Section 1: System Configuration
TASK: 1.1 Perform license management
1.1.1. Implement and manage shared license pool
1.1.2. Deploy incremental licenses
1.1.3. Explain burst handling
1.1.4. Upload and allocate a license key to a host
1.1.5. View license details for all QRadar components
Burst handling
IBM® QRadar® uses burst handling to ensure that no data is lost when the system exceeds the allocated events
per second (EPS) or flows per minute (FPM) license limits.
When QRadar receives a data spike that causes it to exceed the allocated EPS and FPM limits, the extra events and
flows are moved to a temporary queue to be processed when the incoming data rate slows. When burst handling
is triggered, a system notification alerts you that the appliance exceeded the EPS or FPM license limit.
The backlog in the temporary queue is processed in the order that the events or flows were received. The older
data at the start of the queue is processed before the most recent data at the end of the queue. The rate at which
the queue empties or fills is impacted by several factors, including the volume and duration of the data spike, the
capacity of the appliance, and the payload size.
Hardware appliances normally can handle burst rates at least 50% greater than the appliance's stated EPS and FPM
capability, and can store up to 5GB in the temporary queue. The actual burst rate capability depends upon the
system load. VM appliances can achieve similar results if the VM is adequately sized and meets the performance
requirements.
The burst recovery rate is the difference between the allocated rate and the incoming rate. When the volume of
incoming data slows, the system processes the backlog of events or flows in the queue as fast as the recovery rate
allows. The smaller the recovery rate, the longer it takes to empty the queue.
Example: Incoming data spike
Every morning, between 8am and 9am, a company's network experiences a data spike as employees log in and
begin to use the network resources
Internal events
IBM® QRadar® appliances generate a small number of internal events when they communicate with each other
as they process data.
To ensure that the internal events are not counted against the allocated capacity, the system automatically returns
all internal events to the license pool immediately after they are generated.
Shared license pool
The EPS and FPM rate that is set by each license is combined into a shared license pool. From the shared license
pool, you can distribute the processing capacity to any host within a specific deployment or that is managed by a
single console, regardless of which host the original license is allocated to.
By adjusting the allocation of the shared license pool, you ensure that the event and flow capacity is distributed
according to the network workload, and that each QRadar® host has enough EPS and FPM to effectively manage
periods of peak traffic.
In deployments that have separate event collector and event processor appliances, the event collector inherits the
EPS rate from the event processor that it is attached to. To increase the capacity of the event collector, allocate
more EPS from the shared license pool to the parent event processor.
Contributions to the license pool
A license that includes both event and flow capacity might not contribute both the EPS and FPM to the shared
license pool. The license pool contributions are dependent on the type of appliance that the license is allocated to.
For example, when you apply a license to a 16xx Event Processor, only the EPS is added to the license pool. The
same license, when applied to a 17xx Flow Processor, contributes only the FPM to the license pool. Applying the
license to an 18xx Event/Flow Processor contributes both EPS and FPM to the pool. With exception of software
licenses for event or flow collectors, all software licenses contribute both the EPS and FPM to the shared license
pool, regardless of which type of appliance the license is allocated to.
As of QRadar V7.3.2, you can now acquire stackable EPS/Flow increments instead of replacing existing console or
other managed hosts license when you need to increase the overall event or flow thresholds of your deployment.
After the licenses are uploaded and deployed, the event/flow capacity can then be reallocated through the License
Pool Management.
Exceeding your licensed processing capacity limits
The license pool becomes over-allocated when the combined EPS and FPM that is allocated to the managed hosts
exceeds the EPS and FPM that is in the shared license pool. When the license pool is overallocated, the License
Pool Management window shows a negative value for the EPS and FPM, and the allocation chart turns
red. QRadar blocks functionality on the Network Activity and Log Activity tabs, including the ability to view
events and flows from the Messages list on the main QRadar toolbar.
To enable the blocked functionality, reduce the EPS and FPM that you allocated to the managed hosts in your
deployment. If the existing licenses do not have enough event and flow capacity to handle the volume of network
data, upload a new license that includes enough EPS or FPM to resolve the deficit in the shared license pool.
Expired licenses
When a license expires, QRadar continues to process events and flows at the allocated rate.
If the EPS and FPM capacity of the expired license was allocated to a host, the shared resources in the license pool
might go into a deficit, and cause QRadar to block functionality on the Network Activity and Log Activity tabs.
License management
License keys entitle you to specific IBM® QRadar® products, and control the event and flow capacity for
your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such
as QRadar Vulnerability Manager.
When you install QRadar, the default license key is temporary and gives you access to the system for 35 days from
the installation date. The email that you received from IBM when you purchased QRadar contains your permanent
license keys. These license keys extend the capabilities of your appliance, and you must apply them before the
default license expires.
To apply a license key to the system, follow these steps:
1. Obtain the license key. For new or updated license keys, contact your local sales representative.
2. Upload the license key.
License keys determine your entitlement to IBM® QRadar® products and features, and the
system capacity for handling events and flows.
Before you begin
If you need assistance to obtain a new or updated license key, contact your local sales
representative.
About this task
You must upload a license key when you are doing these tasks:
•
•
•
Updating an expired QRadar console license
Increasing the events per minute (EPS) or flows per minute (FPM) limits
Adding a QRadar product to your deployment, such as IBM QRadar Vulnerability Manager, to
your deployment
As of QRadar V7.3.0, you do not need to upload a new license when you add an Event
Processor or Flow Processor to your deployment. Event and flow processors are automatically
assigned a perpetual, or permanent, appliance license, and you can allocate EPS or FPM from the
license pool to the appliance.
As of QRadar V7.3.2, you can now acquire stackable EPS/Flow increments instead of replacing
existing console or other managed hosts license when you need to increase the overall event or
flow thresholds of your deployment. After the licenses are uploaded and deployed, the event/flow
capacity can then be reallocated through the License Pool Management.
If the license key for your QRadar Console expires, you are automatically directed to the System and
License Management window when you log on. You must upload a license key before you can
continue.
If a managed host system has an expired license key, a message is displayed when you log in that
indicates that a managed host requires a new license key. You use the System and License
Management window to update the license key. If the license pool is not over allocated, delete the
expired key and allocate EPS or FPM from the license pool to the managed host.
Procedure
1.
2.
3.
4.
5.
6.
On the navigation menu ( ), click Admin.
In the System Configuration section, click System and License Management.
On the toolbar, click Upload License.
In the dialog box, click Select File.
Select the license key, and click Open.
Click Upload, and then click Confirm.
Results
The license is uploaded to your QRadar Console and is displayed in the System and License
Management window.
By default, most licenses are not immediately allocated to a QRadar host. However, the system
automatically allocates all QRadar Vulnerability Manager, QRadar Risk Manager, and QRadar
Incident Forensics keys to the QRadar console.
Note: Incremental licenses that increase capacity for events and flows are automatically allocated to the
Console.
Allocating a license key to a host
Allocate a license key to an IBM® QRadar® host when you want to replace an existing license, add
new QRadar products, or increase the event or flow capacity in the shared license pool.
Before you begin
You must upload a license key.
About this task
You can allocate multiple licenses to a QRadar console. For example, you can allocate license keys
that add IBM QRadar Risk Manager and QRadar Vulnerability Manager to your QRadar console.
You cannot revert a license key after you add it to a QRadar host. If you mistakenly allocate a license
to the wrong host, you must deploy the change, and then delete the license from the system. After
the license is deleted, you can upload the license again, and then reallocate it. After the license is
allocated to the correct host, you must deploy the changes again.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click System and License Management.
From the Display list, select Licenses.
Select the license, and click Allocate System to License.
Tip: When you select System from the Display list, the label changes to Allocate License to
a System.
5. To filter the list of licenses, type a keyword in the search box.
6. On the Allocate a System to a License window, select the host that you want to allocate the
license to, and click Allocate System to License.
Deploying changes
Changes that are made to the IBM® QRadar® deployment must be pushed from the staging area to
the production area.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
Check the deployment banner to determine whether changes must be deployed.
Click View Details to view information about the undeployed configuration changes.
Choose the deployment method:
a. To deploy changes and restart only the affected services, click Deploy Changes on
the deployment banner.
b. To rebuild the configuration files and restart all services on each managed host,
click Advanced > Deploy Full Configuration.
Important: QRadar continues to collect events when you deploy the full
configuration. When the event collection service must restart, QRadar does not
restart it automatically. A message displays that gives you the option to cancel the
deployment and restart the service at a more convenient time.
After you apply the license keys to QRadar, redistribute the EPS and FPM rates to ensure that each of the
managed hosts is allocated enough capacity to handle the average volume of network traffic, and still have enough
EPS and FPM available to efficiently handle a data spike. You do not need to deploy the changes after you
redistribute the EPS and FPM capacity.
License expiry
The processing capacity of the system is measured by the volume of events and flows that QRadar can process in
real time. The capacity can be limited by either the appliance hardware or the license keys. The temporary license
key allows for 5,000 events per second (EPS) on the QRadar Console, and 10,000 EPS on each managed host. The
FPM rate for the temporary license is 200,000 on both the QRadar Console and the managed hosts.
When a license expires, QRadar continues to process events and flows up to the licensed capacity limits. If the EPS
and FPM capacity of the expired license was allocated to a host, the shared license pool might go into a deficit, and
cause QRadar to block capabilities on the Network Activity and Log Activity tabs.
When QRadar is not licensed to handle the volume of incoming network data, you can add a license that has more
event or flow capacity.
Event and flow processing capacity
The capacity of a deployment is measured by the number of events per second (EPS) and flows per
minute (FPM) that IBM® QRadar® can collect, normalize, and correlate in real time. The event and flow
capacity is set by the licenses that are uploaded to the system.
Each host in your QRadar deployment must have enough event and flow capacity to ensure that QRadar can
handle incoming data spikes. Most incoming data spikes are temporary, but if you continually receive system
notifications that indicate that the system exceeded the license capacity, you can replace an existing license with a
license that has more EPS or FPM capacity.
Shared license pool
The EPS and FPM rate that is set by each license is combined into a shared license pool. From the
shared license pool, you can distribute the processing capacity to any host within a specific
deployment or that is managed by a single console, regardless of which host the original license is
allocated to.
By adjusting the allocation of the shared license pool, you ensure that the event and flow capacity is
distributed according to the network workload, and that each QRadar® host has enough EPS and
FPM to effectively manage periods of peak traffic.
In deployments that have separate event collector and event processor appliances, the event
collector inherits the EPS rate from the event processor that it is attached to. To increase the
capacity of the event collector, allocate more EPS from the shared license pool to the parent event
processor.
Contributions to the license pool
A license that includes both event and flow capacity might not contribute both the EPS and FPM to
the shared license pool. The license pool contributions are dependent on the type of appliance that
the license is allocated to. For example, when you apply a license to a 16xx Event Processor, only
the EPS is added to the license pool. The same license, when applied to a 17xx Flow Processor,
contributes only the FPM to the license pool. Applying the license to an 18xx Event/Flow Processor
contributes both EPS and FPM to the pool. With exception of software licenses for event or flow
collectors, all software licenses contribute both the EPS and FPM to the shared license pool,
regardless of which type of appliance the license is allocated to.
As of QRadar V7.3.2, you can now acquire stackable EPS/Flow increments instead of replacing
existing console or other managed hosts license when you need to increase the overall event or
flow thresholds of your deployment. After the licenses are uploaded and deployed, the event/flow
capacity can then be reallocated through the License Pool Management.
Exceeding your licensed processing capacity limits
The license pool becomes over-allocated when the combined EPS and FPM that is allocated to the
managed hosts exceeds the EPS and FPM that is in the shared license pool. When the license pool is
overallocated, the License Pool Management window shows a negative value for the EPS and FPM,
and the allocation chart turns red. QRadar blocks functionality on the Network Activity and Log
Activity tabs, including the ability to view events and flows from the Messages list on the
main QRadar toolbar.
To enable the blocked functionality, reduce the EPS and FPM that you allocated to the managed
hosts in your deployment. If the existing licenses do not have enough event and flow capacity to
handle the volume of network data, upload a new license that includes enough EPS or FPM to
resolve the deficit in the shared license pool.
Expired licenses
When a license expires, QRadar continues to process events and flows at the allocated rate.
If the EPS and FPM capacity of the expired license was allocated to a host, the shared resources in
the license pool might go into a deficit, and cause QRadar to block functionality on the Network
Activity and Log Activity tabs.
Capacity sizing
The best way to deal with spikes in data is to ensure that your deployment has enough events per
second (EPS) and flows per minute (FPM) to balance peak periods of incoming data. The goal is to
allocate EPS and FPM so that the host has enough capacity to process data spikes efficiently, but
does not have large amounts of idle EPS and FPM.
When the EPS or FPM that is allocated from the license pool is very close to the average EPS or FPM
for the appliance, the system is likely to accumulate data in a temporary queue to be processed
later. The more data that accumulates in the temporary queue, also known as the burst-handling
queue, the longer it takes QRadar® to process the backlog. For example, a QRadar host with an
allocated rate of 10,000 EPS takes longer to empty the burst handling queue when the average EPS
rate for the host is 9,500, compared to a system where the average EPS rate is 7,000.
Offenses are not generated until the data is processed by the appliance, so it is important to
minimize how frequently QRadar adds data to the burst handling queue. By ensuring that each
managed host has enough capacity to process short bursts of data, you minimize the time that it
takes for QRadar to process the queue, ensuring that offenses are created when an event occurs.
When the system continuously exceeds the allocated processing capacity, you cannot resolve the
problem by increasing the queue size. The excess data is added to the end of the burst handling
queue where it must wait to be processed. The larger the queue, the longer it takes for the queued
events to be processed by the appliance.
Burst handling
IBM QRadar uses burst handling to ensure that no data is lost when the system exceeds the allocated events per
second (EPS) or flows per minute (FPM) license limits.
Uploading a license key
License keys determine your entitlement to IBM QRadar products and features, and the system capacity for
handling events and flows.
Allocating a license key to a host
Allocate a license key to an IBM QRadar host when you want to replace an existing license, add
new QRadar products, or increase the event or flow capacity in the shared license pool.
Distributing event and flow capacity
Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM)
that you are entitled to is fully used. Also, ensure that IBM QRadar is configured to handle periodic bursts of data
without dropping events or flows, or having excessive unused EPS and FPM.
Viewing license details
View the license details to see information such as the status, expiration, and event and flow rate limits for each
license that is uploaded to the system.
Deleting licenses
Delete a license if you mistakenly allocated it to the wrong QRadar host. Also, delete an expired license to stop IBM
QRadar from generating daily system notifications about the expired license.
Exporting license information
For auditing, export information about the license keys that are installed on your system to an external .xml file.
Incremental licensing
Incremental licensing streamlines the license distribution process and saves you time and effort because you don't
need separate licenses for each appliance. Purchase monthly capacity increases that can be applied to your
deployment, without running the risk that these temporary keys might shut down the entire system when they
expire. Now, you can add more flows and events to the Console license and redistribute to your pool of appliances
as you see fit. Use your operational budget to add capacity to perpetual licenses on a temporary basis for shortterm projects such as network onboarding, reorganizing, and testing use cases.
With incremental licensing, you can now acquire stackable EPS/Flow increments instead of replacing existing
console or other managed hosts license when you need to increase the overall event or flow thresholds of your
deployment. After the licenses are uploaded and deployed, the event/flow capacity can then be reallocated through
the License Pool Management. For example, suppose that you have a 3105 All-in-One with 1000 EPS on a perpetual
key. You’re working on a 6-month project where several new log sources need to be on-boarded for a temporary
period. Previously, this project would cause the EPS volumes to exceed the 1000 EPS limit. With the new
incremental licensing feature, you can purchase an extra 2500 EPS bundle for just 6 months. IBM provides a license
key that incrementally raises the EPS from 1000 through to 3500 for the 6-month period. At the end of the 6-month
period, the additional 2500 EPS expires, but the original 1000 EPS remains operational, without any additional
intervention from support or product
You can review the status of the primary and secondary host in your high-availability (HA) cluster.
The following table describes the status of each host that is displayed in the System and License
Management window:
Status
Active
Description
Specifies that the host is the active system and that all services are running normally.
The primary or secondary HA host can display the active status.
Note: If the secondary HA host displays the active status, the primary HA host failed.
Standby
Specifies that the host is acting as the standby system. In the standby state, no services
are running but data is synchronized if disk replication is enabled. If the primary or
secondary HA host fails, the standby system automatically becomes the active system.
Specifies that the primary or secondary host failed.
If the primary HA host displays Failed, the secondary HA host assumes the
responsibilities of the primary HA host and displays the Active status.
Failed
If the secondary HA host displays Failed, the primary HA host remains active, but is
not protected by HA.
A system in a failed state must be manually repaired or replaced, and then restored. If
the network fails, you might need access to the physical appliance.
Specifies that data is synchronizing between hosts.
Synchronizing
Note: This status is displayed only when disk replication is enabled.
Status
Description
Online
Specifies that the host is online.
Specifies that an administrator manually set the HA host offline. Offline mode indicates
a state that is typically used to complete appliance maintenance.
When an appliance indicates a status of offline:
Offline
Data replication is functioning between the active and offline HA hosts.
Services that process events, flows, offenses, and heartbeat ping tests are stopped for
the offline HA host.
Failover cannot occur until the administrator sets the HA host online.
Specifies that the host is restoring. For more information, see Verifying the status of
primary and secondary hosts.
Specifies that a license key is required for the HA cluster. In this state, no processes
Needs License are running.
Restoring
For more information about applying a license key, see your Administration Guide.
Setting Offline Specifies that an administrator is changing the status of an HA host to offline.
Setting Online Specifies that an administrator is changing the status of an HA host to online
Specifies that the secondary HA host requires a software upgrade.
Needs
Upgrade
When the Needs Upgrade status is displayed, the primary remains active, but is not
protected against failover. Disk replication of events and flows continues between the
primary and the secondary HA hosts.
Specifies that the secondary HA host is being upgraded by the primary HA host.
If the secondary HA host displays the Upgrading status, the primary HA host remains
active, but is not protected by HA. Heartbeat monitoring and disk replication, if
enabled, continue to function.
Upgrading
After DSMs or protocols are installed and deployed on a Console, the Console
replicates the DSM and protocol updates to its managed hosts. When primary and
secondary HA hosts are synchronized, the DSM and protocols updates are installed on
the secondary HA host.
Only a secondary HA host can display an Upgrading status.
Table 1. HA status descriptions
•
Viewing HA cluster IP addresses
You can display the IP addresses of all the components in your High-availability (HA) cluster.
You can display the IP addresses of all the components in your High-availability (HA) cluster.
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
On the navigation menu, click System Configuration.
Click the System and License Management icon.
Identify the QRadar® primary console.
Hover your mouse over the host name field.
Creating an HA cluster
Pairing a primary host, secondary high-availability (HA) host, and a virtual IP address creates an HA
cluster.
Before you begin
•
•
If external storage is configured for a primary HA host, you must also configure the
secondary HA host to use the same external storage options. For more information, see
the QRadar® Offboard Storage Guide.
Ensure that no undeployed changes exist before you create an HA cluster.
About this task
If disk synchronization is enabled, it might take 24 hours or more for the data in
the /store partition on the primary HA host /store partition to initially synchronize with the
secondary HA host.
If the primary HA host fails and the secondary HA host becomes active, the Cluster Virtual IP
address is assigned to the secondary HA host.
In an HA deployment, the interfaces on both the primary and secondary HA hosts can become saturated. If
performance is impacted, you can use a second pair of interfaces on the primary and secondary HA hosts
to manage HA and data replication. Use a crossover cable to connect the interfaces.
Important: You can enable a crossover connection during and after the creation of an HA cluster and this
does not cause any event collection downtime.
Procedure
1.
2.
3.
4.
5.
6.
On the navigation menu ( ), click Admin.
Click System and License Management.
Select the host for which you want to configure HA.
From the Actions menu, select Add HA Host and click OK.
Read the introductory text. Click Next.
Type values for the parameters:
Option
Description
Primary A new primary HA host IP address. The new IP address replaces the previous IP address.
Host IP
The current IP address of the primary HA host becomes the Cluster Virtual IP address.
address
The new primary HA host IP address must be on the same subnet as the virtual host IP
address.
Important: For a NAT deployment, use the private IP address of the primary HA host.
SecondaryThe IP address of the secondary HA host. The secondary HA host must be on the same
HA host IP subnet as the primary HA host.
address
Important: For a NAT deployment, use the private IP address of the secondary HA host.
Enter the The root password for the secondary HA host. The password must not include special
root
characters.
password
of the
host
Confirm The root password for the secondary HA host again for confirmation.
the root
password
of the
host
7. To configure advanced parameters, click the arrow beside Show Advanced Options and
type values for the parameters.
Option
Description
Heartbeat
Interval
(seconds)
The time, in seconds, that you want to elapse between heartbeat pings. The default
is 10 seconds.
Heartbeat
Timeout
(seconds)
For more information about heartbeat pings, see Heartbeat ping tests.
The time, in seconds, that you want to elapse before the primary HA host is
considered unavailable if no heartbeat is detected. The default is 30 seconds.
Network
The IP addresses of the hosts that you want the secondary HA host to ping. The
Connectivity
default is to ping all other managed hosts in the QRadar deployment.
Test List peer IP
addresses
For more information about network connectivity testing, see Network
(comma
connectivity tests.
delimited)
Disk
The disk synchronization rate. The default is 100 MB/s.
Synchronization
Rate (MB/s)
Increase this value to 1100 MB/s when you are using 10 G crossover cables.
Option
Description
Note: Do not exceed your system's capacity. The limit for Distributed Replicated Block
Devices is 4096 MB/s.
Disable Disk
Replication
This option is displayed only when you are configuring an HA cluster by using a
managed host.
Configure
Crossover cables allow QRadar to isolate the replication traffic from all
Crossover Cable other QRadar traffic, such as events, flows, and queries.
You can use crossover cables for connections between 10 Gbps ports, but not the
management interface.
Crossover
Interface
Select the interfaces that you want to connect to the primary HA host.
Crossover
Advanced
Options
Select Show Crossover Advanced Options to enter, edit, or view the property values.
Important: All interfaces with an established link, or an undetermined link, appear in the
list. Select interfaces with established links only.
8. Click Next, and then click Finish.
Important: When an HA cluster is configured, you can display the IP addresses that are used
in the HA cluster. Hover your mouse over the Host Name field on the System and License
Management window.
9. On the navigation menu ( ), click Admin.
10. Click Advanced > Deploy Full Configuration to enable network connectivity tests.
Disconnecting an HA cluster
By disconnecting an HA cluster, the data on your primary HA console or managed host is not
protected against network or hardware failure.
Before you begin
If you migrated the /store file system to a Fibre Channel device, you must modify
the /etc/fstab file before you disconnect the HA cluster. For more information, see Updating the
/etc/fstab file.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
On the navigation menu, click System Configuration.
Click the System and License Management icon.
Select the HA host that you want to remove.
5. From the toolbar, select High Availability > Remove HA Host.
6. Click OK.
Note: When you remove an HA host from a cluster, the host restarts.
•
Updating the /etc/fstab file
Before you disconnect a Fibre Channel HA cluster, you must modify
the /store and /storetmp mount information in the /etc/fstab file.
About this task
You must update the /etc/fstab file on the primary HA host and the secondary HA host.
Procedure
1. Use SSH to log in to your QRadar® host as the root user:
2. Modify the etc/fstab file.
a. Locate the existing mount information for the /store and /storetmp file systems.
b. Remove the noauto option for the /store and /storetmp file systems.
3. Save and close the file.
Editing an HA cluster
You can edit the advanced options for your HA cluster.
Procedure
1.
2.
3.
4.
5.
6.
7.
8.
9.
On the navigation menu ( ), click Admin.
On the navigation menu, click System Configuration.
Click the System and License Management icon.
Select the row for the HA cluster that you want to edit.
From the toolbar, select High Availability > Edit HA Host.
Edit the parameters in the table in the advanced options section.
Click Next.
Review the information.
Click Finish.
Setting an HA host offline
You can set the primary or secondary high-availability (HA) host to Offline from
the Active or Standby state.
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
On the navigation menu, click System Configuration.
Click the System and License Management icon.
Select the HA host that you want to set to offline.
From the toolbar, select High Availability > Set System Offline .
Setting an HA host online
You can set the primary or secondary HA host to Online.
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
On the navigation menu, click System Configuration.
Click the System and License Management icon.
Select the offline HA host that you want to set to Online.
From the toolbar, select High Availability > Set System Online.
What to do next
On the System and License Management window, verify the status of the HA host. Choose from one of the
following options:
•
•
If the primary HA host displays a status of Active, HA host is restored.
If you experience a problem, restore the primary or secondary HA host. For more
information, see Restoring a failed secondary HA host or Restoring a failed primary HA host.
Switching a primary HA host to active
You can set the primary high-availability (HA) host to be the active system.
Before you begin
The primary HA host must be the standby system and the secondary HA host must be the active system.
About this task
If your primary host is recovered from a failure, it is automatically assigned as the standby system in your HA
cluster. You must manually switch the primary HA host to be the active system and the secondary HA host to be
the standby system.
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
On the navigation menu, click System Configuration.
Click the System and License Management icon.
In the System and License Management window, select the secondary HA host.
From the toolbar, select High Availability > Set System Offline.
Your primary HA host is automatically switched to be the Active HA host.
Note: Your IBM® QRadar® SIEM user interface might be inaccessible during this time. To
return the secondary HA host to standby and return the primary HA host to active run either
of the following commands:
o
From the active host run:
/opt/qradar/ha/bin/ha giveback
The host that was active is now the standby host and the standby host is now the
active host.
o
From the standby host run:
/opt/qradar/ha/bin/ha takeover
The host that was on standby is now the active host and the host that was the active
host is now the standby host.
6. In the System and License Management window, select the secondary HA host.
7. From the toolbar, select High Availability > Set System Online.
Your secondary HA host is now the standby system.
What to do next
When you can access the System and License Management window, check the status column. Ensure
that the primary HA host is the active system and the secondary HA host is the standby system.
Upgrading QRadar SIEM
You must upgrade all of the IBM® QRadar® products in your deployment to the same version.
Before you begin
When you run the upgrade, any QRadar Event Collectors are detected. These event collectors must be
migrated from GlusterFS to Distributed Replicated Block Device before the upgrade can continue. For
more information, see Migrating event collectors from GlusterFS to Distributed Replicated Block Device.
Determine the minimum QRadar version that is required for the version of QRadar to which you
want to update.
•
•
Click Help > About to check your current version of QRadar.
To determine whether you can upgrade to a version of QRadar, go to QRadar Software
101 (https://www.ibm.com/community/qradar/home/software/) and check the release
notes of the version you want to upgrade to.
About this task
To ensure that IBM QRadar upgrades without errors, ensure that you use only the supported
versions of QRadar software.
Important:
•
•
Software versions for all IBM QRadar appliances in a deployment must be the same version
and fix level. Deployments that use different QRadar versions of software are not supported.
Custom DSMs are not removed during the upgrade.
Upgrade your QRadar Console first, and then upgrade each managed host. In high-availability (HA)
deployments, when you upgrade the HA primary host, the HA secondary host is automatically
upgraded.
The following QRadar systems can be upgraded concurrently:
•
•
•
Event processors
Event collectors
Flow processors
•
•
•
QFlow collectors
Data nodes
App hosts
With QRadar 7.5.0 Update Package 2 you can enable secure boot. If Secure Boot is to be enabled on
the system the public key must be imported after the patch completes. For more information,
see Enabling Secure Boot.
Procedure
1. Download the .sfs file from Fix Central (www.ibm.com/support/fixcentral).
o If you are upgrading QRadar SIEM, download the <QRadar>.sfs file.
o If your deployment includes an IBM QRadar Incident Forensics (6000) appliance,
download the <identifier>_Forensics_patchupdate<build_number>.sfs file. The .sfs file upgrades the entire QRadar deployment,
including QRadar Incident Forensics and QRadar Network Insights.
2. Use SSH to log in to your system as the root user.
3. Copy the SFS file to the /storetmp or /var/log directory or to another location that has
sufficient disk space.
Important: If the SFS file is in the /storetmp directory and you do not upgrade, when the
overnight diskmaintd.pl utility runs, the SFS file is deleted. For more information, see Daily
disk maintenance (https://www.ibm.com/support/pages/qradar-732-files-storetmp-areremoved-daily-disk-maintenance).
To verify you have enough space (5 GB) in the QRadar Console, type the following command:
df -h /storetmp /var/log | tee diskchecks.txt
Important: Don't copy the file to an existing QRadar system directory such as
the /store directory.
4. To create the /media/updates directory, type the following command:
mkdir -p /media/updates
5. Use the command cd to change to the directory where you copied the SFS file.
6. To mount the SFS file to the /media/updates directory, type the following command:
mount -o loop <QRadar>.sfs /media/updates
7. To run the installer, type the following command:
/media/updates/installer
If you receive the following error message, you have a QRadar Incident Forensics appliance
in your deployment. Download the QRadar Incident Forensics patch file from IBM Fix
Central (www.ibm.com/support/fixcentral). The patch file is named similar to this one:
<identifier>_Forensics_patchupdate-<build_number>.sfs. For more information about
upgrading with a QRadar Incident Forensics appliance in your deployment, see Upgrading
QRadar Incident Forensics.
Error: This patch is incompatible with Forensics deployments
[ERROR](testmode) Patch pretest 'Check for QIF appliances in deployment'
failed. (check_qif.sh)
[ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
[ERROR](testmode) Failed pretests
[ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching
this host cannot continue.
[INFO](testmode) Set ip-130-86 status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
[ERROR] Failed to apply patch on localhost, not checking any managed hosts.
An error was encountered attempting to process patches.
Please contact customer support for further assistance.
What to do next
1. Unmount /media/updates by typing the following command:
umount /media/updates
2. Delete the SFS file.
3. Perform an automatic update to ensure that your configuration files contain the latest
network security information. For more information, see Checking for new updates.
4. Delete the patch file to free up space on the partition.
5. Clear your web browser cache. After you upgrade QRadar, the Vulnerabilities tab might not
be displayed. To use QRadar Vulnerability Manager after you upgrade, you must upload and
allocate a valid license key. For more information, see the Administration Guide for your
product.
6. Determine whether there are changes that must be deployed. For more information,
see Deploy Changes.
•
Migrating event collectors from GlusterFS to Distributed Replicated Block Device
If the QRadar upgrade detects stand-alone or clustered event collectors with GlusterFS in
your deployment, the upgrade fails. You must run a migration script separately on QRadar
7.3.2 Fix Pack 3 or later before you upgrade to QRadar 7.4.2 or later. If your event collectors
are deployed on QRadar 7.1 or earlier and then upgraded to a later version, you must
upgrade the file systems table (fstab) before you migrate GlusterFS to Distributed Replicated
Block Device.
QRadar Network Insights overview
IBM® QRadar® Network Insights provides in-depth visibility into network communications on a
real-time basis to extend the capabilities of your IBM QRadar deployment.
Through the deep analysis of network activity and application content, QRadar Network
Insights empowers QRadar Sense Analytics to detect threat activity that would otherwise go
unnoticed.
QRadar Network Insights provides in-depth analysis of both network metadata and application
content to detect suspicious activity that is hidden among normal traffic and extract content to
provide QRadar with visibility into network threat activity. The intelligence that is provided
by QRadar Network Insights integrates seamlessly with traditional data sources and threat
intelligence to extend QRadar detection, analysis, and threat detection capabilities.
QRadar Network Insights provides visibility across a range of use cases, including:
•
•
•
•
•
•
Malware detection and analysis
Phishing email and campaign detection
Insider threats
Lateral movement attack detection
Data exfiltration protection
Identify compliance gaps
Benefits of
QRadar Network Insights
The following list highlights some of the benefits of using QRadar Network Insights:
•
•
•
•
•
•
Uses in-depth packet inspection to identify advanced threats and malicious content.
Extends the capabilities of QRadar to detect phishing attacks, malware intrusions, lateral
movement, and data exfiltration.
Records application activities, captures key artifacts, and identifies assets, applications, and
users that participate in network communications.
Applies Layer 7 content analysis for advanced security insights.
File analytics analyzes and enables tracking of files.
What's new for users in QRadar Network Insights 7.5.0
IBM QRadar Network Insights 7.5.0 provides users with more IBM X-Force®
Exchange integration and improvements to file type identification and application detection.
Data nodes
A data node is an appliance that you can add to your event and flow processors to increase storage
capacity and improve search performance. You can add an unlimited number of data nodes to
your IBM® QRadar® deployment, and they can be added at any time. Each data node can be
connected to only one processor, but a processor can support multiple data nodes.
QRadar: Troubleshooting disk space usage
problems
Troubleshooting
Problem
The partitions are critical for the regular functioning of Linux and QRadar® SIEM. this
article is to help the administrator with the identification of files and directories when a
partition triggers the disk usage alerts. These issues might also generate issues such as
software upgrade failing disk space tests and configuration deployment not running.
Cause
By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk
usage across the following partitions:
QRadar Partition
Critical
Threshold
Critical Services Stop (7.4.2 and later)
/
Yes, at 95%
Yes, when less than 100GiB
/store
Yes, at 95%
Yes, when less than 100GiB
/transient
Yes, at 95%
Yes, when less than 100GiB
/storetmp
Yes, at 95%
Yes, when less than 100GiB
/opt
Yes, at 95%
Yes, when less than 100GiB
/var
No
No
/var/log
No
No
/var/log/auditNo
No
/tmp
No
No
/home
No
No
Note: 100GiB = 107.3GB
If any of these partitions exceeds 90% usage, a warning notification is sent to the UI.
In /var/log/qradar.log, a log similar to the following appears:
[hostcontext.hostcontext] com.q1labs.hostcontext.ds.DiskSpaceSentinel: [WARN] [-/-]System disk resources above warning threshold
IMPORTANT: For the partitions listed in the table as critical for system
functionality, system services are stopped to avoid the partition becoming full and prevent
further issues. A maximum threshold notification is sent to the UI and can also be seen
in /var/log/qradar.log:
[hostcontext.hostcontext]com.q1labs.hostcontext.ds.DiskSpaceSentinel: [ERROR] [-/-]Disk usage on at least one disk has exceeded
the maximum threshold level of 0.95. The following disks have exceeded the maximum
threshold level: /transient. Processes are being
shut down to prevent data corruption. To minimize the disruption in service, reduce
disk usage on this system.
While the other partitions denoted as noncritical, the disk sentry check gives a warning
when the threshold is met, but system processes are not stopped and don't cause an outage.
When the system recovers back under the threshold, a notification is sent to the UI, and the
following message is seen in /var/log/qradar.log:
[hostcontext.hostcontext] com.q1labs.hostcontext.ds.DiskSpaceSentinel: [INFO] [-/-]System disk resources back to normal levels
Diagnosing The Problem
The first step in diagnosing the problem is determining which partition has the problem.
Verify the managed host affected
1. Log in to the QRadar user interface as an admin user.
2. Click the bell icon and hover the Disk Sentry alert.
In the previous image, the affected host has the IP 10.11.12.13 and the partition
affected is "/".
3. SSH to the Console, then to the affected managed host if not the Console.
4. Use the df -Th command to get the output of the partitions.
5. df -Th
Example output:
Filesystem
Size
/dev/mapper/rootrhel-root
13G
devtmpfs
16G
tmpfs
16G
tmpfs
16G
tmpfs
16G
/dev/mapper/rootrhel-var
5.0G
/dev/sda3
32G
/dev/mapper/rootrhel-home
1014M
/dev/sda2
1014M
/dev/mapper/rootrhel-tmp
3.0G
/dev/mapper/rootrhel-opt
13G
/dev/mapper/rootrhel-storetmp
15G
/dev/mapper/rootrhel-varlog
15G
/dev/mapper/storerhel-transient
40G
/dev/mapper/rootrhel-varlogaudit 3.0G
tmpfs
3.2G
/dev/drbd0
158G
Used Avail Use% Mounted on
2.9G 9.7G 23% /
0
16G
0% /dev
20K
16G
1% /dev/shm
1.7G
15G 11% /run
0
16G
0% /sys/fs/cgroup
208M 4.8G
5% /var
4.1G
28G 13% /recovery
33M 982M
4% /home
224M 791M 23% /boot
53M 3.0G
2% /tmp
5.1G 7.5G 41% /opt
34M
15G
1% /storetmp
3.6G
12G 24% /var/log
40G 236M 100% /transient
205M 2.8G
7% /var/log/audit
0 3.2G
0% /run/user/0
78G
80G 50% /store
Notice that /dev/mapper/storerhel-transient has 100% in
the Use% column. This means /transient is the partition causing the alert.
Finding undersized appliances
QRadar installed on virtual machines with less than 256GB (minimum disk storage) can
cause some partitions to default to the "/" partition. Use the lsblk command to find out
whether the disk size is less than 256GB and /store and /transient partition exists
on the system.
Once the conflicting managed host is identified, go to the Resolving The Problem section
to find details about finding large files and directories, and review the linked article for
the specific partition.
Resolving The Problem
There are a couple of reasons a QRadar partition might have high disk usage:
• Undersized appliances not meeting the minimum disk requirements.
• Large files or directories on the partition causing it to fill.
• Lots of smaller files build up over time and cause a certain directory on
the partition to grow excessively.
Identify directories and files with large disk usage
Use the du and find commands to list the largest directories and files.
1. The following du command return with a recursive directory output for
the /partition/directory, sorted by the smallest to the largest.
du -chaxd1 /<partition> | sort -h | tail
Output Example for "/":
61M
122M
444M
589M
941M
958M
3.2G
7.9G
/usr/sbin
/usr/local
/usr/lib64
/usr/bin
/usr/lib
/usr/share
/usr
/root
12G
12G
/
total
In the previous output, the /root partition is the largest.
NOTE: Sometimes the ssh session can time out before the du command
completes. In this case, it is best to run the du command inside a screen
session, which does not terminate upon ssh timeout, and is accessible until
the session is terminated. From the command prompt, run screen
Run the du command from step "a." If the ssh session times out before the
command completes, you can reattach to the screen session. You first need to
find the screen session ID. Then, run
Output example:
In this case, the screen ID is 17376. To reattach to the screen session, run
Once finished, the output of the du command is presented.
You can also use the "exclude" option with du to identify other large
directories when analyzing a partition with a known large directory (such
as ariel on the /store partition).
du -chaxd1 -exclude=ariel /store
Once finished, the output of the du command is presented, omitting the
excluded directory.
2. The following find command returns the largest files found in a partition,
sorted by the smallest to the largest.
find /<partition> -xdev -type f -size +100M | xargs ls -lhSr
Output Example for "/":
-rw------- 1 root root 596M Jun 13 13:29 /core.26490
-rw-r--r-- 1 root root 7.9G Jan 10 16:02 /root/scripts/test_file.zip
In the previous output, the test_file.zip is a forgotten file, and core.26490 is
a system core file resulted from an abnormal exit of a process.
2. Search in the Disk Space 101 portal for specific information about each partition.
Alternatively, use the direct links in the following table.
QRadar Partition
/
Articles
QRadar: About / partition
QRadar: Delete files or directories to gain space in / partition
/store
QRadar: About /store partition
QRadar: Delete files or directories to gain space in /store partition
/transient
QRadar: About /transient partition
QRadar: Delete files or directories to gain space in /transient partition
/storetmp
QRadar: About /storetmp partition
QRadar: Delete files or directories to gain space in /storetmp partition
/opt
QRadar: About /opt partition
QRadar: Delete files or directories to gain space in /opt partition
/var
QRadar: About /var partition
QRadar: Delete files or directories to gain space in /var partition
/var/log
QRadar: About /var/log partition
QRadar: /var/log and /var/log/audit fills to capacity due to logrotate issue
/var/log/audit
QRadar: About /var/log/audit partition
QRadar: /var/log and /var/log/audit fills to capacity due to logrotate issue
/tmp
QRadar: About /tmp partition
QRadar: Delete files or directories to gain space in /tmp partition
/home
QRadar: About /home partition
QRadar: Delete files or directories to gain space in /home partition
Result
The files and directories contributing to the lack of disk space are evident. Administrators
can proceed with the troubleshooting steps to remove the files or directories.
If the files are not evident enough, the administrators can contact QRadar Support for
assistance.
Changing the network settings of a QRadar
Console in a multi-system deployment
To change the network settings in a multi-system IBM® QRadar® deployment, remove all managed
hosts, change the network settings, add the managed hosts again, and then reassign the component.
Before you begin
•
•
You must have a local connection to your QRadar Console
If you are adding a network adapter to either physical appliance or a virtual machine, you
must shut down the appliance before you add the network adapter. Power on the appliance
before you follow this procedure.
Important: You cannot change the IP address of any host to the IP address of a previously deleted Managed
Host.
Procedure
1. To remove managed hosts, log in to QRadar:
https://IP_Address_QRadar
The Username is admin.
a. On the navigation menu ( ), click Admin.
b. Click the System and License Management icon.
c. Select the managed host that you want to remove.
d. Select Deployment Actions > Remove Host.
e. in the Admin settings, click Deploy Changes.
2. Type the following command: qchange_netsetup.
Important:
a. If you attempt to run qchange_netsetup over a serial connection, the connection can
be misidentified as a network connection. To run over a serial connection
use qchange_netsetup -y. This command allows you to bypass the validation check
that detects a network connection.
b. Verify all external storage which is not /store/ariel or /store is not mounted.
3. Follow the instructions in the wizard to complete the configuration.
The following table contains descriptions and notes to help you configure the network
settings.
Network Setting
Description
Internet Protocol
IPv4 or IPv6
Host name
Secondary DNS server
address
Fully qualified domain name
Optional
Optional
Used to access the server, usually from a different network or the
Public IP address for
Internet.
networks that use Network
Address Translation (NAT) Configured by using Network Address Translation (NAT) services on
your network or firewall settings on your network. (NAT translates an
IP address in one network to a different IP address in another
network).
If you do not have an email server, use localhost.
Email server name
Table 1. Description of network settings for a multi-system QRadar Console deployment
After you configure the installation parameters, a series of messages are displayed. The
installation process might take several minutes.
4. To re-add and reassign the managed hosts, log in to QRadar.
https://IP_Address_QRadar
The Username is admin.
a.
b.
c.
d.
On the navigation menu ( ), click Admin.
Click the System and License Management icon.
Click Deployment Actions > Add Host.
Follow the instructions in the wizard to add a host.
Select the Network Address Translation option to configure a public IP address for
the server. This IP address is a secondary IP address that is used to access the server,
usually from a different network or the Internet. The Public IP address is often
configured by using Network Address Translation (NAT) services on your network or
firewall settings on your network. NAT translates an IP address in one network to a
different IP address in another network
5. Reassign all components that are not your QRadar Console to your managed hosts .
a. On the navigation menu ( ), click Admin.
b. Click the System and License Management icon.
c. Select the host that you want to reassign.
d. Click Deployment Actions > Edit Host Connection.
e. Enter the IP address of the source host in the Modify Connection window.
Managed hosts
For greater flexibility over data collection and event and flow processing, build a distributed IBM®
QRadar® deployment by adding non-console managed hosts, such as collectors, processors, and
data nodes.
Software compatibility requirements
Software versions for all QRadar appliances in your deployment must be at the same version and
update package level. Deployments that use different versions of software are not supported
because mixed software environments can prevent rules from firing, prevent offenses from being
created or updated, or cause errors in search results.
When a managed host uses a software version that is different than the QRadar Console, you might
be able to view components that were already assigned to the host, but you cannot configure the
component or add or assign new components.
Internet Protocol (IP) requirements
The following table describes the various combinations of IP protocols that are supported when
you add non-console managed hosts.
QRadar Console
ManagedQRadar ConsoleQRadar Console
(dual-stack,
QRadar Console (dual-stack, HA)
hosts
(IPv6, single) (IPv6, HA)
single)
IPv4,
single
No
No
Yes*
No
IPv4, HA No
No
No
No
IPv6,
single
Yes
Yes
Yes
No
IPv6, HA Yes
Yes
Yes
No
Table 1. Supported combinations of IP protocols on non-console managed hosts
Restriction: *By default, you cannot add an IPv4-only managed host to a dual-stack single console. You must
run a script to enable an IPv4-only managed host. For more information, see Adding an IPv4-only managed
host in a dual-stack environment.
A dual-stack console supports both IPv4 and IPv6. The following list outlines the conditions you
must follow in dual-stack environments:
•
•
•
You can add IPv6 managed hosts to a dual-stack single console, or to an IPv6-only console.
You can add only IPv4 managed hosts to a dual-stack single console.
Do not add a managed host to a dual-stack console that is configured for HA.
•
Do not add an IPv4 managed host that is not in an HA pair to an IPv6-only console, or to a
dual-stack console that is in an HA pair.
Important: IBM does not support the following configurations:
•
•
•
Adding a managed host to a dual-stack console that is configured for HA
Adding an IPv4 managed host that is not in an HA pair to an IPv6-only console
Adding an IPv4 managed host that is not in an HA pair to a dual-stack console that is in an
HA pair
Bandwidth considerations for managed hosts
To replicate state and configuration data, ensure that you have a minimum bandwidth of 100 Mbps
between the IBM® QRadar® console and all managed hosts. Higher bandwidth is necessary when
you search log and network activity, and you have over 10,000 events per second (EPS).
An Event Collector that is configured to store and forward data to an Event Processor forwards the
data according to the schedule that you set. Ensure that you have sufficient bandwidth to cover the
amount of data that is collected, otherwise the forwarding appliance cannot maintain the scheduled
pace.
Use the following methods to mitigate bandwidth limitations between data centers:
Process and send data to hosts at the primary data center
Design your deployment to process and send data as it's collected to hosts at the primary data
center where the console resides. In this design, all user-based searches query the data from the
local data center rather than waiting for remote sites to send back data.
You can deploy a store and forward event collector, such as a QRadar 15XX physical or virtual
appliance, in the remote locations to control bursts of data across the network. Bandwidth is used
in the remote locations, and searches for data occur at the primary data center, rather than at a
remote location.
Don't run data-intensive searches over limited bandwidth connections
Ensure that users don't run data-intensive searches over links that have limited bandwidth.
Specifying precise filters on the search limits the amount of data that is retrieved from the remote
locations, and reduces the bandwidth that is required to send the query result back.
Encryption
To provide secure data transfer between each of the appliances in your environment, IBM®
QRadar® has integrated encryption support that uses OpenSSH. Encryption occurs between
managed hosts, and is enabled by default when you add a managed host.
When encryption is enabled, a secure tunnel is created on the client that initiates the connection, by
using an SSH protocol connection. When encryption is enabled on a managed host, an SSH tunnel is
created for all client applications on the managed host. When encryption is enabled on a nonConsole managed host, encryption tunnels are automatically created for databases and other
support service connections to the Console. Encryption ensures that all data between managed
hosts is encrypted.
For example, with encryption enabled on an Event Processor, the connection between the Event
Processor and Event Collector is encrypted, and the connection between the Event
Processor and Magistrate is encrypted.
The SSH tunnel between two managed hosts can be initiated from the remote host instead of the
local host. For example, if you have a connection from an Event Processor in a secure environment
to an Event Collector that is outside of the secure environment, and you have a firewall rule that
would prevent you from having a host outside the secure environment connect to a host in the
secure environment, you can switch which host creates the tunnel so that the connection is
established from the Event Processor by selecting the Remote Tunnel Initiation checkbox for
the Event Collector.
You cannot reverse the tunnels from your Console to managed hosts.
Adding a managed host
Add managed hosts, such as event and flow collectors, event and flow processors, and data nodes, to
distribute data collection and processing activities across your IBM® QRadar® deployment.
Before you begin
Ensure that the managed host has the same IBM QRadar version and update packages level as
the QRadar Console that you are using to manage it.
If you want to enable Network Address Translation (NAT) for a managed host, the network must
use static NAT translation. For more information, see NAT-enabled networks.
Warning: Your firewall might block the managed host from being added because of multiple attempts to log
in to the QRadar Console by using SSH. To resolve this problem, tune your firewall to prevent the managed
host from being blocked.
About this task
The following table describes the components that you can connect:
Source
connection
Target
Description
connection
QRadar Flow
Collector
Event
Collector
You can connect a IBM QRadar Flow Collector only to an Event Collector. The
number of connections is not restricted.
You can't connect a QRadar Flow Collector to the Event Collector on a
15xx appliance.
You can connect an Event Collector to only one Event Processor.
Event Collector
Event
Processor
You can connect a non-console Event Collector to an Event Processor on
the same system.
A console Event Collector can be connected only to a console Event
Processor. You can't remove this connection.
You can't connect a console Event Processor to a non-console Event Processor.
Event Processor
Event
Processor
You can connect a non-console Event Processor to another console or
non-console Event Processor, but not both at the same time.
When a non-console managed host is added, the non-console Event
Processor is connected to the console Event Processor.
Data Node
Event
Processor
You can connect a data node to an event or flow processor only. You can connect
multiple Data Nodes to the same processor to create a storage cluster.
Event Collector
Off-site
target
The number of connections is not restricted.
The number of connections is not restricted.
Off-site source
Event
Collector
An Event Collector that is connected to an event-only appliance can't
receive an off-site connection from system hardware that has the Receive
Flows feature enabled.
An Event Collector that is connected to a QFlow-only appliance can't
receive an off-site connection from a remote system that has
the https://ibmid.acrolinx.cloud Receive Flows feature enabled.
Table 1. Supported component connections
If you configured IBM QRadar Incident Forensics in your deployment, you can add a QRadar
Incident Forensics managed host.
If you configured IBM QRadar Vulnerability Manager in your deployment, you can add vulnerability
scanners and a vulnerability processor
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
If you configured IBM QRadar Risk Manager in your deployment, you can add a managed host.
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
In the System Configuration section, click System and License Management.
In the Display list, select Systems.
On the Deployment Actions menu, click Add Host.
Configure the settings for the managed host by providing the fixed IP address, and the root
password to access the operating system shell on the appliance.
6. Click Add.
7. Optional: Use the Deployment actions > View Deployment menu to see visualizations of
your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of
your deployment visualization.
8. On the Admin tab, click Advanced > Deploy Full Configuration.
Important: QRadar continues to collect events when you deploy the full configuration.
When the event collection service must restart, QRadar does not restart it automatically. A
message displays that gives you the option to cancel the deployment and restart the service
at a more convenient time.
Adding an IPv4-only managed host in a dualstack environment
•
To add an IPv4-only managed host to a dual-stack Console, you must run scripts to prepare
both the managed host and the Console before you can add the managed host to the Console.
About this task
A dual-stack Console is one that supports both IPv4 and IPv6. You cannot add an IPv4-only managed host to
a QRadar® High Availability (HA) deployment.
QRadar Console
ManagedQRadar ConsoleQRadar Console
(dual-stack,
QRadar Console (dual-stack, HA)
hosts
(IPv6, single) (IPv6, HA)
single)
IPv4,
single
No
No
Yes*
No
IPv4, HA No
No
No
No
IPv6,
single
Yes
Yes
Yes
No
IPv6, HA Yes
Yes
Yes
No
Table 1. Supported combinations of IP protocols on non-console managed hosts
Procedure
1. To enable your QRadar Console for dual-stack deployment, type the following command:
/opt/qradar/bin/setup_v6v4_console.sh ip=<IPv4_address_of_the_Console>
netmask=<netmask> gateway=<gateway>
This example assumes that the IPv4 address of the Console is 192.0.2.2, the subnet mask is
255.255.255.0, and the gateway is 192.0.2.1.
/opt/qradar/bin/setup_v6v4_console.sh ip=192.0.2.2 netmask=255.255.255.0
gateway=192.0.2.1
2. To allow an IPv4-only managed host to be added to your deployment, type the following
command on the Console:
/opt/qradar/bin/add_v6v4_host.sh host=<IP_address_of_the_managed_host>
This example assumes that the IPv4 address of the managed host is 192.0.2.3.
/opt/qradar/bin/add_v6v4_host.sh host=192.0.2.3
3. Add the IPv4-only managed host to the deployment.
Configuring a managed host
Configure a managed host to specify which role the managed host fulfills in your deployment. For
example, you can configure the managed host as a collector, processor, or a data node. You can also
change the encryption settings, and assign the host to a network address translation (NAT) group.
To make network configuration changes, such as an IP address change to your QRadar®
Console and managed host systems after you install your QRadar deployment, use
the qchange_netsetup utility. If you use qchange_netsetup, verify all external storage which
is not /store/ariel or /store is not mounted.
Before you begin
Ensure that the managed host has the same IBM® QRadar version and update package level as
the QRadar Console that is used to manage it. You can't edit or remove a managed host that uses a
different version of QRadar.
If you want to enable Network Address Translation (NAT) for a managed host, the network must
use static NAT translation. For more information, see NAT-enabled networks.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click System and License Management.
In the Display list, select Systems.
Select the host in the host table, and on the Deployment Actions menu, click Edit Host.
a. To configure the managed host to use a NAT-enabled network, select the Network
Address Translation checkbox, and then configure the NAT Group and Public IP
address.
b. To configure the components on the managed host, click the Component
Management settings icon ( ) and configure the options.
c. Click Save.
5. On the Admin tab, click Advanced > Deploy Full Configuration.
Important: QRadar continues to collect events when you deploy the full configuration.
When the event collection service must restart, QRadar does not restart it automatically. A
message displays that gives you the option to cancel the deployment and restart the service
at a more convenient time.
Removing a managed host
You can remove non-Console managed hosts from your deployment. You can't remove a managed
host that hosts the IBM QRadar Console.
Before you begin
Ensure that the managed host has the same IBM QRadar version and update package level as
the QRadar Console that is used to manage it. You can't remove a host that is running a different
version of QRadar.
Important: If a data node is attached to the component that you want to remove, you must move the data
node to another host before you remove the original host.
Important: QRadar continues to collect events when you deploy the full configuration. When the
event collection service must restart, QRadar does not restart it automatically. A message displays
that gives you the option to cancel the deployment and restart the service at a more convenient
time.
•
Configuring your local firewall
Use the local firewall to manage access to the IBM QRadar managed host from specific
devices that are outside the network. When the firewall list is empty, access to the managed
host is disabled, except through the ports that are opened by default.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click System and License Management.
3.
4.
5.
6.
In the Display list, select Systems.
Select the host for which you want to configure firewall access settings.
From the Actions menu, click View and Manage System.
Click the Firewall tab and type the information for the device that needs to connect
to the host.
a. Configure access for devices that are outside of your deployment and need to
connect to this host.
b. Add this access rule.
7. Click Save.
If you change the External Flow Source Monitoring Port parameter in
the QFlow configuration, you must also update your firewall access configuration.
•
Adding an email server
IBM QRadar uses an email server to distribute alerts, reports, notifications, and event
messages.
You can configure an email server for your entire QRadar deployment, or multiple email
servers.
Important: QRadar only supports encryption for the email server using STARTTLS.
Important: If you configure the mail server setting for a host as localhost, then the mail
messages don't leave that host.
Procedure
1. On the Admin tab, click Email Server Management.
2. Click Add, and configure the parameters for your email server.
3. Click Save.
Tip: Keep the TLS option set to On to send encrypted email. Sending encrypted email
requires an external TLS certificate. For more information, see Importing external
TLS certificates.
4. To edit the port for an email server, click the Other Settings ( ) icon for the server,
enter the port number in the Port field, and then click Save.
5. To delete an email server, click the Other Settings icon for the server, and then
click Delete.
6. After you configure an email server, you can assign it to one or more hosts.
a. On the System and License Management page, select a host.
b. Change the Display list to show Systems.
c. Click Actions > View and Manage System.
d. On the Email Server tab, select an email server and click Save.
e. Test the connection to the email server by clicking the Test
Connection button.
f. Click Save.
•
Importing external TLS certificates
You must import an external TLS certificate on any host that sends encrypted email.
You must import an external TLS certificate on any host that sends encrypted email.
Procedure
1. Copy the TLS certificate to the /etc/pki/catrust/source/anchors/ directory on the host that sends encrypted email.
For example, to import a certificate titled TLS_email.crt, type the following
command:
openssl s_client -connect <emailServer>:<port> < /dev/null | openssl
x509 /etc/pki/ca-trust/source/anchors/TLS_email.crt
2. To update the certificates in the certificate authority (CA), type the following
commands:
update-ca-trust enable
update-ca-trust extract
Managed hosts
For greater flexibility over data collection and event and flow processing, build a distributed IBM®
QRadar® deployment by adding non-console managed hosts, such as collectors, processors, and
data nodes.
Software compatibility requirements
Software versions for all QRadar appliances in your deployment must be at the same version and
update package level. Deployments that use different versions of software are not supported
because mixed software environments can prevent rules from firing, prevent offenses from being
created or updated, or cause errors in search results.
When a managed host uses a software version that is different than the QRadar Console, you might
be able to view components that were already assigned to the host, but you cannot configure the
component or add or assign new components.
Internet Protocol (IP) requirements
The following table describes the various combinations of IP protocols that are supported when
you add non-console managed hosts.
QRadar Console
ManagedQRadar ConsoleQRadar Console
(dual-stack,
QRadar Console (dual-stack, HA)
hosts
(IPv6, single) (IPv6, HA)
single)
IPv4,
single
No
No
Yes*
No
IPv4, HA No
No
No
No
IPv6,
single
Yes
Yes
Yes
No
IPv6, HA Yes
Yes
Yes
No
Table 1. Supported combinations of IP protocols on non-console managed hosts
Restriction: *By default, you cannot add an IPv4-only managed host to a dual-stack single console. You must
run a script to enable an IPv4-only managed host. For more information, see Adding an IPv4-only managed
host in a dual-stack environment.
A dual-stack console supports both IPv4 and IPv6. The following list outlines the conditions you
must follow in dual-stack environments:
•
•
•
•
You can add IPv6 managed hosts to a dual-stack single console, or to an IPv6-only console.
You can add only IPv4 managed hosts to a dual-stack single console.
Do not add a managed host to a dual-stack console that is configured for HA.
Do not add an IPv4 managed host that is not in an HA pair to an IPv6-only console, or to a
dual-stack console that is in an HA pair.
Important: IBM does not support the following configurations:
•
•
•
Adding a managed host to a dual-stack console that is configured for HA
Adding an IPv4 managed host that is not in an HA pair to an IPv6-only console
Adding an IPv4 managed host that is not in an HA pair to a dual-stack console that is in an
HA pair
•
Bandwidth considerations for managed hosts
To replicate state and configuration data, ensure that you have a minimum bandwidth of
100 Mbps between the IBM QRadar console and all managed hosts. Higher bandwidth is
necessary when you search log and network activity, and you have over 10,000 events per
second (EPS).
•
•
•
•
•
•
•
•
Encryption
To provide secure data transfer between each of the appliances in your environment, IBM
QRadar has integrated encryption support that uses OpenSSH. Encryption occurs between
managed hosts, and is enabled by default when you add a managed host.
Adding a managed host
Add managed hosts, such as event and flow collectors, event and flow processors, and data
nodes, to distribute data collection and processing activities across your IBM
QRadar deployment.
Adding an IPv4-only managed host in a dual-stack environment
To add an IPv4-only managed host to a dual-stack Console, you must run scripts to prepare
both the managed host and the Console before you can add the managed host to the Console.
Configuring a managed host
Configure a managed host to specify which role the managed host fulfills in your
deployment. For example, you can configure the managed host as a collector, processor, or a
data node. You can also change the encryption settings, and assign the host to a network
address translation (NAT) group.
Removing a managed host
You can remove non-Console managed hosts from your deployment. You can't remove a
managed host that hosts the IBM QRadar Console.
Configuring your local firewall
Use the local firewall to manage access to the IBM QRadar managed host from specific
devices that are outside the network. When the firewall list is empty, access to the managed
host is disabled, except through the ports that are opened by default.
Adding an email server
IBM QRadar uses an email server to distribute alerts, reports, notifications, and event
messages.
Importing external TLS certificates
You must import an external TLS certificate on any host that sends encrypted email.
TASK: 1.3 Understand distributed architecture
SUBTASKS:
App Host
An App Host is a managed host that is dedicated to running apps. provide extra storage, memory,
and CPU resources for your apps without impacting the processing capacity of your Console. Apps
such as User Behavior Analytics with Machine Learning Analytics require more resources than are
currently available on the Console.
App Host information
The following list describes information about App Hosts:
•
•
You cannot upgrade to V7.3.2 or later with an App Node in your deployment.
You can only have one App Host per deployment.
•
•
You can run all of your apps on an App Host, or on the Console. It's not possible to run some
apps on the App Host and some others on the Console.
Port 5000 must be open on your Console.
App Host specifications
Note: *The suggested specifications for medium and large sized deployments haven't been tested. If you are
using some of the larger apps, such as the Pulse Dashboard or User Behavior Analytics with Machine
Learning, the minimum requirements are probably insufficient. Consider upgrading your deployment
environment.
CPU
RAM
cores
Disk
Space
Description
Small
4
256 GB
Minimum requirements for an App Host. You can run most apps with
the minimum requirements, but not larger apps such as QRadar DNS
Analyzer and User Behavior Analytics with Machine Learning.
Medium
12 or 64 GB or 500 GB or *You can run all apps that exist today, but this specification does not
more more
more
give you room for future apps.
Large
24 or 128 GB 1 TB or
more or more more
12 GB
*You can run all apps that exist today, and you would have room for
future apps.
Table 1. App Host specifications
Data Nodes and data storage
IBM® QRadar® processor appliances and All-in-One appliances can store data but many
companies require the stand-alone storage and processing capabilities of the Data Node to handle
specific storage requirements and to help with implementing data retention policies. Many
companies are impacted by regulations and laws that mandate keeping data records for specific
periods.
Data Node information
The following list describes information about Data Nodes:
•
•
•
•
•
•
Data Nodes add storage and processing capacity.
Data Nodes are plug-n-play and can be added to a deployment at any time.
Data Nodes integrate seamlessly with existing deployments.
Use Data Nodes to reduce the processing load on processor appliances by removing the data
storage processing load from the processor.
Users can scale storage and processing power independently of data collection.
As of QRadar V.7.2.7, a new data format with native data compression is used. Data is
compressed in memory and is written out to disk in a proprietary binary compressed
format. The new data format enables a better search performance and a more efficient use of
system resources than the previous data format. The previous data format did not have a
native built-in compression in older versions of QRadar.
The following diagram shows an example of some uses for Data Nodes in a deployment.
The following list describes the different elements that you need to consider when you deploy Data
Nodes.
Data clustering
Data Nodes add storage capacity to a deployment, and also improve performance
by distributing data that is collected across multiple storage volumes. When the data is
searched, multiple hosts, or a cluster does the search. The cluster can improve search
performance, but doesn't require you to add multiple event processors. Data Nodes multiply
the storage for each processor.
Note: You can connect a Data Node to only one processor at a time, but a processor can support
multiple Data Nodes.
Deployment considerations
•
Data Nodes perform similar search and analytic functions as event and flow
processors in a QRadar deployment.
The operational speed on a cluster is affected by the slowest member of a
cluster. Data Node system performance improves if Data Nodes are sized similarly to
the Event Processors and Flow Processors in a deployment. To facilitate similar sizing
between Data Nodes and event and flow processors, Data Nodes are available on
some core appliances..
QRadar xx05 M6 appliance
Use the IBM® QRadar® xx05 (MTM 4563-Q3E) appliance for various appliance types in your
deployment. QRadar xx05 is based on the Lenovo System SR630 M6.
The QRadar xx05 supports the following appliance types:
•
•
•
•
•
•
•
•
•
•
•
•
QRadar Event Processor 1605
QRadar Flow Processor 1705
QRadar 1805 Event and Flow processor
QRadar 3105 (All-in-One)
QRadar 3105 (Console)
QRadar Log Manager 1605
QRadar Risk Manager
QRadar Vulnerability Manager
QRadar Log Manager 3105 (All-in-One)
QRadar Log Manager 3105 Console
QRadar App Host
QRadar Data Node 1405
The following table describes hardware information and requirements for the QRadar
xx05 appliance:
Description Value
QRadar Event Processor 1605: 20,000 EPS
Maximum
capacity
CPU
QRadar Flow Processor 1705: 1,200,000 FPM
QRadar 1805 Event and Flow processor: 5000 EPS, 200,000 FPM
QRadar 3105 (All-in-One): 5000 EPS, 200,000 FPM
2 x Xeon Silver 4210 10C 2.1 GHz 85W
2 x 10 GbE Short Range SFP+
Network
management
Use these transceivers with the 2 x 10 GbE SFP+ ports, labeled as [3] in the appliance
transceivers
diagram
4 x 1 Gb Ethernet ports
Ports
Memory
Storage
2 x 10 GbE SFP+ ports
1 x RJ-45 10/100/1000 Mb Ethernet systems management (IMM) port
2 x 16 Gbps Fibre Channel SFP+ ports
64 GB (4 x 16 GB)
10 x 1.2 TB 7.2 K 12 Gbps 2.5" NL SAS 930-16i 4 Gb / RAID 6
Description Value
QRadar 3105: 6 TB available to store event and flow data
All other xx05 appliances: 8 TB available to store event and flow data
Event Collector
Included
components
Event processor for processing events
Internal storage for events
QRadar Data Node appliance
Table 1. QRadar xx05 specifications
The following image is of the QRadar xx05 appliance.
Figure 1. Front and rear panel of the QRadar xx05 appliance.
LabelDescription
1
Event data storage
2
Management ports (1 GbE TX)
3
Management ports (10 GbE SFP+)
4
1x RJ-45 10/100/1000 Mb Ethernet systems management (IMM) port
5
Fibre Channel ports (16 Gb SFP+)
Table 2. Legend for use with the QRadar xx05 image
QRadar xx29 M6 appliance
The IBM® QRadar® xx29 (MTM 4563-Q4A) appliance supports various appliance types in your
deployment. QRadar xx29 is based on the Lenovo System SR650 M6.
The QRadar xx29 supports the following appliance types:
•
•
QRadar Event Processor 1629
QRadar Flow Processor 1729
•
•
•
•
•
QRadar Event and Flow Processor 1829
QRadar 3129 (All-in-One)
QRadar 3129 (Console)
QRadar App Host
QRadar Data Node 1429
You can configure the QRadar xx29 as a QRadar Event Collector 1501 (sometimes referred to as a
1529).
The following table describes hardware information and requirements for the QRadar
xx29 appliance:
Description
Value
QRadar Event Collector 1501 40,000 EPS
QRadar Event Processor 1629: 40,000 EPS
Maximum
capacity
QRadar Flow Processor 1729: 2,400,000 FPM
QRadar Event and Flow Processor 1829: : 15,000 EPS, 300,000 FPM
QRadar 3129 (All-in-One): 15,000 EPS, 300,000 FPM
Network
2 x 10 GbE Short Range SFP+
management
transceivers Use these transceivers with the 2 x 10 GbE SFP+ ports, labeled as [4] in the appliance diagram
4 x 1 Gb Ethernet ports
Ports
2 x 10 GbE SFP+ ports
1 x RJ-45 10/100/1000 Mb Ethernet systems management (IMM) port
Memory
2 x 16 Gbps Fibre Channel SFP+ ports
8 x 32 GB (256 GB)
12 x 8 TB 7.2 K 12 Gbps NL SAS 930-16i 4 GB / RAID 6
Storage
3129: 64 TB available to store event and flow data
All other xx29 appliances: 77 TB available to store event and flow data
Event Collector
Included
components
Event processor for processing events and flows
Internal storage for events and flows
QRadar Data Node appliance
Table 1. QRadar xx29 specifications
The following image is of the QRadar xx29 appliance.
Figure 1. Front and rear panel of the QRadar xx29 appliance
LabelDescription
1
Event data storage
2
Management ports (1 GbE TX)
3
1 x RJ-45 10/100/1000 Mb Ethernet systems management (IMM) port
4
Management ports (10 GbE SFP+)
5
Fibre Channel ports (16 Gb SFP+)
Table 2. Legend for use with the QRadar xx29 image
QRadar xx29-C M5 appliance
The IBM® QRadar® xx29-C (MTM 4654-Q3A) supports various appliance types in your
deployment.
The QRadar xx29-C appliance can be used for the following appliance types:
•
•
•
•
•
•
•
•
•
•
QRadar Event Processor 1629
QRadar Flow Processor 1729
QRadar Event and Flow Processor 1829
QRadar 3129 (All-in-One)
QRadar 3129 (Console)
QRadar Log Manager 1629
QRadar Log Manager 3129 (All-in-One)
QRadar Log Manager 3129 (Console)
QRadar App Host
QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx29-C in the following table:
Description Value
Maximum QRadar Event Processor 1629: 40,000 EPS
capacity
Description Value
QRadar Flow Processor 1729: 2,400,000 FPM
QRadar Event and Flow Processor 1829: : 15,000 EPS, 300,000 FPM
QRadar 3129 (All-in-One): 15,000 EPS, 300,000 FPM
2 x 10 GbE Short Range SFP+
Network
management
Use these transceivers with the 2 x 10 GbE SFP+ ports, labeled as [3] in the appliance
transceivers
diagram.
2 x 16 Gbps Fibre Channel HBA ports
Ports
Memory
Storage
4 x 10/100/1000 Base-T Ethernet management ports
1 x RJ-45 10/100/1000 Mb Ethernet systems management IPMI (iDRAC) port
2 x 10 GbE SFP+ Ethernet management ports
128 GB, 8 x 16 GB 1866 MHz RDIMM
12 x 8 TB 7.2 K 12 Gbps 512e 3.5” NLSAS, 80 TB total (RAID6) 68 TB available to store
event and flow data.
Power
Dual redundant 1100 W AC
supply
Unit weight 73 lbs
Physical
29.0 inches deep x 17.1 inches wide x 3.4 inches high
dimensions
Table 1. QRadar xx29-C specifications
The following image is of the QRadar xx29-C appliance.
Figure 1. Front and rear panel of the QRadar xx29-C appliance
LabelDescription
1
Event data storage
2
1 x RJ-45 10/100/1000 Mb Ethernet systems management IPMI (iDRAC) port
3
Management ports (10 GbE SFP+)
4
Management ports (1 GbE TX)
LabelDescription
5
Fibre channel ports (16 Gb SFP+)
Table 2. Legend for use with the QRadar xx29-C image
QRadar xx48 M6 appliance
The IBM® QRadar® xx48 (MTM 4563-Q5B) appliance captures logs from sources that generate a
large amount of traffic without a need for load balancing. QRadar xx48 is based on the Lenovo
System SR630 M6.
The QRadar xx48 appliance handles the higher levels of performance that are required by
enterprise class clients. For example, you can use the QRadar xx48 appliance for the following
requirements:
•
•
You want faster processing to search and analyze a large amount of data.
You want to reduce the footprint of an IBM QRadar deployment, so you install QRadar
xx48 appliances to reduce rack space.
The QRadar xx48 supports the following appliances types:
•
•
•
•
•
•
•
QRadar Event Processor 1648
QRadar Flow Processor 1748
QRadar Event and Flow Processor 1848
QRadar 3148 (All-in-One)
QRadar 3148 (Console)
QRadar App Host
QRadar Data Node 1448
You can configure the QRadar xx48 as a QRadar Event Collector 1501 (sometimes referred to as
1548).
The following table describes hardware information and requirements for the QRadar
xx48 appliance:
Description Value
QRadar Event Collector 1501: 80,000 EPS
QRadar Event Processor 1648: 80,000 EPS
Maximum
capacity
QRadar Flow Processor 1748: 3,600,000 FPM
QRadar Event and Flow Processor 1848: 30,000 EPS, 1,200,000 FPM
QRadar 3148 (All-in-One): 30,000 EPS, 1,200,000 FPM
2 x 10 GbE Short Range SFP+
Network
management
Use these transceivers with the 2 x 10 GbE SFP+ ports, labeled as [3] in the appliance
transceivers
diagram
4 x 1 Gb Ethernet ports
Ports
Description Value
2 x 10 GbE SFP+ ports
1 x RJ-45 10/100/1000 Mb Ethernet systems management (IMM) port
Memory
2 x 16 Gbps Fibre Channel SFP+ ports
8 x 32 GB (256 GB)
6 x 3.84 TB 2.5" SAS SSD, 930-8i RAID 6
Storage
QRadar 3148: 13 TB available to store event and flow data
All other xx48 appliances: 15 TB available to store event and flow data
Dimensions 29.5 inches deep x 17.1 inches wide x 1.7 inches high
Power
Dual redundant 750 W AC
supply
Table 1. QRadar xx48 specifications
The following image is of the QRadar xx48 appliance.
Figure 1. Front and rear panel of the QRadar xx48 appliance
LabelDescription
1
Event data storage
2
Management ports (1 GbE TX)
3
Management ports (10 GbE SFP+)
4
1 x RJ-45 10/100/1000 Mb Ethernet systems management (IMM) port
5
Fibre Channel ports (16 Gb SFP+)
Table 2. Legend for use with the QRadar xx48 image
QRadar xx48-C M5 appliance
The IBM® QRadar® xx48-C (MTM 4654-Q4B) captures logs from sources that generate a large
amount of traffic without a need for load balancing.
The QRadar xx48-C appliance handles the higher levels of performance that are required by
enterprise class clients. For example, companies can use the QRadar xx48-C for the following
requirements:
•
•
A company wants faster processing to search and analyze a large amount of data.
A company wants to reduce the footprint of an IBM QRadar deployment, so they
install QRadar xx48-C appliances to reduce rack space.
The following appliances are examples of appliance types that you can use the QRadar xx48-C for:
•
•
•
•
•
•
•
QRadar Event Processor 1648
QRadar Flow Processor 1748
QRadar Event and Flow Processor 1848
QRadar 3148 (All-in-One)
QRadar 3148 (Console)
QRadar App Host
QRadar 1400 Data Node
You can configure the QRadar xx48-C as a QRadar Event Collector 1501 (sometimes referred to as
1548). The default EPS threshold (capability) on M5 xx48-C appliances is 56,000. This value can be
overridden to values not exceeding 80,000 by completing the following steps.
1. Add EC_APPLIANCE_EPS_THRESHOLD_TEMPLATE=80000 to /opt/qradar/conf/nva.conf on the
1501 to increase the supported event rate to the desired level, subject to performance and
license limitations.
2. Restart ecs-ec-ingress on the appliance: systemctl restart ecs-ec-ingress.
3. Perform a full deploy.
View hardware information and requirements for the QRadar xx48-C in the following table.
Description Value
QRadar Event Collector 1501: 56,000 EPS (default) 80,000 EPS with override
QRadar Event Processor 1648: 80,000 EPS
Maximum
capacity
QRadar Flow Processor 1748: 3,600,000 FPM
QRadar Event and Flow Processor 1848: 30,000 EPS, 1,200,000 FPM
CPU
QRadar 3148 (All-in-One): 30,000 EPS, 1,200,000 FPM
2 x Xeon Gold 6132 14C 2.6 GHz 19 MB Cache 3.70 GHz 140 W
2 x 10 GbE Short Range SFP+
Network
management
Use these transceivers with the 2 x 10 GbE SFP+ ports, labeled as [3] in the appliance
transceivers
diagram
2 x 16 Gbps Fibre Channel HBA ports
Ports
4 x 10/100/1000 Base-T Ethernet ports
Description Value
1 x RJ-45 10/100/1000 Mb Ethernet systems management IPMI (iDRAC) port
2 x 10 Gbps SFP+ ports
Memory
128 GB, 8 x 16 GB 1866 MHz RDIMM
Storage /
6 x 3.84 TB 12 Gb SAS 2.5" SSD, 15.36 TB Total (RAID6) 12 TB available to store event
Hard disks and flow data.
Power
Dual redundant 1100 W AC
supply
Unit weight 48.5 lbs
Physical
31.3 inches deep x 17.1 inches wide x 1.7 inches high
dimensions
Table 1. QRadar xx48-C overview
Figure 1. QRadar xx48-C
LabelDescription
1
Event data storage
2
1 x RJ-45 10/100/1000 Mb Ethernet systems management IPMI (iDRAC) port
3
Management ports (10 GbE SFP+)
4
Management ports (1 GbE TX)
5
Fibre channel ports (16 Gb SFP+)
Table 2. Legend for use with the QRadar xx48-C image
•
Data Nodes are available in three formats: software (on your own hardware),
physical, and appliances. You can mix the formats in a single cluster.
Bandwidth and latency
Ensure that you have a 1 Gbps link and less than 10 ms latency between hosts in the cluster.
Searches that yield many results require more bandwidth.
Appliance compatibility
Data Nodes are compatible with all existing QRadar appliances that have an Event
Processor or Flow Processor component, including All-In-One appliances. Data Nodes are not
compatible with QRadar Incident Forensics PCAP appliances.
Data Nodes support high availability (HA).
Installation of Data Nodes
Data Nodes use standard TCP/IP networking, and do not require proprietary or specialized
interconnect hardware.
Install each Data Node that you want to add to your deployment the same as you would
install any other QRadar appliance. Associate Data Nodes with either an event or flow
processor.
You can attach multiple Data Nodes to a single Event Processor or Flow Processor in a manyto-one configuration.
When you deploy high availability (HA) pairs with Data Node appliances, install, deploy, and
rebalance data with the HA appliances before you synchronize the HA pair. The combined
effect of the data rebalancing and the replication process that is utilized for HA results in
significant performance degradation. If HA is set up on appliances to which Data Nodes are
being introduced, then disconnect HA on the appliances and then reconnect it when the
rebalance of the cluster is complete.
Decommissioning Data Nodes
Use the System and License Management window to remove Data Nodes from your
deployment, as with any other QRadar appliance. Decommissioning does not erase data on
the host, nor does it move the data to your other appliances. If you need to retain access to
the data that was on the Data Nodes, you must identify a location to move that data to.
Data Rebalancing
Adding a Data Node to a cluster distributes data to each Data Node. If it is possible, data
rebalancing tries to maintain the same percentage of available space on each Data Node.
New Data Nodes added to a cluster initiate more rebalancing from cluster event and flow
processors to achieve efficient disk usage on the newly added Data Node appliances.
Data rebalancing is automatic and concurrent with other cluster activity, such as queries and
data collection. No downtime is experienced during data rebalancing.
Data Nodes offer no performance improvement in the cluster until data rebalancing is
complete. Rebalancing can cause minor performance degradation during search operations,
but data collection and processing continue unaffected.
Important: When you add Data Nodes to a cluster, they must either all be encrypted, or all be
unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
Note: Encrypted data transmission between Data Nodes and Event Processors is not supported.
Management and Operations
Data Nodes are self-managed and require no regular user intervention to maintain normal
operation. QRadar manages activities, such as data backups, high availability, and retention
policies, for all hosts, including Data Node appliances.
Data Node failure
If a Data Node fails, the remaining members of the cluster continue to process data.
When the failed Data Node returns to service, data rebalancing can occur to maintain proper
data distribution in the cluster, and then normal processing resumes. During the downtime,
data on the failed Data Node is unavailable, and I/O errors that occur appear in search
results from the log and network activity viewers in the QRadar user interface.
For catastrophic failures that require appliance replacement or the reinstallation of QRadar,
decommission Data Nodes from the deployment and replace them using standard
installation steps. Copy any data that is not lost in the failure to the new Data Node before
you deploy. The rebalancing algorithm accounts for data that exists on a Data Node, and
shuffles only data that was collected during the failure.
For Data Nodes deployed with an HA pair, a hardware failure causes a failover, and
operations continue to function normally.
SAN Overview
To increase the amount of storage space on your appliance, you can move a portion of your data to
an offboard storage device. You can move your /store, /store/ariel, or /store/backup file
systems.
Multiple methods are available for adding external storage, including iSCSI, Fiber Channel, and NFS
(Network File System). You must use iSCSI or Fiber Channel to store data that is accessible and
searchable in the UI, such as the /store/ariel directory, and reserve the use of NFS for data
backups only.
Moving the /store file system to an external device might affect QRadar performance.
After migration, all data I/O to the /store file system is no longer done on the local disk. Before
you move your QRadar data to an external storage device, you must consider the following
information:
•
•
Searches that are marked as saved are also in the /transient directory. If you experience
a local disk failure, these searches are not saved.
A transient partition that exists before you move your data is likely to remain in existence
after the move, and it can be mounted on an iSCSI, or Fiber Channel storage mount.
Data encryption
Event data in QRadar® is not encrypted when stored, there are a number of things that can be done
to protect data that is stored on the system.
•
The /store or /store/ariel partitions can be placed on an external device, which uses
transparent (to QRadar) cryptography. For more information on external storage options,
see Offboard storage overview.
•
Event data can be protected from tampering by the use of event hashing. For more
information, see Configuring system settings.
To enable data encryption during QRadar software installations, see Installing RHEL on your system.
Important: To set up encryption on the storage, see the documentation for your storage solution.
Forensics and full packet collection
Use IBM® QRadar® Incident Forensics in your deployment to retrace the step-by-step actions of a potential
attacker, and conduct an in-depth forensics investigation of suspected malicious network security incidents.
QRadar Incident Forensics reconstructs raw network data that is related to a security incident back into its
original form.
QRadar Incident Forensics integrates with the IBM QRadar Security Intelligence Platform and is compatible
with many third-party packet capture offerings.
QRadar Incident Forensics offers an optional QRadar Network Packet Capture appliance to store and manage
data that is used by QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed.
Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet
data.
QRadar Network Packet Capture components
The following components can be included in a QRadar deployment:
QRadar Console
Provides the QRadar product user interface. In distributed deployments, use the QRadar Console to
manage multiple QRadar Incident Forensics Processor hosts.
QRadar Incident Forensics Processor
Provides the QRadar Incident Forensics product interface. The interface delivers tools to
retrace the step-by-step actions of cyber criminals, reconstruct raw network data that is
related to a security incident, search across available unstructured data, and visually
reconstruct sessions and events.
You must add QRadar Incident Forensics Processor as a managed host before you can use
the security intelligence forensics capability.
QRadar Incident Forensics Standalone
Provides the QRadar Incident Forensics product user interface. Installing QRadar Incident
Forensics Standalone provides the tools that you need to do forensics investigations. Only
forensics investigative and the related administrative functions are available.
QRadar Network Packet Capture
You can install an optional QRadar Network Packet Capture appliance. If no other packet
capture device is deployed, you can use this appliance to store data that is used by QRadar
Incident Forensics. You can install any number of these appliances as a network tap or
subnetwork to collect the raw packet data.
If no packet capture device is attached, you can manually upload the packet capture files in
the user interface or by using FTP.
Depending on your network and packet capture requirements, you can connect up to five
packet capture devices to a QRadar Incident Forensics appliance.
All-in-One deployment
In standalone or all-in-one deployments, you install the IBM QRadar Incident Forensics
Standalone software. These single appliance deployments are similar to installing the QRadar
Console and QRadar Incident Forensics managed host on one appliance, but without log
management, network activity monitoring, or other security intelligence features. For a stand-alone
network forensics solution, install the QRadar Incident Forensics Standalone in small to midsize
deployments.
The following diagram shows a basic QRadar Incident Forensics All-in-One deployment.
Figure 1. All-in-one deployment
Distributed deployment
The following diagram shows a QRadar Incident Forensics distributed deployment.
Software versions for all IBM QRadar appliances in a deployment must be the same version and fix
level. Deployments that use different versions of software are not supported.
Figure 2. Distributed deployment
The following diagram shows packet forwarding from a IBM QRadar Flow Collector 1310 with a
10G Napatech network card to a QRadar Network Packet Capture appliance.
The QRadar Flow Collector uses a dedicated Napatech monitoring card to copy incoming packets
from one port on the card to a second port that connects to a QRadar Network Packet
Capture appliance.
Figure 3. Packet forwarding
•
Forwarding packets to QRadar Network Packet Capture
You can monitor network traffic by sending raw data packets to a IBM QRadar Flow
Collector 1310 appliance. The QRadar Flow Collector uses a dedicated Napatech monitoring
card to copy incoming packets from one port on the card to a second port that connects to
a QRadar Network Packet Capture appliance.
Before you begin
Ensure that the following hardware is set up in your environment:
•
•
•
You attached the cable to port 1 of the Napatech card on the QRadar Flow Collector 1310
appliance.
You attached the cable that is connected to port 2 of the Napatech card, which is the
forwarding port, to the QRadar Network Packet Capture appliance.
Verify layer 2 connectivity by checking for link lights on both appliances.
Procedure
1. Using SSH from your IBM QRadar Console, log in to QRadar Flow Collector as the root user.
On the QRadar Flow Collector appliance, edit the following file.
/opt/qradar/init/apply_tunings
a. Locate the following line, which is around line 137.
b. apply_multithread_qflow_changes()
c. {
d.
APPLIANCEID=`$NVABIN/myver -a`
e.
if [ "$APPLIANCEID" == "1310" ]; then
f.
MODELNUM=$(/opt/napatech/bin/AdapterInfo 2>&1 | grep "Active
FPGA Image" | cut -d'-' -f2)
if [ "$MODELNUM" == "9220" ]; then..
g. In the AppendToConf lines that follow the code in the preceding step, add these lines:
h. AppendToConf SV_NAPATECH_FORWARD YES
AppendToConf SV_NAPATECH_FORWARD_INTERFACE_SRCDST "0:1"
These statements enable packet forwarding, and forward packets from port 0 to port
1.
i.
Ensure that multithreading is enabled, by verifying that the following line is in
the /opt/qradar/conf/nva.conf
file.
MULTI_THREAD_ON=YES
2. Run the apply_tunings script to update the configuration files on the QRadar Flow
Collector, by typing the following command:
./apply_tunings restart
3. Restart IBM QRadar services by typing the following command:
systemctl restart hostcontext
4. Optional: Verify that your Napatech card is receiving and transmitting data.
a. To verify that the Napatech card is receiving data, type the following command:
/opt/napatech/bin/Statistics -dec -interactive
The "RX" packet and byte statistics increment if the card is receiving data.
b. To verify that the Napatech card is transmitting data, type the following command:
/opt/napatech/bin/Statistics -dec -interactive
The "TX" statistics increment if the card is transmitting data.
5. Verify that your QRadar Network Packet Capture is receiving packets from your QRadar
Flow Collector appliance.
a. Using SSH from your QRadar Console, log in to your QRadar Network Packet
Capture appliance as root on port 4477.
b. Verify that the QRadar Network Packet Capture appliance is receiving packets by
typing the following command:
watch -d cat /var/www/html/statisdata/int0.txt
The int0.txt file updates as data flows into your QRadar Network Packet
Capture appliance.
Geographically distributed deployments
In geographically distributed deployments your IBM® QRadar® deployment might be impacted by
intermittent or poor connectivity to remote data centers. You might also be impacted by local
regulations, such as complying with specific state or country regulations to keep data in the place of
origin. Both of these situations require that you keep collectors on site. If you must keep data in the
place of origin, then you must keep the processor on site.
For example, your company is growing and this growth not only increases activity in the network,
but it also requires that you expand your QRadar deployment to other countries. Data retention
laws vary from country to country, so the QRadar deployment must be planned with these
regulations in mind.
You note these following conditions:
•
•
Your company must collect event data from one of the office locations that has intermittent
connectivity.
Your company must comply with data retention regulations in the countries where data is
collected. For example, if Germany requires that data remains in-country, then that data
must not be stored outside that country.
Figure 1. Geographically Distributed Deployment
In the geographically distributed deployment, the following processes occur:
•
•
•
Your company installs collectors and processors in the German data center to comply with
local data laws.
In the French data center, your company installs collectors, so that data is sent by the
collectors to the head office, which is processed and stored at the head office. Search speeds
are increased by having the processor appliances on the same high-speed network segment
as the QRadar Console.
Your company adds a store-and-forward Event Collector that has scheduled and rate-limited
forwarding connections in the remote data center. The scheduled and rate-limited
connections compensate for intermittent network connectivity and ensures that the
requirement for more bandwidth is avoided during regular business hours.
If you’re constantly searching for data on a remote processor, it’s better to have that processor on
the same high-speed network segment as the QRadar Console. If the bandwidth between
the QRadar Console and remote processor is not good, you might experience latency with your
searches, especially when you're doing multiple concurrent searches.
Expanding deployments to add more capacity
Your business might create or expand a deployment beyond an IBM® QRadar® All-in-One
appliance because of the lack of processing or data storage capacity, or when you have specific data
collection requirements.
The topology and composition of your QRadar deployment are influenced by the capability and
capacity of that deployment to collect, process, and store all the data that you want to analyze in
your network.
If your processing or storage needs expand beyond the capacity of your All-in-One appliance, you
can reconfigure your QRadar environment to a distributed deployment. For more information
see, Adding an appliance to an All-in-One console.
To get rough estimates of the events per second (EPS) or flows per minute (FPM) that you need to
process in your deployment, use the size of your logs that are collected from firewalls, proxy
servers, and Windows boxes.
Reasons to add event or flow collectors to an All-in-One deployment
You might need to add flow or event collectors to your deployment under these conditions:
•
•
•
Your data collection requirements exceed the collection capability of the All-in-One
appliance.
You must collect events and flows in a different location than where your All-in-One
appliance is installed.
You are monitoring larger, or higher-rate packet-based flow sources that are faster than the
50 Mbps connection on the All-in-One.
A 3128 All-in-One appliance can collect up to 15,000 events per second (EPS) and 300,000 flows
per minute (FPM). If your collection requirements are greater, you might want to add Event
Collectors and Flow Collectors to your deployment. For example, you can add a QRadar Flow
Collector 1202, which collects up to 3 Gbps.
An All-in-One appliance processes the events and flows that are collected. By adding Event
Collectors and Flow Collectors, you can use the processing that the All-in-One appliance usually
does for searches and other security tasks.
Packet-based flow sources require a Flow Collector that is connected either to a Flow Processor, or
to an All-in-One appliance in deployments where there is no Flow Processor appliance. You can
collect external flow sources, such as NetFlow, or IPFIX, directly on a Flow Processor or All-in-One
appliance.
Adding remote collectors to a deployment
Add QRadar Event Collectors or QRadar Flow Collectors to expand a deployment when you need to
collect more events locally and collect events and flows from a remote location.
For example, you are a manufacturing company that has a QRadar All-in-One deployment and
you add e-commerce and a remote sales office. You now must monitor for security threats and
are also now subject to PCI audits.
You hire more employees and the Internet usage changes from mostly downloading to twoway traffic between your employees and the Internet. Here are details about your company.
•
•
•
•
•
The current events per second (EPS) license is 1000 EPS.
You want to collect events and flows at the sales office and events from the e-commerce
platform.
Event collection from the e-commerce platform requires up to 2000 events-per-second
(EPS).
Event collection from the remote sales office requires up to 2000 events-per-second (EPS).
The flows per minute (FPM) license is sufficient to collect flows at the remote office.
You take the following actions:
1. You add the e-commerce platform at your head office, and then you open a remote sales
office.
2. You install an Event Collector and a Flow Collector at the remote sales office that sends data
over the Internet to the All-in-One appliance at your head office.
3. You upgrade your EPS license from 1000 EPS to 5000 EPS to meet the requirements for the
extra events that are collected at the remote office.
The following diagram shows an example deployment of when an Event Collector and a Flow
Collector are added at a remote office.
Figure 1. Collectors in remote office
In this deployment, the following processes occur:
•
•
•
•
•
At your remote office, the Event Collector collects data from log sources and the Flow
Collector collects data from routers and switches. The collectors coalesce and normalize the
data.
The collectors compress and send data to the All-in-One appliance over the wide area
network.
The All-in-One appliance processes, and stores the data.
Your company monitors network activity by using the QRadar web application for searches,
analysis, reporting, and for managing alerts and offenses.
The All-in-one collects and processes events from the local network.
Adding processing capacity to an All-in-One deployment
Add Event Processors and Flow Processors to your QRadar deployment to increase processing
capacity and increase storage. Adding processors frees up resources on your QRadar Console by
moving the processing and storage load to dedicated servers.
When you add Event Processors or Flow Processors to an All-in-One appliance the All-in-One acts
as a QRadar Console. The processing power on the All-in-One appliance is dedicated to managing
and searching the data that is sent by the processors, and data is now stored on the Event
Processors and other storage devices, rather than on the Console.
You typically add Event Processors and Flow Processors to your QRadar deployment for the
following reasons:
•
•
•
•
As your deployment grows, the workload exceeds the processing capacity of the All-in-One
appliance.
Your security operations center employs more analysts who do more concurrent searches.
The types of monitored data, and the retention period for that data increases, which
increases processing and storage requirements.
As your security analyst team grows, you require better search performance.
Running multiple concurrent QRadar searches and adding more types of log sources that you
monitor, affects the processing performance of your All-in-One appliance. As you increase the
number of searches and the amount of monitored data, add Event Processors and Flow
Processors to improve the performance of your QRadar deployment.
When you scale your QRadar deployment beyond the 15,000 EPS and 300,000 FPM on the most
powerful All-in-One appliance, you must add processor appliances to process that data.
Example: Adding a
QRadar Event Processor to your deployment
You can add a QRadar Event Processor 1628, which collects and processes up to 40,000 EPS. You
increase your capacity by another 40,000 EPS every time you add a QRadar Event Processor
1628 to your deployment. Add a QRadar Flow Processor 1728, which collects and processes up to
1,200,000 FPM.
The QRadar Event Processor 1628 is a collector and a processor. If you have a distributed network,
it’s a good practice to add Event Collectors to distribute the load and to free system resources on
the Event Processor.
In the following diagram, processing capacity is added when an Event Processor and a Flow Processor are
added to an QRadar 3128 (All-in-One), and the following changes take place:
•
•
Event and flow processing is moved off the All-in-One appliance to the event and flow
processors.
Event processing capacity increases to 40,000 EPS, which includes the 15,000 EPS that was
on the All-in-One.
•
•
Flow processing capacity increases to 1,200,000 FPM, which includes the 300,000 FPM that
was on the All-in-One.
Data that is sent by the event and flow collectors is processed and stored on the event and
flow processors.
Figure 1. Adding processing capacity
Search performance is faster when you install Event Processors and Flow Processors on the same
network as your QRadar Console.
Adding processors and collectors expands the processing capacity of your QRadar deployment. You
can also increase the storage capacity of your deployment. Your company's data retention needs
can increase due to more traffic or to changes to retention policies. Adding Data Nodes to your
deployment expands your data storage capacity, and improves search performance.
When to add Collectors to Processors
Add Event Collectors and Flow Collectors to Event Processors and Flow Processors for the same
reasons that you add collectors to an All-in-One appliance:
•
Your data collection requirements exceed the collection capability of your processor.
•
•
You must collect events and flows at a different location than where your processor is
installed.
You are monitoring packet-based flow sources.
Note: Event Collectors can buffer events, but Flow Collectors can't buffer flows.
Because search performance is improved when processors are installed on the same network as the
console, adding collectors in remote locations, and then sending that data to the processor, speeds
up your QRadar searches.
Adding an appliance to an All-in-One console
Any All-in-One console can become part of a distributed deployment by adding another appliance
to extend the resources and performance of the All-in-One console. Adding more appliances can
increase storage, process more data, and search faster. The Console appliance manages the other
QRadar appliances in the network. When you add appliances to an All-in-One console, it becomes a
distributed deployment console.
About this task
Adding hosts allows users to expand on the capabilities, storage, and resources from an All-in-One
appliance to create a distributed deployment.
Procedure
1.
2.
3.
4.
5.
6.
7.
8.
9.
Log in to the All-in One Console as an administrator.
From the Admin tab, click the System and License Management icon.
In the Display list, select Systems.
On the Deployment Actions menu, select Add Host.
Enter the Host IP, Host Password (root user password). and configure the properties to
Encrypt Host Connections or define Network Address Translation parameters.
Check either Encrypt Host Connections or Network Address Translation and configure
your choice.
Click Add.
From the Admin tab, click Deploy Changes.
Click Continue to restart services.
Results
The host is added to the deployment and the appliance is added to the user interface. After the host
is added, you might need to allocate licenses to the appliance. For more information, see License
management.
Common ports and servers used by QRadar
IBM® QRadar® requires that certain ports are ready to receive information
from QRadar components and external infrastructure. To ensure that QRadar is using the most
recent security information, it also requires access to public servers and RSS feeds.
Warning: If you change any common ports, your QRadar deployment might break.
SSH communication on port 22
All the ports that are used by the QRadar console to communicate with managed hosts can be
tunneled, by encryption, through port 22 over SSH.
The console connects to the managed hosts by using an encrypted SSH session to communicate
securely. These SSH sessions are initiated from the console to provide data to the managed host.
For example, the QRadar Console can initiate multiple SSH sessions to the Event
Processor appliances for secure communication. This communication can include tunneled ports
over SSH, such as HTTPS data for port 443 and Ariel query data for port 32006. IBM QRadar Flow
Collector that use encryption can initiate SSH sessions to Flow Processor appliances that require
data.
Open ports that are not required by
QRadar
You might find additional open ports in the following situations:
•
•
When you install QRadar on your own hardware, you may see open ports that are used by
services, daemons, and programs included in Red Hat Enterprise Linux®.
When you mount or export a network file share, you might see dynamically assigned ports
that are required for RPC services, such as rpc.mountd and rpc.rquotad.
QRadar port usage
Review the list of common ports that IBM QRadar services and components use to communicate
across the network. You can use the port list to determine which ports must be open in your
network. For example, you can determine which ports must be open for the QRadar Console to
communicate with remote event processors.
Warning: If you change any common ports, your QRadar deployment might break.
WinCollect remote polling
WinCollect agents that remotely poll other Microsoft Windows operating systems might require
additional port assignments.
QRadar listening ports
The following table shows the QRadar ports that are open in a LISTEN state. The LISTEN ports are valid
only when iptables is enabled on your system. Unless otherwise noted, information about the assigned port
number applies to all QRadar products.
Port
Description Protocol
Direction
Requirement
Remote management access.
Adding a remote system as a
managed host.
Log source protocols to retrieve
22
SSH
TCP
Bidirectional from the QRadar
files from external devices, for
Console to all other components. example the log file protocol.
Users who use the commandline interface to communicate
from desktops to the Console.
High-availability (HA).
25
SMTP
TCP
111 and
random
Port mapper TCP/UDP
generat
ed port
123
Network Time
Protocol
UDP
(NTP)
135 and
dynamic
ally
allocated DCOM
ports
above
1024 for
TCP
From all managed hosts to the
SMTP gateway.
Managed hosts (MH) that
communicate with the QRadar
Console.
Users that connect to
the QRadar Console.
Outbound from the QRadar
Console to the NTP Server
Outbound from the MH to
the QRadar Console
Emails from QRadar to an SMTP
gateway.
Delivery of error and warning
email messages to an
administrative email contact.
Remote Procedure Calls (RPC)
for required services, such as
Network File System (NFS).
Time synchronization via
Chrony between:
•
•
QRadar Console and NTP
server
QRadar Managed Hosts
and QRadar Console
Bidirectional traffic between
WinCollect agents and Windows
operating systems that are
remotely polled for events.
This traffic is generated by
WinCollect, Microsoft Security
Event Log Protocol, or Adaptive
Log Exporter.
Bidirectional traffic
between QRadar
Note: DCOM typically allocates a
random port range for
communication. You can configure
Port
Description Protocol
RPC
calls.
Direction
Requirement
Console components or IBM
QRadar event collectors that
use either Microsoft Security
Event Log Protocol or Adaptive
Log Exporter agents and
Windows operating systems
that are remotely polled for
events.
Microsoft Windows products to
use a specific port. For more
information, see your Microsoft
Windows documentation.
Bidirectional traffic between
WinCollect agents and Windows
operating systems that are
remotely polled for events.
137
Windows
NetBIOS name UDP
service
This traffic is generated by
Bidirectional traffic
WinCollect, Microsoft Security
between QRadar
Console components or QRadar Event Log Protocol, or Adaptive
Event Collectors that use either Log Exporter.
Microsoft Security Event Log
Protocol or Adaptive Log
Exporter agents and Windows
operating systems that are
remotely polled for events.
Bidirectional traffic between
WinCollect agents and Windows
operating systems that are
remotely polled for events.
138
139
Windows
NetBIOS
datagram
service
Windows
NetBIOS
session
service
UDP
This traffic is generated by
Bidirectional traffic
WinCollect, Microsoft Security
between QRadar
Console components or QRadar Event Log Protocol, or Adaptive
Event Collectors that use either Log Exporter.
Microsoft Security Event Log
Protocol or Adaptive Log
Exporter agents and Windows
operating systems that are
remotely polled for events.
Bidirectional traffic between
WinCollect agents and Windows
operating systems that are
remotely polled for events.
TCP
Bidirectional traffic
between QRadar
Console components or QRadar
Event Collectors that use either
Microsoft Security Event Log
Protocol or Adaptive Log
This traffic is generated by
WinCollect, Microsoft Security
Event Log Protocol, or Adaptive
Log Exporter.
Port
Description Protocol
Direction
Requirement
Exporter agents and Windows
operating systems that are
remotely polled for events.
162
NetSNMP
UDP
199
NetSNMP
TCP
427
Service
Location
UDP/TCP
Protocol (SLP)
UDP port for the NetSNMP daemon
that listens for communications
(v1, v2c, and v3) from external log
External log sources to QRadar sources. The port is open only
when the SNMP agent is enabled.
Event Collectors.
QRadar managed hosts that
connect to the QRadar Console.
TCP port for the NetSNMP daemon
that listens for communications
(v1, v2c, and v3) from external log
External log sources to QRadar sources. The port is open only
when the SNMP agent is enabled.
Event Collectors.
QRadar managed hosts that
connect to the QRadar Console.
The Integrated Management
Module uses the port to find
services on a LAN.
Configuration downloads to
managed hosts from the QRadar
Console.
QRadar managed hosts that
443
Apache/HTTP
TCP
S
Bidirectional traffic for secure
connect to the QRadar Console.
communications from all products
to the QRadar Console.
Users to have log in access
to QRadar.
Unidirectional traffic from the
App Host to the QRadar
QRadar Console that manage
Console.
and provide configuration
updates for WinCollect agents.
Apps that require access to
the QRadar API.
445
Microsoft
Directory
Service
Bidirectional traffic between
WinCollect agents and Windows
operating systems that are
remotely polled for events.
TCP
Bidirectional traffic
between QRadar
Console components or QRadar
Event Collectors that use the
Microsoft Security Event Log
Protocol and Windows
This traffic is generated by
WinCollect, Microsoft Security
Event Log Protocol, or Adaptive
Log Exporter.
Port
Description Protocol
Direction
Requirement
operating systems that are
remotely polled for events.
Bidirectional traffic between
Adaptive Log Exporter agents
and Windows operating
systems that are remotely
polled for events.
External network appliances that
provide TCP syslog events use
External log sources to send event
bidirectional traffic.
data to QRadar components.
UDP/TCP
External network appliances Syslog traffic includes
that provide UDP syslog events WinCollect agents, event
use uni-directional traffic.
collectors, and Adaptive Log
Exporter agents capable of
Internal syslog traffic
sending either UDP or TCP
from QRadar hosts to
events to QRadar.
the QRadar Console.
514
Syslog
762
Network File
System (NFS)
mount
TCP/UDP
daemon
(mountd)
The Network File System (NFS)
Connections between the QRadar mount daemon, which processes
requests to mount a file system at a
Console and NFS server.
specified location.
1514
Syslog-ng
TCP/UDP
Connection between the
local Event Collector component
and local Event
Processor component to the
syslog-ng daemon for logging.
2049
NFS
TCP
The Network File System (NFS)
Connections between the QRadar
protocol to share files or data
Console and NFS server.
between components.
2055
NetFlow data UDP
From the management interface
on the flow source (typically a
router) to the IBM QRadar Flow
Collector.
2376
Docker
TCP
command port
Internal communications. This
port is not available externally.
3389
Remote
Desktop
Protocol
(RDP) and
TCP/UDP
Internal logging port for syslog-ng.
NetFlow datagram from
components, such as routers.
Used to
manage QRadar application
framework resources.
If the Microsoft Windows
operating system is configured to
support RDP and Ethernet over
USB, a user can initiate a session to
the server over the management
Port
Description Protocol
Direction
Requirement
Ethernet over
USB is enabled
network. This means the default
port for RDP, 3389 must be open.
Integrated
Management
Module remot TCP/UDP
e presence
port
Use this port to interact with
the QRadar console through
the Integrated Management
Module.
4333
Redirect port TCP
This port is assigned as a redirect
port for Address Resolution
Protocol (ARP) requests
in QRadar offense resolution.
5000
Used to allow
communicatio
n to the
docker siregistry
running on
the Console.
This allows all
TCP
managed
hosts to pull
images from
the Console
that will be
used to create
local
containers.
Unidirectional from the QRadar
Console to a QRadar App Host.
5432
Postgres
TCP
Communication for the managed Required for provisioning
host that is used to access the local managed hosts from
database instance.
the Admin tab.
6514
Syslog
TCP
External network appliances that External log sources to send
provide encrypted TCP syslog
encrypted event data
events use bidirectional traffic.
to QRadar components.
3900
7676,
7677,
and four
Messaging
randoml
connections
y bound
(IMQ)
ports
above
32000.
Used with an App Host. It allows
the Console to deploy apps to an
App Host and to manage those
apps.
Message queue broker for
communications between
components on a managed host.
TCP
Message queue communications
between components on a
managed host.
Note: You must permit access to
these ports from
the QRadar console to unencrypted
hosts.
Ports 7676 and 7677 are static
TCP ports, and four extra
Port
Description Protocol
Direction
Requirement
connections are created on
random ports.
For more information about
finding randomly bound ports,
see Viewing IMQ port
associations.
5791,
7700,
7777,
7778,
7779,
7780,
7781,
7782,
7783,
7787,
7788,
7790,
7791,
7792,
7793,
7794,
7795,
7799,
8989,
and
8990.
JMX server
ports
7789
HA
Distributed
TCP/UDP
Replicated
Block Device
Distributed Replicated Block
Bidirectional between the
Device is used to keep drives
secondary host and primary host synchronized between the primary
and secondary hosts in HA
in an HA cluster.
configurations.
7800
Apache
Tomcat
TCP
From the Event Processor to
the QRadar Console.
Real-time (streaming) for events.
7801
Apache
Tomcat
TCP
From the Event Processor to
the QRadar Console.
Real-time (streaming) for flows.
7803
Anomaly
Detection
Engine
TCP
From the Event Processor to
the QRadar Console.
Anomaly detection engine port.
7804
QRM Arc
builder
TCP
Internal control communications This port is used for QRadar Risk
between QRadar processes and
Manager only. It is not available
ARC builder.
externally.
TCP
JMX server (Java™ Management
Beans) monitoring for all internal
Internal communications. These QRadar processes to expose
ports are not available externally. supportability metrics.
These ports are used
by QRadar support.
Port
Description Protocol
Direction
Requirement
7805
Syslog tunnel
communicatio TCP
n
Used for encrypted communication
Bidirectional between the QRadar
between the console and managed
Console and managed hosts
hosts.
8000
Event
Collection
TCP
service (ECS)
From the Event Collector to
the QRadar Console.
Listening port for specific Event
Collection Service (ECS).
8001
SNMP daemon
TCP
port
External SNMP systems that
request SNMP trap information
from the QRadar Console.
Listening port for external SNMP
data requests.
8005
Apache
Tomcat
TCP
Internal communications. Not
available externally.
8009
Apache
Tomcat
TCP
Tomcat connector, where the
From the HTTP daemon (HTTPd)
request is used and proxied for the
process to Tomcat.
web service.
8080
Apache
Tomcat
TCP
Tomcat connector, where the
From the HTTP daemon (HTTPd)
request is used and proxied for the
process to Tomcat.
web service.
8082
Secure tunnel
for QRadar
TCP
Risk Manager
Open to control tomcat.
8413
WinCollect
agents
TCP
This port is bound and only
accepts connections from the
local host.
Bidirectional traffic between
the QRadar Console and QRadar
Risk Manager
Required when encryption is used
between QRadar Risk Manager and
the QRadar Console.
Bidirectional traffic between
WinCollect agent and QRadar
Console.
This traffic is generated by the
WinCollect agent and
communication is encrypted. It is
required to provide configuration
updates to the WinCollect agent
and to use WinCollect in connected
mode.
Used by Apache Tomcat to read
information from the host that is
running the QRadar Vulnerability
Manager processor.
8844
Apache
Tomcat
TCP
Unidirectional from the QRadar
Console to the appliance that is
running the QRadar Vulnerability
Manager processor.
Important: The IBM QRadar
Vulnerability Manager scanner is
end of life (EOL) in 7.5.0 Update
Package 6, and is no longer
supported in any version of IBM
QRadar. For more information,
see QRadar Vulnerability Manager:
End of service product
notification (https://www.ibm.co
Port
Description Protocol
Direction
Requirement
m/support/pages/node/6853425)
.
Used with an App Host. It allows
the Console to deploy apps to an
App Host and to manage those
apps.
9000
Conman
9090
XForce IP
Reputation
TCP
database and
server
Internal communications. Not
available externally.
Communications
between QRadar processes and the
XForce Reputation IP database.
9381
Certificate
TCP
files download
Unidirectional
from QRadar managed host or
external network to QRadar
Console
Downloading QRadar CA certificate
and CRL files, which can be used to
validate QRadar generated
certificates.
9381
localca-server TCP
Bidirectional
between QRadar components.
Used to hold QRadar local root and
intermediate certificates, as well as
associated CRLs.
9393,
9394
vault-qrd
TCP
Internal communications. Not
available externally.
Used to hold secrets and allow
secure access to them to services.
TCP
Bidirectional Java Remote Method When the web application is
Invocation (RMI) communication registered, one additional port is
between Java Virtual Machines
dynamically assigned.
9913
plus one
Web
dynamic
application
ally
container
assigned
port
9995
9999
TCP
Unidirectional from the QRadar
Console to a QRadar App Host.
NetFlow data UDP
IBM QRadar
Vulnerability
TCP
Manager proc
essor
From the management interface
on the flow source (typically a
router) to the QRadar Flow
Collector.
NetFlow datagram from
components, such as routers.
Used for QRadar Vulnerability
Manager (QVM) command
information. The QRadar
Console connects to this port on
the host that is running the QRadar
Unidirectional from the scanner to Vulnerability Manager processor.
the appliance running the QRadar This port is only used when QVM is
Vulnerability Manager processor enabled.
Important: The IBM QRadar
Vulnerability Manager scanner is
end of life (EOL) in 7.5.0 Update
Package 6, and is no longer
supported in any version of IBM
Port
Description Protocol
Direction
Requirement
QRadar. For more information,
see QRadar Vulnerability Manager:
End of service product
notification (https://www.ibm.co
m/support/pages/node/6853425)
.
In QRadar V7.2.5 and earlier, this
port is used for server changes,
such as the hosts root password
and firewall access.
10000
QRadar webbased, system
TCP/UDP
administratio
n interface
User desktop systems to
all QRadar hosts.
10101,
10102
Heartbeat
command
TCP
Bidirectional traffic between the Required to ensure that the HA
primary and secondary HA nodes. nodes are still active.
12500
Socat binary
TCP
Port used for tunneling chrony udp
Outbound from MH to the QRadar
requests over tcp when QRadar
Console
Console or MH is encrypted
TCP
Unidirectional from the QRadar
Console to a QRadar App Host.
Port 10000 is disabled in V7.2.6.
14433
traefik
Used with an App Host. It allows
the Console to deploy apps to an
App Host and to manage those
apps.
Required to be open for internal
communication between QRM
and QRadar.
15432
Used for QRadar Vulnerability
Manager (QVM) configuration and
storage. This port is only used
when QVM is enabled.
15433
15434
Postgres
TCP
Important: The IBM QRadar
Vulnerability Manager scanner is
Communication for the managed end of life (EOL) in 7.5.0 Update
host that is used to access the local Package 6, and is no longer
database instance.
supported in any version of IBM
QRadar. For more information,
see QRadar Vulnerability Manager:
End of service product
notification (https://www.ibm.co
m/support/pages/node/6853425)
.
Required to be open for internal
communication between
Forensics and QRadar.
Port
Description Protocol
20000SSH Tunnel
23000
TCP
Direction
Requirement
Bidirectional from the QRadar
Console to all other encrypted
managed hosts.
Local listening point for SSH
tunnels used for Java Message
Service (JMS) communication with
encrypted managed hosts. Used to
perform long-running
asynchronous tasks, such as
updating networking configuration
via System and License
Management.
23111
SOAP web
server
23333
Emulex Fibre
TCP
Channel
User desktop systems that connect Emulex Fibre Channel
to QRadar appliances with a Fibre HBAnywhere Remote Management
Channel card.
service (elxmgmt).
26000
traefik
TCP
Bidirectional
between QRadar components.
Used with an App Host that is
encrypted. Required for app
services discovery.
TCP
Unidirectional from the QRadar
Console to a QRadar App Host.
Used with an App Host that is
encrypted. It allows the Console to
deploy apps to an App Host and to
manage those apps.
TCP
Bidirectional
between QRadar components.
Normalized flow data that is
communicated from an off-site
source or between QRadar Flow
Collectors.
TCP
Bidirectional
between QRadar components.
Normalized event data that is
communicated from an off-site
source or between QRadar Event
Collectors.
Data flow communication port
between QRadar Event
Collectors when on separate
managed hosts.
26001
Conman
32000
Normalized
flow
forwarding
32004
Normalized
event
forwarding
SOAP web server port for the
Event Collection Service (ECS).
TCP
32005
Data flow
TCP
Bidirectional
between QRadar components.
32006
Ariel queries TCP
Bidirectional
between QRadar components.
Communication port between the
Ariel proxy server and
the Ariel query server.
32007
Offense data TCP
Bidirectional
between QRadar components.
Events and flows contributing to
an offense or involved in global
correlation.
32009
Identity data TCP
Bidirectional
between QRadar components.
Identity data that is communicated
between the passive Vulnerability
Port
Description Protocol
Direction
Requirement
Information Service (VIS) and the
Event Collection Service (ECS).
32010
Flow listening
TCP
source port
Bidirectional
between QRadar components.
Flow listening port to collect data
from QRadar Flow Collectors.
32011
Ariel listening
TCP
port
Bidirectional
between QRadar components.
Ariel listening port for database
searches, progress information,
and other associated commands.
Data flow
32000(flows, events, TCP
33999
flow context)
Bidirectional
between QRadar components.
Data flows, such as events, flows,
flow context, event search queries,
and Docker proxy.
Unidirectional from QRadar to
another QRadar system or 3rd
party flow collector.
Used to map exporter IP and port
combinations to a unique port to
be used to forward flows.
4000040500
QFlow process
New in for flow
7.5.0
forwarding
Update
Package
6
UDP
Collecting incoming packet
capture (PCAP) data from
Juniper Networks SRX Series
appliances.
40799
ICMP
PCAP data
ICMP
UDP
From Juniper Networks SRX Series
Note: The packet capture on your
appliances to QRadar.
device can use a different port. For
more information about
configuring packet capture, see
your Juniper Networks SRX Series
appliance documentation.
Testing the network connection
Bidirectional traffic between the between the secondary host and
secondary host and primary host primary host in an HA cluster by
using Internet Control Message
in an HA cluster.
Protocol (ICMP).
Table 1. Listening ports that are used by QRadar services and components
Viewing IMQ port associations
Several ports that are used by IBM QRadar allocate extra random port numbers. For example,
Message Queues (IMQ) open random ports for communication between components on a managed
host. You can view the random port assignments for IMQ by using telnet to connect to the local host
and doing a lookup on the port number.
Procedure
1. Using SSH, log in to the QRadar Console as the root user.
2. To display a list of associated ports for the IMQ messaging connection, type the following
command:
telnet localhost 7676
The results from the telnet command might look similar to this output:
[root@domain ~]# telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
101 imqbroker 4.4 Update 1
portmapper tcp PORTMAPPER 7676
[imqvarhome=/opt/openmq/mq/var,imqhome=/opt/openmq/mq,sessionid=<session_id
>]
cluster_discovery tcp CLUSTER_DISCOVERY 44913
jmxrmi rmi JMX 0 [url=service:jmx:rmi://domain.ibm.com/stub/<urlpath>]
admin tcp ADMIN 43691
jms tcp NORMAL 7677
cluster tcp CLUSTER 36615
The telnet output shows 3 of the 4 random high-numbered TCP ports for IMQ. The fourth
port, which is not shown, is a JMX Remote Method Invocation (RMI) port that is available
over the JMX URL that is shown in the output.
If the telnet connection is refused, it means that IMQ is not currently running. It is probable
that the system is either starting up or shutting down, or that services were shut down
manually.
Searching for ports in use by QRadar
Use the netstat command to determine which ports are in use on the IBM QRadar Console or
managed host. Use the netstat command to view all listening and established ports on the
system.
Procedure
1. Using SSH, log in to your QRadar Console, as the root user.
2. To display all active connections and the TCP and UDP ports on which the computer is
listening, type the following command:
netstat -nap
3. To search for specific information from the netstat port list, type the following command:
netstat -nap | grep port
Examples:
o
To display all ports that match 199, type the following command:
netstat -nap | grep 199
o
To display information on all listening ports, type the following command:
netstat -nap | grep LISTEN
QRadar public servers
To provide you with the most current security information, IBM QRadar requires access to a
number of public servers.
Public servers
IP address or hostname
Description
IBM QRadar Vulnerability Manager DMZ scanner
194.153.113.31
Important: The IBM QRadar Vulnerability Manager scanner is end of life
(EOL) in 7.5.0 Update Package 6, and is no longer supported in any
version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
QRadar Vulnerability Manager DMZ scanner
194.153.113.32
Important: The IBM QRadar Vulnerability Manager scanner is end of life
(EOL) in 7.5.0 Update Package 6, and is no longer supported in any
version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
QRadar auto-update servers.
autoupdate.qradar.ibmcloud.co For more information about auto-update servers, see QRadar:
Important auto update server changes for
m/
administrators (https://www.ibm.com/support/pages/node/624
4622).
update.xforcesecurity.com
X-Force® Threat Feed update server
license.xforcesecurity.com
X-Force Threat Feed licensing server
Table 1. Public servers that QRadar must access. This table lists descriptions for the IP addresses or
hostnames that QRadar accesses. https://www.ibm.com/support/pages/node/6244622
Docker containers and network interfaces
A Docker network defines a communication trust zone where communication is unrestricted
between containers in that network.
Each network is associated with a bridge interface on the host, and firewall rules are defined
to filter traffic between these interfaces. Typically, containers within a zone that share the
same Docker network and host bridge interface can communicate with each other. An
exception to this general rule is that apps run on the same dockerApps network, but are
isolated from each other by the firewall.
Docker interfaces
To view a list of Docker interfaces, type the following command:
docker network ls
Here's an example of the output:
[root@q1dk00
NETWORK ID
943dd35a4747
9e2ba36111d1
514471d98b42
~]# docker network ls
NAME
DRIVER SCOPE
appProxy bridge local
dockerApps bridge local
dockerInfra bridge local
The dockerApps interface is used to apply rules for communication between apps.
The appProxy interface displays the nginx_framework_apps_proxy container.
The dockerInfra interface is used to host service launcher and qoauth. Apps are
isolated from most infrastructure components but they must be able to connect to service
launcher and qoauth to manage secrets and authorization.
Information about Docker interfaces
Type the following command to get information about Docker interfaces:
docker inspect <docker_container_ID> | grep NetworkMode
Here's an example of the output:
"NetworkMode": "appProxy"
This example shows how you use the docker inspect
<docker_container_ID> command and pipe it to less to view more network details:
docker inspect d9b3e58649de | less
Here's an example of the output:
"Networks": {
"dockerApps": {
"IPAMConfig": null,
"Links": null,
"Aliases": [
"d9b3e58649de"
], "NetworkID":
"79bc4716da5139a89cfa5360a3b72824e67701523768822d11b53caeaa5e349e",
"EndpointID":
"9dba9d9a174b037f72333945b72cdf60c3719fdb9a3a10a14a8ee3cc0e92a856",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "2003:db8:1::1",
"GlobalIPv6Address": "2003:db8:1::2",
"GlobalIPv6PrefixLen": 64,
"MacAddress": "02:42:ac:12:00:02"
}
The output in this example shows the configuration of the network that is used by the
specified container (d9b3e58649de), and shows the Docker network interface name
(dockerApps) and the IP address of the network that is assigned to the Docker container.
TASK: 1.4 Manage configuration and data backups
1.4.1. Understand and configure data retention
1.4.2. Import config backup
• through the GUI
• through file system
1.4.3. Restore config backup options
1.4.4. Schedule config backup
1.4.5. Restore data backup
Backup and recovery
You can back up and recover IBM® QRadar® configuration information and data.
You can use the backup and recovery feature to back up your event and flow data; however, you
must restore event and flow data manually. For more information, see Restoring data.
Each managed host in your deployment, including the QRadar Console, creates and stores all
backup files in the /store/backup/ directory. Your system might include
a /store/backup mount from an external SAN or NAS service. External services provide long
term, offline retention of data, which is commonly required for compliancy regulations, such as PCI.
By default, at midnight QRadar creates a daily backup archive of your configuration information.
The backup archive includes configuration information, data, or both from the previous day
You can use two types of backups: configuration backups and data backups.
Important: Individual QRadar managed hosts do not have their own nightly configuration backup files.
The QRadar Console's configuration backup is a single file that contains a full database backup of all
configuration parameters for all hosts in the deployment. All configuration backups are stored on
the QRadar Console by default.
Configuration backups include the following components:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Application configuration
Assets
Custom logos
Custom rules
Device Support Modules (DSMs)
Event categories
Flow sources
Flow and event searches
Groups
Index management information
License key information
Log sources
Offenses
Reference set elements
Store and Forward schedules
User and user roles information
Vulnerability data (if IBM QRadar Vulnerability Manager is installed)
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0
Update Package 6, and is no longer supported in any version of IBM QRadar. For more
information, see QRadar Vulnerability Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
Data backups include the following information:
•
•
•
•
•
Audit log information
Event data
Flow data
Report data
Indexes
The data backup does not include application data. To configure and manage backups for
application data, see Backing up and restoring app data.
Backup QRadar configurations and data
By default, IBM® QRadar® creates a backup archive of your configuration information daily at
midnight. The backup archive includes your configuration information, data, or both from the
previous day. You can customize this nightly backup and create an on-demand configuration
backup, as required.
Scheduling nightly backup
Use the Backup Recovery Configuration window to configure a night scheduled backup process.
About this task
By default, the nightly backup process includes only your configuration files. You can customize
your nightly backup process to include data from your IBM® QRadar® Console and selected
managed hosts. You can also customize your backup retention period, the backup archive location,
the time limit for a backup to process before timing out, and the backup priority in relation to
other QRadar processes.
Note: The nightly backup starts running at midnight in the timezone where the QRadar Console is installed.
If QRadar automatic updates are scheduled to run at the same time, the performance of QRadar might be
impacted.
The Backup Recovery Configuration window provides the following parameters:
ParameterDescription
General Backup Configuration
Type the location where you want to store your backup file. The default location
is /store/backup. This path must exist before the backup process is initiated. If this
path does not exist, the backup process aborts.
If you modify this path, make sure the new path is valid on every system in your
deployment.
If you change the path to the backup repository, all files in the previous repository
automatically are moved to the new path.
Backup
Repository The directory must match one of the following formats:
Path
•
•
•
•
/store/backup/*
/mount/*
/mnt/*
/home/*
Active data is stored on the /store directory. If you have both active data and backup
archives stored in the same directory, data storage capacity might easily be reached and
your scheduled backups might fail. We recommend you specify a storage location on
another system or copy your backup archives to another system after the backup process
ParameterDescription
is complete. You can use a Network File System (NFS) storage solution in
your QRadar deployment. For more information on using NFS, see the Offboard Storage
Guide.
Type or select the length of time, in days, that you want to store backup files. The default
Backup
Retention is 7 days.
Period
(days)
Nightly
Backup
Schedule
This period of time only affects backup files generated as a result of a scheduled process.
On-demand backups or imported backup files are not affected by this value.
Select a backup option.
This option is only displayed if you select the Configuration and Data Backups option.
Select the All hosts in your deployment are listed. The first host in the list is your Console; it is
managed enabled for data backup by default, therefore no check box is displayed. If you have
hosts you managed hosts in your deployment, the managed hosts are listed below the Console and
would like each managed host includes a check box.
to run data
backups: Select the check box for the managed hosts you want to run data backups on.
For each host (Console or managed hosts), you can optionally clear the data items you
want to exclude from the backup archive.
Configuration Only Backup
Backup
Type or select the length of time, in minutes, that you want to allow the backup to run. The
Time Limit default is 180 minutes. If the backup process exceeds the configured time limit, the backup
(min)
process is automatically canceled.
Backup
Priority
From this list box, select the level of importance that you want the system to place on the
configuration backup process compared to other processes.
A priority of medium or high have a greater impact on system performance.
Data Backup
Backup
Type or select the length of time, in minutes, that you want to allow the backup to run. The
Time Limit default is 1020 minutes. If the backup process exceeds the configured time limit, the backup is
(min)
automatically canceled.
Backup
Priority
From the list, select the level of importance you want the system to place on the data
backup process compared to other processes.
A priority of medium or high have a greater impact on system performance.
Table 1. Backup Recovery Configuration parameters
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Backup and Recovery.
3.
4.
5.
6.
7.
On the toolbar, click Configure.
On the Backup Recovery Configuration window, customize your nightly backup.
Click Save.
Close the Backup Archives window.
On the Admin tab, click Deploy Changes.
Creating an on-demand configuration backup archive
If you must back up your configuration files at a time other than your nightly scheduled backup, you
can create an on-demand backup archive. On-demand backup archives include only configuration
information.
About this task
You initiate an on-demand backup archive during a period when IBM® QRadar® has low
processing load, such as after normal office hours. During the backup process, system performance
is affected.
Procedure
1.
2.
3.
4.
Option
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
From the toolbar, click On Demand Backup.
Enter values for the following parameters:
Description
Type a unique name that you want to assign to this backup archive. The name can be up
to 100 alphanumeric characters in length. The name can contain following characters:
underscore (_), dash (-), or period (.).
DescriptionType a description for this configuration backup archive. The description can be up to
255 characters in length.
Name
5. Click Run Backup.
You can start a new backup or restore processes only after the on-demand backup is
complete. You can monitor the backup archive process in the Backup Archives window.
Creating an email notification for a failed backup
To receive a notification by email about a backup failure on the IBM QRadar Console or
a QRadar Event Processor, create a rule that is based on the system notification message.
Before you begin
You must configure an email server to distribute system notifications in QRadar. For more information,
see Configuring your local firewall.
About this task
If a backup fails, you see one of the following backup failure system notifications:
•
•
•
Backup: requires more disk space
Backup: last Backup exceeded execution threshold
Backup: unable to execute request
Procedure
1.
2.
3.
4.
Click the Offenses tab.
In the Offenses pane, click Rules.
Click Actions > New Event Rule.
In the Rule Wizard, check the Skip this page when running this rules wizard box and
click Next.
5. In the filter box, type the following search query:
when the event QID is one of the following QIDs
Learn more about tests:Figure 1. Rule Wizard event test
6.
7.
8.
9.
Click the green add (+) icon.
In the Rule pane, click the QIDs link.
In the QID/Name field, type Backup:
Select the following QIDs and click Add +:
o Backup requires more disk space
o Backup: last backup exceeded execution threshold
o Backup unable to execute request
Learn more about QIDs:Figure 2. Rule Wizard QIDs
10. Click Submit.
11. In the Rule pane, type the following name for your rule test and click Next:
Backup Failure
12. In the Rule Response section, check the Email box and type the email addresses you want to
notify.
Manage existing backup archives
Use the Backup and Recovery icon on the Admin tab to view and manage all successful backup
archives.
•
Importing a backup archive
Importing a backup archive is useful if you want to restore a backup archive that was
created on another IBM QRadar host.
About this task
If you place a QRadar backup archive file in the /store/backupHost/inbound directory
on the Console server, the backup archive file is automatically imported.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
In the Upload Archive field, click Browse.
Locate and select the archive file that you want to upload. The archive file must
include a .tgz extension.
5. Click Open.
6. Click Upload.
•
Deleting a backup archive
To delete a backup archive file, the backup archive file and the Host Context component
must be located on the same system. The system must also be in communication with
the IBM QRadar Console and no other backup can be in progress.
About this task
If a backup file is deleted, it is removed from the disk and from the database. Also, the entry
is removed from this list and an audit event is generated to indicate the removal.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
In the Existing Backups section, select the archive that you want to delete.
Click Delete.
Restore QRadar configurations and data
Restoring a backup archive is useful if you want to restore previously archived configuration files,
offense data, and asset data on your IBM QRadar system.
Before you restore a backup archive, note the following considerations:
•
•
•
•
You can restore only a backup archive that is created within the same release of software
and its software update level. For example, if you are running QRadar 7.5.0 p1, make sure
that the backup archive is created on the QRadar 7.5.0 p1 Console.
The restore process restores only your configuration information, offense data, and asset
data. For more information, see Restoring data.
If the backup archive originated on a NATed Console system, you can restore only that back
up archive on a NATed system.
You cannot complete a configuration restore on a console in which the IP address matches
the IP address of a managed host in the backup.
Restriction: Your restore might fail if you are taking a configuration from another deployment and run
the qchange_netsetup utility to change the private IP address of the console.
The qchange_netsetup utility modifies the deployed configuration, but not the backup one. When you
perform a restore, the backup configuration is read, and the restore might convert components with the
wrong IP address.
If possible, before you restore a configuration backup, run an on-demand backup to preserve the current
environment. The following description is a high-level view of the configuration restore process:
•
•
•
•
•
•
Tomcat is shut down
All system processes are shut down.
All files are extracted from the backup archive and restored to disk.
Database tables are restored.
All system processes are restored.
Tomcat is restarted.
Important:
•
•
If you are restoring WinCollect data, you must install the WinCollect SFS that matches the
version of WinCollect in your backup before you restore the configuration. For more
information, see WinCollect files are not restored during a configuration restore
When you do a cross deployment restore or when you restore after a factory reinstall, the
managed host that is attached to the original console is automatically pointed to the newly
restored deployment. However, any changes before the restore regarding deployment (add
or remove managed hosts), causes the restore process to fail.
For more information about how to back up or restore an archive, see the following topics.
•
Restoring a backup archive
You can restore a backup archive. Restoring a backup archive is useful if you have a system
hardware failure or you want to restore a backup archive on a replacement appliance.
About this task
You can restart the Console only after the restore process is complete.
The restore process can take up to several hours; the process time depends on the size of the
backup archive that must be restored. When complete, a confirmation message is displayed.
A window provides the status of the restore process. This window provides any errors for
each host and instructions for resolving the errors.
The following parameters are available in the Restore a Backup window:
Parameter
Description
Name
The name of the backup archive.
Description The description, if any, of the backup archive.
The type of backup. Only configuration backups can be restored, therefore, this parameter
displays config.
Type
Select All
When selected, this option indicates that all configuration items are included in the
Configuration
restoration of the backup archive.
Items
Lists the configuration items to include in the restoration of the backup archive. To
Restore
Configurationremove items, you can clear the check boxes for each item you want to remove or
clear the Select All Configuration Items check box.
Select All
Data Items
When selected, this option indicates that all data items are included in the restoration
of the backup archive.
Lists the configuration items to include in the restoration of the backup archive. All
Restore Data items are cleared by default. To restore data items, you can select the check boxes for
each item you want to restore.
Table 1. Restore a Backup parameters
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
Select the archive that you want to restore.
Click Restore.
On the Restore a Backup window, configure the parameters.
Select the Custom Rules Configuration check box to restore the rules and reference
data that is used by apps. Select the Users Configuration check box to restore
authorized tokens that are used by apps.
The following table lists the restore configurations and what is included in each:
Note: The content included in each configuration is not limited to the content that is
listed.
Restore
ConfigurationContent Included
Custom Rules
Configuration
o
o
o
Rules
Reference Sets
Reference Data
Restore
ConfigurationContent Included
o
o
o
o
o
o
o
Saved Searches
Forwarding Destinations
Routing Rules
Custom Properties
Historical Searches
Historical Rules
Retention Bucket Configuration
Deployment All content.
Configuration
If you select this option, it is recommended that you select all other
configuration options.
Users
o Users
Configuration
o User Roles
o Security Profiles
o Authorized Services
o Dashboards
o User Settings
o User Quick Searches
License
Report
Templates
System
Settings
o
o
o
License keys
License Pool Allocations
License history
Report templates
This does not include generated report content.
o System Settings
o Asset Profiler Configuration
QVM Scan
QVM Scan profiles and results
profiles and
Important: The IBM® QRadar® Vulnerability Manager scanner is end of life
results
(EOL) in 7.5.0 Update Package 6, and is no longer supported in any version
of IBM QRadar. For more information, see QRadar Vulnerability Manager:
End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
Installed
App configurations
Applications
ConfigurationThis does not include app data.
Apps depending on authorized services might not work as expected
if Users Configuration is not selected.
When Installed Applications Configuration is selected,
the Deployment Configuration group is auto-selected.
Restore
ConfigurationContent Included
Assets
Offenses
Asset model
When Assets is selected, the Deployment Configuration group is
auto-selected.
o Offense data
o Offense associations (for example, QID links, rule links, or asset
links)
o Offense searches
o When Offenses is selected, the Deployment Configuration group
is auto-selected.
Important:
When you restore to another system where only partial options are
restored and rules are restored but related offenses are not. For
example, when you restore deployment configuration without
offenses.
When you are restoring to a new or rebuilt system and if you had rules
that created offenses that were indexed on custom properties of the
system that the backup was created on, restore the offenses so that the
offense types (offense indexed fields) are restored correctly.
If this is not done, you need to edit any rules that create offenses
indexed on custom properties and re-link them to the correct property
again.
The following default normalized fields are not affected by this.
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
Source IP
Destination IP
QID
Username
Source MAC
Destination MAC
Device
Hostname
Source port
Destination port
Source IPV6
Destination IPV6
Source ASN
Destination ASN
Rule
Application ID
Source identity
Restore
ConfigurationContent Included
o
o
Destination identity
Search result
6.
7.
8.
9.
Click Restore.
Click OK.
Click OK.
Choose one of the following options:
o If the user interface was closed during the restore process, open a web
browser and log in to IBM QRadar.
o If the user interface was not closed, the login window is displayed. Log in
to QRadar.
10. Follow the instructions on the status window.
What to do next
After you verify that your data is restored to your system, ensure that your DSMs,
vulnerability assessment (VA) scanners, and log source protocols are also restored.
If the backup archive originated on an HA cluster, you must click Deploy Changes to
restore the HA cluster configuration after the restore is complete. If disk replication is
enabled, the secondary host immediately synchronizes data after the system is restored.
If the secondary host was removed from the deployment after a backup, the secondary
host displays a failed status on the System and License Management window.
Restoring a backup archive created on a different QRadar system
Each backup archive includes the IP address information of the system where it was created. When
you restore a backup archive from a different IBM QRadar system, the IP address of the backup
archive and the system that you are restoring are mismatched. You can correct the mismatched IP
addresses.
About this task
You can restart the Console only after the restore process is complete. The restore process can take
up to several hours; the process time depends on the size of the backup archive that must be
restored. When complete, a confirmation message is displayed.
A window provides the status of the restore process, and provides any errors for each host and
instructions for resolving the errors.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
Select the archive that you want to restore, and click Restore.
On the Restore a Backup window, configure the following parameters and then
click Restore.
Parameter
Description
Select All
Configuration Items
Indicates that all configuration items are included in the restoration of the
backup archive. This checkbox is selected by default.
Restore Configuration Lists the configuration items to include in the restoration of the
backup archive. All items are selected by default.
Select All Data Items Indicates that all data items are included in the restoration of the
backup archive. This checkbox is selected by default.
Lists the configuration items to include in the restoration of the
Restore Data
backup archive. All items are cleared by default.
Table 1. Restore a Backup parameters
5. Stop the IP table service on each managed host in your deployment. The IP tables is
a Linux®-based firewall.
a. Using SSH, log in to the managed host as the root user.
b. For App Host, type the following commands:
systemctl stop docker_iptables_monitor.timer
systemctl stop iptables
c. For all other managed hosts, type the following command:
service iptables stop
d. Repeat for all managed hosts in your deployment.
6. Ensure that the power is off on the original QRadar console that the backup was taken from.
7. On the Restore a Backup window, click Test Hosts Access.
8. After testing is complete for all managed hosts, verify that the status in the Access
Status column indicates a status of OK.
9. If the Access Status column indicates a status of No Access for a host, stop iptables again,
and then click Test Host Access again to attempt a connection.
10. On the Restore a Backup window, configure the parameters.
Important: By selecting the Installed Applications Configuration checkbox, you restore
the install app configurations only. Extension configurations are not restored. Select
the Deployment Configuration checkbox if you want to restore extension configurations.
11. Click Restore.
12. Click OK.
13. Click OK to log in.
14. Choose one of the following options:
a. If the user interface was closed during the user restore process, open a web browser
and log in to QRadar.
b. If the interface was not closed, the login window is displayed. Log in to QRadar.
15. View the results of the restore process and follow the instructions to resolve any errors.
16. Refresh your web browser window.
17. From the Admin tab, select Advanced > Deploy Full Configuration.
QRadar continues to collect events when you deploy the full configuration. When the event
collection service must restart, QRadar does not restart it automatically. A message displays
that gives you the option to cancel the deployment and restart the service at a more
convenient time.
18. To enable the IP tables for an App Host, type the following command:
systemctl start docker_iptables_monitor.timer
What to do next
After you verify that your data is restored to your system, you must reapply RPMs for any DSMs,
vulnerability assessment (VA) scanners, or log source protocols.
If the backup archive originated on an HA cluster, you must click Deploy Changes to restore the HA
cluster configuration after the restore is complete. If disk replication is enabled, the secondary host
immediately synchronizes data after the system is restored. If the secondary host was removed
from the deployment after a backup, the secondary host displays a failed status on the System and
License Management window.
Restoring data
You can restore the data on your IBM QRadar Console and managed hosts from backup files. The
data portion of the backup files includes information such as source and destination IP address
information, asset data, event category information, vulnerability data, flow data, and event data.
Each managed host in your deployment, including the QRadar Console, creates all backup files in
the /store/backup/ directory. Your system might include a /store/backup mount from an
external SAN or NAS service. External services provide long term, offline retention of data, which is
commonly required for compliancy regulations, such as PCI.
Before you begin
Restriction: If you are restoring data on a new QRadar Console, the configuration backup must be restored
before you restore the data backup.
Ensure that the following conditions are met:
•
•
•
•
You know the location of the managed host where the data is backed up.
If your deployment includes a separate mount point for that volume,
the /store or /store/ariel directory has sufficient space for the data that you want to
recover.
You know the date and time for the data that you want to recover.
If your configuration has been changed, before you restore the data backup, you must
restore the configuration backup.
Procedure
1. Use SSH to log in to IBM QRadar as the root user.
2. Go to the /store/backup directory.
3. To list the backup files, type the following command:
ls -l
4. If backup files are listed, go to the root directory by typing the following command:
cd /
Important: The restored files must be in the /store directory. If you type cd instead of cd
/, the files are restored to the /root/store directory.
5. To extract the backup files to their original directory, type the following command:
tar -zxpvPf /store/backup/backup.name.hostname_hostID .target
date.backup type.timestamp.tgz
File name variable Description
name
The name of the backup.
File name variable Description
hostname_hostID
The name of the QRadar system that hosts the backup file followed by the
identifier for the QRadar system.
target date
The date that the backup file was created. The format of the target date
is day_month_year.
backup type
The options are data or config.
timestamp
The time that the backup file was created.
Table 1. Description of file name variables
Results
Daily backup of data captures all data on each host. If you want to restore data on a managed host
that contains only event or flow data, only that data is restored to that host. If you want to maintain
the restored data, increase your data retention settings to prevent the nightly disk maintenance
routines from deleting your restored data.
Verifying restored data
Verify that your data is restored correctly in IBM QRadar.
Procedure
1. To verify that the files are restored, review the contents of one of the restored directories by
typing the following command:
cd /store/ariel/flows/payloads/<yyyy/mm/dd>
cd /store/ariel/events/payloads/<yyyy/mm/dd>
You can view the restored directories that are created for each hour of the day. If directories
are missing, data might not be captured for that time period.
2. Verify that the restored data is available.
a. Log in to the QRadar interface.
b. Click the Log Activity or Network Activity tab.
c. Select Edit Search from the Search list on the toolbar.
d. In the Time Range pane of the Search window, select Specific Interval.
e. Select the time range of the data you restored and then click Filter.
f. View the results to verify the restored data.
g. If your restored data is not available in the QRadar interface, verify that data is
restored in the correct location and file permissions are correctly configured.
Restored files must be in the /store directory. If you typed cd instead of cd
/ when you extracted the restored files, check the /root/store directory for the
restored files. If you did not change directories before you extracted the restored
files, check the /store/backup/store directory for the restored files.
Typically, files are restored with the original permissions. However, if the files are not
owned by the root user account, issues might occur. The correct ownership of
directories and files
in /store/ariel/events/payloads and /store/ariel/flows/payloads
is root:root. If the files and folders do not have the correct ownership, change the
ownership by using the chown command.
The correct permissions of directories and files
in /store/ariel/events/payloads and /store/ariel/flows/payloads
is 755 for folders, and 644 for files. If the files and folders do not have the correct
permissions, change the permissions by using the chmod command.
What to do next
After you verified that your data is restored, you must complete an auto update in QRadar. The auto
update ensures DSMs, vulnerability assessment (VA) scanners, and log source protocols are at the
latest version. For more information, see c_tuning_guide_deploy_dsmupdates.html.
Retrieving backup files missing from the disk
When the backup files are missing from the disk, the respective backup table entry on the Backup
and Recovery page is marked with an exclamation icon to show that the file is not retrievable. Files
that are missing cannot be downloaded or restored. This issue can occur when you are using
external storage that is no longer available, or is offline.
Procedure
1. On the Admin tab, click Backup and Recovery.
2. If the external storage is offline or no longer available, delete the table entry by using
the Delete option at the top of the Backup and Recovery page.
Note: If you are not expecting this behavior and are using external storage for your backup
archive location, investigate whether the storage system is still accessible. If it is offline, and
you are able to restore the directory, the indicator icons are automatically updated and
removed when the system detects the restored files.
3. On the Backup and Recovery page, click Configure and take note of the Backup
Repository Path.
4. Log out of QRadar® and log back in to ensure that the files are again accessible by fixing the
external mount or restoring missing files to the appropriate backup location.
5. Refresh the Backup and Recovery page to synchronize the backups.
WinCollect files are not restored during a configuration restore
When you complete a configuration restore and some WinCollect files are not restored, it might be
because the installation ISO contains a previous version of WinCollect.
The QRadar® ISO contains a built-in version of WinCollect. When you restore by using that ISO,
it deploys the WinCollect files that are stored in that ISO, rather than the files from your
backup.
To remedy this issue, you must install the WinCollect SFS that matches the version
of WinCollect in your backup before you restore the configuration. Perform the following
tasks in this order:
1. Perform QRadar backup.
2. Bring new hardware online and deploy the ISO.
3. Install the WinCollect SFS that matches the version of WinCollect in your backup on the
Console.
4. Restore the configuration backup.
The appropriate WinCollect files are deployed with the configuration restore.
Backup and restore applications
IBM QRadar provides a way to backup and restore application configurations separate from the
application data.
Application configurations are backed up as part of the nightly configuration backup. The
configuration backup includes apps that are installed on the QRadar Console and on an App
Host. You can restore the application configuration by selecting the Installed Applications
Configuration option when you restore a backup.
Application data is backed up separate from the application configuration by using an easy-touse script that runs nightly. You can also use the script to restore the app data, and to
configure backup times and data retention periods for app data.
•
Backing up and restoring apps
Use the IBM QRadar Backup and Recovery window on the Admin tab to back up and restore
apps.
About this task
You can back up your apps by creating a configuration backup. For information on backing
up your apps, see Backup QRadar configurations and data. A configuration backup does not
back up your app's data. For information on backing up your app's data, see Backing up and
restoring app data.
If an App Host is attached to your QRadar Console, the App Host's configuration is backed up
as part of the console's Deployment Configuration. You cannot restore an App Host on
a QRadar Console with a different IP address than the App Host was initially configured with.
Commented [LER1]: Aquí y hay que vlaidar si esta ien la
gia
By default, apps are restored to console unless an App Host is present. If QRadar cannot
restore apps to your App Host, it attempts to back restore them to the QRadar Console. The
number of App Host apps that can be restored onto the console is constrained by the amount
of memory that is available on the QRadar Console. Apps that are defined as node_only in
their application manifest file cannot be restored to the QRadar Console.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
Select an existing backup in the Backup and Recovery window and click Restore.
Ensure that the Installed Applications Configuration check box is selected, and
click Restore.
Note: By selecting the Installed Applications Configuration check box, you restore
the install app configurations only. Extension configurations are not restored. Select
the Deployment Configuration check box if you want to restore extension
configurations.
•
Backing up and restoring app data
Use the app-volume-backup.py script to back up and recover app data.
About this task
A configuration backup that you do on the backup and Recovery window does not back up
your apps' data. The /opt/qradar/bin/app-volume-backup.py script runs nightly at
2:30 AM, and backs up each installed application's /store mounted volume. By default,
data is retained for 7 days.
Use the script to do the following tasks:
•
•
•
•
Back up data manually for installed apps.
List all installed app data backups on the system.
Restore data for installed apps.
Run the retention process and set the retention period for backups.
This script is on both the QRadar® Console and the App Host if one is installed. The script
backs up app data only if apps are on the current host.
Procedure
1. Use SSH to log in to your Console or your App Host as the root user.
2. Go to the /opt/qradar/bin/ directory.
o Use the following command to back up app data:
./app-volume-backup.py backup
The app-volume-backup.py script runs nightly at 2:30 AM local time to
back up all installed apps. Backup archives are stored in
the /store/apps/backup folder. You can change the backup archives
location by editing the APP_VOLUME_BACKUP_DIR variable
in /store/configservices/staging/globalconfig/nva.conf.
You must deploy changes after you edit this variable.
o
To view all data backups for installed apps, enter the following command:
./app-volume-backup.py ls
This command outputs all backup archives that are stored in the backup
archives folder.
o
To restore a backup archive, enter the following command:
./app-volume-backup.py restore -i
<backup_name>
Use the ls command to find the name of a backup archive.
o
New in 7.5.0To restore data for a specific application instance, rather than
restoring all instances, enter the following command:
./app-volume-backup.py restore-interactive -i
<backup name>
Note: This function was added in QRadar 7.5.0 Update Package 1, and works
only with backups that were created after updating to 7.5.0 Update Package 1.
o
New in 7.5.0 Update Package 6To backup data for an individual application
instance, enter the following command:
/opt/qradar/bin/app-volume-backup.py backup -u
<app definition
uuid>
In a multitenant deployment, you must specify the security profile associated
with the application instance that you want to backup. For
example, /opt/qradar/bin/app-volume-backup.py backup -u <app
definition uuid> -s <security profile id>
o
New in 7.5.0 Update Package 6To restore data for an individual application
instance, enter the following command:
/opt/qradar/bin/app-volume-backup.py restore -i
<backup
tarball> -n -u <app definition uuid>
In a multitenant deployment, you must specify the security profile associated
with the application instance that you want to restore. For
example, /opt/qradar/bin/app-volume-backup.py restore -i <backup
tarball> -n -u <app definition uuid> -s <security profile
id>
o
By default, all backup archives are retained for one week. The retention
process runs nightly at 2:30 AM local time with the backup.
▪ To perform retention manually, and use the default retention period,
enter the following command:
./app-volume-backup.py retention
▪
You can also set the retention period manually by adding -t (time defaults to 1) and -p (period - defaults to 0) switches.
The -p switch accepts three values: 0 for a week, 1 for a day, and 2 for
an hour.
For example, to set the retention period for a backup to 3 weeks, enter
the following command:
./app-volume-backup.py retention -t 3 -p 0
o
If you want to change the retention time that is used by the nightly timer, add
flags to the retention command found in the following systemd service file.
/usr/lib/systemd/system/app-data-backup.service
For example, to change the retention period that is used by the nightly
retention process to 5 days, locate the following line:
ExecStart=/opt/qradar/bin/app-volume-backup.py retention
Replace it with:
ExecStart=/opt/qradar/bin/app-volume-backup.py retention -t 5 -p 1
Save your changes, and run the systemctl daemon-reload command for
systemd to apply the changes.
3. App containers are restarted automatically after the restore is complete.
Data redundancy and recovery in QRadar deployments
To safeguard from data loss, configure your deployments to include data redundancy and recovery
functionality. Data Synchronization is possible when you have two identical QRadar systems in
separate geographic environments that are a mirror of each other, and data is synchronized at both
sites. Forwarding data uses off-site forwarding, which is set up on both the primary and secondary
deployments. You can set up data synchronization with deployments that are in different
geographical locations.
Data Synchronization App
Implement the Data Synchronization app to safeguard your IBM® QRadar® configurations and
data by mirroring your data to another identical QRadar system. Recovery from a data loss is
possible when you have two identical QRadar systems in separate geographic environments that
are a mirror of each other, and data is collected at both sites. To learn more about the Data
Synchronization app, see Redundancy and recovery for QRadar deployments.
If you do not meet the requirements for the Data Synchronization app, the following are
some alternative solutions. Recovery from data loss is possible when you forward live data,
for example, flows and events from a primary QRadar system, to a parallel system at another
site.
Primary QRadar Console and backup console
A hardware failure solution, where the backup console is a copy of the primary server, with
the same configuration but stays powered off. Only one console is operational at any one
time. If the primary console fails, you manually turn the power on the backup console,
apply the primary configuration backup, and use the IP address from the primary console.
After you restore the primary server and before you turn it on, you manually turn off the
backup server. If the system is down for a long time, apply the backup console
configuration backup to the primary server.
Event and flow forwarding
Events and flows are forwarded from a primary site to a secondary site. Identical
architectures in two separate data centers are required.
Distributing the same events and flows to the primary and secondary sites
Distribute the same event and flow data to two live sites by using a load balancer or other
method to deliver the same data to mirrored appliances. Each site has a record of the log
data that is sent.
•
Primary QRadar Console and backup QRadar Console
When the primary QRadar Console fails and you want the backup QRadar Console to
take up the role of the primary, you manually turn the power on the backup console,
apply the configuration backup and the IP address from the primary. Use a similar
switchover method for other appliances such as a QRadar Flow Collector or an Event
Collector, where each appliance has a cold backup or spare that is an identical
appliance.
The backup console takes over the primary QRadar Console role from the time of activation,
and does not store past events, flow, or offenses from the original primary QRadar Console.
Use this type of deployment for your appliances, to minimize downtime, when there is a
hardware failure.
•
•
•
A backup console requires its own dedicated license key (matching the EPS
and FPM values of the primary console).
The backup console uses a standard appliance Activation key.
The license configuration of the backup console needs to match the values of
the primary QRadar Console; this includes the EPS and FPS values of the
primary QRadar Console.
Example: If the primary QRadar Event Processor was licensed for 15K EPS,
the redundant backup console should also be licensed for 15K EPS.
•
•
•
There are special failover upgrade parts that need to be purchased for the
backup console.
From a technical perspective, the license for both primary and backup
consoles are identical, however for compliance reasons the backup console
(and associated license) cannot not be processing live data unless a failure has
occurred with the primary QRadar Console.
Data collected by the backup console will need to be copied back to the
Primary console when the Primary console once again becomes functional.
If the primary fails, take the following steps to set up the backup console as the
primary QRadar Console:
1. Power on the backup console.
2. Add the IP address from the primary console.
3. Restore configuration backup data from the primary console to the backup
console.
The backup console functions as the primary console until the primary console is
brought back online. Ensure that both servers are not online at the same time.
•
Configuring the IP address on the backup console
When the primary QRadar Console fails, you configure the secondary backup
console to take on the primary console role. Add the IP address of the
failed QRadar Console to the backup console so that your QRadar system
continues to function.
Procedure
1. Use SSH to log in to as the root user.
2. To configure the IP address on the backup console, follow these steps:
a. Type the following command:
qchange_netsetup
Note: Verify all external storage which is not /store/ariel or
/store is not mounted.
