Qradar

Uploaded by Noor aldeen

SOC: centralized location to monitor, detect, and defend against cyber attacks

Goal: reduce risk and improve security


SIEM: Security Information and Event Management
Benefits:
 Collect events and security information (logs, traffic, threat data)
 Correlate data
 Real-time alerts
 Reporting
QRadar information sources
 Logs >> OS, firewall, proxy, …
 Flows >> network, NetFlow, QFlow
 Watch lists >> blacklists
 Threat intelligence >> IBM X-Force
 Asset information
QRadar components
 Event/Flow Collector
 Event/Flow Processor
 Console
 Data Node
An event is a record from a device that describes an action on a network or host.
Event Collectors receive raw events as log messages from a wide variety of
external log sources.
The Event Collector gathers events from local and remote sources. It normalizes
events and classifies them into low- and high-level categories. The Event
Collector also bundles identical events to conserve system resources through a
process known as coalescing (merging).
Event collectors use traffic analysis to discover which kind of device a log source
is, provided that a Device Support Module (DSM) for that kind of device is
installed. In addition, the DSM for a device specifies how to map and normalize
the device's raw events.
Device Support Modules (DSMs) in the event collectors parse and normalize raw
events; the raw log messages remain intact.
Event Processors receive the normalized events and raw events to analyze and
store them. An Event Processor processes events from the Event Collectors as
well as flow data, and correlates the information. The Event Processor examines
the information gathered by QRadar SIEM to indicate behavioral changes or
policy violations. Rules are applied to the events to search for anomalies.
Data Nodes provide additional storage for event and flow data.
Magistrate (console): correlates data from the event processors and creates
offenses.
A flow is a record of a conversation between two devices on a network.
A network flow record provides information about a conversation between two
devices using a specific protocol and can include many fields that describe the
conversation, for example the source IP, the destination IP, and the port.
QFlow Collectors read packets from the wire or receive flows from other devices.
They convert all gathered network data into flow records, similar to normalized
events; these include details such as when, who, how much, protocols, and
options.
QRadar uses QVM (QRadar Vulnerability Manager) to provide an active scanner
on all event and flow collectors and processors; QVM tracks Common
Vulnerabilities and Exposures (CVE).
Incident investigation process
 Monitor
 Triage
 Basic investigation
 Deep investigation
 Remediation
 Closure

QRadar SIEM Functions


•Dashboard: The initial summary view; a dashboard can display table, bar, pie,
and time-series charts
•Offenses: Displays offenses; list of prioritized incidents
•Log Activity: Query and display events
•Network Activity: Query and display flows
•Assets: Query and display information about systems in your network
•Reports: Create templates and generate reports
•Admin: Administrative system management
•User Preferences: Users can change their password here if they authenticate
with the local system authentication of QRadar SIEM. Users cannot change the
password here if QRadar SIEM uses RADIUS, TACACS, Active Directory, or
LDAP for their authentication.
In most deployments, the user admin authenticates with the local system
authentication of QRadar SIEM even if other users use external authentication.
Therefore, user admin usually can change his or her password in the User
Preferences of QRadar SIEM.
QRadar SIEM includes the following default dashboards:
Application Overview
Compliance Overview
Network Overview
System Monitoring
Threat and Security Monitoring
Virtual Cloud Infrastructure
Vulnerability Management
QRadar SIEM correlates events and flows into an offense when it suspects
suspicious activity.
An offense represents a suspected attack or policy breach; some common offenses
include:
1. Multiple login failures
2. Worm infection
3. P2P (peer-to-peer) traffic
4. Scanner reconnaissance
Some of the most common offenses that a typical security analyst
investigates:
1. Clear Text Application Usage
2. Remote Desktop Access from the Internet
3. Connection to a remote proxy or anonymization service
4. SSH or Telnet detected on Non-Standard Port
5. Large Outbound Transfer
6. Communication to a known Bot Command and Control
7. Local IRC Server detected
QRadar SIEM creates an offense when events, flows, or both meet the test
criteria specified in changeable rules that analyze the following information:
1. Incoming events and flows
2. Asset information
3. Known vulnerabilities
Offense parameters

 Magnitude: Prioritizes offenses by importance (0-10)
 Status: Status of the offense (open or closed)
 Relevance: Indicates the importance of the destination. Less important
areas of the network have a lower relevance. QRadar SIEM determines the
relevance by the weight of networks and assets. QRadar SIEM administrators
configure the weight in the network hierarchy, remote networks, remote
services, and asset profiles.
 Severity: Indicates the amount of threat an attack poses in relation to the
vulnerability of the destination.
 Credibility: Indicates the reliability of the witness. Credibility
increases if multiple sources report the same attack. QRadar SIEM
administrators configure the credibility rating of log sources.
 Description
 Offense Type: The rule that created the offense determines one of the
following offense types (that is, what led to the offense):
• Event Name • Source/Destination IP • Source/Destination MAC Address
• Username • Source/Destination Port • Log Source • Host Name
• Destination IPv6 • Source IPv6 • Rule • Source ASN • Destination ASN
• Source IP Identity • App ID
 Event count: Number of events associated with this offense
 Flow count: Number of flows associated with this offense
 Source and destination IP
 Start: Date and time when the first event or flow associated with the offense
was created
 Duration: Amount of time elapsed since the first event or flow associated with
the offense was created
 Network(s): Local networks of the local destination IPs that have been
scanned
 Assigned to: QRadar SIEM user assigned to investigate this offense

Offense source summary

WHOIS Lookup: Find registered owner of the IP address.

Search Events: find events that are associated with the IP address.

Search Flows: Find flows associated with the IP address

Asset Profile

Port Scan: Nmap scans the IP address

-QRadar SIEM runs the command nmap -A for the IP address. All QRadar SIEM
7.2 installations include Nmap.
-QRadar SIEM displays the Nmap scan results in a pop-up window. In addition to
open ports and services, Nmap detects operating system versions and a
few potential vulnerabilities, such as anonymous FTP login. However, Nmap
does not check for vulnerabilities that are provided by threat intelligence feeds.

Offenses: Number of offenses associated with this source IP address

Events/Flows: Number of events and flows associated with this offense

Weight: Relevance of the source IP address, as defined by QRadar SIEM
administrators, in the asset profile. If no asset profile exists, the weight of the
network hierarchy, remote network, or remote service determines the weight of
the source IP address. The field in the user interface shows 0 in that case.

User: User that is associated with this Src IP address. If no user is identified,
shows Unknown.

MAC

Host Name

Asset Name

* Top 5 Source IPs: QRadar SIEM lists the five source IP addresses with the highest
magnitude; these are where the suspected attack or policy breach originates
Sources: View all source IP addresses of the offense

Destinations: List all destination IP addresses targeted by the source IP address

Offenses: List all offenses for which the source IP address is source or
destination IP address

Top 5 Dest IPs

Chained: Indicates whether the destination IP address is the source IP address
in another offense

Destinations: View all destinations IP addresses of the offense

Magnitude: The column displays the Aggregate CVSS Score if this value exists.
If it does not exist, the column displays the highest offense magnitude of all the
offenses that the IP address is a part of.
Destination Magnitude: The bar displays the Aggregate CVSS Score if this
value exists. If it does not exist, a zero (0) is displayed.

* Top 5 Log Sources: In the example, a firewall provided the log messages about
firewall denies; this firewall is the major log source of the ICMP scanner offense

Custom Rule Engine: The QRadar SIEM CRE creates events and adds them to
offenses
Events/flows: Number of events sent by the log source contributing to the
offense

Offenses: Number of offenses related to the log source

Total Events: Sum of all events received from this log source while the offense
is active

Log Sources: View all log sources contributing to the offense

* Top 5 Categories: QRadar SIEM classifies offenses into categories.
Categories cannot be added, deleted, or renamed.

Rules that are applied by the Custom Rules Engine (CRE) noticed the suspicious
Firewall Deny events. As an action of the rules, the CRE created the events in
the Network Sweep and ICMP Reconnaissance categories, and created the
ICMP scanner offense that ties these events together.

Categories: View all low-level categories of the events contributing to the
offense
Local Destination Count: Number of local destination IP addresses affected by
offenses with events in this category, shows 0 if all destination IP addresses are
remote.

Events/Flows: Shows the number of events per low-level category that
contributed to the offense.

Events: List all events that contribute to the viewed offense in the category under
the mouse pointer
Flows: List all flows that contribute to the viewed offense in the category under
the mouse pointer
Annotations provide insight into why QRadar SIEM considers the event or
observed traffic threatening.
QRadar SIEM can add annotations when it adds events and flows to an offense.
QRadar SIEM users cannot add, edit, or delete annotations.

Offense Summary toolbar: provides direct links to the information that you just
investigated:
Summary
Display
Events
Flows

*Offense Actions and Status

The actions available depend on the status of the offense.
Status and actions: Protected, Follow up, Inactive, Notes, Closed, Assigned
Event details: Event Information, Source and Destination Information.
Event filter:

Quick Filter

Add Filter

Saving a search

Modifying saved searches


You can use the Manage Search Results option to complete the following tasks:
•Save results for auditing or forensics
•Delete previously saved search results
•Cancel long-running searches
•Send an email when the search in progress finishes

How QRadar SIEM processes searches


Searches run concurrently in the background. The maximum number of
concurrent searches depends on the search and the appliance in use.
Subsequent searches above the maximum number are queued. Details of the
three search queues are as follows:
•The low-priority queue includes searches that generate reports.
•The normal-priority queue includes searches created by users.
•The high-priority queue includes searches for dashboard items such as graphs
and searches for the view Last interval (auto refresh).

Capturing time-series data means that QRadar SIEM counts incoming events
according to your search criteria, grouping, and chosen value to graph
• Most of the predefined searches capture time-series data
• Capturing time-series data can negatively affect the performance of QRadar
SIEM

Value to Graph
•Count: Number of events before coalescing bundles several raw events
into one normalized event.
•Event Count: Number of events after coalescing has bundled several raw events
into one normalized event.
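As an added example (not from the original notes or from IBM's code) of the coalescing described under Event Collectors, and of how the raw and normalized event counts above diverge: a small Python routine that bundles identical raw events. The coalescing key (source IP, destination IP, destination port, username, event name) and the 10-second window are simplifying assumptions, and RAW_EVENTS is constructed sample input.

```python
# Constructed sample raw events (not from the page); timestamps are in seconds.
RAW_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "user": "bob",
     "name": "Firewall Deny", "payload": "deny tcp 10.0.0.5 -> 192.0.2.10:22"},
    {"ts": 102, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "user": "bob",
     "name": "Firewall Deny", "payload": "deny tcp 10.0.0.5 -> 192.0.2.10:22"},
    {"ts": 105, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "user": "bob",
     "name": "Firewall Deny", "payload": "deny tcp 10.0.0.5 -> 192.0.2.10:22"},
    {"ts": 108, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "user": "bob",
     "name": "Firewall Deny", "payload": "deny tcp 10.0.0.5 -> 192.0.2.10:22"},
    {"ts": 110, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 23, "user": "bob",
     "name": "Firewall Deny", "payload": "deny tcp 10.0.0.5 -> 192.0.2.10:23"},
    {"ts": 125, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "user": "bob",
     "name": "Firewall Deny", "payload": "deny tcp 10.0.0.5 -> 192.0.2.10:22"},
]

# Assumption: events are "identical" when these fields match and they arrive
# within WINDOW_SECONDS of the first event of the bundle.
COALESCE_KEY = ("src", "dst", "dport", "user", "name")
WINDOW_SECONDS = 10


def coalesce(events):
    """Bundle identical raw events into normalized events.

    Each normalized event carries event_count (how many raw events it stands
    for) and keeps the first raw payload intact, as the Event Collector does.
    """
    normalized = []
    open_bundles = {}  # coalescing key -> index of the bundle in `normalized`
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[f] for f in COALESCE_KEY)
        idx = open_bundles.get(key)
        if idx is not None and ev["ts"] - normalized[idx]["first_ts"] <= WINDOW_SECONDS:
            normalized[idx]["event_count"] += 1   # bundled: not stored again
            normalized[idx]["last_ts"] = ev["ts"]
            continue
        record = {f: ev[f] for f in COALESCE_KEY}
        record.update(first_ts=ev["ts"], last_ts=ev["ts"], event_count=1,
                      payload=ev["payload"])
        normalized.append(record)
        open_bundles[key] = len(normalized) - 1   # start (or restart) a bundle
    return normalized


def count_summary(events):
    """Raw event count versus normalized event count after coalescing."""
    normalized = coalesce(events)
    return {"raw_events": len(events),
            "normalized_events": len(normalized),
            "bundled_counts": [r["event_count"] for r in normalized]}


if __name__ == "__main__":
    print(count_summary(RAW_EVENTS))
```

The sixth event shares the key of the first bundle but falls outside the window, so it starts a new normalized event rather than inflating the old one.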

Chart type
Table: to view all high-level categories.
Time Series: to view trends in the data
Potential Exploit: two events in this high-level category (in the example).
Payload contains: raw events

Assets
An asset is any type of system or host in the network.
The asset profiles of QRadar SIEM store security-relevant data about systems in
your network.
Asset profiles store a wealth of information about the system resources, such
as:
Name, IP addresses, MAC addresses, operating system, vulnerabilities,
services, other resource information
• Use asset profiles to investigate each source and destination IP address of an
offense

Creating asset profiles


• QRadar SIEM automatically creates and updates asset profiles for systems found in
these locations:
• DHCP, DNS, VPN, proxy, firewall NAT, and wireless access point logs
• Passively gathered bidirectional flows
• Vulnerability data provided by active scanners
Only flows and vulnerability data add and update information about ports, services, and
products in asset profiles.
• QRadar SIEM administrators can create assets by using these methods:
• Manually in the user interface
• By importing a CSV file in this format: IP address, Name, Weight (1-10),
Description. Administrators can use the REST API to import other properties.
QRadar SIEM administrators can delete asset profiles. A deleted asset profile is recreated if an active
scanner finds the system or QRadar SIEM detects it in flow data.

Navigating Assets
From an offense: you can navigate to the asset profile of any
source or destination IP address
1. Right-click the IP address or asset name
2. Click Information > Asset Profile

From Assets tab

•Asset Profiles: If a system has two IP addresses on two different networks and a
QRadar SIEM user is granted permission to view only one of the networks, the user will
not see the system's asset profile at all.
•Server Discovery: QRadar SIEM administrators can discover different server types,
such as mail, web, and Windows servers. QRadar SIEM classifies a server of a specific
type if one or more open ports match the standard port for that server type. QRadar
SIEM does not probe open server ports but uses the passively gathered network flows
to determine open ports.
•VA Scan: QRadar SIEM administrators can schedule active scans for vulnerability
assessments (VA) of systems on the network.

From Asset summary: Double-click an asset to open the asset details


Aggregate CVSS Score: Level of concern about this asset in comparison to others
The asset Weight measures the importance of the asset. The levels range from 0 (not
important) to 10 (very important).
Assets Vulnerabilities: Verify the vulnerabilities of the asset to determine whether
the investigated offense is a concern
Severity: Payment Card Industry (PCI) severity level
Risk: Threat level (warning-low-medium-high)
Risk Score: Level of concern about this vulnerability in comparison to others

Services
Last Seen Passive: Services detected in passively gathered network flows
Last Seen Active: Services detected actively by scanners.
The vulnerabilities count is always 0 for open ports with unknown services.
Products

Viewing and grouping flows


A flow provides information about network communication between two systems.
A flow can include information about the conversation, such as
 Source and destination IP address
 Transport protocol
 Source and destination port
 Application information
 Traffic statistics
 Quality of service
 Packet payload from unencrypted traffic
Network Activity tab
 Investigate flows sent to QRadar SIEM
 Perform detailed searches
 View network activity
Grouping flows

Display options available for flow grouping:


Default (Normalized): To remove a grouping.
Unioned Flows: QRadar SIEM works in 1-minute cycles. When the minute is
over, the event processors send the events and flows they processed to the
console (only if they are needed on the console). Therefore, QRadar SIEM cuts
off flows even if the real network flows have not actually terminated. QRadar
SIEM creates a new flow record during the next 1-minute cycle for such a flow.
To merge these flow-slices into one flow representing the real network flow,
group by Unioned Flows. Otherwise, one real network flow can be represented
by more than one flow in QRadar SIEM.
Application: QRadar SIEM detects the kind of application data transported in
flows.
QFlow detects applications by performing traffic analysis on network packets. If
you do not use QFlow, QRadar SIEM determines the type of application from the
destination port.
Flow Bias: To summarize flows by the flow direction.
Finding an offense

A red icon indicates that a flow contributes to an offense.
A, B, C: superflow types
C: the payload contains clear text
Red bug: the flow participates in an offense
Annotations
• Annotations provide insight into why QRadar SIEM considers the event or traffic
threatening
• QRadar SIEM can add annotations when it adds events and flows to an offense
• Read the oldest annotation because it was added when the offense was
created
• Hold the mouse over an annotation to show the entire text.
 QRadar SIEM rules and building blocks add annotations when they create or
update an offense.
 QRadar SIEM users cannot add, edit, or delete annotations.

Navigating flow details


The Flow Direction field can include the following values:
•L2L: Traffic from a local network to another local network
•L2R: Traffic from a local network to a remote network
•R2L: Traffic from a remote network to a local network
•R2R: Traffic from a remote network to another remote network
Network Activity > Add Filter >
Parameter: Flow Direction >>>>> Value: L2L
OR Parameter: Source Network >>>> Value: other (available for both flows and events)
False positives (flow or event)
Each organization has legitimate network traffic that can trigger false positive
flows and events. This traffic creates noise that makes it difficult to identify true
security incidents.
Offense > Rules >
Display: Building block
Creating a false positive flow or event
• If an event or flow is legitimate, you can prevent it and similar events and flows from
contributing to offenses
• In the top menu bar, click the False Positive icon

Tuning a false positive flow or event


• Flows and events that you tagged as false positives perform in these ways
 Contribute to reports
 No longer contribute to offenses
 Are still stored by QRadar SIEM
• QRadar SIEM administrators must perform these tasks
 Keep the network hierarchy and Device Support Modules (DSM) up-to-date to
prevent false alarm offenses
 Disable rules that produce numerous unwanted offenses
Investigating super flows
A superflow is a flow that aggregates a number of flows that have a similar set
of elements.
QRadar SIEM aggregates flows with common characteristics into superflows that
indicate common attack types:

• Type A: Network sweep one source IP address > many destinations IP addresses
• Type B: Distributed denial of service (DDOS) attack many sources IP addresses > one
destination IP address
• Type C: PortScan one source IP address > many ports on one destination IP address
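As an added example (not from the original notes or from QRadar's own aggregation code) of the three superflow types listed above: a Python routine that groups constructed flow records into Type A (one source, many destinations), Type B (many sources, one destination) and Type C (one source, many ports on one destination). The MIN_MEMBERS threshold and the FLOWS sample are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample flows (not from the page): (source IP, destination IP, destination port).
FLOWS = (
    [("10.0.0.7", f"192.0.2.{i}", 445) for i in range(1, 7)]              # one source, six hosts
    + [(f"198.51.100.{i}", "192.0.2.50", 80) for i in range(1, 8)]        # seven sources, one host
    + [("10.0.0.9", "192.0.2.20", p) for p in (21, 22, 23, 25, 80, 443)]  # one pair, six ports
)

# Assumption: flows are aggregated only when at least MIN_MEMBERS share the pattern.
MIN_MEMBERS = 5


def find_superflows(flows, min_members=MIN_MEMBERS):
    """Aggregate flows into the three superflow types described in the notes."""
    dsts_by_src = defaultdict(set)
    srcs_by_dst = defaultdict(set)
    ports_by_pair = defaultdict(set)
    for src, dst, port in flows:
        dsts_by_src[src].add(dst)
        srcs_by_dst[dst].add(src)
        ports_by_pair[(src, dst)].add(port)

    superflows = []
    # Type A: network sweep, one source IP to many destination IPs
    for src, dsts in dsts_by_src.items():
        if len(dsts) >= min_members:
            superflows.append({"type": "A", "source": src, "members": len(dsts)})
    # Type B: distributed denial of service, many source IPs to one destination IP
    for dst, srcs in srcs_by_dst.items():
        if len(srcs) >= min_members:
            superflows.append({"type": "B", "destination": dst, "members": len(srcs)})
    # Type C: port scan, one source IP to many ports on one destination IP
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= min_members:
            superflows.append({"type": "C", "source": src, "destination": dst,
                               "members": len(ports)})
    return superflows


if __name__ == "__main__":
    for sf in find_superflows(FLOWS):
        print(sf)
```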

Some benefits of superflows:
•Reduced traffic from QFlow collectors
•Store only a single flow to disk
Using rules and building blocks
Rules perform tests on the events, flows, and offenses in QRadar SIEM and respond if
the test criteria are met.
A building block is a rule without a response that is used as a common variable in
multiple rules or to build complex rules.
Rules and building blocks are a collection of tests
Rules and building blocks test incoming events, flows, and offenses
About rules
If the tests of a rule match, the rule generates the configured actions and responses,
such as these examples
 Creating an offense
 Adding an annotation
 Sending an email
 Generating system notifications shown on the dashboard
Rules on offenses do not create new events or offenses; they perform only these tasks
 Send notifications
 Annotate the triggering offense
 Name the triggering offense
Custom Rule Engine (CRE) performs all tests, actions, and responses specified in rules
About building blocks and functions
•A building block is a collection of tests without actions and responses
•Building blocks group commonly used tests to build complex logic that enables the
building block to be reused in rules
•Building blocks often test for IP addresses, privileged user names, or collections of event
names; for example, if a building block includes the IP addresses of all DNS servers,
rules can then use this building block
•The CRE evaluates a building block only if a rule test uses it
•Functions allow rule tests with building blocks, for example: when an event matches
any/all of the following BB:HostDefinition: DNS Servers
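As an added example (constructed for these notes, not QRadar's own rule definitions or CRE code) of how building blocks, rule tests with any/all functions, and responses fit together: a minimal Python evaluator. The building block names, rules, DNS server addresses and EVENTS sample are all assumptions made for the illustration.

```python
# Assumption: the IP addresses behind the "DNS Servers" host definition.
DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}

# A building block is a collection of tests (here: functions on an event dict)
# with no actions or responses of its own.
BUILDING_BLOCKS = {
    "BB:HostDefinition: DNS Servers": [lambda e: e["dst_ip"] in DNS_SERVERS],
    "BB:CategoryDefinition: Firewall Deny": [lambda e: e["category"] == "Firewall Deny"],
    "BB:CategoryDefinition: Clear Text Apps": [lambda e: e["app"] in ("Telnet", "FTP")],
}

# Rules combine tests (plain field tests or building blocks) with responses.
# "mode" is the function applied across the tests: "all" or "any".
RULES = [
    {"name": "Firewall Deny to a DNS server", "mode": "all",
     "tests": [("bb", "BB:CategoryDefinition: Firewall Deny"),
               ("bb", "BB:HostDefinition: DNS Servers")],
     "responses": ["create_offense", "annotate: deny involving a defined DNS server"]},
    {"name": "Clear Text Application Usage", "mode": "any",
     "tests": [("bb", "BB:CategoryDefinition: Clear Text Apps"),
               ("field", "dst_port", 23)],
     "responses": ["create_offense", "annotate: clear text application detected"]},
]

# Constructed sample events (not from the page).
EVENTS = [
    {"name": "deny-1", "category": "Firewall Deny", "dst_ip": "10.0.0.53",
     "dst_port": 53, "app": "DNS"},
    {"name": "deny-2", "category": "Firewall Deny", "dst_ip": "10.0.0.99",
     "dst_port": 443, "app": "HTTPS"},
    {"name": "permit-1", "category": "Firewall Permit", "dst_ip": "10.0.0.99",
     "dst_port": 23, "app": "Telnet"},
    {"name": "permit-2", "category": "Firewall Permit", "dst_ip": "10.0.0.99",
     "dst_port": 443, "app": "HTTPS"},
]


def building_block_matches(name, event):
    """Evaluate a building block: every test in it must match.

    Called only from a rule test, mirroring the CRE, which evaluates a
    building block only when a rule uses it.
    """
    return all(test(event) for test in BUILDING_BLOCKS[name])


def rule_matches(rule, event):
    """Apply the rule's tests and combine them with its any/all function."""
    results = []
    for kind, *args in rule["tests"]:
        if kind == "bb":
            results.append(building_block_matches(args[0], event))
        elif kind == "field":
            field, expected = args
            results.append(event.get(field) == expected)
    combine = all if rule["mode"] == "all" else any
    return combine(results)


def run_cre(rules, events):
    """Apply every rule to every event; return the responses the CRE would fire."""
    fired = []
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                fired.append({"rule": rule["name"], "event": event["name"],
                              "responses": rule["responses"]})
    return fired


if __name__ == "__main__":
    for hit in run_cre(RULES, EVENTS):
        print(hit)
```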

Locating rules
Navigating to rules
Custom rules test the incoming events, flows, and offenses.
QRadar SIEM includes four custom rule types:
1.Event rules that test only events
2.Flow rules that test only flows
3.Common rule that tests events and flows
4.Offense rule that tests only offenses
QRadar SIEM includes three anomaly detection rule types:
1.Anomaly detection rules that test the results of saved flow or event
searches to detect when unusual traffic patterns occur in your network
2.Behavioral rules that test event and flow traffic according to seasonal
traffic levels and trends
3.Threshold rules that test event and flow traffic for activity less than, equal
to, or greater than a configured threshold or within a specified range

QRadar SIEM shows the rules and building blocks that fired for an event or
flow
 BB means building block
 In the example, Botnet: Potential Botnet Connection (DNS) created the
offense
Finding the rules that triggered an offense
Offense > Rules > Display: Rules

Using rule definitions during an investigation


Creating QRadar SIEM reports
Reports allow you to examine trends and statistical views of your network for various purposes, in
particular to meet compliance requirements.

A QRadar SIEM report is a means of scheduling and automating one or more saved
searches.
•QRadar SIEM reports perform the following tasks:
 Present measurements and statistics derived from events, flows, and
offenses
 Provide users the ability to create custom reports
 Allow reports to be branded and distributed
• Predefined report templates serve a multitude of purposes, such as
 Regulatory compliance
 Authentication activity
 Operational status
 Network status
 Executive summaries
QRadar SIEM supports the following regulatory schemas:
•HIPAA: Health Insurance Portability and Accountability Act
•COBIT: Control Objectives for Information and Related Technology
•SOX: Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
•PCI: Visa Payment Card Industry Data Security Standard
•GLBA: Gramm-Leach-Bliley Privacy Act
•FISMA: Federal Information Security Management Act
•NERC: The North American Electric Reliability Council
•GSX: Government Secure Extranet

Finding a report

Reporting Groups: View report templates of a reporting group


Hide Inactive Reports: Disable to view all inactive report templates
Inactive reports: QRadar SIEM does not automatically generate reports for inactive templates
Active reports: QRadar SIEM generates reports for active templates automatically according to
the schedule, unless the schedule is set to manual. QRadar SIEM lists active templates with a
manual schedule if the Hide Inactive Reports check box is enabled.
Running a report

Run Report: Run selected report template immediately, regardless of its schedule or active or
inactive state
Run Report on Raw Data: Generate the report on raw data if QRadar SIEM has not captured the
required time-series data
Toggle scheduling: Toggle the active and inactive state of the template

Creating a report template


If the default QRadar SIEM report templates do not meet your specific needs, you can create and save a
customized report template.

1-Click Create or Edit to open the Report Wizard.

2-Choosing a schedule
The schedule determines when the report runs and the default data range to use; for
example, when you select Weekly, the previous week's data (Sunday to Saturday) is
selected.
Use the following options to schedule the report:
•Manually: QRadar SIEM generates the report only when a user initiates it.
•Hourly: Schedules the report to generate at the end of each hour using the data from the
previous hour.
•Daily, Weekly, Monthly
3-Choosing a layout
4-Defining report contents: To configure the report chart, click Define
Some of the chart types include the following charts:
•Asset Vulnerabilities: Displays vulnerability data for defined assets in your deployment
•Top Destination IPs: Displays the top targeted IP addresses
•Top Offenses: Displays the top threat types to the managed network
•Top Source IPs: Displays the top IP addresses that attack any defined network or asset

5-Configuring the upper chart


6-Configuring the lower chart
7-Verifying the layout preview: provides only the layout of the report; it does not
show the actual data

8-Choosing a format: You can select any or all of the available formats for reports (XML, PDF,
HTML, XLS, ...)

9-Distributing the report: you can distribute the report by email


Note: You can distribute the report to multiple email addresses. Use commas to separate email
addresses listed in the Enter the report destination email address(es) field

10-Adding a description and assigning to the group

Performing advanced filtering


1-Filtering scenarios
Flows to external destinations: Flows originate in the local network and connect to an
external network >> Filters
 Source Network is not "other" >> local
 Destination Network is "other" >> remote
 Flow Direction is L2R
Remote to Remote flows: Flows originate in a remote network and connect to another
remote network (R2R, as defined above) >> Filter
 Flow Direction is R2R
Applications not running on the correct port
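As an added example (not from the original notes or from QRadar itself) that ties the Flow Direction values (L2L, L2R, R2L, R2R) to the three filtering scenarios above: a Python routine that derives the direction of each flow from a local network hierarchy and then applies the three filters. The LOCAL_NETWORKS hierarchy, the STANDARD_PORTS table and the FLOWS sample are assumptions constructed for the illustration.

```python
import ipaddress

# Assumption: local networks as defined in the network hierarchy (constructed for this example).
LOCAL_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not from the page): detected application and destination port.
FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.5", "dport": 443, "app": "HTTPS"},
    {"src": "203.0.113.9", "dst": "10.1.2.3", "dport": 22, "app": "SSH"},
    {"src": "10.1.2.3", "dst": "192.168.5.5", "dport": 22, "app": "SSH"},
    {"src": "198.51.100.4", "dst": "203.0.113.7", "dport": 80, "app": "HTTP"},
    {"src": "10.1.2.8", "dst": "203.0.113.22", "dport": 8022, "app": "SSH"},
]

# Assumption: standard ports for the applications identified in this sample.
STANDARD_PORTS = {"SSH": 22, "Telnet": 23, "HTTP": 80, "HTTPS": 443}


def is_local(ip):
    """True when the address is inside the network hierarchy; otherwise it is 'other' (remote)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def flow_direction(src, dst):
    """Return L2L, L2R, R2L or R2R, as the Flow Direction field labels them."""
    return ("L" if is_local(src) else "R") + "2" + ("L" if is_local(dst) else "R")


def flows_to_external_destinations(flows):
    """Scenario 1: Source Network is not 'other' and Destination Network is 'other' (L2R)."""
    return [f for f in flows if flow_direction(f["src"], f["dst"]) == "L2R"]


def remote_to_remote_flows(flows):
    """Scenario 2: Flow Direction is R2R."""
    return [f for f in flows if flow_direction(f["src"], f["dst"]) == "R2R"]


def applications_on_wrong_port(flows):
    """Scenario 3: the detected application is not using its standard destination port."""
    return [f for f in flows
            if f["app"] in STANDARD_PORTS and f["dport"] != STANDARD_PORTS[f["app"]]]


if __name__ == "__main__":
    for f in FLOWS:
        print(flow_direction(f["src"], f["dst"]), f)
    print("external:", flows_to_external_destinations(FLOWS))
    print("R2R:", remote_to_remote_flows(FLOWS))
    print("wrong port:", applications_on_wrong_port(FLOWS))
```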

Advanced Search filter uses Ariel Query Language (AQL) to build SQL-like queries
