
Test 000-196: IBM Security QRadar SIEM V7.1 Implementation


Section 1: Planning

  1. Given QRadar V7.1 appliances, define the QRadar model types and differences between the various QRadar appliance models and offerings so that proper QRadar appliances are utilized in a successful and supported methodology as applicable to a customer environment.
    With emphasis on performing the following tasks:
    1. Naming convention: QRadar hardware appliances follow a general naming convention
      1. 12XX - QFlow utilizing Gigabit Ethernet connections.
        -QFlow collectors collect network traffic passively through network taps and span ports and can detect over 1000 networked applications.
        -Data is not stored on QFlow appliances.
      2. 13XX - QFlow utilizing Fiber based connections.
        -QFlow collectors collect network traffic passively through network taps and span ports and can detect over 1000 networked applications.
        -Data is not stored on QFlow appliances.
      3. 15XX - Event Collector: an appliance for collecting events in remote locations for periodic forwarding to an Event Processor or an all-in-one appliance. No separate EPS license is required since log data must be forwarded for correlation, analysis and long term storage.
      4. 16XX - Event Processor: an appliance designed to collect, process, and store log event messages.
      5. 17XX - Flow Processor: an appliance designed to collect, process, and store flow messages. A 17xx series appliance cannot directly collect span or tap traffic but can be used in conjunction with a 12xx or 13xx series appliance to collect the Layer 7 flow data.
      6. 18XX - Flow and Event Processor: an appliance designed to collect, process, and store both log event messages and flow messages. These appliances do not scale their licensing to the same level as dedicated Event Processor or Flow Processor appliances.
      7. 21XX - Console all-in-one appliance
      8. 31XX - All-in-one OR distributed console
      9. Last two digits determine licensing and capabilities:
        -XX05 - standard appliance
        -XX24 - high capacity appliance with higher CPU, Memory, and Storage. In a distributed model, these appliances have higher license expandable options
        -XX90 - Virtual version of a hardware Appliance with lower licensing capabilities than a hardware or software deployment.
    2. Appliance Model Specifics
      1. 1201 - The 1201 QFlow Collector provides a low to mid range multi-port collection appliance for underutilized Gigabit Ethernet connections (under 200 Mbps aggregated speed). Appliances include 3x 10/100/1000baseT interfaces for monitoring.
      2. 1202 - The 1202 QFlow collector appliance provides line rate gigabit network performance and multi-port flexibility. The 1202 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise (under 2 Gbps aggregated speed). Appliances include 4x 1000baseT interfaces for monitoring.
      3. 1290 - The 1290 VFlow Collector virtual appliance provides the same visibility and functionality in your virtual network infrastructure that a QFlow Collector offers in your physical environment. The VFlow Collector virtual appliance analyzes network behavior and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch. The VFlow Collector virtual appliance supports a maximum of:
        -10,000 flows per minute
        -Three virtual switches, with one additional switch that is designated as the management interface.
        -The VFlow Collector 1290 virtual appliance does not support NetFlow.
      4. 1301 - The 1301 QFlow collector appliance provides line rate gigabit network performance, multi-port flexibility, and fiber connectivity. The 1301 is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise. Appliances utilize 4x 1000baseSX multi-mode fiber interfaces for monitoring.
      5. 1310 - The 1310 QFlow Collector delivers advanced network and application visibility and collection on 10G networks. 1310 appliances utilize 2x 10 Gbps XFP fiber modules for monitoring and can be purchased with either SR or LR interfaces.
      6. 1501 - The 1501 is an appliance for collecting events in remote locations for periodic forwarding to an Event Processor or an all-in-one appliance. No separate EPS license is required since log data must be forwarded for correlation, analysis and long term storage. Storage capacities are based on worst-case-scenarios for disconnected operations, and policies control forwarding activities.
      7. 1590 - A Virtual Event Collector appliance.
      8. 1605 - The 1605 is an expansion appliance that is deployed in conjunction with QRadar 31XX. Designed to integrate seamlessly into Q1 Labs' Total Security Intelligence platform, QRadar 1605 can scale to support deployments from 2,500 to more than 20,000 EPS and can be upgraded with a simple license key. Includes 9TB of onboard storage.
      9. 1624 - The 1624 is an expansion appliance that is deployed in conjunction with QRadar Console 31XX. The 1624 Event Processor supports expanded storage, up to 16 TB, for long term retention of log data and increased capacity for event processing up to 20,000 EPS.
      10. 1690 - A Virtual Event Processor with a 100 EPS base license, expandable up to 1000 EPS.
      11. 1705 - The 1705 is an expansion appliance that is deployed in conjunction with QRadar Console 31XX. Designed to integrate seamlessly into Q1 Labs' Total Security Intelligence platform, the QRadar 1705 enables QRadar deployments to scale from 100,000 network flows (Layer 4 Netflows) per minute to 600,000 with license key upgrades. The appliance can also process Layer 7 QFlow network packet contents when teamed with a 12XX or 13XX QFlow Collector. Includes 9TB of onboard storage.
      12. 1724 - The 1724 is an expansion appliance that is deployed in conjunction with QRadar Console 31XX. Designed to integrate seamlessly into Q1 Labs' Total Security Intelligence platform, the QRadar 1724 enables QRadar deployments to scale from 100,000 network flows (Layer 4 Netflows) per minute to 1,200,000 with license key upgrades. The appliance can also process Layer 7 QFlow network packet contents when teamed with a 12XX or 13XX QFlow Collector. Includes 16TB of onboard storage.
      13. 1790 - A Virtual Flow Processor with 15K Flows (FPM/FPI) expandable up to 50K FPM/FPI.
      14. 1805 - The 1805 delivers a cost-effective solution for event and network activity processing across a distributed organization. This appliance is well suited for organizations looking to introduce event and network activity processing to remote or branch offices or larger highly distributed organizations that need to provide local event and flow collection in locations that do not have high levels of traffic or log rates. Includes 9TB of onboard storage.
      15. 2100 - The 2100 combines the features and functionality of QRadar's powerful SIEM and Log Management and built-in network activity monitoring technology in a single appliance. QRadar 2100 is ideal for deployments in smaller enterprises or departments. A 2100 cannot be expanded to a distributed model. Includes 1.3 TB of onboard storage.
        -Includes an onboard 50 Mbps QFlow Collector.
        -Base Flows per Minute = 25,000 (50,000 NetFlows)
        -Maximum Flows per Minute = 100,000 (200,000 NetFlows)
        -Maximum EPS = 1000, 750 Event Feeds (Devices), 100 network objects
        -Supports external flows and QFlow Collectors.
      16. 3105 - The 3105 is an enterprise-class network security management appliance that combines SIEM and Log Management and is well suited for organizations ranging from medium sized organizations to large, globally deployed entities. As the flagship of the QRadar family, QRadar 3105 serves as the base platform for geographically dispersed organizations or any organization that requires an integrated solution to monitor their global network with the efficiency of a single Web-based UI. Includes 9TB of onboard storage.
        -As an All-in-One Appliance:
        -Base license includes 1000 EPS/25K Flows.
        -Max Events= 5000 EPS
        -Max Flows= 200K FPM/FPI
        -As a Distributed Console:
        -No external events or flows should be sent to Appliance.
      17. 3124 - The 3124 is a higher capacity version of the 3105. It includes additional storage and memory for increased performance in larger environments in a distributed architecture, and provides additional storage and performance when used as an all-in-one appliance compared to the 2100 or 3105 appliance models. Includes 16TB of onboard storage.
        -As an All-in-One Appliance:
        -Base license includes 1000 EPS/25K Flows.
        -Max Events= 5000 EPS
        -Max Flows= 200K FPM/FPI
        -As a Distributed Console:
        -No external events or flows should be sent to Appliance
      18. 3190 - Virtual Console Appliance.
        -As an all-in-one:
        -Base license includes 100 EPS/15K Flows.
        -Max EPS = 500 EPS
        -Max Flows= 50K FPI/FPM
        -As a Distributed Console:
        -No external events or flows should be sent to Appliance.
        -Only 1690 and 1790 Virtual Appliances may be added to a 3190 Virtual Console.
      19. VFlow- VFlow Collectors are virtual appliances that connect to the virtual switch within a virtual host. VFlow collectors enable collection, classification and visibility within your virtual network and server infrastructure. Similar to QFlow collectors, the collected data from VFlow is leveraged for network activity monitoring as well as for correlation against log activity for superior detection of security threats. Technical Specifications: Requires VMware ESX 3.5 and ESXi 3.5, Requires at least 512MB RAM, Provides collection of up to 10,000 Flows per Minute (FPM), Provides collection of up to 4 virtual interfaces.
      20. Software Appliances: A QRadar software license that the customer deploys on their own hardware. Requires customer-owned hardware and a customer-purchased copy of Red Hat Enterprise Linux (RHEL) 6.2. Software appliances cannot be deployed in a virtual deployment.
    3. High Availability (HA): QRadar HA supports seamless failover between the primary and the high availability appliance in the event of primary appliance or network failures. It tests connectivity to all appliances within its distributed deployment, including network devices such as switches and routers, to determine when (or if) a failover occurs. QRadar HA can be fully integrated into all QRadar appliances, including all-in-one systems and distributed appliances, and can be deployed on a per-appliance basis, enabling distributed QRadar deployments to add high availability appliances on an as-needed basis.
      1. HA performance requirements:
        -There must be a minimum of a dedicated 1 Gb link between primary and secondary hosts.
        -HA primary and secondary hosts must be on the same VLAN/subnet.
        -HA hosts must be within the same geographic location and must have less than 5 milliseconds (ms) of latency between hosts when utilizing data synchronization functionality.
        -HA primary and secondary hosts must be the same appliance version and type, including the same base software level (the QRadar software version installed from the ISO image).
    4. In order to access additional requirements such as hardware and memory requirements for software, virtual, or VFlow configurations, consult QRadar documentation.
      1. Access Qmmunity with your authorized username/password credentials to access documentation.
      2. Click the Documentation link.
      3. Click the Core Documentation link.
      4. Review the available guides for QRadar 7.1.
        -Guides May include: Hardware Guide, QRadar High Availability Guide, and QRadar Installation Guide.
  2. Given QRadar V7.1 software appliances, identify considerations for a software installation so that QRadar is properly installed and supported on customer supplied hardware.
    With emphasis on performing the following tasks:
    1. You can install QRadar software on customer-supplied hardware using Red Hat Enterprise Linux (RHEL) 6.2.
      1. The customer must provide the hardware.
      2. The customer must have a valid RHEL 6.2 license.
      3. When installing RHEL, you must use the "Base" install option and set the SELinux option to Disabled. If you do not adhere to this recommendation, your installation will fail.
        -To access the Base install option, select the Customize Software Packages to be Installed option and clear all the options in each category except BASE in the Base System category.
        -QRadar does not support KickStart disks; using these disks may cause the application to install incorrectly.
        -If you want to use NTP as your time server, make sure you install the NTP package. For more information, see your Red Hat documentation.
        -For Console systems, make sure the primary drive is at least 36 GB and that there is a minimum of 8 GB of RAM.
    2. Q1 Labs recommends a minimum of 24 GB of RAM for any Console, Event Processor, or Flow Processor.
  3. Given QRadar V7.1 virtual appliances, identify the minimum requirements and installation procedures so that a QRadar customer properly plans for the installation in a Virtual environment.
    With emphasis on performing the following tasks:
    1. Review QRadar Installation guide available on Qmmunity for detailed requirements.
      1. Access Qmmunity with authorized username/password credentials to access documentation.
      2. Click the Documentation tab.
      3. Click the Core Documentation link.
      4. Click the QRadar-71-InstallationGuide.pdf link.
      5. Open the Installation Guide.
      6. Review guide, paying special attention to Section 7 "Installing a Virtual Appliance".
    2. Q1 Labs only supports the xx90 series of appliances for installation in a virtual environment. A customer may not purchase a Software license to be used on a virtual server.
    3. All Virtual servers end in xx90 model numbers.
      1. QRadar 3190 - The QRadar 3190 virtual appliance is a QRadar system that can profile network behavior and identify network security threats. The QRadar 3190 virtual appliance includes an on-board Event Collector and internal storage for events.
        -The QRadar 3190 virtual appliance supports:
        - Up to 1,000 network objects.
        - 50,000 flows per interval, depending on your license.
        - 1,000 EPS, depending on your license.
        - 750 event feeds (additional devices can be added to your licensing).
        - External flow data sources for NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files.
        - QFlow Collector and Layer 7 network activity monitoring.
        -You can also expand the capacity of the QRadar 3190 beyond license-based upgrade options by adding one or more of the following virtual appliances:
        - QRadar 1690
        - QRadar 1790
      2. QRadar 1690 - The QRadar 1690 virtual appliance is a dedicated Event Processor that allows you to scale your QRadar deployment to manage higher EPS rates. The QRadar 1690 includes an on-board Event Collector, Event Processor, and internal storage for events.
        -The QRadar 1690 appliance supports:
        - Up to 1,000 EPS.
        - 2 TB or larger dedicated event storage.
        - The QRadar 1690 is a distributed Event Processor appliance and requires a connection to any QRadar 3105 or 3124 series appliance.
      3. QRadar 1790 - The QRadar 1790 virtual appliance is deployed in conjunction with any QRadar 3105 or 3124 series appliance to increase storage. The QRadar 1790 virtual appliance includes an on-board Event Processor, and internal storage.
        -The QRadar 1790 appliance supports:
        - 50,000 flows per interval depending on traffic types.
        - 2 TB or larger dedicated flow storage.
        - 1,000 network objects.
        - You can add QRadar 1790 appliances to any QRadar 3105 or 3124 series appliance to increase your deployment's storage and performance.
        - QFlow Collector and Layer 7 network activity monitoring.
      4. VFlow 1290 Collector - The 1290 VFlow Collector virtual appliance provides the same visibility and functionality in your virtual network infrastructure that a QFlow Collector offers in your physical environment. The VFlow Collector virtual appliance analyzes network behavior and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch.
        -The VFlow Collector virtual appliance supports a maximum of:
        - 10,000 flows per minute.
        - Three virtual switches, with one additional switch that is designated as the management interface.
        -The VFlow Collector 1290 virtual appliance does not support NetFlow.
      5. QRadar 1590 - The QRadar 1590 virtual appliance is a dedicated Event Collector, which is required if you want to enable the Store and Forward feature. The Store and Forward feature allows you to manage schedules that control when to start and stop forwarding events from your dedicated Event Collector appliances to Event Processors in your deployment. A dedicated Event Collector does not process events and it does not include an on-board Event Processor. By default, a dedicated Event Collector continuously forwards events to an Event Processor that you must connect using the Deployment Editor. The maximum Events Per Second (EPS) is controlled by the Event Processor.
      6. Virtual appliances require VMware ESXi 4.1. You must have a VMware client installed on your desktop. VMware server applications are bundled with client software. For example, ESXi 4.1 is bundled with VMware vSphere client 4.1. If your server/client configuration differs, we recommend you upgrade your VMware server and client. For more information, see http://www.vmware.com.
      7. 4 GB of free memory is required by the VMware host for QRadar 1690 and QRadar 1790. 12 GB is optimal.
      8. 8 GB of free memory is required by the VMware host for QRadar 3190. 12 GB is optimal.
      9. 512 MB of free memory is required by the VMWare host for QRadar 1290 VFlow Collector.
      10. A minimum of 36 GB of free disk space is required on all virtual appliance types.
      11. A minimum of 2 processors is required for all virtual appliance types.
  4. Given a client's collection requirements, network architecture diagrams, and bandwidth availability, determine the placement of the QRadar appliance so that the appliance is situated for optimal utilization.
    With emphasis on performing the following tasks:
    1. Evaluate the customer's collection requirements in their various networks to determine bandwidth utilization and storage requirements.
    2. If the bandwidth required to send the log sources over the WAN link exceeds the capacity of the WAN link, a collection appliance should be placed in the remote location.
    3. If a collector appliance is placed remotely, enable encryption and compression when adding the managed host.
    4. To determine the optimal location for flow collector appliances, place them where they have access to your edge routers/firewalls or your core switches.
    5. Event Collector appliances can be used in situations where bandwidth to the remote location is limited. By placing an Event Collector appliance remotely that feeds an Event Processor in the central deployment, you can optimize your search speeds.
  5. Given a customer's need to understand the network hierarchy in respect to QRadar, explain the network hierarchy concepts so that the customer will have the knowledge required to create a network hierarchy and understand its importance.
    With emphasis on performing the following tasks:
    1. Explain the concept of Network Groups:
      1. Network groups contain one or many network objects.
      2. Network groups are intended to flow in a logical hierarchy based on one or many of the following:
        -Geographic location of CIDR assignments
        -Business use of CIDR assignments
        -Business unit of CIDR assignments
    2. Explain the concept of network objects:
      1. Network objects are a container for CIDR addresses. A CIDR can belong to only one network object; however, subsets of a CIDR range can belong to another network object. Traffic will match the most exact CIDR.
      2. A network object can have multiple CIDR ranges assigned to it.
    3. Explain the importance of the network weight.
      1. Each network object has a weight assigned to it. The weight is a numeric value from 0 to 99 that sets the importance of the network object in relation to the other network objects, with 99 being the highest and 0 the lowest.
    4. Explain how to enter IP addresses in CIDR notation; the network hierarchy only supports IPv4.
      1. Network objects are entered into QRadar using CIDR notation, that is, the format Network Address/Network Prefix with the prefix length in decimal. Examples include 192.168.1.0/24 and 172.16.0.0/16.
      2. To enter a single address you would use /32 as your network prefix.
    5. Explain the concept of Local and Remote IP addresses in regards to QRadar
      1. In QRadar, any IP address covered by a CIDR range in the network hierarchy is considered a local address; anything not covered by a network hierarchy object's CIDR range is considered a remote IP address.
    6. The total number of network objects is controlled by the customer's license key; the limit is typically 1000 objects.
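As an added worked example (not part of the exam objectives and not QRadar's own code), the following Python models the network hierarchy rules described above: network objects holding IPv4 CIDRs with a 0-99 weight, one owner per CIDR with more specific sub-ranges allowed in other objects, most-exact CIDR matching, local versus remote classification, and the licence cap on object count. The object names and addresses are constructed for the example.

```python
"""Model of QRadar-style network hierarchy classification (illustrative, not QRadar code).

Rules implemented, as stated in the network hierarchy objective:
  * a network object holds one or more IPv4 CIDR ranges and a weight 0-99 (99 = highest);
  * a CIDR belongs to exactly one object, but a more specific sub-range may belong to another;
  * an address matches the most exact (longest-prefix) CIDR;
  * /32 denotes a single host;
  * an address covered by the hierarchy is "local", anything else is "remote";
  * the number of objects is capped by the licence (typically 1000).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NetworkObject:
    group: str                      # hierarchy path, e.g. "Corporate.Servers"
    name: str
    weight: int                     # 0 (lowest importance) .. 99 (highest)
    cidrs: List[str] = field(default_factory=list)


class NetworkHierarchy:
    def __init__(self, max_objects: int = 1000) -> None:
        self.max_objects = max_objects                  # licence-controlled limit
        self.objects: List[NetworkObject] = []
        # Every CIDR is owned by exactly one network object.
        self._owner: Dict[ipaddress.IPv4Network, NetworkObject] = {}

    def add(self, obj: NetworkObject) -> None:
        if not 0 <= obj.weight <= 99:
            raise ValueError(f"weight must be 0-99, got {obj.weight}")
        if len(self.objects) >= self.max_objects:
            raise ValueError("network object limit reached (licence)")
        nets = []
        for cidr in obj.cidrs:
            net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set in the prefix
            if net.version != 4:
                raise ValueError(f"{cidr}: the network hierarchy only supports IPv4")
            if net in self._owner:
                raise ValueError(f"{net} already belongs to {self._owner[net].name}")
            nets.append(net)
        for net in nets:                # commit only after every CIDR has been validated
            self._owner[net] = obj
        self.objects.append(obj)

    def lookup(self, ip: str) -> Optional[NetworkObject]:
        """Return the object owning the most exact CIDR covering ip, or None if uncovered."""
        addr = ipaddress.ip_address(ip)
        best: Optional[NetworkObject] = None
        best_len = -1
        for net, obj in self._owner.items():
            # An IPv6 address never matches an IPv4 network, so it is classified remote.
            if addr in net and net.prefixlen > best_len:
                best, best_len = obj, net.prefixlen
        return best

    def classify(self, ip: str) -> Tuple[str, Optional[int]]:
        """('local', weight) when covered by the hierarchy, ('remote', None) otherwise."""
        obj = self.lookup(ip)
        return ("local", obj.weight) if obj else ("remote", None)

    def rank_by_weight(self, ips: List[str]) -> List[str]:
        """Order addresses by the weight of their network object, highest first; remote last."""
        def key(ip: str) -> int:
            weight = self.classify(ip)[1]
            return -1 if weight is None else weight
        return sorted(ips, key=key, reverse=True)   # stable sort keeps input order for ties


def build_example_hierarchy() -> NetworkHierarchy:
    """Constructed sample hierarchy: a /16 with a more specific /24 and a single-host /32 inside it."""
    h = NetworkHierarchy()
    h.add(NetworkObject("Corporate.Servers", "Servers", 50, ["10.10.0.0/16"]))
    h.add(NetworkObject("Corporate.Servers", "DomainControllers", 90, ["10.10.5.0/24"]))
    h.add(NetworkObject("Corporate.Servers", "Bastion", 99, ["10.10.5.7/32"]))        # one host
    h.add(NetworkObject("Branch.London", "LondonUsers", 20, ["192.168.1.0/24", "192.168.2.0/24"]))
    return h


if __name__ == "__main__":
    hierarchy = build_example_hierarchy()
    for sample in ["10.10.5.7", "10.10.5.20", "10.10.200.1", "192.168.2.9", "8.8.8.8"]:
        owner = hierarchy.lookup(sample)
        print(sample, hierarchy.classify(sample), owner.group + "." + owner.name if owner else "-")
```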
  6. Given a customer's need to understand log collection, explain the different protocols used by QRadar so that the proper protocol can be used for the deployment.
    With emphasis on performing the following tasks:
    1. Syslog:
      Syslog is a standard for computer data logging. Syslog can be used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages.
    2. SMBTail :
      SMBTail is used to connect and read Windows files from the QRadar deployment.
    3. JDBC:
      Facilitates communication between QRadar and databases. JDBC is a Java-based data access technology that acts as an API for the Java programming language and defines how a client may access a database.
    4. JDBC - SiteProtector:
      The JDBC - SiteProtector protocol combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are located in the IBM Proventia Management SiteProtector database.
    5. Sophos Enterprise Console - JDBC:
      JDBC protocol combines payload information from application control logs, device control logs, data control logs, tamper protection logs, and firewall logs in the vEventsCommonData table to provide events to QRadar.
    6. Juniper Networks NSM :
      Network Communications Protocol is used to communicate between the Secure Access device server and client applications. Facilitates communication between the Qradar and Juniper Networks.
    7. OPSEC/LEA :
      The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (OPSEC LEA Server) which will contain your logs.
    8. SDEE :
      Security Device Event Exchange (SDEE) is a standard that specifies the format of messages and protocol used to communicate events generated by security devices. This protocol is used in the Cisco Systems IPS Sensor.
    9. SNMPv1 , SNMPv2 , SNMPv3:
      SNMP is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. SNMPv1 operates over protocols such as UDP, Internet Protocol (IP), etc.
      SNMPv2 includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security.
    10. Sourcefire Defense Center Estreamer :
      The Sourcefire Defense Center Estreamer protocol allows QRadar to request streaming event data from a Sourcefire Defense Center Estreamer (Event Streamer) service. Event files are streamed to QRadar for processing after you have configured the Sourcefire Defense Center DSM.
    11. Log File :
      A log file protocol source allows QRadar to retrieve archived log files from a remote host. These files are transferred, one at a time, to QRadar for processing. The log file protocol can manage plain text, compressed files, or archives.
    12. Microsoft Security Event Log:
      The Microsoft Security Event Log protocol provides remote agentless Windows event log collection for Windows server versions 2000, 2003, 2008, Windows XP, Windows Vista, and Windows 7 using the Microsoft Windows Management Instrumentation (WMI) API. The log files are used in conjunction with the Microsoft Windows Security Event Log DSM.
    13. Microsoft Security Event Log Custom:
      The Microsoft Security Event Log Custom protocol provides remote agentless Windows event log collection for Windows server versions 2000, 2003, 2008, Windows XP, Windows Vista, and Windows 7 using the Microsoft Windows Management Instrumentation (WMI) API. The Microsoft Security Event Log Custom protocol can process any Windows EVT log files and is used in conjunction with the Universal DSM.
    14. Microsoft Exchange :
      The Microsoft Windows Exchange protocol supports SMTP, OWA, and message tracking logs for Microsoft Exchange 2007. The Microsoft Exchange protocol does not support Microsoft Exchange 2003 or Microsoft authentication protocol NTLMv2 Session.
    15. Microsoft DHCP:
      The Microsoft DHCP protocol only supports a single connection to a Microsoft DHCP server. The Microsoft authentication protocol NTLMv2 Session is not supported in the Microsoft DHCP Log Source.
    16. Microsoft IIS:
      Microsoft IIS protocol supports a single point collection of .w3c format log files from a Microsoft IIS web server. The Microsoft authentication protocol NTLMv2 Session is not supported in the Microsoft IIS protocol.
    17. EMC VMWare:
      The EMC VMWare protocol allows QRadar to receive event data from the VMWare Web service for virtual environments.
    18. Oracle Database Listener:
      The Oracle Database Listener protocol source allows QRadar to monitor log files generated by an Oracle Listener database. Before you configure the Oracle Database Listener protocol to monitor log files for processing, you must obtain the directory path to the Oracle Listener database log files.
    19. Cisco Network Security Event Logging:
      The Cisco Network Security Event Logging (NSEL) protocol source allows QRadar to monitor NetFlow packet flows from a Cisco Adaptive Security Appliance (ASA). NetFlow events are streamed to QRadar for processing after you have configured the Cisco ASA DSM.
    20. PCAP Syslog Combination Protocol:
      The PCAP Syslog Combination protocol allows Juniper Networks SRX Series appliances to forward packet capture (PCAP) data from a Juniper Networks SRX appliance to QRadar. Packet capture data is forwarded to QRadar on a specified port that is separate from the syslog data forwarded to QRadar on port 514. The data contained in the packet capture and the outgoing port from the Juniper Networks SRX Series are configured from the Juniper Networks SRX Series appliance user interface. QRadar is capable of receiving both syslog and the additional PCAP data after you have configured the Juniper Networks SRX Series appliance.
    21. Forwarded Protocol:
      The Forwarded protocol enables you to receive a forwarded log source from another QRadar Console in a QRadar deployment.
    22. TLS Syslog Protocol:
      TLS Syslog protocol allows QRadar to receive encrypted syslog events from up to 50 network devices that support TLS Syslog event forwarding. After you create an initial TLS Syslog log source and configure a listening port for TLS syslog, QRadar generates a syslog-tls certificate. This certificate can be copied to any device on your network that is capable of forwarding encrypted syslog. Additional network devices with a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source in QRadar.
    23. Juniper Security Binary Log Collector:
      QRadar can accept audit, system, firewall and intrusion prevention system (IPS) events in binary format from Juniper SRX or Juniper Networks J Series appliances. The Juniper Networks binary log file format is intended to increase performance when writing large amounts of data to an event log.
    24. UDP Multi-line Syslog Protocol:
      QRadar can accept UDP multi-line syslog event messages from OpenLDAP servers and reassemble the multi-line syslog messages into single payloads for QRadar.
    25. IBM Tivoli Endpoint Manager SOAP:
      The IBM Tivoli Endpoint Manager SOAP protocol for QRadar retrieves Log Extended Event Format (LEEF) formatted events from IBM Tivoli Endpoint Manager. QRadar uses the Tivoli Endpoint Manager SOAP protocol to retrieve events on a 30 second interval. As events are retrieved, the IBM Tivoli Endpoint Manager DSM parses and categorizes the events for QRadar. The SOAP API for IBM Tivoli Endpoint Manager is only available after you have installed the Web Reports application. The Web Reports application for Tivoli Endpoint Manager is required to retrieve and integrate IBM Tivoli Endpoint Manager system event data.
  7. Given a customer's need to understand the various flow sources, explain the advantages and disadvantages of the various flow source types so that the customer will have an understanding of which QRadar flow source will work best in their environment.
    With emphasis on performing the following tasks:
    1. Explain the advantages and disadvantages of a span/tap connection to collect QFlow.
      1. Advantages:
        -Provide accurate non-sampled byte and packet counts directly off the wire.
        -Provide Layer 7 Application detection.
      2. Disadvantages:
        -Require a free spanport or tap to plug into.
        -Require a QFlow or VFlow appliance (12xx/13xx) or a 2100 all-in-one appliance.
    2. NetFlow V1, V5, V7, V9 / J-Flow / IPFIX collection
      1. Advantages:
        -Require no Physical ports on switches/routers.
      2. Disadvantages:
        -No Layer 7 Application Detection.
        -Records are unidirectional which can cause inaccuracies.
        -NetFlow traffic can be based on sampled data and, therefore, may not represent all network traffic.
    3. Packeteer collection
      1. Advantages:
        -Require no Physical ports on switches/routers.
        -Packeteer's application detection is translated into QRadar's application detection.
      2. Disadvantages:
        -No Layer 7 Content available.
    4. sflow V2,V4,V5 collection
      1. Advantages:
        -Require no Physical ports on switches/routers.
        -Can be configured to capture content.
      2. Disadvantages:
        -sFlow traffic is based on sampled data and, therefore, may not represent all network traffic.


Section 2: Installation

  1. Given a new QRadar appliance, physically mount and cable it so that it can be operational in a data center.
    With emphasis on performing the following tasks:
    1. Remove the appliance, cables and rackmount rails from the shipping box.
    2. Mount the rails to the rack in your data center / server room.
    3. Slide the appliance into the rails.
    4. Optional: attach the cable management piece at the rear of the rails.
    5. Connect the power, Ethernet, keyboard/video and cables to the appliance. Optionally, but highly recommended: connect the management port.
      1. If you have a Dell appliance, the management port is labeled with a wrench symbol. If you have an IBM appliance, the management port should be labeled as IMM.
    6. Turn the appliance on.
    7. If you connected the management port, configure the management port network settings.
      1. You can configure the network settings for the management port from the LCD panel at the front of the appliance, or from the BIOS/setup utility.
      2. On an IBM appliance, configure the IMM port by pressing F1 during boot. In the Setup utility, select System Settings, then Integrated Management Module, then Network Configuration.
      3. If you enabled the management port, change the default password before the port is reachable from anything other than your own workstation; the defaults are published and well known. The default credentials for a Dell appliance are root with a password of calvin. The default credentials for an IBM appliance are USERID and PASSW0RD (with a zero). Keep the management port on a restricted management network rather than the general server LAN.
    8. Your appliance should now be properly racked and remotely manageable.
  2. Given QRadar IBM appliances, configure the out of band management port on the appliance so that remote console access will be available to administrators.
    With emphasis on performing the following tasks:
    1. On the back panel of each appliance, the serial connector and Ethernet connectors can be managed using the Integrated Management Module (IMM). You can configure the IMM to share an Ethernet port with the QRadar management interface; however, we recommend configuring the IMM in dedicated mode to reduce the risk of losing the IMM connection when the appliance is restarted.
    2. After you start the server, you can use the Setup utility to select an IMM network connection. The server with the IMM hardware must be connected to a Dynamic Host Configuration Protocol (DHCP) server, or the server network must be configured to use a static IP address for the IMM.
      NOTE: Q1 Labs recommends the use of a static IP address for IMM configurations.
    3. To set up the IMM network connection through the Setup utility, complete the following steps:
      1. Turn on the server.
        -Note: Approximately 2 minutes after the server is connected to AC power, the power-control button becomes active.
        -The IBM System x Server Firmware welcome screen is displayed.
      2. When the prompt Setup is displayed, press F1. If you have set both a power-on password and an administrator password, you must type the administrator password to access the full Setup utility menu.
      3. From the Setup utility main menu, select System Settings.
      4. On the next screen, select Integrated Management Module.
      5. On the next screen, select Network Configuration.
      6. Highlight DHCP Control. There are three IMM network connection choices in the DHCP Control field:
        -Static IP
        -DHCP Enabled
        -DHCP with Failover (default)
      7. Select one of the network connection choices.
      8. If you choose to use a static IP address, you must specify the IP address, the subnet mask, and the default gateway.
      9. You can also use the Setup utility to select a dedicated or shared IMM network connection. On the Network Configuration screen, select Dedicated or Shared in the Network Interface Port field.
      10. Select Save Network Settings.
      11. Exit from the Setup utility.
    4. The IMM is set initially with a user name of USERID and password of PASSW0RD (with a zero, not the letter O). This default user has Supervisor access. Changing this default password is not required by the product, but it should be done as soon as the IMM is on the network: the default is published, and Supervisor access includes remote console and power control of the appliance.
    5. To access the IMM through the IMM Web interface:
      1. Open a Web browser.
      2. In the address or URL field, type the IP address or host name of the IMM server to which you want to connect.
  3. Given a freshly installed QRadar system, install the activation key so that the QRadar appliance has the proper role and functionality assigned to it.
    With emphasis on performing the following tasks:
    1. The QRadar activation key defines the appliance model, functionality and capabilities during initial setup.
    2. The activation key can be found on the documentation package shipped with the server.
    3. Turn the QRadar system on if it is not already powered up.
    4. From the console (either physically seated at it, via a remote access card or serial cable), login as 'root' at the prompt. There should be no password set on a new system.
    5. Read and accept the EULA by typing 'yes' when prompted.
    6. The activation key window is displayed. The activation key is a 24-digit, four-part, alphanumeric string. It can be found printed on a sticker and physically placed on the appliance or included with the packing slip.
    7. Type the activation key into the textbox and press Enter, including the dash symbols. Note that the letter l and the number 1 (one) are treated the same, as are the letter O and the number 0 (zero).
    8. The system will display a brief message about decrypting the key and move to the next page if it was successful.
  4. Given a freshly installed QRadar system, set up the network configuration settings so that, on a console type of appliance, the QRadar user interface is reachable from a web browser.
    With emphasis on performing the following tasks:
    1. After the activation key is accepted, a window asks you to select an Internet Protocol version. On a console (31xx or 21xx) appliance this screen is displayed after the time server information has been configured. In typical environments, this will be IPv4.
    2. A window displays up to a maximum of four interfaces depending on hardware configuration. Each interface with a physical link is denoted with a plus (+) symbol. Select the interface that you want to specify as the management interface. This is usually the 'eth0' interface. Select Next and press Enter.
    3. Configure the network settings using the following parameters:
      1. Hostname - Type a fully qualified domain name as the system name.
      2. IP Address - Type the IP address of the system.
      3. Network Mask - Type the network mask address for the system.
      4. Gateway - Type the default gateway of the system.
      5. Primary DNS - Type the primary DNS server address.
      6. Secondary DNS - Optional. Type the secondary DNS server IP address
      7. Public IP - Optional. Type the public IP address of the server. This is a secondary IP address used to reach the server, usually from a different network or the Internet, and is managed by your network administrator. It is typically provided by Network Address Translation (NAT) on your network or firewall; NAT translates an IP address in one network to a different IP address in another network.
      8. Email Server - Type the hostname or IP address of the SMTP email server. If you do not have an SMTP server, type localhost in this field.
    4. Select Next and press Enter.
    5. At this point, your network settings are configured. The system will then ask to configure a new root password. Follow the on-screen steps to set the password. The installation continues and a Configuration is Complete window will display. Press Enter to select OK.
  5. Given a freshly installed QRadar console or recently added managed host, install and deploy the QRadar license so that the newly applied license will take effect on each host in the QRadar deployment.
    With emphasis on performing the following tasks:
    1. Upon login to the QRadar user interface at https:///, a message window may pop up stating "Warning: This temporary license will expire on . Please contact customer support to receive a permanent license." This indicates that the console has not had a permanent license deployed. If you are adding new managed hosts to an existing deployment, you will not see this message.
    2. Click on the Admin tab, followed by the System and License Management icon.
    3. A new window is displayed, providing a list of all hosts in the deployment. Select the host for which you want to view the license key.
    4. From the Actions menu, select Manage License.
    5. The default temporary license window is displayed, showing the current license key limits. To update the existing license, click Browse beside the New License Key File field and select the license key from your local system and click Open.
    6. The license window will display. Click Save. The new license values will display in the window.
    7. If there are additional managed hosts that you have licenses for, repeat steps 3-6 for each host in the deployment. Otherwise, continue to step 8.
    8. On the System and License Management window, click Deploy License Key.
    9. The key information is updated in your deployment.
  6. Given a successfully installed QRadar deployment, describe and configure external storage so that the QRadar system can back up externally and/or mount the Ariel datastore externally.
    With emphasis on performing the following tasks:
    1. Describe the options for backing up to an external system.
      1. Mount /store/backup as an NFS share
      2. Mount /store/backup as a Samba (SMB) share
      3. Mount /store/backup using iSCSI to a SAN
      4. Mount /store/backup using Fibre Channel to a SAN
      5. Create a script to copy the contents of /store/backup to an external system.
    2. Describe the options for mounting Ariel to an external system.
      1. Mount /store/ariel using iSCSI to a SAN
      2. Mount /store or /store/ariel using Fibre Channel to a SAN
    3. Implement NFS or SMB for Backups.
      To implement NFS for backups:
      1. Step 1: Using SSH, log in to QRadar as the root user.
      2. Step 2: Add your NFS or SMB server to the /etc/hosts file.
      3. Step 3: Edit the iptables firewall to allow the connection to your NFS server.
      4. Step 4: Restart iptables.
      5. Step 5: Add the NFS client services to the startup configuration.
      6. Step 6: Manually start the NFS services.
      7. Step 7: Configure the /store/backup directory as the mount point for the share.
      8. Step 8: Migrate existing backup files to the NFS volume.
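      The eight steps above, carried out as one idempotent script. This is an added example, not a script from the QRadar documentation or the product: the export path, the fstab mount options, the form of the iptables rule, the use of rsync for the migration and the SysV service names (iptables, nfs, nfslock) are this example's assumptions about a RHEL-based QRadar 7.1 host. QRADAR_ROOT and DRY_RUN exist so the script can be rehearsed against a scratch directory before it is run as root on the appliance; the iptables rule is inserted ahead of the catch-all REJECT/DROP line rather than appended after COMMIT, where it would never be evaluated.

```shell
#!/bin/sh
# Added example (not from the QRadar guide): "Implement NFS for backups"
# as a script. Assumptions: export path, mount options, iptables rule form,
# rsync migration, RHEL 5/6 SysV service names.
set -eu

QRADAR_ROOT="${QRADAR_ROOT:-}"   # prefix for /etc files; set to a scratch dir to rehearse
DRY_RUN="${DRY_RUN:-0}"          # 1 = print privileged commands instead of running them
BACKUP_DIR="/store/backup"

run() {                          # run a privileged command, or just show it
    if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

hosts_entry()   { printf '%s %s\n' "$1" "$2"; }                                   # ip name (step 2)
iptables_rule() { printf '%s\n' "-A INPUT -i $1 -s $2 -j ACCEPT"; }                # iface ip (step 3)
fstab_entry()   { printf '%s:%s %s nfs soft,intr,rw 0 0\n' "$1" "$2" "$BACKUP_DIR"; } # server export (step 7)

append_once() {                  # file line: append unless the exact line is already present
    mkdir -p "$(dirname "$1")"; touch "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

insert_rule() {                  # file rule: place the ACCEPT before the catch-all REJECT/DROP (or COMMIT)
    mkdir -p "$(dirname "$1")"; touch "$1"
    grep -qxF -- "$2" "$1" && return 0
    if grep -Eq '^-A INPUT .*-j (REJECT|DROP)|^COMMIT' "$1"; then
        awk -v r="$2" '!done && (/^-A INPUT .*-j (REJECT|DROP)/ || /^COMMIT/) { print r; done = 1 } { print }' \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s\n' "$2" >> "$1"
    fi
}

nfs_backup_setup() {             # server_name server_ip export_path [iface]
    name="$1"; ip="$2"; share="$3"; iface="${4:-eth0}"
    append_once "$QRADAR_ROOT/etc/hosts" "$(hosts_entry "$ip" "$name")"                 # step 2
    insert_rule "$QRADAR_ROOT/etc/sysconfig/iptables" "$(iptables_rule "$iface" "$ip")" # step 3
    run service iptables restart                                                          # step 4
    run chkconfig nfs on; run chkconfig nfslock on                                        # step 5
    run service nfs start                                                                 # step 6
    append_once "$QRADAR_ROOT/etc/fstab" "$(fstab_entry "$name" "$share")"                # step 7
    run mv "$BACKUP_DIR" "$BACKUP_DIR.local"         # step 8: keep the old backups aside,
    run mkdir -p "$BACKUP_DIR"                       # mount the share in their place
    run mount "$BACKUP_DIR"                          # (fstab supplies device and options),
    run rsync -a "$BACKUP_DIR.local/" "$BACKUP_DIR/" # then copy them onto the NFS volume
}

if [ $# -gt 0 ]; then nfs_backup_setup "$@"; fi   # e.g. ./nfs_backup.sh nfs01 192.0.2.10 /exports/qradar eth0
```

      Rehearse with QRADAR_ROOT=/tmp/rehearsal DRY_RUN=1 first and inspect the generated /etc files; running it twice must not duplicate any line, which is what makes it safe to re-run after a partial failure. Only when the generated lines look right should it be run as root with both variables unset.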
    4. Configure iSCSI in a Standard Deployment.
      To configure iSCSI in a standard deployment:
      1. Prepare QRadar to connect to the iSCSI network.
      2. Assign and configure the iSCSI volumes.
      3. Migrate the /store/ariel directory to the iSCSI storage solution.
      4. Configure the system to auto-mount the iSCSI volume.
      5. Verify the iSCSI mount.
      6. Note - Your iSCSI interface should be configured on a separate interface from the management or primary interface.
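      The five iSCSI steps above as shell functions, including the verification check that should be repeated after every reboot. This is an added example, not a procedure from the QRadar documentation: it assumes the open-iscsi tools (iscsiadm) are present, binds the initiator to a dedicated storage NIC under the iface name "storage" (this example's name) so that the note about a separate interface is enforced rather than just recommended, formats the volume as ext4, stops QRadar's writers with "service hostcontext stop" (and "service tomcat stop" on a console) before data is moved, and takes the block device name as an argument because the name assigned after login has to be read from dmesg.

```shell
#!/bin/sh
# Added example (not from the QRadar guide): standard-deployment iSCSI
# setup with open-iscsi. Assumptions: iface name "storage", ext4, the
# service names used to quiesce QRadar, device name supplied by the caller.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # 1 = print privileged commands instead of running them
ARIEL="/store/ariel"

run() { if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# Step 1: bind the initiator to the dedicated storage NIC so iSCSI traffic
# never rides the management interface.
iscsi_prepare() {                 # storage_nic (e.g. eth1)
    run iscsiadm -m iface -I storage --op new
    run iscsiadm -m iface -I storage --op update -n iface.net_ifacename -v "$1"
}

# Step 2: discover the target over that iface, log in, and make the login
# automatic so the session returns after a reboot.
iscsi_attach() {                  # portal_ip iqn
    run iscsiadm -m discovery -t sendtargets -p "$1" -I storage
    run iscsiadm -m node -T "$2" -p "$1" -I storage -l
    run iscsiadm -m node -T "$2" -p "$1" -I storage --op update -n node.startup -v automatic
}

# Step 4: fstab line. _netdev is the important part: without it the boot
# tries to mount the volume before the network and the iSCSI session exist.
fstab_entry() {                   # device
    printf '%s %s ext4 defaults,_netdev 0 0\n' "$1" "$ARIEL"
}
iscsi_automount() {               # device
    fstab_entry "$1" | run tee -a /etc/fstab
}

# Step 3: move the Ariel data onto the new volume, keeping the original
# directory until the copy has been verified.
iscsi_migrate_ariel() {           # device
    run service hostcontext stop
    run service tomcat stop        # console only; remove on a managed host
    run mkfs.ext4 "$1"
    run mkdir -p /store/tmp
    run mount "$1" /store/tmp
    run rsync -a "$ARIEL/" /store/tmp/
    run umount /store/tmp
    run mv "$ARIEL" "$ARIEL.local"
    run mkdir -p "$ARIEL"
    run mount "$1" "$ARIEL"
    run service hostcontext start
}

# Step 5: the check to run after the migration and after every reboot.
# mounts_file defaults to /proc/mounts; it is a parameter only so the
# check can be exercised against a saved copy.
iscsi_mount_check() {             # device [mounts_file]
    awk -v d="$1" -v m="$ARIEL" '$1 == d && $2 == m { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}
```

      Run the functions in the order the steps list them (prepare, attach, migrate, automount, check); in an HA pair the same functions are used on the secondary, with the migration restricted as described in the HA section because the volume is already populated.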
    5. Configure iSCSI for HA:
      In an HA deployment, the secondary host maintains the same data as the primary host by one of two methods: data replication or shared external storage. If you use the shared external storage method, you must configure your secondary host with the same external iSCSI device as the primary host.
      To configure iSCSI for use with HA, you must:
      1. Configure iSCSI on the primary host. This step must be performed before adding the secondary host.
        -Prepare the primary host to connect to the iSCSI network.
        -Assign and configure the iSCSI volumes on the primary host.
        -Migrate the /store/ariel directory on the primary host to the iSCSI storage solution.
        -Configure the primary host to auto-mount the iSCSI volume.
        -Verify the iSCSI mount on the primary host. See Verifying the iSCSI Mount.
      2. Install the secondary host.
      3. Configure iSCSI on the secondary host:
        -Prepare the secondary host to connect to the iSCSI network.
        -Assign and configure the iSCSI volumes on the secondary host (the same volumes the primary host uses).
        -Migrate the /store/ariel directory on the secondary host to the iSCSI storage solution, performing only Step 2 through Step 9 of that procedure, since the volume was already populated by the primary host.
        -Configure the secondary host to auto-mount the iSCSI volume.
      4. Access QRadar and configure the HA cluster. For more information about configuring HA, see the QRadar Administration Guide or the QRadar Log Manager Administration Guide.
        Note - Your iSCSI interface should be configured on a separate interface from the management or primary interface.
    6. Configure Fibre Channel in a Standard Deployment.
      To configure Fibre Channel in a standard deployment:
      1. Step 1: Prepare QRadar to connect to the Fibre Channel network.
      2. Step 2: Migrate the storage directory to the Fibre Channel storage solution. By default, QRadar stores data in the /store directory, however, storing data in subdirectories of /store is supported. Choose one of the following:
        -Migrate /store to the Fibre Channel Solution.
        -Migrate a subdirectory of /store to the Fibre Channel Solution.
      3. Step 3: Verify that the Fibre Channel storage mounts properly.
    7. Configure Fibre Channel HA
      In an HA deployment, the secondary host maintains the same data as the primary host by one of two methods: data replication or shared external storage. If you use the shared external storage method, your secondary host must be configured with the same external Fibre Channel device as the primary host.
  7. Given a newly installed QRadar deployment, use the Deployment editor so that managed hosts and components can be added, modified or removed.
    With emphasis on performing the following tasks:
    1. Deployment Editor Overview.
      The deployment editor provides the following views of your deployment:
      1. System View - Use the System View page to assign software components, such as a QFlow Collector, to managed hosts in your deployment.
        The System View page includes all managed hosts in your deployment. A managed host is a system in your deployment that has QRadar software installed.
        By default, the System View page also includes the following components:
        -Host Context - Monitors all QRadar components to ensure that each component is operating as expected.
        -Accumulator - Aggregates flow and event data for reporting, writes the aggregated data to the database, and generates alerts. An accumulator resides on any host that contains an Event Processor.
      2. Event View - Use the Event View page to create a view of your components including QFlow Collectors, Event Processors, Event Collectors, Off-site Sources, Off-site Targets, and Magistrate components.
    2. Open Deployment Editor.
      On the Admin tab, click Deployment Editor. The deployment editor is displayed. After you update your configuration settings using the deployment editor, you must save those changes to the staging area.
      You must manually deploy all changes using the Admin tab menu option. All deployed changes are then enforced throughout your deployment.
    3. Add a managed host.
      You can add the following QRadar components to your Event View:
      Event Collector
      Event Processor
      Off-site Source
      Off-site Target
      QFlow Collector
      1. Step 1: On the Admin tab, click Deployment Editor.
        The Event View page is displayed.
      2. Step 2: In the Event Components pane, select a component you want to add to your deployment.
        The Adding a New Component wizard is displayed.
      3. Step 3: Type a unique name for the component you want to add.
        The name can be up to 20 characters in length and may include underscores or hyphens. Click Next.
        The Assign Component page is displayed.
      4. Step 4: From the Select a host to assign to list box, select the managed host you want to assign the new component to. Click Next.
      5. Step 5: Click Finish.
      6. Step 6: Repeat for each component you want to add to your view.
      7. Step 7: From the deployment editor menu, select File -> Save to staging.
        The deployment editor saves your changes to the staging area.
      8. Step 8: On the Admin tab menu, click Deploy Changes.
    4. Make a connection from one component to another
      1. Step 1: In the Event View page, select the component for which you want to establish a connection.
      2. Step 2: From the menu, select Actions -> Add Connection.
        NOTE: You can also right-click a component to access the Action menu item. An arrow is displayed in your map. The arrow represents a connection between two components.
      3. Step 3: Drag the end of the arrow to the component you want to establish the connection with.
      4. Step 4: Optional. Configure flow filtering on a connection between a QFlow Collector and an Event Collector.
        -Right-click the arrow between the QFlow Collector and the Event Collector and select Configure.
        -In the text field for the Flow Filter parameter, type the IP addresses or CIDR addresses for the Event Collectors you want the QFlow Collector to send flows to.
        -Click Save.
      5. Step 5: Repeat for all remaining components that require connections.
    5. Verify managed host is connected to deployment.
      Highlight the component that you attached the line to, hold the left mouse button down and move the component; the line moves with the component if it is properly attached.
    6. Edit a managed host
      1. Step 1: Click the System View tab.
      2. Step 2: Right-click the managed host you want to edit and select Edit Managed Host.
        The Edit a managed host wizard is displayed.
        NOTE: This option is only available when the selected component has a managed host running a compatible version of QRadar software.
      3. Step 3: Click Next.
        The Attributes window is displayed.
      4. Step 4: Edit the following values, as necessary:
        Host is NATed - Select the check box if you want to use existing Network Address Translation (NAT) on this managed host.
        NOTE: If you want to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see the QRadar Administration Guide.
        Enable Encryption - Select the check box if you want to create an encryption tunnel for the host. To enable encryption between two managed hosts, each managed host must be running at least QRadar 5.1. If you selected the Host is NATed check box, the Configure NAT settings page is displayed. Go to Step 5. Otherwise, go to Step 6.
      5. Step 5: To select a NATed network, enter values for the following parameters:
        -Enter public IP of the server or appliance to add - Type the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
        -Select NATed network - From the list box, select the network you want this managed host to use.
      6. Step 6: Click Next.
      7. Step 7: Click Finish.
    7. Remove a managed host.
      1. Step 1: Click the System View tab.
      2. Step 2: Right-click the managed host you want to delete and select Remove host.
        NOTE: This option is only available when the selected component has a managed host running a compatible version of QRadar software. A confirmation window is displayed.
      3. Step 3: Click OK.
      4. Step 4: On the Admin tab menu, select Advanced > Deploy Full Configuration.
    8. Reassign a managed host.
      1. Step 1: Click the System View tab.
      2. Step 2: Right-click the unassigned managed host you want to assign and select Assign Host.
        NOTE: Unassigned managed hosts appear in the deployment editor as RED components. A confirmation window is displayed.
      3. Step 3: Click OK.
      4. Step 4: Repeat for each component you want to assign in your view.
      5. Step 5: From the deployment editor menu, select File -> Save to staging.
        The deployment editor saves your changes to the staging area.
      6. Step 6: On the Admin tab menu, click Deploy Changes.
    9. Save the deployment.
      1. From the deployment editor menu, select File -> Save to staging.
      2. The deployment editor saves your changes to the staging area.
      3. From the deployment editor menu, select File -> Save and close.
      4. The deployment editor saves your changes to the staging area and automatically closes.
  8. Given that QRadar has been installed and high availability was purchased, install and configure HA so that the system is configured as an HA pair and Disk Synchronization is enabled.
    With emphasis on performing the following tasks:
    1. Install a Secondary HA QRadar Appliance.
      1. Prepare your appliance.
      2. Install all necessary hardware.
      3. Connect to the Appliance via a serial port or KVM.
      4. Log in with username root (Username is case sensitive) Press Enter.
      5. The End User License Agreement (EULA) is displayed.
      6. Read the information in the window. Press the Spacebar to advance each window until you have reached the end of the document.
      7. Type yes to accept the agreement, and then press Enter
      8. The activation key window is displayed. The activation key is a 24-digit, four-part, alphanumeric string.
      9. The activation key can be found on:
        -Printed on a sticker and physically placed on your appliance.
        -Included with the packing slip; all appliances are listed along with their associated keys.
      10. Type your activation key and press Enter.
      11. To specify your secondary device type, select This system is a stand-by for a console.
      12. Select Next and press Enter.
      13. Choose one of the following options to set the time:
        -Manual - To enter the time and date by hand, type the current date and time. Select Next and press Enter.
        -Server - To use a time server, type the time server name or IP address in the Time server field. Select Next and press Enter.
        -Then select your time zone continent or area. Select Next and press Enter.
        -The Time Zone Region window is displayed. Select your time zone region. Select Next and press Enter.
      14. Select IPv4 for your internet protocol version. Select Next and press Enter.
        -The window displays up to a maximum of four interfaces depending on your hardware configuration. Each interface with a physical link is denoted with a plus (+) symbol.
      15. Select the interface that you want to specify as the management interface. Select Next and press Enter.
      16. Configure the QRadar network settings by entering values for the following parameters:
        -Hostname - Type a fully qualified domain name as the system host name.
        -IP Address - Type the IP address of the system.
        -Network Mask - Type the network mask address for the system.
        -Gateway - Type the default gateway of the system.
        -Primary DNS - Type the primary DNS server address.
        -Secondary DNS - Optional. Type the secondary DNS server address.
        -Public IP - Optional.
        -Email Server - Type the email server. If you do not have an email server, type localhost in this field.
        -Select Next and press Enter
        -To configure the QRadar root password:
        -a Type the root password.
        -Select Next and press Enter.
        -The Confirm New Root Password window is displayed.
        -Retype your new password to confirm.
        -Select Finish and press Enter.
        -A series of messages is displayed as QRadar continues with the installation.
        -This process typically takes several minutes.
        -The Configuration is Complete window is displayed.
        -Press Enter to select OK.
        NOTE: If adding HA to a Console appliance, you must re-partition and move the /store/ariel/persistent_data location and contents into a new partition in order to alleviate potential performance issues caused by HA data replication of temporary search result data. QRadar has a script that performs these tasks. The partition splitting process affects both the primary and secondary HA hosts. Before running the script, the Console HA secondary must not be in an HA configuration. This process takes several hours to complete and will affect console availability and functionality.
    2. Add and configure the HA cluster.
      1. Log in to the QRadar user interface.
      2. Add and configure your HA cluster as follows.
      3. Click the Admin tab.
      4. On the navigation menu, click System Configuration.
      5. The System Configuration pane is displayed.
      6. Click the System and License Management icon.
      7. The System and License Management window is displayed.
      8. Select the host for which you want to configure HA.
      9. From the Actions menu, select Add HA Host.
      10. If the primary host is a Console, a warning message is displayed to indicate that the QRadar user interface restarts after you add the HA host. Click OK to proceed.
      11. The HA Wizard is displayed.
      12. Read the introductory text. Click Next.
      13. Enter the Primary Host IP Address.
      14. Enter the Secondary Host IP Address.
      15. Enter the root password of the secondary host.
      16. Confirm the root password.
      17. Optional. Configure advanced parameters.
      18. Click Next. The HA Wizard connects to the primary and secondary host to perform the following validations:
      19. Verifies that the secondary host has a valid HA activation key.
      20. Verifies that the secondary host is not already added to another HA cluster.
      21. Verifies that the software versions on the primary and secondary hosts are the same.
      22. Verifies that the primary and secondary hosts support the same Device Support Module (DSM), scanner, and protocol RPMs.
      23. Verifies if the primary host has an externally mounted storage system. If it does, the HA wizard then verifies that the secondary host also has an externally mounted storage system.
      24. If any of these validations fail, the HA wizard displays an error message and then closes.
      25. The Confirm the High Availability Wizard Options page is displayed.
      26. Review the information. Click Finish.
      27. If Disk Synchronization is enabled, it can take 24 hours or more for the data to initially synchronize. For a portion of this time the system may appear to be down with no update or status available - this is normal.
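      The wizard's validations (items 19 to 23 above) can be rehearsed from the shell of the primary before the wizard is opened, which matters on a console because the wizard restarts the user interface before it reports a failure. The script below is an added example, not part of the QRadar product or documentation. It assumes root SSH from the primary to the secondary, that the packages the wizard compares are the RPMs named DSM-*, PROTOCOL-* and SCANNER-* (and it compares exact versions, which is stricter than the wizard's "supports the same"), that /opt/qradar/bin/myver prints the installed version, and that external storage shows up as /store/ariel being its own mount point in /proc/mounts. The HA activation key and "already in another cluster" checks are left to the wizard.

```shell
#!/bin/sh
# Added example (not part of QRadar): HA pre-flight check run on the
# primary. Assumptions: root SSH to the secondary, the RPM name prefixes,
# /opt/qradar/bin/myver, /store/ariel as the external-storage indicator.
set -eu

qradar_support_rpms() {        # stdin: "rpm -qa" output -> the compared subset, sorted
    grep -E '^(DSM|PROTOCOL|SCANNER)-' | sort -u
}

rpm_diff() {                   # primary_list secondary_list: print one-sided packages, fail if any
    a=$(mktemp); b=$(mktemp); d=$(mktemp)
    qradar_support_rpms < "$1" > "$a"
    qradar_support_rpms < "$2" > "$b"
    { comm -23 "$a" "$b" | sed 's/^/primary-only: /'
      comm -13 "$a" "$b" | sed 's/^/secondary-only: /'; } > "$d"
    cat "$d"
    n=$(wc -l < "$d" | tr -d ' ')
    rm -f "$a" "$b" "$d"
    [ "$n" -eq 0 ]
}

ariel_store_state() {          # mounts_file (normally /proc/mounts) -> "external" or "local"
    if awk '$2 == "/store/ariel" { f = 1 } END { exit !f }' "$1"; then echo external; else echo local; fi
}

ha_preflight() {               # secondary_ip: gather both sides and run the three comparisons
    sec="$1"; rc=0
    pv=$(/opt/qradar/bin/myver); sv=$(ssh "root@$sec" /opt/qradar/bin/myver)
    [ "$pv" = "$sv" ] || { echo "version mismatch: primary=$pv secondary=$sv"; rc=1; }
    rpm -qa > /tmp/rpms.primary
    ssh "root@$sec" rpm -qa > /tmp/rpms.secondary
    rpm_diff /tmp/rpms.primary /tmp/rpms.secondary || { echo "DSM/protocol/scanner rpms differ"; rc=1; }
    ssh "root@$sec" cat /proc/mounts > /tmp/mounts.secondary
    ps=$(ariel_store_state /proc/mounts); ss=$(ariel_store_state /tmp/mounts.secondary)
    [ "$ps" = "$ss" ] || { echo "storage mismatch: primary=$ps secondary=$ss"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then ha_preflight "$1"; fi   # e.g. ./ha_preflight.sh 192.0.2.31
```

      A non-zero exit lists exactly which side is missing which package, so the fix (install the same DSM, protocol or scanner update on the other host, or attach the same external volume) is known before the wizard is run.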
  9. Given a need to reformat an appliance, flatten and reinstall the appliance so that the QRadar appliance is completely reinstalled.
    With emphasis on performing the following tasks:
    1. Choose a method to reinstall:
      1. From the boot menu using the recovery partition.
      2. Using a DVD. (all appliances except for xx24 series)
      3. Using a USB.
    2. Prepare for Reinstallation from a Recovery Partition.
      To prepare for re-installation:
      1. Step 1: Reboot your QRadar appliance.
        A menu is displayed with the following options:
        -Normal System - Starts QRadar as normal.
        -Factory re-install - Runs the installer.
      2. Step 2: Select Factory re-install.
        The installer runs and detects that there is already an installation present.
      3. Step 3: Type flatten to continue.
        The installer partitions and reformats the hard disk, installs the OS, and then re-installs QRadar. You must wait for the flatten process to complete. This process can take up to several minutes, depending on your system. When the process is complete, a confirmation is displayed:
      4. Step 4: Type SETUP.
      5. Step 5: Log in to QRadar as the root user.
      6. Step 6: Follow the prompts to install QRadar. The remaining steps are documented in the installation guide for your software product.
    3. Prepare for Reinstallation from a DVD.
      To prepare for re-installation:
      1. Step 1: Download the appropriate ISO from the Qmmunity website.
      2. Step 2: Burn that image to a DVD.
      3. Step 3: Reboot your QRadar appliance with the DVD in the drive.
      4. Step 4: Press the key required to load the boot menu for your appliance.
      5. Step 5: Select the DVD drive as the boot option. The installer prepares for the QRadar installation. It can take up to an hour to start the installation process.
      6. Step 6: When the login prompt is displayed, log in to the system as the root user.
      7. Step 7: Type SETUP to begin the installation.
      8. Step 8: Follow the prompts to install QRadar. The remaining steps are documented in the installation guide for your software product.
    4. Create a Bootable USB Flash-Drive
      If the system you want to install resides in a QRadar deployment in which other QRadar systems are available, you can create a bootable USB flash-drive on another QRadar system. If the system you want to install is a stand-alone device,you can create a bootable USB flash-drive using a Linux-based desktop system. These instructions are available on Qmmunity.
    5. Install QRadar Using a USB Flash-Drive
      Before installing QRadar using a bootable USB flash-drive, you must first complete the steps in Creating a Bootable USB Flash-Drive.
      To install QRadar on your appliance using a bootable USB flash-drive:
      1. Step 1: Insert the bootable USB flash-drive into the USB port of your QRadar appliance.
      2. Step 2: Restart the appliance.
      3. Step 3: Press the key required to load the boot menu for your appliance.
      4. Step 4: Select USB as the boot option. The USB flash-drive prepares for the QRadar installation. It can take up to an hour to start the installation process.
      5. Step 5: When the login prompt is displayed, log in to the system as the root user.
      6. Step 6: Type SETUP to begin the installation.
      7. Step 7: Follow the prompts to install QRadar. The remaining steps are documented in the installation guide for your software product.


Section 3-1: Configuration

  1. Given a customer's IP assignment information, construct a properly configured network hierarchy so that local networks can be identified in QRadar.
    With emphasis on performing the following tasks:
    1. Navigate to the QRadar Admin interface and click on Network Hierarchy.
    2. Select the Add button from the interface that pops up.
    3. Populate the Fields for Group name, Object name, Weight, and Color. Note: use "." to create sub-groups.
    4. Leave the Database retention as "System - Network Object Default" (NOTE: This value is no longer used ).
    5. Populate the CIDR field with the CIDRs to be assigned to this object by entering each one in the field and selecting the Add button.
    6. Once all the fields are populated, select the Save button.
    7. Repeat steps above until all the necessary objects have been added, once they have all been added, close the window and from the Admin tab select Deploy Changes.
  2. Given QRadar has been installed, install and configure the ALE agents so that log data can be collected and sent from Windows Systems to QRadar.
    With emphasis on performing the following tasks:
    1. Install the ALE.
      1. Download the AdaptiveLogExporter_setup.exe file from the Qmmunity Website.
      2. Copy the ALE setup file to your Windows-based host system.
      3. Launch the installation wizard.
      4. Read and accept the license agreement information.
      5. Select Full installation. This option installs the following:
        -ALE Windows Service
        -ALE Configuration User Interface
      6. Choose between the different options.
      7. Click Install.
      8. The Completing the Setup Wizard window is displayed when the installation is complete. Select Finish.
    2. Configure the ALE Update Site.
      To configure an update site:
      1. From the Start menu, select Programs -> Adaptive Log Exporter -> Configure Adaptive Log Exporter.
      2. The ALE is displayed.
      3. On the main menu, select File -> Preferences.
      4. The Preferences window is displayed.
      5. Click the + icon to expand the Install/Update navigation tree.
      6. On the navigation menu, select Update Site.
      7. Update Site parameters are displayed.
      8. In the Update Site URL field, type the location of your update site file. For example:
        -To update from the Internet, type a URL: http://downloads.q1labs.com/windowsagent
        -To update from a Windows share, type the path to your server: file:///ALE/UpdateSite
        -To update from a local file, type the path to the file: file:///e:/UpdateSite
    3. Manage Destinations.
      1. From the Start menu, select Programs -> Adaptive Log Exporter -> Configure Adapter Log Exporter.
      2. The ALE is displayed.
      3. Click the Destinations tab.
      4. Right-click on a destination type (e.g. TCP, UDP) and select Add Destination.
      5. Configure the following values: Name, Description, Syslog Server, Syslog Server Port.
      6. Click Save and Deploy
    4. Install and Configure Windows Devices.
      1. From the Start menu, select Programs -> Adaptive Log Exporter -> Configure Adapter Log Exporter.
      2. Click the Devices tab.
      3. Right click on Windows Event Log and select Add Device
      4. Configure the parameters: Name, Description, Device Address and which logs to be monitored.
      5. Click Save.
      6. Click the Destinations tab.
      7. Right-click on a destination and select Add Device Mapping.
      8. A list of configured devices is displayed.
      9. Select your Windows Event Log device.
      10. A mapping is created for your selected log device to the destination.
      11. Click Save.
      12. Click Deploy.
    5. Install and Configure Plugins.
      1. From the Start menu, select Programs -> Adaptive Log Exporter.
      2. Click Add Plugins.
      3. Select the plugin you wish to install.
      4. Accept the terms and proceed with the installation.
      5. Once installation is completed, select Restart Workbench for the changes to take effect.
      6. The Device Type appears under Devices.
      7. Select the device and right-click to Add Device.
      8. Configure the Basic Configuration parameters and any other required parameters (e.g. File Selection Configuration).
      9. Select Save.
      10. Click the Destinations tab.
      11. Right-click on a destination and select Add Device Mapping.
      12. A list of configured devices is displayed.
      13. Select your device.
      14. A mapping is created for your selected log device to the destination.
      15. Click Save.
      16. Click Deploy.
  3. Given QRadar has been installed, install and configure the Wincollect agent so that Log data can be collected and sent from Windows systems to QRadar.
    With emphasis on performing the following tasks:
    1. Install the WinCollect agent.
      1. Authorize the WinCollect agent by creating an authentication token:
        1. Click the Admin tab.
        2. On the navigation menu, click System Configuration. The System Configuration pane is displayed.
        3. Click the Authorized Services icon.
        4. Click Add Authorized Service and configure the parameters: Service Name, User Role, Expiry Date.
        5. Click Create Service.
      2. Install a WinCollect agent using the command-line interface:
        1. Download the WinCollect agent setup file from the Qmmunity Website to the WinCollect agent host.
        2. From the desktop, select Start -> Run. The Run window is displayed.
        3. Type the following command: cmd and click OK.
        4. Navigate to the download directory containing the WinCollect agent.
        5. Type the following command from the directory containing the WinCollect setup file:
          AGENT-WinCollect-7.0.0.setup.exe /VERYSILENT /SUPPRESSMSGBOXES /AUTH_TOKEN= /HOST_IDENTIFIER= /CONFIG_CONSOLE_ADDRESS=
        6. Verify that the agent has registered in the QRadar Console under Admin -> WinCollect.
    2. Add a Log Source
      1. Click the Admin tab.
      2. On the navigation menu, click Data Sources.
      3. The Data Sources pane is displayed.
      4. Click the WinCollect icon.
      5. The WinCollect window is displayed.
      6. Select the WinCollect agent, and click Log Sources.
      7. Click Add.
      8. The Add a log source window is displayed.
      9. From the Log Source Type drop-down list box, select Microsoft Windows Security Event Log.
      10. From the Protocol Configuration drop-down list box, select WinCollect.
      11. Select appropriate Event Processor (If in a distributed environment).
      12. Configure values for the parameters.
      13. Click Save.
      14. On the Admin tab, click Deploy Changes.
  4. Given the QRadar V7.1 product and the customer statement of work, itemize each log source that is required for collection, determine the protocol, and provide configuration parameters so that events from each required log source are visible in the QRadar Log Activity display.
    With emphasis on performing the following tasks:
    1. Be able to describe types of collection and major collection processes: QRadar collects log event data from real time data being received over syslog and SNMP, as well as by polling for event data in files, databases, or specially architected store. Numerous protocols are supported for data collection, including syslog, SNMP, JDBC, SCP/SFTP, FTP, and various consortium (SDEE) or vendor specific (OPSEC/LEA).
    2. Be able to describe the auto discovery and identify when it may be available: Log Sources that are collected using syslog can be detected from the incoming syslog event stream by the auto discovery process. Log sources that support auto detection can be found in the appendix of the Configuring DSM guide.
    3. List each log source to be installed Device Type and determine which of these will be collected using the syslog protocol and are supported by auto discovery.
    4. Obtain the latest DSM guide and Qmmunity information to determine which of the log sources are supported by existing DSMs.
    5. Download and install the latest protocol and DSM updates from Qmmunity.
    6. Itemize all log sources that will not be collected using syslog, and determine from the DSM guide and Qmmunity which protocol will be used for collection.
    7. For each log source not collected via syslog, open the Admin tab, then open Log Sources. Click on Add, and then select the Log Source Type from the drop-down list to open the Add a log source panel.
    8. Determine the protocol to be used, for example JDBC, Log File, SDEE, SNMP, Vendor Specific, etc.
    9. Select that protocol and itemize each required parameter needed to configure access to the event data.
    10. Obtain values for each from site contacts; ensure that information is accurate and that necessary changes have been made to the systems generating the log data to enable the collection. For example, if using SFTP, ensure that the User ID will connect to the remote system, and has sufficient privilege to read the log file.
    11. Configure each log source using the Add Log Source panel.
    12. Click Save.
    13. Watch the Status and Last Event Time columns for successful collection with a current event time.
    14. Diagnose any errors by reading the /var/log/qradar.log and /var/log/qradar.error files. Common errors include inability to connect to the event data or problems with the time stamp used to detect latest event data.
    15. Check the event data to ensure that some events are available. In some cases, it may be necessary to provoke some event data by performing actions on the system being collected.
    16. Open Log Activity tab, then click Add Filter.
    17. Define a Filter selecting the Log Source using the drop-down lists.
    18. Return to Log Activity and select a View option that covers the time period of collection observed above in step 3.3.10; this might be 5 minutes, 1 hour, or 3 days depending on the expected frequency of events.
  5. Given QRadar is installed and operational, create flow sources so that the network activity screen is populated with flow data.
    With emphasis on performing the following tasks:
    1. Log in to the QRadar user interface at https://.
    2. Select the Admin tab.
    3. Under Data Sources, click on Flow Sources and a new window will appear.
    4. To create a new flow source:
      1. Click Add. Complete the flow source details such as name, target collector device and flow source type.
      2. If your network environment has asymmetric routing enabled, enable asymmetric flows.
      3. After selecting the Flow Source Type, complete the values for that flow source type configuration such as monitoring port number that QRadar will receive the flows on.
      4. If you need to forward the flows to another flow destination, select Enable Flow Forwarding.
        -Add the destinations and port number in the respective fields.
        -If you need to spoof the source address of the forwarded flows so that they appear to come from their origin, you must change the Monitoring Interface value to a specific Ethernet interface.
      5. When done, click Save.
      6. Repeat section 3.4.4 for additional flow sources as needed.
    5. To modify an existing flow source, select the source from the list and click Edit. Modify as needed, click Save.
    6. To disable or enable a flow source, click on the respective flow source and click Enable/Disable.
    7. To delete a flow source, click the respective flow source and click Delete. You will be asked to confirm deletion.
    8. Once you are done modifying flow sources, close the window and return to the Admin tab. It should indicate that there are undeployed changes. Click Deploy Changes to deploy the changes that were made.
  6. Given the VA Scanners and Schedule VA interface in QRadar, configure and schedule a VA Scanner so that Vulnerability data is imported into Asset Profiles in Qradar.
    With emphasis on performing the following tasks:
    1. The selected scanner populates your asset profile data including the host information, ports, and potential vulnerabilities.
    2. Parameters Common to all VA Scanners:
      1. Scanner Name
      2. Description
      3. Managed Host
      4. Type
      5. CIDR Ranges
    3. Most Scanners will require a:
      1. Hostname, Server name, or URL
      2. Username
      3. Password
        VA Scanner information can be retrieved and processed on any system, which is then parsed by the VIS component, sent back to the console,
    4. Add a VA Scanner.
      1. Click the Admin tab.
      2. On the navigation menu, click Data Sources.
      3. Click the VA Scanners icon.
      4. Click Add.
      5. Configure values for the following parameters:
        Scanner Name: Type the name that you want to assign to this scanner.
        Description: Type a description for this scanner.
        Managed Host: From the list box, select the managed host that you want to use to configure the scanner.
        Type: From the list box, select the type of scanner you want to configure.
      6. Configure the parameters for the scanner chosen in 3.5.5.
        Note: Each supported scanner has different parameters that need to be configured. Most scanners require at a minimum a Hostname, Server name, or URL and a Username and Password.
        -Refer to the 7.1 Managing Vulnerability Assessments guide for details on each supported scanner's parameters.
      7. To configure the CIDR ranges that you want this scanner to consider:
        -In the text field, type the CIDR range that you want this scanner to consider or
        click Browse to select the CIDR range from the network list.
        -Click Add.
      8. Click Save.
      9. On the Admin tab, click Deploy Changes.
    5. Schedule a VA Scanner.
      1. Click the Admin tab.
      2. On the navigation menu, click Data Sources.
      3. Click the Schedule VA Scanners icon.
      4. Click Add.
        NOTE: If you do not have any scanners deployed, an error message is displayed. You must configure/deploy the scanner before you can schedule a scan.
      5. Configure values for the following parameters:
        VA Scanner: From the list box, select the scanner for which you want to create a schedule.
        Network CIDR: Choose one of the following options:
        -Network CIDR - Select the option and select the network CIDR range to which you want this scan to apply.
        -Subnet/CIDR - Select the option and type the subnet or CIDR range to which you want this scan to apply. The subnet/CIDR must be within the selected Network CIDR.
        The Network CIDR or Subnet/CIDR values must be available to the scanner selected in the VA Scanner list box.
        Potency: From the Potency list box, select the level of scan that you want to perform. The precise interpretation of the levels depends on the scanner. For more precise potency information, see your vendor documentation. In general, the potency levels indicate the aggressiveness of the scan:
        -Very safe - Indicates a safe, non-intrusive assessment. They can generate false results.
        -Safe - Indicates an intermediate assessment and produces safe, banner-based results.
        -Medium - Indicates a safe intermediate assessment with accurate results.
        -Somewhat safe - Indicates an intermediate assessment but can leave service unresponsive.
        -Somewhat unsafe - Indicates an intermediate assessment; however, it can result in your host or server ceasing to function.
        -Unsafe - Indicates an intermediate assessment; however, this can cause your service to become unresponsive.
        -Very unsafe - Indicates an unsafe, aggressive assessment that can result in your host or server becoming unresponsive.
        Note: Potency levels only apply to NMap scanners.
        Priority : From the Priority list box, select the priority level to assign to the scan.
        -Low - Indicates the scan is of normal priority. Low priority is the default scan value.
        -High - Indicates the scan is high priority. High priority scans are always placed above low priority scans in the scan queue.
        Ports : Type the port range you want the scanner to scan.
        Start Time : Configure the start date and time for the scan. The default is the local time of your QRadar system.
        Note: If you select a start time that is in the past, the scan begins immediately after saving the scan schedule.
        Interval : Type a time interval to indicate how often you want this scan to run. Scan intervals can be scheduled by the hour, day, week, or month. An interval of 0 indicates that the scheduled scan runs one time and does not repeat.
        Concurrency Mask: Type a CIDR range to specify the size of the subnet to be scanned during a vulnerability scan. The value configured for the concurrency mask represents the largest portion of the subnet that the scanner is allowed to scan at a time. Concurrency mask allows the entire network CIDR or subnet/CIDR to be scanned in subnet segments to optimize the scan. The maximum subnet segment scan is /24 and the minimum subnet segment scan is /32.
        Clean Vulnerability Ports: Select this check box if you want the scan to exclude previously collected vulnerability data.
      6. Click Save.
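The Network CIDR, Subnet/CIDR and Concurrency Mask rules described for a scan schedule, as an added Python example (not from the exam guide or IBM): it checks that a Subnet/CIDR lies within the selected Network CIDR and splits the target into the subnet segments a concurrency mask between /24 and /32 permits. The network values are constructed and the function names are this example's own.

```python
import ipaddress
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Bounds stated for the Concurrency Mask: a segment may be at most a /24
# and at least a /32 (a single host).
LARGEST_SEGMENT_PREFIX = 24
SMALLEST_SEGMENT_PREFIX = 32


def resolve_scan_target(network_cidr: str, subnet_cidr: Optional[str] = None) -> IPNetwork:
    """Return the range the schedule will scan.

    With no Subnet/CIDR the whole Network CIDR is scanned; otherwise the
    Subnet/CIDR must sit inside the selected Network CIDR, as the schedule
    parameters require.  strict=False accepts host-style input such as
    10.10.4.1/22 by clearing the host bits.
    """
    network = ipaddress.ip_network(network_cidr, strict=False)
    if subnet_cidr is None:
        return network
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    if subnet.version != network.version or not subnet.subnet_of(network):
        raise ValueError(f"Subnet/CIDR {subnet} is not within Network CIDR {network}")
    return subnet


def parse_concurrency_mask(mask: str) -> int:
    """Accept '/26', '26' or a dotted mask such as '255.255.255.192'
    and enforce the /24 .. /32 bounds."""
    text = mask.strip()
    if "." in text:
        prefix = ipaddress.ip_network(f"0.0.0.0/{text}").prefixlen
    else:
        prefix = int(text.lstrip("/"))
    if not LARGEST_SEGMENT_PREFIX <= prefix <= SMALLEST_SEGMENT_PREFIX:
        raise ValueError(f"concurrency mask /{prefix} must be between /24 and /32")
    return prefix


def scan_segments(target: IPNetwork, concurrency_mask: str) -> List[IPNetwork]:
    """Split the target into the segments the scanner works through one at
    a time.  A target already no larger than one segment is scanned as-is."""
    prefix = parse_concurrency_mask(concurrency_mask)
    if target.prefixlen >= prefix:
        return [target]
    return list(target.subnets(new_prefix=prefix))


def plan_scan(network_cidr: str, subnet_cidr: Optional[str], concurrency_mask: str) -> List[str]:
    """Convenience wrapper returning the segments as strings, in scan order."""
    target = resolve_scan_target(network_cidr, subnet_cidr)
    return [str(segment) for segment in scan_segments(target, concurrency_mask)]


if __name__ == "__main__":
    # Constructed schedule: a /22 inside a /16 network object, scanned a /24 at a time.
    for segment in plan_scan("10.10.0.0/16", "10.10.4.0/22", "/24"):
        print(segment)
```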


Section 3-2: Configuration

  1. Given an existing QRadar deployment, configure external authentication so that existing users can login to the QRadar UI using external credentials.
    With emphasis on performing the following tasks:
    1. Under Admin tab, open Authentication.
      NOTE: An administrative user can access QRadar through a vendor authentication module or by using the local QRadar Admin password.
      The QRadar Admin password still functions if you have set up and activated a vendor authentication module; however, you cannot change the QRadar Admin password while the authentication module is active. If you want to change the QRadar admin password, you must temporarily disable the vendor authentication module, reset the password, and then reconfigure the vendor authentication module.
      1. Click the Admin tab.
      2. On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      3. Click the Authentication icon. The Authentication Configuration window is displayed.
      4. From the Authentication Module list box, select the authentication type you want to configure.
    2. Select the appropriate authentication method.
      1. QRadar supports the following user authentication types:
        1. System Authentication - Users are authenticated locally by QRadar. This is the default authentication type.
        2. RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar encrypts the password only, and forwards the user name and password to the RADIUS server for authentication.
        3. TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, QRadar encrypts the user name and password, and forwards this information to the TACACS server for authentication.
        4. Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.
        5. LDAP - Users are authenticated by a Native LDAP server.
      2. NOTE: If you want to configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must:
        -Configure the authentication server before you configure authentication in QRadar.
        -Make sure the server has the appropriate user accounts and privilege levels to communicate with QRadar. See your server documentation for more information.
        -Make sure the time of the authentication server is synchronized with the time of the QRadar server.
        -Make sure all users have appropriate user accounts and roles in QRadar to allow authentication with the vendor servers.
      3. When authentication is configured and a user enters an invalid user name and password combination, a message is displayed indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again.
    3. RADIUS Auth Config
      From the list box, select the type of authentication you want to perform. The options are:
      1. Challenge Handshake Authentication Protocol (CHAP) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
      2. Microsoft Challenge Handshake Authentication Protocol (MSCHAP ) - Authenticates remote Windows workstations.
      3. Apple Remote Access Protocol (ARAP) - Establishes authentication for AppleTalk network traffic.
      4. Password Authentication Protocol (PAP) - Sends clear text between the user and the server.
        Shared Secret: Type the shared secret that QRadar uses to encrypt RADIUS passwords for transmission to the RADIUS server.
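The RADIUS behaviour described above, where only the password is protected with the shared secret while the user name travels in the clear, as an added Python example (not from the exam guide or IBM): the RFC 2865 User-Password hiding step a RADIUS client performs, and the server-side reversal. The shared secret, Request Authenticator and credentials are constructed values.

```python
import hashlib
from typing import List, Tuple

RADIUS_USER_NAME = 1      # attribute type, sent in the clear
RADIUS_USER_PASSWORD = 2  # attribute type, hidden with the shared secret


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 bytes; the first block is
    XORed with MD5(secret + Request Authenticator), each later block with
    MD5(secret + previous ciphertext block).  Only the shared secret protects
    the password, which is why its strength and distribution matter.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes long")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password() as the RADIUS server does.

    Trailing NUL padding is stripped, so a password that itself ends in NUL
    bytes cannot be told apart from padding (a known RFC 2865 limitation).
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def access_request_attributes(username: str, password: str, secret: bytes,
                              authenticator: bytes) -> List[Tuple[int, bytes]]:
    """Attribute list a RADIUS client places in an Access-Request: the user
    name unprotected, the password hidden.  Other attributes and the UDP
    packet framing are omitted to keep the focus on these two fields."""
    return [
        (RADIUS_USER_NAME, username.encode("utf-8")),
        (RADIUS_USER_PASSWORD, hide_password(password.encode("utf-8"), secret, authenticator)),
    ]


if __name__ == "__main__":
    import os
    # Constructed values; a real client draws the authenticator from a CSPRNG.
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)
    attrs = access_request_attributes("qradar.admin", "Passw0rd!", secret, authenticator)
    for attr_type, value in attrs:
        print(attr_type, value.hex())
    print(reveal_password(attrs[1][1], secret, authenticator))
```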
    4. TACACS Auth Config
      From the list box, select the type of authentication you want to perform. The options are:
      1. ASCII
      2. PAP - Sends clear text between the user and the server.
      3. CHAP - Establishes a PPP connection between the user and the server.
      4. MSCHAP - Authenticates remote Windows workstations.
      5. MSCHAP2 - Authenticates remote Windows workstations using mutual authentication.
      6. EAPMD5 - Uses MD5 to establish a PPP connection.
        Shared Secret: Type the shared secret that QRadar uses to encrypt TACACS
    5. AD Auth Config
      1. Server URL: Type the URL used to connect to the LDAP server. For example, ldap://:
      2. LDAP Context: Type the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.
      3. LDAP Domain: Type the domain you want to use, for example q1labs.inc.
    6. LDAP Auth Config
      1. Server URL: Type the URL used to connect to the LDAP server. For example, ldap://:
        You can use a space-separated list to specify multiple LDAP servers.
      2. SSL Connection: From the list box, select True if you want to use Secure Sockets Layer (SSL) encryption when connecting to the LDAP server. The default is True. Before enabling the SSL connection to your LDAP server, you must import the SSL certificate from the LDAP server to your QRadar system.
      3. TLS Authentication: From the list box, select True if you want to start Transport Layer Security (TLS) encryption when connecting to the LDAP server. The default is True.
      4. Search Entire Base: From the list box, select one of the following options:
        -True - Enables searching all subdirectories of the specified Directory Name (DN).
        -False - Enables searching the immediate contents of the Base DN. The subdirectories are not searched.
        The default is True.
      5. LDAP User Field: Type the user field identifier you want to search on, for example, uid. You can use a comma-separated list to search for multiple user identifiers.
      6. Base DN: Type the base DN for performing searches, for example, DC=Q1LABS,DC=INC.
      7. Configuring your SSL Certificate
        If you use LDAP for user authentication and you want to enable SSL, you must configure your SSL certificate. To configure your SSL certificate for connection to your LDAP server:
        Step 1: Using SSH, log in to QRadar as the root user.
        User Name: root
        Password:
        Step 2: Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:
        mkdir -p /opt/qradar/conf/trusted_certificates
        Step 3: Copy the SSL certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates/ directory on your QRadar Network Intelligence system.
        Step 4: Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted. QRadar Network Intelligence only loads .cert files.
  2. Given the Store and Forward interface, configure store and forwarding so that events will be forwarded at a specified time.
    With emphasis on performing the following tasks:
    1. The Store and Forward feature is supported on the Event Collector 1501 and Event Collector 1590 appliances.
    2. A dedicated Event Collector does not process events and it does not include an on-board Event Processor. By default, a dedicated Event Collector continuously forwards events to an Event Processor that you must connect using the Deployment Editor.
    3. During the period of time when events are not forwarding, the events are stored locally on the appliance and are not accessible using the Console user interface.
    4. When viewing store and forward events in the Log Activity tab on the Console user interface, the Time property displays the time stamp of when the event was received by the Event Processor, therefore, the Time property does not accurately indicate the time the event occurred on your network.
      Configure Store and Forward
    5. Click the Admin tab.
    6. On the navigation menu, click System Configuration.
    7. Click the Store and Forward icon.
    8. From the Actions menu, select Create.
    9. Click Next to move to the Select Collectors page.
    10. On the Select Collectors page, configure the following parameters:
      1. Schedule Name: Type a unique name for the schedule. You can type
      2. Event Collectors: Select one or more Event Collectors from the Available Event Collectors list and click the Add Event Collector icon. When you add an Event Collector, the Event Collector is displayed in the Selected Event Collectors list.
      3. Selected Event Collectors: Displays a list of selected Event Collectors. You can remove Event Collectors from this list.
    11. Click Next to move to the Schedule Options page.
    12. On the Schedule Options page, configure the following parameters:
      1. Forward Transfer Rate: Configure the forward transfer rate you want this schedule to use when forwarding events from the Event Collector to the Event Processor.
      2. To configure the forward transfer rate:
        -From the first list box, type or select a number. The minimum transfer rate is 0. The maximum transfer rate is 9,999,999. A value of 0 means that the transfer rate is unlimited.
        -From the second list box, select a unit of measurement. Options include: Kilobits per second, Megabits per second, and Gigabits per second.
      3. Scheduling Information: Select this check box to display the following scheduling options:
        -Forward Time Zone
        -Forward Start
        -Forward End
    13. Click Next to move to the Summary page.
    14. On the Summary page, confirm the options you configured for this Store and Forward schedule.
    15. Click Finish.
  3. Given that QRadar is operational, change QRadar's network settings so that they meet the requirements of the customer's network.
    1. Changing Network Settings in an All-in-One Console
      You can change the network settings in your All-In-One system. An All-In-One system has all QRadar components, including the Admin tab, installed on one system. To change the settings on the QRadar Console:
      NOTE: You must have a local connection to your Console before executing the script.
      Log in to QRadar as the root user:
      Username: root
      Password:
      Type the following command:
      qchange_netsetup
      Select an internet protocol version. Select Next and press Enter.
      The window displays up to a maximum of four interfaces depending on your hardware configuration. Each interface with a physical link is denoted with a plus (+) symbol.
      Select the interface that you want to specify as the management interface. Select Next and press Enter.
      Choose one of the following options:
      -If you are using IPv4 as your Internet protocol, skip the IPv6 instructions and go to Configure the QRadar network settings.
      -If you are using IPv6 as your Internet protocol, continue with the IPv6 instructions.
      To configure IPv6, choose one of the following options:
      -To automatically configure for IPv6, select Yes and press Enter. The automatic configuration can take an extended period of time.
      -To manually configure for IPv6, select No and press Enter. Then enter the network information to use for IPv6: type the values for the Hostname, IP Address, and Email server, select Next, and press Enter.
      Configure the QRadar network settings:
      Enter values for the following parameters:
      -Hostname - Type a fully qualified domain name as the system hostname.
      -IP Address - Type the IP address of the system.
      -Network Mask - Type the network mask address for the system.
      -Gateway - Type the default gateway of the system.
      -Primary DNS - Type the primary DNS server address.
      -Secondary DNS - Optional. Type the secondary DNS server address.
      -Public IP - Optional. Type the Public IP address of the server. This is a secondary IP address that is used to access the server, usually from a different network or the Internet, and is managed by your network administrator. The Public IP address is often configured using Network Address Translation (NAT) services on your network or firewall settings on your network. NAT translates an IP address in one network to a different IP address in another network.
      -Email Server - Type the name of the email server. If you do not have an email server, type localhost in this field.
      Select Next and press Enter.
      Select Finish and press Enter.
      A series of messages is displayed as QRadar processes the requested changes. After the requested changes are processed, the QRadar system is automatically shut down and rebooted.
    2. Changing the Network Settings of a Console in a Multi-System Deployment
      To change the network settings in a multi-system deployment, you must remove all non-Console managed hosts from the deployment, change the network settings, re-add the managed host or hosts, and then re-assign the component or components. You must perform this procedure in the following order:
      1. Removing Non-Console Managed Hosts
      2. Changing the Network Settings
      3. Re-Adding Managed Hosts and Re-Assigning the Components
        NOTE:This procedure requires you to use the deployment editor. For more information on using the deployment editor, see the QRadar Administration Guide.
        Removing Non-Console Managed Hosts:
        To remove non-Console managed hosts from your deployment, you must:
        Log in to QRadar:https:// Where is the IP address of the QRadar system.
        Username: admin
        Password:
        Click the Admin tab.
        Click the Deployment Editor icon.
        The deployment editor is displayed.
        Click the System View tab.
        Right-click the managed host that you want to delete and select Remove host.
        Repeat for each non-Console managed host until all hosts are deleted.
        Click Save.
        Close the deployment editor.
        On the Admin tab, click Deploy Changes.
        The changes are deployed.
        Changing the Network Settings:
        Log in to QRadar as the root user:
        Username: root
        Password:
        Type the following command: qchange_netsetup
        Select an internet protocol version. Select Next and press Enter.
        The window displays up to a maximum of four interfaces depending on your hardware configuration. Each interface with a physical link is denoted with a plus (+) symbol.
        Select the interface that you want to specify as the management interface. Select Next and press Enter.
        Choose one of the following options:
        -If you are using IPv4 as your Internet protocol, skip the IPv6 instructions and go to Configure the QRadar network settings.
        -If you are using IPv6 as your Internet protocol, continue with the IPv6 instructions.
        To configure IPv6, choose one of the following options:
        -To automatically configure for IPv6, select Yes and press Enter. The automatic configuration can take an extended period of time.
        -To manually configure for IPv6, select No and press Enter. Then enter the network information to use for IPv6: type the values for the Hostname, IP Address, and Email server, select Next, and press Enter.
        Configure the QRadar network settings:
        Enter values for the following parameters:
        -Hostname - Type a fully qualified domain name as the system hostname.
        -IP Address - Type the IP address of the system.
        -Network Mask - Type the network mask address for the system.
        -Gateway - Type the default gateway of the system.
        -Primary DNS - Type the primary DNS server address.
        -Secondary DNS - Optional. Type the secondary DNS server address.
        -Public IP - Optional. Type the Public IP address of the server. This is a secondary IP address that is used to access the server, usually from a different network or the Internet, and is managed by your network administrator. The Public IP address is often configured using Network Address Translation (NAT) services on your network or firewall settings on your network. NAT translates an IP address in one network to a different IP address in another network.
        -Email Server - Type the name of the email server. If you do not have an email server, type localhost in this field.
        Select Next and press Enter.
        Select Finish and press Enter.
        A series of messages is displayed as QRadar processes the requested changes. After the requested changes are processed, the QRadar system is automatically shut down and rebooted.
        Re-Adding Managed Hosts and Re-Assigning the Components
        To re-add the managed hosts and re-assign components, you must:
        Log in to QRadar:https:// Where is the IP address of the QRadar system.
        Username: admin
        Password:
        Click the Admin tab.
        Click the Deployment Editor icon.
        The deployment editor is displayed.
        Click the System View tab.
        From the menu, select Actions > Add a managed host.
        The Add a new host wizard is displayed.
        Click Next.
        The Enter the host's IP window is displayed.
        Enter values for the parameters:
        Enter the IP of the server or appliance to add - Type the IP address of the host that you want to add to your System View.
        Enter the root password of the host - Type the root password for the host.
        Confirm the root password of the host - Type the password again, for confirmation.
        Host is NATed - Select this option if you want to specify NAT values if necessary.
        Enable Encryption - Select this option if you want to enable encryption.
        Click Next.
        Click Finish.
        Re-assign all components to your non-Console managed host.
        In the QRadar deployment editor, click the Event View tab.
        Select the component that you want to re-assign to the managed host.
        From the menu, select Actions -> Assign
        The Assign Component wizard is displayed.
        From the Select a host list box, select the host that you want to re-assign to this component.
        Click Next.
        Click Finish.
        Repeat for each non-Console managed host until all hosts are re-added and re-assigned.
        Close the deployment editor.
        Click Deploy Changes.
        The changes are deployed.
    3. Changing the Network Settings of a Non-Console in a Multi-System Deployment.
      To change the network settings of a non-Console in a multi-system deployment, you must remove the non-Console managed host that you want to change from the deployment, change the network settings, re-add the managed host, and then re-assign the original components.
      You must perform this procedure in the following order:
      Removing the Non-Console Managed Host
      Changing the Network Settings
      Re-Adding the Managed Host and Re-Assigning the Components
      NOTE:This procedure requires you to use the deployment editor. For more information on using the deployment editor, see the QRadar Administration Guide.
      Removing the Non-Console Managed Host:
      To remove non-Console managed host from your deployment, you must:
      Log in to QRadar: https:// Where is the IP address of the QRadar system.
      Username: admin
      Password:
      Click the Admin tab.
      Click the Deployment Editor icon.
      The deployment editor is displayed.
      Click the System View tab.
      Right-click the managed host that you want to delete to access the menu, select
      Remove host.
      Close the deployment editor.
      Click Deploy Changes.
      The changes are deployed.
      Changing the Network Settings :
      Log in to QRadar as the root user:
      Username: root
      Password:
      Type the following command: qchange_netsetup
      Select an internet protocol version. Select Next and press Enter.
      The window displays up to a maximum of four interfaces depending on your hardware configuration. Each interface with a physical link is denoted with a plus (+) symbol.
      Select the interface that you want to specify as the management interface. Select Next and press Enter.
      Choose one of the following options:
      If you are using IPv4 as your Internet protocol, skip the IPv6 instructions and go to Configure the QRadar network settings.
      If you are using IPv6 as your Internet protocol, choose one of the following options to configure IPv6:
      To automatically configure for IPv6, select Yes and press Enter. The automatic configuration can take an extended period of time.
      To manually configure for IPv6, select No and press Enter.
      To enter network information to use for IPv6:
      Type the values for the Hostname, IP Address, and Email server.
      Select Next and press Enter.
      Configure the QRadar network settings:
      Enter values for the following parameters:
      Hostname - Type a fully qualified domain name as the system hostname.
      IP Address - Type the IP address of the system.
      Network Mask - Type the network mask address for the system.
      Gateway - Type the default gateway of the system.
      Primary DNS - Type the primary DNS server address.
      Secondary DNS - Optional. Type the secondary DNS server address.
      Public IP - Optional. Type the Public IP address of the server. This is a secondary IP address that is used to access the server, usually from a different network or the Internet, and is managed by your network administrator. The Public IP address is often configured using Network Address Translation (NAT) services on your network or firewall settings on your network. NAT translates an IP address in one network to a different IP address in another network.
      Email Server - Type the name of the email server. If you do not have an email server, type localhost in this field.
      Select Next and press Enter.
      Select Finish and press Enter.
      A series of messages are displayed as QRadar processes the requested changes.
      After the requested changes are processed, the QRadar system is automatically shut down and rebooted.
      Re-Adding the Managed Host and Re-Assigning the Components
      To re-add the managed host and re-assign components, you must:
      Log in to QRadar: https:// Where is the IP address of the QRadar system.
      Username: admin
      Password:
      Click the Admin tab.
      Click the Deployment Editor icon.
      The deployment editor is displayed.
      Click the System View tab.
      From the menu, select Actions > Add a managed host.
      The Add a new host wizard is displayed.
      Click Next.
      The Enter the host's IP window is displayed.
      Enter values for the parameters:
      Enter the IP of the server or appliance to add - Type the IP address of the host that you want to add to your System View.
      Enter the root password of the host - Type the root password for the host.
      Confirm the root password of the host - Type the password again, for confirmation.
      Host is NATed - Select this option if you want to specify NAT values if necessary.
      Enable Encryption - Select this option if you want to enable encryption.
      Click Next.
      Click Finish.
      Re-assign all components to your non-Console managed host.
      In the QRadar deployment editor, click the Event View tab.
      Select the component that you want to re-assign to the managed host.
      From the menu, select Actions > Assign.
      The Assign Component wizard is displayed.
      From the Select a host list box, select the host that you want to re-assign to this component. Click Next.
      Click Finish.
      Close the deployment editor.
      On the Admin tab, click Deploy Changes.
      The changes are deployed.
    4. Changing Settings using Webmin UI
      Log in to QRadar: https:// Where is the IP address of the QRadar system.
      Username: admin
      Password:
      Click the Admin tab.
      Click System and License Management.
      Highlight the system whose settings you want to change.
      Select Actions > Manage System.
      You can bypass the steps described above by typing the following URL:
      https://:10000 Where is the IP address of the QRadar system and 10000 is the port that System Administration listens on.
      The Welcome to the System Administration interface opens:
      Using this interface you can:
      Change passwords.
      Configure interface roles.
      Configure firewall access.
      Configure system time.
      Select one of the following from the Managed Host Config link:
      Local Firewall
      Add systems that should be allowed to connect to the device, along with the ports they require access to.
      Network Interfaces
      Select and modify roles for network interfaces installed on the system.
      QRadar Setup
      Changes the mail server.
      Root Password
      Changes the root password.
      System Time
      Changes the system's current time (Manual, Server).
      Upon changing and saving the configuration, services may be restarted and settings applied.
  4. Given access to the QRadar user interface, demonstrate how to use the GUI to enable event flow hashing so that you can ensure database integrity when required.
    With emphasis on performing the following tasks:
    1. Log on to the main GUI of QRadar with administrative privileges.
    2. Navigate to the Admin tab of the GUI.
    3. Select the System Settings icon.
    4. Scroll down to the Ariel Database Settings section.
    5. Determine, with the customer, any legal, audit, or internal requirements for proving tamper proof storage of events and flows. Review the potential performance impacts of hashing.
    6. Enable flow and/or event hashing by selecting the appropriate drop-down.
    7. Choose the desired algorithm from the Hashing Algorithm drop-down:
      1. SHA-1
      2. SHA-384
      3. SHA-256
      4. SHA-512
      5. MD2
      6. MD5
    8. Click Save at the bottom.
    9. Click Return.
    10. Select Deploy Changes.
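Added example (not from the exam guide and not QRadar's own code): a Python sketch of what enabling hashing buys you, using the algorithm names from the drop-down above mapped to hashlib names. Each record is stored beside the digest computed at write time; verification recomputes the digest and reports records that no longer match. The sample syslog lines are constructed, and the name mapping is an assumption of this example (MD2 is listed on the page but is not provided by hashlib in current Python builds).

```python
import hashlib
from typing import List, Tuple

# Names as shown in the Hashing Algorithm drop-down, mapped to hashlib names.
# MD2 appears in the list on the page but modern Python builds of hashlib do
# not provide it, so it is mapped to None and rejected below (assumption).
ALGORITHMS = {
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
    "MD5": "md5",
    "MD2": None,
}

# Algorithms with known practical collision attacks: adequate for spotting
# accidental corruption, weak as evidence of deliberate tampering.
WEAK = {"MD2", "MD5", "SHA-1"}


def hash_record(record: bytes, algorithm: str) -> str:
    """Hex digest of one stored record under the chosen algorithm."""
    name = ALGORITHMS.get(algorithm)
    if name is None:
        raise ValueError(f"{algorithm} is not available in hashlib")
    return hashlib.new(name, record).hexdigest()


def is_collision_resistant(algorithm: str) -> bool:
    """True for the SHA-2 family; False for the weak or unavailable choices."""
    return algorithm in ALGORITHMS and algorithm not in WEAK


def store_records(records: List[bytes], algorithm: str) -> List[Tuple[bytes, str]]:
    """Write-time step: keep each record beside the digest computed when it was stored."""
    return [(r, hash_record(r, algorithm)) for r in records]


def verify_records(stored: List[Tuple[bytes, str]], algorithm: str) -> List[int]:
    """Read-time step: indices of records whose current digest differs from the stored one."""
    return [i for i, (r, h) in enumerate(stored) if hash_record(r, algorithm) != h]


# Constructed sample event payloads (not real QRadar data).
SAMPLE_EVENTS = [
    b"<13>Jan 01 12:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22",
    b"<13>Jan 01 12:00:02 fw01 sshd[4242]: Failed password for admin from 203.0.113.7",
    b"<13>Jan 01 12:00:03 fw01 sshd[4242]: Accepted password for admin from 10.0.0.12",
]


def demo(algorithm: str = "SHA-256") -> List[int]:
    """Store the samples, rewrite one record after the fact, and report what verification finds."""
    stored = store_records(SAMPLE_EVENTS, algorithm)
    assert verify_records(stored, algorithm) == []
    # Simulate an after-the-fact edit of the second record (the failed login).
    tampered = list(stored)
    tampered[1] = (tampered[1][0].replace(b"Failed", b"Accepted"), tampered[1][1])
    return verify_records(tampered, algorithm)


if __name__ == "__main__":
    print("tampered record indices:", demo())
    for name in ALGORITHMS:
        state = "collision resistant" if is_collision_resistant(name) else "weak or unavailable"
        print(f"{name}: {state}")
```

The digest only proves integrity if it is kept somewhere the person who could alter the record cannot also rewrite, which is the point of the legal and audit discussion in step 5; the algorithm choice decides whether a deliberate substitution could be made to collide.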


Section 4-1: Performance, Tuning and Problem Determination

  1. Given an existing QRadar installation, describe types of rules, type of rule conditions, and types of rule responses so that the user knows how to edit and create rules.
    With emphasis on performing the following tasks:
    1. Custom rules include the following rule types:
      1. Event Rule - An event rule performs tests on events as they are processed in real-time by the Event Processor. You can create an event rule to detect a single event (within certain properties) or event sequences. For example, if you want to monitor your network for unsuccessful login attempts, access multiple hosts, or a reconnaissance event followed by an exploit, you can create an event rule. It is common for event rules to create offenses as a response.
      2. Flow Rule - A flow rule performs tests on flows as they are processed in real-time by the QFlow Collector. You can create a flow rule to detect a single flow (within certain properties) or flow sequences. It is common for flow rules to create offenses as a response.
      3. Common Rule - A common rule performs tests on fields that are common to both event and flow records. For example, you can create a common rule to detect events and flows that have a specific source IP address. It is common for common rules to create offenses as a response.
      4. Offense Rule - An offense rule processes offenses only when changes are made to the offense, such as when new events are added or the system scheduled the offense for reassessment. It is common for offense rules to email a notification as a response.
        Anomaly detection rules perform tests on the results of saved flow or event searches as a means to detect when unusual traffic patterns occur in your network. This rule category includes the following rule types:
        Anomaly - An anomaly rule tests event and flow traffic for abnormal activity such as the existence of new or unknown traffic, which is traffic that suddenly ceases, or a percentage change in the amount of time an object is active. For example, you can create an anomaly rule to compare the average volume of traffic for the last 5 minutes with the average volume of traffic over the last hour. If there is more than a 40% change, the rule generates a response.
        Threshold - A threshold rule tests event and flow traffic for activity that is less than, equal to, or greater than a configured threshold, or within a specified range. Thresholds can be based on any data collected by QRadar. For example, you can create a threshold rule specifying that no more than 220 clients can log into the server between 8 am and 5 pm. The threshold rule generates an alert when the 221st client attempts to login.
        Behavioral - A behavioral rule tests event and flow traffic for volume changes in behavior that occurs in regular seasonal patterns. For example, if a mail server typically communicates with 100 hosts per second in the middle of the night and then.
        Rule Conditions:
        The tests in each rule can also reference other building blocks and rules. You are not required to create rules in any specific order because the system checks for dependencies each time a new rule is added, edited, or deleted. If a rule that is referenced by another rule is deleted or disabled, a warning is displayed and no action is taken.
        Each rule may contain the following components:
        Functions - With functions, you can use building blocks and other rules to create a multi-event, multi-flow, or multi-offense function. You can connect rules using functions that support Boolean operators, such as OR and AND. For example, if you want to connect event rules, you can use the "when an event matches any or all of the following rules" function. For a complete list of functions, see Rule Tests.
        Building blocks - A building block is a rule without a response and is used as a common variable in multiple rules or to build complex rules or logic that you want to use in other rules. You can save a group of tests as building blocks for use with other functions. Building blocks allow you to re-use specific rule tests in other rules. For example, you can save a building block that includes the IP addresses of all mail servers in your network and then use that building block to exclude those hosts from another rule. The default building blocks are provided as guidelines, which should be reviewed and edited based on the needs of your network. For a complete list of building blocks, see the QRadar Administration Guide.
        Tests - You can run tests on the property of an event, flow, or offense, such as source IP address, severity of event, or rate analysis. For a complete list of tests, see Rule Tests.
        Event Rule Tests
        This section provides information on the event rule tests you can apply to the rules, including:
        Host Profile Tests
        IP/Port Tests
        Event Property Tests
        Common Property Tests
        Log Source Tests
        Function - Sequence Tests
        Function - Counter Tests
        Function - Simple Tests
        Date/Time Tests
        Network Property Tests
        Function - Negative Tests
        Flow Rule Tests include:
        Host Profile Tests
        IP/Port Tests
        Flow Property Tests
        Common Property Tests
        Function - Sequence Tests
        Function - Counter Tests
        Function - Simple Tests
        Date/Time Tests
        Network Property Tests
        Function - Negative Tests
        Common Rule Tests can be applied to both event and flow records, including:
        Host Profile Tests
        IP/Port Tests
        Common Property Tests
        Function - Sequence Tests
        Function - Counter Tests
        Function - Simple Tests
        Date/Time Tests
        Network Property Tests
        Function - Negative Tests
        Offense Rule Tests - tests you can apply to the offense rules, including:
        IP/Port Tests
        Function Tests
        Date/Time Tests
        Log Source Tests
        Offense Property Tests
        Anomaly Rule Tests
        Anomaly Tests
        Time Threshold Tests
        Behavioral Rule Tests
        This section provides information on the behavioral rule tests you can apply to the rules, including:
        Behavioral Tests
        Time Threshold Tests
        Threshold Rule Tests
        This section provides information on the threshold rule tests you can apply to the rules, including:
        Field Threshold Tests
        Time Threshold Tests
        Rule Responses - when rule conditions are met, the rule can trigger one or more of the following responses:
        Creating an offense.
        Sending an email.
        Generating system notifications using the Dashboard feature.
        Creating or adding data to reference sets.
        The Rules tab allows you to create a rule to import event and flow data into a reference set. A reference set is a set of data, such as a list of IP addresses or user names. After you create a reference set, you can create rules to detect when log or network activity associated with the reference set occurs on your network.
        You can create a reference set to contain data derived from an external file. For example, you can create a reference set to retain data about terminated employees. First, you add a log source to import a text file containing terminated employee data, such as IP addresses and user names. Then, using the Custom Rule Wizard, create a reference set specifying which data you want to retain from the external file. For more information about adding a log source, see the Log Sources User Guide.
        When a reference set is created, you create a rule that generates a response when a reference set element, such as the IP address of a terminated employee, is detected on your network.
        Generating a response to an external system, including the following server types:
        Local Syslog - Syslog is a standard that allows you to store event, flow, and offense information in a software-independent log file. Using the Rules wizard, you can configure rules to generate a syslog file.
        Forwarding Destinations - QRadar allows you to forward raw log data received from log sources and QRadar-normalized event data to one or more vendor systems, such as ticketing or alerting systems. On the QRadar user interface, these vendor systems are called forwarding destinations.
        Simple Network Management Protocol (SNMP) - The SNMP protocol enables QRadar to send event, flow, and offense notifications to another host to be stored. Using the Rules wizard, you can configure rules to generate a response that includes sending SNMP traps to the configured host.
        Interface For Metadata Access Points (IF-MAP) - The Interface For Metadata Access Points (IF-MAP) rule response enables QRadar to publish alert and offense data derived from events, flows, and offense data on an IF-MAP server.
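Added example, not from the page and not QRadar's Custom Rule Engine: a Python rendering of the two worked rules above, the threshold rule (no more than 220 clients logging in to a server between 8 am and 5 pm, firing at the 221st) and the anomaly rule (average volume over the last 5 minutes against the last hour, firing above a 40% change). The event fields, category names, IP addresses, the per-minute rate comparison and the sample data are constructed assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    category: str  # constructed category names such as "login" or "http"


def threshold_rule(events: List[Event], dst: str, limit: int,
                   start: time, end: time) -> Optional[Event]:
    """Page example: no more than `limit` clients may log in to `dst` between
    `start` and `end`. Returns the event that breaks the threshold (the 221st
    distinct client for limit=220) or None if it is never exceeded."""
    seen_clients = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.dst != dst or e.category != "login":
            continue
        if not (start <= e.ts.time() <= end):
            continue
        seen_clients.add(e.src)
        if len(seen_clients) > limit:
            return e
    return None


def anomaly_rule(events: List[Event], now: datetime,
                 short: timedelta = timedelta(minutes=5),
                 long: timedelta = timedelta(hours=1),
                 max_pct_change: float = 40.0) -> Optional[float]:
    """Page example: compare the average per-minute volume over the last 5
    minutes with the average over the last hour. Returns the percentage change
    when it exceeds 40% in either direction, else None."""
    short_n = sum(1 for e in events if now - short <= e.ts <= now)
    long_n = sum(1 for e in events if now - long <= e.ts <= now)
    short_rate = short_n / (short.total_seconds() / 60)
    long_rate = long_n / (long.total_seconds() / 60)
    if long_rate == 0:
        return None  # no baseline yet; a real rule would keep collecting
    change = (short_rate - long_rate) / long_rate * 100.0
    return change if abs(change) > max_pct_change else None


# --- constructed sample data ----------------------------------------------
def make_logins(n: int, server: str = "10.0.0.5",
                day: datetime = datetime(2024, 1, 1)) -> List[Event]:
    """n distinct clients logging in to `server` from 09:00, one per second."""
    base = day.replace(hour=9)
    return [Event(base + timedelta(seconds=i), f"10.1.{i // 256}.{i % 256}", server, "login")
            for i in range(n)]


def make_traffic(now: datetime, burst: int = 0) -> List[Event]:
    """One event per minute for the last hour (baseline) plus `burst` extra
    events two minutes ago to simulate a sudden volume change."""
    events = [Event(now - timedelta(minutes=i), "10.2.0.1", "10.0.0.80", "http")
              for i in range(1, 61)]
    events += [Event(now - timedelta(minutes=2), "10.2.0.2", "10.0.0.80", "http")
               for _ in range(burst)]
    return events


def threshold_demo(n_clients: int) -> Optional[str]:
    """Source IP of the client that breaks the 220-client limit, or None."""
    hit = threshold_rule(make_logins(n_clients), "10.0.0.5", 220, time(8, 0), time(17, 0))
    return hit.src if hit else None


def anomaly_demo(burst: int) -> Optional[float]:
    """Percentage change reported by the anomaly rule for a given burst size."""
    now = datetime(2024, 1, 1, 12, 0)
    return anomaly_rule(make_traffic(now, burst=burst), now)


if __name__ == "__main__":
    print("220 clients:", threshold_demo(220), "| 221 clients:", threshold_demo(221))
    print("steady traffic:", anomaly_demo(0), "| with burst:", anomaly_demo(10))
```

Both functions deliberately count distinct clients and compare rates rather than raw counts; that is what keeps the threshold from firing on one noisy client and the anomaly rule from firing merely because the short window is shorter than the long one.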
  2. Given an existing QRadar installation, configure server discovery and server building blocks so that QRadar is tuned to minimize false positives.
    With emphasis on performing the following tasks:

    To use server discovery to populate server building block automatically:
    NOTE - Server Discovery requires enough flow data to populate assets with active ports. This can take anywhere from a day to a week.
    The Server Discovery function uses the Asset Profile database to discover different server types based on port definitions, and then allows you to select which servers to add to a server-type building block for rules. This feature makes the discovery and tuning process simpler and faster by providing a quick mechanism to insert servers into building blocks.
    The Server Discovery function is based on server-type building blocks. Ports are used to define the server type so that the server-type building block essentially functions as a port-based filter when searching the Asset Profile database. For more information on building blocks, see the QRadar User Guide.
    To discover servers:
    Step 1: Click the Assets tab.
    Step 2: On the navigation menu, click Server Discovery. The Server Discovery pane is displayed.
    Step 3: From the Server Type list box, select the server type you want to discover.
    Step 4: Select the option to determine the servers you want to discover, including:
    All - Search all servers in your deployment with the currently selected Server Type.
    Assigned - Search servers in your deployment that have been previously assigned to the currently selected Server Type.
    Unassigned - Search servers in your deployment that have not been previously assigned.
    Step 5: From the Network list box, select the network you want to search.
    Step 6: Click Discover Servers.
    The discovered servers are displayed.
    Step 7: In the Matching Servers table, select the check boxes of all servers you want to assign to the server role.
    NOTE - If you want to modify the search criteria, click either Edit Port or Edit Definition. The Rules Wizard is displayed. For more information on the rules wizard, see the QRadar User Guide.
    Step 8: Click Approve Selected Servers.
    Manually populate the server building blocks
    Step 1: Open the rule by clicking Offenses > Rules.
    Step 2: Change Display to Building Blocks.
    Step 3: Change the Group to Host Definitions.
    Step 4: Edit each building block accordingly.
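Added example, not the product's own code: a Python model of server discovery as described above, treating each server type as a port-based filter over the asset profile database, restricting results to the selected network, honouring the All / Assigned / Unassigned scopes, and writing approved servers into a per-type host-definition building block. The port definitions, the asset records and the reading of Unassigned as "not yet in the selected server type's building block" are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed port definitions for three server types. In QRadar the real
# definitions live in the server-type building blocks and are changed with
# Edit Port / Edit Definition; these numbers are assumptions of this example.
DEFAULT_SERVER_TYPE_PORTS: Dict[str, Set[int]] = {
    "Web Servers": {80, 443, 8080},
    "Mail Servers": {25, 465, 587},
    "DNS Servers": {53},
}

# Constructed asset profile records: IP plus the ports seen to be responsive.
ASSETS: List[Dict[str, object]] = [
    {"ip": "10.0.1.10", "ports": {22, 80, 443}},
    {"ip": "10.0.1.25", "ports": {22, 25, 587}},
    {"ip": "10.0.1.53", "ports": {53}},
    {"ip": "10.0.2.10", "ports": {443}},
    {"ip": "10.0.1.99", "ports": {22}},   # no server port: never discovered
]


class ServerDiscovery:
    def __init__(self, assets: List[Dict[str, object]]) -> None:
        self.assets = assets
        self.port_definitions = {k: set(v) for k, v in DEFAULT_SERVER_TYPE_PORTS.items()}
        # One host-definition building block per server type, holding approved IPs.
        self.building_blocks: Dict[str, Set[str]] = {k: set() for k in self.port_definitions}

    def edit_port_definition(self, server_type: str, ports: Set[int]) -> None:
        """Users can re-define the ports that identify a server type."""
        self.port_definitions[server_type] = set(ports)

    def discover(self, server_type: str, network: str, scope: str = "Unassigned") -> List[str]:
        """IPs in `network` whose responsive ports match the server type,
        filtered by scope: All, Assigned (already in the building block) or
        Unassigned (not yet in it)."""
        ports = self.port_definitions[server_type]
        net = ipaddress.ip_network(network, strict=False)
        approved = self.building_blocks[server_type]
        matches: List[str] = []
        for asset in self.assets:
            ip = str(asset["ip"])
            if ipaddress.ip_address(ip) not in net:
                continue
            if not (set(asset["ports"]) & ports):
                continue
            assigned = ip in approved
            if scope == "Assigned" and not assigned:
                continue
            if scope == "Unassigned" and assigned:
                continue
            matches.append(ip)
        return matches

    def approve(self, server_type: str, ips: List[str]) -> List[str]:
        """Approve Selected Servers: add the chosen IPs to the building block."""
        self.building_blocks[server_type].update(ips)
        return sorted(self.building_blocks[server_type])


if __name__ == "__main__":
    sd = ServerDiscovery(ASSETS)
    found = sd.discover("Web Servers", "10.0.1.0/24")
    print("unassigned web servers in 10.0.1.0/24:", found)
    print("building block now:", sd.approve("Web Servers", found))
    print("still unassigned in 10.0.0.0/16:", sd.discover("Web Servers", "10.0.0.0/16"))
```

Filtering by network before approving is the step that keeps a large deployment's result list reviewable, and the approval step is deliberately separate from discovery: a port match alone says only that something answered on that port, not that the host is a sanctioned server of that type.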
  3. Given the QRadar product documentation and access to the user interface, explain what rules and building blocks are and demonstrate how to use the Rule Editor so that you can demonstrate understanding of rules and building blocks.
    With emphasis on performing the following tasks:
    1. Log on to the main GUI of QRadar.
    2. Navigate to either the Log Activity, Network Activity or Offense tabs.
    3. If on one of the activity tabs, select the Rules option from Rules drop-down menu. If in the Offense tab, select Rules from the left hand menu pane.
    4. Within the Rules editor, the user can see the list of the current rules defined within the default template provided with QRadar.
    5. The user can select a rule group from Group drop-down menu or search for rule in the free text search field on the upper right portion of the screen.
    6. To create a rule, open the Actions drop-down menu and select one of the rule options:
      1. Event Rule - Rules that only apply to log events or events generated by the Custom Rule Engine.
      2. Flow Rule - Rules that only apply to network events (e.g. QFlow).
      3. Common Rule - Rules that can apply to log events and network events
      4. Offense Rule - Rules that apply to the nature of Offenses.
    7. In the Rule Wizard screen, the user will be shown the current state of the rule as well as the possible tests that can be added. A test is a set of conditions that must be met in order to be true. The user can either double click a test name or select the plus symbol at the left of the test name to add it to the current rule.
    8. The user can also associate the rule with a rule group by selecting the name of the group at the bottom of the Wizard.
    9. The user can also add notes to the Rule which will describe the nature of the rule for other users of QRadar.
    10. If the user wants to reuse the set of tests for other rules, they can select the Export as Building Block. A Building Block is a set of tests with no resulting actions. Building Block are used throughout the default rule set to describe like events, server types, and other components.
    11. If the user has decided to continue with building a rule, they will select the Next button, which will bring up the Rule Response screen.
    12. The Rule Response screen defines both the actions taken on the triggering event, flow, or offense and the responses generated when the rule is true.
      1. Rule Actions
        -Severity (Event, Flow, Common only) - adjust the severity of the event/flow/offense.
        -Credibility (Event, Flow, Common only) - adjust the credibility of the event/flow/offense.
        -Relevance (Event, Flow, Common only) - adjust the relevance of the event/flow/offense.
        -Ensure the detected event is part of an offense (Event, Flow, Common only) - If selected, the event/flow will be associated with an offense based on the index criteria. Further options include annotating the offense or associating further events/flows that match the index with the same offense.
        -Annotate event/offense - For offenses, the rule can rename the offense.
        -Drop the detected event (Event, Flow, Common only) - Useful for building custom tuning rules, this will drop the event/flow from the correlation engine.
      2. Rule Responses
        -Dispatch New Event (Event, Flow, Common only) - generate a new event with a user defined name and description, SRC (severity, credibility, relevance) scoring, and categorization. Additional options include annotating the offense or associating further events/flows that match the index with the same offense.
        -Email - Send an email to the provided address when the rule is true.
        -Send to Local Syslog - generate a syslog entry in the local log when the rule is true.
        -Send to Forwarding Destination - generate a syslog entry to a remote location.
        -Notify (Event, Flow, Common only) - Send a "system notification" (e.g. pop-up) when the rule is true.
        -Add to a Reference Set (Event, Flow, Common only) - Add an element of the event and/or flow to a reference set. Options include creating a new one or adding to an existing one.
      3. Response Limiter - Useful for testing, limit the responses to be generated to the interval selected.
    13. Select whether to enable the rule immediately at the bottom of the Wizard screen.
    14. Click Next.
    15. The user can review the summary of the rule created, and then click Finish.
    16. If not already enabled, the user can select the rule name, and click Enable/Disable from the Actions drop-down.
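Added example, not QRadar's own implementation: a small Python rule engine illustrating the relationships described above (tests grouped into a building block with no responses, a rule that reuses the building block through a negative test, any/all matching, rule actions and responses, and a "drop" tuning rule of the kind the False Positive Wizard in item 5 below produces for one QID and one source/destination pair). The event fields, the QID value, the IP addresses and the assumption that a drop ends evaluation of that event are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, object]
Test = Callable[[Event], bool]


@dataclass
class BuildingBlock:
    """A set of tests with no responses; rules reference it instead of
    repeating the tests (here: the host definition for approved mail servers)."""
    name: str
    tests: List[Test]

    def matches(self, e: Event) -> bool:
        return all(t(e) for t in self.tests)


@dataclass
class Rule:
    name: str
    tests: List[Test]
    match: str = "all"                                   # "all" = AND, "any" = OR
    actions: List[str] = field(default_factory=list)     # e.g. "offense", "drop"
    responses: List[str] = field(default_factory=list)   # e.g. "email", "refset:<name>"
    enabled: bool = True

    def matches(self, e: Event) -> bool:
        results = [t(e) for t in self.tests]
        return all(results) if self.match == "all" else any(results)


def not_in(bb: BuildingBlock) -> Test:
    """Negative test: true when the event does NOT match the building block."""
    return lambda e: not bb.matches(e)


@dataclass
class Engine:
    rules: List[Rule]
    reference_sets: Dict[str, Set[str]] = field(default_factory=dict)
    offenses: List[str] = field(default_factory=list)

    def process(self, e: Event) -> List[str]:
        """Evaluate enabled rules in order and return the names that fired.
        Assumption of this toy engine: a "drop" action removes the event from
        correlation, so no later rule sees it."""
        fired: List[str] = []
        for r in self.rules:
            if not r.enabled or not r.matches(e):
                continue
            fired.append(r.name)
            if "offense" in r.actions:
                self.offenses.append(f"{r.name}: {e['src']} -> {e['dst']}")
            for resp in r.responses:
                if resp.startswith("refset:"):
                    self.reference_sets.setdefault(resp[len("refset:"):], set()).add(str(e["src"]))
            if "drop" in r.actions:
                break
        return fired


# --- constructed rule set (IPs and the QID are placeholders) -----------------
BB_MAIL_SERVERS = BuildingBlock("BB:HostDefinition: Mail Servers",
                                [lambda e: e["src"] in {"10.0.0.25", "10.0.0.26"}])

# What the False Positive Wizard produces with default choices: one QID for
# one source/destination pair, dropped before it can contribute to an offense.
TUNE_RULE = Rule("Tune: QID 12345 from 10.0.0.12 to 198.51.100.9",
                 [lambda e: e["qid"] == 12345,
                  lambda e: e["src"] == "10.0.0.12",
                  lambda e: e["dst"] == "198.51.100.9"],
                 actions=["drop"])

# Policy rule reusing the building block to exclude the real mail servers.
SMTP_RULE = Rule("Policy: outbound SMTP from a non-mail-server host",
                 [lambda e: e["dst_port"] == 25, not_in(BB_MAIL_SERVERS)],
                 actions=["offense"],
                 responses=["refset:rogue_smtp_sources", "email"])


def run_samples() -> Tuple[Dict[str, List[str]], Engine]:
    """Push three constructed events through a fresh engine."""
    engine = Engine([TUNE_RULE, SMTP_RULE])
    samples: Dict[str, Event] = {
        "mail server": {"qid": 1, "src": "10.0.0.25", "dst": "198.51.100.9", "dst_port": 25},
        "workstation": {"qid": 1, "src": "10.0.0.77", "dst": "198.51.100.9", "dst_port": 25},
        "tuned out": {"qid": 12345, "src": "10.0.0.12", "dst": "198.51.100.9", "dst_port": 25},
    }
    return {k: engine.process(v) for k, v in samples.items()}, engine


if __name__ == "__main__":
    results, engine = run_samples()
    for label, fired in results.items():
        print(f"{label:12s} -> {fired or 'no rule fired'}")
    print("offenses:", engine.offenses)
    print("reference sets:", engine.reference_sets)
```

Note what the order of rules does to the third event: because the tuning rule drops it, the policy rule never sees it, which is exactly why a tuning rule should be as narrow as the default QID plus source/destination pair before being broadened to a whole category or to any source or destination.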
  4. Given QRadar V7.1, describe the use of assets within Qradar and how to define them so that QRadar has the proper contextual information.
    With emphasis on performing the following tasks:
    1. Assets are defined by:
      1. Any host observed based on flow data (passive).
      2. Hosts whose identity information is provided by event logs.
      3. Hosts that are identified by a VA or Active Network Scan.
      4. Hosts that are manually added into the database.
    2. The Asset interface can be accessed by:
      1. Clicking the Assets tab.
    3. The Assets interface is organized into three tools:
      1. Asset Profiles: Provide an interface to search and edit stored asset profile data.
      2. Server Discovery: Finds all hosts on the network running a particular service.
      3. VA Scan: Manages scheduling or collection of results from vulnerability scanners.
    4. The Asset Profiles Interface toolbar provides:
      1. Modify Search: Find assets that meet a certain criteria.
      2. Add Asset: Add an asset record in manually.
      3. Edit Asset: Edit an existing record (can also be accessed by double clicking on the asset summary record).
      4. Actions: Delete Asset, Delete Listed, Import Assets, Export to XML, Export to CSV.
      5. Print: Print the search results.
    5. The Actions menu provides:
      1. Delete Asset: deletes the selected asset. This is useful if a system has been replaced or number of changes have been made to the services that run on the host.
        ** If the asset is rediscovered passively, a new asset record will be created.
      2. Delete Listed: Deletes all the assets that meet the current search criteria.
      3. Import Assets: Import a list of assets via a CSV file in the following format:
        IP, Name, Weight (1-10), Description
        ** Import will fail with line numbers if a field does not match the criteria above or if there are duplicate IP addresses. Note that none of the entries will import even if there is a single parsing error on the last line. The line number of the error will be reported.
      4. Export as XML: XML export of all results.
      5. Export as CSV: Comma Separated Value export of all results.
    6. The Search Feature
      1. Allows you to search host profiles, assets, and identity information.
      2. Identity information provides additional details about log sources on your network, including DNS information, user logins, and MAC addresses.
    7. Search By Vulnerability Attribute:
      1. Third-party scanners report vulnerabilities to QRadar using external references from the Open Source Vulnerability Database (OSVDB) and National Vulnerability Database (NVDB).
      2. Vulnerabilities are assigned a unique reference identifier (OSVDB ID). Additionally, each vulnerability can reference data such as a Common Vulnerabilities and Exposures (CVE) ID or Bugtraq ID.
    8. By selecting an asset of interest, the asset profile for that asset (host) can be displayed:
      1. The Name, Description, Weight, Operating System, Vendor, Version, Override, Business and Technical info, and Location of the asset can be manually modified and saved.
      2. Ports and Vulnerabilities provides a list of all ports observed to be responsive, including the first and last time the response was detected.
    9. The following information can be stored for each asset:
      1. Name
      2. Description
      3. IP Address
      4. Network
      5. Host Name(DNS)
      6. Risk Level
      7. Operating System
      8. Vendor
      9. Version
      10. Override
      11. Asset Weight: ranked 0 (Not Important) through 10 (Very Important)
      12. Mac
      13. Machine Name
      14. User Name
      15. Extra Data
      16. Network
      17. Host Name
      18. User Group
      19. Business Owner
      20. Business Owner Contact Info
      21. Technical Owner
      22. Technical Owner Contact Info
      23. Location
    10. To add an asset:
      1. Click the Asset tab.
      2. Click Add Asset.
      3. Complete information in Asset profile window.
        -Note that only an IP address and an Asset Weight are required for creating an asset.
    11. To import a list of assets:
      1. Click the Asset tab.
      2. Click Actions.
      3. Click Import Assets.
      4. Click Browse.
        -Browse to the file you wish to import.
        -Note that the file must be a CSV file.
      5. Import supports following format: IP, Name, Weight (1-10), Description.
      6. Click Import Assets.
      7. ** Import will fail with line numbers if a field does not match the criteria above or if there are duplicate IP addresses. Note that none of the entries will import even if there is a single parsing error on the last line. The line number of the error will be reported.
      8. Note that you can import and update existing asset names, weights, and descriptions. The import will overwrite the Name, Weight, and Description fields of any assets currently existing in the Asset Database.
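Added example that is not part of the page and not QRadar's importer: a Python validator for the IP, Name, Weight (1-10), Description file format described in items 5 and 11 above. It reports each bad line by number, rejects duplicate IPs, imports nothing if any line fails, and overwrites only the Name, Weight and Description of assets that already exist. The sample CSV contents and the in-memory asset database are constructed.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

Asset = Dict[str, object]


def parse_asset_csv(text: str) -> Tuple[Dict[str, Asset], List[str]]:
    """Validate the IP, Name, Weight (1-10), Description format.
    Returns (assets keyed by IP, errors). If any line is bad the assets dict is
    empty, mirroring the all-or-nothing behaviour described on the page."""
    assets: Dict[str, Asset] = {}
    first_line: Dict[str, int] = {}
    errors: List[str] = []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, fields in enumerate(reader, start=1):
        if not any(f.strip() for f in fields):
            continue  # blank line
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 fields, found {len(fields)}")
            continue
        ip_text, name, weight_text, description = (f.strip() for f in fields)
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            errors.append(f"line {lineno}: invalid IP address {ip_text!r}")
            continue
        try:
            weight = int(weight_text)
            if not 1 <= weight <= 10:
                raise ValueError
        except ValueError:
            errors.append(f"line {lineno}: weight must be an integer from 1 to 10, found {weight_text!r}")
            continue
        if ip in first_line:
            errors.append(f"line {lineno}: duplicate IP address {ip} (first seen on line {first_line[ip]})")
            continue
        first_line[ip] = lineno
        assets[ip] = {"name": name, "weight": weight, "description": description}
    return ({} if errors else assets), errors


def import_assets(db: Dict[str, Asset], text: str) -> List[str]:
    """Apply a validated import to the asset database in place. Existing
    assets get Name, Weight and Description overwritten and keep their other
    fields; new IPs are added. Returns the error list (empty on success)."""
    parsed, errors = parse_asset_csv(text)
    if errors:
        return errors
    for ip, row in parsed.items():
        db.setdefault(ip, {}).update(row)
    return []


# Constructed sample files (not real inventory data).
GOOD_CSV = """\
10.0.0.5, dc01, 10, Domain controller
10.0.0.25, mail01, 8, Mail relay
"10.0.0.80", "web01", 5, "Public web, customer portal"
"""

BAD_CSV = GOOD_CSV + "10.0.0.5, dup, 3, duplicate IP\n10.0.0.90, bad, 11, weight out of range\n"


if __name__ == "__main__":
    db: Dict[str, Asset] = {"10.0.0.5": {"name": "old-dc", "weight": 2, "description": "old", "os": "Windows"}}
    print("bad file:", import_assets(db, BAD_CSV))
    print("good file:", import_assets(db, GOOD_CSV) or "imported", len(db), "assets")
    print("dc01 after import:", db["10.0.0.5"])
```

Running the validator before uploading is cheaper than reading the importer's error, and the overwrite rule in the last step is the one to check with the customer: a careless file silently replaces names and weights on assets that rules and reports already depend on.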
    12. The Server Discovery function searches the asset profile database for assets with ports open.
      1. When vulnerability scans are performed, operating system, open ports, and vulnerabilities are updated in the asset profiles.
      2. Passive flow data discovers open ports when it sees a number of stateful connections to a port over time.
      3. This port data is filtered by the Server Discovery process, which searches for ports associated with known server types.
      4. Users can re-define the ports for each server type.
      5. There are 3 user defined server types which you can use for other services.
      6. Once servers are discovered, they must be approved.
      7. In large networks it is often best to filter by network to avoid getting too many results.
      8. The server profiles are entered into HostDefinition Building Blocks.
        -The Building Blocks are then updated with the IP addresses of the discovered servers.
        -Building Blocks are then used to tune out false alarms or detect policy and security issues for that server type.
    13. Vulnerability Assessment functionality uses vulnerability scan data to build and populate asset profiles.
      1. In addition to detailing the known characteristics of detected hosts, the vulnerability assessment process uses the Open Source Vulnerability Database to associate observed details with known vulnerabilities.
      2. In this fashion, QRadar can use the vulnerability detection abilities of dedicated third-party scanners, as well as evaluate possible vulnerabilities on its own.
      3. VA scanning can be configured from both the Assets Interface, as well as the Administration Console.
  5. Given an active QRadar console/server appliance, perform the required actions to use the false positive wizard so that events and/or flows can be tuned out.
    With emphasis on performing the following tasks:
    1. Log on to the main GUI of QRadar.
    2. Navigate to either the Log Activity or Network Activity tab.
    3. Select the event or flow that the user will want to tune out. Double click or right click on the event or flow to select the False Positive option.
    4. Click the False Positive Wizard button, which will bring up the False Positive screen.
    5. If the defaults are taken, then only the specific event type (QID) with the source and destination IP address pair will be tuned out.
    6. If the user wants to broaden the tuning by either tuning out the entire Low Level or even High Level category, they then need to make their selection from the Event/Flow Property section. Likewise if the user wants to broaden the tuning to include any source and/or any destination IP address, they need to make their selection from the Traffic Direction section.
    7. The user can then just click the Tune button after making their tuning choices.
  6. Given QRadar is operational, configure log source groups so that Log sources can be managed efficiently.
    With emphasis on performing the following tasks:
    1. Create Log Source Groups:
      1. Select Admin tab.
      2. Select and click Log Source Groups icon.
      3. Select New Group.
      4. Type Group Name and brief description.
      5. Click OK.
    2. Assign Log Sources to Log Source Groups:
      1. From Admin tab Select Log Source Groups.
      2. Select Other Group.
      3. Double click on log source.
      4. Window pops up showing available groups.
      5. Select target group(s).
      6. Select Assign Groups.
    3. Assign Log Sources to Log Sources Groups (Different Method):
      1. From Admin tab Select Log Sources.
      2. Highlight Log Sources.
      3. Select Assign icon.
      4. Select target group(s).
      5. Select Assign Groups.
  7. Given that events are visible in the Log or Network Activity panel, use the Event Detail screen to extract or calculate additional information from the payload so that you may use that data for rule building, reporting, and/or other analysis.
    With emphasis on performing the following tasks:
    1. Access the QRadar user interface.
    2. Open the Log Activity panel (alternately Network Activity panel).
    3. Pause the stream by clicking on the || sign at top right of window.
    4. Select any event, and click on any field to open the Event Information panel.
    5. Click on Extract Property found above the title Event Information to open the Custom Event Properties panel.
    6. Decide if you want to extract a specific item from the payload, or calculate a new item from existing data. Click Regex or Calculation based on choice.
    7. Choose either Existing Property or New Property.
    8. If new, provide a name, type, and description.
    9. If you intend to use this property in rules, reports, or searches, then check the box for Optimize parsing for rules, reports, and searches. Note that custom properties do not appear in the rules wizard property lists unless this option is selected.
    10. To define the data element as a property, complete the Property Expression Definition section.
      1. For a Regex Based property, select Log Source Type, Log Source, Event Name or Category, and provide a regular expression to extract the data. Use the Test button to ensure that your regular expression is correct. If the expression is correct, the data will be highlighted in the Test Field box on the panel.
      2. For a Calculation Based property, provide the values of two existing properties and an operator to calculate the new data element.
    11. Click Save, which will return to the Event Information panel.
    12. Check to see that the newly extracted property name is visible, and data element provided in the Event Information panel.
  8. Given the Global System Notification Interface, configure the SAR thresholds so that SAR thresholds are configured for the environment in question.
    With emphasis on performing the following tasks:

    Logs of crossed thresholds are written to /var/log/systemStabMon/[yyyy]/[mm]/[dd].
    The system load in the Linux operating system indicates the number of concurrent processes that are running in the indicated time period. There are 3 load average monitors: 1, 5 and 15 minutes. Messages are displayed and sent when there are more than X active, running processes in that time period.
    Threshold values should be increased if there are a number of QRadar Console users.
    Global System Notification pop-up notifications can be disabled in the User Preferences.
    Configure System Notifications:
    1. Click the Admin tab.
    2. On the navigation menu, click System Configuration.
    3. Click the Global System Notifications icon.
    4. Enter values for the parameters. For each parameter, you must select the following options:
      1. Enabled - Select the check box to enable the option.
      2. Respond if value is - From the list box, select one of the following options:
        -Greater Than - An alert occurs if the parameter value exceeds the configured value.
        -Less Than - An alert occurs if the parameter value is less than the configured value.
      3. Resolution Message - Type a description of the preferred resolution to the alert.
    5. Click Save.
    6. On the Admin tab menu, click Deploy Changes.


Section 4-2: Performance, Tuning and Problem Determination

  1. Given log sources and events, create and manage search criteria so that a user will have the ability to query on saved criteria.
    With emphasis on performing the following tasks:
    1. Create searches from Events or Flows:
      1. Choose one of the following options:
      2. To search events, click the Log Activity tab. To search flows, click the Network Activity tab.
      3. From the Search list box, select New Search.
      4. The search page is displayed.
      5. Choose one of the following options:
      6. To load a previously saved search:
        -Choose one of the following options:
        -From the Available Saved Searches list, select the desired saved search to load.
        -Or, in the Type Saved Search or Select from List field, type the name of the search you want to load.
        -Click Load.
        -After you load the saved search, the Edit Search pane is displayed.
        -In the Time Range change the time as desired.
        -In the Search Parameters add/remove filters.
        -Select Save Results box.
        -Add/Remove Columns as necessary.
        -Select Search.
        -Results of Search are displayed.
        -Click on Save Criteria Icon to save the search parameters.
      7. To create and save a search from the Search Icon:
        -Select Search -> New Search.
        -Define Time Range.
        -Modify Search parameters.
        -Add/Remove Columns as necessary.
        -Select Search.
        -Results of Search are displayed.
        -Click on Save Criteria Icon to save the search parameters.
      8. Create and save a search from the Log or Network tab:
        -Click Add Filter to define criteria.
        -Add Filters as necessary.
        -Select Save Criteria to save search.
        -Type Search Name.
        -Define Timespan.
        -Define additional parameters (include in quick searches, share with everyone, etc).
        -Assign Search Group.
        -Click OK to Save Search.
      9. Delete a saved search:
        -From Log Activity tab or the Network Activity tab select one of the following:
        -New Search
        -Edit Search
        -Type name of the Search in the box Type Saved Search or Select from List.
        -Select Delete.
  2. Given a series of events, use the rules wizard to parameterize existing or create new Anomaly Rules and to set up Automated Anomaly Analysis so that QRadar will detect and alert on significant changes to event rates or usage patterns.
    With emphasis on performing the following tasks:
    1. From the Log Activity or the Network Activity tab, click on Search.
    2. Define a search that highlights something of interest. Useful items include a volume of activity, such as the number of bytes flowing to a particular port, or a count of activity, such as the number of failed logins.
    3. In the search panel, scroll down to Column Definition and ensure that the volume or count element is part of the Group by selection. Click Search to perform this search.
    4. Click on (Show Charts) to get a graphic display of search results.
    5. Click on the Configure icon in the upper right of the chart to open the configuration options.
    6. Select Value to Graph as the item of interest, Chart Type to Time Series, ensure that Capture Time Series Data is checked, and choose a meaningful Time Range for your system.
    7. To enable Anomaly Rules, click on the Rules button in the menu. Note that it will display Add Anomaly Rule, Add Behavioral Rule, and Add Threshold Rule.
    8. To enable a Threshold Rule:
      1. Click Add Threshold Rule to open the Rules Wizard.
      2. Give the rule a name, and select the clauses from the value (gt, lt, between) or date / days templates given by the wizard, using thresholds appropriate for your system.
      3. Complete the rule response; note that anomaly detection (AD) rules will automatically generate a new event when triggered.
    9. To enable an Anomaly Rule:
      1. Click Add Anomaly Rule to open the Rules Wizard.
      2. Give the rule a name, and select clauses as appropriate. Note that the clauses deal with the average value of the accumulated property over time. This is useful for dealing with short term changes in behavior, or those changes that are not influenced by longer term trends or cycles in volume.
      3. Complete the rule response, noting (as before in 4.10.8.3) that a new event will be generated.
    10. To enable a Behavioral Rule:
      1. Click Add Behavioral Rule to open the rules wizard.
      2. Give the rule a name, and then set up the clauses per local needs. This is a complex topic and requires more discussion.
      3. The behavioral rules use a time series analysis method based on Holt-Winters. This is a well known statistical process based on single, double, and triple exponential smoothing of time series data that seeks to identify patterns of (a) random variation, (b) long term trend, and (c) seasonal or cyclic fluctuation over time.
      4. The clauses provide "current traffic behavior" for measuring the random variation over short durations, "current traffic trend" for measuring movement due to a longer term trend, and finally "current traffic level" for measuring seasonal or cyclic change. Each is assigned a metric from 0 to 100 so you can generate a comparison that detects changes of different relative magnitude.
      5. Additional clauses are used to set a change threshold on the predicted vs. the observed value, as well as to set the length of the seasonal or cyclical period.
      6. The recommendation is to experiment with these settings: start with the default values of 70/30/30 for cyclic/trend/random variation, using a set of historical data to see how sensitive the triggers are to the actual behavior of your data. Modify these values and/or change the cycle length based on the number of events generated, and on whether you believe they are false positives based on your other observations of the system's behavior.
      7. Finish the wizard by assigning an appropriate response. Note that as with the other types of AD rules, a new event will be generated.
    11. Behavioral rules are a very powerful capability of QRadar that may be used to detect new and/or unknown attacks or malicious behaviors using purely statistical methods applied to data patterns. While they are very powerful, they should be studied and understood in context. Statistics provide valuable insight, and the events detected are indeed rare. But statistics cannot determine if an observed value is "bad" or "good", only that it is sufficiently unusual as to warrant further investigation.
    12. From the Offenses tab, click on Rules in the menu on the left side.
    13. Use the Group drop-down selector list, and choose the Anomaly group.
    14. Click on the rule titled Anomaly: Devices with High Event Rates to view the definition statement of the rule.
    15. Note that an anomaly rule contains a condition to be sensed, along with one or more thresholds determining when the anomaly is triggered. For the Anomaly: Devices with High Event Rates, the condition is membership in a list BB:DeviceDefinition: Devices to Monitor for High Event Rates.
    16. On the menu top of panel, use the Display drop-down list to select Building Blocks.
    17. On the same menu, use the Group drop-down list to select Rule/Building Block Groups.
    18. Use the search box to search for BB:DeviceDefinition: Devices to Monitor for High Events.
    19. Double click on the BB definition to open the Rules Wizard. Notice that the rule is governed by a list of these devices, which is highlighted in green.
    20. Double click on the link "these devices" to bring up the window for building a device list. Select the devices needed based on the local security policy.
      1. To configure the remaining anomaly rules, use the same process as subtasks 4.10.16-19 to configure the following Building Blocks:
      2. DeviceDefinition: Devices to Monitor for High Event Rates - list the devices.
      3. NetworkDefinition: DMZ Addresses - provide DMZ addresses
      4. CategoryDefinition: Database Connections - events other than Oracle if desired.
      5. CategoryDefinition: Firewall or ACL Accept - list of events, review and augment as desired.
      6. CategoryDefinition: Firewall or ACL Denies - same
      7. CategoryDefinition: Countries with no Remote Access - tune based on acceptable use policy.
      8. CategoryDefinition: Authentication Success - list of events, review and augment as needed.
      9. NetworkDefinition: Honeypot like Addresses - review and augment definition of "Bogon" (bogus IP address list) as needed.
    21. On the menu at top, use the Display drop-down list to select Rules and the Group drop-down list to select Anomaly thus bringing up a list of the existing anomaly rules.
    22. Review the threshold values in each rule. For example, the Excessive Database Connection rule is triggered for 60 connections to 1 destination in 1 minute. Tailor the 60, 1, and 1 per installation requirements and security policy.
    23. Define a new rule by clicking on the Actions button, and using the drop-down list to select New Event Rule (alternately New Flow / Common / Offense). The rule wizard will open and display the introductory screen.
      1. Choose the event source for the rule.
      2. Use the Test Stack Editor to create a condition to detect the anomaly. Refer to the existing rules for examples.
      3. Set up a rule response.
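As an added illustration of the Holt-Winters method that the behavioral rule steps above (10.3 to 10.6) describe, and not QRadar's own code: an additive Holt-Winters model forecasts an event-count series one interval ahead and flags intervals whose observed value departs from the forecast by more than a tolerance. Treating the 70/30/30 defaults as the seasonal/trend/level smoothing weights, the 4-interval cycle, the counts and the 50% tolerance are all constructed assumptions for this illustration.

```python
"""Holt-Winters (triple exponential smoothing) anomaly check on an event-count
series. Added illustration of the statistics behind behavioral rules; it is
not QRadar's implementation, and the weight mapping below is an assumption."""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Scored:
    index: int
    observed: float
    forecast: float
    deviation: float      # |observed - forecast| / |forecast|
    anomalous: bool


def holt_winters_anomalies(series: Sequence[float], season_len: int,
                           cyclic: float = 0.70, trend_w: float = 0.30,
                           random_w: float = 0.30,
                           tolerance: float = 0.50) -> List[Scored]:
    """Score every interval after the first two cycles against its one-step
    additive Holt-Winters forecast.

    cyclic, trend_w and random_w are the smoothing weights of the seasonal,
    trend and level components (assumed here to play the role of the page's
    cyclic/trend/random-variation percentages, scaled to 0..1). tolerance is
    the relative deviation above which an interval is flagged.
    """
    L = season_len
    if len(series) < 2 * L:
        raise ValueError("need at least two full cycles of data")
    # Initial level: mean of the first cycle.
    level = sum(series[:L]) / L
    # Initial trend: mean per-interval change between cycle 1 and cycle 2.
    trend = sum((series[L + i] - series[i]) / L for i in range(L)) / L
    # Initial seasonal offsets: first cycle minus its mean.
    seasonal = [series[i] - level for i in range(L)]
    scored: List[Scored] = []
    for t in range(2 * L, len(series)):
        y = series[t]
        s = t % L
        forecast = level + trend + seasonal[s]
        deviation = abs(y - forecast) / max(abs(forecast), 1.0)
        scored.append(Scored(t, y, forecast, deviation, deviation > tolerance))
        # Update with the observation clipped to the tolerated band so that a
        # single burst does not drag the forecast for the following intervals.
        band = tolerance * abs(forecast)
        y_fit = min(max(y, forecast - band), forecast + band)
        new_level = random_w * (y_fit - seasonal[s]) + (1 - random_w) * (level + trend)
        trend = trend_w * (new_level - level) + (1 - trend_w) * trend
        seasonal[s] = cyclic * (y_fit - new_level) + (1 - cyclic) * seasonal[s]
        level = new_level
    return scored


# Constructed sample: failed-login counts per 15-minute interval with a
# 4-interval cycle (10, 20, 30, 20) repeated five times and one burst at
# index 14.
SAMPLE_COUNTS: List[float] = [10, 20, 30, 20] * 5
SAMPLE_COUNTS[14] = 90


def flagged_intervals(series: Sequence[float] = SAMPLE_COUNTS,
                      season_len: int = 4, **weights) -> List[int]:
    """Indexes of the intervals a rule built on this model would fire on."""
    return [p.index for p in holt_winters_anomalies(series, season_len, **weights)
            if p.anomalous]


if __name__ == "__main__":
    for p in holt_winters_anomalies(SAMPLE_COUNTS, 4):
        print(f"t={p.index:2d} observed={p.observed:5.1f} forecast={p.forecast:6.2f} "
              f"deviation={p.deviation:4.2f}{'  <-- anomaly' if p.anomalous else ''}")
```

Lowering the tolerance or the cyclic weight makes the intervals right after the burst fire as well, which is the false-positive effect the tuning advice above refers to.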
  3. Given a source of data, define a UDSM to collect events, extract a sample of events, prepare a LSX document, upload and apply the LSX so that events from the UDSM appear in the Log Activity panel with the columns (fields) populated from the events payload details.
    With emphasis on performing the following tasks:
    1. Define a UDSM
      1. Open the Admin tab and click the Log Sources icon.
      2. Click on the Add button to bring up the Add a log source panel.
      3. From the Log Source Type drop-down, select the Universal DSM
      4. From the Protocol Configuration drop-down, select the protocol that will be used to collect this type of log data. Research the documentation for the source to determine the characteristics and means of data storage and retrieval.
        5. Complete the definition of the UDSM based on the protocol selected and the documentation for the source of data. Some common skill examples follow.
        -For syslog, be able to configure remote device to send syslog events to QRadar by updating its configuration file with target IP and Port.
        -For JDBC, be able to define a new user who has connect capability to the database and grant rights to read the desired tables.
        -For log file, be able to define a new user on the platform, enable SSH, SFTP, etc, and create keys for SSH connections.
      6. Click Save and then Click Deploy Changes from the Admin tab.
      7. Export sample of Logs.
      8. Create a search.
        -From the Log Activity tab, click Search -> Edit Search.
        - Specify a Time Range.
        - Specify the Log Source and click Search. Wait for search to complete.
      9. Export the Log Data so it may be inspected.
        -Click on Actions -> Export to CSV, select Export All Columns, provide a file name, and save to disk.
        -Open the file with Excel or another spreadsheet. The raw event data can be located through inspection: locate the column with the base64-encoded message. This is the column that contains the raw data. Use a base64 decoder to translate it into text.
        -Paste results into an editor such as Notepad++.
    2. Review the Logs, Determine field usage.
      1. Obtain a copy of the LSX template from qmmunity.
      2. Inspect raw log data and identify location of the data in each event type for the fields (as many as are available) that correspond to the columns of the Log Activity display.
    3. Prepare LSX document:
      1. Rename template.
      2. Determine regular expression to extract data for each applicable field in the Pattern section.
      3. Code the regular expression into the pattern tag for each applicable field.
      4. Edit the matcher tags to provide the pattern-id of the respective pattern tags.
      5. Delete any unused pattern and matcher entries.
    4. Upload and Apply the LSX:
      1. From the Admin tab, click on LSXs to open the LSX panel.
      2. Click on Add to open the Add a LSX panel.
      3. Assign an LSX name to identify this type of parsing.
      4. Select the Use Condition as "Parsing Override".
      5. Make sure "Set to default for" box is empty, remove any entries if present.
      6. Click Browse and navigate to the LSX document prepared above.
      7. Click Save to create this LSX.
      8. From the Admin tab, click on Log Sources, to open the Log Source list.
      9. Double click on the UDSM defined in task 4.11.1
      10. Set the LSX to the name 4.11.5.3 by using the drop-down box.
      11. Set the Extension Use Condition to Parsing Override.
      12. Click Save.
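Added helper (not an IBM tool) for the Prepare LSX steps above: it reads the pattern and matcher entries of an LSX, runs each pattern against exported sample events and reports which fields would stay empty, so the regular expressions can be checked before the upload step. The minimal LSX and the firewall-style syslog lines are constructed; attribute names beyond pattern, matcher and pattern-id (field, capture-group, match-group) are assumptions, so check them against the template downloaded from qmmunity, and only regex features common to Java and Python are used.

```python
"""Check LSX regular expressions against exported sample events before upload.
Added helper, not an IBM tool. Element names other than pattern, matcher and
pattern-id are assumptions to be checked against the real LSX template."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed minimal LSX for a hypothetical firewall syslog format.
SAMPLE_LSX = r"""<device-extension>
  <pattern id="EventNameParser"><![CDATA[^<\d+>\S+\s+\d+\s+[\d:]+\s+\S+\s+(\w+):]]></pattern>
  <pattern id="SourceIpParser"><![CDATA[\bsrc=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <pattern id="SourcePortParser"><![CDATA[\bsport=(\d+)]]></pattern>
  <pattern id="DestinationIpParser"><![CDATA[\bdst=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <pattern id="DestinationPortParser"><![CDATA[\bdport=(\d+)]]></pattern>
  <pattern id="ProtocolParser"><![CDATA[\bproto=(\w+)]]></pattern>
  <pattern id="UserNameParser"><![CDATA[\buser=(\S+)]]></pattern>
  <match-group order="1" description="Constructed firewall format">
    <matcher field="EventName" order="1" pattern-id="EventNameParser" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SourceIpParser" capture-group="1"/>
    <matcher field="SourcePort" order="1" pattern-id="SourcePortParser" capture-group="1"/>
    <matcher field="DestinationIp" order="1" pattern-id="DestinationIpParser" capture-group="1"/>
    <matcher field="DestinationPort" order="1" pattern-id="DestinationPortParser" capture-group="1"/>
    <matcher field="Protocol" order="1" pattern-id="ProtocolParser" capture-group="1"/>
    <matcher field="UserName" order="1" pattern-id="UserNameParser" capture-group="1"/>
  </match-group>
</device-extension>
"""

# Constructed raw events as they would appear after base64-decoding the
# exported CSV column; the second one carries no user field.
SAMPLE_EVENTS: List[str] = [
    "<34>Oct 30 11:02:17 fw01 ACCEPT: src=10.1.2.3 sport=51514 dst=192.0.2.10 dport=443 proto=TCP user=jdoe",
    "<34>Oct 30 11:02:19 fw01 DENY: src=10.1.2.9 sport=40112 dst=192.0.2.25 dport=22 proto=TCP",
]


def _local(tag: str) -> str:
    """Drop any XML namespace prefix; the real template declares namespaces."""
    return tag.rsplit("}", 1)[-1]


def load_lsx(xml_text: str) -> Tuple[Dict[str, "re.Pattern"], List[Tuple[str, str, int]]]:
    """Compile every pattern by id and list (field, pattern-id, capture-group)."""
    root = ET.fromstring(xml_text)
    patterns: Dict[str, "re.Pattern"] = {}
    matchers: List[Tuple[str, str, int]] = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "pattern":
            patterns[el.get("id", "")] = re.compile(el.text or "")
        elif name == "matcher":
            matchers.append((el.get("field", ""), el.get("pattern-id", ""),
                             int(el.get("capture-group", "1"))))
    return patterns, matchers


def apply_lsx(xml_text: str, event: str) -> Dict[str, str]:
    """Field -> captured value for one raw event ('' when a matcher finds
    nothing); a matcher pointing at a missing pattern-id is an error."""
    patterns, matchers = load_lsx(xml_text)
    fields: Dict[str, str] = {}
    for field, pid, group in matchers:
        if pid not in patterns:
            raise KeyError(f"matcher for {field} references unknown pattern-id {pid}")
        m = patterns[pid].search(event)
        fields[field] = m.group(group) if m else ""
    return fields


def unmatched_fields(xml_text: str, events: List[str]) -> Dict[str, List[int]]:
    """Field -> indexes of sample events for which the matcher produced nothing;
    these are the Log Activity columns that would stay empty."""
    gaps: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for field, value in apply_lsx(xml_text, ev).items():
            if not value:
                gaps.setdefault(field, []).append(i)
    return gaps


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(apply_lsx(SAMPLE_LSX, ev))
    print("fields with gaps:", unmatched_fields(SAMPLE_LSX, SAMPLE_EVENTS))
```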
  4. Given an extension has provided for a new log source, understand the concepts of the QID, High, and Low Level Categories and be able to assign these to the events so that events from the new log source may be uniquely identified, assigned a severity, and associated with a specified set of types.
    With emphasis on performing the following tasks:
    1. A QID mapping is used to normalize log events.
      1. A QID is a numerical value that provides a unique identifier for normalized events.
      2. Each QID include a name and description for the event, as well as severity and category information to indicate the kind of event.
      3. QIDMap entries can map to one or many known vulnerabilities, which are displayed in the event viewer along with the other event data.
    2. High and Low Level Categories further classify QIDs.
      1. QRadar includes a fairly generic set of High Level Categories (Access, Application, Audit, etc.) that cover most domains of security practice.
      2. Each High Level Category is subdivided into Low Level Categories that further partition the event types within the HLC. (HLC Access goes to LLC Permit, Deny, etc.)
      3. Each QID entry maps to one of these LLC as a means of identifying the type of event. This allows for normalization of different types of events that have common semantic with disparate syntax.
    3. To identity events that require mapping, look for the values of "Unknown" in the Log Activity display.
      1. Log events that could not be parsed by the log source are given an HLC of "Unknown" and an LLC of "Stored". Resolve this by providing a parser via an LSX.
      2. Log events that are parsed but for which no QID is assigned are mapped to HLC of "Unknown" and LLC of "Unknown". Resolve this by mapping the events.
    4. Process to Map Events
      1. Open the Log Activity panel, and pause the event stream by clicking on the button.
      2. Click on an unmapped event (LLC="Unknown") to open the Event Detail panel.
      3. Click on Map Event to open the Log Source Event window.
      4. If the QID is known, enter it in the field provided.
      5. If the QID is not known, browse the HLC / LLC / Log Source by selecting from the drop-down choosers and clicking Search.
      6. Select a QID by clicking on one of the entries in the "Matching QIDs" display.
      7. Click OK to accept the choice.
      8. Note that existing events already stored in the database will not be reprocessed to add the QID. It will be necessary to wait until some new events appear in the Log Activity display to check the results of the mapping.
  5. Given an existing QRadar installation, configure index management so that QRadar's indexes are tuned appropriately.
    With emphasis on performing the following tasks:

    The Index Management feature allows you to control database indexing on event and flow properties. Indexing event and flow properties allows you to optimize your searches. You can enable indexing on any property that is listed in the Index Management window, and you can enable indexing on more than one property. The Index Management feature also provides statistics, such as:
      -The percentage of saved searches running in your deployment that include the indexed property.
      -The volume of data that is written to the disk by the index during the selected time frame.
    To enable payload indexing, you must enable indexing on the Quick Filter property.
    The Quick Filter feature in both the Log Activity and Network Activity tabs enables you to search event and flow payloads using a text string. Where Quick Filter searches take an extended time period, you can optimize the search by enabling a payload index on the Quick Filter property.
    Enabling payload indexing increases disk storage requirements and could decrease system performance. We recommend that you only enable payload indexing if the event and flow processors in your deployment are:
      -At no greater than 70% disk utilization.
      -At no greater than 70% of the maximum EPS or Flows Per Interface (FPI) rating.
    1. Enabling Payload Indexing:
      To enable payload indexing on the Quick Filter property:
      Step 1: Log in to QRadar.
      Step 2: Click the Admin tab.
      Step 3: On the navigation menu, click System Configuration.
      Step 4: Click the Index Management icon. The Index Management window is displayed.
      Step 5: In the Quick Search field, type Quick Filter. The Quick Filter property is displayed for events and flows.
      Step 6: Select the Quick Filter property you want to index. You can identify the event and flow Quick Filter properties using the value in the Database column.
      Step 7: On the toolbar, click Enable Index. A green dot is displayed to indicate the payload index is enabled.
      NOTE: You can also right-click the Quick Filter property and select Enable Index.
      Step 8: Click Save. A confirmation window is displayed.
      Step 9: Click OK.
      The selected Quick Filter properties are now indexed. In lists that include event or flow properties, indexed property names are appended with the following text: [Indexed].
    2. Configure the Payload Index Retention Period.
      You can configure the time period to store Quick Filter payload indexes. By default, payload indexes are retained for one week. The minimum retention period is one day and the maximum is two years.
      To configure the payload index retention period:
      Step 1: Click the Admin tab.
      Step 2: On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      Step 3: Click the System Settings icon. The System Settings window is displayed.
      Step 4: In the Database Settings pane, select a retention time period from the Payload Index Retention list box.
      Step 5: Click Save.
      Step 6: Close the System Settings window.
      Step 7: On the Admin tab menu, click Deploy Changes. Your payload index retention period is now configured.
  6. Given a Qradar system producing errors, retrieve log information for troubleshooting so that the source and cause of the error can be determined.
    With emphasis on performing the following tasks:
    1. Log in to the QRadar system using an SSH client.
    2. Execute /opt/qradar/support/get_logs.sh.
    3. Monitor the output for a line similar to: "The file /var/log/logs_qradar71tester_20121030.tar.bz2 has been created to send to support."
    4. Use a utility like WinSCP to retrieve /var/log/logs_qradar71tester_20121030.tar.bz2 from the system for review.
    5. In the downloaded file, review qradar.log and qradar.error for information about what the system is doing.
  7. Given a QRadar system, calculate the EPS and flows per interval so that the customer can understand actual event and flow rates for capacity planning requirements.
    With emphasis on performing the following tasks:
    1. Retrieve EPS by navigating to the Log Activity tab
    2. Select Search -> Edit search to bring up the search options
    3. Look for the Flow Rate (FPS) search, click Load, then Search.
    4. Review results for FPS; use the "Flows per Second Raw - Peak 1 Min" value.
    5. Retrieve EPS by navigating to the Log Activity tab
    6. Select Search -> Edit search to bring up the search options
    7. Look for the Event Rate (EPS) search, click Load, then Search.
    8. Review results for EPS; use the "Events per Second Raw - Average 1 Min" value.
    9. To retrieve rawEPS rate of an appliance from the commandline:
      - ssh into the QRadar console, then ssh over to the appliance you wish to collect logs from (appliances that are part of a deployment will not respond to direct SSH).
      - Execute the following command: grep "Incoming raw event rate" /var/log/qradar.log
      - You will get lines that look like this:
      Nov 1 16:50:03 172.16.77.112 [ecs] [ea8ac594-f593-4718-a246-2ff19fe6b4cf/SequentialEventDispatcher] com.q1labs.sem.monitors.SourceMonitor: [INFO] [NOT:0000006000][172.16.77.112/- -] [-/- -]Incoming raw event rate (5s: 0.40 eps), (10s: 0.20 eps), (15s: 0.27 eps), (30s: 0.87 eps), (60s: 1.97 eps), (300s: 45.94 eps), (900s: 45.94 eps). Peak in the last 60s: 13.00 eps. Max Seen 130.20 eps. EC Throttles/5s (60s: 0.00). Total EC Throttles in the last 60s: 0. Total EC Throttles: 0.
      - You can use the "Peak in the last 60s" to see your max burst rate in the last minute.
      - You can use the 60s as a good average EPS during a 1 minute window. This is the preferred value to use.
    10. To retrieve the amount of flows being collected directly from a qflow processor:
      - ssh to the Qradar console, then ssh to the qflow appliance you wish to gather the information from.
      - Execute the following command: grep 'Sent.\+flows' /var/log/qradar.log
      - You will get lines that look like:
      Nov 1 17:01:00 csd12 [QRadar] [25552] qflow0: [INFO] [1351800000] Sent 12345 flows to 172.16.77.112:32010
      - The number of flows sent is how many the qflow process received for that minute.
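Added example (not an IBM tool) that turns the grep output of 7.9 and 7.10 into capacity-planning numbers: it parses the "Incoming raw event rate" lines and the qflow "Sent N flows" lines, keeps the 60s average, "Peak in the last 60s" and "Max Seen" values, and converts flows per minute into flows per second. The log excerpt is constructed after the two line formats shown above; the first rate line and the first flow line are the page's own.

```python
"""Summarize QRadar rate lines for capacity planning. Added example, not an
IBM tool; the excerpt below is constructed after the formats shown above."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
EPS_RE = re.compile(r"Incoming raw event rate (?P<windows>.*?)\. "
                    r"Peak in the last 60s: (?P<peak>[\d.]+) eps\. "
                    r"Max Seen (?P<max>[\d.]+) eps")
WINDOW_RE = re.compile(r"\((\d+)s: ([\d.]+) eps\)")
FLOW_RE = re.compile(r"qflow\d+: .*?Sent (?P<flows>\d+) flows to (?P<dest>\S+)")

# Constructed excerpt of /var/log/qradar.log; the second line is noise that
# must be ignored, and the bracketed thread/uuid values are placeholders.
SAMPLE_LOG: List[str] = [
    "Nov 1 16:50:03 172.16.77.112 [ecs] [ea8ac594-f593-4718-a246-2ff19fe6b4cf/SequentialEventDispatcher] com.q1labs.sem.monitors.SourceMonitor: [INFO] [NOT:0000006000][172.16.77.112/- -] [-/- -]Incoming raw event rate (5s: 0.40 eps), (10s: 0.20 eps), (15s: 0.27 eps), (30s: 0.87 eps), (60s: 1.97 eps), (300s: 45.94 eps), (900s: 45.94 eps). Peak in the last 60s: 13.00 eps. Max Seen 130.20 eps. EC Throttles/5s (60s: 0.00). Total EC Throttles in the last 60s: 0. Total EC Throttles: 0.",
    "Nov 1 16:50:08 172.16.77.112 [ecs] [SequentialEventDispatcher] [INFO] constructed unrelated line",
    "Nov 1 16:51:03 172.16.77.112 [ecs] [SequentialEventDispatcher] com.q1labs.sem.monitors.SourceMonitor: [INFO] [NOT:0000006000][172.16.77.112/- -] [-/- -]Incoming raw event rate (5s: 52.00 eps), (10s: 48.50 eps), (15s: 47.10 eps), (30s: 46.30 eps), (60s: 44.03 eps), (300s: 45.10 eps), (900s: 45.60 eps). Peak in the last 60s: 88.00 eps. Max Seen 130.20 eps. EC Throttles/5s (60s: 0.00). Total EC Throttles in the last 60s: 0. Total EC Throttles: 0.",
    "Nov 1 16:52:03 172.16.77.112 [ecs] [SequentialEventDispatcher] com.q1labs.sem.monitors.SourceMonitor: [INFO] [NOT:0000006000][172.16.77.112/- -] [-/- -]Incoming raw event rate (5s: 61.00 eps), (10s: 59.50 eps), (15s: 60.10 eps), (30s: 60.30 eps), (60s: 60.00 eps), (300s: 47.10 eps), (900s: 46.00 eps). Peak in the last 60s: 150.20 eps. Max Seen 150.20 eps. EC Throttles/5s (60s: 0.00). Total EC Throttles in the last 60s: 0. Total EC Throttles: 0.",
    "Nov 1 17:01:00 csd12 [QRadar] [25552] qflow0: [INFO] [1351800000] Sent 12345 flows to 172.16.77.112:32010",
    "Nov 1 17:02:00 csd12 [QRadar] [25552] qflow0: [INFO] [1351800060] Sent 15000 flows to 172.16.77.112:32010",
    "Nov 1 17:03:00 csd12 [QRadar] [25552] qflow0: [INFO] [1351800120] Sent 9000 flows to 172.16.77.112:32010",
]


@dataclass
class EpsSample:
    timestamp: str
    windows: Dict[int, float]     # averaging window in seconds -> eps
    peak_60s: float               # highest burst within the last minute
    max_seen: float               # highest rate since the process started


def parse_eps_line(line: str) -> Optional[EpsSample]:
    """Parse one 'Incoming raw event rate' line; None for any other line."""
    m = EPS_RE.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    windows = {int(secs): float(eps) for secs, eps in WINDOW_RE.findall(m.group("windows"))}
    return EpsSample(ts.group(1) if ts else "", windows,
                     float(m.group("peak")), float(m.group("max")))


def parse_flow_line(line: str) -> Optional[int]:
    """Flows the qflow process sent in that minute; None for any other line."""
    m = FLOW_RE.search(line)
    return int(m.group("flows")) if m else None


def summarize_eps(lines: Iterable[str]) -> Dict[str, float]:
    """Average and peak event rates over every rate line in the excerpt."""
    samples = [s for s in (parse_eps_line(l) for l in lines) if s is not None]
    avg60 = [s.windows[60] for s in samples if 60 in s.windows]
    if not avg60:
        raise ValueError("no 'Incoming raw event rate' lines with a 60s window found")
    return {
        "samples": float(len(samples)),
        "avg_eps_60s": sum(avg60) / len(avg60),      # the preferred planning value
        "max_eps_60s": max(avg60),
        "peak_burst_eps": max(s.peak_60s for s in samples),
        "max_seen_eps": max(s.max_seen for s in samples),
    }


def summarize_flows(lines: Iterable[str]) -> Dict[str, float]:
    """Flows per minute from the qflow lines, plus the equivalent per second."""
    counts = [c for c in (parse_flow_line(l) for l in lines) if c is not None]
    if not counts:
        raise ValueError("no qflow 'Sent ... flows' lines found")
    per_minute = sum(counts) / len(counts)
    return {
        "minutes": float(len(counts)),
        "avg_flows_per_minute": per_minute,
        "peak_flows_per_minute": float(max(counts)),
        "avg_fps": per_minute / 60.0,
    }


if __name__ == "__main__":
    print(summarize_eps(SAMPLE_LOG))
    print(summarize_flows(SAMPLE_LOG))
```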
  8. Given a QRadar system, troubleshoot asynchronous flows so that issues related to asynchronous flows can be determined.
    With emphasis on performing the following tasks:
    1. Determine if the system is being affected by asynchronous flows. This can be done by:
      1. Asking the customer if their qflow systems are collecting from asynchronous sources
      2. Flows seem to only come or go from one direction and are not being combined as expected.
    2. If the system has asynchronous flow sources, navigate to the admin interface of QRadar.
    3. Select the flow sources option from the list.
    4. Select the interface ports that have asynchronous traffic, double click them to edit them and select the check box "Enable Asymmetric Flows". Then select save.
  9. Given an existing QRadar deployment, all hosts unmanaged, and the client needs to change the rule set, reset the tuning template to the system defaults so that the rule set returns to the default template and is more manageable.
    With emphasis on performing the following tasks:
    1. SSH or login to the QRadar console as root.
    2. Once logged in, execute /opt/qradar/bin/template_setup.pl.
    3. You will be asked to select a tuning template. The only available option is Enterprise, so to continue press Enter to set the template.
    4. The next page will inform you that custom changes will be removed if the tuning template is re-applied. To continue, press Enter. Otherwise, select No.
    5. The console will display a few messages indicating the tuning template is re-applying. This will take a few minutes.


Section 5-1: Administration

  1. Given an active QRadar console/server appliance, define storage requirements so that appropriate retention settings are set.
    With emphasis on performing the following tasks:
    1. Log on to the main GUI of QRadar with administrative privileges.
    2. Navigate to the Admin tab of the GUI.
    3. Select either the Event Retention or Flow Retention icons. This will bring up the resulting Event Retention or Flow Retention screen.
    4. By default, retention buckets will be set to store one month's worth of data (deletion only if space is needed) and compress events/flows after one week.
    5. QRadar has a set of algorithms that evaluates the need to compress and delete data when certain thresholds are crossed. When disk usage for the Ariel database location crosses 85% full, QRadar will begin compressing the data regardless of the compression settings in the retention buckets. After all possible compression has been done, then QRadar will begin deleting the oldest data governed by the retention bucket settings. At 95% full, the QRadar processes will shut down. The QRadar processes will not come up until the disk has been cleared to 90% full.
    6. Select a bucket filter and click the Edit option at the upper left of the window
    7. The resulting Retention Properties screen can be modified for length of storage, conditions of deletion, criteria for compression, and specific search filter used to match events/flows.
    8. The filters for search are like other search screens in QRadar, using elements of event/flow properties as well being able to leverage rule objects such as Building Blocks.
    9. After naming the bucket and possibly adding a description, click Save.
    10. On the resulting screen, click Save.
  2. Given an existing QRadar system, manage user accounts for all users that require access to QRadar so that each user is associated with a role, which determines the privileges the user has to access functionality and information within QRadar.
    With emphasis on performing the following tasks:
    1. Create a Role :
      1. Click the Admin tab.
      2. On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      3. Click the User Roles icon. The Manage User Roles window is displayed.
      4. Click Create Role. The Edit Role window is displayed.
      5. Enter values for the parameters. You must select at least one permission to proceed to the next step.
        -Role Name Type a unique name for the role. The name can be up to 15 characters in length and must only contain integers and letters.
        -Admin Select this check box if you want to grant this user administrative access to the QRadar user interface. After you select the Admin check box, all administrative access check boxes are selected by default. Within the Admin role, you can grant individual access to the following permissions:
        -Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
        -System Administrator - Select this check box if you want to allow users access to all areas of QRadar. Users with this access are not able to edit other administratoraccounts.
        -Remote Networks and Services Configuration - Select this check box if you want to allow users the ability to configure remote networks and services on the Admin tab.
        -Offenses Select this check box if you want to grant this user access to all Offenses tab functionality. Within the Offenses role, you can grant individual access to the following permissions:
        -Customized Rule Creation - Select this check box if you want to allow users to create custom rules.
        -Assign Offenses to Users - Select this check box if you want to allow users to assign offenses to other users.
        -Manage Offense Closing Reasons - Select this check box if you want to allow users to manage offense closing reasons.
        -Log Activity Select this check box if you want this user to have access to all Log Activity tab functionality. Within the Log Activity role, you can also grant users individual access to the following permissions:
        -Manage Time Series - Select this check box if you want to allows users the ability to configure and view time series data charts.
        -Customized Rule Creation - Select this check box if you want to allow users to create rules using the Log Activity tab.
        -User Defined Event Properties - Select this check box if you want to allow users the ability to create custom event properties.
        -Assets Select this check box if you want to grant this user access to all Assets tab functionality. Within the Assets role, you can grant individual access to the following permissions:
        -Remove Vulnerabilities - Select this check box if you want to allows user to remove vulnerabilities from assets.
        - Server Discovery - Select this check box if you want to allow users to discover servers.
        -View VA Data - Select this check box if you want to allow users access to vulnerability assessment data.
        -Perform VA Scans - Select this check box if you want to allow users to perform vulnerability assessment scans.
        -Network Activity Select this check box if you want to grant this user access to all Network Activity tab functionality. Within the Network Activity role, you can grant individual access to the following permissions:
        -View Flow Content - Select this check box if you want to allow users access to flow data.
        -Manage Time Series - Select this check box if you want to allow users to configure and view time series data charts.
        -Customized Rule Creation - Select this check box if you want to allow users to create rules using the Log Activity tab.
        -User Defined Flow Properties - Select this check box if you want to allow users the ability to create custom flow properties.
        -Reports Select this check box if you want to grant this user access to all Reports tab functionality. Within the Reports role, you can grant users individual access to the following permissions:
        -Maintain Templates - Select this check box if you want to allow users to maintain reporting templates.
        -Distribute Reports via Email - Select this check box if you want to allow users to distribute reports through email.
        -IP Right-Click Menu Extensions Select this check box if you want to grant this user access to options added to the right-click menu.
        -Risks This option is only available if QRadar Risk Manager is activated. Select this check box if you want to grant users access to QRadar Risk Manager functionality.
      6. Step 6 :Click Next.
      7. Step 7 :Choose one of the following options: a If you selected a role that includes Log Activity permissions, go to Step 8. b If you selected a role that does not include Log Activity permissions, go to Step 10.
        -The Add Log Sources to User Role page is displayed.
      8. Step 8 :Select the log sources you want to add to the user role:
        -From the Log Source Group list box, select a log source group.
        -From the Log Source list, locate and select the log sources you want the user assigned to this role to have access to.
        NOTE:You can add an entire log source group by clicking the Add icon in the Log Source Group pane. You can also select multiple log sources by holding the Control key while you select each log source you want to add.
        Click the Add icon.
        The selected log sources move to the Selected Log Source Objects field.
      9. Step 9: Click Next. A confirmation message is displayed.
      10. Step 10: Click Return.
      11. Step 11 :Close the Manage User Roles window.
      12. Step 12 :On the Admin tab menu, click Deploy Changes.
    2. Edit a Role:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      3. Step 3: In the User Management pane, click the User Roles icon. The Manage User Roles window is displayed.
      4. Step 4: For the role you want to edit, click the Edit icon. The Edit Roles window is displayed.
      5. Step 5: Update the permissions (see Table 2-2), as necessary.
      6. Step 6: Click Next.
      7. Step 7: Choose one of the following options:
        -If you are editing a role that includes Events permissions, go to Step 8. The Add Log Sources to User Role page is displayed.
        -If you are editing a role that does not include Events permissions, go to Step 11.
      8. Step 8: Update log source permissions, as required:
        -To remove a log source permission, select the log sources in the Selected Log Source Objects pane that you want to remove. Click Remove Selected Log Sources.
        -To add a log source permission, select an object you want to add from the left pane.
      9. Step 9: Repeat for all log sources you want to edit for this role.
      10. Step 10: Click Next.
      11. Step 11: Click Return.
      12. Step 12: Close the Manage User Roles window.
      13. Step 13: On the Admin tab menu, click Deploy Changes.
    3. Delete a Role:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      3. Step 3: In the User Management pane, click the User Roles icon. The Manage User Roles window is displayed.
      4. Step 4: For the role you want to delete, click the Delete icon. A confirmation window is displayed.
      5. Step 5: Click OK.
      6. Step 6: Close the Manage User Roles window.
      7. Step 7: On the Admin tab menu, click Deploy Changes.
  3. Given an existing QRadar deployment, configure a QRadar user account so that users are allowed to access selected network components using the QRadar user interface.
    With emphasis on performing the following tasks:
    1. Create a User Account:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      3. Step 3: Click the Users icon. The Manage Users window is displayed.
      4. Step 4: In the Manage Users pane, click Add. The User Details window is displayed.
      5. Step 5: Enter values for the following parameters:
        -Username: Type a unique user name for the new user. The user name must not include spaces or special characters.
        -Password: Type a password for the user to gain access. The password must be at least five characters in length.
        -Confirm Password: Type the password again for confirmation.
        -Email Address: Type the user email address.
        -Role: From the list box, select the role you want to assign to this user.
      6. Step 6: Click Next.
      7. Step 7: Choose one of the following options:
        -If you select Admin as the user role, go to Step 10.
        -If you select a non-administrative user role, go to Step 8. The Selected Network Objects page is displayed.
      8. Step 8: From the menu tree, select the network objects you want this user to be able to monitor. The selected network objects are displayed in the Selected Network Objects pane.
      9. Step 9: Click Finish.
      10. Step 10: Close the Manage Users window.
    2. Edit a User Account:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      3. Step 3: Click the Users icon. The Manage Users window is displayed.
      4. Step 4: In the Manage Users pane, click the name of the user account you want to edit. The User Details window is displayed.
      5. Step 5: Update values (see Table 2-3), as necessary.
      6. Step 6: Click Next.
        -If you are editing a non-administrative user account, the Selected Network Objects page is displayed. If you are editing an administrative user account, go to Step 10.
      7. Step 7: From the menu tree, select the network objects you want this user to access. The selected network objects are displayed in the Selected Network Objects pane.
      8. Step 8: For all network objects you want to remove access to, select the object in the Selected Network Objects pane. Click Remove.
      9. Step 9: Click Finish.
      10. Step 10: Close the Manage Users window.
    3. Disable a User Account:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click System Configuration. The System Configuration pane is displayed.
      3. Step 3: Click the Users icon. The Manage Users window is displayed.
      4. Step 4: In the Manage Users pane, click the user account you want to disable. The Editing User window is displayed.
      5. Step 5: In the Role list box, select Disabled.
      6. Step 6: Click Next.
      7. Step 7: Close the Manage Users window. This user no longer has access to the QRadar user interface. If this user attempts to log in to QRadar, the following message is displayed: The username and password you supplied are not valid. Please try again.
        NOTE: After you delete a user, items such as saved searches, reports, and assigned Offenses remain associated with the deleted user.
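The role rules in item 2 (a 1 to 15 character alphanumeric name, at least one permission, Admin selecting every administrative check box, Administrator Manager implying System Administrator) and the account rules in item 3 (no spaces or special characters in the user name, a password of at least five characters, the Disabled role) are easy to check mechanically when reviewing who holds administrative access. The following is an added example and not code from the exam guide or from QRadar: it applies those documented rules to role and user definitions read off the Admin tab and lists the roles that carry administrative access. The interpretation of "special characters" as anything outside letters and digits, the sample roles, and the dictionary shapes are assumptions made for the example.

```python
import re

# Added example (not from the exam guide or QRadar): apply the documented
# role and user-account rules and flag roles with administrative access.
ADMIN_SUBPERMISSIONS = {
    "Administrator Manager",
    "System Administrator",
    "Remote Networks and Services Configuration",
}
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,15}$")   # up to 15 letters/integers
USERNAME_RE = re.compile(r"^[A-Za-z0-9]+$")         # assumption: reading of "no spaces or special characters"
MIN_PASSWORD_LEN = 5                                # the documented minimum


def normalize_role(name, permissions, existing_roles=()):
    """Validate a role and apply the documented implications.

    Returns (errors, effective_permissions): Admin selects every administrative
    check box, and Administrator Manager implies System Administrator.
    """
    errors = []
    perms = set(permissions)
    if not ROLE_NAME_RE.match(name):
        errors.append("role name must be 1-15 letters or integers")
    if name in existing_roles:
        errors.append("role name must be unique")
    if not perms:
        errors.append("select at least one permission")
    if "Admin" in perms:
        perms |= ADMIN_SUBPERMISSIONS
    if "Administrator Manager" in perms:
        perms.add("System Administrator")
    return errors, perms


def validate_user(username, password, role, known_roles, existing_users=()):
    """Check a new user against the documented username/password/role rules."""
    errors = []
    if not USERNAME_RE.match(username):
        errors.append("username must not include spaces or special characters")
    if username in existing_users:
        errors.append("username must be unique")
    if len(password) < MIN_PASSWORD_LEN:
        errors.append("password must be at least five characters")
    if role != "Disabled" and role not in known_roles:
        errors.append("role %r does not exist" % role)
    return errors


def admin_roles(roles):
    """Names of roles whose effective permissions include administrative access."""
    flagged = []
    for name, perms in roles.items():
        _, effective = normalize_role(name, perms)
        if effective & ADMIN_SUBPERMISSIONS:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample roles, as they might be read off the Manage User Roles window.
SAMPLE_ROLES = {
    "SOCAnalyst": {"Offenses", "Log Activity", "Network Activity"},
    "Helpdesk": {"Administrator Manager"},
    "Ops": {"Admin"},
}

if __name__ == "__main__":
    print(admin_roles(SAMPLE_ROLES))
    print(validate_user("john doe", "abcd", "Admin", SAMPLE_ROLES))
```

The `Helpdesk` role shows why the implication matters for a least-privilege review: a role that was only given Administrator Manager ends up with System Administrator as well, so it belongs on the administrative list.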
  4. Given the Auto Update Interface, configure automatic updates so that the appliance automatically updates DSMs, VIS, Protocols, Minor, and Major updates.
    With emphasis on performing the following tasks:

    QRadar update files can include the following updates:
      -Configuration updates, which include configuration file changes, vulnerability, QID map, and security threat information updates.
      -DSM updates, which include corrections to parsing issues, scanner changes, and protocol updates.
      -Major updates, which include items such as updated JAR files.
      -Minor updates, which include items such as additional Online Help content or updated scripts.
    QRadar allows you to either replace your existing configuration files or integrate the updated files with your existing files to maintain the integrity of your current configuration and information.
    The Console must be connected to the Internet to receive the updates, or an Update Server must be set up in the environment.
    In a High Availability (HA) deployment, if you do not deploy your changes, the updates are performed on the secondary host through an automated process that runs hourly.
    Configure Automatic Update Settings:
    1. Click the Admin tab.
    2. On the navigation menu, click System Configuration.
    3. Click the Auto Update icon.
    4. On the navigation menu, click Change Settings.
    5. In the Auto Update Schedule pane, configure the schedule for updates:
      1. Frequency: From this list box, select the frequency with which you want to receive updates. The default frequency is Weekly. Options include:
        -Disabled
        -Weekly
        -Monthly
        -Daily
      2. Hour: From this list box, select the time of day you want your system to update. The default hour is 3 am.
      3. Week Day: This option is only available if you select Weekly as the update frequency.
      4. Month Day: This option is only active when you select Monthly as the update frequency.
    6. In the Update Types pane, configure the types of updates you want to install:
      1. Configure Updates: From this list box, select the method you want to use for updating your configuration files:
        -Auto Integrate - Select this option to integrate the new configuration files with your existing files and maintain the integrity of your information. This is the default setting.
        -Auto Update - Select this option to replace your existing configuration files with the new configuration files.
        -Disable - Select this option to prevent configuration updates.
      2. DSM, Scanner, Protocols: From this list box, select one of the following options for DSM updates:
        -Disable - Select this option to prevent DSM, scanner, and protocol updates being installed on your system.
        -Manual Install - Select this option to download the DSM, scanner, and protocol updates to the designated download path location. If you choose this option, you must manually install the updates. See Manually Installing Automatic Updates.
        -Auto Install - Select this option to download the DSM, scanner, and protocol updates to the designated download path location and automatically install the update. This is the default setting.
      3. Major Updates: From this list box, select one of the following options for major updates:
        -Disable - Select this option to prevent major updates being installed on your system. This is the default setting.
        -Download - Select this option to download the major updates to the designated download path location. If you choose this option, you must manually install the updates from a command line interface (CLI). See the readme file in the download files for installation instructions.
        - Note: Major updates cause service interruptions during installation.
      4. Minor Updates: From this list box, select one of the following options for minor updates:
        -Disable - Select this option to prevent minor updates being installed on your system.
        -Manual Install - Select this option to download the minor updates to the designated download path location. If you choose this option, you must manually install the updates.
    7. Select the Auto Deploy check box if you want to deploy update changes automatically after updates are installed. If this check box is clear, a system notification is displayed on the Dashboard tab indicating that you must deploy changes after updates are installed. By default, the check box is selected.
    8. Click the Advanced tab.
    9. In the Server Configuration pane, configure the server settings:
      1. Web Server: Type the web server from which you want to obtain the updates. The default web server is: https://qmmunity.q1labs.com
      2. Directory: Type the directory location on which the web server stores the updates. The default directory is autoupdates/.
      3. Proxy Server: Type the URL for the proxy server. The proxy server is only required if the application server uses a proxy server to connect to the Internet.
      4. Proxy Port: Type the port for the proxy server. The proxy port is only required if the application server uses a proxy server to connect to the Internet.
      5. Proxy Username: Type the user name for the proxy server. A user name is only required if you are using an authenticated proxy.
      6. Proxy Password: Type the password for the proxy server. A password is only required if you are using an authenticated proxy.
    10. In the Other Settings pane, configure the update settings:
      1. Send Feedback: Select this check box if you want to send feedback to Q1 Labs regarding the update. Feedback is sent automatically using a web form when errors occur with the update. By default, this check box is clear.
      2. Backup Retention: Type or select the length of time, in days, that you want to store files that are replaced during the update process. The files are stored in the location specified in the Backup Location parameter. The default backup retention period is 30 days. The minimum is 1 day and the maximum is 65535 years.
      3. Backup Location: Type the location where you want to store backup files.
      4. Download Path: Type the directory path location to which you want to store DSM, minor, and major updates. The directory path is: /store/configservices/staging/updates.
    11. Click Save.
  5. Given an active QRadar console/server appliance, configure backup schedule and location so that a valid file location is defined with an active backup schedule.
    With emphasis on performing the following tasks:
    1. Log on to the main GUI of QRadar with administrative privileges.
    2. Navigate to the Admin tab of the GUI.
    3. Select the Backup and Recovery icon.
    4. From the resulting Backup Archives screen, select the Configure button, which will bring up the Backup Recovery Configuration screen.
    5. In the field titled Backup Repository Path, define the mount point or filesystem location for the backups to be stored. Default is "/store/backup"
    6. Define the number of days to retain the backup archives in the Backup Retention Period field. Default is 2 days.
    7. Select either to backup the Configuration or both the Configuration and Data, for each appliance within the environment.
    8. For Data backups, select whether Event, Flow, or both forms of Data are being backed up, by appliance.
      1. Note: Data backups will be stored on the mount point or file location for each processor.
    9. Configure the backup time limits and system priority for both Configuration and Data backups. Take into consideration the impact that assigning a higher priority to backups has on the performance of the environment.
    10. Click Save when done.
    11. Navigate back to the Admin tab and click Deploy Changes to commit the new schedule.
  6. Given an active QRadar console/server appliance, configure authorized services so that a WinCollect agent can communicate with QRadar or an external system (e.g. Service Desk) can update, hide, or close offenses.
    With emphasis on performing the following tasks:
    1. Log on to the main GUI of QRadar with administrative privileges.
    2. Navigate to the Admin tab of the GUI.
    3. Select the Authorized Services icon.
    4. From the Manage Authorized Services screen, click the Add Authorized Service button. This will bring up the Add Authorized Service screen.
    5. Provide a name for the service in the Service Name field.
    6. Select the role for the authorized service to act under from the User Role drop-down.
    7. Either choose an expiration date or select No Expiry in the Expiry Date section.
    8. Select Create Service. This will close the current screen and return the user to the Manage Authorized Services screen.
    9. Make note of the authentication token and provide this code to the third-party product that will integrate with QRadar.
  7. Given that QRadar is operational, install and configure the IP_Context_Menu_Plugin so that the right-click menu functionality is enhanced.
    With emphasis on performing the following tasks:
    1. The ip_context_menu gives QRadar the ability to expand the right-click functionality by initiating either a URL, a command, or a binary, with the variable %IP% standing in for the selected IP address. Any command that can be initiated by the user "nobody" is available to be run.
    2. SSH to the Console.
    3. Copy the file to the QRadar directory /opt/qradar/conf.
    4. Restart the Tomcat service by issuing the command "service tomcat restart".
    5. Once the service finishes restarting, log in to the Console GUI.
    6. Verify that the plugin is working by selecting the Log Activity tab.
    7. Pause the event viewer.
    8. Move the mouse over an IP address.
    9. Right-click and select More Options to view the available plugins.
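Because the plugin substitutes %IP% into a command that runs on the Console as "nobody", the safest way to use the command option is to point it at a small wrapper that accepts only a literal IP address and then runs a fixed binary with an argument list, never a shell string. The following is an added example and not code from the exam guide, from QRadar, or from the plugin: it assumes the plugin entry is configured to invoke this script with %IP% as its single argument, and that `/usr/bin/whois` exists and may be run by "nobody"; both are assumptions, and the lookup binary is just a placeholder for whatever the menu entry is meant to do.

```python
#!/usr/bin/env python
# Added example (not from the exam guide, QRadar, or the ip_context_menu
# plugin): a wrapper for a right-click menu command that validates %IP%
# before anything runs with it.
import ipaddress
import subprocess
import sys

# Assumption: the lookup binary and its fixed options; only a validated
# address is ever appended to this list.
LOOKUP_CMD = ["/usr/bin/whois"]


def validate_ip(value):
    """Return the canonical address string, or None if `value` is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_command(value):
    """Build the argv list for the lookup, refusing anything that is not an address."""
    addr = validate_ip(value)
    if addr is None:
        raise ValueError("refusing to run lookup: %r is not an IP address" % value)
    return LOOKUP_CMD + [addr]


def main(argv):
    """Entry point: argv[1] is the %IP% value supplied by the menu entry."""
    if len(argv) != 2:
        sys.stderr.write("usage: %s <ip>\n" % argv[0])
        return 2
    try:
        cmd = build_command(argv[1])
    except ValueError as exc:
        sys.stderr.write(str(exc) + "\n")
        return 1
    # argv list and no shell=True: the address is never interpreted by a shell
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The validation is strict on purpose: anything that is not exactly one IPv4 or IPv6 address exits non-zero without running the lookup, so a malformed value in an event field cannot turn into extra shell syntax.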
  8. Given an existing QRadar deployment, manage Routing rules to configure filters and actions so that actions are performed when event data matches each rule.
    With emphasis on performing the following tasks:
    1. View Routing Rules:
      1. The Event Routing Rules window provides valuable information on your routing rules, such as the configured filters and actions that are performed when event data matches each rule.
      2. Step 1: Click the Admin tab.
      3. Step 2: On the navigation menu, click Data Sources. The Data Sources pane is displayed.
      4. Step 3: Click the Routing Rules icon. The Event Routing Rules window shows the following columns:
        -Name: Specifies the name of this routing rule.
        -Event Collector: Specifies the Event Collector you want this routing rule to process data from.
        -Filters: Specifies the configured filters for this routing rule.
        -Routing Options: Specifies the configured routing options for this routing rule. Options include:
          -Forward - Event data is forwarded to the specified forwarding destination. Event data is also stored in the QRadar database and processed by the Custom Rules Engine (CRE).
          -Forward & Drop - Event data is forwarded to the specified forwarding destination. Event data is not stored in the QRadar database, but it is processed by the CRE.
          -Forward & Bypass - Event data is forwarded to the specified forwarding destination. Event data is also stored in the QRadar database, but it is not processed by the CRE.
          -Drop - Event data is not stored in the QRadar database. The event data is not forwarded to a forwarding destination, but it is processed by the CRE.
          -Bypass - Event data is not processed by the CRE, but it is stored in the QRadar database. The event data is not forwarded to a forwarding destination.
        -Enabled: Specifies whether this routing rule is enabled or disabled.
        -Creation Date: Specifies the date that this routing rule was created.
        -Modification Date: Specifies the date that this routing rule was modified.
    2. Edit a Routing Rule:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click Data Sources. The Data Sources pane is displayed.
      3. Step 3: Click the Routing Rules icon. The Event Routing Rules window is displayed.
      4. Step 4: Select the routing rule you want to edit.
      5. Step 5: On the toolbar, click Edit. The Routing Rule window is displayed.
      6. Step 6: Update the parameters, as necessary.
      7. Step 7: Click Save.
    3. Enable or Disable a Routing Rule:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click Data Sources. The Data Sources pane is displayed.
      3. Step 3: Click the Routing Rules icon. The Event Routing Rules window is displayed.
      4. Step 4: Select the routing rule you want to enable or disable.
      5. Step 5: On the toolbar, click Enable/Disable. Depending on the current status of the routing rule, the result of clicking Enable/Disable is as follows:
        -If the Enabled status is True, the routing rule is disabled.
        -If the Enabled status is False and the routing rule is configured to drop events, a confirmation message is displayed. Click OK.
    4. Delete a Routing Rule:
      1. Step 1: Click the Admin tab.
      2. Step 2: On the navigation menu, click Data Sources. The Data Sources pane is displayed.
      3. Step 3: Click the Routing Rules icon. The Event Routing Rules window is displayed.
      4. Step 4: Select the routing rule you want to delete.
      5. Step 5: On the toolbar, click Delete. A confirmation window is displayed.
      6. Step 6: Click OK.
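The five routing options in item 8 differ only in three yes/no effects (forwarded, stored in the QRadar database, processed by the CRE), and the confirmation prompt when enabling a rule that drops events exists because dropped data cannot be recovered. The following is an added example, not code from the exam guide or from QRadar: a small model of those options that reports what a rule set would do to a batch of events before the rules are enabled. The "first enabled matching rule on the event's collector wins" ordering, the equality-match filter semantics, the behaviour for events no rule matches, and the sample rules and events are all assumptions of the model, not documented QRadar behaviour.

```python
# Added example (not from the exam guide or QRadar): model the documented
# routing options and preview their effect on a batch of events.

# Effect of each option as (forwarded, stored in database, processed by CRE),
# taken directly from the Routing Options descriptions above.
ROUTING_EFFECTS = {
    "Forward":          (True,  True,  True),
    "Forward & Drop":   (True,  False, True),
    "Forward & Bypass": (True,  True,  False),
    "Drop":             (False, False, True),
    "Bypass":           (False, True,  False),
}
# Assumption: an event no rule matches is stored and run through the CRE.
NO_RULE_EFFECT = (False, True, True)

# Constructed rules in the shape of the Event Routing Rules columns.
SAMPLE_RULES = [
    {"name": "Archive firewall events", "event_collector": "ec1",
     "filters": {"log_source_type": "Firewall"},
     "routing_option": "Forward & Bypass", "enabled": True},
    {"name": "Drop debug noise", "event_collector": "ec1",
     "filters": {"severity": 1},
     "routing_option": "Drop", "enabled": True},
    {"name": "Old forwarding rule", "event_collector": "ec2",
     "filters": {},
     "routing_option": "Forward & Drop", "enabled": False},
]

# Constructed events.
SAMPLE_EVENTS = [
    {"collector": "ec1", "log_source_type": "Firewall", "severity": 3},
    {"collector": "ec1", "log_source_type": "Linux OS", "severity": 1},
    {"collector": "ec1", "log_source_type": "Linux OS", "severity": 7},
    {"collector": "ec2", "log_source_type": "Firewall", "severity": 5},
]


def matches(event, filters):
    """Every filter field must equal the event field (assumed filter semantics)."""
    return all(event.get(key) == value for key, value in filters.items())


def route_event(event, rules):
    """Return what happens to one event under the first matching enabled rule."""
    for rule in rules:
        if not rule["enabled"] or rule["event_collector"] != event["collector"]:
            continue
        if matches(event, rule["filters"]):
            forwarded, stored, cre = ROUTING_EFFECTS[rule["routing_option"]]
            return {"rule": rule["name"], "forwarded": forwarded,
                    "stored": stored, "cre": cre}
    forwarded, stored, cre = NO_RULE_EFFECT
    return {"rule": None, "forwarded": forwarded, "stored": stored, "cre": cre}


def summarize(events, rules):
    """Count events by outcome. 'not_stored' is the figure to check before
    enabling a Drop or Forward & Drop rule, since that data is unrecoverable."""
    totals = {"forwarded": 0, "stored": 0, "cre": 0, "not_stored": 0, "unmatched": 0}
    for event in events:
        outcome = route_event(event, rules)
        totals["forwarded"] += int(outcome["forwarded"])
        totals["stored"] += int(outcome["stored"])
        totals["cre"] += int(outcome["cre"])
        totals["not_stored"] += int(not outcome["stored"])
        totals["unmatched"] += int(outcome["rule"] is None)
    return totals


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", route_event(event, SAMPLE_RULES))
    print(summarize(SAMPLE_EVENTS, SAMPLE_RULES))
```

Replacing `SAMPLE_EVENTS` with a representative export of a day's events gives a quick answer to "how much would this Drop rule discard, and does the archived firewall traffic still reach the CRE?" before clicking Enable/Disable.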
  9. Given the QRadar V7.1 product, and access to the user interface, explain the QRadar Reporting Subsystem detailing functionality and use the GUI to brand the reports with the customer logo, schedule, and generate existing reports so that the customer will have output reports they can use to track security and show the value of the QRadar deployment.
    With emphasis on performing the following tasks:
    1. QRadar contains hundreds of default reports that help satisfy the common regulatory reporting requirements. These reports include the following groups:
      1. HIPAA - Health Insurance Portability and Accountability Act
      2. COBIT - Control Objectives for Information and Related Technology
      3. SOX - Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
      4. PCI - Payment Card Industry Data Security Standard
      5. GLBA - Gramm-Leach-Bliley Privacy Act
      6. FISMA - Federal Information Security Management Act
      7. NERC - North American Electric Reliability Council
      8. Government Secure Extranet
    2. QRadar regulatory reports features:
      1. The QRadar Regulatory Reports are defined according to the recommendations in the various standards above, which normally stipulate that a particular type of security control be implemented by the installation, and that reporting be available to show (a) that the control is indeed implemented and working as recommended, and (b) that any output resulting from the control, such as too many failed access attempts or too high a volume of attack traffic, is flagged and escalated for remediation.
      2. Regulatory reports are an integral part of an incident response system for the installation.
      3. Individual regulatory reports are grouped by, and identify in their titles, the paragraph or recommendation number in the regulatory control documents listed above.
    3. QRadar contains Executive summary reports suitable for managers tracking the activity levels of the event monitoring and detection activities of QRadar.
      1. Executive summary reports provide summary data at the day, week, or month level, suitable for tracking trends and for reporting activity in management meetings.
    4. QRadar contains detail reports for each Log Source type grouped into the following general categories:
      1. AntiVirus
      2. Applications and OS's
      3. Databases
      4. Firewalls / Routers / Switches
      5. Intrusion Detection and Prevention (IDS/IPS)
      6. Security Access Logs
      7. VPN systems
    5. QRadar provides a set of default reports tailored to the operational needs of the installation staff, grouped in the following categories:
      1. Network Management
      2. Security
      3. Usage Monitoring
      4. VoIP
    6. Branding Reports - QRadar reports may be configured to display a customer logo on the reports.
      1. On the Reports tab, click on Branding.
      2. Browse to an image file containing the customer's logo and click on upload image.
    7. Scheduling Reports
      1. From the Reports tab, click on Reports on the left side.
      2. Open the reports group hierarchy from the Group pull down and choose a group.
      3. Click on a row to select a particular report.
      4. From the Actions button, select Toggle Scheduling.
      5. The default schedule will be activated, and a countdown time until the next report generation will be shown.
      6. Double click the report to open the report definition wizard. The first panel of the wizard gives the default schedule. Modify this schedule to the desired time and frequency of generation.
    8. Generate a Report:
      1. From the Reports tab, click on Reports on the left side.
      2. Open the reports group hierarchy from the Group pull down and choose a group.
      3. Click on a row to select a particular report.
      4. From the Actions button, select Run Report.
    9. Define a new report:
      1. From the Reports tab, click on Reports on the left side.
      2. From the Actions button, select Create to open the reports wizard.
      3. In the wizard, define the report on the following panels:
        -Schedule report frequency.
        -Choose layout (how many charts and where they are positioned).
        -Specify contents (detail panels for data selection specific to event type).
        -Preview layout (chart type, etc.). Specific chart types include:
          -Top Source IPs chart will display the top IPs that attack any defined network or asset.
          -Top Offenses chart will display the top types of threats to the managed network.
          -Asset Vulnerabilities chart shows vulnerable assets, optionally by severity.
          -Top Destination IPs chart shows high-volume destinations in the network.
        -Choose a report format (PDF, HTML, etc.).
        -Choose a distribution channel (console or email).


Section 5-2: Administration

  1. Given knowledge of IBM Security QRadar, describe the functionality of the flow and event viewers so that this functionality can be explained to a customer.
    With emphasis on performing the following tasks:
    1. Log Activity tab
      1. An event is a record from a log source, such as a firewall or router device, that describes an action on a network or host. Using the Log Activity tab, you can monitor and investigate log activity (events) in real-time or perform advanced searches. The Log Activity tab specifies which events are associated with offenses. You can use the Log Activity tab to:
        -Search events. See Searching Data.
        -Save and manage search criteria and results.
        -View events in real-time (streaming).
        -View event information grouped by various options.
        -Create, view and investigate time series charts.
        -View and manage Packet Capture (PCAP) data.
        -Associate or map an unknown event to a high-level and low-level category (or QID).
        -Tune false positive events from generating offenses.
        -Export events in Extensible Markup Language (XML) or Comma-Separated Value (CSV) format.
    2. Network Activity tab
      1. The Network Activity tab allows you to visually monitor and investigate flow data in real-time, or perform advanced searches to filter the displayed flows. A flow is a communication session between two hosts. You can view flow information to determine how the traffic is communicated, and what was communicated (if the content capture option is enabled). Flow information can also include such details as protocols, Autonomous System Number (ASN) values, or Interface Index (IFIndex) values. You can use the Network Activity tab to:
        -Search flows. See Searching Data.
        -Save and manage search criteria and results.
        -View flows in real-time (streaming).
        -View flow information grouped by various options.
        -Create, view, and investigate time series charts.
        -Tune false positive flows from generating offenses.
        -Export flows in XML or CSV format.
  2. Given an existing QRadar deployment, configure the dashboard to allow you to organize your items into functional views so that you are enabled to focus on specific areas of your network.
    With emphasis on performing the following tasks:
    1. Create a Custom Dashboard:
      1. Step 1: Click the Dashboard tab.
      2. Step 2: Click the New Dashboard icon. The New Dashboard dialog box is displayed.
      3. Step 3: In the Name field, type a unique name for the dashboard. The maximum length is 65 characters.
      4. Step 4: In the Description field, type a description of the dashboard. The maximum length is 255 characters. This description is displayed in the tooltip for the dashboard name in the Show Dashboard list box.
      5. Step 5: Click OK. The new dashboard is displayed in the Dashboard tab and is listed in the Show Dashboard list box. By default, the dashboard is empty. For more information about adding items, see Adding Items.
    2. Add Items :
      1. Step 1: Click the Dashboard tab.
      2. Step 2: From the Show Dashboard list box, select the dashboard to which you want to add an item.
      3. Step 3: From the Add Item list box, select an item.
    3. Configure Charts :
      1. You can configure Log Activity, Network Activity, and Connections (if applicable) dashboard items to specify the chart type and how many data objects you want to view. Your custom chart configurations are retained so that they are displayed as configured each time you access the Dashboard tab.
      2. Step 1: Click the Dashboard tab.
      3. Step 2: From the Show Dashboard list box, select the dashboard that contains the item you want to customize.
      4. Step 3: On the dashboard item header, click the Settings icon. Configuration options are displayed.
      5. Step 4: Configure the parameters:
        Value to Graph: From the list box, select the object type that you want to graph on the chart. Options include all normalized and custom event or flow parameters included in your search parameters.
        Note: QRadar accumulates data so that when you perform a time series saved search, there is a cache of event or flow data available to display the data for the previous time period.
        Accumulated parameters are indicated by an asterisk (*) in the Value to Graph list box. If you select a value to graph that is not accumulated (no asterisk), time series data is not available.
        Chart Type: From the list box, select the chart type you want to view.
        -Bar Chart - Displays data in a bar chart. This option is only available for grouped events or flows.
        -Pie Chart - Displays data in a pie chart. This option is only available for grouped events or flows.
        -Table - Displays data in a table. This option is only available for grouped events or flows.
        -Time Series - Displays an interactive line chart representing the records matched by a specified time interval.
        Display Top: From the list box, select the number of objects you want to view in the chart. Options include 5 and 10. The default is 10.
        Capture Time Series Data: Select this check box to enable time series capture. When you select this check box, the chart feature begins accumulating data for time series charts.
        By default, this option is disabled.
        Note: This option is only available on time series charts. You must have the appropriate role permissions to manage and view time series charts.
        Time Range: From the list box, select the time range you want to view.
        Note: This option is only available on time series charts.
    4. Remove Items :
      Removing an item does not remove the item from QRadar. Removing an item removes the item from your dashboard. You can add the item again at any time.
      1. Step 1: Click the Dashboard tab.
      2. Step 2: From the Show Dashboard list box, select the dashboard from which you want to remove an item.
      3. Step 3: On the dashboard item header, click the red [x] icon to remove the item from the dashboard.
      4. A confirmation window is displayed before an item is removed.
    5. Detach an Item :
      Detaching an item allows you to temporarily monitor one or more particular items on your desktop. You can detach the item, and then remove the item from your dashboard.
      The detached window remains open and refreshes during scheduled intervals. If you close the QRadar application, the detached window remains open for monitoring and continues to refresh until you manually close the window or shut down your computer system.
      NOTE: QRadar does not save the status of a detached dashboard item when you end your QRadar session.
      1. Step 1: Click the Dashboard tab.
      2. Step 2: From the Show Dashboard list box, select the dashboard from which you want to detach an item.
      3. Step 3: On the dashboard item header, click the green icon to detach the dashboard item and open it in a separate window.
        NOTE: Detaching an item does not remove the item from QRadar; detaching an item duplicates the data in a new window.
    6. Edit a Dashboard :
      You can edit the name and description for any dashboard.
      1. Step 1: Click the Dashboard tab.
      2. Step 2: From the Show Dashboard list box, select the dashboard you want to edit. The dashboard you selected is displayed.
      3. Step 3: On the toolbar, click the Rename Dashboard icon. The Rename Dashboard dialog box is displayed.
      4. Step 4: In the Name field, type a new name for the dashboard. The maximum length is 65 characters.
      5. Step 5: In the Description field, type a new description of the dashboard. The maximum length is 255 characters.
      6. Step 6: Click OK.
    7. Delete a Dashboard :
      1. Step 1: Click the Dashboard tab.
      2. Step 2: From the Show Dashboard list box, select the dashboard you want to delete. The dashboard you selected is displayed.
      3. Step 3: On the toolbar, click Delete Dashboard. A confirmation message is displayed.
      4. Step 4: Click Yes.
        The Dashboard tab refreshes and the first dashboard listed in the Show Dashboard list box is displayed. The dashboard you deleted is no longer displayed in the Show Dashboard list box.
    8. Add Search-Based Dashboard Items to the Add Items List:
      To add an event and flow search dashboard item to the Add Item menu on the Dashboard tab, you must access the Log Activity or Network Activity tab to create search criteria that specifies that the search results can be displayed on the Dashboard tab. The search criteria must also specify that the results are grouped on a parameter.
      NOTE: This procedure also applies to Risk Manager dashboard items. Risk Manager dashboard items are only displayed when QRadar Risk Manager has been purchased and licensed, and you have established the connection between the Console and the QRadar Risk Manager appliance. For more information, see the QRadar Risk Manager Users Guide.
      1. Step 1: Choose one of the following options:
        -To add a flow search dashboard item, click the Network Activity tab.
        -To add an event search dashboard item, click the Log Activity tab.
      2. Step 2: From the Search list box, choose one of the following options:
        -To create a new search, select New Search.
        -To edit a saved search, select Edit Search.
        The flow search page is displayed.
      3. Step 3: Configure or edit your search parameters, as required. For more information on flow searches, see Searching Events or Flows.
      4. Step 4: Ensure you configure the following parameters:
        -On the Edit Search pane, select the Include in my Dashboard option.
        -On the Column Definition pane, select a column and click the Add Column icon to move the column to the Group By list.
      5. Step 5: Click Filter. The search results are displayed.
      6. Step 6: Click Save Criteria. The Save Criteria window is displayed.
      7. Step 7: Configure the parameters, as required. For more information, see Saving Search Criteria.
      8. Step 8: Click OK.
      9. Step 9: Verify that your saved search criteria successfully added the event or flow search dashboard item to the Add Items list:
        -Click the Dashboard tab.
        -Choose one of the following options:
        -To verify an event search item, select Add Item -> Log Activity -> Event Searches.
        -To verify a flow search item, select Add Item -> Network Activity -> Flow Searches.
        The dashboard item should be displayed on the list using the same name as your saved search criteria.
  3. Given an existing QRadar deployment, describe the Offense tab so that the user understands how to Assign and close existing offenses.
    With emphasis on performing the following tasks:
    1. Assign Offenses to Users:
      Using the Offenses tab, you can assign offenses to QRadar users for investigation. When an offense is assigned to a user, the offense is displayed on the My Offenses page belonging to that user. You must have appropriate privileges to assign offenses to users.
      You can assign offenses to users from either the Offenses tab or Offense Summary pages.
      1. Step 1: Click the Offenses tab.
      2. Step 2: Click All Offenses.
      3. Step 3: Select the offense you want to assign.
        NOTE: To assign multiple offenses, hold the Control key while you select each offense you want to assign.
      4. Step 4: From the Actions list box, select Assign. The Assign To User page is displayed.
      5. Step 5: From the Username list box, select the user you want to assign this offense to.
        NOTE: The Username list box only displays users who have Offenses tab privileges.
      6. Step 6: Click Save.
        The offense is assigned to the selected user. The User icon is displayed in the Flag column of the Offenses tab to indicate that the offense is assigned. The designated user can also see this offense in their My Offenses page.
    2. Remove Offenses From the Offenses tab:
      You can remove an offense from the Offenses tab using the following options:
      Hiding Offenses
      Showing Hidden Offenses
      Closing an Offense
      Closing Listed Offenses
      You can hide or close an offense from any offense list (for example, All Offenses) or the Offense Summary pages. The procedures below provide instruction on how to hide and close offenses from the All Offenses page.
      1. Hiding Offenses
        After you hide an offense, the offense is no longer displayed in any list (for example, All Offenses) on the Offenses tab; however, if you perform a search that includes the hidden offenses, the item is displayed in the search results. To hide an offense:
        -Step 1: Click the Offenses tab.
        -Step 2: Click All Offenses. The All Offenses page is displayed.
        -Step 3: Select the offense you want to hide.
        NOTE: To hide multiple offenses, hold the Control key while you select each offense you want to hide.
        -Step 4: From the Actions list box, select Hide. A confirmation page is displayed.
        -Step 5: Click OK. The All Offenses page is displayed, showing all offenses except the hidden offenses.
        NOTE: Hiding an offense does not affect the offense counts that are displayed on the By Category pane of the Offenses tab.
      2. Showing Hidden Offenses
        Hidden offenses are not visible on the Offenses tab; however, you can show hidden offenses if you want to view them again. To view hidden offenses:
        -Step 1: Click the Offenses tab.
        -Step 2: Click All Offenses. The All Offenses page is displayed.
        -Step 3: Use the Search feature to show the hidden offenses: From the Search list box, select New Search. The Offense Search page is displayed.
        -In the Exclude option list on the Search Parameters pane, clear the Hidden Offenses check box.
        -Click Search.
        -The All Offenses page is displayed, including all offenses. A hidden offense is indicated by the Hidden icon in the Flag column. The hidden offenses are still configured as hidden; therefore, the next time you display All Offenses without the search parameters applied, you will not see the hidden offenses.
        -Step 4: Locate and select the hidden offense you want to show.
        -Step 5: From the Actions list box, select Show.
      3. Closing an Offense:
        After you close (delete) an offense, the offense is no longer displayed in any list (for example, All Offenses) on the Offenses tab. The closed offense is removed from the database after the offense retention period has elapsed. The default offense retention period is 3 days. If additional events occur for that offense, a new offense is created. If you perform a search that includes closed offenses, the item is displayed in the search results as long as it has not been removed from the database.
        -Step 1: Click the Offenses tab.
        -Step 2: Click All Offenses. The All Offenses page is displayed.
        -Step 3: Select the offense you want to close.
        NOTE: To close multiple offenses, hold the Control key while you select each offense you want to close.
        -Step 4: From the Actions list box, select Close. The Close Offense window is displayed.
        -Step 5: From the Reason for Closing list box, select a reason. The default reason is non-issue.
        If you have the Manage Offense Closing permission, you can add custom reasons to the Reason for Closing list box.
        -Step 6: Optional. In the Notes field, type a note to provide additional information about closing the offense.
        By default, the Notes field displays the note entered for the previous offense closing. Notes must not exceed 2,000 characters. This note will be displayed in the Notes pane of this offense.
        -Step 7: Click OK.
      4. Closing Listed Offenses:
        The offenses that are displayed on the summary page include either all the offenses or, if a search is applied, a subset of offenses. You can close (delete) all listed offenses from the Offenses tab. After the offense retention period has elapsed, closed offenses are removed from the database. If additional events occur for that offense, a new offense is created. If you perform a search that includes closed offenses, the item is displayed in the search results as long as it has not been removed from the database.
        -Step 1: Click the Offenses tab.
        -Step 2: Click All Offenses.
        -Step 3: From the Actions list box, select Close Listed. The Close Offense window is displayed.
        -Step 4: From the Reason for Closing list box, select a reason. The default reason is non-issue.
        -If you have the Manage Offense Closing permission, you can add custom reasons to the Reason for Closing list box.
        -Step 5: Optional. In the Notes field, type a note to provide additional information about closing the offenses. Notes must not exceed 2,000 characters. This note will be displayed in the Notes pane of these offenses.
        -Step 6: Click OK. The All Offenses page is displayed. The closed offenses are no longer listed.
        NOTE: After you close offenses, the counts that are displayed on the By Category pane of the Offenses tab can take several minutes to reflect the closed offenses.
    3. Sending Email Notification:
      1. Step 1: Click the Offenses tab.
      2. Step 2: Navigate to the offense for which you want to send an email notification.
      3. Step 3: Double-click the offense. The details page for the offense is displayed.
      4. Step 4: From the Actions list box, select Email. The Notification Preferences page is displayed.
      5. Step 5: Enter values for the following parameters:
      6. Step 6: Click Send.
        -An email is immediately sent to the email recipients.
    4. Marking an Item For Follow-Up:
      1. Step 1: Click the Offenses tab.
      2. Step 2: Navigate to the offense you want to mark for follow-up.
      3. Step 3: Double-click the offense you want to mark for follow-up. The details page for the offense is displayed.
      4. Step 4: From the Actions list box, select Follow up.
        The offense now displays a flag in the Flags column, indicating the offense is flagged for follow-up.
        NOTE: If you do not see your flagged offense on the offenses list, you can sort the list to display all flagged offenses first. To sort an offense list by flagged offense, double-click the Flags column header.
  4. Given that QRadar is running, SSH access and administrator privileges, create and configure a login banner so that authorized and unauthorized users are warned that their systems may be monitored.
    With emphasis on performing the following tasks:
    1. Create a login banner file with the desired text.
    2. Save the file in text or HTML format.
    3. SSH to the Console.
    4. Copy the file to QRadar in the /opt/qradar/conf directory.
    5. From the Console GUI, select Admin tab -> Console.
    6. In the Login Message File field, type the absolute path to the login banner file.
    7. Select Save.
    8. Deploy Changes.
    9. Log out of the QRadar Console.
    10. The login message is displayed.
    11. Log back in to the QRadar Console.
  5. Given an existing QRadar installation, create and manage reference sets so that dynamic data can be used in rules.
    With emphasis on performing the following tasks:

    A reference set is a set of data, such as a list of IP addresses or user names. After you create a reference set, you can create rules to detect when log or network activity associated with the reference set occurs on your network.
    You can create a reference set to contain data derived from an external file. For example, you can create a reference set to retain data about terminated employees. First, you add a log source to import a text file containing terminated employee data, such as IP addresses and user names. Then, using the Custom Rule Wizard, create a reference set specifying which data you want to retain from the external file. For more information about adding a log source, see the Log Sources User Guide.
    When a reference set is created, you create a rule that generates a response when a reference set element, such as the IP address of a terminated employee, is detected on your network.
    1. Create a reference set:
      1. To create a new reference set, you must create a new rule or edit an existing rule.
      2. In the rule responses page, check the box labeled Add to a Reference Set, if not already checked.
      3. Click the New button.
      4. Type in a Name. Select the type. Enter a maximum size (default is 10,000, max is 100,000).
      5. Click OK to save. That reference set is now available to all rules.
      6. You can either save the rule or click Cancel. The reference set is saved either way.
    2. Edit a reference set:
      1. To edit an existing reference set, you must create a new rule or edit an existing rule.
      2. In the rule responses page, check the box labeled "Add to a Reference Set", if not already checked.
      3. Select the appropriate Reference Set.
      4. Click the Edit button.
      5. Type in a Name. Select the type. Enter a maximum size (default is 10,000, max is 100,000).
      6. Click OK to save. That reference set is now available to all rules.
      7. You can either save the rule or click Cancel. The reference set is modified either way.
    3. Delete or purge a reference set:
      1. To delete or purge an existing reference set, you must create a new rule or edit an existing rule.
      2. In the rule responses page, check the box labeled "Add to a Reference Set", if not already checked.
      3. Select the appropriate Reference Set.
      4. Click the Delete or Purge button.
      5. Click OK to confirm.
      6. You can either save the rule or click Cancel. The reference set is deleted or purged either way.
  6. Given the QRadar appliance's CLI, allow ICMP ping responses and deny connections from a host so that IPTables has been modified to allow or restrict port/IP access using the CLI.
    With emphasis on performing the following tasks:

    QRadar utilizes IPTables for each appliance's local firewall. QRadar supports the use of the files /opt/qradar/conf/iptables.pre and /opt/qradar/conf/iptables.post for changes to IPTables rules.
    1. To make a Firewall modification, /opt/qradar/conf/iptables.pre is the most commonly used file for firewall changes.
      1. ssh to the appliance in question.
      2. Optionally, make a backup of the configuration file /opt/qradar/conf/iptables.pre:
      3. cp /opt/qradar/conf/iptables.pre /opt/qradar/conf/iptables.pre.bak.$(date +%Y%m%d%H%M%S)
        (A bare `date` expands to several space-separated words, so cp would receive extra arguments and fail; a compact date format keeps the backup name to a single word.)
      4. Edit the file /opt/qradar/conf/iptables.pre
      5. Save the edited file.
      6. Reload IPTables
        -/opt/qradar/bin/iptables_update.pl
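Steps 2 through 6 above, scripted for this objective (deny one host, allow ping replies), as an added example that is not IBM's or the exam's own code. It assumes iptables.pre takes iptables-restore style rule lines (-A INPUT ...), uses 192.0.2.10 as a constructed sample address, and only calls the reload script if it exists on the machine.

```bash
#!/bin/sh
# Added example (not QRadar's own code): stage a host-deny and an ICMP-allow
# rule in iptables.pre, then reload. Assumption: the file holds
# iptables-restore style rule lines such as "-A INPUT ... -j ACCEPT".
set -eu

IPTABLES_PRE="${IPTABLES_PRE:-/opt/qradar/conf/iptables.pre}"
RELOAD_CMD="${RELOAD_CMD:-/opt/qradar/bin/iptables_update.pl}"

# Timestamped backup; a compact format keeps the file name to one word.
backup_file() {
    file="$1"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
}

# Append a rule line only if it is not already present, so re-running
# the script never duplicates rules in the firewall file.
add_rule_once() {
    file="$1"; rule="$2"
    if grep -Fxq -- "$rule" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Validate an IPv4 address or CIDR before it reaches the firewall file.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Stage the two rules from the objective. Order matters: iptables stops at
# the first matching rule, so the DROP for the host goes before any ACCEPT.
stage_rules() {
    file="$1"; deny_host="$2"
    valid_ipv4 "$deny_host" || { echo "bad address: $deny_host" >&2; return 1; }
    touch "$file"
    add_rule_once "$file" "-A INPUT -s $deny_host -j DROP"
    add_rule_once "$file" "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
}

# Number of rule lines in the file, for a quick post-edit sanity check.
rule_count() {
    grep -c '^-A ' "$1" 2>/dev/null || true
}

# Full procedure: back up, stage, reload (reload only where the script exists).
apply() {
    file="$1"; deny_host="$2"
    if [ -f "$file" ]; then
        backup_file "$file"
    fi
    stage_rules "$file" "$deny_host"
    if [ -x "$RELOAD_CMD" ]; then
        "$RELOAD_CMD"
    else
        echo "reload script not found; run $RELOAD_CMD on the appliance" >&2
    fi
    echo "$(rule_count "$file") rule lines now in $file"
}
```

Run as `apply "$IPTABLES_PRE" 192.0.2.10` on the appliance; on any other machine point IPTABLES_PRE at a scratch file to preview the resulting lines.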
  7. Given time series permissions within QRadar, configure time series graphs so that you can view graphical representations of data.
    With emphasis on performing the following tasks:
    1. Log on to the main GUI of QRadar.
    2. Navigate to either the Log Activity or Network Activity tab.
    3. Construct a search or select an existing search that is grouped by at least one property.
    4. On the resulting data graph, select the sprocket icon in the upper right corner of the graph.
    5. From the Chart Type drop-down, choose Time Series and select the various options, such as the values to graph, whether to display the top 5, 10, or 20 results, and the time range for the graph.
    6. Ensure that the Capture Time Series Data check box is selected.
    7. Click the Save button.
    8. A Save Criteria window opens; enter the properties such as Search Name, optionally assign the search to a search group, and select a time span.
    9. Click OK to save the time series graph parameters to a Saved Search.
  8. Given a need to restore a QRadar appliance from backup, restore the backup so that a previous configuration takes effect.
    With emphasis on performing the following tasks:
    1. Log in to the console with a user that has the admin role.
      1. Click the Admin tab.
      2. Click the Backup and Recovery icon.
      3. In the new window, select the archive you wish to restore. Click Restore.
      4. A window will display the backup name and description as well as prompting for a number of parameters. The default selection includes "All Configuration Items" - you may selectively choose the specific items you wish to restore if needed. Configuration items may include:
        -Custom Rules Configuration
        -Deployment Configuration, which includes:
        -Assets
        -Certificates
        -Custom logos
        -Device Support Modules (DSMs)
        -Event categories
        -Flow sources
        -Flow and event searches
        -Groups
        -Log sources
        -Offenses
        -Store and Forward schedules
        -Vulnerability data
        -User and user roles information
        -License key information
      5. If the backup taken included data items, "All data items" will be the default selection. This includes Assets and Offenses. If you wish to restore either of these individually, select the check boxes as needed.
      6. Click Restore. A confirmation window will appear; click OK.
        The restore process begins.
        Do not restart the Console until the restore process is complete. During the restore process, the following steps are taken on the Console:
        Existing files and database tables are backed up.
        Tomcat is shut down.
        All system processes are shut down.
        Files are extracted from the backup archive and restored to disk.
        Database tables are restored.
        All system processes are restarted.
        Tomcat restarts.
        The restore process can take up to several hours, depending on the size of the backup archive.
        When complete, a confirmation message is displayed. Click OK.
        If Tomcat was restarted on the Console, you will need to log back in to the QRadar interface. Upon login, a window is displayed, providing the status of the restore process. Follow the instructions on the status window.
        Note: After you have verified the backup is restored, you will need to re-apply RPMs for any DSMs, vulnerability scanners or log source protocols.
        Note: If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA cluster configuration after the restore is complete. If disk replication is enabled, the secondary host immediately synchronizes data after the system is restored. If the secondary host was removed from the deployment after backup was performed, the secondary host displays a Failed status on the System and License Management window.
  9. Given administrator and root access to a QRadar deployment, perform an ariel data restore so that QRadar data is accessible and searchable.
    With emphasis on performing the following tasks:

    Before you restore the data, consider the following:
    1. If you are restoring data on a newly installed Console, you must restore the configuration backup before restoring the data backup.
    2. Locate the managed host on which the data is backed up.
    3. All systems in your deployment with storage capabilities store the backups locally in the configured backup directory.
    4. This ariel data restore should only be accomplished with data backup files and not configuration backup files. The difference will be identified in the backup file name.
      1. The backup filename will look similar to the following: backup... ...tgz
        - is the name associated with the backup
        - is the name of the QRadar system hosting the backup file followed by the identifier for the QRadar system.
        - is the date that the backup file was created. The format of the target date is __.
        - type will be either data or config (for configuration backup)
        - is the time that the backup file was created.
    5. Make sure your /store (/store/ariel) directory includes adequate space (if your deployment includes a separate mount point for that volume) for the data you want to recover.
    6. Identify the date and time for the data you want to recover.
      To restore your ariel data:
    7. Using SSH, log in to QRadar as the root user
    8. Change directory to the root directory
      1. cd /
    9. Extract the files to their original directory
      1. tar -xzpvPf
      2. example: tar -zxpvPf /store/backup/backup.scheduled.csd9_2.31_03_2008.data.1207033304942.tgz
        Note: Data backups on a daily basis capture all data for that day on each host. If you want to restore data on a managed host that only contains event or flow data, only that data is restored to that host.
        Note: If you want to maintain the restored data, you can increase your data retention settings to prevent the nightly disk maintenance routines from deleting your restored data. To ensure your restored data is not deleted, see Verifying That Your Data is Restored.
        To verify that your data has been restored correctly:
    10. Log in to the QRadar interface.
    11. Click the Log Activity or Network Activity tab.
    12. Select Edit Search from the Search list box on the toolbar.
    13. The search window is displayed.
    14. In the Time Range pane, select Specific Interval.
    15. Select the time range of the data you restored in Step 5.
    16. Click Filter.
    17. View the results to verify the restored data.
      Note: After you have verified that your data is restored to your system, you must re-apply RPMs for any DSMs, vulnerability assessment (VA) scanners, or log source protocols, if you are restoring data to a new, different, or rebuilt deployment.
      Common Troubleshooting Tips:
      If you have restored your data files and the restored data is not available in the QRadar interface, we recommend that you verify the following:
      Verify that you have restored the data to the proper location. For example, the restored files need to be located in the /store directory, however, if you typed cd instead of cd / in Step 4, the files would be restored in the directory in which you typed the command (the /root/store directory).
      Also, if you omitted Step 4, the files would be restored in the /store/backup/store directory.
      Ensure all proper file permissions are correctly configured. Typically, files are restored with the original permissions. However, if the files are owned by the root user account, this can cause issues. If this is the case, adjust the file permissions using the chown and chmod commands. For assistance, please contact Q1 Labs Customer Support.
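The checks in steps 4, 5, 8 and 9 and in the troubleshooting tips above (data backup rather than config backup, extraction from /, enough room under /store), as an added pre-flight script that is not IBM's or the exam's own code. It reads the archive type and date from the trailing fields of the filename, using the sample name on this page as the only reference for that layout; that field layout is an assumption.

```bash
#!/bin/sh
# Added example (not QRadar's own code): pre-flight checks before the
# "cd / ; tar -xzpvPf <archive>" step of an Ariel data restore.
# Filename layout assumed from the sample on this page:
#   backup.scheduled.csd9_2.31_03_2008.data.1207033304942.tgz
# i.e. the type ("data" or "config") is the second-to-last dot-separated
# field and the DD_MM_YYYY date is the field before it.
set -eu

# Type field of a backup archive name: "data" or "config".
backup_type() {
    basename "$1" .tgz | awk -F. '{print $(NF-1)}'
}

# Date field (DD_MM_YYYY) of a backup archive name.
backup_date() {
    basename "$1" .tgz | awk -F. '{print $(NF-2)}'
}

# Only data backups are restored with tar; configuration backups go
# through the Admin tab's Backup and Recovery restore instead.
is_data_backup() {
    [ "$(backup_type "$1")" = data ]
}

# Uncompressed size of a .tgz in KiB, read from the gzip trailer. The
# trailer stores size modulo 4 GiB, so treat this as a lower bound.
archive_uncompressed_kb() {
    gzip -l "$1" | awk 'NR==2 {printf "%d", ($2 + 1023) / 1024}'
}

# Available KiB on the filesystem that holds the given directory.
available_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# The archive carries absolute paths (hence tar -P). Run from / or the
# data lands under $PWD/store, where the QRadar interface never looks.
restore_preflight() {
    archive="$1"; store_dir="${2:-/store}"
    is_data_backup "$archive" || {
        echo "refusing: $(backup_type "$archive") backup, not a data backup" >&2
        return 1; }
    [ -r "$archive" ] || { echo "unreadable archive: $archive" >&2; return 1; }
    [ "$(pwd)" = / ] || { echo "run from / (cd /), not $(pwd)" >&2; return 1; }
    need=$(archive_uncompressed_kb "$archive")
    have=$(available_kb "$store_dir")
    [ "$have" -gt "$need" ] || {
        echo "need ${need} KiB under $store_dir, only ${have} KiB free" >&2
        return 1; }
    echo "ok: $(backup_date "$archive") data backup, ${need} KiB; run: tar -xzpvPf $archive"
}
```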