•
Backup and recovery
Back up your IBM® QRadar configuration information and data so that you
can recover from a system failure or data loss.
Use the backup and recovery that is built-in to QRadar to back up your
data. However, you must restore the data manually. By
default, QRadar creates a daily backup archive of your configuration
information at midnight. The backup archive includes configuration
information, generated data, or both from the previous day.
You can create the following types of backup:
•
•
•
Configuration backups, which include system configuration data, for
example, assets and log sources in your QRadar deployment.
Data backups, which include information that is generated by a
working QRadar deployment such as log information or event dates.
Event and flow forwarding from a primary data center to another data center
To ensure that there is a redundant data store for events, flows, offenses, and that there is an
identical architecture in two separate data centers, forward event and flow data from site 1
to site 2.
The following information is provided only for general guidance and is not intended or
designed as a how-to guide.
This scenario is dependent upon site 1 remaining active. If site 1 fails, data is not
transmitted to Site 2, but the data is current up to the time of failure. In the case of
failure at site 1, you implement recovery of your data, by manually changing IP
addresses and use a backup and restore to fail over from site 1 to site 2, and to switch
to site 2 for all QRadar® hosts.
The following list describes the setup for event and flow forwarding from the primary
site to the secondary site:
•
•
•
There is an identical distributed architecture in two separate data centers, which
includes a primary data center and a secondary data center.
The primary QRadar Console is active and collecting all events and flows from log
sources and is generating correlated offenses.
You configure off-site targets on the primary QRadar Console to enable forwarding of
event and flow data from the primary data center to the event and flow processors in
another data center.
Fast path: Use routing rules instead of off-site targets because the setup is easier.
•
Periodically, use the content management tool to update content from the
primary QRadar Console to the secondary QRadar Console.
For more information about forwarding destinations and routing rules, see the IBM
QRadar Administration Guide.
In the case of a failure at site 1, you can use a high-availability (HA) deployment to
trigger an automatic failover to site 2. The secondary HA host on site 2 takes over the
role of the primary HA host on site 1. Site 2 continues to collect, store, and process
event and flow data. Secondary HA hosts that are in a standby state don't have services
that are running but data is synchronized if disk replication is enabled. For more
information about HA deployment planning, see HA deployment planning.
Note: You can use a load balancer to divide events, and split flows such as NetFlow, J-Flow, and sFlow
but you can't use a load balancer to split QFlows. Use external technologies such as a regenerative tap
to divide QFlow and send to the backup site.
The following diagram shows how site 2 is used as a redundant data store for site 1.
Event and flow data are forwarded from site 1 to site 2.
Figure 1. Event and flow forwarding from site 1 to site 2 for disaster recovery
•
Event and flow forwarding configuration
For data redundancy, configure IBM® QRadar systems to forward data from one site to a
backup site.
The target system that receives the data from QRadar is known as a forwarding
destination. QRadar systems ensure that all forwarded data is unaltered. Newer
versions of QRadar systems can receive data from earlier versions
of QRadar systems. However, earlier versions cannot receive data from later
versions. To avoid compatibility issues, upgrade all receivers before you
upgrade QRadar systems that send data. Follow these steps to set up forwarding:
1. Configure one or more forwarding destinations.
A forwarding destination is the target system that receives the event and flow
data from the IBM QRadar primary console. You must add forwarding
destinations before you can configure bulk or selective data forwarding. For more
information about forwarding destinations, see the IBM QRadar Administration
Guide.
2. Configure routing rules, custom rules, or both.
After you add one or more forwarding destinations for your event and flow data,
you can create filter-based routing rules to forward large quantities of data. For
more information about routing rules, see the IBM QRadar Administration Guide.
3. Configure data exports, imports, and updates.
You use the content management tool to move data from your primary QRadar
Console to the QRadar secondary console. Export security and configuration
content from IBM QRadar into an external, portable format.
•
Load balancing of events and flows between two sites
When you are running two live IBM QRadar deployments at both a primary and secondary
site, you send event and flow data to both sites. Each site has a record of the log data that is
sent. Use the content management tool to keep the data synchronized between the
deployments
The following diagram shows two live sites, where data from each site is replicated to
the other site.
Figure 1. Load balancing of events and flows between two sites
•
Restoring configuration data from the primary to the secondary QRadar Console
After you set up the secondary QRadar Console as the destination for the logs, you either add
or import a backup archive from the primary QRadar Console. You can restore a backup
archive that is created on another QRadar host. Log in to the secondary QRadar Console and
do a full restore of the primary console backup archive to the secondary QRadar Console.
•
Event and flow data redundancy
Send the same events and flows to separate data centers or geographically separate sites
and enable data redundancy by using a load balancer or other method to deliver the same
data to mirrored appliances.
Backup and Restore the QRadar Analyst Workflow
If you need to restore QRadar Analyst Workflow to a different QRadar console, you must
reinstall QRadar Analyst Workflow after the QRadar restore.
Data back up and restore
You can use a command-line interface (CLI) script to back up data that is stored on IBM® QRadar®
SIEM Console managed hosts.
You can use the CLI script to restore IBM QRadar Risk Manager after a data failure or hardware
failure on the appliance.
A backup script is included in QRadar Risk Manager, which can be scheduled by using crontab. The
script automatically creates a daily archive of QRadar Risk Manager data at 3:00 AM. By
default, QRadar Risk Manager keeps the last five backups. If you have network or attached storage,
you must create a cron job to copy QRadar Risk Manager back archives to a network storage
location.
The backup archive includes the following data:
•
•
•
•
•
QRadar Risk Manager device configurations
Connection data
Topology data
Policy Monitor questions
QRadar Risk Manager database tables
For information about migrating from QRadar Risk Manager Maintenance Release 5 to this current
release, see the IBM QRadar Risk Manager Migration Guide.
Prerequisites for backing up and restoring data
You must understand how data is backed up, stored, and archived before you back up and restore
your data.
Data backup location
Data is backed up in the /store/qrm_backups local directory. Your system might include a
mount /store/backup from an external SAN or NAS service. External services provide long-term
offline retention of data. Long-term storage might be required for compliance regulations, such as
Payment Card Industry (PCI) standards.
Appliance version
The version of the appliance that created the backup in the archive is stored. A backup can be
restored only in an IBM® QRadar® Risk Manager appliance if it is the same version.
Data backup frequency and archival information
Daily data backups are created at 3:00 AM. Only the last five backup files are stored. A backup
archive is created if there is enough free space on QRadar Risk Manager.
Format of backup files
Use the following format to save backup files:
backup-<target date>-<timestamp>.tgz
Where, <target date> is the date that the backup file was created.
The format of the target date is <day>_<month>_<year>. <timestamp> is the time that the
backup file was created.
The format of the time stamp is <hour>_<minute>_<second>.
Backing up your data
Automatic backup occurs daily, at 3:00 AM, or you can start the backup process manually.
Procedure
1. Using SSH, log in your IBM® QRadar® SIEM Console as the root user.
2. Using SSH from the QRadar Console, log in to QRadar Risk Manager as the root user.
3. Start a QRadar Risk Manager backup by typing the following command:
/opt/qradar/bin/dbmaint/risk_manager_backup.sh
Results
The script that is used to start the backup process might take several minutes to start.
The following message is an example of the output that is displayed, after the script completes the backup
process:
Fri Sep 11 10:14:41 EDT 2015
- Risk Manager Backup complete,
wrote /store/qrm_backups/backup-2015-09-11-10-14-39.tgz
Restoring data
You can use a restore script to restore data from a QRadar Risk Manager backup.
Before you begin
The QRadar Risk Manager appliance and the backup archive must be the same version of QRadar Risk
Manager. If the script detects a version difference between the archive and the QRadar Risk
Manager managed host, an error is displayed.
About this task
Use the restore script to specify the archive that you are restoring to QRadar Risk Manager. This
process requires you to stop services on QRadar Risk Manager. Stopping services logs off all QRadar
Risk Manager users and stops multiple processes.
The following table describes the parameters that you can use to restore a backup archive.
OptionDescription
-f
Overwrites any existing QRadar Risk Manager data on your system with the data in the restore file.
Selecting this parameter allows the script to overwrite any existing device configurations in
Configuration Source Management with the device configurations from the backup file.
-w
Do not delete directories before you restore QRadar Risk Manager data.
-h
The help for the restore script.
Table 1. Parameters used to restore a backup archive to QRadar Risk Manager
Procedure
1.
2.
3.
4.
Using SSH, log in your IBM® QRadar SIEM Console as the root user.
Using SSH from the QRadar SIEM Console, log in to QRadar Risk Manager as the root user.
Stop hostcontext by typing systemctl stop hostcontext.
Type the following command to restore a backup archive to QRadar Risk Manager:
/opt/qradar/bin/risk_manager_restore.sh -r /store/qrm_backups/<backup>.
Where <backup> is the QRadar Risk Manager
archive that you want to restore.
For example, backup-2012-09-11-10-14-39.tgz.
5. Start hostcontext by typing systemctl start hostcontext.
Scheduling nightly backup
Use the Backup Recovery Configuration window to configure a night scheduled backup process.
About this task
By default, the nightly backup process includes only your configuration files.
Note: The nightly backup starts running at midnight in the timezone where the QRadar Console is installed.
If QRadar automatic updates are scheduled to run at the same time, the performance of QRadar might be
impacted.
The Backup Recovery Configuration window provides the following parameters:
ParameterDescription
General Backup Configuration
Type the location where you want to store your backup file. The default location
is /store/backup. This path must exist before the backup process is initiated. If this
path does not exist, the backup process aborts.
If you modify this path, make sure the new path is valid on every system in your
deployment.
If you change the path to the backup repository, all files in the previous repository
automatically are moved to the new path.
The directory must match one of the following formats:
Backup
Repository
• /store/backup/*
Path
•
•
•
/mount/*
/mnt/*
/home/*
Active data is stored on the /store directory. If you have both active data and backup
archives stored in the same directory, data storage capacity might easily be reached and
your scheduled backups might fail. We recommend you specify a storage location on
another system or copy your backup archives to another system after the backup process
is complete. You can use a Network File System (NFS) storage solution in
your QRadar deployment. For more information on using NFS, see the Offboard Storage
Guide.
Type or select the length of time, in days, that you want to store backup files. The default
Backup
Retention is 7 days.
Period
(days)
This period of time only affects backup files generated as a result of a scheduled process.
On-demand backups or imported backup files are not affected by this value.
ParameterDescription
Nightly
Backup
Schedule
Select a backup option.
This option is only displayed if you select the Configuration and Data Backups option.
Select the All hosts in your deployment are listed. The first host in the list is your Console; it is
managed enabled for data backup by default, therefore no check box is displayed. If you have
hosts you managed hosts in your deployment, the managed hosts are listed below the Console and
would like each managed host includes a check box.
to run data
backups: Select the check box for the managed hosts you want to run data backups on.
For each host (Console or managed hosts), you can optionally clear the data items you
want to exclude from the backup archive.
Configuration Only Backup
Backup
Type or select the length of time, in minutes, that you want to allow the backup to run. The
Time Limit default is 180 minutes. If the backup process exceeds the configured time limit, the backup
(min)
process is automatically canceled.
Backup
Priority
From this list box, select the level of importance that you want the system to place on the
configuration backup process compared to other processes.
A priority of medium or high have a greater impact on system performance.
Data Backup
Backup
Type or select the length of time, in minutes, that you want to allow the backup to run. The
Time Limit default is 1020 minutes. If the backup process exceeds the configured time limit, the backup is
(min)
automatically canceled.
Backup
Priority
From the list, select the level of importance you want the system to place on the data
backup process compared to other processes.
A priority of medium or high have a greater impact on system performance.
Table 1. Backup Recovery Configuration parameters
Procedure
1.
2.
3.
4.
5.
6.
7.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
On the toolbar, click Configure.
On the Backup Recovery Configuration window, customize your nightly backup.
Click Save.
Close the Backup Archives window.
On the Admin tab, click Deploy Changes.
Backup QRadar configurations and data
By default, IBM® QRadar® creates a backup archive of your configuration information daily at
midnight.
Scheduling nightly backup
Use the Backup Recovery Configuration window to configure a night scheduled backup process.
Use the Backup Recovery Configuration window to configure a night scheduled backup process.
About this task
By default, the nightly backup process includes only your configuration files.
Note: The nightly backup starts running at midnight in the timezone where the QRadar Console is installed.
If QRadar automatic updates are scheduled to run at the same time, the performance of QRadar might be
impacted.
The Backup Recovery Configuration window provides the following parameters:
ParameterDescription
General Backup Configuration
Type the location where you want to store your backup file. The default location
is /store/backup. This path must exist before the backup process is initiated. If this
path does not exist, the backup process aborts.
If you modify this path, make sure the new path is valid on every system in your
deployment.
If you change the path to the backup repository, all files in the previous repository
automatically are moved to the new path.
The directory must match one of the following formats:
Backup
Repository
• /store/backup/*
Path
•
•
•
/mount/*
/mnt/*
/home/*
Active data is stored on the /store directory. If you have both active data and backup
archives stored in the same directory, data storage capacity might easily be reached and
your scheduled backups might fail. We recommend you specify a storage location on
another system or copy your backup archives to another system after the backup process
is complete. You can use a Network File System (NFS) storage solution in
your QRadar deployment. For more information on using NFS, see the Offboard Storage
Guide.
ParameterDescription
Type or select the length of time, in days, that you want to store backup files. The default
Backup
Retention is 7 days.
Period
This period of time only affects backup files generated as a result of a scheduled process.
(days)
On-demand backups or imported backup files are not affected by this value.
Nightly
Backup
Schedule
Select a backup option.
This option is only displayed if you select the Configuration and Data Backups option.
Select the All hosts in your deployment are listed. The first host in the list is your Console; it is
managed enabled for data backup by default, therefore no check box is displayed. If you have
hosts you managed hosts in your deployment, the managed hosts are listed below the Console and
would like each managed host includes a check box.
to run data
backups: Select the check box for the managed hosts you want to run data backups on.
For each host (Console or managed hosts), you can optionally clear the data items you
want to exclude from the backup archive.
Configuration Only Backup
Backup
Type or select the length of time, in minutes, that you want to allow the backup to run. The
Time Limit default is 180 minutes. If the backup process exceeds the configured time limit, the backup
(min)
process is automatically canceled.
Backup
Priority
From this list box, select the level of importance that you want the system to place on the
configuration backup process compared to other processes.
A priority of medium or high have a greater impact on system performance.
Data Backup
Backup
Type or select the length of time, in minutes, that you want to allow the backup to run. The
Time Limit default is 1020 minutes. If the backup process exceeds the configured time limit, the backup is
(min)
automatically canceled.
Backup
Priority
From the list, select the level of importance you want the system to place on the data
backup process compared to other processes.
A priority of medium or high have a greater impact on system performance.
Table 1. Backup Recovery Configuration parameters
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
On the toolbar, click Configure.
On the Backup Recovery Configuration window, customize your nightly backup.
Click Save.
6. Close the Backup Archives window.
7. On the Admin tab, click Deploy Changes.
Creating an on-demand configuration backup archive
If you must back up your configuration files at a time other than your nightly scheduled backup,.
On-demand backup archives include only configuration information.
During the backup process, system performance is affected.
Procedure
1.
2.
3.
4.
Option
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
From the toolbar, click On Demand Backup.
Enter values for the following parameters:
Description
Type a unique name that you want to assign to this backup archive. The name can be up
to 100 alphanumeric characters in length. The name can contain following characters:
underscore (_), dash (-), or period (.).
DescriptionType a description for this configuration backup archive. The description can be up to
255 characters in length.
Name
5. Click Run Backup.
You can start a new backup or restore processes only after the on-demand backup is
complete. You can monitor the backup archive process in the Backup Archives window.
Data retention
Retention buckets define how long event and flow data is retained in IBM® QRadar®.
As QRadar receives events and flows, each one is compared against the retention bucket filter
criteria. When an event or flow matches a retention bucket filter, it is stored in that retention
bucket until the deletion policy time period is reached. The default retention period is 30 days;
then, the data is immediately deleted.
Retention buckets are sequenced in priority order from the top row to the bottom row. A record is
stored in the bucket that matches the filter criteria with highest priority. If the record does not
match any of your configured retention buckets, the record is stored in the default retention bucket,
which is always located below the list of configurable retention buckets.
Tenant data
You can configure up to 10 retention buckets for shared data, and up to 10 retention buckets for
each tenant.
When data comes into the system, the data is assessed to determine whether it is shared data or
whether the data belongs to a tenant. Tenant-specific data is compared to the retention bucket
filters that are defined for that tenant. When the data matches a retention bucket filter, the data is
stored in that retention bucket until the retention policy time period is reached.
If you don't configure retention buckets for the tenant, the data is automatically placed in the
default retention bucket for the tenant. The default retention period is 30 days, unless you
configure a tenant-specific retention bucket.
For more information about tenant data retention, see Retention policies for tenants.
Configuring retention buckets
Configure retention policies to define how long IBM QRadar is required to keep event and flow data,
and what to do when that data reaches a certain age.
About this task
Changes to the retention bucket filters are applied immediately to incoming data only. For example,
if you configured a retention bucket to retain all data from source IP address 10.0.0.0/8 for 1 day,
and you later edit the filter to retain data from source IP 192.168.0.1, the change is not retroactive.
Immediately upon changing the filter, the retention bucket has 24 hours of 10.0.0.0/8 data, and all
data that is collected after the filter change is 192.168.0.1 data.
The retention policy on the bucket is applied to all data in the bucket, regardless of the filters
criteria. Using the previous example, if you changed the retention policy from 1 day to 7 days, both
the 10.0.0.0/8 data and the 192.168.0.1 data in the bucket is retained for 7 days.
The Distribution of a retention bucket indicates the retention bucket usage as a percentage of total
data retention in all your retention buckets. The distribution is calculated on a per-tenant basis.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Data sources section, click Event Retention or Flow Retention.
3. If you configured tenants, in the Tenant list, select the tenant that you want the retention
bucket to apply to.
Note: To manage retention policies for shared data in a multi-tenant configuration,
choose N/A in the Tenant list.
4. To configure a new retention bucket, follow these steps:
a. Double-click the first empty row in the table to open the Retention
Properties window.
b. Configure the retention bucket parameters.
Learn more about retention bucket parameters:
Properties Description
Name
Type a unique name for the retention bucket.
Keep data The retention period that specifies how long the data is to be kept. When the retention period is
placed in
reached, data is deleted according to the Delete data in this
this bucket
bucket parameter. QRadar does not delete data within the retention period.
for
Select Immediately after the retention period has expired to delete data immediately on
matching the Keep data placed in this bucket for parameter. The data is deleted
at the next scheduled disk maintenance process, regardless of disk storage requirements.
Select When storage space is required to keep data that matches the Keep data
placed in this bucket for parameter in storage until the disk monitoring
system detects that storage is required.
Delete data
Deletions that are based on storage space begin when the free disk space drops to 15%
in this
bucket
or less, and the deletions continue until the free disk space is 18% or the policy time
frame that is set in the Keep data placed in this bucket for field runs out. For example,
if the used disk space reaches 85% for records, data is deleted until the used percentage
drops to 82%. When storage is required, only data that matches the Keep data placed
in this bucket for field is deleted.
If the bucket is set to Delete data in this bucket: immediately after the retention
period has expired, no disk space checks are done and the deletion task immediately
removes any data that is past the retention.
DescriptionType a description for the retention bucket.
Current
Filters
Configure the filter criteria that each piece of data is to be compared against.
c. Click Add Filter after you specify each set of filter criteria.
d. Click Save.
5. To edit an existing retention bucket, select the row from the table and click Edit.
6. To delete a retention bucket, select the row from the table and click Delete.
7. Click Save.
Incoming data that matches the retention policy properties is immediately stored in the
retention bucket.
Managing retention bucket sequence
You can change the order of the retention buckets to ensure that data is being matched against the
retention buckets in the order that matches your requirements.
About this task
Retention buckets are sequenced in priority order from the top row to the bottom row on the Event
Retention and Flow Retention windows. A record is stored in the first retention bucket that matches the record
parameters.
You cannot move the default retention bucket. It always resides at the bottom of the list.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Data sources section, click Event Retention or Flow Retention.
3. If you configured tenants, in the Tenant list, select the tenant for the retention buckets that
you want to reorder.
Note: To manage retention policies for shared data in a multi-tenant configuration,
choose N/A in the Tenant list.
4. Select the row that corresponds to the retention bucket that you want to move, and
click Up or Down to move it to the correct location.
5. Click Save.
Enabling and disabling a retention bucket
When you configure and save a retention bucket, it is enabled by default. You can disable a bucket
to tune your event or flow retention.
About this task
When you disable a bucket, any new events or flows that match the requirements for the disabled
bucket are stored in the next bucket that matches the event or flow properties.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Data sources section, click Event Retention or Flow Retention.
3. If you configured tenants, in the Tenant list, select the tenant for the retention bucket that
you want to change.
Note: To manage retention policies for shared data in a multi-tenant configuration,
choose N/A in the Tenant list.
4. Select the retention bucket you want to disable, and then click Enable/Disable.
Deleting a Retention Bucket
When you delete a retention bucket, only the criteria that defines the bucket is deleted. The events
or flows that were stored in the bucket are collected by the default retention bucket. The default
retention period is 30 days; then, the data is immediately deleted.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Data sources section, click Event Retention or Flow Retention.
3. If you configured tenants, in the Tenant list, select the tenant for the retention bucket that
you want to delete.
Note: To manage retention policies for shared data in a multi-tenant configuration,
choose N/A in the Tenant list.
4. Select the retention bucket that you want to delete, and then click Delete.
TASK: 1.5 Configure custom SNMP and email templates
SUBTASKS:
Customizing the SNMP trap output
IBM® QRadar® uses SNMP to send traps that provide information when rule conditions are met.
By default, QRadar uses the QRadar management information base (MIB) to manage the devices in
the communications network. However, you can customize the output of the SNMP traps to adhere
to another MIB.
Important: SNMPv3 rule responses are sent out as SNMP informs and not traps.
Procedure
1. Use SSH to log in to QRadar as the root user.
2. Go to the /opt/qradar/conf directory and make backup copies of the following files:
o eventCRE.snmp.xml
o offenseCRE.snmp.xml
3. Open the configuration file for editing.
o To edit the SNMP parameters for event rules, open the eventCRE.snmp.xml file.
o To edit the SNMP parameters for offense rules, open
the offenseCRE.snmp.xml file.
4. To change the trap that is used for SNMP trap notification, update the following text with the
appropriate trap object identifier (OID):
5. -<creSNMPTrap version="3" OID="1.3.6.1.4.1.20212.1.1"
name="eventCRENotification">
6. Use the following table to help you update the variable binding information:
Each variable binding associates a particular MIB object instance with its current value.
Value type
Description
Example
Alphanumeric
characters
string
You can
configure
multiple
values.
A numerical name="ATTACKER_PORT"
integer32
type="integer32">%ATTACKER_PORT%
value
Each SNMP
trap carries
an identifier
that is
OID="1.3.6.1.4.1.20212.2.46"
oid
assigned to
an object
within the
MIB
A numerical
gauge32
value range
A numerical
value that
increments
within a
counter64
defined
minimum and
maximum
range
Table 1. Value types for variable binding
7. For each of the value types, include any of the following fields:
Field
Description
Example
Example: 1If the value type is ipAddress, you
For more information about these fields, see must use a variable that is an IP address. The
Native
the /opt/qradar/conf/snmp.help file.string value type accepts any format.
Example: 1If you used the default file information
and want to include this information in the SNMP
trap, include the following code:
Custom
Custom SNMP trap information that you
configured for the custom rules wizard
<variableBinding name="My Color
Variable Binding"
OID="1.3.6.1.4.1.20212.3.1"
type="string">
My favorite color
is %MyColor%</variableBinding>
Field
Description
Example
1Surround
the field name with percentage (%) signs. Within the percentage signs, fields must match
the value type.
Table 2. Fields for the variable bindings
8. Save and close the file.
9. Copy the file from the /opt/qradar/conf directory to
the /store/configservices/staging/globalconfig directory.
10. Log in to the QRadar as an administrator.
11. On the navigation menu ( ), click Admin.
12. Select Advanced > Deploy Full Configuration.
Important: QRadar continues to collect events when you deploy the full configuration.
When the event collection service must restart, QRadar does not restart it automatically. A
message displays that gives you the option to cancel the deployment and restart the service
at a more convenient time.
Configuring custom offense email notifications
You can create templates for email notifications that are triggered for offenses.
You customize the content that is included in the email notification by editing the alertconfig.xml file.
You must create a temporary directory where you can safely edit your copy of the files, without the
risk of overwriting the default files. After you edit and save the alert-config.xml file, you must
run a script that validates your changes. The validation script automatically applies your changes to
a staging area. You must deploy the full configuration to rebuild the configuration files for all
appliances.
Procedure
1. Use SSH to log in to the QRadar® Console as the root user.
2. Create a new temporary directory to use to safely edit copies of the default files.
3. Type the following command to copy the files that are stored in
the custom_alerts directory to the temporary directory:
cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.*
<directory_name>
The <directory_name> is the name of the temporary directory that you created.
If the file does not exist in the staging directory, you might find it in
the /opt/qradar/conf/templates/custom_alerts directory.
4. Confirm that the files were copied successfully:
a. To list the files in the directory, type ls -lah.
b. Verify that the alert-config.xml file is listed.
5. Open the alert-config.xml file for editing.
6. Add a new <template> element for the new offense template.
a. Required: Enter offense for the template type value.
<templatetype>offense</templatetype>
b. Type a name for the offense template.
For example, <templatename>Default offense template</templatename>
If you have more than one template, ensure that the template name is unique.
c. Set the <active> element to true.
<active>true</active>
Important: The <active></active> property must be set to true for each template
type that you want to appear as an option in QRadar. There must be at least one
active template for each type.
d. Edit the parameters in the <body> or <subject> elements to include the information
that you want to see.
The following lists provide the values that you can use in the offense template. $Label
values provide the label for the item and the $Value values provide the data.
Offense parameters
$Value.DefaultSubject
$Value.Intro
$Value.OffenseId
$Value.OffenseStartTime
$Value.OffenseUrl
$Value.OffenseMRSC
$Value.OffenseDescription
$Value.EventCounts
$Label.OffenseSourceSummary
$Value.OffenseSourceSummary
$Label.TopSourceIPs
$Value.TopSourceIPs
$Label.TopDestinationIPs
$Value.TopDestinationIPs
$Label.TopLogSources
$Value.TopLogSources
$Label.TopUsers
$Value.TopUsers
$Label.TopCategories
$Value.TopCategories
$Label.TopAnnotations
$Value.TopAnnotations
$Label.ContributingCreRules
$Value.ContributingCreRules
Configuring event and flow custom email
notifications
When you configure rules in IBM® QRadar®, specify that each time the rule generates a response,
an email notification is sent to recipients. The email notification provides useful information, such
as event or flow properties.
About this task
You can customize the content that is included in the email notification for rule response by editing
the alert-config.xml file.
Note: References to flows do not apply to IBM QRadar Log Manager.
You must create a temporary directory where you can safely edit your copy of the files, without the
risk of overwriting the default files. After you edit and save the alert-config.xml file, you must
run a script that validates your changes. The validation script automatically applies your changes to
a staging area. You must deploy the full configuration to rebuild the configuration files for all
appliances.
Important: For IBM QRadar on Cloud, you must open a ticket with IBM Support to get a copy of the alertconfig.xml file. You must open another ticket to apply the updated alert-config.xml file to
your QRadar on Cloud instance.
Procedure
1. Use SSH to log in to the QRadar Console as the root user.
2. Create a new temporary directory to use to safely edit copies of the default files.
3. To copy the files that are stored in the custom_alerts directory to the temporary
directory, type the following command:
cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.*
<directory_name>
The <directory_name> is the name of the temporary directory that you created.
4. Confirm that the files were copied successfully:
a. To list the files in the directory, type ls -lah.
b. Verify that the alert-config.xml file is listed.
5. Open the alert-config.xml file for editing.
6. Edit the contents of the <template> element.
a. Required: Specify the type of template to use. Valid options are event or flow.
<templatetype>event</templatetype>
<templatetype>flow</templatetype>
b. Type a name for the email template:
<templatename>Default flow template</templatename>
If you have more than one template, ensure that the template name is unique.
c. Set the <active> element to true:
<active>true</active>
d. Edit the parameters in the <body> or <subject> elements to include the information
that you want to see.
Important: The <active></active> property must be set to True for each event and
flow template type that you want to appear as an option in QRadar. There must be at
least one active template for each type.
You must also ensure that the <filename></filename> property is left empty.
Notification parameters that you can use in the template:
Common Parameters
Event Parameters
Flow Parameters
AppName
EventCollectorID
Type
RuleName
DeviceId
CompoundAppID
RuleDescription
DeviceName
FlowSourceIDs
EventName
DeviceTime
SourceASNList
EventDescription
DstPostNATPort
DestinationASNList
EventProcessorId
SrcPostNATPort
InputIFIndexList
Qid
DstMACAddress
OutputIFIndexList
Common Parameters
Event Parameters
Flow Parameters
Category
DstPostNATIPAddress
AppId
RemoteDestinationIP
DstPreNATIPAddress
Host
Payload
SrcMACAddress
Port
Credibility
SrcPostNATIPAddress
SourceBytes
Relevance
SrcPreNATIPAddress
SourcePackets
Source
SrcPreNATPor
Direction
SourcePort
DstPreNATPort
SourceTOS
SourceIP
SourceDSCP
Destination
SourcePrecedence
DestinationPort
DestinationTOS
DestinationIP
DestinationDSCP
DestinationUserName
SourceASN
Protocol
DestinationASN
StartTime
InputIFIndex
Duration
OutputIFIndex
StopTime
FirstPacketTime
EventCount
LastPacketTime
SourceV6
TotalSourceBytes
DestinationV6
TotalDestinationBytes
UserName
TotalSourcePackets
DestinationNetwork
TotalDestinationPackets
SourceNetwork
SourceQOS
Severity
DestinationQOS
CustomProperty
SourcePayload
CustomPropertiesList
CalculatedProperty
CalculatedPropertiesList
AQLCustomProperty
AqlCustomPropertiesList
Common Parameters
Event Parameters
Flow Parameters
LogSourceId
LogSourceName
Table 1. Accepted Notification Parameters
Note: If you do not want to retrieve the entire list when you use the
CustomProperties, CalculatedProperties, or AqlCustomProperties parameter, you can
select a specific property by using the following tags:
▪
▪
Custom
Property: ${body.CustomProperty("<custom_property_name>")}
Calculated
Property: ${body.CalculatedProperty("<calculated_property_name>
")}
▪
AQL Custom
Property: ${body.AqlCustomProperty("<AQL_custom_property_name>"
)}
7. Optional: To create multiple email templates, copy and paste the following sample email
template in the <template> element in the alert-config.xml file. Repeat Step 6 for each
template that you add.
Sample email template:
<template>
<templatename>Default Flow</templatename>
<templatetype>flow</templatetype>
<active>true</active>
<filename></filename>
<subject>${RuleName} Fired </subject>
<body>
The ${AppName} event custom rule engine sent an automated response:
${StartTime}
Rule Name:
Rule Description:
${RuleName}
${RuleDescription}
Source
Source
Source
Source
${SourceIP}
${SourcePort}
${UserName}
${SourceNetwork}
IP:
Port:
Username (from event):
Network:
Destination
Destination
Destination
Destination
Protocol:
IP:
${DestinationIP}
Port:
${DestinationPort}
Username (from Asset Identity): ${DestinationUserName}
Network:
${DestinationNetwork}
${Protocol}
QID:
${Qid}
Event Name:
Event Description:
Category:
${EventName}
${EventDescription}
${Category}
Log Source ID:
Log Source Name:
${LogSourceId}
${LogSourceName}
Payload:
${Payload}
CustomPropertiesList:
${CustomPropertiesList}
AQL Custom Property, CEP_aql_1:
${body.AqlCustomProperty("CEP_aql_1")}
Calculated Property, CEP_calc_2:
${body.CalculatedProperty("CEP_calc_2")}
Regex Property, CEP_reg_3:
${body.CustomProperty("CEP_reg_3")}
</body>
<from></from>
<to></to>
<cc></cc>
<bcc></bcc>
</template>
Note: Currently, the DomainID for multi-tenancy or overlapping IP addresses isn’t available
in the custom email templates.
8. Save and close the alert-config.xml file.
9. Validate the changes by typing the following command.
/opt/qradar/bin/runCustAlertValidator.sh <directory_name>
The <directory_name> parameter is the name of the temporary directory that you
created.
If the script validates the changes successfully, the following message is displayed: File
alert-config.xml was deployed successfully to staging!
10. Deploy the changes in QRadar.
a. Log in to QRadar.
b. On the navigation menu ( ), click Admin.
c. Click Advanced > Deploy Full Configuration.
Important: QRadar continues to collect events when you deploy the full
configuration. When the event collection service must restart, QRadar does not
restart it automatically. A message displays that gives you the option to cancel the
deployment and restart the service at a more convenient time.
TASK: 1.6 Manage network hierarchy
SUBTASKS:
TASK: 1.7 Use and manage reference data
SUBTASKS:
Defining your network hierarchy
A default network hierarchy that contains pre-defined network groups is included in IBM®
QRadar®. You can edit the pre-defined network hierarchy objects, or you can create new network
groups or objects.
About this task
Network objects are containers for Classless Inter-Domain Routing (CIDR) addresses. Any IP
address that is defined in a CIDR range in the network hierarchy is considered to be a local address.
Any IP address that is not defined in a CIDR range in the network hierarchy is considered to be a
remote address. A CIDR can belong only to one network object, but subsets of a CIDR range can
belong to another network object. Network traffic matches the most exact CIDR. A network object
can have multiple CIDR ranges assigned to it.
Some of the default building blocks and rules in QRadar use the default network hierarchy objects.
Before you change a default network hierarchy object, search the rules and building blocks to
understand how the object is used and which rules and building blocks might need adjustments
after you modify the object. It is important to keep the network hierarchy, rules, and building
blocks up to date to prevent false offenses.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Network Hierarchy.
3. From the menu tree on the Network Views window, select the area of the network in which
you want to work.
4. To add network objects, click Add and complete the following fields:
Option
Description
Name
The unique name of the network object.
Tip: You can use periods in network object names to define network object hierarchies. For
example, if you enter the object name D.E.F, you create a three-tier hierarchy with E as a
subnode of D, and F as a subnode of E.
Group
The network group in which to add the network object. Select from the Group list, or click Add
a New Group.
Option
Description
Tip: When you add a network group, you can use periods in network group names to define
network group hierarchies. For example, if you enter the group name A.B.C, you create a
three-tier hierarchy with B as a subnode of A, and C as a subnode of B.
Restriction: The lengths of the name and the group combined must not be more than 255
characters.
IP/CIDR(s) Type an IP address or CIDR range for the network object, and click Add. You can add multiple IP
addresses and CIDR ranges.
DescriptionA description of the network object.
Country / The country or region in which the network object is located.
Region
Longitude The geographic location (longitude and latitude) of the network object. These fields are coand
dependent.
Latitude
5. Click Create.
6. Repeat the steps to add more network objects, or click Edit or Delete to work with existing
network objects.
Types of reference data collections
IBM® QRadar® has different types of reference data collections that can handle different levels of
data complexity. The most common types are reference sets and reference maps.
If you want to use the same reference data in both QRadar SIEM and QRadar Risk Manager, use a
reference set. You can't use other types of reference data collections with QRadar Risk Manager.
Type of
collection
Description
How to use
Use a reference set to
compare a property
A collection of
Reference set
value against a list,
unique values.
such as IP addresses
or user names.
A collection of
Use a reference map
data that maps a to verify a unique
Reference map
unique key to a combination of two
value.
property values.
A collection of
Use a reference map
data that maps a of sets to verify a
Reference map
key to multiple combination of two
of sets
values. Every key property values
is unique and
against a list.
Examples
To verify whether a login ID that was used
to log in to QRadar is assigned to a user,
create a reference set with
the LoginID parameter.
To correlate user activity on your network,
create a reference map that uses
the LoginID parameter as a key, and
the Username as a value.
To test for authorized access to a patent,
create a map of sets that uses a custom
event property for Patent ID as the key,
and the Username parameter as the value.
Type of
collection
Description
How to use
Examples
maps to one
Use the map of sets to populate a list of
reference set.
authorized users.
A collection of
data that maps
one key to
To test for network bandwidth violations,
another key,
Use a reference map create a map of maps that uses the Source
which is then
IP parameter as the first key,
Reference map
of maps to verify a
mapped to a
of maps
combination of three the Application parameter as the second
single value.
property values.
key, and the Total Bytes parameter as
Every key is
the value.
unique and maps
to one reference
map.
A collection of
data that maps
one key to
Use a reference table Create a reference table that
another key,
to verify a
stores Username as the first key, Source
Reference
which is then
combination of three
IP as the second key with an
table
mapped to a
property values when
assigned cidr data type, and Source
single value. The one of the properties
second key is
is a specific data type. Port as the value.
assigned a data
type.
Table 1. Types of reference data collections
Viewing the contents of a reference set
View information about the data elements in the reference set, such as the domain assignment, the expiry
on the data, and when the element was last seen in your network.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Reference Set Management.
Select a reference set and click View Contents.
Click the Content tab to view information about each data element.
Tip: Use the search field to filter for all elements that match a keyword. You can't search for
data in the Time To Live column.
Learn more about the data elements:
The following table describes the information that is shown for each data element in the
reference set.
ParameterDescription
Domain
Domain-specific reference data can be viewed by tenant users who have access to the domain,
MSSP Administrators, and users who do not have a tenant assignment. Users in all tenants can
view shared reference data.
Value
The data element that is stored in the reference set. For example, the value might show user
names or IP addresses.
Origin
Shows the user name when the data element is added manually, and the file name when the data
was added by importing it from an external file. Shows the rule name when the data element is
added in response to a rule.
Time to
Live
The time that is remaining until this element is removed from the reference set.
Date Last
The date and time that this element was last detected on your network.
Seen
Table 1. Information about the reference set data elements
5. Click the References tab to view the rules that use the reference set in a rule test or in a rule
response.
ParameterDescription
Rule
Name
Name of the rule that is configured to use the reference set.
Group
The group that the rule belongs to.
Category Shows if the rule is a custom rule or an anomaly detection rule.
Type
Shows event, flow, common, or offense to indicate the type of data that the rule is tested
against.
Enabled
A rule must be enabled for the custom rule engine to evaluate it.
Response The responses that are configured for this rule.
System indicates a default rule.
Origin
Modified indicates that a default rule was customized.
User indicates a user-created rule.
Table 2. Content tab parameters
6. To view or edit an associated rule, double-click the rule in the References list and complete
the rule wizard.
Adding, editing, and deleting reference sets
Use a reference set to compare a property value, such as an IP address or user name, against a list. You can
use reference sets with rules to keep watch lists. For example, you can create a rule to detect when an
employee accesses a prohibited website and then add that employee's IP address to a reference set.
About this task
After you add data to the reference set, the Number of Elements and Associated
Rules parameters are automatically updated.
When you edit a reference set, you can change the data values, but you can't change the type of data
that the reference set contains.
Before a reference set is deleted, QRadar® runs a dependency check to see whether the reference
set has rules that are associated with it.
Note: If you use techniques to obfuscate data on the event properties that you want to compare to the
reference set data, use an alphanumeric reference set and add the obfuscated data values.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Reference Set Management.
3. To add a reference set:
a. Click Add and configure the parameters.
Learn more about reference set parameters:
The following table describes each of the parameters that are used to configure a
reference set.
ParameterDescription
Name
The maximum length of the reference set name is 255 characters.
Select the data types for the reference elements. You can't edit the Type parameter after
you create a reference set.
Type
The IP type stores IPv4 addresses. The Alphanumeric (Ignore Case) type automatically
changes any alphanumeric value to lowercase.
To compare obfuscated event and flow properties to the reference data, you must use an
alphanumeric reference set.
Time to Specifies when reference elements expire. If you select the Lives Forever default setting,
Live of
the reference elements don’t expire.
elements
ParameterDescription
If you specify an amount of time, indicate whether the time-to-live interval is based on
when the data was first seen, or was last seen.
QRadar removes expired elements from the reference set periodically (by default, every
5 minutes).
Specifies how expired reference elements are logged in the qradar.log file when they
are removed from the reference set.
When
elements
expire
The Log each element in a separate log entry option triggers an Expired
ReferenceData element log event for each reference element that is removed. The
event contains the reference set name and the element value.
The Log elements in one log entry option triggers one Expired ReferenceData
element log event for all reference elements that are removed at the same time. The
event contains the reference set name and the element values.
The Do not log elements option does not trigger a log event for removed reference
elements.
Table 1. Reference Set parameters
b. Click Create.
4. Click Edit or Delete to work with existing reference sets.
Tip: To delete multiple reference sets, use the Quick Search text box to search for the
reference sets that you want to delete, and then click Delete Listed.
Creating reference data collections by using
the command line
Use the command line to manage reference data collections that cannot be managed in IBM®
QRadar®, such as reference maps, map of sets, map of maps, and tables. Although it's easier to
manage reference sets using QRadar, use the command line when you want to schedule
management tasks.
About this task
Use the ReferenceDataUtil.sh script to manage reference sets and other types of reference
data collections.
When you use an external file to populate the reference data collection, the first non-comment line
in the file identifies the column names in the reference data collection. Each line after that is a data
record that gets added to the collection. While the data type for the reference collection values is
specified when the collection is created, each key is an alphanumeric string.
The following table shows examples of how to format data in an external file that is to be used for
populating reference maps.
Type of
reference Data formatting examples
collection
key1,data
Reference
key1,value1
map
key2,value2
key1,data
Reference
map of
key1,value1
sets
key1,value2
key1,key2,data
Reference
map of
map1,key1,value1
maps
map1,key2,value2
Table 1. Formatting data in an external file to be used for populating reference data collections
You can also create reference data collections by using the /reference_data endpoint in
the QRadar RESTful API.
Procedure
1. Using SSH, log in to IBM QRadar as the root user.
2. Go to the /opt/qradar/bin directory.
3. To create the reference data collection, type the following command:
4. ./ReferenceDataUtil.sh create name
5. [SET | MAP | MAPOFSETS | MAPOFMAPS | REFTABLE]
6. [ALN | NUM | IP | PORT | ALNIC | DATE]
[-timeoutType=[FIRST_SEEN | LAST_SEEN]] [-timeToLive=]
7. To populate the map with data from an external file, type the following command:
8. ./ReferenceDataUtil.sh load name filename
[-encoding=...] [-sdf=" ... "]
Example
Here are some examples of how to use the command line to create different types of reference data
collections:
•
Create an alphanumeric map:
./ReferenceDataUtil.sh create testALN MAP ALN
•
Create a map of sets that contains port values that will age out 3 hours after they were last
seen:
•
./ReferenceDataUtil.sh create testPORT MAPOFSETS PORT
-timeoutType=LAST_SEEN -timeToLive='3 hours'
•
Create a map of maps that contains numeric values that will age out 3 hours 15 minutes after
they were first seen:
•
./ReferenceDataUtil.sh create testNUM MAPOFMAPS
NUM -timeoutType=FIRST_SEEN -timeToLive='3 hours 15 minutes'
•
•
Create a reference table where the default format is alphanumeric:
./ReferenceDataUtil.sh create testTable REFTABLE
ALN -keyType=ipKey:IP,portKey:PORT,numKey:NUM,dateKey:DATE
Command reference for reference data utilities
You can manage your reference data collections by using the ReferenceDataUtil.sh utility on
the command line. The following commands are available to use with the script.
Reference data query examples
Use AQL queries to get data from reference sets, reference maps, or reference tables. You can create
and populate reference data by using rules to populate reference sets, by using external threat
feeds, for example, LDAP Threat Intelligence App, or by using imported data files for your reference
set.
Tip: For information on how to use quotation marks in AQL queries, see Quotation marks.
Use the following examples to help you create queries to extract data from your reference data.
Use reference tables to get external metadata for user names that show up in events
SELECT
REFERENCETABLE('user_data','FullName',username) AS 'Full Name',
REFERENCETABLE('user_data','Location',username) AS 'Location',
REFERENCETABLE('user_data','Manager',username) AS 'Manager',
UNIQUECOUNT(username) AS 'Userid Count',
UNIQUECOUNT(sourceip) AS 'Source IP Count',
COUNT(*) AS 'Event Count'
FROM events
WHERE qidname(qid)ILIKE '%logon%'
GROUP BY "Full Name", "Location", "Manager"
LAST 1 days
Use the reference table to get external data such as the full name, location, and manager name for
users who logged in to the network in the last 24 hours.
Get the global user IDs for users in events who are flagged for suspicious activity
SELECT
REFERENCEMAP('GlobalID_Mapping',username) AS 'Global ID',
REFERENCETABLE('user_data','FullName', 'Global ID') AS 'Full Name',
UNIQUECOUNT(username),
COUNT(*) AS 'Event count'
FROM events
WHERE RULENAME(creEventlist)
ILIKE '%suspicious%'
GROUP BY "Global ID"
LAST 2 days
In this example, individual users have multiple accounts across the network. The organization
requires a single view of a user's activity. Use reference data to map local user IDs to a global ID.
The query returns the user accounts that are used by a global ID for events that are flagged as
suspicious.
Use a reference map lookup to extract global user names for user names that are
returned in events
SELECT
QIDNAME(qid) as 'Event name',
starttime AS Time,
sourceip AS 'Source IP',
destinationip AS 'Destination IP',
username AS 'Event Username',
REFERENCEMAP('GlobalID_Mapping', username) AS 'Global User'
FROM events
WHERE "Global User" = 'John Ariel'
LAST 1 days
Use the reference map to look up the global user names for user names that are returned in events.
Use the WHERE clause to return only events for the global user John Ariel. John Ariel might have a
few different user names but these user names are mapped to a global user, for example, in an
external identity mapping system, you can map a global user to several user names used by the
same global user.
Monitoring high network utilization by users
SELECT
LONG(REFERENCETABLE('PeerGroupStats', 'average',
REFERENCEMAP('PeerGroup',username)))
AS PGave,
LONG(REFERENCETABLE('PeerGroupStats', 'stdev',
REFERENCEMAP('PeerGroup',username)))
AS PGstd,
SUM(sourcebytes+destinationbytes) AS UserTotal
FROM flows
WHERE flowtype = 'L2R'
GROUP BY UserTotal
HAVING UserTotal > (PGAve+ 3*PGStd)
Returns user names where the flow utilization is three times greater than the average user.
You need a reference set to store network utilization of peers by user name and total bytes.
Threat ratings and categories
SELECT
REFERENCETABLE('ip_threat_data','Category',destinationip)
AS 'Threat Category',
REFERENCETABLE('ip_threat_data','Rating', destinationip)
AS 'Threat Rating',
UNIQUECOUNT(sourceip)
AS 'Source IP Count',
UNIQUECOUNT(destinationip)
AS 'Destination IP Count'
FROM events
GROUP BY "Threat Category", "Threat Rating" LAST 24 HOURS
Returns the threat category and the threat rating.
You can look up reference table threat data and include it in your searches.
Copying query examples from the AQL guide
If you copy and paste a query example that contains single or double quotation marks from the AQL
Guide, you must retype the quotation marks to be sure that the query parses.
Creating reference data collections with the
APIs
You can use the application program interface (API) to manage IBM® QRadar® reference data
collections.
Procedure
1. Use a web browser to access https://<Console IP>/api_doc and log in as the
administrator.
2. Select the latest iteration of the IBM QRadar API.
3. Select the /reference_data directory.
4. To create a new reference set, follow these steps:
a. Select /sets.
b. Click POST and enter the relevant information in the Value fields.
Learn more about the parameters to create a reference set:
The following table provides information about the parameters that are required to
create a reference set:
Parameter Type Value
Data MIME
Type Type
Sample
element_typequery(required)Stringtext/plainString <one of: ALN, NUM, IP, PORT, ALNIC, DATE>
name
query(required)Stringtext/plainString
fields
query(optional) Stringtext/plainfield_one (field_two, field_three), field_four
time_to_live query(optional) Stringtext/plainString
timeout_type query(optional) Stringtext/plainString <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>
Table 1. Parameters - Reference Set
c. Click Try It Out! to finish creating the reference data collection and to view the
results.
5. To create a new reference map, follow these steps:
a. Click /maps.
b. Click POST and enter the relevant information in the Value fields.
Learn more about the parameters to create a reference map:
The following table provides information about the parameters that are required to
create a reference map:
Parameter Type Value
Data MIME
Type Type
Sample
element_typequery(required)Stringtext/plainString <one of: ALN, NUM, IP, PORT, ALNIC, DATE>
name
query(required)Stringtext/plainString
fields
query(optional) Stringtext/plainfield_one (field_two, field_three), field_four
key_label
query(optional) Stringtext/plainString
time_to_live query(optional) Stringtext/plainString
timeout_type query(optional) Stringtext/plainString <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>
value_label query(optional) Stringtext/plainString
Table 2. Parameters - Reference Map
c. Click Try It Out! to finish creating the reference data collection and to view the
results.
6. To create a new reference map of sets, follow these steps:
a. Select /map_of_sets.
b. Click POST and enter the relevant information in the Value fields.
Learn more about the parameters to create a reference map of sets:
The following table provides information about the parameters that are required to
create a reference map of sets:
Parameter Type Value
Data MIME
Type Type
Sample
element_typequery(required)Stringtext/plainString <one of: ALN, NUM, IP, PORT, ALNIC, DATE>
name
query(required)Stringtext/plainString
fields
query(optional) Stringtext/plainfield_one (field_two, field_three), field_four
key_label
query(optional) Stringtext/plainString
time_to_live query(optional) Stringtext/plainString
timeout_type query(optional) Stringtext/plainString <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>
value_label query(optional) Stringtext/plainString
Table 3. Parameters - Reference Map of Sets
c. Click Try It Out! to finish creating the reference data collection and to view the
results.
7. To create a new reference table or map of maps, follow these steps:
a. Click /tables.
b. Click POST and enter the relevant information in the Value fields.
Learn more about the parameters to create a reference table or a map of maps:
The following table provides information about the parameters that are required to
create a reference table or a map of maps:
Data
MIME Type
Type
Parameter
Type Value
Sample
element_type
query(required)Stringtext/plain
String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>
name
query(required)Stringtext/plain
String
fields
query(optional) Stringtext/plain
field_one (field_two, field_three), field_four
[ { "element_type": "String <one of: ALN, NUM, IP,
key_name_typesquery(optional) Array application/json
PORT, ALNIC, DATE>", "key_name": "String" }]
outer_key_label query(optional) Stringtext/plain
String
time_to_live
query(optional) Stringtext/plain
String
timeout_type
query(optional) Stringtext/plain
String <one of: UNKNOWN, FIRST_SEEN,
LAST_SEEN>
Table 4. Parameters - Reference Table
c. Click Try It Out! to finish creating the reference data collection and to view the
results.
