PresentationMaterialLog PDF
Course Exercises
IBM Security QRadar SIEM
Administration
Course code BQ150 ERC 1.3
IBM Training
Licensed to Anim M for class on 5/29/2018
August 2016 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.
TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Unit 11 Custom Offense Close Reasons exercises 11-1
This unit has no student exercises.
Exercise 3 Assign a Log Source 23-4
Virtual machines
The lab environment uses the following virtual machines (VMs):
• QRadar® - a virtual machine running IBM® Security QRadar on Red Hat Enterprise Linux.
• Client - a virtual machine running a graphical user interface. For the exercises, you will use one
or more of the following installed software applications:
– Mozilla Firefox
– OpenSSH client or PuTTY
Logging in to the QRadar web interface
To log in to the QRadar web interface, perform the following steps:
1. Double-click the Firefox icon on the desktop of the client VM.
Alternatively, you can click the Firefox icon in the main menu of the desktop. To open the main
menu, click Computer in the very left of the bottom panel of the desktop.
2. The browser starts and loads the login page of QRadar. The Username and Password fields
should already be populated. If they are not populated, for the Username, enter admin, and for
the Password, enter object00.
Running commands on the QRadar VM
To establish an SSH session with the QRadar VM, perform the following steps:
1. Double-click the Terminal icon on the desktop of the client VM.
2. To establish an SSH session with the SSH service running on the QRadar VM, run the
OpenSSH client in the terminal window:
ssh 192.168.10.10
3. If the OpenSSH client prompts you to confirm the authenticity of the remote host, enter yes.
5. Instead of the OpenSSH client in the terminal, you can use PuTTY. To start PuTTY, double-click
the PuTTY SSH Client icon on the desktop.
6. In PuTTY, double-click the session with the name QRadar to establish an SSH session to the
QRadar VM.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Backup and Recovery icon in the System
Configuration section.
5. In the Backup Archives window, click On Demand Backup in the options toolbar.
a. For Name, enter Initial.
d. Click OK.
6. Wait for the Initial backup to finish and display in the Existing Backups list.
3. In the User Details window, enter the values shown in the following table.
Field              Value
Username           Exercise
E-mail             [email protected]
Password           <any password>
Confirm Password   <same as Password field>
Description        Exercise user that will be removed when the initial backup is recovered
User Role          Admin
Exercise 3 Create Offenses and Assets
1. Return to the desktop of the Student client.
2. On the Student machine desktop, double-click the PuTTY SSH Client icon.
3. In the PuTTY client window, select the QRadar Saved Session, and click Load.
5. In the PuTTY command line window, log in to the QRadar SIEM machine as root with
password object00.
7. Log and flow records are generated in the background. Let the service execute for about
5 minutes.
9. Click the Log Sources icon in the Data Sources section and verify that at least 20 log sources
are listed.
10. Navigate to the Assets tab and refresh the list. You notice a list of assets added since the initial
backup was made. Verify that at least 100 assets are listed.
11. Navigate to the Offenses tab and refresh the list. You notice a long list of offenses added since
the initial backup was created. Verify that at least nine offenses are listed.
Exercise 4 Recover the Initial backup
1. In the QRadar Console, navigate to the Admin tab and click the Backup and Recovery icon in
the System Configuration section.
6. Wait until the recover process finishes and click OK on the recover result window.
7. Log in to the QRadar Console with username admin and password object00.
9. Click Advanced, select Deploy Full Configuration from the menu, and wait until the
deployment finishes.
Note: You must log in to QRadar interface again after the full deployment has completed.
10. Click the Users icon in the User Management section and verify that the user Exercise is
removed.
11. Click the Log Sources icon in the Data Sources section and verify that only one log source
remains.
12. Navigate to the Offenses tab. Verify that no offenses are listed.
13. Navigate to the Assets tab. Verify that two or three assets are listed.
3. Verify that some indexed properties have data-written values by sorting the Data Written
column in descending order.
Note: Management information for the indexed property updates every hour.
5. Click Save.
6. Click OK.
Task 2 Use an indexed property in a search
1. On the Student machine desktop, double-click the PuTTY SSH Client icon.
6. Modify the search using Add Filter and View using the following criteria:
a. View the events from the last 30 minutes.
ii. For the Columns list, select only Event Name and Event Count.
7. Click Search.
8. Verify that your search results look similar to the results in the following figure.
10. Save the search using the values shown in the following table.
11. Verify that your save search configuration looks like the one in the following figure.
Because Index Management refreshes the statistics every hour, you must wait one hour to see any
modifications to the statistics. To view the data for the indexed property used in the search, perform
the following steps:
15. Verify that the AccountName property now includes statistics for the indexed property.
6. Create a new property using the values shown in the following table.
7. Verify that your configuration looks like the one in the following figure.
8. Click Save.
Task 4 Verify that the indexed property is configured to use in searches or rules
1. In the QRadar SIEM console, double-click the Log Activity tab.
Note: You can use the new property in searches and reports.
4. Click Rules.
6. Edit the Exercise-Policy: Accounts under Surveillance rule and verify that you cannot
change the Username testable object to WinLogonType (custom).
4. In the Property Definition window, enable the Optimize parsing for rules, reports, and
searches option.
5. Click Save.
6. Edit the Exercise: Policy: Accounts under Surveillance rule and change the
AccountName(Custom) testable object to WinLogonType (custom).
Note: If you disable indexing for the WinLogon Type property and keep parsing optimized for
rules, reports, and searches, you can continue to use the property in searches and rules.
3. In the Quick Search field, enter Exercise and click the magnifying glass icon.
2. Open the Quick Searches menu and select Exercise:Report:Index Management - Last 15
Minutes.
3. Click any green gear wheel icon and change the Chart Type to Time Series.
4. Enable the Capture Time Series Data check box and click Save.
5. Repeat the steps in Task 1 on page 3-7.
6. If you see a result, what is the Aggregated Data ID of the result? _______________
2. Open the Quick Searches menu and select Exercise:Report:Index Management - Last 15
Minutes. Click Rules and then click Add Behavioral Rule.
3. Create an ADE Rule using the information shown in the following table.
7. Enter the Aggregated Data ID you found in Step 6 of Task 2 into the search field and click the
magnifying glass icon.
9. Verify that all Display views show results, except for the Reports view.
Field / Option   Value
Chart Type       Events/Logs
Chart Title      Demo
Type             Saved Search Exercise:Report:Index Management
2. Save the Container Details and click Next and Finish until the report wizard exits.
5. Enter the Aggregated Data ID you found in Step 6 on page 3-8 into the search field and click
the magnifying glass icon.
Hint: Double-click the report, change the schedule in the Report Wizard, and then click Finish.
11. For every selectable report schedule, verify that the following statements are true:
– Manual schedules do not use Aggregated Data Views.
– Hourly schedules do not use Aggregated Data Views.
– Daily schedules use Aggregated Data Views.
– Weekly schedules use Aggregated Data Views.
– Monthly schedules use Aggregated Data Views.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Network Hierarchy icon in the System Configuration
section.
5. Click Add.
6. In the Add Network window, click the green gear wheel icon.
7. For Name in the Add a new Group window, enter the following text: QRadar.Clients
8. Click Save.
9. In the Add Network window, enter the values shown in the following table.
Field         Value
Name          Student
Description   Exercise
IP/CIDR(s)    192.168.10.30
10. Make sure you click the plus icon to add the IP/CIDR(s) value to the object’s list.
13. In the Add Network window, click the green gear wheel icon.
The Add a new group window opens.
15. Click Save.
16. In the Add Network window, enter the values shown in the following table.
Field         Values
Name          On_Premise
Description   Exercise
IP/CIDR(s)    192.168.10.20/32
              192.168.10.16/30
              192.168.10.12/30
              192.168.10.10/31
22. Verify that the Student and On_Premise Network Hierarchy objects are listed.
2. Wait until you see flow records with the IP address 192.168.10.10 or 192.168.10.30.
3. Hover the mouse over either of the IP addresses and review the Network field information.
4. To view the Network Hierarchy objects you created, click Add Filter.
5. In the Add Filter window, enter the values shown in the following table.
Field       Value
Parameter   Destination Network
Operator    Equals
Value       QRadar.Managed_Hosts
8. On the Student machine desktop, double-click the PuTTY SSH Client icon.
14. Verify that no rows other than one with a Destination Network of On_Premise are listed.
17. Use the right-click option menu on the Destination IP column to apply Filter on Destination IP
is not 192.168.10.10.
18. Verify that you only see rows with Destination IP 192.168.10.12.
19. Hover the mouse over the Destination IP address and review the Network field information.
20. Navigate to the Admin tab and click the Network Hierarchy icon in the System Configuration
section.
23. Select 192.168.10.12/30 from the IP/CIDR(s) list and click the red X.
28. Hover the mouse over the Destination IP address and review the Network field information to
verify that it no longer displays QRadar.Managed_Hosts.On_Premise.
Note: Imagine an offense rule that is triggered by flows matching a specific Network Hierarchy
object. Now assume that an offense was triggered by the rule, and a local IP address in the
offense is removed from the Network Hierarchy object afterwards. The offense will then no longer
show the original Network Hierarchy object for the local IP address, although the offense was
triggered by the fact that the IP address was covered by the Network Hierarchy object.
Hint: Check the Offenses and hover your mouse over the Destination IPs field (192.168.10.12) of
the “Remote Desktop Access from the Internet containing RemoteAccess.MSTerminalServices”
offense. Add 192.168.10.12/30 to the Students Network Hierarchy object and then check the
offense again. This demonstrates how fundamental the Network Hierarchy is to QRadar and that
its configuration must be part of the initial configuration of QRadar.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the System and License Management icon in the System
Configuration section.
9. In the Advanced Options area, enter the values shown in the following table.
Field                                  Value
Include Debug Logs                     <enable>
Include Setup Logs (Current Version)   <enable>
Collect Logs for this Many Days        1
11. When you see the Log file collection completed successfully. Click here to download file
message, click the hyperlink.
2. On the Student machine desktop, double-click the PuTTY SSH Client icon.
3. In the PuTTY Configuration window, click the QRadar Default Settings and click Load.
4. Click Open.
5. In the command line interface (CLI), log in as root with password object00.
9. Log in to the QRadar Console with username admin and password object00.
10. Navigate to the Admin tab and click the System Health icon in the System Configuration
section.
11. Wait until you see the Local QRadar janus (192.168.10.10) snap-in display in the System
Health window.
12. Click the graph in the window.
13. In the Host Notification Table window, scroll to the Memory Usage graph.
14. Hover your mouse on the top time series graph, as shown in the following figure.
16. To return to the System Health window, click Local QRadar or QRadar Health Console.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Reference Set Management icon in the System
Configuration section.
5. Click Add.
6. Create a reference set using the values shown in the following table.
7. Verify that your configuration looks like the one in the following figure.
8. Click Create. Verify that Newly created users is added to the list of Reference Sets.
6. Click Import.
8. Select the HR files.txt file on the Student desktop and click Open.
10. Verify that your HR Data reference set content looks like the content in the following figure.
2. Create the reference set using the values shown in the following table.
3. Click Create.
4. On the Student desktop, create another text file with the following lines, each terminated by a
new line character, except for the last entry:
– QRadar
– QRM
– QVM
11. While looking at the elements in the High Surveillance reference set, click the Refresh icon
several times for approximately one minute.
16. Close the Reference Set Editor and the Reference Set Management windows.
2. Click Rules.
5. In the Rule Wizard window, click Next until you see the Rule Wizard - Rule Response window.
6. In the Rule Wizard - Rule Response window, change the IT Admins-AlphaNumeric reference
set to High Surveillance - AlphaNumeric (Ignore Case).
7. Click Finish.
9. In the Rule Editor - Rule Test Stack Editor window, change the IT Admins testable object to
High Surveillance - AlphaNumeric (Ignore Case) by performing the following steps:
a. Select the IT Admins - AlphaNumeric testable object.
b. In the Selected Items list, click IT Admins - AlphaNumeric and click Remove -.
c. In the window, click High Surveillance - AlphaNumeric (Ignore Case) and click Add +.
d. Click Submit.
10. Verify that your rule looks like the one in the following figure.
Note: You modified two sample rules to use the High Surveillance reference set. The first rule
adds any account that is locked out to the reference set. The second rule generates a new event
with the EventName User Surveillance Event when one of the listed users generates activity.
6. Verify that the rule configured to add elements to the reference set is Exercise-Policy: Add
locked accounts to Surveillance list.
2. Double-click the PuTTY SSH Client icon on the Student desktop and load the QRadar Saved
Session, and then click Open.
Hint: When browsing for the user surveillance event to include in the filter, in the Event Browser
window in the QID/Name field, type User Surveillance Event.
5. Verify that the user names are listed in the High Surveillance Reference Set.
notification when these accounts are used. The Exercise-Policy:Accounts under Surveillance
rule sends a notification to the QRadar SIEM console to satisfy this requirement.
1. To see such a notification, in the QRadar SIEM console on the toolbar, click Messages.
3. In the List of Events window, double-click the User Account Locked Out event.
All the User Account Locked Out events are displayed. These events are also in the System
Monitoring dashboard under System Notifications. If time permits, examine these events and
explain which rule sends these events to the System Monitoring dashboard. Check the responses
defined for the demo rules that were triggered by these events.
Hint: Another use case of this functionality is to monitor the actions of employees leaving the
company. To perform the rule test only for events representing actions by leaving employees, add
another test to the Exercise-Policy: Accounts under Surveillance rule and test for user
accounts that access files contained in the sensitive data reference set.
Note: To follow the hint, you must create a custom event property to capture the file and directory
names from Windows events. For testing, use the FSPDC log source and create a custom
property for the “Object Name” value. Add the value for this Custom Property to the sensitive data
reference set. Add the test group “and when any of these event properties are contained in any of
these reference set(s)” to the rule mentioned above and add the created custom event property
and the sensitive data reference set to the suitable underlined values. Emulate the Windows log
source by using the sendFSPDC script in the labfiles directory of the QRadar SIEM server.
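As an added illustration (not code from the course or from QRadar), the following Python model shows the logic of the two sample rules described in the note after Step 10 and the extra test suggested in the hint: one rule adds every locked-out account to the High Surveillance reference set, the other generates a User Surveillance Event when a listed account is active, and, when a sensitive data reference set is supplied, only when the accessed object is in that set. The event lines, the key=value layout, and the `SurveillanceRules` and `run_rules` names are constructed for this example; the matching is simplified compared with the real rule engine.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample events in a simple key=value form (not real Windows or QRadar
# payloads). Windows event IDs used: 4740 = account locked out, 4624 = logon,
# 4663 = object access.
SAMPLE_EVENTS = [
    "EventID=4740 Category=AccountLockout User=jdoe",
    "EventID=4624 Category=Logon User=asmith",
    "EventID=4624 Category=Logon User=JDOE",
    "EventID=4663 Category=FileAccess User=jdoe Object=C:\\HR\\salaries.xlsx",
    "EventID=4663 Category=FileAccess User=jdoe Object=C:\\Temp\\notes.txt",
    "EventID=4624 Category=Logon User=bwayne",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed key=value line into a property dictionary."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


class SurveillanceRules:
    """Assumed, simplified model of the two rules: one populates the reference
    set, the other tests the event's user name against that set."""

    def __init__(self, ignore_case: bool = True,
                 sensitive_data: Optional[Iterable[str]] = None) -> None:
        self.ignore_case = ignore_case          # "AlphaNumeric (Ignore Case)" set type
        self.high_surveillance: Set[str] = set()
        # Optional second reference set from the hint ("sensitive data")
        self.sensitive_data: Set[str] = {self._norm(v) for v in (sensitive_data or [])}

    def _norm(self, value: str) -> str:
        return value.lower() if self.ignore_case else value

    def process(self, event: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Apply both rules to one event; return the generated event, if any."""
        user = event.get("User")
        if not user:
            return None
        # Rule 1 ("Add locked accounts to Surveillance list"): the rule response
        # adds the user name to the reference set and generates no event.
        if event.get("Category") == "AccountLockout":
            self.high_surveillance.add(self._norm(user))
            return None
        # Rule 2 ("Accounts under Surveillance"): user name contained in the set.
        if self._norm(user) not in self.high_surveillance:
            return None
        # Extra test from the hint: fire only when the accessed object is in the
        # sensitive data reference set (skipped when that set is not configured).
        if self.sensitive_data and self._norm(event.get("Object", "")) not in self.sensitive_data:
            return None
        return {"EventName": "User Surveillance Event", "User": user,
                "SourceEventID": event.get("EventID", "")}


def run_rules(lines: Iterable[str],
              sensitive_data: Optional[Iterable[str]] = None
              ) -> Tuple[Set[str], List[Dict[str, str]]]:
    """Feed the lines through the rules; return the reference set and generated events."""
    rules = SurveillanceRules(sensitive_data=sensitive_data)
    generated = [g for g in (rules.process(parse_event(line)) for line in lines) if g]
    return rules.high_surveillance, generated


if __name__ == "__main__":
    watched, events = run_rules(SAMPLE_EVENTS)
    print("High Surveillance:", sorted(watched))
    for e in events:
        print(e)
    print("With sensitive data set:", run_rules(SAMPLE_EVENTS, {"C:\\HR\\salaries.xlsx"})[1])
```

Running the block without a sensitive data set generates three surveillance events for jdoe (the upper-case JDOE logon matches because the set is case-insensitive); with the set, only the access to the HR spreadsheet generates one.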
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Centralized Credentials icon in the System
Configuration section.
5. Click Add.
6. In the Credential set window, enter the values shown in the following table.
Field         Value
Name          Fredericton
Description   Exercise
9. Click Add.
11. In the Credential set window, enter the values shown in the following table.
Field      Value
Username   root
Password   object00
14. In the Credential set window, enter the values shown in the following table.
Field      Value
Domain     coe.ibm.com
Username   QVMUser
Password   object00
21. Verify that a Credential Set with Name Fredericton was saved.
23. In the Credential set window, enter the values shown in the following table.
Field         Value
Name          Delft
Description   Exercise
28. In the Credential set window, enter the values shown in the following table.
Field      Value
Domain     nl.ibm.com
Username   QVMUser
Password   object00
31. Verify that a Credential Set with the Name Delft has been added to the Credentials list.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Forwarding Destinations icon in the System
Configuration section.
5. Click Add.
6. In the Forwarding Destination Properties window, enter the values shown in the following table.
Field                 Value
Name                  UDP_Destination
Destination Address   192.168.10.30
Event Format          Payload
Destination Port      514
Protocol              UDP
7. Click Save.
8. Click Add.
9. In the Forwarding Destination Properties window, enter the values shown in the following table.
Field                 Value
Name                  JSON_Destination
Destination Address   192.168.10.30
Event Format          JSON
Destination Port      5141
Protocol              TCP over SSL
10. Click the Profile Options > Create New Profile option from the list.
12. In the table, activate the following properties by clicking the check box. Then type the default
values shown in the following table.
Property            Default
src                 192.168.10.10
dst
usrName             QRadar
payload
protocolName        TCP over SSL
eventName
lowLevelCategory
highLevelCategory
logSource           QRadar
Hostname            QRadar
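As an added example (not code from the course or from QRadar), the following Python model shows what the forwarding profile above does to an event before it is forwarded and how the two destinations differ: only the activated properties are forwarded, the profile's default fills in a property the event does not carry, the Payload format sends the raw payload while JSON sends the selected properties, and each destination keeps the Seen, Sent and Dropped counts that the next exercise asks you to watch. The fill-in semantics of the defaults, the counter behaviour, the `ForwardingDestination` class and the sample event are assumptions made for this example.

```python
import json
from typing import Callable, Dict, List, Optional

# Profile from the exercise table: activated property -> default value
# (None = activated, no default). Values are the course's; the dict form is this example's.
FORWARDING_PROFILE: Dict[str, Optional[str]] = {
    "src": "192.168.10.10", "dst": None, "usrName": "QRadar", "payload": None,
    "protocolName": "TCP over SSL", "eventName": None, "lowLevelCategory": None,
    "highLevelCategory": None, "logSource": "QRadar", "Hostname": "QRadar",
}

# Constructed normalized event (not a real QRadar record). It has no src, usrName
# or Hostname, so the profile defaults are used for those; "severity" is not in
# the profile and is therefore never forwarded.
SAMPLE_EVENT: Dict[str, str] = {
    "dst": "192.168.10.30",
    "eventName": "Multiple Login Failures for Single Username",
    "lowLevelCategory": "Misc Login Failed",
    "highLevelCategory": "Authentication",
    "logSource": "FSPDC",
    "protocolName": "TCP",
    "payload": "<85>Jan 1 00:00:00 FSPDC sshd: Failed password for admin",
    "severity": "7",
}


def apply_profile(event: Dict[str, str], profile: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Keep activated properties only; use the default where the event has no value."""
    out: Dict[str, str] = {}
    for prop, default in profile.items():
        value = event.get(prop)
        if value is None or value == "":
            value = default
        if value is not None:          # activated, empty and without default: omitted
            out[prop] = value
    return out


def format_event(event: Dict[str, str], profile: Dict[str, Optional[str]],
                 event_format: str) -> str:
    """Render the event in one of the two formats used in the exercise."""
    if event_format == "Payload":
        return event.get("payload", "")
    if event_format == "JSON":
        return json.dumps(apply_profile(event, profile), sort_keys=True)
    raise ValueError(f"unsupported event format: {event_format}")


class ForwardingDestination:
    """Destination with Seen/Sent/Dropped counters; `send` stands in for the transport."""

    def __init__(self, name: str, address: str, port: int, protocol: str,
                 event_format: str, profile: Dict[str, Optional[str]],
                 send: Callable[[bytes], None]) -> None:
        self.name = name
        self.address, self.port, self.protocol = address, port, protocol
        self.event_format, self.profile, self._send = event_format, profile, send
        self.seen = self.sent = self.dropped = 0

    def forward(self, event: Dict[str, str]) -> bool:
        """Count the event as seen, then as sent or dropped depending on the transport."""
        self.seen += 1
        try:
            self._send(format_event(event, self.profile, self.event_format).encode("utf-8"))
        except OSError:
            self.dropped += 1   # e.g. destination unreachable (simulated below)
            return False
        self.sent += 1
        return True


def demo() -> Dict[str, Dict[str, int]]:
    """Forward the sample event to both exercise destinations; return the counters."""
    delivered: List[bytes] = []
    udp = ForwardingDestination("UDP_Destination", "192.168.10.30", 514, "UDP",
                                "Payload", FORWARDING_PROFILE, delivered.append)

    def unreachable(_: bytes) -> None:
        raise OSError("connection refused")   # simulated failed TLS connection

    tls = ForwardingDestination("JSON_Destination", "192.168.10.30", 5141, "TCP over SSL",
                                "JSON", FORWARDING_PROFILE, unreachable)
    for dest in (udp, tls):
        dest.forward(SAMPLE_EVENT)
    return {d.name: {"seen": d.seen, "sent": d.sent, "dropped": d.dropped} for d in (udp, tls)}


if __name__ == "__main__":
    print(format_event(SAMPLE_EVENT, FORWARDING_PROFILE, "JSON"))
    print(demo())
```

The JSON output carries `src`, `usrName` and `Hostname` from the profile defaults, keeps the event's own `logSource` of FSPDC rather than the default, and omits `severity`; the simulated unreachable TLS destination shows how Seen increases while Sent stays at zero and Dropped grows.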
Exercise 2 Use the Forwarding destinations in a rule
1. Navigate to the Offenses tab and click the Rules menu option.
2. Find the Authentication: Multiple Login Failures for Single Username Rule and edit it.
3. Click Next.
4. Under the Rule Response section, select the Send to Forwarding Destinations check box.
6. Click Finish.
7. On the Student machine desktop, double-click the PuTTY SSH Client icon.
12. Click the Forwarding Destinations icon and refresh several times to see the column’s Seen,
Sent, and Dropped values increase.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Log Source Groups icon in the Data Sources section.
Parameter     Value
Name          DomainA
Description   exercise
7. Click OK.
Parameter     Value
Name          DomainA
Description   Exercise
7. Click Add.
11. Click Add.
2. Click Add.
3. In the Add Network window, click the green gear wheel icon.
4. In the Add a new group window’s Name field, enter the following text:
Europe.Amsterdam.HQ
5. Click Save.
6. In the Add Network window, enter the values shown in the following table.
Field         Value
Name          DatabaseServers
Description   DomainA databaseservers
IP/CIDR(s)    192.168.10.0/24
7. Make sure that you click the plus icon to add the IP/CIDR(s) value to the object’s list.
8. Click Create.
Note: Using domains allows the Network Hierarchy to contain objects with overlapping IP ranges.
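As an added example (not code from the course or from QRadar), the following Python model resolves an IP address to the most specific Network Hierarchy object within a domain. It illustrates two points: the note after Step 28 of the earlier Network Hierarchy exercise (the object shown for 192.168.10.12 is evaluated against the current configuration, so it disappears once 192.168.10.12/30 is removed from On_Premise and reappears under Student when the hint's /30 is added there), and the note above that objects in different domains may hold overlapping ranges. The object names and CIDRs come from the exercises; the `NetworkHierarchy` class, longest-prefix semantics and the "Default" domain name are assumptions made for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class NetworkHierarchy:
    """Simplified model (not QRadar's data model): objects are keyed by
    (domain, dotted object name) and hold a list of CIDRs. A lookup returns the
    longest-prefix match within one domain; ranges may overlap across domains."""

    def __init__(self) -> None:
        self.objects: Dict[Tuple[str, str], List[Network]] = {}

    def add(self, domain: str, name: str, cidr: str) -> None:
        # strict=False lets a bare host address such as 192.168.10.30 become a /32
        net = ipaddress.ip_network(cidr, strict=False)
        self.objects.setdefault((domain, name), []).append(net)

    def remove(self, domain: str, name: str, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        nets = self.objects.get((domain, name), [])
        self.objects[(domain, name)] = [n for n in nets if n != net]

    def lookup(self, ip: str, domain: str = "Default") -> Optional[str]:
        """Most specific object covering ip in the domain, evaluated against the
        current configuration (so the answer changes when a CIDR is removed)."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[str, int]] = None
        for (d, name), nets in self.objects.items():
            if d != domain:
                continue
            for net in nets:
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None


def build_exercise_hierarchy() -> NetworkHierarchy:
    """Objects as configured in the exercises. "Default" is an assumed label for
    the hierarchy that is not tied to a domain."""
    h = NetworkHierarchy()
    h.add("Default", "QRadar.Clients.Student", "192.168.10.30")
    for cidr in ("192.168.10.20/32", "192.168.10.16/30", "192.168.10.12/30", "192.168.10.10/31"):
        h.add("Default", "QRadar.Managed_Hosts.On_Premise", cidr)
    # DomainA object whose /24 overlaps every range above, which domains allow
    h.add("DomainA", "Europe.Amsterdam.HQ.DatabaseServers", "192.168.10.0/24")
    return h


def before_and_after_removal(ip: str = "192.168.10.12") -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Resolve ip; remove its /30 from On_Premise and resolve again; then add the
    /30 to Student as the hint suggests and resolve a third time."""
    h = build_exercise_hierarchy()
    before = h.lookup(ip)
    h.remove("Default", "QRadar.Managed_Hosts.On_Premise", "192.168.10.12/30")
    after = h.lookup(ip)
    h.add("Default", "QRadar.Clients.Student", "192.168.10.12/30")
    reassigned = h.lookup(ip)
    return before, after, reassigned


if __name__ == "__main__":
    print(before_and_after_removal())
    print(build_exercise_hierarchy().lookup("192.168.10.12", domain="DomainA"))
```

`before_and_after_removal()` returns the On_Premise object, then `None`, then the Student object, which is exactly the sequence the hint has you observe on the offense's Destination IPs field; the same address resolves to the DomainA DatabaseServers object when looked up in DomainA, even though that /24 overlaps the Default ranges.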
Exercise 4 Use DomainA in a Security Profile
1. Navigate to the Admin tab and click the Security Profiles icon in the User Management
section.
8. Select Amsterdam from the list, and click > to move the object to the Assigned Networks list.
12. Click > to move the object to the Assigned Log Sources list.
14. Click the All Domains list and select the Domains List.
15. In the All Domains list, select the DomainA object and click > to move the object to the
Assigned Domains list.
18. Verify that all choices you made in the previous steps are represented in the summary.
19. Click Close.
5. In the Available Dashboards list, select System Monitoring and click Add to add it to the
Selected Dashboard list.
6. Click Save.
7. Click Close.
3. Use the values in the following table to edit the User Details window.
Field              Value
Username           DomainA_User
E-mail             [email protected]
Password           object00
Confirm Password   object00
Description        Exercise
User Role          DomainA
Security Profile   DomainA
4. Click Save.
5. Click Close.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the User Roles icon in the User Management section.
8. In the Available Dashboards list, select System Monitoring and Add it to the Selected
Dashboard list.
9. Click Save.
3. In the Security Profile Name field, type demoprofile.
7. In the All Networks list, select the All object and click > to move the object to the Assigned
Networks list.
11. In the Other group, select all the log sources in the list by using the Shift and left-mouse click
combination.
12. Click > to move the object to the Assigned Log Sources list.
14. Click the All Domains list and select the Domains List.
15. In the All Domains list, select the DomainA object and click > to move the object to the
Assigned Domains list.
18. Verify that all choices you made in the previous steps are represented in the summary.
3. Use the values in the following table to edit the User Details window.
Field              Value
Username           demouser
E-mail             [email protected]
Password           object00
Confirm Password   object00
Description        Exercise
User Role          demorole
Security Profile   demoprofile
4. Click Save.
5. Click Close.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Log Sources icon in the Data Sources section.
5. Click Add.
6. In the Log Source window, enter the values shown in the following table.
Field                    Value
Log Source Name          FSPDC_Demo
Log Source Description   Exercise
Log Source Type          Oracle RDBMS OS Audit Record
Protocol Configuration   Syslog
Log Source Identifier    FSPDC
7. Click Save.
Note: You have just manually added a Log Source for the host FSPDC. You now see two Log Sources
for the FSPDC host in the Log Sources window: one for Microsoft Windows Security Event Log
and another for Oracle RDBMS OS Audit Record. Such a scenario might be necessary if you
are collecting both types of Log Sources from a single host. In this example, a Windows database
server is running Oracle. As long as the combination of log source type, identifier, and protocol
configuration is unique, QRadar allows you to create additional Log Sources for the same source.
Exercise 2 Search for events from a deleted Log Source
1. In the Log Source window, select FSPDC_Demo and click Delete.
2. Click OK.
5. Click Save.
6. On the Student machine desktop, double-click the PuTTY SSH Client icon.
13. Return to the PuTTY CLI. Wait for the sendFSPDC script to terminate.
14. In the QRadar Console, change the View to the Last 15 Minutes.
15. Click the Event Count column and sort in descending order.
16. Verify that the highest number for the Event Count column is above 100.
17. In the Log Sources window, select the FSPDC Log Source and click Delete.
18. Click OK.
20. In the Log Source window, enter the values shown in the following table.
26. Verify that the highest number in the Event Count column equals 1.
30. Right-click the Log Source FSPDC with the LOWEST Count and select Filter on Log Source
is FSPDC.
32. Click the Event Count column and sort in descending order. Verify that the highest count in the
column is higher than 100.
33. Add a filter for Log Source [indexed] Does not equal FSPDC.
34. Verify that the result has not changed compared to the result obtained before you added the
latest filter.
Note: This demonstrates that every time you create a new Log Source, even with the same
identifier, type, and protocol configuration as a deleted log source, the Log Source is assigned a
new index. The only way to select the “old” events from the Log Source FSPDC is by creating a
column-value filter like you did in Step 30.
7. Click Save.
8. Click Continue.
10. Verify that the newly created Log Sources belong to the Demo group.
11. In the Log Sources window, use the Shift key to select all Log Sources with names that start
with Threecom8800SeriesSwitch.
15. Verify that the newly created Log Sources belong to the Other group.
3. Log in to the QRadar Console with username admin and password object00.
4. Navigate to the Admin tab and click the Log Source Extensions icon in the Data Sources
section.
5. Click Add.
6. In the Log Source Extension window, enter the values shown in the following table.
Field           Value
Name            AS400_Demo
Description     Exercise
Use Condition   Parsing Enhancement
7. Click Browse.
Exercise 2 Edit a Log Source Extension
1. On the Student machine desktop, double-click the PuTTY SSH Client icon.
5. Wait 5 minutes.
7. Double-click the first Log Source with a name starting with IBM IMS @ and a status of
Success.
8. In the Edit a log source window, select AS400_Demo for Log Source Extension.
9. Click Save.
12. Click Enable/Disable and make sure the Enabled field changes to false.
14. Double-click the first Log Source with a name starting with IBM IMS @ and a status of
Success.
15. Verify that you can still select a Log Source Extension that has been disabled.
3. Click Delete.
4. Click OK.
6. Double-click the first Log Source with a name starting with IBM IMS @ and a status of
Success.
7. Verify that you cannot select a Log Source Extension.
2. On the Student machine desktop, double-click the PuTTY SSH Client icon.
7. Log in to the QRadar Console with username admin and password object00.
8. Navigate to the Admin tab and click the Log Source Groups icon in the Data Sources section.
10. In the Group Properties window, enter the values shown in the following table.
Field          Value
Name           Linux machines
Description    Exercise
Hint: Click the first LinuxServer record, press the Shift key, and click the last LinuxServer record.
Note: The sendevents script will generate LinuxServer log sources. This takes about 5 minutes.
17. Verify that the LinuxServer machines you selected earlier have disappeared from the Other
group.
19. Verify that the LinuxServer machines you selected earlier have been added to the Linux
machines group.
20. While you have selected the Linux machines group, click New Group.
21. In the Group Properties window, enter the values shown in the following table.
Field          Value
Name           Amsterdam
Description    Exercise
27. Verify that the LinuxServer machines you selected earlier have disappeared from the Linux
machines group.
29. Verify that the LinuxServer machines you selected earlier have been added to the Amsterdam
group.
Exercise 2 Delete a Log Source Group
1. Navigate to the Admin tab and click the Log Source Groups icon in the Data Sources section.
4. Click Remove.
5. Click OK.
6. Click Other.
Note: For information about creating and using Custom Event Properties, refer to Create and
index a custom property through Configure an indexed property to use in rules, starting on
page 3-4.
6. Log in to the QRadar Console with username admin and password object00.
7. Navigate to the Admin tab and click the Custom Event Properties icon in the Data Sources
section.
8. Search for the WinLogonType property by entering the string winlogon in the search field and
clicking the magnifying glass.
11. Verify that the Enabled column value for the WinLogonType property equals False.
12. Return to the Log Activity page and click Add Filter.
13. Verify that you cannot choose the Parameter WinLogonType (custom).
14. Navigate to the Admin tab and click the Custom Event Properties icon in the Data Sources
section.
15. Search for the WinLogonType property by entering the string winlogon in the search field and
clicking the magnifying glass.
2. In the Add Filter window, use the settings in the following table.
Note: Increase the time window if you don’t get any results.
5. Double-click any event. Verify that the WinLogonType (custom) property is listed under the
Event Information.
6. Navigate to the Admin tab and click the Custom Event Properties icon in the Data Sources
section.
7. Search for the WinLogonType property by entering the string winlogon in the search field and
clicking the magnifying glass.
9. Click OK.
10. Double-click the Log Activity page and click Add Filter.
11. In the Add Filter window, use the settings in the following table.
Note: Increase the time window if you don’t get any results.
14. Double-click any event. Verify that the WinLogonType (custom) property is no longer listed
under the Event Information.
Note: The Flow Sources exercise requires access to the Student client.
3. Log in to the QRadar Console with username admin and password object00.
10. In the PuTTY SSH Client CLI, type the following text:
cd /labfiles
./startPcap.sh
11. Wait for the script to start processing the /labfiles/flows/dns1.pcap file.
12. In the QRadar Console, change the following settings on the Network Activity page:
– View: Last 15 Minutes
– Display: Destination Port
15. In the PuTTY CLI, press Ctrl+C to stop the script.
16. Navigate to the Admin tab and click the Flow Sources icon.
18. In the Flow Source Management window, select the Filter String check box.
26. In the PuTTY SSH Client CLI, type the following text:
cd /labfiles
./startPcap.sh
27. In the QRadar Console, change the following settings on the Network Activity page:
– View: Last Interval (auto refresh)
– Display: Application
You will see that flow records are generated only for the Web and FTP applications. When you use an
application name in combination with the port parameter, both the port and the protocol values are checked.
3. Log in to the QRadar Console with username admin and password object00.
4. Click the Admin tab.
6. Click Add.
The Add Scanner window opens.
7. Add the new scanner using the values in the following table.
Field / Option            Setting
Remote Results Max Age    7
CIDR Ranges               0.0.0.0/0
Note: The Remote Results Directory value starts with a forward slash (/). Be sure to clear the
default value before you enter the correct value.
8. Verify that the configuration looks like the one in the following graphic.
9. Click Save.
Exercise 2 Update the scan results file modification date
The Nessus scanner is configured to retrieve results from a scan performed during the last 7 days.
The Nessus result files are stored in the /labfiles/VIS directory on the QRadar SIEM server.
Because these files have a modification date older than 7 days, you must update the modification
date of these files to import the scan results.
1. On the Student machine desktop, double-click the PuTTY SSH Client icon.
2. Click Add.
4. Verify that the configuration looks similar to the one in the following graphic.
5. Click Save.
6. Wait two minutes and verify that the schedule’s Status changes to Complete.
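The commands typed in the PuTTY SSH session to refresh the modification dates are not shown on this page. The following is an added example, not part of the course material, of one way to do it with POSIX find and touch. It assumes the /labfiles/VIS directory and the Remote Results Max Age of 7 days named in the exercise; both are passed as arguments, so the functions can be checked against any directory before being run on the lab server.

```shell
#!/bin/sh
# Added example (not from the course material): refresh the modification
# time of scan result files that are at least "Remote Results Max Age"
# days old so that the next scheduled scanner import picks them up.
# Assumed values: the directory /labfiles/VIS and a max age of 7 days,
# as named in the exercise; both are parameters here.

# list_stale DIR MAX_AGE_DAYS
# Lists regular files under DIR that are MAX_AGE_DAYS or more full days old.
# find's -mtime +N matches files whose age in whole days is greater than N,
# so +(MAX_AGE_DAYS - 1) catches everything at least MAX_AGE_DAYS days old.
list_stale() {
    find "$1" -type f -mtime +"$(( $2 - 1 ))"
}

# count_stale DIR MAX_AGE_DAYS
# Prints the number of stale files; 0 means the import will accept everything.
count_stale() {
    list_stale "$1" "$2" | wc -l | tr -d ' '
}

# refresh_stale DIR MAX_AGE_DAYS
# Sets the modification time of every stale file to now and prints how many
# files were touched. "-exec touch {} +" keeps file names with spaces intact.
refresh_stale() {
    n=$(count_stale "$1" "$2")
    find "$1" -type f -mtime +"$(( $2 - 1 ))" -exec touch {} +
    echo "$n"
}

# Usage on the lab server (assumed paths and values from the exercise):
#   count_stale /labfiles/VIS 7     # how many result files the import would skip
#   refresh_stale /labfiles/VIS 7   # bring them within the 7-day window
```

Run count_stale first to see which files the import would skip, then refresh_stale, then re-run count_stale to confirm it reports 0 before starting the scan schedule. Rewriting timestamps is appropriate for a lab copy of old results; on a production collector the file modification time can be part of the evidence trail, so raising the Remote Results Max Age is the better fix there.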
To verify that assets with vulnerabilities appear on the Assets tab, perform the following steps: