of High Level and Low Level Categories. The Log Source specific Events are linked to the High Level and Low Level Categories by a QID. The Event Categories paragraph lists all possible combinations of High Level and Low Level Categories, and also gives the interpretation of the security relevant action that the combination represents.
- Navigate to the Log Activity page in the QRadar user interface and View the Last Hour of Events.
- Double-click on any Event where the Low Level Category does not equal the value Stored.
- In the Event Summary page, click on the Map Event option located in the toolbar.
- Select from the Log Source Event window the High Level Category Exploit and the Low Level Category SQL Injection.
  - Select Log Source Type as TippingPoint Intrusion Prevention System (IPS) and click on Search.
  - You will see that this IPS log source has many log records related to SQL Injection type security relevant actions.
  - Select Log Source Type as IBM AIX Server and click on Search.
  - You will see that this AIX log source has no log records related to SQL Injection type security relevant actions.
- There are High Level and Low Level Categories that are very specific to a log source type, as the above sample shows.
- Log records that are processed by a specific DSM but not recognized, are assigned the High Level Category Unknown and the Low Level Category Unknown.
- These logs can be processed after they are parsed by a Log Source Extension.
- Log records that are not processed by any DSM are assigned the High Level Category Unknown and the Low Level Category Stored. These log records can be processed by applying a Universal DSM.
- In combination with the type of traffic (L2L, R2L, L2R), certain tests are performed on the Event, depending on the High Level and Low Level Category assigned to the Event.
- These tests are performed to determine factors such as vulnerability data, relevance of the targets, importance, or credibility of the events. The results of the Correlation Group tests appear as annotations in the Offenses and Events interfaces.
- Given the QRadar product documentation and access to the user interface, explain what Event Coalescing is and demonstrate how to configure Event Coalescing so that you can demonstrate understanding of event coalescing and the means to configure this functionality.
With emphasis on performing the following tasks:
- Coalescing or Bundling of Events can be turned on or off by Log Source or globally.
- Edit a Log Source and notice that you can check a box to let this Log Source Coalesce Events.
- Navigate to the System Settings and notice that you can check a box to activate Event coalescing globally.
- Coalescing of Events starts after 3 matching events have been found in a 10 second window (same QID, Src/Dst IP, Dst Port and username). Events after the third are coalesced together in a 10 second window going forward until there is a 10 second gap in matches, at which point the coalescing restarts for that match.
- Navigate to the Log Activity page and View the Last Hour.
- Sort the Event Count column in descending order. Notice that there are Events that have an Event Count higher than 1. The number in the cell represents the number of events that have been coalesced into this single Event.
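The coalescing rule stated in this objective, worked through as an added Python example (an interpretation written for this page, not QRadar's implementation): events match on QID, source IP, destination IP, destination port and username; the first three matching events within the window are shown individually, later ones are folded into one bundled event whose Event Count grows, and a gap longer than the window restarts the sequence. The sample events are constructed; the QID is the page's IBM AIX authentication-failure value, and treating "10 second window" as "each event within 10 seconds of the previous match" is an assumption.

```python
COALESCE_WINDOW = 10.0   # seconds, from the page
START_AFTER = 3          # matching events seen before bundling begins, from the page


def coalesce_key(event):
    """Events match when QID, source IP, destination IP, destination port and username agree."""
    return (event["qid"], event["src"], event["dst"], event["dport"], event["user"])


def coalesce(events, window=COALESCE_WINDOW, start_after=START_AFTER):
    """Fold a time-ordered list of events into the list that would be displayed.

    Interpretation used here (an assumption): per match key, a run is a chain of
    events each within `window` seconds of the previous one. The first `start_after`
    events of a run are shown individually; every later event in the run is added to
    one bundled event whose 'count' grows. A gap longer than `window` ends the run.
    """
    shown = []
    runs = {}  # key -> {"seen": n, "last": t, "bundle": index into shown or None}
    for ev in events:
        key = coalesce_key(ev)
        run = runs.get(key)
        if run is None or ev["time"] - run["last"] > window:
            run = {"seen": 0, "last": ev["time"], "bundle": None}  # (re)start the run
            runs[key] = run
        run["seen"] += 1
        run["last"] = ev["time"]
        if run["seen"] <= start_after:
            shown.append(dict(ev, count=1))          # shown as its own event
        elif run["bundle"] is None:
            shown.append(dict(ev, count=1))          # first bundled event of this run
            run["bundle"] = len(shown) - 1
        else:
            shown[run["bundle"]]["count"] += 1       # Event Count of the bundle grows
    return shown


def _ev(t, user="alice", src="10.0.0.5"):
    # Constructed sample event; 23250018 is the IBM AIX authentication-failed QID named on the page.
    return {"time": t, "qid": 23250018, "src": src, "dst": "10.0.1.20", "dport": 22, "user": user}


# Constructed: alice fails 8 times within 9 seconds, bob once in between, then alice again after a gap.
SAMPLE_EVENTS = [_ev(0), _ev(2), _ev(3, user="bob"), _ev(4), _ev(5), _ev(6), _ev(7), _ev(8), _ev(30), _ev(31)]


def event_counts(events=SAMPLE_EVENTS):
    """The Event Count column as it would appear after coalescing."""
    return [e["count"] for e in coalesce(events)]


if __name__ == "__main__":
    for e in coalesce(SAMPLE_EVENTS):
        print(e["time"], e["user"], "count=%d" % e["count"])
```

On the sample, alice's first three failures and bob's single one stay separate, the failures at seconds 5 to 8 collapse into one event with Event Count 4, and the two failures after the gap at second 30 start over as individual events; the counts always add up to the number of raw events, which is the check to make when validating coalescing settings against a raw syslog capture.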
- Given the access to the QRadar Log Activity page, create Log Activity searches so that you can find specific Events in various time windows.
With emphasis on performing the following tasks:
- Navigate to the Log Activity page and select to View the Last 7 Days.
- From the toolbar, select Search and the option New Search.
- In the Search Parameter section, choose Category Matches High Level Category 'Unknown' and Low Level Category 'Unknown'.
  - Add the filter and click on Search.
  - The result set appears as a Log Activity page Event List. In this case the result set shows all Events, if any, that have not been parsed by any DSM.
  - In the Search Parameter section, choose Log Source Type Matches 'Microsoft Windows Security Event Log', combined with Category Matches High Level Category 'Authentication' and Low Level Category 'Host Login Succeeded'.
  - The result set now shows only successful login Events reported by Microsoft Windows log sources.
- Instead of viewing the Last 7 Days, now View the Last Interval (auto refresh). This refreshes the result set every minute with the most recent Events matching the search.
- See Task B above to demonstrate and explain the Log Activity page and the Event Summary page Sections.
- See next Task H to demonstrate extraction of custom properties from the Event.
- Given an Event with Low Level category Host Login Succeeded and Log Source Type Microsoft Windows Security Event Log, create a regular expression that captures the logon type into a custom property.
With emphasis on performing the following tasks:
- Isolate an Event with Low Level category Host Login Succeeded and Log Source Type Microsoft Windows Security Event Log and show it in the Event Summary page.
- From the Toolbar select Extract Property.
- A Custom Event Properties window appears.
- Using a Regex Based property allows you to create a new property and extract values from the payload to represent the property.
- The Test Field Section automatically contains the payload of the Event.
- In the Property Definition Section, choose New Property to create a new property, and check the Optimize parsing option. The property will be AlphaNumeric. Choose Logontype as the property name.
- Choose to extract the property from all ‘Microsoft Windows Security Event Log' Log Source Types.
- Leave the Event name as it is because the property will only be used to add useful information about the Events with this QID.
- Use as Regex ‘Logon Type: (\d{1,2})', which means: capture the one- or two-digit value (a positive number lower than 100) that follows the string ‘Logon Type: ' in the payload, and store it in the AlphaNumeric property Logontype.
- If the regex captures a value in the payload, then this string is highlighted in the Test Field.
- Save the Custom property definition.
- Navigate to the Admin page and select ‘Custom Event Properties'.
- Locate the property ‘Logontype' in the list. Confirm that this is the Custom property that was just defined.
- Return to the Event list shown in step 5.8.1
- Edit the search and remove all columns except for ‘Event name', ‘Log Source', ‘Start Time', ‘Username', and ‘Logontype'.
- The newly created custom property is available for searching and displaying.
- If the regex does not capture a value, the column shows N/A for the non-matching Event.
- Now create a search, starting from the result set specified by step 5.8.1, that only returns Events with Logontype matching the value 8. This Logon Type value indicates a network logon like logon type 3, but in this case the password has been sent in cleartext.
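The regex from this task applied outside QRadar, as an added Python example (not the product's own parser): it shows what the Logontype column would hold for matching and non-matching payloads and how the final Logontype = 8 search narrows the result set. The sample payloads are constructed text in the style of Windows Security Event Log records, not real captures.

```python
import re

# The regex from the task: the one- or two-digit value after "Logon Type: ".
LOGONTYPE_RE = re.compile(r"Logon Type: (\d{1,2})")

def extract_logontype(payload):
    """Return the captured logon type, or "N/A" when the regex does not match,
    which is what the Logontype column shows for a non-matching Event."""
    m = LOGONTYPE_RE.search(payload)
    return m.group(1) if m else "N/A"

# Constructed payloads (assumed sample text, not real captures).
SAMPLE_PAYLOADS = [
    "An account was successfully logged on. Logon Type: 3 New Logon: Account Name: svc-backup",
    "An account was successfully logged on. Logon Type: 8 New Logon: Account Name: jdoe",
    "An account was successfully logged on. Logon Type: 10 New Logon: Account Name: rdp-admin",
    "Special privileges assigned to new logon. Account Name: SYSTEM",   # no Logon Type field
]

def logontype_column(payloads):
    """Mimic the Logontype column of the Event list: one value per Event."""
    return [extract_logontype(p) for p in payloads]

def find_cleartext_logons(payloads):
    """The final search in the task: only Events whose Logontype is 8
    (a network logon where the password was sent in cleartext)."""
    return [p for p in payloads if extract_logontype(p) == "8"]
```

Note that \d{1,2} only bounds the capture, not the number: a payload containing "Logon Type: 123" would yield "12", so the column value should be read as a one- or two-digit string, not validated input.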
Section 6:Assets
- Given an IBM Security QRadar V7.0 MR4 (QRadar) Asset, explain the major components of the Asset so that knowledge of QRadar Assets has been demonstrated.
With emphasis on performing the following tasks:
- List all of the current assets.
- From the Asset tab, select the Show All button. This will list all of the assets that QRadar is aware of on the network. Note the total number of assets on the system in the lower left hand corner of the display.
- Sort the list by the User column. This will move the assets that have users associated with them to the top of the list.
- Sort the list by the Vulnerabilities column. This will move the assets with known vulnerabilities to the top of the list.
- Identify the primary components for an Asset Profile.
- Open up a specific Asset profile by double-clicking on it.
- The Asset Profile is made up of 2 primary components. The top part has information that has been collected from event data (IP address, MAC address from DHCP logs, user information from any authentication record containing an IP to user name mapping).
- The bottom of the Asset Profile shows the open ports discovered with flow records and vulnerability scans.
- Identify where the port information in the asset profile originated.
- Look at the Last Seen and First Seen columns; from these it is possible to determine when the asset was first discovered on the network and when it was last seen.
- It is also possible to determine whether it was discovered by a vulnerability scan: the word (Active) appears after the date and time. If it was discovered from flow information, the word (Passive) appears after the date and time.
- Search for other Users on an Asset.
- Most assets will have some User Names associated with them. In the case of a system that multiple users might access, where it is necessary to find the user at a specific time, clicking the History button launches a search window. From this window a specific time frame can be chosen for this asset.
- Search for a specific time frame and identify all of the users during this time.
- Identify where vulnerabilities would be listed.
- Vulnerabilities are listed under the Ports and Vulnerabilities section of the Asset Profile. Select a host with known vulnerabilities. Open its Asset Profile and view the details about the known vulnerabilities.
- Given a QRadar Asset, use the search feature within the Asset tab so that assets have been searched and data can be used as needed.
With emphasis on performing the following tasks:
- Search for specific assets by different values (IP address, MAC Address, or User Name).
- From the Asset tab, enter an IP address in the Asset Profile Search fields for IP address. Then Click Search.
- Sometimes it is easier to Show All assets and work backwards.
- Search for specific assets by vulnerabilities present.
- From the Asset tab, enter 94 in the Asset Profile Search field for Vulnerabilities - OSVDB ID. Then click Search.
- This will return a list of all assets with OSVDB ID 94 in their profiles.
- Select Actions from the drop-down and then Import Asset.
- You can import Assets into QRadar if you have a CSV file with a list of the assets. By importing assets you can populate the following fields: IP, name, weight, description.
- Given experience with QRadar V7.0, navigate through the QRadar asset, network activity, and log activity pages and explain how vulnerability scanner information is used, so that the capabilities of vulnerability scanning within QRadar have been demonstrated.
With emphasis on performing the following tasks:
- Navigate to the Asset page.
- In the left hand menu select the Asset profiles.
- In the Asset Properties section, select the checkbox ‘Show only hosts with vulnerabilities'.
- Click on Search.
- A list of assets appears that have identified vulnerabilities.
- Double-click any of these assets.
- An overview of the asset appears showing a list of all vulnerabilities found for this asset, with the following columns:
- Port: the port number for the services discovered running on the asset.
- Service: the services discovered running on the asset.
- OSVDB ID: the vulnerability identifier for the asset. Click the ID to obtain more information.
- Name: the name of the detected vulnerability. This value is only available when integrating with VA tools.
- Description: a description of the detected vulnerability. This value is only available when integrating with VA tools.
- Risk/Severity: the risk level (0 to 10) for the vulnerability.
- Last Seen: the date and time that the service was last detected running on the asset, either passively or actively.
- First Seen: the date and time when the service was first detected running on the asset, either passively or actively.
- False Positive Tuning: click False Positive Tuning to remove selected vulnerabilities from the list. This option is only available if you have one of the following user permissions: Admin or Remove Vulnerabilities.
- Navigate to the Log activity page.
- Select an event and navigate to the Event Summary page.
- In the Source and Destination section of that page, search for the source or destination IP.
- Right-click the IP address and select Information -> Asset Profile from the menus.
- You will see the Asset profile for the asset related to the IP address.
- Navigate to the Network activity page.
- Add a filter to display only events whose source and destination IP are both in the internal network.
- Select an Event and navigate to the Event Summary page.
- In the Source and Destination section of that page, search for the source or destination IP.
- Right-click the IP address and select Information -> Asset Profile from the menus.
- You will see the Asset profile for the asset related to the IP address.
Section 7:Reports
- Given access to IBM Security QRadar V7.0 MR4 (QRadar), describe how the default reporting system works so that reports have been set up.
With emphasis on performing the following tasks:
- Show the enabled reports in QRadar.
- Select the Reports tab in the QRadar interface.
- Show all of the reports in QRadar.
- Un-Check the Hide Inactive Reports box on the top of the page.
- Filter the report list down to the PCI reports.
- Select PCI from the Group drop-down.
- Show the active PCI reports in the system.
- Click on the Generated Reports column. This will sort the list by the active reports showing the last reports generated by the system.
- Edit the PCI 10 - Audit Data report and find the search being used by this report.
- Select the PCI 10 - Audit Data report and then select the Actions Edit option from the drop-down menu.
- The first screen should show the Report Wizard. Click Next until you see the Specific Report Contents screen.
- Click on the Define link in the first Chart Type field. This should open up the Chart Type editor.
- The selected Saved Search should be PCI 10.5.4 Verification of Logs Received. This is the search that is being used by this Chart in the report.
- Find the Saved Search being used by this Report.
- Click Cancel in the Report Wizard.
- Navigate to the Log Activity tab.
- Click on Search/Edit Search from the drop-down.
- In the Saved Searches search field, type PCI 10.5.4. This will filter the list to the search for the above report.
- Highlight the PCI 10.5.4 Verification of Logs Received search then click the Load button. This will show all of the criteria being used for this saved search in the fields below.
- Given access to QRadar and knowledge of QRadar reporting capabilities, define the various types of reports available within QRadar so that reports can be run to analyze the security of your network.
With emphasis on performing the following tasks:
- Show the list of Chart Types available in QRadar for Reporting.
- Select the Reports tab in the QRadar interface.
- Select Actions/Create Report from the drop-down.
- Click Next until you see the Specific Report Content screen.
- Click on the Chart Type drop-down window to get the list of Chart Types available in QRadar.
- Given access to the QRadar console with appropriate roles, create a new report or customize an existing report so as to demonstrate the similarities between creating and customizing reports.
With emphasis on performing the following tasks:
- Create a Saved Search.
- Select the Log Activity tab.
- Select Add Filter from the menu bar and add a filter for Category equals Authentication/Any.
- Select the View drop-down and select the Last 24 Hours.
- Select Event Name from the Display drop-down.
- Looking at the Event Name Column, right-click on the Authentication failed event name and select Filter on Event Name is Authentication failed.
- Regroup the Events by Username - Select Username from the Display drop-down. Now you have your search criteria built.
- Save the Search - Select Save Criteria from the menu. Give the search a name that you can remember.
- Use the Saved Search in a Report.
- Follow the steps in Task 7.2.
- Select Events/Logs for the Chart Type.
- Give the Chart Title a name Failed Authentications by Username.
- Change the Graph from 5 events to 20.
- Set your time frame for the Scheduling.
- Under the Saved Searches type the name of your search in to the Search field.
- Select your search.
- Press the Save Container Details button.
- The field in the report screen should be Green.
- Press Finished. Your report should be running. When it is complete you should be able to open it from the reports list.
- Note that some reports may give you a No Data Available Message. This happens when data either was not collected (no events matched the search), or the Report Accumulator has not accumulated any data.
- Given access to the QRadar console with the appropriate roles, apply the Toggle Scheduling action so as to demonstrate the usage of this action.
With emphasis on performing the following tasks:
- List the PCI Reports.
- Follow the steps from Section 7.1.
- Select a report, then select Actions/Toggle Scheduling. This will enable the report with its default schedule.
- You can enable more than one report at a time by selecting multiples with the Shift click option.
- Select Actions/Run Report to create the report immediately.