TASK: 1.8 Manage automatic update
SUBTASKS:
Automatic updates
Using IBM® QRadar®, you can either replace your existing configuration files or integrate the
updated files with your existing files.
The QRadar console must be connected to the internet to receive updates. If your console is not
connected to the internet, you must configure an internal update server. For information about
setting up an automatic update server, see the IBM QRadar User Guide.
Download software updates from IBM Fix Central (www.ibm.com/support/fixcentral/).
Update files can include the following updates:
•
•
•
•
Configuration updates, which include configuration file changes, vulnerability, QID map, and
security threat information updates.
DSM updates, which include corrections to parsing issues, scanner changes, and protocol
updates.
Major updates, which include items such as updated JAR files.
Minor updates, which include items such as extra online help content or updated scripts.
Configuring automatic update settings
You can customize the frequency of IBM QRadar updates, update types, server configuration, and
backup settings.
About this task
You can select the Auto Deploy to automatically deploy updates. If Auto Deploy is not selected,
then you must manually deploy changes, from the Dashboard tab, after updates are installed.
Restriction: In high-availability (HA) environment, automatic updates aren't installed when a secondary
host is active. The updates are installed only after the primary host become the active node.
You can select Auto Restart Service to allow automatic updates that require the user interface to
restart. A user interface disruption occurs when the service restarts. Alternatively, you can
manually install the updated from the Check for Updates window.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Auto Update.
3. Click Change Settings.
4. On the Basic tab, select the schedule for updates.
a. In the Configuration Updates section, select the method that you want to use for
updating your configuration files.
▪ To merge your existing configuration files with the server updates without
affecting your custom signatures, custom entries, and remote network
configurations, select Auto Integrate.
▪ To override your customizations with server settings, select Auto Update.
b. In the DSM, Scanner, Protocol Updates section, select an option to install updates.
c. In the Major Updates section, select an option for receiving major updates for new
releases.
d. In the Minor Updates section, select an option for receiving patches for minor
system issues.
e. If you want to deploy update changes automatically after updates are installed, select
the Auto Deploy check box.
f. If you want to restart the user interface service automatically after updates are
installed, select the Auto Restart Service check box.
5. Click the Advanced tab to configure the update server and backup settings.
a. In Web Server field, type the web server from which you want to obtain the updates.
The default web server is https://auto-update.qradar.ibmcloud.com/.
b. In the Directory field, type the directory location on which the web server stores the
updates.
The default directory is autoupdates/.
c. Optional: Configure the settings for proxy server.
If the application server uses a proxy server to connect to the Internet, you must
configure the proxy server. If you are using an authenticated proxy, you must provide
the username and password for the proxy server.
d. In the Backup Retention Period list, type or select the number of days that you want
to store files that are replaced during the update process.
The files are stored in the location that is specified in the Backup Location. The
minimum is one day and the maximum is 65535 years.
e. In the Backup Location field, type the location where you want to store backup files.
f. In the Download Path field, type the directory path location to which you want to
store DSM, minor, and major updates.
The default directory path is /store/configservices/staging/updates.
6. Click Save.
QRadar: Important auto update server changes
for administrators
Troubleshooting
Problem
IBM® is migrating QRadar SIEM auto update servers to a new location in the IBM Cloud®.
This notice is intended to remind administrators that they must change their auto update
configuration to use a new IBM Cloud® web server to avoid interruptions with daily and
weekly software updates. Administrators who use IP-based firewall rules in their
organization must also update their corporate firewall rules to allow traffic to the IBM
Cloud auto update web server.
Resolving The Problem
Notice: Administrators must change their auto update server configuration before 30
November 2020 to avoid interruptions with your auto update download. A benign error
message can be displayed in the user interface when you update your configuration as
described in APAR IJ29298.
About
IBM® is migrating the QRadar® auto update servers to the IBM Cloud to better serve
updates globally starting on 27 July 2020. Administrators with firewalls that use IP-based
rules will experience interruptions to auto update downloads after November 30,2020.
This server change allows a single host name and IP address to be leveraged through IBM
Cloud® clusters for all QRadar auto updates globally.
Server changes Web server hostname
Static IP address
and port
Location Description
New server
cluster
https://auto169.47.251.244:443Global
update.qradar.ibmcloud.com/
Legacy server
https://qmmunity.q1labs.com/69.20.113.167
United
States
Active until 30 November
2020
Legacy server
https://qmmunityeu.q1labs.com/
Europe
Active until 30 November
2020
212.64.156.13
New server active on 27 July
2020
Affected versions
All QRadar® products and versions are impacted by this change.
IMPORTANT: Administrators who fail to update their corporate firewalls might
experience an interruption in service after 30 November 2020. QRadar® Support
recommends that all administrators update their QRadar Console's auto update settings
during a maintenance window and confirm that auto updates complete successfully.
Summary
Administrators can update their QRadar auto update servers to use the new server
location starting on 27 July 2020. Administrators must contact their corporate firewall
team to ensure that any IP-based firewall rules are updated before November 30, 2020 to
use the new static IP address at 169.47.251.244. QRadar Support recommends that
administrators can add both the auto update host name and the static IP address to their
corporate firewall policy rules to allow traffic:
Web server
Static IP address and
Location Description
port
https://autoupdate.qradar.ibmcloud.com/
169.47.251.244:443
Global
New server active on 27 July
2020
TASK: 1.9 Demonstrate the use of the asset database
SUBTASKS
Sources of asset data
Asset data is received from several different sources in your IBM® QRadar® deployment.
Asset data is written to the asset database incrementally, usually 2 or 3 pieces of data at a time.
With exception of updates from network vulnerability scanners, each asset update contains
information about only one asset at a time.
Asset data usually comes from one of the following asset data sources:
Events
Event payloads, such as those created by DHCP or authentication servers, often contain user logins,
IP addresses, host names, MAC addresses, and other asset information. This data is immediately
provided to the asset database to help determine which asset the asset update applies to.
Events are the primary cause for asset growth deviations.
Flows
Flow payloads contain communication information such as IP address, port, and protocol that is
collected over regular, configurable intervals. At the end of each interval, the data is provided to
the asset database, one IP address at a time.
Because asset data from flows is paired with an asset based on a single identifier, the IP
address, flow data is never the cause of asset growth deviations.
Important: Asset generation from IPv6 flows is not supported.
Vulnerability scanners
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update
Package 6, and is no longer supported in any version of IBM QRadar. For more information,
see QRadar Vulnerability Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
QRadar integrates with both IBM and third-party vulnerability scanners that can provide asset
data such as operating system, installed software, and patch information. The type of data varies
from scanner to scanner and can vary from scan to scan. As new assets, port information, and
vulnerabilities are discovered, data is brought into the asset profile based on the CIDR ranges that
are defined in the scan.
It is possible for scanners to introduce asset growth deviations but it is rare.
User interface
Users who have the Assets role can import or provide asset information directly to the asset
database. Asset updates that are provided directly by a user are for a specific asset. Therefore the
asset reconciliation stage is bypassed.
Asset updates that are provided by users do not introduce asset growth deviations.
Domain-aware asset data
When an asset data source is configured with domain information, all asset data that comes from
that data source is automatically tagged with the same domain. Because the data in the asset model
is domain-aware, the domain information is applied to all QRadar components, including identities,
offenses, asset profiles, and server discovery.
When you view the asset profile, some fields might be blank. Blank fields exist when the system did
not receive this information in an asset update, or the information exceeded the asset retention
period. The default retention period is 120 days. An IP address that appears as 0.0.0.0 indicates that
the asset does not contain IP address information.
Incoming asset data workflow
IBM® QRadar® uses identity information in an event payload to determine whether to create a
new asset or update an existing asset.
Important: Asset generation from IPv6 flows is not supported.
Figure 1. Asset data workflow diagram
1. QRadar receives the event. The asset profiler examines the event payload for identity
information.
2. If the identity information includes a MAC address, a NetBIOS host name, or a DNS host
name that are already associated with an asset in the asset database, then that asset is
updated with any new information.
3. If the only available identity information is an IP address, the system reconciles the update
to the existing asset that has the same IP address.
4. If an asset update has an IP address that matches an existing asset but the other identity
information does not match, the system uses other information to rule out a false-positive
match before the existing asset is updated.
5. If the identity information does not match an existing asset in the database, then a new asset
is created based on the information in the event payload.
Asset profile data in CSV format
An asset profile is a collection of information about a specific asset. The profile includes information
about the services that are running on the asset and any identity information that is known. You can
import asset profile data in CSV format.
When you import asset profile data in CSV format, the file must be in the following format:
ip,name,weight,description
The following table describes the parameters that you must configure.
Parameter Description
IP
Specifies any valid IP address in the dot decimal format; for example, 192.168.5.34.
Specifies the name of the asset up to 255 characters in length. Commas are not valid in
Name
this field because they invalidate the import process; for example, WebServer01.
Specifies a number 0 - 10, which indicates the importance of the asset on your
Weight
network. A value of 0 denotes low importance, while 10 denotes a high importance.
Specifies a textual description for this asset up to 255 characters in length. This value is
Description
optional.
Table 1. Asset profile import CSV format parameters
The following entries can be included in a CSV file:
•
•
192.168.5.34,WebServer01,5,Main Production Web Server
192.168.5.35,MailServ01,0,
The CSV import process merges any asset profile information that is stored in
your QRadar® system.
Tuning the number of IP addresses allowed for
a single asset
IBM® QRadar® monitors the number of IP addresses that a single asset accumulates over time.
By default, QRadar generates a system message when a single asset accumulates more than 75 IP
addresses. If you expect assets to accumulate more than 75 IP addresses, you can tune the Number
of IPs Allowed for a Single Asset value to avoid future system messages.
About this task
Setting the limit for the number of IP addresses too high prevents QRadar from detecting asset
growth deviations before they have a negative impact on the rest of the deployment. Setting the
limit too low increases the number of asset growth deviations that are reported.
You can use the following guideline when you tune the Number of IPs Allowed for a Single
Asset setting for the first time.
Number of IP addresses that are allowed for a single asset = (<retention time
(days)> x <estimated IP addresses per day>) + <buffer number of IP
addresses>
Where
•
•
<estimated IP addresses per day> is the number of IP addresses that a single
asset might accumulate in one day under normal conditions
<retention time (days)> is the preferred amount of time to retain the asset IP
addresses
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
In the Assets section, click Asset Profiler Configuration.
Click Asset Profiler Configuration.
Adjust the configuration values and click Save.
Deploy the changes into your environment for the updates to take effect.
Updates to asset data
IBM® QRadar® uses identity information in an event payload to determine whether to create a new asset
or update an existing asset.
Each asset update must contain trusted information about a single asset. When QRadar receives an
asset update, the system determines which asset to which the update applies.
Asset reconciliation is the process of determining the relationship between asset updates and the
related asset in the asset database. Asset reconciliation occurs after QRadar receives the update but
before the information is written to the asset database.
Identity information
Every asset must contain at least one piece of identity data. Subsequent updates that contain one or
more pieces of that same identity data are reconciled with the asset that owns that data. Updates
that are based on IP addresses are handled carefully to avoid false-positive asset matches. False
positive asset matches occur when one physical asset is assigned ownership of an IP address that
was previously owned by another asset in the system.
When multiple pieces of identity data are provided, the asset profiler prioritizes the information from the
most deterministic to the least in the following order:
•
•
•
•
MAC address
NetBIOS host name
DNS host name
IP address
MAC addresses, NetBIOS host names, and DNS host names are unique and therefore are considered
as definitive identity data. Incoming updates that match an existing asset only by the IP address are
handled differently than updates that match more definitive identity data.
Asset reconciliation exclusion rules
With each asset update that enters IBM QRadar, the asset reconciliation exclusion rules apply tests
to the MAC address, NetBIOS host name, DNS host name, and IP address in the asset update.
Tip: QRadar excludes events based on data that is received in the event, not on any data that is later
inferred or linked to the event.
In domain-aware environments, the asset reconciliation exclusion rules track the behavior of asset
data separately for each domain.
The asset reconciliation exclusion rules test the following scenarios:
Scenario
Rule response
When a MAC address is associated to three or Add the MAC address to the Asset Reconciliation
more different IP addresses in 2 hours or less Domain MAC blacklist
Scenario
Rule response
When a DNS host name is associated to three
Add the DNS host name to the Asset Reconciliation
or more different IP addresses in 2 hours or
Domain DNS blacklist
less
When a NetBIOS host name is associated to
Add the NetBIOS host name to the Asset
three or more different IP addresses in 2
Reconciliation Domain NetBIOS blacklist
hours or less
When an IPv4 address is associated to three
Add the IP address to the Asset Reconciliation
or more different MAC addresses in 2 hours or
Domain IPv4 blacklist
less
When a NetBIOS host name is associated to
Add the NetBIOS host name to the Asset
three or more different MAC addresses in 2
Reconciliation Domain NetBIOS blacklist
hours or less
When a DNS host name is associated to three
Add the DNS host name to the Asset Reconciliation
or more different MAC addresses in 2 hours or
Domain DNS blacklist
less
When an IPv4 address is associated to three
Add the IP address to the Asset Reconciliation
or more different DNS host names in 2 hours
Domain IPv4 blacklist
or less
When a NetBIOS host name is associated to
Add the NetBIOS host name to the Asset
three or more different DNS host names in 2
Reconciliation Domain NetBIOS blacklist
hours or less
When a MAC address is associated to three or
Add the MAC address to the Asset Reconciliation
more different DNS host names in 2 hours or
Domain MAC blacklist
less
When an IPv4 address is associated to three
Add the IP address to the Asset Reconciliation
or more different NetBIOS host names in 2
Domain IPv4 blacklist
hours or less
When a DNS host name is associated to three
Add the DNS host name to the Asset Reconciliation
or more different NetBIOS host names in 2
Domain DNS blacklist
hours or less
When a MAC address is associated to three or
Add the MAC address to the Asset Reconciliation
more different NetBIOS host names in 2 hours
Domain MAC blacklist
or less
Table 1. Rule tests and responses
You can view these rules on the Offenses tab by clicking Rules and then selecting the asset
reconciliation exclusion group in the drop-down list.
Asset merging
Asset merging is the process where the information for one asset is combined with the
information for another asset under the premise that they are actually the same physical asset.
Asset merging occurs when an asset update contains identity data that matches two different asset
profiles. For example, a single update that contains a NetBIOS host name that matches one asset
profile and a MAC address that matches a different asset profile might trigger an asset merge.
Some systems can cause high volumes of asset merging because they have asset data
sources that inadvertently combine identity information from two different physical assets
into a single asset update. Some examples of these systems include the following
environments:
•
•
•
•
•
•
Central syslog servers that act as an event proxy
Virtual machines
Automated installation environments
Non-unique host names, common with assets like iPads and iPhones.
Virtual private networks that have shared MAC addresses
Log source extensions where the identity field is OverrideAndAlwaysSend=true
Assets that have many IP addresses, MAC addresses, or host names show deviations in asset
growth and can trigger system notifications.
Identification of asset growth deviations
Sometimes, asset data sources produce updates that IBM® QRadar® cannot handle properly without
manual remediation. Depending on the cause of the abnormal asset growth, you can either fix the asset
data source that is causing the problem or you can block asset updates that come from that data source.
Asset growth deviations occur when the number of asset updates for a single device grows beyond
the limit that is set by the retention threshold for a specific type of the identity information. Proper
handling of asset growth deviations is critical to maintaining an accurate asset model.
At the root of every asset growth deviation is an asset data source whose data is untrustworthy for
updating the asset model. When a potential asset growth deviation is identified, you must look at
the source of the information to determine whether there is a reasonable explanation for the asset
to accumulate large amounts of identity data. The cause of an asset growth deviation is specific to
an environment.
DHCP server example of unnatural asset growth in an asset profile
Consider a virtual private network (VPN) server in a Dynamic Host Configuration Protocol (DHCP)
network. The VPN server is configured to assign IP addresses to incoming VPN clients by proxying
DHCP requests on behalf of the client to the network's DHCP server.
From the perspective of the DHCP server, the same MAC address repeatedly requests many IP
address assignments. In the context of network operations, the VPN server is delegating the IP
addresses to the clients, but the DHCP server can't distinguish when a request is made by one asset
on behalf of another.
The DHCP server log, which is configured as a QRadar log source, generates a DHCP
acknowledgment (DHCP ACK) event that associates the MAC address of the VPN server with the IP
address that it assigned to the VPN client. When asset reconciliation occurs, the system reconciles
this event by MAC address, which results in a single existing asset that grows by one IP address for
every DHCP ACK event that is parsed.
Eventually, one asset profile contains every IP address that was allocated to the VPN server. This
asset growth deviation is caused by asset updates that contain information about more than one
asset.
Threshold settings
When an asset in the database reaches a specific number of properties, such as multiple IP
addresses or MAC addresses, QRadar blocks that asset from receiving more updates.
The Asset Profiler threshold settings specify the conditions under which an asset is blocked from
updates. The asset is updated normally up to the threshold value. When the system collects enough
data to exceed the threshold, the asset shows an asset growth deviation. Future updates to the asset
are blocked until the growth deviation is rectified.
System notifications that indicate asset growth deviations
IBM QRadar generates system notifications to help you identify and manage the asset growth
deviations in your environment.
IBM® QRadar® generates system notifications to help you identify and manage the asset growth
deviations in your environment.
The following system messages indicate that QRadar identified potential asset growth deviations:
•
•
The system detected asset profiles that exceed the normal size threshold
The asset blacklist rules have added new asset data to the asset blacklists
The system notification messages include links to reports to help you identify the assets that have
growth deviations.
Asset data that changes frequently
Asset growth can be caused by large volumes of asset data that changes legitimately, such as in these
situations:
•
•
A mobile device that travels from office-to-office frequently and is assigned a new IP address
whenever it logs in.
A device that connects to a public wifi with short IP addresses leases, such as at a university
campus, might collect large volumes of asset data over a semester.
QRadar might mistakenly report this activity as an asset growth deviation. If the asset growth is
legitimate, you can take steps to ensure that the asset data is handled properly. For more
information, see c_qradar_adm_prevent_asset_grwth_deviat.html.
Example: How configuration errors for log source extensions can cause asset growth
deviations
Customized log source extensions that are improperly configured can cause asset growth
deviations.
You configure a customized log source extension to provide asset updates to IBM® QRadar® by
parsing user names from the event payload that is on a central log server. You configure the log
source extension to override the event host name property so that the asset updates that are
generated by the custom log source always specify the DNS host name of the central log server.
Instead of QRadar receiving an update that has the host name of the asset that the user logged in to,
the log source generates many asset updates that all have the same host name.
In this situation, the asset growth deviation is caused by one asset profile that contains many IP
addresses and user names.
Troubleshooting asset profiles that exceed the normal size threshold
IBM QRadar generates the following system notification when the accumulation of data under a
single asset exceeds the configured threshold limits for identity data.
The system detected asset profiles that exceed the normal size threshold
Explanation
The payload of the notification shows a list of the top five most frequently deviating assets and why the
system marked each asset as a growth deviation. As shown in the following example, the payload also
shows the number of times that the asset attempted to grow beyond the asset size threshold.
Feb 13 20:13:23 127.0.0.1 [AssetProfilerLogTimer]
com.q1labs.assetprofile.updateresolution.UpdateResolutionManager:
[INFO] [NOT:0010006101][192.0.2.83/- -] [-/- -]
The top five most frequently deviating asset profiles between
Feb 13, 2015 8:10:23 PM AST and Feb 13, 2015 8:13:23 PM AST:
[ASSET ID:1003, REASON:Too Many IPs, COUNT:508],
[ASSET ID:1002, REASON:Too many DNS Names, COUNT:93],
[ASSET ID:1001, REASON:Too many MAC Addresses, COUNT:62]
When the asset data exceeds the configured threshold, QRadar blocks the asset from future
updates. This intervention prevents the system from receiving more corrupted data and mitigates
the performance impacts that might occur if the system attempts to reconcile incoming updates
against an abnormally large asset profile.
Required user action
Use the information in the notification payload to identify the assets that are contributing to the
asset growth deviation and determine what is causing the abnormal growth. The notification
provides a link to a report of all assets that experienced deviating asset growth over the past 24
hours.
After you resolve the asset growth deviation in your environment, you can run the report again.
1. Click the Log Activity tab and click Search > New Search.
2. Select the Deviating Asset Growth: Asset Report saved search.
3. Use the report to identify and repair inaccurate asset data that was created during the
deviation.
New asset data is added to the asset blocklists
IBM QRadar generates the following system notification when a piece of asset data exhibits
behavior that is consistent with deviating asset growth.
The asset blacklist rules have added new asset data to the asset
blacklists
Explanation
Asset exclusion rules monitor asset data for consistency and integrity. The rules track specific
pieces of asset data over time to ensure that they are consistently being observed with the same
subset of data within a reasonable time.
For example, if an asset update includes both a MAC address and a DNS host name, the MAC address
is associated with that DNS host name for a sustained period. Subsequent asset updates that
contain that MAC address also contain that same DNS host name when one is included in the asset
update. If the MAC address suddenly is associated with a different DNS host name for a short
period, the change is monitored. If the MAC address changes again within a short period, the MAC
address is flagged as contributing to an instance of deviating or abnormal asset growth.
Required user action
Use the information in the notification payload to identify the rules that are used to monitor asset
data. Click the Asset deviations by log source link in the notification to see the asset deviations
that occurred in the last 24 hours.
If the asset data is valid, QRadar administrators can configure QRadar to resolve the problem.
•
•
If your blocklists are populating too aggressively, you can tune the asset reconciliation
exclusion rules that populate them.
If you want to add the data to the asset database, you can remove the asset data from the
blocklist and add it to the corresponding asset allowlist. Adding asset data to the allowlist
prevents it from inadvertently reappearing on the blocklist.
Tuning the Asset Profiler retention settings
IBM® QRadar® uses the asset retention settings to manage the size of the asset profiles.
The default retention period for most asset data is 120 days after the last time it was either
passively or actively observed in QRadar. User names are retained for 30 days.
Asset data that is added manually by QRadar users does not usually contribute to asset growth
deviations. By default, this data is retained forever. For all other types of asset data, the Retain
Forever flag is suggested only for static environments.
About this task
You can adjust the retention time based on the type of asset identity data that is in the event. For
example, if multiple IP addresses are merging under one asset, you can change the Asset IP
Retention period from 120 days to a lower value.
When you change the asset retention period for a specific type of asset data, the new retention
period is applied to all asset data in QRadar. Existing asset data that already exceeds the new
threshold is removed when the deployment is complete. To ensure that you can always identify
named hosts even when the asset data is beyond the retention period, the asset retention cleanup
process does not remove the last known host name value for an asset.
Before you determine how many days that you want to retain the asset data, understand the following
characteristics about longer retention periods:
•
•
•
provides a better historical view of your assets.
creates larger data volumes per asset in the asset database.
increases the probability that stale data will contribute to asset growth deviation messages.
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Asset Profiler Configuration.
Click Asset Profiler Retention Configuration.
Adjust the retention values and click Save.
Deploy the changes into your environment for the updates to take effect.
TASK: 1.10 Install and configure apps
SUBTASKS:
1.10.1. Install apps
1.10.2. Manage authorized services
1.10.3. Backup and restore applications
1.10.4. Configure out-of-the-box installed Apps
Apps overview
After a developer creates an app, IBM certifies and publishes it in the IBM Security App
Exchange. QRadar administrators can then browse and download the apps and then install the apps
into QRadar to address specific security requirements.
The IBM Security App Exchange is a community-based sharing hub, that you use to share apps across IBM
Security products. By participating in App Exchange, you can use the rapidly assembled, innovative
workflows, visualizations, analytics, and use cases that are packaged into apps to address specific security
requirements. Easy-to-use solutions are developed by partners, consultants, developers to address key
security challenges. To detect and remediate threats, use these shared security components, from realtime correlation and behavioral modeling to custom responses and reference data.
Note: The combined memory requirements of all the apps that are installed on a QRadar Console cannot
exceed 10 per cent of the total available memory, or the apps won't work. If you exceed the 10 per cent
memory allocation and want to run more apps, use a dedicated appliance for your apps (AppNode appliance
for QRadar V7.3.1 or the AppHost appliance for QRadar V7.3.2 or later).
The IBM QRadar Assistant app helps you to manage and update your app and content extension
inventory, view app and content extension recommendations, follow the QRadar Twitter feed, and
get links to useful information. The app is automatically installed with QRadar V7.3.2 or later.
The following diagram shows the workflow for an app and the role who is typically responsible for
the work.
Figure 1. App workflow
FAQ
What is an app?
Apps create or add new functions in QRadar by providing new tabs, API methods, dashboard
items, menus, toolbar buttons, configuration pages, and more within the QRadar user
interface. You download apps from the IBM Security App Exchange. Apps that are created by
using the GUI Application Framework Software Development Kit integrate with
the QRadar user interface to deliver new security intelligence capabilities or extend the
current functions.
Every downloaded file from the IBM Security App Exchange is known as an extension. An
extension can consist of an app or security product enhancement (content extension) that is
packaged as an archive (.zip) file, which you can deploy on QRadar by using the Extensions
Management tool on the Admin tab.
Who can create an app?
You can use the GUI Application Framework Software Development Kit to create apps. For
more information about the GUI Application Framework Software Development Kit, see
the IBM Security QRadar App Framework Guide.
You download (https://developer.ibm.com/qradar/) the SDK from IBM developerWorks®.
How do I share my app?
Only certified content is shared in the IBM Security App Exchange, a new platform for
collaborating where you can respond quickly and address your security and platform
enhancement requirements. In the IBM Security App Exchange, you can find available apps,
discover their purpose, and what they look like, and learn what other users say about the
apps.
How do I get an app that I downloaded into QRadar?
A QRadar administrator downloads an extension and imports it into QRadar by using
the Extensions Management tool, which is used to upload the downloaded extension from
a local source.
Where do I get help for an app?
You can see information about an app in the overview section when you download the app
from the IBM Security App Exchange. For apps developed solely by IBM, you can find
information in the IBM Knowledge Center.
How much memory does an app need?
The combined memory requirements of all the apps that are installed on a QRadar Console cannot
exceed 10 per cent of the total available memory. If you install an app that causes the 10 per cent
memory limit to be exceeded, the app does not work.
If your app requires a minimum memory allocation, you must specify this allocation as part
of your app manifest. The default allocation is 200 MB.
What is the difference between an app, a content extension, and a content pack?
Extension
From within QRadar, an extension is a term that is used for everything that you download
from the IBM Security App Exchange. Sometimes that extension contains individual content
items, such as custom AQL functions or custom actions, and sometimes the extension
contains an app that is developed by using the GUI App Framework Software Development
Kit. You use the Extensions Management tool to install extensions.
App
An app is content that is created when you use the GUI App Framework Software
Development Kit. The app extends or creates new functions in QRadar.
Content extension
A content extension is typically used to update QRadar security template information or add
new content such as rules, reports, searches, logos, reference sets, custom properties.
Content extensions are not created by using the GUI Application Framework Software
Development Kit.
You download content packs from IBM Fix Central in RPM format.
Typically, content extensions differ from content packs because you download content packs
(RPM files) from IBM Fix Central (www.ibm.com/support/fixcentral).
Backup and restore applications
IBM® QRadar® provides a way to backup and restore application configurations separate from the
application data.
Application configurations are backed up as part of the nightly configuration backup. The
configuration backup includes apps that are installed on the QRadar Console and on an App Host.
You can restore the application configuration by selecting the Installed Applications
Configuration option when you restore a backup.
Application data is backed up separate from the application configuration by using an easy-to-use
script that runs nightly. You can also use the script to restore the app data, and to configure backup
times and data retention periods for app data.
Backing up and restoring apps
Use the IBM QRadar Backup and Recovery window on the Admin tab to back up and restore apps.
You can back up your apps by creating a configuration backup. A configuration backup does not
back up your app's data. For information on backing up your app's data, see Backing up and
restoring app data.
If an App Host is attached to your QRadar Console, the App Host's configuration is backed up as part
of the console's Deployment Configuration. You cannot restore an App Host on a QRadar
Console with a different IP address than the App Host was initially configured with.
By default, apps are restored to console unless an App Host is present. If QRadar cannot restore
apps to your App Host, it attempts to back restore them to the QRadar Console. The number of App
Host apps that can be restored onto the console is constrained by the amount of memory that is
available on the QRadar Console. Apps that are defined as node_only in their application manifest
file cannot be restored to the QRadar Console.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Backup and Recovery.
Select an existing backup in the Backup and Recovery window and click Restore.
Ensure that the Installed Applications Configuration check box is selected, and
click Restore.
Note: By selecting the Installed Applications Configuration check box, you restore the
install app configurations only. Extension configurations are not restored. Select
the Deployment Configuration check box if you want to restore extension configurations.
Backing up and restoring app data
Use the app-volume-backup.py script to back up and recover app data.
A configuration backup that you do on the backup and Recovery window does not back up your
apps' data. The /opt/qradar/bin/app-volume-backup.py script runs nightly at 2:30 AM,
and backs up each installed application's /store mounted volume. By default, data is retained for
7 days.
Use the script to do the following tasks:
•
•
•
•
Back up data manually for installed apps.
List all installed app data backups on the system.
Restore data for installed apps.
Run the retention process and set the retention period for backups.
This script is on both the QRadar® Console and the App Host if one is installed. The script backs up
app data only if apps are on the current host.
Procedure
1. Use SSH to log in to your Console or your App Host as the root user.
2. Go to the /opt/qradar/bin/ directory.
o Use the following command to back up app data:
./app-volume-backup.py backup
The app-volume-backup.py script runs nightly at 2:30 AM local time to back up
all installed apps. Backup archives are stored in the /store/apps/backup folder.
You can change the backup archives location by editing
the APP_VOLUME_BACKUP_DIR variable
in /store/configservices/staging/globalconfig/nva.conf. You must
deploy changes after you edit this variable.
o
To view all data backups for installed apps, enter the following command:
./app-volume-backup.py ls
This command outputs all backup archives that are stored in the backup archives
folder.
o
To restore a backup archive, enter the following command:
./app-volume-backup.py restore -i
<backup_name>
Use the ls command to find the name of a backup archive.
o
New in 7.5.0To restore data for a specific application instance, rather than restoring
all instances, enter the following command:
./app-volume-backup.py restore-interactive -i
<backup name>
Note: This function was added in QRadar 7.5.0 Update Package 1, and works only
with backups that were created after updating to 7.5.0 Update Package 1.
o
New in 7.5.0 Update Package 6To backup data for an individual application instance,
enter the following command:
/opt/qradar/bin/app-volume-backup.py backup -u
<app definition uuid>
In a multitenant deployment, you must specify the security profile associated with
the application instance that you want to backup. For
example, /opt/qradar/bin/app-volume-backup.py backup -u <app
definition uuid> -s <security profile id>
o
New in 7.5.0 Update Package 6To restore data for an individual application instance,
enter the following command:
/opt/qradar/bin/app-volume-backup.py restore -i
u
<backup tarball> -n -
<app definition uuid>
In a multitenant deployment, you must specify the security profile associated with
the application instance that you want to restore. For
example, /opt/qradar/bin/app-volume-backup.py restore -i <backup
tarball> -n -u <app definition uuid> -s <security profile id>
o
By default, all backup archives are retained for one week. The retention process runs
nightly at 2:30 AM local time with the backup.
▪ To perform retention manually, and use the default retention period, enter the
following command:
./app-volume-backup.py retention
▪
You can also set the retention period manually by adding -t (time - defaults to
1) and -p (period - defaults to 0) switches.
The -p switch accepts three values: 0 for a week, 1 for a day, and 2 for an
hour.
For example, to set the retention period for a backup to 3 weeks, enter the
following command:
./app-volume-backup.py retention -t 3 -p 0
o
If you want to change the retention time that is used by the nightly timer, add flags to
the retention command found in the following systemd service file.
/usr/lib/systemd/system/app-data-backup.service
For example, to change the retention period that is used by the nightly retention
process to 5 days, locate the following line:
ExecStart=/opt/qradar/bin/app-volume-backup.py retention
Replace it with:
ExecStart=/opt/qradar/bin/app-volume-backup.py retention -t 5 -p 1
Save your changes, and run the systemctl daemon-reload command for systemd to
apply the changes.
App containers are restarted automatically after the restore is complete.
Configuring the QRadar Assistant app
The QRadar® Assistant app is included in QRadar installations of version 7.3.1 and later. You can
download the app from the IBM® Security App Exchange (https://exchange.xforce.ibmcloud.com/)
for those versions. An Admin user must configure certain options to enable the Assistant app in
your QRadar environment.
About this task
QRadar requires that you use authentication tokens to authenticate the API that calls the app. Use
the Authorized Services to create authentication tokens before using the QRadar Assistant App. You
must have QRadar administrator privilege to create authorized service tokens.
QRadar on Cloud administrators should use Self Serve App to create authentication tokens with
Admin security profile and Admin user role. See Authorized Service Tokens .
Procedure
1. Click the Assistant app icon (
).
2. If you are the Admin configuring the Assistant app for the first time, complete the following
steps:
a. Enter a valid authorized service token into the banner on the Assistant app page and
click Save.
For more information, see How to add an authorized
service (https://www.ibm.com/docs/en/qsip/7.4?topic=services-addingauthorized-service).
Important: The security profile for the token must be Admin.
b. Click Settings, select the API Authentications tab, and enter your X-Force®
Exchange API Key and API Password. For more information, see Obtaining an API Key
and Password (https://api.xforce.ibmcloud.com/doc/#auth).
c. For Assistant 3.5.0 or later, click the gear icon on the Assistant app page to go to
the Settings page, and then enter the authorized service token, your X-Force®
Exchange API Key, and API password.
After an Admin configures the authorized service token and API key and password, other
Admin users do not need to perform this configuration. Non-Admin users can use the
Assistant app, but are not authorized to download and install apps.
3. To configure a proxy server for communication with X-Force Exchange, click Settings, select
the Proxy tab, and enter the following information for your proxy server:
a. Protocol
b. Address
c. Port
d. User name
e. Password
4. Click Save, then close the Settings window.
5. If you want to use the QRadar Phone Home Service, click Agree.
Managing authorized services
You can configure authorized services on the Admin tab to authenticate an API call for your IBM®
QRadar® deployment.
The QRadar RESTful API uses authorized services to authenticate API calls to the QRadar Console.
You can add or revoke an authorized service at any time. For more information about the RESTful
API, see the IBM QRadar API Guide.
The Manage Authorized Services window provides the following information:
Parameter
Description
Service Name The name of the authorized service.
Authorized By The name of the user or administrator that authorized the addition of the service.
Authentication
Removed in 7.4.3 The token that is associated with this authorized service.
Token
User Role
The user role that is associated with this authorized service.
Security
Profile
The security profile that is associated with this authorized service.
Created
The date that this authorized service was created.
Expires
The date and time that the authorized service expires. By default, the authorized service is valid for 30 days.
Table 1. Parameters for authorized services
Viewing authorized services
Removed in 7.4.3 The Authorized Services window displays a list of authorized services, from
which you can copy the token for the service.
Adding an authorized service
Use the Add Authorized Service window to add a new authorized service.
The authorized service token cannot be made visible after you close the Authorized Service
Created Successfully dialog. Copy the token to a secure location before you close the dialog.
Revoking authorized services
Use the Add Authorized Service window to revoke an authorized service.
Section 2: Performance Optimization
TASK: 2.1 Construct identity exclusions
SUBTASKS:
2.1.1. Display understanding of identity exclusions
• Identity exclusion searches
• Differences between identity exclusions searches and blocklists
2.1.2. Create identity exclusion searches
Identity exclusion searches
Identity exclusion searches can be used to manage single assets that accumulate large volumes of
similar identity information for known, valid reasons.
For example, log sources can provide large volumes of asset identity information to the asset
database. They provide IBM® QRadar® with near real-time changes to asset information and they
can keep your asset database current. But log sources are most often the source of asset growth
deviations and other asset-related anomalies.
When a log source sends incorrect asset data to QRadar, try to fix the log source so that the data it
sends is usable by the asset database. If the log source cannot be fixed, you can build an identity
exclusion search that blocks the asset information from entering the asset database.
You can also use an identity exclusion search where Identity_Username+Is Any Of + Anonymous
Logon to ensure that you are not updating assets that are related to service accounts or automated
services.
Differences between identity exclusion searches and blacklists
While identity exclusion searches appear to have similar functionality to asset blacklists, there are
significant differences.
Blacklists can specify only raw asset data, such as MAC addresses and host names, that is to be
excluded. Identity exclusion searches filter out asset data based on search fields like log source,
category, and event name.
Blacklists do not account for the type of data source that is providing the data, whereas identity
exclusion searches can be applied to events only. Identity exclusion searches can block asset
updates based on common event search fields, such as event type, event name, category, and log
source.
Creating identity exclusion searches
To exclude certain events from providing asset data to the asset database, you can create an IBM
QRadar identity exclusion search.
The filters that you create for the search must match events that you want to exclude, not the
events that you want to keep.
You might find it helpful to run the search against events that are already in the system. However,
when you save the search, you must select Real Time (streaming) in the Timespan options. If you
do not choose this setting, the search does not match any results when it runs against the live
stream of events that are coming into QRadar.
When you update the saved identity exclusion search without changing the name, the identity
exclusion list that is used by the Asset Profiler is updated. For example, you might edit the search to
add more filtering of the asset data that you want to exclude. The new values are included and the
asset exclusion starts immediately after the search is saved.
Procedure
1. Create a search to identify the events that do not provide asset data to the asset database.
a. On the Log Activity tab, click Search > New Search.
b. Create the search by adding search criteria and filters to match the events that you
want to exclude from asset updates.
c. In the Time Range box, select Real Time (streaming) and then click Filter to run
the search.
d. On the search results screen, click Save Criteria and provide the information for the
saved search.
Note: You can assign the saved search to a search group. An Identity Exclusion search
group exists in the Authentication, Identity and User Activity folder.
e. Click OK to save the search.
2. Identify the search that you created as an identity exclusion search.
a. On the navigation menu ( ), click Admin.
b. In the System Configuration section, click Asset Profiler Configuration.
c. Click Manage Identity Exclusion at the bottom of the screen.
d. Select the identity exclusion search that you created from the list of searches on the
left and click the add icon (>).
Tip: If you can't find the search, type the first few letters into the filter at the top of
the list.
e. Click Save.
3. On the Admin tab, click Deploy changes for the updates to take effect.
TASK: 2.2 Deal with resource restrictions
SUBTASKS:
2.2.1. Document the function of resource restrictions in distributed and non-distributed
environments
• Access wise
• Resource limitation wise
• Canceled searches
• Empty search results
• Inconsistent search results
• Limited search results
2.2.2. Configure resource restrictions
• Set resource restrictions to apply time or data limitations to event and flow searches
• Execution time, time span, record limit
2.2.3. Explain different types of resource restrictions
• User-based
• Role-based
• Tenant-based
Types of resource restrictions
You can set limitations on searches by configuring either time or data set restrictions based on user, role,
or tenant.
Resource restrictions are applied in the following order: user, user role, and tenant. For example,
restrictions that are set for a user take precedence over restrictions that are set for the user role or
tenant that the user is assigned to.
You can set the following types of restrictions on event and flow searches:
•
•
•
The length of time that a search runs before data is returned.
The time span of the data to be searched.
The number of records that are processed by the Ariel query server.
Note: Ariel search stops when the record limit is reached, but all in-progress search results
are returned to the search manager and are not truncated. Therefore, the search result set is
often larger than the specified record limit.
User-based restrictions
User-based restrictions define limits for an individual user, and they take precedence over role and
tenant restrictions.
For example, your organization hires university students to work with the junior analysts in your
SOC. The students have the same user role as the other junior analysts, but you apply more
restrictive user-based restrictions until the students are properly trained in
building QRadar® queries.
Role-based restrictions
Role-based restrictions allow you to define groups of users who require different levels of access to
your QRadar deployment. By setting role-based restrictions, you can balance the needs of different
types of users.
Tenant-based restrictions
In a Managed Security Service Provider (MSSP) or a multi-divisional organization, tenant-based
restrictions can help you ensure quality of service by preventing resource contention and
degradation of services. You can prevent a tenant from querying terabytes of data that can
negatively impact the system performance for all other tenants.
As an MSSP, you might define standard resource restrictions based on a set of criteria that each
tenant is compared to. For example, the standard configuration for a medium-sized tenant might
include resource restrictions that limit searches to accessing only the last 14 days of data and a
maximum of 10,000 records returned.
Configuring resource restrictions
Set resource restrictions to apply time or data limitations to event and flow searches.
About this task
You can set the following types of resource restrictions:
•
•
•
Execution time restrictions specify the maximum amount of time that a query runs before
data is returned.
Time span restrictions specify the time span of the data to be searched.
Record limit restrictions specify the number of data records that are returned by a search
query.
Users who run searches that are limited by resource restrictions see the resource restriction icon (
) next to the search criteria.
Note: The search result set is often larger than the specified record limit. When the record limit is reached,
the search manager signals all search participants to stop (there are multiple search participants even on a
single system), but results continue to accumulate until the search fully stops on all participants. All search
results are added to the result set.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Resource Restrictions.
3. If your deployment has tenants that are configured, click Role or Tenant to specify the type
of restrictions to set.
4. Double-click the role or tenant that you want to set restrictions for.
5. To set restrictions for all users who are assigned to the user role or tenant, follow these
steps:
a. Click the summary row at the top to open the Edit Restriction dialog box.
b. Click Enabled for the type of restriction that you want to set, and specify the
restriction values.
c. Click Save.
6. To set restrictions for a specific user, follow these steps:
a. Double-click the user that you want to set the restrictions for.
To search for a user, type the user name in the filter field.
b. Click Enabled for the type of restriction that you want to set, and specify the
restriction values.
c. Click Save.
TASK: 2.3 Rule configuration and tuning
SUBTASKS:
2.3.1. Explain different types of correlation rules
• Event rules
• Flow rules
• Common rules
• Offense rules
2.3.2. Create different types of correlation rules
• Rule creation wizard
• Test groups
• Response parameters
2.3.3. Tune rules
• Tuning wizard
• Basic rule tests familiarity
2.3.4. Identify expensive rules with QRadar support tolos
QRadar tuning
Before you tune QRadar, wait one day to enable QRadar to detect servers on your network, store
events and flows, and create offenses that are based on existing rules.
Administrators can do the following tuning tasks:
•
•
•
•
Optimize event and flow payload searches by enabling a payload index on the Log
Activity and Network Activity.
Provide a faster initial deployment and easier tuning by automatically or manually adding
servers to building blocks.
Configure responses to event, flow, and offense conditions by creating or modifying custom
rules and anomaly detection rules.
Ensure that each host in your network creates offenses that are based on the most current
rules, discovered servers, and network hierarchy.
Payload indexing
Use the Quick Filter function, which is available on the Log Activity and Network Activity tabs, to
search event and flow payloads.
To optimize the Quick Filter, you can enable a payload index Quick Filter property.
Enabling payload indexing might decrease system performance. Monitor the index statistics after
you enable payload indexing on the Quick Filter property.
For more information, see Index management.
Enabling payload indexing
You can optimize event and flow payload searches by enabling a payload index on the Log
Activity and Network Activity Quick Filter property.
Procedure
1.
2.
3.
4.
5.
6.
7.
Click the Admin tab.
In the System Configuration section, click Index Management.
In the Search field, type quick filter.
Right-click the Quick Filter property that you want to index.
Click Enable Index.
Click Save, and then click OK.
Optional: To disable a payload index, choose one of the following options:
o Click Disable Index.
o Right-click a property and select Disable Index from the menu.
Servers and building blocks
IBM QRadar automatically discovers and classifies servers in your network, providing a faster
initial deployment and easier tuning when network changes occur.
To ensure that the appropriate rules are applied to the server type, you can add individual devices or
entire address ranges of devices. You can manually enter server types that do not conform to unique
protocols into their respective Host Definition Building Block. For example, adding the following server
types to building blocks reduces the need for further false positive tuning:
•
•
•
•
Add network management servers to the BB:HostDefinition: Network Management
Servers building block.
Add proxy servers to the BB:HostDefinition: Proxy Servers building block.
Add virus and Windows update servers to the BB:HostDefinition: Virus Definition and
Other Update Servers building block.
Add vulnerability assessment (VA) scanners to the BB-HostDefinition: VA Scanner Source
IP building block.
The Server Discovery function uses the asset profile database to discover several types of servers
on your network. The Server Discovery function lists automatically discovered servers and you can
select which servers you want to include in building blocks.
Using Building blocks, you can reuse specific rule tests in other rules. You can reduce the number of
false positives by using building blocks to tune QRadar and enable extra correlation rules.
Adding servers to building blocks automatically
The Server Discovery function uses the asset profile database to discover different server types that
are based on port definitions. Then, you can select the servers to add to a server-type building block
for rules.
Procedure
1. Click Assets > Server Discovery.
2. In the Server Type list, select the server type that you want to discover.
Keep the remaining parameters as default.
3. Click Discover Servers.
4. In the Matching Servers pane, select the checkbox of all servers you want to assign to the
server role.
5. Click Approve Selected Servers.
Remember: You can right-click any IP address or host name to display DNS resolution
information.
Adding servers to building blocks manually
If a server is not automatically detected, you can manually add the server to its corresponding Host
Definition Building Block.
Procedure
1.
2.
3.
4.
Click the Offenses tab.
In the navigation pane, click Rules.
In the Display list, select Building Blocks.
In the Group list, select Host Definitions.
The name of the building block corresponds with the server type. For
example, BB:HostDefinition: Proxy Servers applies to all proxy servers in your
environment.
5. To manually add a host or network, double-click the corresponding Host Definition Building
Block appropriate to your environment.
6. In the Building Block field, click the underlined value for the source or destination IP
address.
7. In the Enter an IP address or CIDR field, type the host names or IP address ranges that you
want to assign to the building block.
8. Click Add > Submit.
9. Click Finish.
10. Repeat these steps for each server type that you want to add.
Configuring rules
From the Log Activity, Network Activity, and Offenses tab, you can configure rules or building
blocks.
Procedure
1.
2.
3.
4.
5.
Click the Offenses tab.
Double-click the offense that you want to investigate.
Click Display > Rules.
Double-click a rule.
Close the Rules wizard.
The Creation Date property changes to the date and time when you last updated a rule.
6. In the Rules page, click Actions.
7. Optional: If you want to prevent the offense from being removed from the database after the
offense retention period is elapsed, select Protect Offense.
8. Optional: If you want to assign the offense to a IBM QRadar user, select Assign.
Cleaning the SIM data model
Clean the SIM data model to ensure that each host creates offenses that are based on the most
current rules, discovered servers, and network hierarchy.
Procedure
1. Click the Admin tab.
2. On the toolbar, select Advanced > Clean SIM Model.
3. Select an option:
o Soft Clean to set the offenses to inactive.
o Soft Clean with the optional Deactivate all offenses check box to close
all offenses.
o Hard Clean to erase all entries.
4. Select the Are you sure you want to reset the data model checkbox.
5. Click Proceed.
6. After the SIM reset process is complete, refresh your browser.
Results
When you clean the SIM model, all existing offenses are closed. Cleaning the SIM model does not
affect existing events and flows.
Creating a custom rule
IBM® QRadar® includes rules that detect a wide range of activities, including excessive firewall denies,
multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect
unusual activity.
Before you begin
Before you create a new rule, you must have the Offenses > Maintain Custom Rules permission.
About this task
When you define rule tests, test against the smallest data possible. Testing in this way helps rule
test performance and ensures that you don't create expensive rules. To optimize performance, start
with broad categories that narrow the data that is evaluated by the rule test. For example, start
with a rule test for a specific log source type, network location, flow source, or context (R2L, L2R,
L2L). Any mid-level tests might include IP addresses, port traffic, or any other associated test. The
rule must test payload and regex expressions last.
Similar rules are grouped by category. For example, Audit, Exploit, DDoS, Recon, and more. When
you delete an item from a group, the rule or building block is only deleted from the group; it
remains available on the Rules page. When you delete a group, the rules or building blocks of that
group remain available on the Rules page.
Procedure
1. From the Offenses, Log Activity, or Network Activity tabs, click Rules.
2. From the Display list, select Rules to create a new rule.
3. Optional: From the Display list, select Building Blocks to create a new rule by using
building blocks.
4. From the Actions list, select a rule type.
Each rule type tests against incoming data from different sources in real time. For example,
event rules test incoming log source data and offense rules test the parameters of an offense
to trigger more responses.
5. In the Rule Wizard window, select the Skip this page when running this rules
wizard checkbox and click Next.
If you select the Skip this page when running this rules wizard checkbox,
the Welcome page does not appear each time that you start.
6. On the Rule Test Stack Editor page, in the Rule pane, type a unique name that you want to
assign to this rule in the Apply text box.
7. From the list box, select Local or Global.
o If you select Local, all rules are processed on the Event Processor on which they were
received and offenses are created only for the events that are processed locally.
o If you select Global, all matching events are sent to the QRadar Console for
processing and therefore, the QRadar Console uses more bandwidth and processing
resources.
Learn more about Local and Global rules:
Global rule tests
Use global rules to detect things like "multiple user login failures" where the events from
that user might appear on multiple Event processors. For example, if you configured
a Local rule for five login failures in 10 minutes from the same username, all 5 of those login
failures must appear on the same Event Processor. Therefore, if three login failures were on
one Event Processor and 2 were on another, no offense is generated. However, if you set this
rule to Global, it generates an offense.
8. From the Test Group list, select one or more tests that you want to add to this rule. The CRE
evaluates rule tests line-by-line in order. The first test is evaluated and when true, the next
line is evaluated until the final test is reached.
If you want to select the when the event matches this AQL filter query test for a new
event rule, click the add (+) icon. In the Rule pane, click This and enter an AQL WHERE
clause query in the Enter an AQL filter query text box.
Learn more about using rules for events that are not detected:
The following rule tests can be triggered individually, but rule tests in the same rule test
stack are not acted upon.
o
o
o
when the event(s) have not been detected by one or more of these log source
types for this many seconds
when the event(s) have not been detected by one or more of these log sources
for this many seconds
when the event(s) have not been detected by one or more of these log source
groups for this many seconds
These rule tests are not activated by an incoming event, but instead are activated when a
specific event is not seen for a specific time interval that you configured. QRadar uses
a watcher task that periodically queries the last time that an event was seen (last seen time),
and stores this time for the event, for each log source. The rule is triggered when the
difference between this last seen time and the current time exceeds the number of seconds
that is configured in the rule.
9. To export the configured rule as a building block to use with other rules, click Export as
Building Block.
