IBM Security
QRadar SIEM Foundations
User Interface and Dashboard
QRadar SIEM tabs
Use tabs to navigate the primary QRadar SIEM functions
• Dashboard: The initial summary view
• Offenses: Displays offenses; list of prioritized incidents
• Log Activity: Query and display events
• Network Activity: Query and display flows
• Assets: Query and display information about systems in your network
• Reports: Create templates and generate reports
• Admin: Administrative system management
• Other Tabs: Vulnerability Management, Risk Management, Incident Forensics (requires an additional license), and apps installed from the App Exchange
Other menu options
The dashboard has the following additional menu options:
• User Preferences
• Help
• Log out
Accessing help
• Question mark icon: Opens context-sensitive help for the currently displayed feature in a new browser window. The browser does not require internet access because the Console appliance provides the context-sensitive help.
• QRadar Help Contents: Opens the IBM Knowledge Center in a new browser tab. The browser requires internet access.
© COPYRIGHT IBM CORPORATION 2017
Dashboard overview
• QRadar SIEM shows the Dashboard tab when you log in
• Several default dashboards are available
• You can create multiple dashboards
• Each dashboard can contain items that provide summary and detailed information
• You can create custom dashboards to focus on your security or operations responsibilities
• Each dashboard is associated with a user; changes that you make to a dashboard do not affect the dashboards of other users
Dashboard tab
The Dashboard tab displays Dashboard items.
Dashboards
– Dashboards are like a canvas for dashboard items
– You can create custom dashboards to focus on your security or operations responsibilities
– Each dashboard is associated with a user; changes that you make to a dashboard do not affect the dashboards of other users
• New Dashboard: Create a new, empty dashboard
• Rename Dashboard: Rename the currently selected dashboard
• Delete Dashboard: Delete the currently selected dashboard
• Show Dashboard: Select a dashboard to display its items
Adding a saved search as a dashboard item
• You can add a saved search as a dashboard item only if the search has a grouping
• More than 15 items on a dashboard can negatively impact performance
Adding a saved search as a dashboard item (continued)
You can add searches with a grouping that you created yourself.
Adding a saved search as a dashboard item (continued)
• Items are added at the bottom of the dashboard
• Click and hold the header of an item to move it
Enabling a search to be used as a dashboard item
• Include in my Dashboard: Adds the search to the Add item drop-down list on the Dashboard tab
Data Sources
Collecting data: Data sources
Use the Data Sources tools to manage event, flow, and vulnerability data.
Log sources through traffic analysis
QRadar SIEM can automatically discover log sources in your deployment that send syslog-only messages to an Event Collector IP address.
Adding log sources (1/2)
To add a log source:
1. In the Data Sources window, click the Log Sources icon.
2. Click the Add icon on the upper-right side of the window.
3. Select and complete the associated fields in the Add a log source pane.
4. Click Save.
5. Deploy the change.
Adding log sources (2/2)
The Add a log source pane expands to show the parameters and values that QRadar SIEM uses for the selected Log Source Type.
Adding log source extensions
• Log source extensions immediately extend the parsing routines of specific devices.
• Note: You must use a log source extension to detect an event that has missing or incorrect fields.
• A log source extension can also parse an event when the DSM it is attached to fails to produce a result.
• You must create the extension document before you can define a log source extension within QRadar SIEM.
• If you use the DSM Editor tool, Log Source Extensions are automatically created and uploaded (recommended).
Log source parsing order
• You can configure the order that you want each Event Collector in your deployment to use to apply DSMs to log sources.
• If a log source has multiple Log Source Types under the same IP address or host name, you can order the importance of these incoming log source events by defining the parsing order.
Other Supported Formats
• Universal CEF
– Accepts events from any device that produces events in the Common Event Format (CEF) from Syslog or Log File
• Universal LEEF
– Accepts events from devices that produce events in the Log Event Extended Format (LEEF) from Syslog or Log File
– Proprietary event format that allows hardware and software manufacturers to read and map device events specifically designed for QRadar integration
– Both Universal CEF and LEEF events must be mapped; they do not contain a QID (QRadar Identifier) to categorize events
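The parsing-order and CEF/LEEF points above, as an added example that is not part of the IBM course material: two minimal parsers for the Universal CEF and Universal LEEF header layouts are tried in a configured order against lines arriving from one source IP, and because neither format carries a QID, a constructed mapping table supplies the category. The event lines, vendor and product names and the mapping are constructed; the LEEF 2.0 branch assumes the delimiter appears as a literal sixth header field.

```python
import re
from collections import namedtuple

# Constructed lines as one syslog source (single IP) might send them: a CEF event,
# a LEEF 1.0 event (tab-separated attributes) and a plain syslog line neither format parses.
SAMPLE_EVENTS = [
    "CEF:0|Example|Firewall|1.0|100|Connection denied|7|src=10.0.0.5 dst=10.0.0.9 dpt=22 act=deny",
    "LEEF:1.0|Example|IDS|2.3|SQLI|src=10.0.0.5\tdst=10.0.0.20\tusrName=alice",
    "<13>Sep 12 10:00:00 host sshd[123]: Accepted publickey for bob",
]

ParsedEvent = namedtuple("ParsedEvent", "fmt vendor product event_id severity fields")

def _header(text, count):
    """Split on unescaped '|' (a literal pipe is escaped as '\\|' in CEF/LEEF headers)."""
    return [p.replace("\\|", "|") for p in re.split(r"(?<!\\)\|", text, maxsplit=count)]

def parse_cef(line):
    """CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|key=value ..."""
    idx = line.find("CEF:")
    parts = _header(line[idx + 4:], 7) if idx >= 0 else []
    if len(parts) < 8:        # not CEF or truncated header: let the next parser try
        return None
    _ver, vendor, product, _dver, sig_id, _name, severity, ext = parts
    # Extension values may contain spaces; a value ends where the next 'key=' starts.
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", ext))
    return ParsedEvent("CEF", vendor, product, sig_id, severity, fields)

def parse_leef(line):
    """LEEF:Version|Vendor|Product|DevVersion|EventID|[delimiter|]attributes"""
    idx = line.find("LEEF:")
    parts = _header(line[idx + 5:], 5) if idx >= 0 else []
    if len(parts) < 6:
        return None
    ver, vendor, product, _dver, event_id, rest = parts
    delim, attrs = "\t", rest                 # LEEF 1.0 attributes are tab-separated
    if ver.startswith("2."):                  # LEEF 2.0 names the delimiter in a 6th header field
        delim, _, attrs = rest.partition("|")
        delim = delim or "\t"                 # (hex forms such as x09 are not handled here)
    fields = dict(a.split("=", 1) for a in attrs.split(delim) if "=" in a)
    return ParsedEvent("LEEF", vendor, product, event_id, fields.get("sev"), fields)

# Parsing order for this IP: parsers are tried in this order and the first result wins.
PARSING_ORDER = [("Universal CEF", parse_cef), ("Universal LEEF", parse_leef)]
# Constructed mapping: CEF and LEEF events carry no QID, so each (vendor, product,
# event id) must be mapped before the event can be categorized; the rest stay Unknown.
EVENT_MAP = {("Example", "Firewall", "100"): "Firewall Deny",
             ("Example", "IDS", "SQLI"): "SQL Injection"}

def classify(line, order=PARSING_ORDER):
    """Apply the parsing order; the first parser that produces a result wins, then map."""
    for _name, parser in order:
        ev = parser(line)
        if ev is not None:
            return ev.fmt, EVENT_MAP.get((ev.vendor, ev.product, ev.event_id), "Unknown")
    return "unparsed", None   # no parser in the order accepted the line: flag it for review
```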
Managing flow sources
• QRadar SIEM accepts external flow data from various sources such as the following accounting technologies:
– NetFlow: Protocol defined by Cisco to share accounting information from switches and routers
– IPFIX: Protocol defined by IETF to share accounting information from switches and routers (NetFlow V9 resembles IPFIX)
– sFlow: Advanced packet sampling technique and protocol used for network monitoring
– J-Flow: Packet sampling technique and protocol developed by Juniper
– Packeteer: Protocol developed by Bluecoat that is used for bandwidth management
– Flowlog file: A flow log file as stored in the Ariel data structure
• QRadar SIEM accepts internal flow data from the NICs using qFlow, Napatech, and Endace.
Adding a flow source
• QRadar SIEM automatically adds default flow sources for physical ports on the appliance and includes a default NetFlow flow source.
• To add a flow source:
1. In the Data Sources window, click the Flow Sources icon.
2. Click Add.
3. Flow Source Type: Select a Flow Source Type.
4. Source File Path: Enter the location of the flow file.
5. Click Save and then Deploy Changes.
Adding a flow source with asymmetric routing
In some networks, traffic is configured to take different paths for inbound and outbound traffic. QRadar can combine the traffic into a single flow.
1. Choose a Flow Source Type.
2. Click Enable Asymmetric Flows.
3. Complete the remaining fields.
4. Click Save and then Deploy Changes.
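What "combine the traffic into a single flow" means under asymmetric routing, as an added example that is not QRadar's code: unidirectional records from two constructed exporters are keyed on a direction-independent 5-tuple, so both halves of a session merge into one bidirectional flow, while with the feature disabled each half remains a separate one-sided flow. Exporter names, addresses and counters are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional record as a NetFlow/IPFIX/sFlow style exporter emits it."""
    exporter: str   # constructed name of the router or probe that exported the record
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    bytes: int

# Constructed records: the client->server half of a TCP session is routed through
# router-a and the server->client half returns through router-b (asymmetric routing),
# plus a UDP DNS query for which no return record was ever exported.
SAMPLE_RECORDS = [
    FlowRecord("router-a", "10.0.0.5", 51000, "192.0.2.10", 443, 6, 20, 1200),
    FlowRecord("router-b", "192.0.2.10", 443, "10.0.0.5", 51000, 6, 45, 54000),
    FlowRecord("router-a", "10.0.0.5", 53001, "192.0.2.53", 53, 17, 1, 70),
]

def flow_key(r, asymmetric):
    """Direction-independent key: with asymmetric handling enabled both halves of a
    session share one key; disabled, records from different exporters stay apart."""
    endpoints = tuple(sorted([(r.src, r.sport), (r.dst, r.dport)]))
    return endpoints + (r.proto,) if asymmetric else endpoints + (r.proto, r.exporter)

def combine_flows(records, asymmetric=True):
    """Merge unidirectional records into flows with per-direction byte/packet counters."""
    flows = {}
    for r in records:
        key = flow_key(r, asymmetric)
        f = flows.get(key)
        if f is None:
            # The first record seen defines the "source" side (a simplification; a real
            # collector also uses first-packet timing and direction rules).
            f = flows[key] = {"src": r.src, "sport": r.sport, "dst": r.dst, "dport": r.dport,
                              "proto": r.proto, "exporters": set(), "src_bytes": 0,
                              "dst_bytes": 0, "src_packets": 0, "dst_packets": 0}
        side = "src" if (r.src, r.sport) == (f["src"], f["sport"]) else "dst"
        f[side + "_bytes"] += r.bytes
        f[side + "_packets"] += r.packets
        f["exporters"].add(r.exporter)
    return list(flows.values())

def one_sided_flows(records, asymmetric=True):
    """Flows for which only one direction was ever seen. With asymmetric routing and
    the feature disabled, each half of a real session shows up here."""
    return [f for f in combine_flows(records, asymmetric)
            if f["src_bytes"] == 0 or f["dst_bytes"] == 0]
```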
Flow source aliases
• You can configure a virtual name (or alias) for flow sources.
• Using the source IP address and virtual name, you can identify multiple sources being sent to the same QRadar QFlow Collector.
• QRadar QFlow Collector can use an alias to uniquely identify and process data sources being sent to the same port.
Note: Use the Deployment Actions in System and License Management to configure the QRadar QFlow Collector to automatically detect flow-source aliases.
Adding a flow source alias
To add a flow source alias:
1. Click the Admin tab.
2. Click the Flow Aliases icon.
3. Click Add.
4. IP: Type the IP address of the flow source alias.
5. Name: Type a unique name for the flow source alias.
6. Click Save and then Deploy Changes.
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
