QRADAR INCIDENT RESPONSE

  • Purposes of QRadar SIEM
  • QRadar SIEM and the IBM Security Framework
  • Identifying suspected attacks and policy breaches
  • Providing context
  • Key QRadar SIEM capabilities
  • QRadar SIEM Console
  • Normalizing log messages to events
  • Event collection and processing
  • Flow collection and processing
  • Reporting
  • Asset profiles
  • Active scanners
  • QRadar Vulnerability Manager scanner
  • Gathering asset information
  • Navigating the Dashboard tab
  • Dashboard overview
  • Default dashboard
  • QRadar SIEM tabs
  • Other menu options
  • Context-sensitive help
  • Dashboard refresh
  • Dashboard variety
  • Creating a custom dashboard
  • Managing dashboard items
  • Introduction to offenses
  • Creating and rating offenses
  • Instructor demonstration of offense parameters
  • Selecting an offense to investigate
  • Offense Summary window
  • Offense parameters
  • Top 5 Source IPs
  • Top 5 Destination IPs
  • Top 5 Log Sources
  • Top 5 Users
  • Top 5 Categories
  • Last 10 Events
  • Last 10 Flows
  • Annotations
  • Offense Summary toolbar
  • Lesson 4: Acting on an offense
  • Offense actions
  • Offense status and flags
  • How to create alerts
  • Understanding alerts
  • Viewing fired alerts
  • Navigating to the events
  • List of events
  • Event details: Base information
  • Event details: Reviewing the raw event
  • Event details: Additional details
  • Returning to the list of events
  • Filtering events
  • Applying a Quick Filter to the payload
  • Using another filter option
  • Grouping events
  • Grouping events by low-level category
  • Removing grouping criteria
  • Viewing a range of events
  • Monitoring the scanning host
  • Saving search criteria
  • Event list using the saved search
  • About Quick Searches
  • Using alternative methods to create and edit searches
  • Finding and loading a saved search
  • Search actions
  • Adding a saved search as a dashboard item
  • Saving a search as a dashboard item
  • Enabling time-series data
  • Selecting the time range
  • Displaying 24 hours in a dashboard item
  • Modifying items in the chart type table
  • About asset profiles
  • Creating asset profiles
  • Navigating from an offense to an asset
  • Assets tab
  • Asset summary
  • About flows
  • Network Activity tab
  • Grouping flows
  • Finding an offense
  • Offense parameters
  • Top 5 Source and Destination IPs
  • Top 5 Log Sources
  • Top 5 Categories
  • Last 10 Events
  • Last 10 Flows
  • Annotations
  • Base information
  • Source and destination information
  • Layer 7 payload
  • Additional information
  • Creating a false positive flow or event
  • Tuning a false positive flow or event
  • About rules and building blocks
  • About rules
  • About building blocks and functions
  • Navigating to rules
  • Finding the rules that fired for an event or flow
  • Finding the rules that triggered an offense
  • Rule Wizard demonstration
  • Rule Wizard
  • Rule actions
  • Rule response
  • Reporting introduction
  • Reporting demonstration
  • Reports tab
  • Finding a report
  • Running a report
  • Selecting the generated report
  • Viewing a report
  • Reporting demonstration
  • Creating a new report template
  • Choosing a schedule
  • Choosing a layout
  • Defining report contents
  • Configuring the upper chart
  • Configuring the lower chart
  • Verifying the layout preview
  • Choosing a format
  • Distributing the report
  • Adding a description and assigning the group
  • Verifying the report summary
  • Viewing the generated report
  • Filtering demonstration
  • Flows to external destinations
  • Remote to Remote flows
  • Scanning activity
  • Applications not running on the correct port
  • Data loss
  • Flows to suspect Internet addresses
  • Filtering on custom rules and building blocks
  • Grouping by custom rules
  • Charts on Log and Network Activity tabs: Grouping
  • Charts on Log and Network Activity tabs: Time range
  • Capturing time-series data
  • Viewing time series charts: Zooming to focus

QRADAR ADMINISTRATION

  • Plan and design QRadar deployment
  • Implement and install QRadar
  • Add Managed Hosts
  • Plan QRadar upgrade and migration
  • Review documentation and release notes
  • Perform QRadar updates, patches and upgrades
  • Perform migration (e.g., backup and restore, import and export content)
  • Configure event flow sources and custom properties
  • Maintain configuration and data backups
  • Create and administer users, user roles, and security profiles
  • Manage the license per allocation
  • Create, review and modify rules, building blocks and reference sets
  • Configure and manage retention policies (i.e., data and assets)
  • Create and manage saved searches, index, global views, dashboards and reports
  • Deploy and manage applications and content packages
  • Configure global system notifications
  • Configure and apply network hierarchy
  • Configure and manage domains and tenants
  • Use the asset database
  • Schedule and run a VA scan
  • Monitor QRadar notifications and error messages
  • Review and interpret system monitoring dashboards
  • Verify QRadar processes and services
  • Monitor QRadar performance
  • Use apps and tools for monitoring (e.g., QDI, assistant app, incident overview, DrQ)
  • Check system maintenance and health of appliances
  • Monitor offenses and detect anomalies
  • Demonstrate knowledge of key commands to interpret QRadar services and processes
  • Explain error messages and notifications
  • Interpret the basic logs (e.g., qradar.error, qradar.log)
  • Use embedded troubleshooting tools and scripts

PRACTICE TEST AND INTERVIEW QUESTIONS

At CyberVZN trainings, we provide practice tests at the end of the course, Splunk interview questions and answers, community questions and answers, and sample resumes to help you crack the interview.