10. On the Rule Responses page, configure the responses that you want this rule to generate.
Learn more about rule response page parameters:
Parameter
Description
Severity
Select this checkbox to assign a severity level to the event, where 0 is the lowest and 10 is
the highest. The severity is displayed in the Annotation pane of the event details.
Credibility
Select this checkbox to assign credibility to the log source. For example, is the log source
noisy or expensive? The range is 0 (lowest) to 10 (highest) and the default is 10. Credibility
is displayed in the Annotation pane of the event details.
Relevance
Select this checkbox to assign relevance to the weight of the asset. For example, how much
do you care about the asset? The range is 0 (lowest) to 10 (highest) and the default is 10.
Relevance is displayed in the Annotation pane of the event details.
Bypass further Select this checkbox to match an event or flow to bypass all other rules in the rule
rule correlation engine and prevent it from creating an offense. The event is written to storage for
event
searching and reporting.
Select this checkbox to dispatch a new event in addition to the original event or flow,
which is processed like all other events in the system.
Dispatch New
Event
Dispatches a new event with the original event, and is processed like all other events
in the system.
The Dispatch New Event parameters are displayed when you select this checkbox .
By default, the checkbox is clear.
Email
Select this checkbox to change the Email Locale setting from the System Settings on
the Admin tab.
Parameter
Description
Select this checkbox to log the event or flow locally.
Send to Local
Syslog
By default, this checkbox is clear.
Note: Only normalized events can be logged locally on an appliance. If you want to send raw
event data, you must use the Send to Forwarding Destinations option to send the data to a
remote syslog host.
Select this checkbox to log the event or flow on a forwarding destination.
Send to
Forwarding
Destinations
A forwarding destination is a vendor system, such as SIEM, ticketing, or alerting
systems. When you select this checkbox, a list of forwarding destinations is
displayed.
Notify
To add, edit, or delete a forwarding destination, click the Manage Destinations link.
Select this checkbox to display events that are generated as a result of this rule in
the System Notifications item on the Dashboard tab.
If you enable notifications, configure the Response Limiter parameter.
Select this checkbox to add events that are generated as a result of this rule to a
reference set. You must be an administrator to add data to a reference set.
Add to
Reference Set
To add data to a reference set, follow these steps:
o
o
From the first list, select the property of the event or flow that you
want to add.
From the second list, select the reference set to which you want to add
the specified data.
Add to
Reference Data To use this rule response, you must create the reference data collection.
Select this checkbox to remove data from a reference set.
To remove data from a reference set:
o
Remove from
Reference Set
o
From the first list box, select the property of the event or flow that you
want to remove. Options include all normalized or custom data.
From the second list box, select the reference set from which you want
to remove the specified data.
The Remove from Reference Set rule response provides the following function:
Refresh
Click Refresh to refresh the first list box to ensure that the list is current.
Remove from
Reference Data To use this rule response, you must have a reference data collection.
Parameter
Description
Select this checkbox to write scripts that do specific actions in response to network events.
For example, you might write a script to create a firewall rule that blocks a particular source
Execute Custom IP address from your network in response to repeated login failures.
Action
You add and configure custom actions by using the Define Actions icon on
the Admin tab.
Response
Limiter
Select this checkbox to configure the frequency in which you want this rule to respond.
Table 1. Event , Flow and Common Rule, and Offense Rule Response page parameters
An SNMP notification might resemble the following example:
"Wed Sep 28 12:20:57 GMT 2005, Custom Rule Engine Notification Rule 'SNMPTRAPTst' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name:
ICMP Destination Unreachable Communication with Destination Host is
Administratively Prohibited, QID: 1000156, Category: 1014, Notes:
Offense description"
A syslog output might resemble the following example:
Sep 28 12:39:01 localhost.localdomain ECS:
Rule 'Name of Rule' Fired: 172.16.60.219:12642
-> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID:
1000398, Category: 1011, Notes: Event description
•
Example: Configuring a Modified Offense Rule Test
You can apply a modified offense rule test when any offense property is changed based on
the events that are associated with that offense. Modified rule tests allow for better
configuration of how and when rules are implemented.
IBM® QRadar building blocks
Building blocks group commonly used tests to build complex logic so that they can be used in rules.
Building blocks use the same tests that rules use, but have no actions that are associated with them.
They're often configured to test groups of IP addresses, privileged user names, or collections of
event names. For example, you might create a building block that includes the IP addresses of all
mail servers in your network, then use that building block in another rule, to exclude those hosts.
The building block defaults are provided as guidelines, which can be reviewed and edited based on
the needs of your network.
You can configure the host definition building blocks (BB:HostDefinition) to enable QRadar® to
discover and classify more servers on your network. If a particular server is not automatically
detected, you can manually add the server to its corresponding host definition building block. This
action ensures that the appropriate rules are applied to the particular server type. You can also
manually add IP address ranges instead of individual devices.
Edit the following building blocks to reduce the number of offenses that are generated by high
volume traffic servers:
BB:HostDefinition
VA Scanner Source IP
BB:HostDefinition
Network Management Servers
BB:HostDefinition
Virus Definition and Other Update Servers
BB:HostDefinition
Proxy Servers
BB:NetworkDefinition
NAT Address Range
BB:NetworkDefinition
Trusted Network
Tuning building blocks
Building blocks group commonly used tests, to build complex logic, so they can be used in rules.
You can edit building blocks to reduce the number of false positives that are generated
by IBM® QRadar®.
About this task
To edit building blocks, you must add the IP address or IP addresses of the server or servers into
the appropriate building blocks.
Procedure
1.
2.
3.
4.
5.
6.
Click the Offenses tab.
On the navigation menu, click Rules.
From the Display list, select Building Blocks.
Double-click the building block that you want to edit.
Update the building block.
Click Finish.
The following table describes editable building blocks.
Building Block
BB:NetworkDefinition:
NAT Address Range
BB:HostDefinition:
Network Management
Servers
Description
Edit the and where either the source or destination IP is one of the
following test to include the IP addresses of the Network Address
Translation (NAT) servers.
Edit this building block only if you have a detection in the nonNATd address space. Editing this building block means that offenses are
not created for attacks that are targeted or sourced from this IP address
range.
Network management systems create traffic, such as ICMP (Internet
Control Message Protocol) sweeps to discover hosts. QRadar SIEM might
consider this threatening traffic. To ignore this behavior and define
network management systems, edit the and when either the source or
destination IP is one of the following test to include the IP addresses of
the Network Management Servers (NMS), and other hosts that normally
perform network discovery or monitoring.
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of the proxy servers.
BB:HostDefinition: Proxy Edit this building block if you have sufficient detection on the proxy
Servers
server. Editing this building block prevents offense creation for attacks
BB:HostDefinition: VA
Scanner Source IP
that are targeted or sourced from the proxy server. This adjustment is
useful when hundreds of hosts use a single proxy server and that single IP
address of the proxy server might be infected with spyware.
Vulnerability assessment products launch attacks that can result in
offense creation. To avoid this behavior and define vulnerability
assessment products or any server that you want to ignore as a source,
edit the and when the source IP is one of the following test to include
the IP addresses of the following scanners:
o
o
VA Scanners
Authorized Scanners
BB:HostDefinition: Virus Edit the and when either the source or destination IP is one of the
Definition and Other
following test to include the IP addresses of virus protection and update
Update Servers
function servers.
Edit the and when the source is located in test to include geographic
BB:Category Definition: locations that you want to prevent from accessing your network. This
Countries with no Remote change enables the use of rules, such as anomaly: Remote Access from
Access
Foreign Country to create an offense when successful logins are detected
from remote locations.
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of servers that are used for
BB:ComplianceDefinition:Gramm-Leach-Bliley Act (GLBA) compliance. By populating this building
GLBA Servers
block, you can use rules such as Compliance: Excessive Failed Logins to
Compliance IS, which create offenses for compliance and regulationbased situations.
Building Block
Description
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of servers that are used for
BB:ComplianceDefinition:Health Insurance Portability and Accountability Act (HIPAA) compliance.
HIPAA Servers
By populating this building block, you can use rules, such as Compliance:
Excessive Failed Logins to Compliance IS, which create offenses for
compliance and regulation-based situations.
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of servers that are used for SOX
BB:ComplianceDefinition:(Sarbanes-Oxley Act) compliance. By populating this building block, you
SOX Servers
can use rules, such as Compliance: Excessive Failed Logins to
Compliance IS, which create offenses for compliance and regulationbased situations.
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of servers that are used for PCI
BB:ComplianceDefinition:DSS (Payment Card Industry Data Security Standards) compliance. By
PCI DSS Servers
populating this building block, you can use rules such as Compliance:
Excessive Failed Logins to Compliance IS, which creates offenses for
compliance and regulation-based situations.
Edit the and when either the source or destination IP is one of the
BB:NetworkDefinition: following test to include the broadcast addresses of your network. This
Broadcast Address Space change removes false positive events that might be caused by the use of
broadcast messages.
BB:NetworkDefinition:
Client Networks
Edit the and when the local network is test to include workstation
networks that users are operating.
BB:NetworkDefinition:
Server Networks
Edit the when the local network is test to include any server networks.
Edit the and when the local network is test to include the IP addresses
that are considered to be a dark net. Any traffic or events that are directed
towards a dark net is considered suspicious.
Edit the and when the any IP is a part of any of the following test to
BB:NetworkDefinition: include the remote services that might be used to obtain information from
DLP Addresses
the network. This change can include services, such as WebMail hosts or
file sharing sites.
BB:NetworkDefinition:
Darknet Addresses
BB:NetworkDefinition:
DMZ Addresses
Edit the and when the local network test to include networks that are
considered to be part of the network’s DMZ.
BB:PortDefinition:
Authorized L2R Ports
Edit the and when the destination port is one of the following test to
include common outbound ports that are allowed on the network.
BB:NetworkDefinition:
Watch List Addresses
Edit the and when the local network is to include the remote networks
that are on a watch list. This change helps to identify events from hosts
that are on a watch list.
BB:FalsePositive: User
Edit this building block to include any categories that you want to
Defined Server Type False consider as false positives for hosts that are defined in
Positive Category
the BB:HostDefinition: User Defined Server Type building block.
Building Block
Description
BB:FalsePositive: User
Edit this building block to include any events that you want to consider as
Defined Server Type False false positives for hosts that are defined in the BB:HostDefinition: User
Positive Events
Defined Server Type building block.
Edit this building block to include the IP address of your custom server
type. After you add the servers, you must add any events or categories
BB:HostDefinition: User that you want to consider as false positives to this server, as defined in
Defined Server Type
the BB:FalsePositives: User Defined Server Type False Positive Category
or the BB:False Positives: User Defined Server Type False Positive
Events building blocks.
Table 1. Building blocks to edit.
You can include a CIDR range or subnet in any of the building blocks instead of listing the IP
addresses. For example, 192.168.1/24 includes addresses 192.168.1.0 to 192.168.1.255. You
can also include CIDR ranges in any of the BB:HostDefinition building blocks.
Tip: For more information, see the IBM QRadar Administration Guide.
Use the IBM QRadar Use Case Manager to review your building blocks. Download the app at
the IBM Security App
Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/bf01ee398bde8e5866fe5
1d0e1ee684a).
Creating an OR condition within the CRE
You can create a conditional OR test within the Custom Rules Engine (CRE), which gives you more
options for defining your rules by using building blocks.
About this task
For each extra test that you add, it can be only an AND or AND NOT conditional test. To create an
OR condition within the CRE you must place each separate set of conditions into a building block,
and then create a new rule or building block that uses the when <selected_rule> matches any
of the following rules rule.
Both building blocks are then loaded when the test is applied.
Procedure
1. Click the Offenses tab.
2. On the navigation menu, click Rules.
3. From the Actions list, select one of the following options:
o New Event Rule Select this option to configure a rule for events.
o New Flow Rule Select this option to configure a rule for flows.
o New Common Rule Select this option to configure a rule for events and flows.
o New Offense Rule Select this option to configure a rule for offenses.
4. Read the introductory text and then click Next.
You are prompted to Choose the source from which you want this rule to generate.
The default is the rule type that you selected on the Offenses tab.
5. Optional: Select the rule type that you want to apply to the rule, and then click Next.
6. From the Type to filter menu, select one of the following corresponding tests that is based
on the option that you choose in step 3, and then click the (+) icon for the test.
o when an event matches any|all of the following rules
o when a flow matches any|all of the following rules
o when a flow or an event matches any|all of the following rules
o when the offense matches any of the following offense rules
For example, if you select New Event Rule in step 3, select when an event matches any|all
of the following rules.
7. In the Rule pane, select one of the following corresponding tests that is based on the option
that you choose in step 3, and then click rules.
o and when an event matches any of the following rules
o and when a flow matches any of the following rules
o and when a flow or an event matches any of the following rules
o and when the offense matches any of the following offense rules
For example, if you select New Event Rule in step 3, select and when an event matches
any of the following rules, and then click rules.
8. From the Select the rule(s) to match and click 'Add' field, select multiple building blocks
by holding down the Ctrl key and click Add +.
If you select the offense rule, select building blocks from the Select an offense rule and
click 'Add' field.
9. Click Submit.
Guidelines for tuning system performance
How you tune IBM® QRadar® depends on different scenarios and whether you have one target or
many targets within your network.
To ensure reliable system performance, you must consider the following guidelines:
•
•
•
•
Disable rules that produce numerous unwanted offenses.
To tune CRE rules, increase the rule threshold by doubling the numeric parameters and the
time interval.
Consider modifying rules to consider the local network context rather than the remote
network context.
When you edit a rule with the attach events for the next 300 seconds option enabled, wait
300 seconds before you close the related offenses.
The following table provides information on how to tune false positives according to these differing
scenarios.
Scenario
One attacker,
one event
One Target
Use the False Positive
Wizard to tune the
specific event.
Many Targets
Use the False Positive Wizard to tune the specific
event.
One attacker,
Use the False Positive
many unique
Wizard to tune the
Use the False Positive Wizard to tune the category.
events in the
category.
same category
Use the False Positive
Many attackers,
Edit the building blocks by using the Custom Rules
Wizard to tune the
one event
Editor to tune the specific event.
specific event.
Many attackers,
Use the False Positive
many events in
Edit building blocks by using the Custom Rules
Wizard to tune the
the same
Editor to tune the category.
category.
category
Investigate the offense
and determine the nature
One attacker, of the attacker. If the
Investigate the offense and determine the nature of the
many unique
offense or offenses can be
attacker. If the offense or offenses can be tuned out, edit
events in
tuned out, edit the
the building blocks by using the Custom Rules Editor to
different
building blocks by using
tune the categories for the host IP address.
categories
the Custom Rules
Editor to tune categories
for the host IP address.
Many attackers,
Edit the building blocks
many unique
by using the Custom
Edit the building blocks by using the Custom Rules
events in
Rules Editor to tune the Editor to tune the categories.
different
categories.
categories
Scenario
One Target
Many Targets
Table 1. Tuning methodology.
•
Tuning false positives
You can tune false positive events and flows to prevent them from creating offenses.
https://www.ibm.com/docs/en/qsip/7.5?topic=performance-tuning-false-positives
Tuning false positives
You can tune false positive events and flows to prevent them from creating offenses.
Before you begin
To create a new rule, you must have the Offenses > Maintain Custom Rules permission for
creating customized rules to tune false positives. For more information about roles and
permissions, see the IBM® QRadar User Guide.
Procedure
1. Click the Log Activity tab, or the Network Activity tab.
2. Select the event or flow that you want to tune.
3. Click False Positive.
Note: If you are viewing events or flows in streaming mode, you must pause streaming
before you click False Positive.
4. Select one of the following Event or Flow Property options:
o Event/Flow(s) with a specific QID of <Event>
o Any Event/Flow(s) with a low-level category of <Event>
o Any Event/Flow(s) with a high-level category of <Event>
5. Select one of the following Traffic Direction options:
o <Source IP Address> to <Destination IP Address>
o <Source IP Address> to Any Destination
o Any Source to <Destination IP Address>
o Any Source to any Destination
6. Click Tune.
QRadar® prevents you from selecting Any Events/Flow(s) and Any Source To Any
Destination. This change creates a custom rule and prevents QRadar from creating offenses.
False positives configuration
The rule FalsePositive: False Positive Rules and Building Blocks is the first rule to execute in the
CRE. When it loads, all of its dependencies are loaded and tested.
Manage the configuration of false positives to minimize their impact on legitimate threats and
vulnerabilities. To prevent IBM® QRadar® from generating an excessive number of false positives,
you can tune false positive events and flows to prevent them from creating offenses.
False positive rule chains
The first rule to execute in the custom rules engine (CRE) is FalsePositive:False Positive Rules and
Building Blocks. When it loads, all of its dependencies are loaded and tested.
When an event or flow successfully matches the rule, it bypasses all other rules in the CRE to
prevent it from creating an offense.
Creating false positive building blocks
When you create false positive building blocks within QRadar, you must review the following
information:
Naming conventions
Use a methodology similar to the default rule set, by creating new building blocks by using the
following naming convention:
<CustomerName>-BB:False Positive: All False Positive Building Blocks,
where <CustomerName> is a name that you assign to the false positive building block.
False positive building blocks
Building blocks must contain the test: and when a flow or an event matches any of the
following rules. This test is a collection point for false positive building blocks and helps you to
quickly find and identify customizations. Note the following guidelines when you create your false
positive building blocks:
•
•
•
When the <CustomerName>-BB:False Positive: All False Positive Building
Block is created, add it to the test in the rule FalsePositive: False Positive Rules
and Building Blocks.
When the new false positive building block is created, you can create new building
blocks to match the traffic that you want to prevent from creating offenses. Add these
building blocks to the <CustomerName>-BB:False Positive: All False Positive
Building block.
To prevent events from creating offenses, you must create a new building block that
matches the traffic that you are interested in. Save as a building
block <CustomerName>-BB:False Positive: <name_of_rule>, then
edit <CustomerName>-BB:False Positive: All False Positive building blocks, to
include the rule that you created.
Note: If you add a rule or building block that includes a rule to the FalsePositive: False Positive
Rules and Building Blocks rule, the rule that you add runs before the event bypasses the CRE and
might create offenses by overriding the false positive test.
Custom rule testing order
When you build custom rules, you must optimize the order of the testing to ensure that the rules do
not impact custom rules engine (CRE) performance.
The tests in a rule are executed in the order that they are displayed in the user interface. The most
memory intensive tests for the CRE are the payload and regular expression searches. To ensure that
these tests run against a smaller subset of data and execute faster, you must first include one of the
following tests:
•
•
•
•
•
•
•
•
when the event(s) were detected by one or more of these log source types
when the event QID is one of the following QIDs
when the source IP is one of the following IP addresses
when the destination IP is one of the following IP addresses
when the local IP is one of the following IP addresses
when the remote IP is one of the following IP addresses
when either the source or destination IP is one of the following IP addresses
when the event(s) were detected by one of more of these log sources
You can further optimize QRadar® by exporting common tests to building blocks. Building blocks
execute per event as opposed to multiple times if tests are individually included in a rule.
QRadar: Troubleshooting Custom Rule
performance with findExpensiveCustomRules.sh
Problem
If not tuned properly, custom rules can cause performance issues. Warning messages such
as "Custom Rule Engine has sent a total of X event(s) directly to storage" in qradar.error
can indicate issues with rules. This article explains how to troubleshoot rule performance
by using the findExpensiveCustomRules.sh script.
Cause
A common cause for this issue is rules that need to be tuned in the QRadar deployment. If
a rule takes too long to execute, it could cause a performance issue. The result can cause
events to be routed directly to storage.
Examples of Expensive Rules are:
•
•
Payload-related tests that use Pattern or Curly regex-based calls.
The order in the rule can make the difference between a good rule and an expensive
rule.
Host and Port Profiles are expensive, especially if the asset and port vulnerability
databases are large.
Diagnosing The Problem
If events were sent to store, messages similar to the following appear in qradar.error:
[[type=com.eventgnosis.system.ThreadedEventProcessor][parent=device_name:ecs ep/EP/Processor2]] com.q1labs.semsources.cre.CRE: [WARN] [NOT:0080004101][x.x.x.x/-] [-/- -]Custom Rule Engine has sent a total of 5455 event(s) directly to storage.
5455 event(s) were sent in the last 60 seconds. Queue is at 80 percent capacity.
[[type=com.eventgnosis.system.ThreadedEventProcessor][parent=device_name:ecs ep/EP/Processor2]] com.q1labs.semsources.cre.CRE: [WARN] [NOT:0080004101][x.x.x.x/-] [-/- -]Custom Rule Engine has sent a total of 2734 event(s) directly to storage.
2734 event(s) were sent in the last 60 seconds. Queue is at 100 percent capacity.
Resolving The Problem
What is the findExpensiveCustomRules script?
The findExpensiveCustomRules.sh script is designed to query the QRadar data
pipeline and report on the processing statistics from the Custom Rules Engine (CRE). The
script monitors metrics and collects statistics on how many events hit each rule, how long
it takes to process a rule, total execution time, and average execution time. When the
script completes, it turns off these performance metrics.
The findExpensiveCustomRules.sh script is a useful tool for creating on-demand
reports for rule performance and not for tracking historical rule data in QRadar. The core
functionality of this script is often run when users see events routed to storage between
components in QRadar.
Part 1: How to run the findExpensiveCustomRules script
1. Using SSH, log in to the QRadar appliance that is reporting the events routed to
store.
The following appliance types run ECS-EP and the log files show the hostname of
the appliance that is reporting the issue:
o QRadar 16xx Event Processor appliances
o QRadar 17xx Flow Processor appliances
o QRadar 18xx Combination Event and Flow appliances
o QRadar 21xx Log Manager appliance
o QRadar 31xx Consoles
2. Run the findExpensiveCustomRules.sh script to review for any rules that are
expensive and tune them as required:
/opt/qradar/support/findExpensiveCustomRules.sh -d /root
Note: The -d option specifies the path of the output
of findExpensiveCustomRules.sh
Example output:
Data can be found in /root/CustomRule-2022-03-02-905476050.tar.gz
3. Use WinSCP or an equivalent tool to move the CustomRule-yyyy-mm-ddseconds.tar.gz file to your local laptop or workstation.
4. Use a compression utility to extract the CustomRule-yyyy-mm-ddseconds.tar.gz file to a .tar file.
5. Extract the .tar file a second time to access the Expensive Custom Rules report
text file. The output contains a .txt file, .xml file, and a folder named "reports".
6. Open CustomRule-yyyy-mm-dd-seconds.txt file in any spreadsheet
program as a CSV file.
Alternatively the output can be analyzed by using the command line by:
• Decompressing the file generated
tar -xvzf <file_name>
Example:
tar -xvzf CustomRule-2022-10-24-17-37.tar.gz
• Moving to the new decompressed
cd CustomRule-2022-10-24-17-37
•
folder:
Open the reports/AverageTestTime<date_stamp>.report and reports/AverageResponseTime.report files.
head reports/AverageTestTime-* reports/AverageResponseTime-* | sed
's/com.*\,name\=//g'
Part 2: What to look for in the CustomRule report
1. Sort the AverageResponseTime column and AverageTestTime column to look for
large values. It identifies which rules take more time on average to run than others.
Expensive rules are displayed first and are typically a magnitude larger in size than
the rules that are running efficiently. Look for values that are 0.01 or larger; these
are considered potentially expensive rules that require review.
2. Alternately, review the TotalExecutionTime column to find the rules that are
taking much longer to complete than other rules.
3. Typically, rules that use "Payload Contains" or "Payload Matches REGEX" are
expensive.
4. Review the output of this report to match rule names from the Dashboard System
Notifications to execution time for that specific rule in QRadar.
5. If AverageExecutionTime is high, but the event count is low, the rule might not be
what is causing the issue.
Example report:
Output example if the file is being reviewed by using the command line:
==> reports/AverageTestTime-2023-06-09-17-24.report <==
0.00628894 Rule_QRadar Audit> Shared Account
0.005786699999999997 Rule_Reference Test
0.002238430000000001 Rule_User>BB>HostDefinition> Server Type 3 - User Defined
0.0018611400000000022 Rule_Excessive Firewall Denies from Single Source
0.0018289500000000021 Rule_BB>HostDefinition> Virus Definition and Other Update
Servers
0.0018138199999999996 Rule_Local host on Botnet CandC List (DST)
0.0018058699999999996 Rule_Host Port Scan Detected by Remote Host
0.0017851399999999984 Rule_BB>NetworkDefinition> Honeypot like Addresses
0.0017358700000000016 Rule_BB>NetworkDefinition> Broadcast Address Space
0.001588610000000001 Rule_BB>NetworkDefinition> Darknet Addresses
==> reports/AverageResponseTime-2023-06-09-17-24.report <==
0.12540199999999999 Rule_System> Notification
0.08520499999999999 Rule_test_rule_support
0.052504999999999996 Rule_QRadar Audit> Shared Account
0.02857951 Rule_QRadar Audit> QRadar Hosts
3.7099999999999996E-4 Rule_BB>DeviceDefinition> FW fsl Router fsl Switch
2.53E-4 Rule_BB>PortDefinition> SSH Ports
2.37E-4 Rule_BB>CategoryDefinition> Firewall or ACL Denies
1.9846000000000008E-4 Rule_Source Address is a Bogon IP
1.945789473684211E-4 Rule_BB>CategoryDefinition> Superuser Accounts
1.882699999999999E-4 Rule_Source Asset Weight is Low
Part 3: What to do next
1. Find the expensive Rule in the Offenses tab and disable it. Do not modify or delete
the rule yet.
2. Verify in the Dashboard notifications to confirm if the warnings no longer appear.
3. If the notifications are still occurring, recheck the CustomRule report and
verify whether there are any other entries that look suspicious.
4. If you confirm that the disabled rule is causing the notifications, modify it to be less
expensive or delete it.
Note: The sequence that the rules are laid out can make a difference in
performance. Information on best practices for writing rules can be found
in Everything you need to know about QRadar Rules (for beginners and experts)
Part 4: Alternate issues that can cause Custom Rule error messages
•
•
•
•
•
Verify whether any rules are configured as Global rules. In some cases, Global rules
can cause excessive events to be processed by the console and resulting in an MPC
queue to max out. In this case, change any Global rules to Local rules, if possible.
Verify how many Managed Hosts (MHs) are in the deployment. Sometimes, when
there are several MHs in the deployment, and only the console has 1k EPS, it might
be required to get a 5k EPS console license from the licensing team. In this case,
request a 5k EPS console license from [email protected].
Payload-related tests that use "Pattern" or "Curly" regex-based calls can be
expensive. Payload tests can end up scanning every event, if not careful. Try to filter
on log source, log source type, and maybe an IP address before doing payload tests.
The order of tests makes a difference in the rule or CRE.
Host and Port profiles are also expensive, especially if the asset database, port
profile, or vulnerabilities data is large. For more information on host and port
profiles, see the tuning guide.
If the X-force data feed is enabled, X-force lookups can cause the error message.
Custom rules
IBM® QRadar® includes rules that detect a wide range of activities, including excessive firewall
denies, multiple failed login attempts, and potential botnet activity. You can also create your own
rules to detect unusual activity.
What are custom rules?
Customize default rules to detect unusual activity in your network.
Rule types
Each of the event, flow, common, and offense rule types test against incoming data from different sources
in real time. There are multiple types of rule tests. Some check for simple properties from the data set.
Other rule tests are more complicated. They track multiple, event, flow, and offense sequences over a
period of time and use "counter" that is on one or more parameters before a rule response is triggered.
Event rules
Test against incoming log source data that is processed in real time by the QRadar Event Processor.
You create an event rule to detect a single event or event sequences. For example, to monitor your
network for unsuccessful login attempts, access multiple hosts, or a reconnaissance event followed
by an exploit, you create an event rule. It is common for event rules to create offenses as a
response.
Flow rules
Test against incoming flow data that is processed by the QRadar Flow Processor. You can create a
flow rule to detect a single flow or flow sequences. It is common for flow rules to create offenses as
a response.
Common rules
Test against event and flow data. For example, you can create a common rule to detect events and
flows that have a specific source IP address. It is common for common rules to create offenses as a
response.
Offense rules
Test the parameters of an offense to trigger more responses. For example, a response generates
when an offense occurs during a specific date and time. An offense rule processes offenses only
when changes are made to the offense. For example, when new events are added, or the system
scheduled the offense for reassessment. It is common for offense rules to email a notification as a
response.
Managing rules
You can create, edit, assign rules to groups, and delete groups of rules. By categorizing your rules or
building blocks into groups, you can efficiently view and track your rules. For example, you can
view all rules that are related to compliance.
Domain-specific rules
If a rule has a domain test, you can restrict that rule so that it is applied only to events that are
happening within a specified domain. An event that has a domain tag that is different from the
domain that is set on, the rule does not trigger a response.
To create a rule that tests conditions across the entire system, set the domain condition to Any
Domain.
Rule conditions
Most rule tests evaluate a single condition, like the existence of an element in a reference data
collection or testing a value against a property of an event. For complex comparisons, you can test
event rules by building an Ariel Query Language (AQL) query with WHERE clause conditions. You
can use all of the WHERE clause functions to write complex criteria that can eliminate the need to
run numerous individual tests. For example, use an AQL WHERE clause to check whether inbound
SSL or web traffic is being tracked on a reference set.
You can run tests on the property of an event, flow, or offense, such as source IP address, severity of
event, or rate analysis.
With functions, you can use building blocks and other rules to create a multi-event, multi-flow, or
multi-offense function. You can connect rules by using functions that support Boolean operators,
such as OR and AND. For example, if you want to connect event rules, you can use when an event
matches any|all of the following rules function.
TASK: 2.4 Index management
SUBTASKS:
2.4.1. Enable indexes
2.4.2. Enable payload indexing
2.4.3. Describe the use of index management
• What is an index
• Reading the index management interface
2.4.4. Configure retention period for payload indexes
Enabling indexes
The Index Management window lists all event and flow properties that can be indexed and provides
statistics for the properties. Toolbar options allow you to enable and disable indexing on selected event
and flow properties.
About this task
Modifying database indexing might decrease system performance. Ensure that you monitor the
statistics after you enable indexing on multiple properties.
Procedure
1.
2.
3.
4.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Index Management.
Select one or more properties from the Index Management list.
Choose one of the following options:
Situation
Time frame Action
Reason
The index is disabled
and % of Searches
Using Property is
above 30% and % of
Searches Missing
Index is above 30%.
24 hours, 7
days, or 30
days
Click Enable
Index.
This search property is used often. Enabling an
index can improve performance.
Click Disable
Index.
The enabled index is not used in the searches.
Disable the indexed property to preserve disk
space.
The index is enabled
and % of Searches
30 days
Using Property is zero.
5. Click Save.
6. Click OK.
Results
In lists that include event and flow properties, indexed property names are appended with the
following text: [Indexed]. Examples of such lists include the search parameters on the Log
Activity and Network Activity tab search criteria pages, and the Add Filter window.
Index management
Use Index Management to control database indexing on event and flow properties. To improve the
speed of searches in IBM® QRadar®, narrow the overall data by adding an indexed field in your
search query.
An index is a set of items that specify information about data in a file and its location in the file
system. Data indexes are built in real-time as data is streamed or are built upon request after data is
collected. Searching is more efficient because systems that use indexes don't have to read through
every piece of data to locate matches. The index contains references to unique terms in the data and
their locations. Because indexes use disk space, storage space might be used to decrease search
time.
Use indexing event and flow properties first to optimize your searches. You can enable indexing on
any property that is listed in the Index Management window and you can enable indexing on more
than one property. When a search starts in QRadar, the search engine first filters the data set by
indexed properties. The indexed filter eliminates portions of the data set and reduces the overall
data volume and number of event or flow logs that must be searched. Without any
filters, QRadar takes more time to return the results for large data sets.
For example, you might want to find all the logs in the past six months that match the text: The
operation is not allowed. By default, QRadar stores full text indexing for the past 30 days.
Therefore, to complete a search from the last 6 months, the system must reread every payload
value from every event or flow in that time frame to find matches. Your results display faster when
you search with an indexed value filter such as a Log Source Type, Event Name, or Source IP.
The Index Management feature also provides statistics, such as:
•
•
The percentage of saved searches running in your deployment that include the indexed
property
The volume of data that is written to the disk by the index during the selected time frame
To enable payload indexing, you must enable indexing on the Quick Filter property.
•
•
Enabling indexes
The Index Management window lists all event and flow properties that can be indexed and
provides statistics for the properties. Toolbar options allow you to enable and disable
indexing on selected event and flow properties.
Enabling payload indexing to optimize search times
You use the Quick Filter feature on the Log Activity and Network Activity tab to search
event and flow payloads by using a text string. To optimize event and flow search times,
enable payload indexing on the Quick Filter property.
Restriction: Payload indexing increases disk storage requirements and might affect
system performance. Enable payload indexing if your deployment meets the following
conditions:
•
•
The event and flow processors are at less than 70% disk usage.
The event and flow processors are less than 70% of the maximum events per second
(EPS) or flows per interface (FPI) rating.
Configuring the retention period for payload indexes
By default, IBM® QRadar® sets 30 days for the data retention period of the payload index. You can
search for specific values in quick filter indexes beyond 30 days by changing the default retention
in QRadar.
Before you begin
Your virtual and physical appliances require a minimum of 24 GB of RAM to enable full payload
indexing. However, 48 GB of RAM is suggested.
The minimum and suggested RAM values applies to all QRadar systems, such as 16xx, 17xx, or 18xx
appliances, that are processing events or flows.
About this task
The retention values reflect the time spans that you are typically searching. The minimum retention
period is 1 day and the maximum is 2 years.
Note: Quick Filter searches that use a time frame outside of the Payload Index Retention setting can trigger
slow and resource-intensive system responses. For example, if the payload index retention is set for 1 day,
and you use a time frame for the last 30 hours in the search.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click System Settings.
3. In the Database Settings section, select a retention time period from the Payload Index
Retention list.
4. Click Save.
5. Close the System Settings window.
6. On the Admin tab, click Deploy Changes.
What to do next
If you retain payload indexes longer than the default value, extra disk space is used. After you select
a greater value in the Payload Index Retention field, monitor system notifications to ensure that you
do not fill disk space.
Enabling payload indexing to optimize search
times
You use the Quick Filter feature on the Log Activity and Network Activity tab to search event and
flow payloads by using a text string. To optimize event and flow search times, enable payload
indexing on the Quick Filter property.
Restriction: Payload indexing increases disk storage requirements and might affect system performance.
Enable payload indexing if your deployment meets the following conditions:
•
•
The event and flow processors are at less than 70% disk usage.
The event and flow processors are less than 70% of the maximum events per second (EPS)
or flows per interface (FPI) rating.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Index Management.
3. In the Quick Search field, type Quick Filter.
The Quick Filter property is displayed.
4. Select the Quick Filter property that you want to index.
In the results table, use the value in the Database column to identify the events or
flows Quick Filter property.
5. On the toolbar, click Enable Index. A green dot indicates that the payload index is enabled.
If a list includes event or flow properties that are indexed, the property names are appended
with the following text: [Indexed].
6. Click Save.
TASK: 2.5 Search management
SUBTASKS:
2.5.1. Manage saved searches
2.5.2. Manage search results
• Explain different types of parameters (new search, save results, cancel, delete, notify,view)
Scheduled search
Use the Scheduled search option to schedule a search and view the results.
You can schedule a search that runs at a specific time of day or night. If you schedule a search to run
in the night, you can investigate in the morning. Unlike reports, you have the option of grouping the
search results and investigating further. You can search on number of failed logins in your network
group. If the result is typically 10 and the result of the search is 100, you can group the search
results for easier investigating. To see which user has the most failed logins, you can group by user
name. You can continue to investigate further.
You can schedule a search on events or flows from the Reports tab. You must select a previously
saved set of search criteria for scheduling.
1. Create a report
Specify the following information in the Report Wizard window:
o
o
The chart type is Events/Logs or Flows.
The report is based on a saved search.
Note: QRadar® does not support reports based on AQL searches that contain
subselect statements.
o
Generate an offense.
You can choose the create an individual offense option or the add result to an
existing offense option.
You can also generate a manual search.
2. View search results
You can view the results of your scheduled search from the Offenses tab.
•
Scheduled search offenses are identified by the Offense Type column.
If you create an individual offense, an offense is generated each time that the report is run. If
you add the saved search result to an existing offense, an offense is created the first time that
the report runs. Subsequent report runs append to this offense. If no results are returned,
the system does not append or create an offense.
•
To view the most recent search result in the Offense Summary window, double-click a
scheduled search offense in the offense list. To view the list of all scheduled search runs,
click Search Results in the Last 5 Search Results pane.
You can assign a Scheduled search offense to a user.
Advanced search options
Use the Advanced Search field to enter an Ariel Query Language (AQL) that specifies the fields that
you want and how you want to group them to run a query.
Note: When you type an AQL query, use single quotation marks for a string comparison, and use double
quotation marks for a property value comparison.
Attention: The XFORCE_IP_CONFIDENCE function does not work in AQL advanced searches in
languages other than English.
The Advanced Search field has auto completion and syntax highlighting.
Use auto completion and syntax highlighting to help create queries. For information about
supported web browsers, see Supported web browsers
Note: If you use a quick filter on the Log Activity tab, you must refresh your browser window before you
run an advanced search.
Accessing Advanced Search
Access the Advanced Search option from the Search toolbar that is on the Network
Activity and Log Activity tabs to type an AQL query.
Select Advanced Search from the list box on the Search toolbar.
Expand the Advanced Search field by following these steps:
1. Drag the expand icon that is at the right of the field.
2. Press Shift + Enter to go to the next line.
3. Press Enter.
You can right-click any value in the search result and filter on that value.
Double-click any row in the search result to see more detail.
All searches, including AQL searches, are included in the audit log.
AQL search string examples
The following table provides examples of AQL search strings.
Description
Example
Select default columns from events.
SELECT * FROM events
Select default columns from flows.
SELECT * FROM flows
Select specific columns.
SELECT sourceip, destinationip FROM events
Description
Example
Select specific columns and order the
results.
SELECT sourceip, destinationip FROM events
ORDER BY destinationip
Run an aggregated search query.
SELECT sourceip, SUM(magnitude) AS magsum
FROM events GROUP BY sourceip
Run a function call in a SELECT clause.
SELECT CATEGORYNAME(category) AS
namedCategory FROM events
SELECT CATEGORYNAME(category) AS
Filter the search results by using a WHERE
namedCategory, magnitude FROM events WHERE
clause.
magnitude > 1
Search for events that triggered a specific SELECT LOGSOURCENAME(logsourceid), * from
rule, which is based on the rule name or events where RULENAME(creeventlist) ILIKE
partial text in the rule name.
'%suspicious%'
Reference field names that contain special SELECT sourceip, destinationip,
characters, such as arithmetic characters
"+field/name+" FROM events WHERE
or spaces, by enclosing the field name in
"+field/name+" LIKE '%test%'
double quotation marks.
Table 1. Examples of AQL search strings
The following table provides examples of AQL search strings for X-Force®.
Description
Example
Check an IP address
against an XForce category with a
confidence value.
select * from events where
XFORCE_IP_CONFIDENCE('Spam',sourceip)>3
Search for X-Force URL
categories associated
with a URL.
select url, XFORCE_URL_CATEGORY(url) as myCategories
from events where XFORCE_URL_CATEGORY(url) IS NOT NULL
Retrieve X-Force IP
categories that are
associated with an IP.
select sourceip, XFORCE_IP_CATEGORY(sourceip) as
IPcategories from events where
XFORCE_IP_CATEGORY(sourceip) IS NOT NULL
Table 2. Examples of AQL search strings for X-Force
For more information about functions, search fields and operators, see the Ariel Query Language
guide.
•
•
AQL search string examples
Use the Ariel Query Language (AQL) to retrieve specific fields from the events, flows, and
simarc tables in the Ariel database.
Converting a saved search to an AQL string
Convert a saved search to an AQL string and modify it to create your own searches to quickly
find the data you want. Now you can create searches faster than by typing the search
criteria. You can also save the search for future use.
Saving search criteria
You can save configured search criteria so that you can reuse the criteria and use the saved search
criteria in other components, such as reports. Saved search criteria does not expire.
About this task
If you specify a time range for your search, then your search name is appended with the specified
time range. For example, a saved search named Exploits by Source with a time range of Last 5
minutes becomes Exploits by Source - Last 5 minutes.
If you change a column set in a previously saved search, and then save the search criteria using the
same name, previous accumulations for time series charts are lost.
Procedure
1. Choose one of the following options:
o Click the Log Activity tab.
o Click the Network Activity tab.
2. Perform a search.
3. Click Save Criteria.
4. Enter values for the parameters:
Option
Description
Parameter Description
Search
Name
Type the unique name that you want to assign to this search criteria.
Assign
Select the check box for the group you want to assign this saved search. If you do not select a
Search to group, this saved search is assigned to the Other group by default. For more information,
Group(s) see Managing search groups.
Manage
Groups
Click Manage Groups to manage search groups. For more information, see Managing search
groups.
Timespan Choose one of the following options:
options:
o
Real Time (streaming) - Select this option to filter your search results while in
streaming mode.
Option
Description
o
o
o
Last Interval (auto refresh) - Select this option to filter your search results
while in auto-refresh mode. The Log Activity and Network
Activity tabs refreshes at one-minute intervals to display the most recent
information.
Recent - Select this option and, from this list box, select the time range that you
want to filter for.
Specific Interval- Select this option and, from the calendar, select the date and
time range you want to filter for.
Include in Select this check box to include this search in your Quick Search list box on the toolbar.
my Quick
Searches
Include in Select this check box to include the data from your saved search on the Dashboard tab. For more
my
information about the Dashboard tab, see Dashboard management.
Dashboard
Note: This parameter is only displayed if the search is grouped.
Set as
Default
Select this check box to set this search as your default search.
Share with Select this check box to share these search requirements with all users.
Everyone
Restriction: You must have the Admin security profile to share search requirements.
5. Click OK.
Quick filter search options
Search event and flow payloads by typing a text search string that uses simple words or phrases.
Quick filter is one of the fastest methods that you use to search for event or flow payloads for specific data.
For example, you can use quick filter to find these types of information:
•
•
•
•
Every firewall device that is assigned to a specific address range in the past week
A series of PDF files that were sent by a Gmail account in the past five days
All records in a two-month period that exactly match a hyphenated user name
A list of website addresses that end in .ca
You can filter your searches from these locations:
Log Activity toolbar and Network Activity toolbars
Select Quick Filter from the list box on the Search toolbar to type a text search string. Click
the Quick Filter icon to apply your Quick Filter to the list of events or flows.
Add Filter Dialog box
Click the Add Filter icon on the Log Activity or Network Activity tab.
Select Quick Filter as your filter parameter and type a text search string.
Flow search pages
Add a quick filter to your list of filters.
Note: Quick Filter searches that use a time frame outside of the Payload Index Retention setting can trigger
slow and resource-intensive system responses. For example, if the payload index retention is set for 1 day,
and you use a time frame for the last 30 hours in the search.
When you view flows in real-time (streaming) or last interval mode, you can type only simple words or
phrases in the Quick Filter field. When you view events or flows in a time-range, follow these syntax
guidelines:
Description
Example
Include any plain text that you expect to
Firewall
find in the payload.
Search for exact phrases by including
multiple terms in double quotation
marks.
"Firewall deny"
Include single and multiple character
wildcards. The search term cannot start F?rewall or F??ew*
with a wildcard.
Group terms with logical expressions,
such as AND, OR, and NOT. To be
recognized as logical expressions and
not as search terms, the syntax and
operators must be uppercase.
(%PIX* AND ("Accessed URL" OR "Deny udp
src") AND 10.100.100.*)
When you create search criteria that
includes the NOT logical expression, you
(%PIX* AND ("Accessed URL" OR "Deny udp
must include at least one other logical
expression type, otherwise, no results src") NOT 10.100.100.*)
are returned.
Precede the following characters by a
backslash to indicate that the character
is part of your search term: + - &&
"%PIX\-5\-304001"
|| ! () {} [] ^ " ~ * ? :
\.
Table 1. Quick filter syntax guidelines
Limitations
Quick filter searches operate on raw event or flow log data and don't distinguish between the fields.
For example, quick filter searches return matches for both source IP address and destination IP
address, unless you include terms that can narrow the results.
Search terms are matched in sequence from the first character in the payload word or phrase. The
search term user matches user_1 and user_2, but does not match the following
phrases: ruser, myuser, or anyuser.
Quick filter searches use the English locale. Locale is a setting that identifies language or geography
and determines formatting conventions such as collation, case conversion, character classification,
the language of messages, date and time representation, and numeric representation.
The locale is set by your operating system. You can configure QRadar® to override the operating
system locale setting. For example, you can set the locale to English and the QRadar Console can be
set to Italiano (Italian).
If you use Unicode characters in your quick filter search query, unexpected search results might be
returned.
If you choose a locale that is not English, you can use the Advanced search option in QRadar for
searching event and payload data.
How does Quick Filter search and payload tokens work?
Text that is in the payload is split into words, phrases, symbols, or other elements. These tokens are
delimited by space and punctuation. The tokens don't always match user-specified search terms, which
cause some search terms not to be found when they don't match the generated token. The delimiter
characters are discarded but exceptions exist such as the following exceptions:
•
Periods that are not followed by white space are included as part of the token.
For example, 192.0.2.0:56 is tokenized as host token 192.0.2.0 and port token 56.
•
•
Words are split at hyphens, unless the word contains a number, in which case, the token is
not split and the numbers and hyphens are retained as one token.
Internet domain names and email addresses are preserved as a single token.
192.0.2.0/home/www is tokenized as one token and the URL is not separated.
192.0.2.7:/calling1/www2/scp4/path5/fff is tokenized as host 192.0.2.7 and
the remainder is one token /calling1/www2/scp4/path5/fff
File names and URL names that contain more than one underscore are split before a period (.).
Example of multiple underscores in a file name:
If you use hurricane_katrina_ladm118.jpg as a search term, it is split into the following tokens:
•
•
hurricane
katrina_ladm118.jpg
Search the payload for the full search term by placing double quotation marks around the search
term: "hurricane_katrina_ladm118.jpg"
Example of multiple underscores in a relative file path:
The thumb.ladm1180830/thumb.ladm11808301806.hurricane_katrina_ladm118.jpg is
split into the following tokens:
•
•
thumb.ladm1180830/thumb.ladm11808301806.hurricane
katrina_ladm118.jpg
To search for hurricane_katrina_ladm118.jpg, which consists of one partial and one full token,
place an asterisk in front of the query term, *hurricane_katrina_ladm118.jpg
Finding IOCs quickly with lazy search
You use the IBM® QRadar® lazy search to search for an indicator of compromise (IOC), such as
unusual outbound network traffic or anomalies in privileged user account activity.
Before you begin
Lazy search returns the first 1000 events that are related to the search criterion. For example, if you
need to search for a particular MD5 as part of a malware outbreak investigation, you do not need to
review every related event. Do a lazy search to quickly return a limited result set.
To take advantage of the lazy search, you must have the Admin security profile, or a nonadministrator security profile that is configured in the following way:
•
•
Permission precedence set to No Restrictions.
Access to all networks and log sources.
Lazy search cannot be used by users with non-administrator security profiles on networks where
domains are configured.
Procedure
1. To do a lazy search for quick filters, do these steps:
a. On the Log Activity tab, in the Quick Filter field, enter a value.
b. From the View list, select a time range.
2. To do a lazy search for basic searches, do these steps:
a. On the Log Activity tab, click Search > New Search.
b. Select a Recent time range or set a Specific Interval.
c. Ensure that Order by field value is set to Start Time and the Results Limit field
value is 1000 or less. Aggregated columns must not be included in the search.
d. Enter a value for the Quick Filter parameter and click Add Filter.
3. To disable lazy search completely, do these steps:
a. Click the System Settings on the Admin tab.
b. In the System Settings window, remove any values from the Default Search
Limit field.
Using a subsearch to refine search results
You can use a subsearch to search within a set of completed search results. The subsearch is used to
refine search results, without searching the database again.
Before you begin
When you define a search that you want to use as a base for subsearching, make sure that Real Time
(streaming) option is disabled and the search is not grouped.
About this task
This feature is not available for grouped searches, searches in progress, or in streaming mode.
Procedure
1. Choose one of the following options:
o Click the Log Activity tab.
o Click the Network Activity tab.
2. Perform a search.
3. When your search is complete, add another filter:
o Click Add Filter.
o From the first list box, select a parameter that you want to search for.
o From the second list box, select the modifier that you want to use for the search. The
list of modifiers that are available depends on the attribute that is selected in the first
list.
o In the entry field, type specific information that is related to your search.
o Click Add Filter.
Results
The Original Filter pane specifies the original filters that are applied to the base search. The
Current® Filter pane specifies the filters that are applied to the subsearch. You can clear subsearch
filters without restarting the base search. Click the Clear Filter link next to the filter you want to
clear. If you clear a filter from the Original Filter pane, the base search is relaunched.
If you delete the base search criteria for saved subsearch criteria, you still have access to saved
subsearch criteria. If you add a filter, the subsearch searches the entire database since the search
function no longer bases the search on a previously searched data set.
Adding filters to improve search performance
When you search for event or flow information, you can improve performance by adding filters to
search fields that are indexed.
About this task
The following table provides information about the fields that are indexed:
QRadar SIEM Tab
Indexed Filter
Username
Source or Destination IP
Destination Port
Log Activity tab (Events)
Has Identity
Device Type
Device ID
Category
Matches Custom Rule
Application
Network Activity tab (Flows)
Source or Destination IP
Destination Port
Table 1. Log viewer and flow viewer indexed fields
Procedure
1.
2.
3.
4.
5.
Click the Log Activity tab, or the Network Activity tab.
On the toolbar, click Add Filter.
From the first list, select an index filter.
From the second list, select the modifier that you want to use.
Type or select the information for your filter. The controls that are displayed depend on the
index filter that you added.
6. Click Add Filter.
What to do next
You can monitor the performance of your search by expanding the Current Statistics option on
the Search page. The page displays the volume of data that loads from data files and indexes. If your
search does not display a count in the index file count, then add an indexed filter to the search.
•
Enabling quick filtering
You can enable the Quick Filter property to optimize event and flow search times.
Searching for offenses that are indexed on a
custom property
Define search criteria to filter the offense list and make it easier to see which offenses you need to
investigate. You can use the offense type in your search criteria to find all offenses that are based on
a custom property. You can filter the query results to show offenses that have a specific custom
property capture result.
Before you begin
The custom property must be used as a rule index. For more information, see Offense indexing.
Procedure
1. Click the Offenses tab.
2. From the Search list, select New Search.
3. On the Offense Source pane, select the custom property in the Offense Type list.
The Offense Type list shows only normalized fields and custom properties that are used as
rule indexes. You cannot use Offense Source to search DateTime properties.
4. Optional: To search for offenses that have a specific value in the custom property capture
result, type the value that you want to search for in the filter box.
