3 Using the QRadar SIEM dashboard
© Copyright IBM Corporation 2013
     Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Objectives
After completing this unit, you should be able to perform the
following tasks:
• Navigate the default dashboard
• Customize dashboards
Lesson 1. Navigating the Dashboard tab
Dashboard overview
• QRadar SIEM shows the Dashboard tab when you log in.
• You can create multiple dashboards.
• Each dashboard can contain items that provide summary and
  detailed information.
• Six default dashboards are available.
• You can create custom dashboards to focus on your security or
  operations responsibilities.
• Each dashboard is associated with a user. Changes that you
  make to a dashboard do not affect the dashboards of other
  users.
Instructor demonstration of the dashboard
Default dashboard
Click a tab to load it. (Screenshot callouts: Tabs; Tables and charts)
QRadar SIEM tabs
Use tabs to navigate the primary QRadar SIEM functions
• Dashboard: The initial summary view
  (Handwritten note: prioritizing incidents)
• Offenses: Displays offenses; list of prioritized incidents
• Log Activity: Query and display events
• Network Activity: Query and display flows
• Assets: Query and display information about systems in your
  network
• Reports: Create templates and generate reports
• Admin: Administrative system management
Other menu options
  The dashboard has the following additional menu options:
  • Preferences
  • Help
  • Logout
Context-sensitive help
Click the question mark in any window to access help for the
current page.
Dashboard refresh
• In the displayed dashboard, events and flows refresh every minute
  unless you click Pause.
• Use the Refresh button to manually refresh the displayed data.
(Screenshot callouts: Pause/Play; Refresh)
Lesson 2. Customizing a dashboard
Dashboard variety
• QRadar SIEM includes the following default dashboards:
 ▪ Application Overview
 ▪ Compliance Overview
 ▪ Network Overview
 ▪ System Monitoring
 ▪ Threat and Security Monitoring
 ▪ Vulnerability Management
• Use multiple dashboards to better organize data
 For example, a single user can have the following dashboards:
 ▪ Databases
 ▪ Critical Applications
 to show log and network activity of these systems.
Creating a custom dashboard
Show Dashboard: Select a dashboard to view.
New Dashboard: Create a new dashboard empty of items.
Add item: Add an item to the dashboard.
Items
Include no more than 15 items on each dashboard.
Managing dashboard items
Click Add Item to place additional objects on the dashboard.
Click the green icon to detach the object from the interface to the desktop.
Click the yellow icon to modify the settings of an object.
Click the red icon to delete an object from the dashboard.
Student exercise
Use the procedures in the Student Exercises Guide to create a new
dashboard.
Summary
Now that you have completed this unit, you should be able to
perform the following tasks:
• Navigate and customize the user interface
• Customize dashboards
4 Investigating an offense triggered by events
Objectives
After completing this unit, you should be able to perform the
following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information:
 ▪ Summary information
 ▪ The details of an offense
• Respond to an offense
Lesson 1. Offenses overview
Introduction to offenses
• QRadar SIEM's prime benefit for security analysts is that it
  detects suspicious activities and ties them together into
  offenses.
• An offense represents a suspected attack or policy breach.
  Some common offenses include these examples:
 ▪ Multiple login failures
 ▪ Worm infection
 ▪ P2P traffic
 ▪ Scanner reconnaissance
• Treat offenses as security incidents and have a security analyst
  investigate them.
Creating and rating offenses
• QRadar SIEM creates an offense when events, flows, or both
  meet the test criteria specified in changeable rules that
  analyze the following information:
 ▪ Incoming events and flows
 ▪ Asset information
 ▪ Known vulnerabilities
• QRadar SIEM's magistrate rates each offense by its
  magnitude, which has these characteristics:
 ▪ Ranges from 1 to 10, with 1 being low and 10 being high
 ▪ Specifies the relative importance of the offense
Lesson 2. Using summary information to investigate an offense
Instructor demonstration of offense parameters
This demonstration uses an offense that alerts to a suspected
ICMP scanner as an example. Investigating this kind of offense
is a typical part of a security analyst's job.
Selecting an offense to investigate
Offenses are listed in these locations:
• In Dashboard items
• In the Offense Manager on the Offenses tab
Offense Summary window
The offense summary displays information about the ICMP scanning
offense.
The remainder of the unit examines the window sections in the same
way as the security analyst does to investigate an offense.
Offense parameters (1 of 4)
Investigating an offense begins with the parameters at the top of
the offense summary window:
Magnitude: Relative importance of the offense, as calculated from
relevance, severity, and credibility.
Relevance: How important is the destination? 50% of magnitude.
Severity: How high is the potential damage to the destination? 30% of magnitude.
Credibility: How valid is information from that source? 20% of magnitude.
Offense parameters (2 of 4)
Offense Type: General root cause of the offense. The offense type
determines which information is displayed in the next section of the
Offense Summary.
Description: Reflects the causes for the offense. The description can
change when new events or flows are associated with the offense.
Event count: Number of events associated with this offense.
Flow count: Number of flows associated with this offense.
Offense parameters (3 of 4)
Source IP(s): Origin of the ICMP scanning.
Destination IP(s): Targets of the ICMP scanning.
Start: Date and time when the first event or flow associated with the
offense was created.
Duration: Amount of time elapsed since the first event or flow
associated with the offense was created.
Offense parameters (4 of 4)
Network(s): Local network(s) of the local Destination IP(s) that have
been scanned.
Assigned to: QRadar SIEM user assigned to investigate this offense.
Offense Source Summary (1 of 4)
To the security analyst, the Offense Source Summary provides
information about the origin of the ICMP scanning.
IP: Origin of the ICMP scanning.
Location: Network of the source IP address if it is local.
Magnitude: Indication of the level of risk an IP address poses
relative to other IP addresses.
Vulnerabilities: A known vulnerability of a local host may have been
exploited, turning it into an attacker.
Offense Source Summary (2 of 4)
When you right-click the IP, you see navigation options for
further investigation.
Offense Source Summary (3 of 4)
Port Scan: Nmap scans the IP address.
Search Flows: Find flows associated with the IP address.
WHOIS Lookup: Find the registered owner of the IP address.
Offense Source Summary (4 of 4)
Weight: Relevance of the source IP address.
Offenses: Number of offenses associated with this source IP address.
Events/Flows: Number of events and flows associated with this offense.
Lesson 3. Investigating offense details
Notes
QRadar SIEM users can add notes to offenses.
• You cannot edit or delete notes.
• The maximum length is 2000 characters.
Notes: View all notes of the offense.
Add Note: Create a new note.
Top 5 Source IPs (1 of 2)
QRadar SIEM lists the five IP addresses with the highest magnitude,
from which the suspected attack or policy breach originates.
Location: Hover the mouse over a shortened field value to display the
full value.
Sources: View all source IP addresses of the offense.
Note: The example offense has only one source IP address. Therefore,
the table contains only one row.
Top 5 Source IPs (2 of 2)
Right-click anywhere on the row to view more information about
the source IP address.
Destinations: List all destination IP addresses targeted by the
source IP address.
Offenses: List all offenses for which the source IP address is the
source or destination IP address.
Top 5 Destination IPs
QRadar SIEM lists the five local IP addresses with the highest
magnitude, which were targets of the ICMP scan.
Chained: Indicates whether the destination IP address is the source
IP address in another offense.
Destinations: View all destination IP addresses of the offense.
Destination IP: Hover the mouse over the asset name or IP address to
display further information.
Note: In this example, only two local IP addresses were scanned.
Therefore, the table contains only two rows.
Top 5 Log Sources
A firewall provided the log messages about firewall denies. This
firewall is the major log source of the ICMP scanner offense.
Events: Number of events sent by the log source contributing to the
offense.
Log Sources: View all log sources contributing to the offense.
Custom Rule Engine: QRadar SIEM's CRE creates events and adds them to
offenses.
Offenses: Number of offenses related to the log source.
Total Events: Sum of all events received from this log source while
the offense is active.
Top 5 Users
QRadar SIEM lists the five users with the most events
contributing to the offense.
Users: View all users associated with the offense.
Note: In this example, QRadar SIEM did not receive an event with user
information and therefore does not list a user.
Top 5 Categories (1 of 2)
QRadar SIEM categorized most events into the Firewall Deny category.
From this categorization and the nature of the events, rules deduced
the ICMP scanning.
Categories: View all low level categories of the events contributing
to the offense.
Name: Low level category of the event.
Local Destination Count: Number of local destination IP addresses
affected by offenses with events in this category.
Top 5 Categories (2 of 2)
Right-click anywhere on the row to view events and flows.
Events: List all events that contribute to the viewed offense in the
category under the mouse pointer.
Flows: List all flows that contribute to the viewed offense in the
category under the mouse pointer.
Last 10 Events
Double-click anywhere on a row to open a window with details
about the event.
Events: View all events that contribute to the offense.
Dst Port: The destination port is 0 for layer 3 protocol traffic such
as ICMP.
Last 10 Flows
No flows contributed to the ICMP scanner offense. Therefore,
QRadar SIEM does not list any flows.
Flows: View all flows that contribute to the offense.
Total Bytes: Sum of bytes transferred in both directions.
Annotations
• Annotations provide insight into why QRadar SIEM considers
  the event or observed traffic threatening.
• QRadar SIEM can add annotations when it adds events and
  flows to an offense.
• Read the oldest annotation because it was added when the
  offense was created.
Annotation: Hold the mouse over a shortened annotation to show the
full annotation.
Annotations: View all annotations of the offense.
Offense Summary toolbar
At the top of the Offense Summary, the toolbar offers direct links to
the information that you just investigated.
Summary: View the Offense Summary.
Display: View offense information introduced on previous slides.
Events: View all events contributing to the offense.
Flows: View all flows contributing to the offense.
Lesson 4. Acting on an offense
Offense actions
After investigating an offense, click Actions at the top of the Offense
Summary page to set flags and status.
Follow up: Choose if you want to revisit the offense.
Hide: Use with caution because QRadar SIEM still updates the offense.
Alarming updates can stay hidden.
Protect Offense: Prevent QRadar SIEM from deleting the offense.
Close: When you have resolved the offense, close it.
Offense status and flags
Status: Protected, Inactive, Closed.
Icons indicate: Follow up, Notes, Assigned.
The actions available depend on the status of the offense.
Unprotect Offense: Allow QRadar SIEM to delete this protected offense.
Student exercise
Use the procedures in the Student Exercises Guide to investigate the
local DNS scanner offense.
Summary
Now that you have completed this unit, you should be able to
perform the following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information:
 ▪ Summary information
 ▪ The details of an offense
• Respond to an offense
5 Investigating the events of an offense
Objectives
When you complete this unit, you can perform the following
tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search
• Add a search to the dashboard
Lesson 1. Investigating event details
Navigating to the events
In the Offense Summary, click Events to open the list of events.
Events: View all events that contribute to the offense.
List of events
(Screenshot callouts:)
Hide graphical charts.
View event details by double-clicking a row.
Event details: Base information
Event information: Similar to the offense parameters.
Source and Destination information: Most fields do not matter for
this particular event because NAT and IPv6 were not used.
Event details: Reviewing the raw event
Each normalized event carries its raw event as the payload.
(Handwritten note: it contains the information as it came from the
source.)
Review the raw event for information that QRadar SIEM has not
normalized into fields, which therefore does not display in the UI.
An example is the firewall profile name Atlantis.
Event details: Additional details
Protocol: Network protocol.
QID: The QID determines the name, low-level category, and high-level
category of an event.
Log Source: This log source provided the raw event that QRadar SIEM
normalized into this event.
Event Count: Number of raw events bundled into this normalized event.
Returning to the list of events
After investigating the event details, click Return to Event List,
in the top left corner of the event details window, to return to the
event list.
Return to Event List: Navigate back to the list of events for the
offense.
Offense: Navigate to the offense to which the event contributes.
Lesson 2. Using filters to investigate
events
Filtering events (1 of 3)
• In the list of events, you can use filters to explore the offense
  further.
• Most events in this offense are Firewall Deny.
• Because other events provide more insight, right-click the
  event name to filter for events that are not Firewall Deny.
Filtering events (2 of 3)
By filtering Firewall Deny events, you can focus on events that
do not originate from the firewall.
QRadar SIEM's Custom Rule Engine (CRE) created the events
in this list to alert you to suspicious activity.
Filtering events (3 of 3)
Clear Filter: Click to view the Firewall Deny events again.
Unlike searches, filters do not query each event processor.
Applying a Quick Filter to the payload
• The payload of an event contains the raw event that mentions
  the firewall profile that denied the connection.
• To verify that the company's main profile, Atlantis, was always
  active, filter events without profile: Atlantis in the payload.
Quick Filter: Filter for events that do not contain profile: Atlantis
in the payload.
Clear Filter: Click to view all events of the offense again.
Using another filter option
• You can use each event field as a filter.
• To create a filter, in the top menu bar, click the icon.
Lesson 3. Using grouping to investigate
events
Grouping events
Display: Explore the events further by grouping them. For example,
group them by their Low Level Category.
Default (Normalized): By default, QRadar SIEM shows normalized events
without grouping.
Raw Events: Instead of grouping, QRadar SIEM shows the raw events
stored in the payload of each normalized event.
Grouping events by low-level category
Grouping By: QRadar SIEM shows the currently selected grouping above
the filters. All events are aggregated by their low-level category.
In this example, exploring by grouping indicates a second protocol.
Protocol: Some events recorded an additional protocol. Click
Multiple (2).
Grouping events by protocol
In the Protocol column, click Multiple (2) to open a window with
events grouped by protocol. You learn that the firewall denied
udp_ip in addition to icmp_ip.
Grouping By: Now QRadar SIEM groups by Protocol.
Current Filters: The previous grouping, Low Level Category, became a
filter.
Removing grouping criteria
Display: Group by Default (Normalized) to remove the grouping by Low
Level Category.
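The filter and grouping steps of Lessons 2 and 3 (exclude Firewall Deny, Quick Filter the payload for "profile: Atlantis", group by low-level category, then drill into a group so that the grouping becomes a filter and the events are re-grouped by protocol) as an added Python example; it is not part of the course material or a QRadar API. The events, the log source name fw01, the profile name Lab and the CRE event names are constructed sample data.

```python
"""Triage helpers that mirror the QRadar event-list workflow from the slides.

All events are constructed sample data (not QRadar output); the field names
loosely follow the event details shown in the slides and the payload holds
the raw event text that QRadar would keep unnormalized.
"""
from collections import Counter

SCANNER = "10.0.0.25"  # constructed source IP of the suspected ICMP scanner


def _fw_deny(dst, proto, dst_port, profile):
    """Build one constructed Firewall Deny event with its raw payload."""
    return {
        "name": "Firewall Deny",
        "low_level_category": "Firewall Deny",
        "protocol": proto,
        "source_ip": SCANNER,
        "destination_ip": dst,
        "dst_port": dst_port,  # 0 for layer 3 traffic such as ICMP
        "payload": f"fw01 deny {proto} {SCANNER} -> {dst}:{dst_port} profile: {profile}",
    }


def _cre_event(dst):
    """Build one constructed event created by the Custom Rule Engine."""
    return {
        "name": "Potential ICMP Scan",
        "low_level_category": "Suspicious Activity",
        "protocol": "icmp_ip",
        "source_ip": SCANNER,
        "destination_ip": dst,
        "dst_port": 0,
        "payload": f"CRE rule 'ICMP scan' fired: {SCANNER} probed {dst}",
    }


# Constructed offense: mostly ICMP denies, one UDP deny, one deny that the
# main profile did not handle, and two CRE alerts.
EVENTS = [
    _fw_deny("10.0.1.10", "icmp_ip", 0, "Atlantis"),
    _fw_deny("10.0.1.11", "icmp_ip", 0, "Atlantis"),
    _fw_deny("10.0.1.12", "icmp_ip", 0, "Atlantis"),
    _fw_deny("10.0.1.13", "icmp_ip", 0, "Lab"),
    _fw_deny("10.0.1.14", "icmp_ip", 0, "Atlantis"),
    _fw_deny("10.0.1.10", "udp_ip", 53, "Atlantis"),
    _cre_event("10.0.1.10"),
    _cre_event("10.0.1.11"),
]


def keep(events, field, value):
    """Right-click 'filter' on a field: keep events whose field equals value."""
    return [e for e in events if e.get(field) == value]


def exclude(events, field, value):
    """Right-click 'filter not' on a field: keep events whose field differs."""
    return [e for e in events if e.get(field) != value]


def quick_filter_missing(events, needle):
    """Quick Filter on the payload: keep events whose raw payload lacks needle."""
    return [e for e in events if needle not in e["payload"]]


def group_by(events, field):
    """Display > group by field: aggregate events into per-value counts."""
    return dict(Counter(e.get(field) for e in events))


def drill_into(events, group_field, group_value, next_field):
    """Clicking a group turns the grouping into a filter and re-groups by next_field."""
    return group_by(keep(events, group_field, group_value), next_field)


def icmp_ports_are_zero(events):
    """Consistency check from the slides: ICMP events carry Dst Port 0."""
    return all(e["dst_port"] == 0 for e in events if e["protocol"] == "icmp_ip")


def triage(events):
    """Run the slide workflow and return each intermediate result by name."""
    firewall = keep(events, "name", "Firewall Deny")
    return {
        "non_firewall": exclude(events, "name", "Firewall Deny"),
        "without_atlantis": quick_filter_missing(events, "profile: Atlantis"),
        "firewall_without_atlantis": quick_filter_missing(firewall, "profile: Atlantis"),
        "by_category": group_by(events, "low_level_category"),
        # Protocol column shows "Multiple (2)" when this has two keys.
        "firewall_by_protocol": drill_into(events, "low_level_category", "Firewall Deny", "protocol"),
    }


if __name__ == "__main__":
    for step, result in triage(EVENTS).items():
        print(step, result if isinstance(result, dict) else len(result))
```

The one Firewall Deny event that is left after the Quick Filter is the deny handled by a profile other than Atlantis, which is exactly the condition the slide's verification step is looking for.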
Viewing a range of events
If events are still being added to the offense under investigation,
view them:
• Real Time (streaming): Shows events as they arrive at the
   Event Processor (EP). Grouping and sorting are not available.
• Last Interval (auto refresh): Shows the last minute of events.
   Refreshes automatically after 1 minute.
(Screenshot callouts: Pause/Play; Refresh)
Lesson 4. Saving a search
Monitoring the scanning host (1 of 3)
The event list always displays search results. To view traffic to
and from the scanning host, edit this search, save it, and add it
to the dashboard.
Clear Filter: To monitor all traffic, remove the offense filter.
Filter: Right-click the Source IP to filter.
Monitoring the scanning host (2 of 3)
View: List events of the last 24 hours.
Display: Group by High Level Category.
Monitoring the scanning host (3 of 3)
Now the screen shows the selected time range, grouping, and filtering.
Save Criteria: Save the criteria of the current search.
Save Results: Save the results of the current search.
Saving search criteria
Save the search with the criteria specified.
• Prepend the name with your department name or initials for easy
  identification.
• Assign the search to a group.
• Optionally set it as the default search for the Log Activity tab.
• An option allows you to add the search as an item to a dashboard.
Event list using the saved search
Using Search: The event list shows the result of the saved search.
Lesson 5. Modifying saved searches
About Quick Searches
When you select Include in my Quick Searches when saving a search,
QRadar SIEM lists the saved search in the predefined Quick Searches
list.
Using alternative methods to create and edit searches
• Most predefined saved searches are not listed under Quick
  Searches.
• To find, use, and edit saved searches, select Search in the top
  menu bar.
New Search: Load a saved search. Edit the loaded search or create a
new search.
Edit Search: The Event List is the result of a search. Edit this
current search or edit another saved search.
Manage Search Results: QRadar SIEM stores the result from each search
for 24 hours. You can revisit, save, or delete results.
Finding and loading a saved search
If you select New Search or Edit Search, the Event Search
window opens.
Type Saved Search: To find saved searches easily, type your
department name, if you prepended your saved searches with it.
Search actions
Show All: Clear all filters.
Delete: Delete the result of the currently displayed search.
Export: You can resend exported events as raw events to QRadar SIEM.
Notify: Send an email when the search in progress finishes.
Lesson 6. Adding a search to the dashboard
Adding a saved search as a dashboard item
To watch the scanning IP address from the dashboard, add the
saved search as a dashboard item.
Note: This screen capture shows the Dashboard tab.
Saving a search as a dashboard item
You can add only grouped searches as dashboard items.
Settings button: Modify the settings of an item.
Last Minute: Unless time series data is captured, the dashboard item
shows only the result of the last 1-minute interval.
View in Log Activity: Show the saved search with a 24-hour time range
on the Log Activity tab.
Enabling time series data
Capture Time Series Data: Select to accumulate time series data to
count events, and click Save.
• Capturing time series data means that QRadar SIEM counts incoming
  events according to your search criteria, grouping, and chosen
  value to graph.
• Most of the predefined searches capture time series data.
• Capturing time series data can affect QRadar SIEM's performance
  negatively.
Selecting the time range
Value to Graph: The asterisk (*) indicates that QRadar SIEM
accumulates time series data for this value.
Time Range: Select Last 24 Hours.
Displaying 24 hours in a dashboard item
Accumulation began: QRadar SIEM started accumulating time series data
on this date at this time.
A third high-level category now shows.
Potential Exploit: This third high-level category does not have
enough events to display in a bar chart.
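The difference between a Last Minute dashboard item and a Last 24 Hours item with time series capture, modelled in Python as an added example (not course material and not QRadar code). The IP address, category names and events are constructed, and counting into 1-minute buckets from the moment accumulation began is an assumption about how the accumulator behaves.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Saved-search criteria as in the deck: filter on the scanning host's Source IP,
# group by High Level Category. The IP address and all events are constructed.
SCANNING_HOST = "10.0.0.99"

def matches(event):
    # Filter step of the saved search.
    return event["sourceip"] == SCANNING_HOST

def last_interval_counts(events, now):
    """Item without time series data: only the last 1-minute interval, grouped."""
    start = now - timedelta(minutes=1)
    return Counter(e["category"] for e in events
                   if matches(e) and start <= e["time"] < now)

class TimeSeriesAccumulator:
    """Item with Capture Time Series Data: every incoming event is tested against
    the criteria and counted into a 1-minute bucket per group, from 'began' on."""
    def __init__(self, began):
        self.began = began
        self.buckets = defaultdict(Counter)  # bucket start -> counts per group

    def ingest(self, event):
        if event["time"] >= self.began and matches(event):
            bucket = event["time"].replace(second=0, microsecond=0)
            self.buckets[bucket][event["category"]] += 1

    def counts_over(self, now, hours=24):
        """Last 24 Hours view: events from before 'began' cannot appear."""
        total = Counter()
        for bucket, counts in self.buckets.items():
            if now - timedelta(hours=hours) <= bucket < now:
                total.update(counts)
        return total

def demo():
    now = datetime(2013, 6, 1, 12, 0)
    ev = lambda ago, ip, cat: {"time": now - ago, "sourceip": ip, "category": cat}
    events = [  # constructed sample events, oldest first
        ev(timedelta(hours=5), SCANNING_HOST, "Recon"),  # before accumulation began
        ev(timedelta(hours=1), SCANNING_HOST, "Recon"),
        ev(timedelta(minutes=5), SCANNING_HOST, "Potential Exploit"),
        ev(timedelta(seconds=20), SCANNING_HOST, "Recon"),
        ev(timedelta(seconds=10), "10.0.0.7", "Recon"),  # other host, filtered out
    ]
    acc = TimeSeriesAccumulator(began=now - timedelta(hours=2))
    for e in events:
        acc.ingest(e)
    return last_interval_counts(events, now), acc.counts_over(now)
```

The Recon event from five hours ago lies inside the 24-hour window but before accumulation began, so it never reaches the chart; this is why the Accumulation began timestamp matters when reading the item.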
Modifying items in the chart type table
Chart Type: Table: To view all high-level categories, select the
chart type Table.
Chart Type: Time Series: To view trending of data, select the chart
type Time Series.
Potential Exploit: Two events of high-level category Potential Exploit.
Student exercises
Use the procedures in the Student
Exercises Guide to perform these tasks:
• Look for events contributing to an
  offense
• Save search criteria and search results
• Investigate event details
Summary
Now that you have completed this unit, you should be able to
perform the following tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search
• Add a search to the dashboard