5. Configure other search parameters to satisfy your search requirements.
6. Click Search.
Results
All offenses that meet the search criteria are shown in the offense list. When you view the offense
summary, the custom property that you searched on is shown in the Offense Type field. The custom
property capture result is shown in the Custom Property Value field in the Offense Source
Summary pane.
QRadar: How to manage accumulated search
results that are found in the Log activity tab
under Managed Search Results
Question & Answer
Question
How can you manage large search result data on a daily basis?
Answer
Steps to manage Search Results:
1. Log in to the QRadar User Interface.
2. Open the Admin settings:
1. In IBM Security QRadar V7.3.1, click the navigation menu
,
and then click Admin to open the Admin tab.
2. In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
3. Click on the System settings icon within the System Configuration section.
4. Select the Ariel Database Settings in the left hand column to bring you to
the appropriate settings.
5. Change the Search Results Retention Period setting to the number of days,
weeks, or months that are desired to retain the search results.
Note: If you select 1 day, then after 24 hours from that time, your search
results will be cleared for all users. The default is 1 day.
Results: You can now modify the default Search Results Retention Period.
TASK: 2.6 Manage routing rules and event forwarding
SUBTASKS:
2.6.1. Explain routing rules configuration and usage
• Different routing options for rules
• Create a routing rule
Routing options for rules
You can choose from four rule routing options: Forward, Drop, Bypass correlation, and Log Only.
The following table describes the different options and how to use them.
Routing type
Description
Forward
Data is forwarded to the specified forwarding destination. Data is also stored in the
database and processed by the Custom Rules Engine (CRE).
Drop
Data is dropped. The data is not stored in the database and is not processed by the
CRE. This option is not available if you select the Offline option. Any events that are
dropped are credited back 100% to the license.
Data bypasses CRE, but it is stored in the database. This option is not available if you
select the Offline option.
Bypass Correlation The Bypass correlation option does not require an entitlement
for QRadar® Data Store. Bypass correlation allows events that are received in
batches to bypass real-time rules. You can use the events in analytic apps and
for historical correlation runs. For historical correlation runs, the events can
be replayed as though they were received in real time.
Events are stored and flagged in the database as Log Only and bypass CRE. These
events are not available for historical correlation, and are credited back 100% to the
license. This option is not available for flows or if you select the Offline option.
Log Only (Exclude
Analytics)
Important: Do not choose this option for internal events because they are
automatically credited back 100% to the license. These events still bypass correlation
if they match the routing rule but are not flagged as Log Only.
The Log Only option requires an entitlement for QRadar Data Store. After the
entitlement is purchased and the Log Only option is selected, events that
match the routing rule are stored to disk and are available to view and for
searches. The events bypass the custom rule engine and no real-time
correlation or analytics occur. The events can't contribute to offenses and are
ignored when historical correlation runs. Some apps will also ignore Log Only
events (https://www-ibm.com/support/docview.wss?uid=swg22009471).
Table 1. Rule routing options
The following table describes different routing option combinations that you can use. These options are
not available in offline mode.
Routing
combination
Description
Data is forwarded to the specified forwarding destination. Data is not stored in the
Forward and Drop database and is not processed by the CRE. Any events that are dropped are credited
back 100% to the license.
Forward and BypassData is forwarded to the specified forwarding destination. Data is stored in the
Correlation
database, but it is not processed by the CRE.
Forward and Log
Only (Exclude
Analytics)
Events are forwarded to the specified forwarding destination. Events are stored and
flagged in the database as Log Only and bypass CRE. These events are not available for
historical correlation, and are credited back 100% to the license.
Table 2. Rule routing combination options
If data matches multiple rules, the safest routing option is applied. For example, if data that matches
a rule that is configured to drop and a rule to bypass CRE processing, the data is not dropped.
Instead, the data bypasses the CRE and is stored in the database.
Configuring routing rules to forward data
About this task
You can configure routing rules to forward data in either online or offline mode:
•
•
In Online mode, your data remains current because forwarding is done in real time. If the
forwarding destination becomes unreachable, any data that is sent to that destination is not
delivered, resulting in missing data on that remote system. To ensure that delivery is
successful, use offline mode.
In Offline mode, all data is first stored in the database and then sent to the forwarding
destination. This mode ensures that no data is lost; however, delays in data forwarding can
occur.
Procedure
1.
2.
3.
4.
5.
6.
On the navigation menu ( ), click Admin.
In the System Configuration section, click Routing Rules.
On the toolbar, click Add.
In the Routing Rule window, type a name and description for your routing rule.
In the Mode field, select one of the following options: Online or Offline.
In the Forwarding Event Collector or Forwarding Event Processor list, select the event
collector from which you want to forward data.
Learn more about the forwarding appliance:
Forwarding Event Collector
Specifies the Event Collector that you want this routing rule to process data from. This
option displays when you select the Online option.
Note: Online/Realtime forwarding is not impacted by any Rate Limit or Scheduling
configurations that might be configured on a Store and Forward (15xx) event collectors.
Forwarding Event Processor
Specifies the Event Processor that you want this routing rule to process data from. This
option is displayed when you select the Offline option.
Restriction: This option is not available if Drop is selected from the Routing Options pane.
7. In the Data Source field, select which data source you want to route: Events or Flows.
The labels for the next section change based on which data source you select.
8. Specify which events or flows to forward by applying filters:
a. To forward all incoming data, select the Match All Incoming Events or Match All
Incoming Flows checkbox.
Restriction: If you select this checkbox, you cannot add a filter.
b. To forward only some events or flows, specify the filter criteria, and then click Add
Filter.
9. Specify the routing options to apply to the forwarded data:
a. Optional: If you want to edit, add, or delete a forwarding destination, click
the Manage Destinations link.
b. To forward log data that matches the specified filters, select the Forward checkbox
and then select the checkbox for each forwarding destination.
Restriction: If you select the Forward checkbox, you can select only one of these
check boxes: Drop, Bypass Correlation, or Log Only.
For more information, see Routing options for rules.
10. Click Save.
Section 3: Data Source Configuration
This section accounts for 14% of the exam (9 out of 62 questions).
TASK: 3.1 Manage flow sources
SUBTASKS:
3.1.1. Understand flow sources
• What are flow sources
• What are the types
• External versus internal
3.1.2. Add or edit a flow source
3.1.3. Enable, disable, and delete a flow source
3.1.4. Understand Flow source alias
• Add
• Delete
Types of flow sources
IBM® QRadar® Flow Collector can process flows from multiple sources, which are categorized as
either internal or external sources.
Internal flow sources
Sources that include packet data by connecting to a SPAN port or a network TAP are considered
internal sources. These sources provide raw packet data to a monitoring port on the Flow Collector,
which converts the packet details into flow records.
QRadar does not keep the entire packet payload. Instead, it captures a snapshot of the flow,
referred to as the payload or content capture, which includes packets from the beginning of the
communication. Flow collection from internal sources normally requires a dedicated Flow
Collector.
External flow sources
QRadar supports the following external flow sources:
•
•
•
•
•
•
•
NetFlow
IPFIX
sFlow
J-Flow
Packeteer
Napatech interface
Network interface
External sources do not require as much CPU utilization to process so you can send the flows
directly to a Flow Processor. In this configuration, you may have a dedicated flow collector and a
flow processor, both receiving and creating flow data.
If your Flow Collector collects flows from multiple sources, you can assign each flow source a
distinct name. A distinct name helps to distinguish the external flow data from other sources.
QRadar SIEM can forward external flow source data by using the spoofing or non-spoofing method:
Spoofing
Resends the inbound data that is received from a flow source to a secondary destination.
To configure the spoofing method, configure the flow source so that the Monitoring
Interface is set to the management port on which the data is received.
When you use a specific interface, the Flow Collector uses a promiscuous mode capture to
collect the flow data, rather than the default UDP listening port on port 2055. This way, the
Flow Collector can capture and forward the data.
Non-Spoofing
For the non-spoofing method, configure the Monitoring Interface parameter in the flow source
configuration as Any.
The Flow Collector opens the listening port, which is the port that is configured as
the Monitoring Port, to accept the flow data. The data is processed and forwarded to
another flow source destination.When the data is forwarded, the source IP address of the
flow becomes the IP address of the QRadar SIEM system, not the original router that sent the
data.
Adding a flow source
If you add a network interface to your appliance after the initial installation, you must add it as a
flow source before you can use it to monitor network flows. After you change the flow sources
configuration, you must deploy the changes.
Procedure
1.
2.
3.
4.
Log in to the QRadar® Console as an administrator.
Click the Admin tab.
In the Flows section, click Flow Sources, and click Add.
Configure the flow source details.
a. In the Flow Source Name field, type a descriptive name.
b. In the Target Flow Collector field, select a flow collector or accept the value
provided.
c. In the Flow Source Type list, select Netflow v.1/v.5/v.7/v.9/IPFIX.
d. In the Monitoring Interface, select the network interface that supplies the flow
traffic.
e. In the Monitoring Port field, select a port or accept the value provided.
f. In the Linking Protocol list, select the protocol to use.
g. To forward flows, select the Enable Flow Forwarding checkbox and configure the
settings.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Adding or editing a flow source
Use the Flow Source window on the Admin tab to add or edit a flow source.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Data Sources section, under Flows, click Flow Sources.
3. Do one of the following actions:
o To add a flow source, click Add.
o To edit a flow source, select the flow source and click Edit.
4. To create this flow source from an existing flow source, select the Build from existing flow
source check box, and select a flow source from the Use as Template list.
5. Enter the name for the Flow Source Name.
Tip: If the external flow source is also a physical device, use the device name as the flow
source name. If the flow source is not a physical device, use a recognizable name.
For example, if you want to use IPFIX traffic, enter ipf1. If you want to use NetFlow traffic,
enter nf1.
6. Select a flow source from the Flow Source Type list and configure the properties.
o If you select the Flowlog File option, ensure that you configure the location of the
Flowlog file for the Source File Path parameter.
o If you select the JFlow, Netflow, Packeteer FDR, or sFlow options in the Flow
Source Type parameter, ensure that you configure an available port for
the Monitoring Port parameter.
The default port for the first NetFlow flow source that is configured in your network
is 2055. For each additional NetFlow flow source, the default port number
increments by 1. For example, the default NetFlow flow source for the
second NetFlow flow source is 2056.
o
If you select the Napatech Interface option, enter the Flow Interface that you want
to assign to the flow source.
Restriction: The Napatech Interface option is displayed only if you installed
the Napatech Network Adapter on your system.
o
If you select the Network Interface option, for the Flow Interface, configure only
one log source for each Ethernet interface.
Restriction: You cannot send different flow types to the same port.
7. If traffic on your network is configured to take alternate paths for inbound and outbound
traffic, select the Enable Asymmetric Flows check box.
8. Click Save.
9. On the Admin tab, click Deploy Changes.
Flow sources
IBM® QRadar® Network Insights uses two types of flow sources.
Flow source for incoming network traffic
The QRadar Network Insights host processes raw traffic from a network interface flow
source.
When you add a QRadar Network Insights host, an input flow source is automatically created for
all non-management interfaces that are available on the host.
•
•
For Napatech network interfaces, flow sources are auto-detected and enabled by
default. They cannot be edited, disabled, or deleted.
For non-Napatech network interfaces, the auto-detected flow sources are disabled by
default. You must enable them if you want to use them for monitoring network flows.
QRadar flow sources
When you install IBM QRadar, a default_Netflow flow source is automatically added to the
deployment. This flow source is enabled by default.
New flow sources are created as you add QRadar Flow Collectors and Flow Processors to the
deployment.
QRadar Network Insights exports the network traffic flow records to an IPFIX flow source
that is running elsewhere in your QRadar deployment.
Flow source example
In the following example, a QRadar Network Insights host (qnihw1) is connected to a QRadar
Console (qradarhw1).
•
•
•
•
The default_Netflow flow source is auto-detected and enabled.
An input flow source is created for all non-management interfaces that are connected to
the QRadar Network Insights host, but they are not enabled.
The system did not create a flow source for the management interface of the
appliance (ens2f0).
You can edit or change the enabled status for each of the flow sources.
An appliance that uses a Napatech network interface is connected.
•
•
The napatech0 flow source is auto-detected and enabled.
You cannot edit, delete, or change the enabled status for these flow sources.
•
•
Enabling a flow source
Flow sources that are used to monitor network flows must be enabled. After you enable the
flow source, you must deploy the changes.
Adding a flow source
If you add a network interface to your appliance after the initial installation, you must add it
as a flow source before you can use it to monitor network flows. After you change the flow
sources configuration, you must deploy the changes.
Flow source aliases
A flow source alias uses a virtual name to identify external flows that are sent to the same port on a
flow collector. For example, the IBM® QRadar® Flow Collector can have a single NetFlow flow
source that is listening on port 2055, and can have multiple NetFlow sources sending to the
same QRadar Flow Collector. By using flow source aliases, you can identify the
different NetFlow sources based by their IP addresses.
When QRadar Flow Collector receives traffic from a device that has an IP address but does not have
a current alias, the QRadar Flow Collector attempts a reverse DNS lookup. The lookup is used to
determine the host name of the device.
You can configure the QRadar Flow Collector to automatically create flow source aliases. When
the QRadar Flow Collector receives traffic from a device that has an IP address but does not have a
current alias, it does a reverse DNS lookup to determine the host name of the device.
If the lookup is successful, the QRadar Flow Collector adds this information to the database and
reports the information to all QRadar Flow Collector components in your deployment. If the lookup
fails, QRadar creates a default alias for the flow source based on the flow source name and the
source IP address. For example, the default alias might appear as default_NetFlow_172.16.10.139.
•
•
Adding a flow source alias
Use the Flow Source Alias window to add a flow source alias.
Deleting a flow source alias
Use the Flow Source Alias window to delete a flow source alias.
Enabling and disabling a flow source
Using the Flow Source window, you can enable or disable a flow source.
Deleting a Flow Source
Use the Flow Source window to delete a flow source.
TASK: 3.2 Manage log sources
SUBTASKS:
3.2.1. Add log sources
3.2.2. Filter log sources
3.2.3. Test log sources
3.2.4. Bulk add/edit log sources
3.2.5. Disconnected log collector (DLC)
• Understanding
• Collecting events
Gateway log source
Use a gateway log source to configure a protocol to use many Device Support Modules (DSMs)
instead of relying on a single DSM type. With a gateway log source, event aggregator protocols can
dynamically handle various event types. Before you configure your gateway log source, you must
understand the difference between protocols, DSMs, and log sources.
Protocol
Protocols provide the capability of collecting a set of data files by using various connection options.
These connections pull the data back, or passively receive data, into the event pipeline
in QRadar®. Then, the corresponding DSM parses and normalizes the data.
DSM
A DSM is a code module that parses received events from multiple log sources and converts them
to a standard taxonomy format that can be displayed as output. Each type of log source has a
corresponding DSM.
Log source
A log source is a data source that creates an event log. For more information, see Introduction to
log source management.
Gateway log sources support the following protocols:
•
•
•
•
•
•
•
•
•
Amazon AWS S3 REST
Amazon AWS Web Services
Google Cloud Pub Sub
HTTP Receiver
Kafka
Microsoft Azure Event Hubs
TCPMutilineSyslog
TLS Syslog
UDPMutilineSyslog
Tip: To provide the best fit for the generic data, use the Universal DSM when you configure your gateway log
source.
A gateway log source does not use a DSM. It delegates the DSM parsing to stand-alone Syslog log
sources that have an appropriate identifier and DSM. These log sources are a collector log source
(the gateway) and a parser log source. Parser log sources match data that comes in from the
gateway and do not actively collect the events themselves.
Before you create your gateway log source, you must know what types of data you expect to collect
from the data gateway. Data gateways can collect many data types and QRadar does not support all
data types by default. To parse the data correctly, a DSM must exist that can handle the events that
you are collecting. Even if QRadar supports the event’s source, if the gateway returns it in an
unexpected format, the DSM might not parse it. For example, if the data gateway returns an event in
a JSON format, but the DSM expects a LEEF format, you might need a custom DSM to parse the data.
A gateway log source works in the same way as other log sources by using its selected protocol to
reach out and collect events. The difference between a gateway log source and other log sources
occurs when the collected events are ready to be posted. A normal log source attempts to force the
events to be parsed by the selected DSM. A gateway log source sends the events as a Syslog payload
with a default identifier set to either 0.0.0.0 or to the connected Services IP address.
When an event is posted to the event pipeline as a Syslog payload, the events are handled by log
source auto detection. If an existing dummy log source with the provided identifier exists, the event
is handled by that log source, regardless of whether the event parses with that DSM. If no existing
dummy log source exists, the event is parsed by DSMs that support auto detection. If the event
correctly parses with a DSM, then it updates the identifier to “IP or Host @ DSM” and creates a log
source.
Log sources that are automatically created do not have their identifier set by the protocol. These log
sources identifiers are in the “IP or Host @ DSM Type” format. To match to an automatically created
dummy log source, the Syslog payload must have an identifier that is the same IP or Host, and the
selected DSM must be able to parse it. The default identifier is sent as [IP or Host], not “IP or Host
@ DSM Type”. For the identifier to be updated with the DSM Type, it must parse with that DSM
Type. If you use the default settings, events that cannot be parsed are sent directly to sim-generic.
Tip:
Manually created log sources that have an identifier that matches the identifier of the Syslog
payload are used even if the DSM of the log source fails to parse the event.
To configure a gateway log source, enable the Use As A Gateway Log Source option for the
selected protocol. If you enable this option, the events are sent to the event pipeline and are
autodetected. To get the maximum value from this feature, use the Log source identifier pattern.
•
Log source identifier pattern
Use the log source identifier pattern to customize the identifier that is sent with payloads
when an event is posted. You can choose identifiers for your event formats and event types.
To use the full capabilities of the log source identifier pattern, you must have a basic
understanding of regular expressions (regex) and how to use them.
The log source identifier pattern accepts a list of key-value pairs. A key is an identifier
that is represented as a regex. The value is a regex that matches to event data. When
the regex matches to the data within the event, then it posts the event with the identifier
that is associated with that value.
Basic example
Key1 = value1
Key2 = value2
Key3 = value3
In this example, if an event contains a value of “value1”, the identifier for that event is key1.
If an event contains a value of “value2”, the identifier is Key2. If an event contains both
“value1” and “value2”, the first identifier, Key1, is matched.
In this example, you must manually create three Syslog log sources, one for each of the
identifier options.
Regex example
Key1 = value1
Key2 = \d\d\d (where \d\d\d is a regex that matches to three consecutive digits.)
\1= \d(\d) (where \d(\d) is a regex that matches to two consecutive digits and captures the
second digit. \1 references the first captured value in the value field.)
In this example, the following statements are true:
•
•
•
•
\d represents a "digit".
If an event contains a value of “value1”, the identifier for that event is Key1.
If an event contains “111” or “652” or any three consecutive digits, the identifier
would be Key2.
If an event contains two consecutive digits such as “11’, “73”, and “24”, the identifier
is \1. The regex saves the second value (“1”, “3” and “4” in the examples) for future
use with the parentheses. The value that is saved by the regex is used later as the
identifier. If you set the key to “\1”, the key matches to the first saved value in the
regex. In this case, the identifier is not a hardcoded value, but instead it can be ten
values (0 - 9.) Three identifiers are in the sample events (“1”, “3” and “4”.)
You must create a log source with the identifiers Key1 and Key2, and a log source for each
possible Key1 value. In this example, for the events to go to the correct log source, you must
create three Syslog log sources. For the log sources, one has the identifier set to “1”, one has
the identifier set to “3” and one has the identifier set to “4”. To capture all of the possible
identifiers, you need ten Syslog log sources. Each log source corresponds to a single digit.
Tips for using the log source identifier pattern
It is important to know what type of data you are receiving and how granular you need your
log sources to be. Each QRadar® environment is unique. The following tips can help you to
configure the log source identifier pattern.
Keep the data separated at the source
Most gateway supported services, such as Microsoft Azure Event Hubs and Google
Pub Sub, offer ways to separate the data at the source. Keep your data in separate
sources to reduce the complexity on the QRadar side. For example, if you want to
collect Windows Logs, Linux® Logs and Audit Logs, use three separate gateway log
sources to simplify the configuration. If you collect all of those logs in one
source, QRadar must identify the events and associate them with the correct log
source.
Hardcode the regex if possible
If you hardcode the key, all of the events that match the value’s regex are collected by
a single log source. This action requires less effort to create and maintain log sources,
and they are easier to monitor.
Use online regex testers
Before you save and enable your log source, use online tools to test the regex.
Use the Event Retriever to determine the identifier
Use the Event Retriever to display the assigned log source identifier in QRadar. You
can also use it to test that your regex and identifier are matching correctly.
DSM Editor overview
Instead of manually creating a log source extension to fix parsing issues or extend support for new
log source types, use the DSM Editor. The DSM Editor provides different views of your data. You use
the DSM Editor to extract fields, define custom properties, categorize events, and define new QID
definition.
The DSM Editor provides the following views:
Workspace
The Workspace shows you raw event data. Use sample event payloads to test the behavior of the
log source type, and then the Workspace area shows you the data that you capture in real time.
All sample events are sent from the workspace to the DSM simulator, where properties are parsed
and QID maps are looked up. The results are displayed in the Log Activity Preview section. Click
the edit icon to open in edit mode.
In the edit mode, you paste up to 100,000 characters of event data into the workspace or edit data
directly. When you edit properties on the Properties tab, matches in the payload are highlighted in
the workspace. Custom properties and overridden system properties are also highlighted in
the Workspace.
New in 7.4.1You can specify a custom delimiter that makes it easier for QRadar® to ingest
multiline events. To ensure that your event is kept intact as a single multiline event, select
the Override event delimiter checkbox to separate the individual events based on another
character or sequence of characters. For example, if your configuration is ingesting multiline
events, you can add a special character to the end of each distinct event in the Workspace, and then
identify this special character as the event delimiter.
New in 7.4.2QRadar can suggest regular expressions (regex) when you enter event data in
the Workspace. If you are not familiar with creating regex expressions, use this feature to generate
your regex. Highlight the payload text that you want to capture and in the Properties tab,
click Suggest Regex. The suggested expression appears in the Expression field. Alternatively, you
can click the Regex button in the Workspace and select the property that you want to write an
expression for. If QRadar cannot generate a suitable regex for your data sample, a system message
appears.
Tip: The regex generator works best for fields in well-structured event payloads. If your payload consists of
complex data from natural language or unstructured events, the regex generator might not be able to parse
it and does not return a result.
Log activity preview
New in 7.4.1 The Parsing Status column was added to the Log Activity Preview.
The Log Activity Preview simulates how the payloads in the workspace appear in the Log
Activity viewer. The Parsing Status column indicates whether your event properties are
successfully parsing and mapping to a QID record. Every standard property that is supported is
displayed. The fields that are marked with an asterisk (*), for example, Event
name, Severity, Low-level category, and QID, are populated from the QID map. Fields that
are populated from the QID map cannot be parsed verbatim from the raw events data in the
workspace, so they cannot be defined or edited. You can adjust their values by selecting the
corresponding event ID and category combination from the Event Mappings tab. Then click Edit to
re-map an event to a different QID record that exists in the system or to a newly created QID.
Important: You must set an Event ID for any system properties to be parsed correctly.
Click the configure icon to select which columns to show or to hide in the Log Activity
Preview window, and to reorder the columns.
Properties
The Properties tab contains the combined set of system and custom properties that constitute a
DSM configuration. Configuring a system property differs from configuring a custom property. You
can override a property, by selecting the Override system behaviour check box and defining the
expression.
Note: If you override the Event Category property, you must also override the Event ID property.
Matches in the payload are highlighted in the event data in the workspace. The highlighting color is
two-toned, depending on what you capture. For example, the orange highlighting represents the
capture group value while the bright yellow highlighting represents the rest of the regex that you
specified. The feedback in the workspace shows whether you have the correct regex. If an
expression is in focus, the highlighting in the workspace reflects only what that expression can
match. If the overall property is in focus, then the highlighting turns green and shows what the
aggregate set of expressions can match, taking into account the order of precedence.
In the Format String field, capture groups are represented by using the $<number> notation. For
example, $1 represents the first capture group from the regex, $2 is the second capture group, and
so on.
You can add multiple expressions to the same property, and you can assign precedence by dragging
and dropping the expressions to the top of the list.
A warning icon beside any of the properties indicates that no expression was added.
Event mappings tab
New in 7.4.1 Support for copying Event ID and Event Category fields was added to the Event
Mapping tab.
The Event Mappings tab displays all the event ID and category combinations that exist in the
system for a selected log source type. If a new event mapping is created, it is added to the list of
event ID and category combination that is displayed in the Event Mappings tab. In general,
the Event Mappings tab displays all event ID and category combinations and the QID records that
they are mapped to.
Configuration tab
You can configure Auto Property Discovery for structured data that are in JSON format. By default,
log source types have Auto Property Discovery turned off.
When you enable Auto Property Discovery on the Configuration tab, the property discovery engine
automatically generates new properties to capture all fields that are present in the events that are
received by a log source type. You can configure the number of consecutive events to be inspected for new
properties in the Discovery Completion Threshold field. Newly discovered properties appear in
the Properties tab, and are made available for use in the rules and search indexes. However, if no new
properties are discovered before the threshold, the discovery process is considered complete and Auto
Property Discovery for that log source type is disabled. You can manually enable the Auto Property
Discovery on the Configuration tab at any time.
Note: To continuously inspect events for a log source type, you must make sure that you set the Discovery
Completion Threshold value to 0.
Protocol configuration options
Protocols in IBM® QRadar® provide the capability of collecting a set of data files by using various
connection options. These connections pull the data back or passively receive data into the event
pipeline in QRadar. Then, the corresponding Device Support Module (DSM) parses and normalizes
the data.
The following standard connection options pull data into the event pipeline:
•
•
•
•
JDBC
FTP
SFTP
SCP
The following standard connection options receive data into the event pipeline:
•
•
•
Syslog
HTTP Receiver
SNMP
QRadar also supports proprietary vendor-specific protocol API calls, such as Amazon Web Services.
•
•
•
•
•
•
•
Akamai Kona REST API protocol configuration options
To receive events from your Akamai Kona Platform, configure a log source to use the Akamai
Kona REST API protocol.
Amazon AWS S3 REST API protocol configuration options
The Amazon AWS S3 REST API protocol is an active outbound protocol that collects AWS
CloudTrail logs from Amazon S3 buckets.
Amazon Web Services protocol configuration options
The Amazon Web Services (AWS) protocol is an outbound/active protocol for IBM
QRadar that collects AWS CloudWatch Logs, Amazon Kinesis Data Streams, and Amazon
Simple Queue Service (SQS) messages.
Apache Kafka protocol configuration options
IBM QRadar uses the Apache Kafka protocol to read streams of event data from topics in a
Kafka cluster that uses the Consumer API. A topic is a category or feed name in Kafka where
messages are stored and published. The Apache Kafka protocol is an outbound or active
protocol, and can be used as a gateway log source by using a custom log source type.
Blue Coat Web Security Service REST API protocol configuration options
To receive events from Blue Coat Web Security Service, configure a log source to use the
Blue Coat Web Security Service REST API protocol.
Centrify Redrock REST API protocol configuration options
The Centrify Redrock REST API protocol is an outbound/active protocol for IBM Security
QRadar that collects events from Centrify Identity Platform.
Cisco Duo protocol configuration options
To receive authentication events from Cisco Duo, configure a log source to use the Cisco Duo
protocol.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Cisco Firepower eStreamer protocol configuration options
To collect events in IBM QRadar from a Cisco Firepower eStreamer (Event Streamer)
service, configure a log source to use the Cisco Firepower eStreamer protocol.
Cisco NSEL protocol configuration options
To monitor NetFlow packet flows from a Cisco Adaptive Security Appliance (ASA), configure
the Cisco Network Security Event Logging (NSEL) protocol source.
EMC VMware protocol configuration options
To receive event data from the VMWare web service for virtual environments, configure a
log source to use the EMC VMware protocol.
Forwarded protocol configuration options
To receive events from another Console in your deployment, configure a log source to use
the Forwarded protocol.
Google Cloud Pub/Sub protocol configuration options
The Google Cloud Pub/Sub protocol is an outbound/active protocol for IBM QRadar that
collects Google Cloud Platform (GCP) logs.
Google G Suite Activity Reports REST API protocol options
The Google G Suite Activity Reports REST API protocol is an active outbound protocol
for IBM QRadarthat retrieves logs from Google G Suite.
HCL BigFix SOAP protocol configuration options (formerly known as IBM BigFix)
To receive Log Event Extended Format (LEEF) formatted events from HCL BigFix®
appliances, configure a log source that uses the HCL BigFix SOAP protocol.
HTTP Receiver protocol configuration options
To collect events from devices that forward HTTP or HTTPS requests, configure a log source
to use the HTTP Receiver protocol.
IBM Cloud Object Storage protocol configuration options
The IBM Cloud Object Storage protocol for IBM QRadar is an outbound or active protocol
that collects logs that are contained in objects from IBM Cloud Object Storage buckets.
IBM Fiberlink REST API protocol configuration options
To receive Log Event Extended Format (LEEF) formatted events from IBM MaaS360®
appliances, configure a log source that uses the IBM Fiberlink® REST API protocol.
IBM Security Randori REST API protocol configuration options
To receive events from IBM Security Randori, configure a log source to communicate with
the IBM Security Randori REST API protocol.
IBM Security QRadar EDR REST API protocol configuration options
To receive events from IBM Security QRadar EDR, configure a log source to communicate
with the IBM Security QRadar EDR REST API protocol.
IBM Security Verify Event Service protocol configuration options
To receive events from IBM Security Verify, configure a log source in IBM QRadar to use the
IBM Security Verify Event Service protocol.
JDBC protocol configuration options
QRadar uses the JDBC protocol to collect information from tables or views that contain event
data from several database types.
JDBC - SiteProtector protocol configuration options
You can configure log sources to use the Java™ Database Connectivity (JDBC) - SiteProtector
protocol to remotely poll IBM Proventia® Management SiteProtector® databases for events.
Juniper Networks NSM protocol configuration options
To receive Juniper Networks NSM and Juniper Networks Secure Service Gateway (SSG) logs
events, configure a log source to use the Juniper Networks NSM protocol.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Juniper Security Binary Log Collector protocol configuration options
You can configure a log source to use the Security Binary Log Collector protocol. With this
protocol, Juniper appliances can send audit, system, firewall, and intrusion prevention
system (IPS) events in binary format to QRadar.
Log File protocol configuration options
To receive events from remote hosts, configure a log source to use the Log File protocol.
Microsoft Azure Event Hubs protocol configuration options
The Microsoft Azure Event Hubs protocol is an outbound and active protocol for IBM
Security QRadar that collects events from Microsoft Azure Event Hubs.
Microsoft Defender for Endpoint SIEM REST API protocol configuration options
Configure a Microsoft Defender® for Endpoint SIEM REST API protocol to receive events
from supported Device Support Modules (DSMs).
Microsoft DHCP protocol configuration options
To receive events from Microsoft DHCP servers, configure a log source to use the Microsoft
DHCP protocol.
Microsoft Exchange protocol configuration options
To receive events from SMTP, OWA, and message tracking events from Microsoft Windows
Exchange 2007, 2010, 2013 and 2017 servers, configure a log source to use the Microsoft
Exchange protocol.
Microsoft Graph Security API protocol configuration options
To receive events from the Microsoft Graph Security API, configure a log source in IBM
QRadar to use the Microsoft Graph Security API protocol.
Microsoft IIS protocol configuration options
You can configure a log source to use the Microsoft IIS protocol. This protocol supports a
single point of collection for W3C format log files that are located on a Microsoft IIS web
server.
Microsoft Security Event Log protocol configuration options
Support for the Windows Event Log protocols ended on 31 October 2022.
MQ protocol configuration options
To receive messages from a message queue (MQ) service, configure a log source to use the
MQ protocol. The protocol name displays in IBM QRadar as MQ JMS.
Office 365 Message Trace REST API protocol configuration options
The Office 365 Message Trace REST API protocol for IBM Security QRadar collects message
trace logs from the Message Trace REST API. This active outbound protocol is used to collect
Office 365 email logs.
Office 365 REST API protocol configuration options
The Office 365 REST API protocol for IBM Security QRadar is an active outbound protocol.
Okta REST API protocol configuration options
To receive events from Okta, configure a log source in IBM QRadar by using the Okta REST
API protocol.
OPSEC/LEA protocol configuration options
To receive events on port 18184, configure a log source to use the OPSEC/LEA protocol.
Oracle Database Listener protocol configuration options
To remotely collect log files that are generated from an Oracle database server, configure a
log source to use the Oracle Database Listener protocol source.
PCAP Syslog Combination protocol configuration options
To collect events from Juniper SRX Series Services Gateway or Juniper Junos OS Platform
that forward packet capture (PCAP) data, configure a log source to use the PCAP Syslog
Combination protocol.
•
•
•
•
•
•
•
•
•
•
•
•
•
RabbitMQ protocol configuration options
To receive messages from a Cisco AMP DSM, configure a log source to use the RabbitMQ
protocol.
SDEE protocol configuration options
You can configure a log source to use the Security Device Event Exchange (SDEE)
protocol. QRadar uses the protocol to collect events from appliances that use SDEE servers.
Seculert Protection REST API protocol configuration options
To receive events from Seculert, configure a log source to use the Seculert Protection REST
API protocol.
SMB Tail protocol configuration options
You can configure a log source to use the SMB Tail protocol. Use this protocol to watch
events on a remote Samba share and receive events from the Samba share when new lines
are added to the event log.
SNMPv2 protocol configuration options
You can configure a log source to use the SNMPv2 protocol to receive SNMPv2 events.
SNMPv3 protocol configuration options
You can configure a log source to use the SNMPv3 protocol to receive SNMPv3 events.
Sophos Enterprise Console JDBC protocol configuration options
To receive events from Sophos Enterprise Consoles, configure a log source to use the Sophos
Enterprise Console JDBC protocol.
Sourcefire Defense Center eStreamer protocol options
Sourcefire Defense Center eStreamer protocol is now known as Cisco Firepower eStreamer
protocol.
Syslog Redirect protocol overview
The Syslog Redirect protocol is an inbound/passive protocol that is used as an alternative to
the Syslog protocol. Use this protocol when you want QRadar to identify the specific device
name that sent the events. QRadar can passively listen for Syslog events by using TCP or UDP
on any unused port that you specify.
TCP Multiline Syslog protocol configuration options
The TCP Multiline Syslog protocol is a passive inbound protocol that uses regular
expressions to identify the start and end pattern of multiline events.
TLS Syslog protocol configuration options
Configure a TLS Syslog protocol log source to receive encrypted syslog events from up to 50
network devices that support TLS Syslog event forwarding for each listener port.
UDP multiline syslog protocol configuration options
To create a single-line syslog event from a multiline event, configure a log source to use the
UDP multiline protocol. The UDP multiline syslog protocol uses a regular expression to
identify and reassemble the multiline syslog messages into single event payload.
VMware vCloud Director protocol configuration options
To collect events from VMware vCloud Director virtual environments, create a log source
that uses the VMware vCloud Director protocol, which is an active outbound protocol.
Adding a log source to receive events
Use the QRadar® Log Source Management app to add new log sources to receive events from your
network devices or appliances.
Before you begin
Download and install a device support module (DSM) that supports the log source. A DSM is a
software application that contains the event patterns that are required to identify and parse events.
The events are parsed from the original format of the event log to the format that QRadar can use.
You can install a DSM from IBM® Fix Central (https://www-945.ibm.com/support/fixcentral/). For
more information, see the DSM Configuration Guide.
You can also create a custom log source type without a DSM.
Procedure
1. In the QRadar Log Source Management app, click + New Log Source.
2. Click Single Log Source.
3. On the Select a Log Source Type page, select a log source type and click Select Protocol
Type.
4. On the Select a Protocol Type page, select a protocol and click Configure Log Source
Parameters.
5. On the Configure the Log Source parameters page, configure the log source parameters and
click Configure Protocol Parameters.
6. On the Configure the protocol parameters page, configure the protocol-specific parameters.
7. Optional: If the server certificates for the protocol are uploaded to the centralized certificate
store, select the certificate from the Server Certificate Store Alias list.
If your log source requires a server certificate that is not uploaded to the centralized
certificate store, and you have System Administrator permission, you can upload the
certificate from the IBM QRadar Certificate Management app.
If the QRadar Certificate Management app is installed, in the Server Certificate Store
Alias list, select Upload new certificate. The Certificate Management app opens.
o If the QRadar Certificate Management app is not installed, in the Server Certificate
Store Alias list, select Download Certificate Management app to open the IBM
Security App Exchange and download the app.
8. Optional: If your configuration can be tested, the Test Protocol Parameters option is listed in
the Steps pane. When you test your configuration, you can identify any errors with your
protocol parameters. For more information, see Testing log sources. To test your
configuration, follow these steps:
o Click Test Protocol Parameters, and then click Start Test.
o To fix any errors, click Configure Protocol Parameters.
o
On the Configure the protocol parameters page, configure the protocol-specific
parameters, then test your protocol again.
If your configuration can be tested, but you don't want to test it, click Skip Test and
Finish.
9. Click Finish.
Results
Your log source is listed on the Log Sources page.
Adding a quick log source
Use the Quick Log Source option in the QRadar Log Source Management app to add new log
sources in a single screen. Add a quick log source if you want to add your log sources faster than
using the + New Log Source option.
Use the Quick Log Source option in the QRadar® Log Source Management app to add new log
sources in a single screen. Add a quick log source if you want to add your log sources faster than
using the + New Log Source option.
Procedure
1. In the QRadar Log Source Management app, click the + New Log Source drop down
arrow .
2. Click Quick Log Source.
3. Configure the parameters in the Log Source Summary pane and click Create.
What to do next
Test your log sources. For more information, see Testing log sources.
Adding multiple log sources at the same time
Use the QRadar Log Source Management app to add multiple log sources to IBM QRadar at the same
time. You can add as many log sources as you want.
Procedure
1. In the QRadar Log Source Management app, click + New Log Source and then click Multiple
Log Sources.
2. On the Select a Log Source type page, select a log source type and click Select Protocol
Type.
3. On the Select a protocol type page, select a protocol type and click Configure Common Log
Source Parameters.
4. On the Configure the common Log Source parameters page, configure the parameters that
you want to set for all of the log sources.
5. If you have log sources that have different log source parameter values, clear the relevant
check boxes, and then click Configure Common Protocol Parameters.
6. On the Configure the common protocol parameters page, configure the protocol-specific
parameters that you want to set for all of the log sources.
7. If you have log sources that have different protocol parameter values, clear the relevant
check boxes, and then click Configure Individual Parameters.
8. On the Configure the individual parameters page, upload a CSV file that contains the
individual log source parameter values, and click Add.
A log source is created for each line of this file, except for empty lines and comment lines
that begin with a hashtag (#). Each line must contain the comma-separated list of parameter
values for the Log Source Identifier field, and any other deferred parameters, in the order
shown in the deferred parameters table.
9. Click Bulk Template to download the file template and add the parameters that you want to
configure, in order.
For example, if you deferred the Enabled and Groups parameters, the CSV file must contain
the following values:
Enabled, Groups, Log Source Identifier
If you include a comma in a parameter, enclose the value in double quotation marks.
10. If you do not upload a CSV file:
a. Click Manual to specify the values for the parameters that you deferred.
b. Enter a Log Source Identifier for each new log source and click Add.
11. Click Finish.
What to do next
Test your log sources. For more information, see Testing log sources
QRadar: How does coalescing work in QRadar?
Question & Answer
Question
How does event coalescing work for log sources in QRadar? What data is kept and what is
lost when events are coalesced? How are events displayed with coalescing enabled?
Answer
Event Coalescing helps improve performance and reduce storage for non-critical security
events where the full event payload does not need to be saved. As data comes in and is
coalesced, a large burst of events can convert hundreds of thousands of events into only a
few dozen records. This action is done while QRadar maintains the count of the number of
actual events. Coalescing gives QRadar the ability to detect, enumerate, and track an attack
on a huge scale. It also protects the performance of the pipeline by reducing the workload
of the system, including storage requirements for those events. When events are received
that match a specific criteria, QRadar can use coalescing to determine what to store from
the event payload based on the log source settings in QRadar.
For example, a multitude of similar events created during a Denial Of Service attack can be
converted from hundreds of thousands of events into only a few dozen records, while
maintaining the count of the number of actual events received.
How does coalescing work?
Event data received by QRadar is processed in to normalized fields, along with the original
payload. When coalescing is enabled the following five properties are evaluated to
determine if a data source can be coalesced:
•
•
•
•
•
QRadar Identifier (QID)
Source IP
Destination IP
Destination port
Username
Event coalescing starts after three events have been found with matching properties
within a 10 second window. Additional events that occur within the 10 second period are
coalesced together, with a count of the events noted. For each record containing coalesced
events, only the payload of the first coalesced event is retained.
For example, if 1,005 events are received by QRadar within a 10 second window. Each of
the 1,005 events has the same QRadar Identifier (QID), Source IP, Destination IP,
Destination port, and Username and coalescing is enabled for the log source. The Log
Activity tab represents these 1,005 events as follows:
•
•
The first three events display in Log Activity as individual events with unique event
payloads.
Event 1: full event details saved.
Event 2: full event details saved.
Event 3: full event details saved.
The fourth event contains a unique payload; however, the remaining 1,001 events
that also arrived within that 10 second period are coalesced and only the original
payload for the fourth event is retained.
Event 4: full event details saved.
Event 5-1,005: event details are NOT saved to disk for each individual event. The
count for the fourth event displays in the user interface as Multiple (1001). The
value within parenthesis (x) indicates to the user that this log source coalesced a
number of events as the with a duplicate QRadar Identifier (QID), Source IP,
Destination IP, Destination port, and Username in to the fourth event as these all
occurred within the 10 second window. Events 5-1005 do not have unique event
payloads stored on disk.
Note: Rules created by users intended to count events do update the event count
even if the event is coalesced. For example, a user creates a rule with the test and
when at least 5 events are seen with the same Username. The events that occur
within the multiple field (x) update the count tracked in QRadar and coalesced data
can trigger an offense or rule response.
System wide Event Coalescing Settings
QRadar provides the ability to disable coalescing if there is a requirement to retain all
event payloads. This can be done either at system level, or per log source basis.
Procedure:
To disable coalescing at the system level:
1.
2.
3.
4.
5.
6.
on the Admin tab, click the System Settings icon.
Click Advanced.
Under the System Settings heading, find the Coalescing Events setting.
To disable Coalescing Events for all log sources, select No,
Click Save, and close the window.
From the Admin tab click Deploy Changes.
Event coalescing options for a specific log source
Coalescing can be enabled or disabled on each log source. Administrators can set
coalescing when the log source is created or when editing an existing log source.
Procedure
To disable Coalescing for an existing log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Double click on a log source to edit the configuration.
4. Clear the Coalescing Events check box.
What types of log sources should I consider disabling coalescing?
Log sources for DNS systems, Proxy Servers, Anti-Virus systems, Windows servers and
Endpoints can be good candidates for turning coalescing off. These log sources often
include additional event payload information beyond QRadar's normalized fields which
can be unique to the event payload that an administrator would want captured and
searchable for an investigation.
Communication between WinCollect agents
and QRadar
WinCollect agent communication to QRadar Console and Event
Collectors
All WinCollect agents communicate with the QRadar Console and Event Collectors to forward
events to QRadar and request updated information. Managed WinCollect agents also request and
receive updated code and configuration changes. You must ensure firewalls that are between
the QRadar Event Collectors and your WinCollect agents allow traffic on the following ports:
Port 8413
This port is used for managing the WinCollect agents to request and receive code and configuration
updates. Traffic is always initiated from the WinCollect agent, and is sent over TCP.
Communication is encrypted by using the QRadar Console's public key and
the ConfigurationServer.PEM file on the agent.
Port 514
This port is used by the WinCollect agent to forward syslog events to QRadar. You can
configure WinCollect log sources to provide events by using TCP or UDP. You can decide which
transmission protocol to use for each WinCollect log source. Port 514 traffic is always initiated
from the WinCollect agent.
WinCollect agents remotely polling Windows event sources
WinCollect agents that remotely poll other Windows operating systems require extra ports to be
open. These ports need to be open on the WinCollect agent computer and the computer(s) that are
remotely polled, but not on your QRadar appliances. The following table describes the ports that
are used.
Port
ProtocolUsage
135
TCP
Microsoft Endpoint Mapper
137
UDP
NetBIOS name service
138
UDP
NetBIOS datagram service
139
TCP
NetBIOS session service
445
TCP
Microsoft Directory Services for file transfers that use Windows share
49152 – 65535
Note: Exchange
servers are
configured for TCP
a port range of
6005 – 58321
by default.
Default dynamic port range for TCP/IP
Table 1. Port usage for WinCollect remote polling
The MSEVEN protocol uses port 445. The NETBIOS ports (137 - 139) can be used for host name
resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial
communication with the remote machine occurs on port 135 (dynamic port mapper), which assigns
the connection to a dynamic port. The default port range for dynamic ports is between port 49152
and port 65535, but might be different dependent on the server type. For example, Exchange
servers are configured for a port range of 6005 – 58321 by default.
To allow traffic on these dynamic ports, enable and allow the two following inbound rules on the Windows
server that is being polled:
•
•
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
Important: To limit the number of events that are sent to QRadar, administrators can use exclusion filters
for an event based on the EventID or Process. For more information about WinCollect filtering,
see WinCollect Event Filtering (http://www.ibm.com/support/docview.wss?uid=swg21672656).
Enabling remote log management on Windows
You can enable remote log management only when your log source is configured to remotely poll other
Windows operating systems. You can enable remote log management on Windows 2012 R2 for XPath
queries.
About this task
Note: WinCollect does not support reverting Citrix Virtual Machines that are polled remotely.
Procedure
1.
2.
3.
4.
5.
6.
On your desktop, select Start > Control Panel.
Click the System and Security icon.
Click Allow a program through Windows Firewall.
If prompted, click Continue.
Click Change Settings.
From the Allowed programs and features pane, select Remote Event Log Management.
Depending on your network, you might need to correct or select more network types.
7. Click OK.
Testing log sources
In IBM® QRadar® 7.3.2. Fix Pack 3 or later, test your log source configuration in the QRadar Log
Source Management app to ensure that the parameters that you used are correct. The test runs
from the host that you specify in the Target Event Collector setting, and can collect sample event
data from the target system. The target system is the source of your event data.
Restriction: If the Test tab doesn’t appear for your log source, you can't test the configuration.
In QRadar 7.3.2. Fix Pack 3 or later and QRadar Log Source Management app v5.0.0 or later, only a few
protocols are updated to include test capabilities. Ensure that you install the latest version of your protocols
to get the testing capability when it is available.
To download a Fix Pack, go to Fix Central (https://www-945.ibm.com/support/fixcentral/).
Procedure
1. In the QRadar Log Source Management app, select a log source.
2. On the Log Source Summary pane, click the Test tab, then click Start Test.
If there is high network latency between the QRadar Console and the log source's Target
Event Collector, it might take a moment for the results to appear.
When the test is successful, checkmarks are displayed next to each of the results and sample
event information is generated. If the test is not successful, an X is displayed next to the
result that failed, and no sample event information is generated. When one result fails, the
test of the other results is canceled.
3. Optional: If the test is not successful, click Edit to configure the parameter that caused the
test to fail and test your log source again.
Click the drop-down arrow next to the failed result for more information about the error.
4. Optional: Click the Download icon
5. Click Close.
•
to view the test results in a .txt file.
Protocols available for testing
In QRadar 7.3.2. Fix Pack 3 or later, and QRadar Log Source Management app 5.0.0 or later,
some protocols are updated to include test capabilities. Ensure that you install the latest
version of your protocols to get the testing capability when it is available.
Filtering log sources
Filter your log sources to show only the ones that you need. When you open the QRadar® Log
Source Management app, a list of log sources appears with 20 items. You can click other columns to
change the sorting order, and change the number of items that are displayed in the list.
Procedure
1. On the Admin tab, go to the Apps section and click the QRadar Log Source
Management icon.
2. Search for a log source by using one of the following methods.
o To search by text in the Search bar, enter the full or partial log source name,
description, or log source identifier. Only the log sources that match the search string
are displayed.
o To use the advanced search, in the Search bar, type advanced: <your filter
string> For information about the API filter syntax, see Filter
syntax (https://www.ibm.com/docs/en/qsip/7.5?topic=versions-filter-syntax.html)
For a list of log source fields, see GET
/config/event_sources/log_source_management/log_sources (https://ibmsecuritydo
cs.github.io/qradar_api_19.0/19.0--config-event_sources-log_source_managementlog_sources-GET.html)
o
To search by filters, in the Filter pane, select one or more checkboxes to show only
log sources that match the criteria.
o
To add a column to the list of log sources, click Manage Columns and select the
checkbox for the column that you want to display.
To change the column order, hover over the icon ( ), and drag the columns to
arrange them in the order that you want them to display.
3. Each filter shows a count of the number of options for that filter. Each option in a filter also
has a count, which indicates how many log sources match the option for the filters that you
apply. If the filters exclude log sources that match the option, this number might decrease as
you apply more filters.
TASK: 3.3 Export event and flow data
SUBTASKS:
3.3.1. Export events from QRadar
3.3.2. Export flow data
Exporting events
You can export events in Extensible Markup Language (XML) or Comma-Separated Values (CSV)
format.
Before you begin
The length of time that is required to export your data depends on the number of parameters
specified.
Procedure
1. Click the Log Activity tab.
2. Optional. If you are viewing events in streaming mode, click the Pause icon to pause
streaming.
3. From the Actions list box, select one of the following options:
o Export to XML > Visible Columns - Select this option to export only the columns
that are visible on the Log Activity tab. This is the recommended option.
o Export to XML > Full Export (All Columns) - Select this option to export all event
parameters. A full export can take an extended period of time to complete.
o Export to CSV > Visible Columns - Select this option to export only the columns that
are visible on the Log Activity tab. This is the recommended option.
o Export to CSV > Full Export (All Columns) - Select this option to export all event
parameters. A full export can take an extended period of time to complete.
4. If you want to resume your activities while the export is in progress, click Notify When
Done.
Viewing normalized events
Events are collected in raw format, and then normalized for display on the Log Activity tab.
About this task
Normalization involves parsing raw event data and preparing the data to display readable information
about the tab. When events are normalized, the system normalizes the names as well. Therefore, the name
that is displayed on the Log Activity tab might not match the name that is displayed in the event.
Note: If you selected a time frame to display, a time series chart is displayed. For more information about
using time series charts, see Time series chart overview.
By default, the Log Activity tab displays the following parameters when you view normalized events:
ParameterDescription
The top of the table displays the details of the filters that are applied to the search results. To
Current® clear these filter values, click Clear Filter.
Filters
Note: This parameter is only displayed after you apply a filter.
View
From this list box, you can select the time range that you want to filter for.
When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are
displayed, including:
Note: Click the arrow next to Current Statistics to display or hide the statistics
•
Current
Statistics
•
•
•
•
Total Results - Specifies the total number of results that matched your search
criteria.
Data Files Searched - Specifies the total number of data files searched during the
specified time span.
Compressed Data Files Searched - Specifies the total number of compressed
data files searched within the specified time span.
Index File Count - Specifies the total number of index files searched during the
specified time span.
Duration - Specifies the duration of the search.
Note: Current statistics are useful for troubleshooting. When you contact
Customer Support to troubleshoot events, you might be asked to supply current
statistical information.
Charts
Displays configurable charts that represent the records that are matched by the time interval and
grouping option. Click Hide Charts if you want to remove the charts from your display. The
charts are only displayed after you select a time frame of Last Interval (auto refresh) or above,
and a grouping option to display. For more information about configuring charts, see Chart
management.
Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is
installed, charts do not display. To displayed charts, you must remove the ad blocker browser
extension. For more information, see your browser documentation.
ParameterDescription
Click this icon to view details of the offense that is associated with this event. For more
information, see Chart management.
Offenses
icon
Note: Depending on your product, this icon is might not be available. You must have IBM®
QRadar® SIEM.
Start Time Specifies the time of the first event, as reported to QRadar by the log source.
Event
Name
Specifies the normalized name of the event.
Log Source
Specifies the log source that originated the event. If there are multiple log sources that are
associated with this event, this field specifies the term Multiple and the number of log sources.
Event
Count
Specifies the total number of events that are bundled in this normalized event. Events are
bundled when many of the same type of event for the same source and destination IP address are
detected within a short time.
Time
Specifies the date and time when QRadar received the event.
Low Level Specifies the low-level category that is associated with this event.
Category
For more information about event categories, see the IBM QRadar Administration Guide.
Specifies the source IP address of the event.
Source IP Note: If you select the Normalized (With IPv6 Columns) display, refer to the Source
IPv6 parameter for IPv6 events.
Source
Port
Specifies the source port of the event.
Specifies the destination IP address of the event.
Destination
Note: If you select the Normalized (With IPv6 Columns) display, refer to the Destination
IP
IPv6 parameter for IPv6 events.
Destination
Specifies the destination port of the event.
Port
Specifies the user name that is associated with this event. User names are often available in
Username authentication-related events. For all other types of events where the user name is not available,
this field specifies N/A.
Magnitude
Specifies the magnitude of this event. Variables include credibility, relevance, and severity. Point
your mouse over the magnitude bar to display values and the calculated magnitude.
Table 1. Log Activity tab - Default (Normalized) parameters
If you select the Normalized (With IPv6 Columns) display, then the Log Activity tab displays the
following extra parameters:
Parameter
Description
Specifies the source IP address of the event.
Source IPv6
Destination
IPv6
Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination
IPv6 columns.
Specifies the destination IP address of the event.
Note: IPv4 events display 0.0.0.0.0.0.0.0 in the Source IPv6 and Destination
IPv6 columns.
Table 2. Log Activity tab - Normalized (With IPv6 Columns) parameters
Procedure
1. Click the Log Activity tab.
2. Optional: From the Display list box, select Normalized (With IPv6 Columns).
The Normalized (With IPv6 Columns) display shows source and destination IPv6
addresses for IPv6 events.
3. From the View list box, select the time frame that you want to display.
4. Click the Pause icon to pause streaming.
5. Double-click the event that you want to view in greater detail. For more information,
see Event details.
https://www.securitylearningacademy.com/course/view.php?id=6585
Insufficient disk space to export data
38750096 - Insufficient disk space to complete data export request.
Explanation
If the export directory does not contain enough space, the export of event, flow, and offense data is
canceled.
User response
Select one of the following options:
•
•
•
Free some disk space in the /store/exports directory.
Configure the Export Directory property in the System Settings window to use to a
partition that has sufficient disk space.
Configure an offboard storage device.
Exporting flows
You can export flows in Extensible Markup Language (XML) or Comma Separated Values (CSV)
format. The length of time that is required to export your data depends on the number of
parameters specified.
Procedure
1. Click the Network Activity tab.
2. Optional. If you are viewing flows in streaming mode, click the Pause icon to pause
streaming.
3. From the Actions list box, select one of the following options:
o Export to XML > Visible Columns - Select this option to export only the columns
that are visible on the Log Activity tab. This is the recommended option.
o Export to XML > Full Export (All Columns) - Select this option to export all flow
parameters. A full export can take an extended period of time to complete.
o Export to CSV > Visible Columns - Select this option to export only the columns that
are visible on the Log Activity tab. This is the recommended option.
o Export to CSV > Full Export (All Columns) - Select this option to export all flow
parameters. A full export can take an extended period of time to complete.
4. If you want to resume your activities, click Notify When Done.
Results
When the export is complete, you receive notification that the export is complete. If you did not
select the Notify When Done icon, the Status window is displayed.
TASK: 3.4 Vulnerability information source configuration
SUBTASKS:
3.4.1. Understand QRadar vulnerability manager deployments
3.4.2. Add scanners to QVM deployment
3.4.3. Understand QVM
3.4.4. Configure vulnerability scans
3.4.5. Add third-party scanners to QRadar
3.4.6. Install the Java Cryptography Extension on QRadar
3.4.7. Integrate unsupported third-party vulnerability scanners using the AXIS format
Scan policies
Important: The IBM® QRadar® Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package
6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
A scan policy provides you with a central location to configure specific scanning requirements.
You must have the correct license capabilities to perform the following scanning operations. You
can use scan policies to specify scan types, ports to be scanned, vulnerabilities to scan for and
scanning tools to use. In IBM QRadar Vulnerability Manager, a scan policy is associated with a scan
profile and is used to control a vulnerability scan. You use the Scan Policies list on the Details tab
of the Scan Profile Configuration page to associate a scan policy with a scan profile.
You can create a new scan policy or copy and modify a pre-configured policy that is distributed
with QRadar Vulnerability Manager.
Pre-configured scan policies
The following pre-configured scan policies are distributed with QRadar Vulnerability Manager:
•
Full scan, Discovery scan, Database scan, Patch scan, PCI scan, Web scan
A description of each pre-configured scan policy is displayed on the Scan Policies page.
•
Scan policy automatic updates for critical vulnerabilities
As part of IBM QRadar Vulnerability Manager daily automatic updates, you receive new scan
policies for tasks such as detecting zero-day vulnerabilities on your assets.
Use scan policies that are delivered by automatic update to create scan profiles to scan for specific
vulnerabilities. To view all scan policies on your system, go to Administrative > Scan
Policies on the Vulnerabilities tab.
You must not edit scan policies that are delivered by automatic update as your changes might be
overwritten by later updates. You can create a copy and edit it.
If you delete a scan policy that is delivered by automatic update, it can be recovered only
by QRadar customer support.
•
Modifying a pre-configured scan policy
In IBM QRadar Vulnerability Manager, you can copy a pre-configured scan policy and modify
the policy to your exact scanning requirements.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, select Administrative > Scan Policies.
3. On the Scan Policies page, click a pre-configured scan policy.
4.
5.
6.
7.
8.
On the toolbar, click Edit.
Click Copy.
In the Copy scan policy window, type a new name in the Name field and click OK.
Click the copy of your scan policy and on the toolbar, click Edit.
In the Description field, type new information about the scan policy.
Important: If you modify the new scan policy, you must update the information in
the description.
9. To modify your scan policy, use the Port Scan, Vulnerabilities, Tool Groups,
or Tools tabs.
Restriction: Depending on the Scan Type that you select, you cannot use all the tabs
on the Scan Policy window.
•
Configuring a scan policy
In IBM QRadar Vulnerability Manager, you can configure a scan policy to meet any specific
requirements for your vulnerability scans. You can copy and rename a preconfigured scan
policy or you can add a new scan policy. You can't edit a preconfigured scan policy.
Before you begin
You must have the correct license capabilities to perform the following scanning operations.
Procedure
1.
2.
3.
4.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative > Scan Policies.
On the toolbar, click Add.
Type the name and description of your scan policy.
To configure a scan policy, you must at least configure the mandatory fields in
the New Scan Policy window, which are the Name and Description fields.
5.
6.
7.
8.
From the Scan Type list, select the scan type.
To manage and optimize the asset-discovery process, click the Asset Discovery tab.
To manage the ports and protocols that are used for a scan, click the Port Scan tab.
To include specific vulnerabilities in your patch scan policy, click
the Vulnerabilities tab.
Note: The Vulnerabilities tab is available only when you select a patch scan.
9. To include or exclude tool groups from your scan policy, click the Tool Groups tab.
Note: The Tool Groups tab is available only when you select a zero-credentialed fullscan or full-scan plus policy.
10. To include or exclude tools from a scan policy, click the Tools tab.
Note: The Tools tab is available only when you select a zero-credentialed Full Scan or
Full Scan Plus policy.
Important: If you do not modify the tools or tool groups, and you select
the Full option as your scan type, then all the tools and tool groups that are
associated with a full scan are included in your scan policy.
11. Click Save.
Risk score details
In IBM® QRadar® Vulnerability Manager, vulnerability risk scores provide an indication of the risk
that a vulnerability poses to your organization.
Using IBM QRadar Risk Manager, you can configure policies that adjust vulnerability risk scores and
draw attention to important remediation tasks.
Risk Score
The Risk Score provides specific network context by using the Common Vulnerability Scoring
System (CVSS) base, temporal, and environmental metrics.
When QRadar Risk Manager is not used to manage risk, the Risk Score column shows the CVSS
environmental metric score with a maximum value of 10.
Risk adjustments
If IBM QRadar Risk Manager is installed and you configured vulnerability risk policies, then the risk
adjustments are listed. The adjustments either increase or decrease the overall risk that is
associated with a vulnerability.
Installations and deployments
Depending on the product that you install and whether you upgrade IBM® QRadar® or install a new
system, the Vulnerabilities tab might not be displayed.
IBM Security QRadar Vulnerability
Manager by using the Vulnerabilities tab:
You access
•
•
If you install QRadar SIEM, the Vulnerabilities tab is enabled by default with a temporary
license key.
If you install QRadar Log Manager, the Vulnerabilities tab is not enabled. You can purchase
the license for QRadar Vulnerability Manager separately and enable it by using a license key.
QRadar Vulnerability Manager license
To use QRadar Vulnerability Manager after an installation or upgrade, you must upload and allocate
a valid license key. The license for QRadar Vulnerability Manager license is applied and processed
in real time to QRadar Vulnerability Manager scanned assets that have at least one IP address.
The QRadar Vulnerability Manager scan must fall within the configured retention time for the IP
address of the asset.
1. From the Admin tab, click the Asset Profiler Configuration
2. Find the Asset IP Retention (In Days) row to edit the asset IP retention value.
3. Change the retention value or check that it is suitable for your needs. The default asset IP
retention value is 120 days.
QRadar Vulnerability Manager and QRadar Risk
Manager licenses
IBM QRadar Vulnerability Manager and IBM QRadar Risk Manager are combined into one offering
and both are enabled through a single base license. The combined offering provides an integrated
network scanning and vulnerability management workflow. With the base license, you are entitled
to use QRadar Vulnerability Manager to view vulnerability dashboards, vulnerabilities detected by
third-party scanners, QRadar Vulnerability Manager filters, and QRadar Vulnerability
Manager reports. You can integrate QRadar Risk Manager with up to 50 standard configuration
sources. If you are entitled to either QRadar Vulnerability Manager or QRadar Risk Manager, you
are automatically entitled to the base license allowance for the other product. You require extra
licenses to integrate with more than 50 configuration sources.
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. If you upgrade to QRadar 7.5.0 Update Package 6,
you cannot scan assets with the base license. For more information, see QRadar Vulnerability Manager: End
of service product notification (https://www.ibm.com/support/pages/node/6853425).
•
Extending the QRadar Vulnerability Manager temporary license period
By default, when you install IBM QRadar SIEM, you can see the Vulnerabilities tab because
a temporary license key is also installed. When the temporary license expires, you can
extend it for an extra four weeks.
Procedure
1. On the navigation menu ( ), click Admin.
2. Click the Vulnerability Manager icon in the Try it out area.
3. To accept the end-user license agreement, click OK.
When the extended license period is finished, you must wait six months before you
can activate the temporary license again. To have permanent access to QRadar
Vulnerability Manager, you must purchase a license.
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is used to rate the severity and risk of computer
system security.
In IBM® QRadar®7.5.0, QRadar Vulnerability Manager supports Common Vulnerability Scoring
System (CVSS) 2.0, 3.0, and 3.1. Scores and metric values are returned for the highest version
available in vulnerability data.
CVSS is an open framework that consists of the following metric groups:
•
•
•
Base
Temporal
Environmental
Base
The base score severity range is 0 - 10 and represents the inherent characteristics of the
vulnerability. The base score has the largest bearing on the final CVSS score, and can be further
divided into the following subscores:
•
Impact
The impact subscore represents metrics for confidentiality impact, integrity impact, and the
availability impact of a successfully exploited vulnerability.
•
Exploitability
In CVSS v2, the exploitability subscore represents metrics for Access Vector, Access
Complexity, and Authentication. The subscore measures how the vulnerability is accessed,
the complexity of the attack, and the number of times an attacker must authenticate to
successfully exploit a vulnerability.
In CVSS v3, the exploitability subscore represents metrics for Attack Vector, Attack
Complexity, Privileges Required, User Interaction, and Scope. The subscore measures how
the vulnerability is accessed, the complexity of the attack, any required privileges, the
interaction needed between the attacker and another user, and the impact on resources
beyond the vulnerable component.
Temporal
The temporal score represents the characteristics of a vulnerability threat that change over time, and
consists of the following metrics:
•
Exploitability (CVSS v2) or Exploit Code Maturity (CVSS v3)
The availability of techniques or code that can be used to exploit the vulnerability, which
changes over time.
•
Remediation Level
The level of remediation that is available for a vulnerability.
•
Report Confidence
The level of confidence in the existence of the vulnerability and the credibility of its technical
details.
Environmental
The environmental score represents characteristics of the vulnerability that are impacted by the
user's environment. Configure the following environmental metrics to highlight the vulnerabilities
of important or critical assets by applying higher environmental metrics. Apply the highest scores
to the most important assets because losses that are associated with these assets have greater
consequences for the organization.
•
Collateral Damage Potential (CDP) (CVSS v2 only)
The potential for loss of life or physical assets through the damage or theft of this asset, or
the economic loss of productivity or revenue.
•
Target Distribution (TD) (CVSS v2 only)
The proportion of vulnerable systems in your user's environment.
•
Confidentiality Requirement (CR)
The level of impact to the loss of confidentiality when a vulnerability is exploited on this
asset.
•
Integrity Requirement (IR)
This metric indicates the level of impact to the loss of integrity when a vulnerability is
successfully exploited on this asset.
•
Availability Requirement (AR)
The level of impact to the asset's availability when a vulnerability is successfully exploited
on this asset.
Deploying a dedicated QRadar
Vulnerability Manager processor
appliance
Important: The IBM® QRadar® Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package
6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
You can deploy a dedicated QRadar Vulnerability Manager processor appliance as a managed host.
When you deploy your vulnerability processor to a managed host, all vulnerabilities are processed
on the managed host.
Restriction: After you deploy processing to a dedicated QRadar Vulnerability Manager managed host, any
scan profiles or scan results that are associated with a QRadar console processor are not displayed. You can
continue to search and view vulnerability data on the Manage Vulnerabilities pages.
Before you begin
Ensure that a dedicated QRadar Vulnerability Manager managed host is installed and a valid
processor appliance activation key is applied. For more information, see the Installation Guide for
your product.
Procedure
1. Log in to QRadar Console as an administrator:
https://IP_Address_QRadar
The default user name is admin. The password is the password of the root user account that
was entered during the installation.
2. On the navigation menu ( ), click Admin.
3. In the System Configuration pane, click System and License Management.
4. From the host table, click the QRadar Console host, and click Deployment Actions > Add
Host.
5. Enter the IP address and password for the host.
6. To create an SSH tunnel on port 22, select Encrypt Host Connections.
Important: Do not select Remote Tunnel Initiation for encryption on managed hosts.
7. To enable encryption compression for communications with a host, select Encryption
Compression.
8. To enable NAT for a managed host, select Network Address Translation and add the
following information:
Field Description
If the managed host is on the same subnet as the QRadar Console, select the QRadar
NAT Console that is on the NATed network.
Group
If the managed host is not on the same subnet as the QRadar Console, select the managed
host that is on NATed network.
PublicThe managed host uses this IP address to communicate with other managed hosts in different
IP
networks that use NAT.
Table 1. NAT configuration
9. The NATed network must use static NAT.
10. Click Add.
Note: Don't close the window until the process for adding the host completes.
11. Close the System and License Management window.
12. On the Admin tab toolbar, click Advanced > Deploy Full Configuration.
13. Click OK.
Options for adding scanners to your QRadar
Vulnerability Manager deployment
If you have a large network and require flexible scanning options, you can add more scanners to
your IBM® QRadar® Vulnerability Manager deployment.
Your QRadar Vulnerability Manager processor is automatically deployed with a scanning
component. By deploying more scanners you can increase the flexibility of your scanning
operations. For example, you can scan specific areas of your network with different scanners and at
different scheduled times.
Dynamic vulnerability scans
The vulnerability scanners that you deploy might not have access to all areas of your network.
In QRadar Vulnerability Manager you can assign different scanners to network CIDR ranges. During
a scan, each asset in the CIDR range that you want to scan is dynamically associated with the
correct scanner.
To add more vulnerability scanners, choose any of the following options:
Deploy a dedicated QRadar Vulnerability Manager managed host scanner appliance
You can scan for vulnerabilities by using a dedicated QRadar Vulnerability Manager managed host
scanner appliance.
Important: Do not select Remote Tunnel Initiation for encryption on managed hosts.
To deploy a scanner appliance, you must complete the followings tasks:
1. Install a dedicated QRadar Vulnerability Manager managed host scanner appliance.
2. Add the managed host scanner appliance to your QRadar Console by using
the System and License Management tool on the Admin tab.
Deploy a QRadar Vulnerability Manager scanner to your QRadar console or managed host
If you move your vulnerability processor from your QRadar console to a QRadar Vulnerability
Manager managed host, you can add a scanner to your console.
You can also add a vulnerability scanner to any of the following QRadar managed
hosts: QRadar Console, Event Processor, Flow Processor, Combo Processor, Event Collector, QFlow
Collector, and Data Node.
Note: The vulnerability scanner cannot be added to the App Host, App Node, and QRadar Network
Insights.
Run an automatic update when you add a scanner or other managed host with scanning
capabilities.
Configure access to an IBM hosted scanner and scan your DMZ
You can configure access to an IBM hosted scanner and scan the assets in your DMZ.
•
Deploying a dedicated QRadar Vulnerability Manager scanner appliance
You can deploy a dedicated QRadar Vulnerability Manager managed host scanner appliance.
Before you begin
Ensure that a dedicated QRadar Vulnerability Manager managed host scanner appliance is
installed and a valid appliance activation key is applied.
•
Deploying a vulnerability scanner to a QRadar console or managed host
You can deploy a QRadar Vulnerability Manager scanner to a QRadar console
or QRadar managed host. For example, you can deploy a scanner to a flow collector, flow
processor, event collector, event processor, or data node.
Before you begin
In an All-in-One deployment the controller is used as a built-in scanner. You cannot add a
separate scanner appliance to a QRadar Console when the QRadar Vulnerability
Manager processor is on the QRadar Console. In a non-All-in-One deployment it's a good
practice to move the QRadar Vulnerability Manager processor to a dedicated appliance when
you're scanning more than 50k assets.
To deploy a scanner on your QRadar console, ensure that the vulnerability processor is
moved to a dedicated QRadar Vulnerability Manager managed host appliance.
To deploy scanners on QRadar managed hosts, ensure that you have existing managed hosts
in your deployment
Procedure
1. On the navigation menu ( ), click Admin.
2. Click System and License Management > Deployment Actions > Manage
Vulnerability Deployment.
3. Click Add Additional Vulnerability Scanners.
4. Click the + icon.
5. From the Host list, select the QRadar managed host or console.
Restriction: You cannot add a scanner to a QRadar console when the vulnerability
processor is on the console. You must move the vulnerability processor to a QRadar
Vulnerability Manager managed host.
6. Click Save.
7. Close the System and License Management window.
8. On the Admin tab toolbar, select Advanced > Deploy Full Configuration..
9. Click OK.
10. Check the Scan Server list on the Scan Profiles Configuration page to ensure that the
scanner is added.
For more information, see Creating a scan profile.
What to do next
Run an automatic update after you add the scanner or other managed host with scanning
capabilities. Alternatively, you can scan after the default daily scheduled automatic update
runs. If the automatic updates for other scanners are run earlier, then the automatic updates
for all the scanners might not be fully synchronized until the next daily update.
•
Scanning the assets in your DMZ
In IBM QRadar Vulnerability Manager, you can connect to an external scanner and scan the
assets in your DMZ for vulnerabilities.
If you want to scan the assets in the DMZ for vulnerabilities, you do not need to deploy a
scanner in your DMZ. You must configure QRadar Vulnerability Manager with a
hosted IBM scanner that is located outside your network.
Detected vulnerabilities are processed by the processor on either your QRadar console
or QRadar Vulnerability Manager managed host.
Procedure
1. Configure your network and assets for external scans.
2. Configure QRadar Vulnerability Manager to scan your external assets.
1. Configuring your network and assets for external scans
To scan the assets in a DMZ network, you must configure your network and
inform IBM of the assets that you want to scan.
2. Configuring QRadar Vulnerability Manager to scan your external assets
To scan the assets in your DMZ, you must configure IBM QRadar Vulnerability
Manager by using the System and License Management tool on the Admin tab.
•
Supported web browsers
For the features in IBM QRadar products to work properly, you must use a supported web
browser.
The following table lists the supported web browser versions.
Web
Supported versions
browser
64bit MozillaLatest
Firefox
64-bit
Microsoft Latest
Edge
64bit Google Latest
Chrome
Table 1. Supported web browsers for QRadar products
The Microsoft Internet Explorer web browser is no longer supported on QRadar 7.4.0 or later.
Security exceptions and certificates
If you are using the Mozilla Firefox web browser, you must add an exception to Mozilla
Firefox to log in to QRadar. For more information, see your Mozilla Firefox web browser
documentation.
Navigate the web-based application
When you use QRadar, use the navigation options available in the QRadar Console instead of
your web browser Back button.
Scan configuration
In IBM® QRadar® Vulnerability Manager, all network scanning is controlled by the scan profiles
that you create. You can create multiple scan profiles and configure each profile differently
depending on the specific requirements of your network.
Scan profiles
Use scan profiles to do the following tasks:
•
•
•
•
•
•
•
Specify the network nodes, domains, or virtual domains that you want to scan.
Specify the network assets that you want to exclude from scans.
Create operational windows, which define the times at which scans can run.
Manually run scan profiles or schedule a scan to run at a future date.
Run, pause, resume, cancel, or delete a single or multiple scans.
Use centralized credentials to run Windows, UNIX, or Linux® operating systems.
Scan the assets from a saved asset search.
Creating a scan profile
In IBM QRadar Vulnerability Manager, you configure scan profiles to specify how and when your
network assets are scanned for vulnerabilities.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, click Administrative > Scan Profiles.
3. On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP Addresses on
the Details tab of the Scan Profile Configuration page. In addition, you can also configure the
following optional settings.
o
o
If you added more scanners to your QRadar Vulnerability Manager deployment,
select a scanner from the Scan Server list. This step is unnecessary if you want to use
dynamic scanning.
To enable this profile for on-demand scanning, click the On Demand Scanning
Enabled check box.
By selecting this option, you make the profile available to use if you want to trigger a
scan in response to a custom rule event. It also enables on-demand vulnerability
scanning by using the right-click menu on the Assets page.
o
By selecting the Dynamic Server Selection check box, you can choose the most
appropriate scanner that is available. Ensure that you define the scanners in
the Administrative > Scanners page.
Security profiles must be updated with an associated domain. Domain-level
restrictions are not applied until the security profiles are updated, and the changes
are deployed.
To scan your network by using a predefined set of scanning criteria, select a scan type
from the Scan Policies list.
o If you configured centralized credentials for assets, click the Use Centralized
Credentials check box. For more information, see the IBM QRadar Administration
Guide.
4. Click Save.
o
•
Creating an external scanner scan profile
In IBM QRadar Vulnerability Manager, you can configure scan profiles to use a hosted
scanner to scan assets in your DMZ.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, click Administrative > Scan Profiles.
3. On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP
Addresses on the Details tab of the Scan Profile Configuration page. To create an
external scanner profile, you must also follow the remaining steps in this procedure.
4. To create an external scanner profile, use the following procedure.
a. From the Scan Server list, select IbmExternalScanner.
b. From the Scan Policies list, select Full Scan or Web Scan.
c. Click the Domain and Web App tab. In the Virtual Webs pane, enter the
domain and IP address information for the websites and applications that you
want to scan.
d. Click Save.
Important: Authenticated scans are not conducted from the external scanner.
•
Creating a benchmark profile
To create Center for Internet Security compliance scans, you must configure benchmark
profiles. You use CIS compliance scans to test for Windows and Red Hat Enterprise Linux®
CIS benchmark compliance.
Procedure
1.
2.
3.
4.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Profiles.
On the toolbar, click Add Benchmark.
If you want to use pre-defined centralized credentials, select the Use Centralized
Credentials checkbox .
Credentials that are used to scan Linux operating systems must have root privileges.
Credentials that are used to scan Windows operating systems must have
administrator privileges.
5. If you are not using dynamic scanning, select a QRadar® Vulnerability
Manager scanner from the Scan Server list.
6. To enable dynamic scanning, click the Dynamic server selection checkbox.
If you configured domains in the Domain Management window in the Admin tab, you
can select a domain from the Domain list. Only assets within the CIDR ranges and
domains that are configured for your scanners are scanned.
7. In the When To Scan tab, set the run schedule, scan start time, and any pre-defined
operational windows.
8. In the Email tab, define what information to send about this scan and to whom to
send it.
9. If you are not using centralized credentials, add the credentials that the scan requires
in the Additional Credentials tab.
Credentials that are used to scan Linux operating systems must have root privileges.
Credentials that are used to scan Windows operating systems must have
administrator privileges.
10. Click Save.
•
Running scan profiles manually
In IBM QRadar Vulnerability Manager you can run one or more scan profile manually.
You can also schedule scans to run at a future date and time.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, select Administrative > Scan Profiles.
3. On the Scan Profiles page, select the check box on the row assigned to the scan
profiles that you want to run.
Note: To find the scan profiles you want to run, use the toolbar Name field to filter
scan profiles by name.
4. On the toolbar, click Run.
By default, scans complete a fast scan by using the Transmission Control Protocol
(TCP) and User Datagram Protocol (UDP) protocol. A fast scan includes most ports in
the range 1 - 1024.
•
Rescanning an asset by using the right-click menu option
In IBM QRadar Vulnerability Manager, you can quickly rescan an asset by using the rightclick option.
The right-click scan option is also available on the QRadar Offenses tab, and the QRadar Risk
Manager sub-net asset view.
Procedure
1.
2.
3.
4.
5.
Click the Vulnerabilities tab.
In the navigation pane, select Manage Vulnerabilities > By Asset.
On the By Asset page, identify the asset that you want to rescan.
Right-click the IP Address and select Run Vulnerability Scan.
In the Run Vulnerability Scan window, select the scan profile that you want use when
the asset is rescanned.
The scanning process requires a scan profile. The scan profile determines the
scanning configuration options that are used when the scan runs.
To view a scan profile in the Run Vulnerability Scan window, you must select the On
Demand Scanning Enabled check box in the Details tab on the Scan Profile
Configuration page.
Important: The scan profile that you select might be associated with multiple scan
targets or IP address ranges. However, when you use the right-click option, only the
asset that you select is scanned.
6. Click Scan Now.
7. Click Close Window.
8. To review the progress of your right-click scan, in the navigation pane, click Scan
Results.
Right-click scans are identified by the prefix RC:.
•
•
•
Scan profile details
In IBM QRadar Vulnerability Manager, you can describe your scan, select the scanner that
you want to use, and choose from a number of scan policy options.
Scan profile details are specified in the Details tab, in the Scan Profile Configuration page.
See especially the following options:
Options
Description
Use
Specifies that the profile uses pre-defined credentials. Centralized credentials are defined in
Centralized
the Admin > System Configuration > Centralized Credentials window.
Credentials
Scan
Server
The scanner that you select depends on your network configuration. For example, to scan
DMZ assets, then select a scanner that has access to that area of your network.
Options
Description
The Controller scan server is deployed with the vulnerability processor on
your QRadar console or QRadar Vulnerability Manager managed host.
Restriction: You can have only 1 vulnerability processor in your deployment. However, you can
deploy multiple scanners either on dedicated QRadar Vulnerability Manager managed host
scanner appliances or QRadar managed hosts.
On
Demand
Scanning
Enables on-demand asset scanning for the profile. Use the right-click menu on the Assets page to
run on-demand vulnerability scanning. By selecting this option, you also make the profile
available to use if you want to trigger a scan in response to a custom rule event.
By enabling on-demand scanning, you also enable dynamic scanning.
Specifies whether you want to use a separate vulnerability scanner for each CIDR range
that you scan.
Dynamic
server
selection
Bandwidth
Limit
Scan
Policies
During a scan, QRadar Vulnerability Manager automatically distributes the scanning
activity to the correct scanner for each CIDR range that you specify.
If you configured domains in the Domain Management window of the Admin tab, you
can also select the domain that you want to scan.
The scanning bandwidth. The default setting is medium.
Important: If you select a value greater than 1000 kbps, you can affect network performance.
The pre-configured scanning criteria about ports and protocols. For more information,
see Scan policies.
Table 1. Scan profile details configuration options
Scan scheduling
In IBM QRadar Vulnerability Manager, you can schedule the dates and times to scan your network
assets for known vulnerabilities.
Scan scheduling is controlled by using the When To Scan pane, in the Scan Profile
Configuration page. A scan profile that is configured with a manual setting must be run manually.
However, scan profiles that are not configured as manual scans, can also be run manually. When
you select a scan schedule, you can further refine your schedule by using operational windows to
configure allowed scan times.
Choose one of the following scheduling options:
•
Manual, Run Once, Daily, Weekly, Monthly, Advanced
Use cron expressions to create schedules, for example, 9:00 AM every Monday through
Friday, or 3:30 AM the first Friday of every month. Cron expressions give you the ability to
create irregular scan schedules. Schedule a maximum of one scan per day.
Advanced scan schedules that are configured to run between 1:00 AM and 1:59 AM on the 27th of
March 2016 are skipped and do not run. All subsequent scans run at the scheduled times.
•
Scanning domains monthly
In IBM QRadar Vulnerability Manager, you can configure a scan profile to scan the domains
on your network each month.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, select Administrative > Scan Profiles.
3. On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP
Addresses on the Details tab of the Scan Profile Configuration page. To set up
monthly scans, you must also follow the remaining steps in this procedure.
4. Click the When To Scan pane.
5. In the Run Schedule list, select Monthly.
6. In the Start Time field, select a start date and time for your scan.
7. In the Day of the month field, select a day each month that your scan runs.
8. Click the Domain and Web App tab.
9. In the Domains field, type the URL of the asset that you want to scan and click (> ).
10. Click Save.
11. Optional: During and after the scan, you can monitor scan progress and review
completed scans.
•
Scheduling scans of new unscanned assets
In IBM QRadar Vulnerability Manager, you can configure scheduled scans of newly
discovered, unscanned network assets.
Procedure
1. Click the Assets tab.
2. In the navigation pane, click Asset Profiles, then on the toolbar click Search > New
Search.
3. To specify your newly discovered, unscanned assets, complete the following steps in
the Search Parameters pane:
a. Select Days Since Asset Found, Less than 2 then click Add Filter.
b. Select Days Since Asset Scanned Greater than 2 then click Add Filter.
c. Click Search.
4. On the toolbar, click Save Criteria and complete the following steps:
a. In the Enter the name of this search field, type the name of your asset
search.
b. Click Include in my Quick Searches.
c. Click Share with Everyone.
d. Click OK.
5. Click the Vulnerabilities tab.
6. In the navigation pane, select Administrative > Scan Profiles.
7. On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP
Addresses on the Details tab of the Scan Profile Configuration page. To schedule
scans for unscanned assets, you must also follow the remaining steps in this
procedure.
8. In the Include Saved Searches pane, select your saved asset search from
the Available Saved Searches list and click (>).
9. Click the When To Scan pane and in the Run Schedule list, select Weekly.
10. In the Start Time fields, type or select the date and time that you want your scan to
run on each selected day of the week.
11. Select the check boxes for the days of the week that you want your scan to run.
12. Click Save.
•
Reviewing your scheduled scans in calendar format
In IBM QRadar Vulnerability Manager, the scheduled scan calendar provides a central
location where you can review information about scheduled scans.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, click Administrative > Scheduled Scans.
3. Optional: Hover your mouse on the scheduled scan to display information about the
scheduled scan.
For example, you can show the time that a scan took to complete.
4. Optional: Double-click a scheduled scan to edit the scan profile.
Network scan targets and exclusions
In IBM QRadar Vulnerability Manager, you can provide information about the assets, domains, or
virtual webs on your network that you want to scan.
Use the Details tab on the Scan Profile Configuration page to specify the network assets that you
want to scan.
You can exclude a specific host or range of hosts that must never be scanned. For example, you
might restrict a scan from running on critical servers that are hosting your production applications.
You might also want to configure your scan to target only specific areas of your network.
QRadar Vulnerability Manager integrates with QRadar by providing the option to scan the assets
that form part of a saved asset search.
Scan targets
You can specify your scan targets by defining a CIDR range, IP address, IP address range, or a
combination of all three.
Domain scanning
You can add domains to your scan profile to test for DNS zone transfers on each of the domains that
you specify.
A host can use the DNS zone transfer to request and receive a full zone transfer for a domain. Zone
transfer is a security issue because DNS data is used to decipher the topology of your network. The
data that is contained in a DNS zone transfer is sensitive and therefore any exposure of the data
might be perceived as a vulnerability. The information that is obtained might be used for malicious
exploitation such as DNS poisoning or spoofing.
Scans that used saved asset searches
You can scan the assets and IP addresses that are associated with a QRadar saved asset search.
Any saved searches are displayed in the Asset Saved Search section of the Details tab.
Exclude network scan targets
In Excluded Assets section of the Domain and Web App tab, you can specify the IP addresses, IP
address ranges, or CIDR ranges for assets that must not be scanned. For example, if you want to
avoid scanning a highly loaded, unstable, or sensitive server, exclude these assets.
When you configure a scan exclusion in a scan profile configuration, the exclusion applies only to
the scan profile.
Virtual webs
You can configure a scan profile to scan different URLs that are hosted on the same IP address.
When you scan a virtual web, QRadar Vulnerability Manager checks each web page for SQL
injection and cross site scripting vulnerabilities.
Excluding assets from all scans
In IBM QRadar Vulnerability Manager, scan exclusions specify the assets in your network that are
not scanned.
About this task
Scan exclusions apply to all scan profile configurations and might be used to exclude scanning
activity from unstable or sensitive servers. Use the IP Addresses field on the Scan Exclusion page
to enter the IP addresses, IP address ranges, or CIDR ranges that you want to exclude from all
scanning. To access the Scan Exclusion page:
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, click Administrative > Scan Exclusions.
3. On the toolbar, select Actions > Add.
Note: You can also use the Excluded Assets section of
the Vulnerabilities > Administrative > Scan Profiles > Add > Domain and Web App tab
to exclude assets from an individual scan profile.
Managing scan exclusions
In IBM QRadar Vulnerability Manager you can update, delete, or print scan exclusions.
Procedure
1.
2.
3.
4.
5.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Scan Exclusions.
From the list on the Scan Exclusions page, click the Scan Exclusion that you want to modify.
On the toolbar, select an option from the Actions menu.
Depending on your selection, follow the on-screen instructions to complete this task.
Scan protocols and ports
In IBM QRadar Vulnerability Manager, you can choose different scan protocols and scan various
port ranges.
You can configure your scan profile port protocols by using TCP and UDP scan options.
Configure scanning protocols and the ports that you want to scan on the Port Scan tab of an
existing or new scan policy configuration window.
Note: You can also configure port scanning from the How To Scan tab in the Scan Profile
Configuration window but this option is only enabled for backwards compatibility. Do not use the How To
Scan tab to configure new port scans.
•
Scanning a full port range
In IBM QRadar Vulnerability Manager, you can scan the full port range on the assets that you
specify.
About this task
Create a scan policy to specify the ports that you want to scan, and then add this scan policy to a scan
profile, which you use to run the scan.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, select Administrative > Scan Policies.
3. On the toolbar, click Add to create a new scan policy or Edit to edit an existing policy.
4. Click the Settings tab.
a. Enter a name and description for the scan policy.
b. Select the scan type.
5. Click the Port Scan tab.
6. In the Protocol field, select a protocol. The default values are TCP & UDP.
Note: UDP port scans are much slower than TCP port scans because of the way that
UDP works. A UDP port scan can take up to 24 hours to scan all ports (1-65535) on an
asset.
7. In the Range field, type 1-65535.
Restriction: Port ranges must be configured in dash-separated, comma-delimited,
consecutive, ascending, and non-overlapping order. Multiple port ranges must be
separated by a comma. For example, the following examples show the delimiters that
are used to enter port ranges:(1-1024, 1055, 2000-65535).
8. In the Timeout (m) field, type the time in minutes after which you want the scan to
cancel if no scan results are discovered.
Important: You can type any value in the range 1 - 500. Ensure that you do not enter
too short a time, otherwise the port scan cannot detect all running ports. Scan results
that are discovered before the timeout period are displayed.
9. Optional: Configure more options on the other tabs if you want to use the scan policy
to complete more tasks.
10. Click Save.
11. From the Scan Profiles page, create a new scan profile.
a. Add the scan policy that you saved.
b. Configure the remaining parameters for the scan profile and save.
c. From the Scan Profiles page, select the new scan profile, and then click Run on
the toolbar to run the scan.
For more information about creating a scan profile, see Creating a scan profile.
Note: You can also configure port scanning from the How To Scan tab in the Scan
Profile Configuration window but this option is only enabled for backwards
compatibility. Do not use the How To Scan tab to configure new port scans.
•
Scanning assets with open ports
In IBM QRadar Vulnerability Manager, you can configure a scan profile to scan assets with
open ports.
Procedure
1. Click the Assets tab.
2. In the navigation pane, click Asset Profiles then on the toolbar, click Search > New
Search.
3. To specify assets with open ports, configure the following options in the Search
Parameters pane:
a. Select Assets With Open Port, Equals any of 80 and click Add Filter.
b. Select Assets With Open Port, Equals any of 8080 and click Add Filter.
c. Click Search.
4. On the toolbar, click Save Criteria and configure the following options:
a. In the Enter the name of this search field, type the name of your asset
search.
b. Click Include in my Quick Searches.
c. Click Share with Everyone and click OK.
5. Click the Vulnerabilities tab.
6. In the navigation pane, select Administrative > Scan Profiles.
7. On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP
Addresses on the Details tab of the Scan Profile Configuration page. To scan assets
with open ports, you must also follow the remaining steps in this procedure.
8. On the Details tab, select your saved asset search from the Available Saved
Searches list and click >.
When you include a saved asset search in your scan profile, the assets and IP
addresses associated with the saved search are scanned.
9. Click the When To Scan pane and in the Run Schedule list, select Manual.
10. Click the What To Scan pane.
11. Click Save.
For more information about saving an asset search, see the Users Guide for your
product.
Configuring a permitted scan interval
In IBM QRadar Vulnerability Manager, you can create an operational window to specify the times
that a scan can run.
About this task
If a scan does not complete within the operational window, it is paused and continues when the
operational window reopens. To configure an operational window:
Procedure
1.
2.
3.
4.
Click the Vulnerabilities tab.
In the navigation pane, click Administrative > Operational Window.
On the toolbar, click Actions > Add.
Enter a name for the operational window in the Name field.
5.
6.
7.
8.
Choose an operational window schedule from the Schedule list.
Optional: Select the times when scanning is permitted.
Optional: Select your timezone.
If you selected Weekly from the Schedule list, then click the desired days of the week check
boxes in the Weekly area.
9. If you selected Monthly from the Schedule list, then select a day from the Day of the
month list.
10. Click Save.
Operational windows can be associated with scan profiles by using the When To Scan tab
on the Scan Profile Configuration page.
If you assign two overlapping operational windows to a scan profile, the scan profile runs
from the beginning of the earliest operational window to the end of the later operational
window. For example, if you configure two daily operational windows for the periods 1 a.m.
to 6 a.m. and 5 a.m. to 9 a.m., the scan runs between 1 a.m. and 9 a.m.
For operational windows that do not overlap, the scan starts from the earliest operational
window and pauses if there's a gap between the operational windows, and then resumes at
the beginning of the next operational window.
•
Scanning during permitted times
In IBM QRadar Vulnerability Manager, you can schedule a scan of your network assets at
permitted times, by using an operational window.
Scanning during permitted times
In IBM® QRadar® Vulnerability Manager, you can schedule a scan of your network assets at
permitted times, by using an operational window.
About this task
Tip: If you are applying the operational window to an authenticated patch scan, set the minimum
window to 4 hours.
Procedure
1.
2.
3.
4.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative > Operational Window.
On the toolbar, select Actions > Add.
Type a name for your operational window, configure a permitted time interval and
click Save.
5. In the navigation pane, select Administrative > Scan Profiles.
6. On the toolbar, click Add.
When you create a scan profile, the only mandatory fields are Name and IP
Addresses on the Details tab of the Scan Profile Configuration page. To configure
scanning during permitted times, you must also follow the remaining steps in this
procedure.
7. Click the When To Scan tab.
8. In the Run Schedule list, select Daily.
9. In the Start Time fields, type or select the date and time that you want your scan to
run each day.
10. In the Operational Windows pane, select your operational window from the list and
click (>).
11. Click Save.
•
Managing operational windows
In IBM QRadar Vulnerability Manager, you can edit, delete, and print operational windows.
Procedure
1.
2.
3.
4.
5.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative > Operational Window.
Select the operational window that you want to edit.
On the toolbar, select an option from the Actions menu.
Follow the instructions in the user interface.
Restriction: You cannot delete an operational window that is associated with a scan
profile. You must first disconnect the operational window from the scan profile.
•
Disconnecting an operational window
If you want to delete an operational window that is associated with a scan profile, you must
disconnect the operational window from the scan profile.
Procedure
1.
2.
3.
4.
5.
6.
7.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative > Scan Profiles.
Select the scan profile that you want to edit.
On the toolbar, click Edit.
Click the When To Scan pane.
Select the relevant option from the Run Schedule list as required.
In the Name field, select the operational window that you want to disconnect and
click (<).
8. Click Save.
Dynamic vulnerability scans
In IBM QRadar Vulnerability Manager, you can configure a scan to use certain vulnerability
scanners for specific CIDR ranges in your network. For example, your scanners might have access
only to certain areas of your network.
During a scan, QRadar Vulnerability Manager determines which scanner to use for each CIDR, IP
address, or IP range that you specify in your scan profile.
Dynamic scanning and domains
If you configured domains in the Domain Management window on the Admin tab, you can associate
scanners with the domains that you added.
For example, you might associate different scanners each with a different domain, or with different
CIDR ranges within the same domain. QRadar dynamically scans the configured CIDR ranges that
contain the IP addresses you specify on all domains that are associated with the scanners on your
system. Assets with the same IP address on different domains are scanned individually if the CIDR
range for each domain includes that IP address. If an IP address is not within a configured CIDR
range for a scanner domain, QRadar scans the domain that is configured for the Controller scanner
for the asset.
Setting up dynamic scanning
To use dynamic scanning, you must do the following actions:
1. Add vulnerability scanners to your QRadar Vulnerability Manager deployment. For more
information, see Options for adding scanners to your QRadar Vulnerability Manager
deployment.
2. Associate vulnerability scanners with CIDR ranges and domains.
3. Configure a scan of multiple CIDR ranges and enable Dynamic server selection in
the Details tab of the Scan Profile Configuration page.
•
Associating vulnerability scanners with CIDR ranges
In IBM QRadar Vulnerability Manager, to do dynamic scanning, you must associate
vulnerability scanners with different segments of your network.
Before you begin
You must add extra vulnerability scanners to your deployment. For more information,
see Options for adding scanners to your QRadar Vulnerability Manager deployment.
Procedure
1. Click the Vulnerabilities tab.
2. In the navigation pane, select Administrative > Scanners.
Attention: By default, the Controller scanner is displayed. The Controller scanner is
part of the QRadar Vulnerability Manager processor that is deployed on either
your QRadar Console or on a dedicated QRadar Vulnerability Manager processing
appliance. You can assign a CIDR range to the Controller scanner, but you must
deploy extra scanners to use dynamic scanning.
3. Click a scanner on the Scanners page.
4. On the toolbar, click Edit.
Restriction: You cannot edit the name of the scanner. To edit a scanner name,
click Admin > System and License Management > Deployment Actions > Manage
Vulnerability Deployment.
5. In the CIDR field, type a CIDR range or multiple CIDR ranges that are separated by
commas.
6. Click Save.
•
Scanning CIDR ranges with different vulnerability scanners
In IBM QRadar Vulnerability Manager, you can scan areas of your network with different
vulnerability scanners.
Before you begin
You must configure your network CIDR ranges to use the different vulnerability scanners in
your QRadar Vulnerability Manager deployment. For more information, see Options for
adding scanners to your QRadar Vulnerability Manager deployment.
Procedure
1.
2.
3.
4.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative > Scan Profiles.
On the toolbar, click Add.
Click the Dynamic server selection check box.
If you configured domains in the Admin > Domain Management window, you can
select a domain from the Domain list. Only assets within the domain you selected are
scanned.
5. Optional: Add more CIDR ranges.
6. Click Save.
7. Click the check box on the row that is assigned to your scan on the Scan Profiles page
and click Run.
Scan policies
A scan policy provides you with a central location to configure specific scanning requirements.
You can use scan policies to specify scan types, ports to be scanned, vulnerabilities to scan for and
scanning tools to use. In IBM QRadar® Vulnerability Manager, a scan policy is associated with a
scan profile and is used to control a vulnerability scan. You use the Scan Policies list on
the Details tab of the Scan Profile Configuration page to associate a scan policy with a scan profile.
You can create a new scan policy or copy and modify a pre-configured policy that is distributed
with QRadar Vulnerability Manager.
Pre-configured scan policies
The following pre-configured scan policies are distributed with QRadar Vulnerability Manager:
•
Full scan ,Discovery scan, Database scan, Patch scan, PCI scan, Web scan
A description of each pre-configured scan policy is displayed on the Scan Policies page.
•
Scan policy automatic updates for critical vulnerabilities
As part of IBM QRadar Vulnerability Manager daily automatic updates, you receive new scan
policies for tasks such as detecting zero-day vulnerabilities on your assets.
Use scan policies that are delivered by automatic update to create scan profiles to scan for specific
vulnerabilities. To view all scan policies on your system, go to Administrative > Scan Policies on
the Vulnerabilities tab.
You must not edit scan policies that are delivered by automatic update as your changes might be
overwritten by later updates. You can create a copy and edit it.
If you delete a scan policy that is delivered by automatic update, it can be recovered only
by QRadar customer support.
•
Modifying a pre-configured scan policy
In IBM QRadar Vulnerability Manager, you can copy a pre-configured scan policy and modify
the policy to your exact scanning requirements.
Procedure
1.
2.
3.
4.
5.
6.
7.
8.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative > Scan Policies.
On the Scan Policies page, click a pre-configured scan policy.
On the toolbar, click Edit.
Click Copy.
In the Copy scan policy window, type a new name in the Name field and click OK.
Click the copy of your scan policy and on the toolbar, click Edit.
In the Description field, type new information about the scan policy.
Important: If you modify the new scan policy, you must update the information in
the description.
9. To modify your scan policy, use the Port Scan, Vulnerabilities, Tool Groups,
or Tools tabs.
Restriction: Depending on the Scan Type that you select, you cannot use all the tabs
on the Scan Policy window.
•
Configuring a scan policy
In IBM QRadar Vulnerability Manager, you can configure a scan policy to meet any specific
requirements for your vulnerability scans. You can copy and rename a preconfigured scan
policy or you can add a new scan policy. You can't edit a preconfigured scan policy.
Before you begin
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Click the Vulnerabilities tab.
In the navigation pane, select Administrative > Scan Policies.
On the toolbar, click Add.
Type the name and description of your scan policy.
To configure a scan policy, you must at least configure the mandatory fields in the New Scan
Policy window, which are the Name and Description fields.
From the Scan Type list, select the scan type.
To manage and optimize the asset-discovery process, click the Asset Discovery tab.
To manage the ports and protocols that are used for a scan, click the Port Scan tab.
To include specific vulnerabilities in your patch scan policy, click the Vulnerabilities tab.
Note: The Vulnerabilities tab is available only when you select a patch scan.
To include or exclude tool groups from your scan policy, click the Tool Groups tab.
Note: The Tool Groups tab is available only when you select a zero-credentialed full-scan or fullscan plus policy.
To include or exclude tools from a scan policy, click the Tools tab.
Note: The Tools tab is available only when you select a zero-credentialed Full Scan or Full Scan
Plus policy.
Important: If you do not modify the tools or tool groups, and you select the Full option as your
scan type, then all the tools and tool groups that are associated with a full scan are included in
your scan policy.
Click Save.
https://www.ibm.com/docs/en/SS42VS_DSM/pdf/b_vuln.pdf
Overview of QRadar Vulnerability
Manager
Important: The IBM® QRadar® Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package
6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425). In QRadar 7.5.0 Update Package 6 and
later, you can continue to use third-party scanners with your QRadar Vulnerability Manager platform, but
you cannot scan within your DMZ.
IBM QRadar Vulnerability Manager is a third-party scanning platform that detects vulnerabilities
within the applications, systems, and devices on your network.
QRadar Vulnerability Manager uses security intelligence to help you manage and prioritize your
network vulnerabilities. For example, you can use QRadar Vulnerability Manager to continuously
monitor vulnerabilities, improve resource configuration, and identify software patches. You can
also, prioritize security gaps by correlating vulnerability data with network flows, log data, firewall,
and intrusion prevention system (IPS) data.
You can maintain real-time visibility of the vulnerabilities that are detected by third-party scanners.
Third-party scanners are integrated with QRadar and include HCL BigFix®, Guardium®,
AppScan®, Nessus, nCircle, and Rapid 7.
Unless otherwise noted, all references to QRadar Vulnerability Manager refer to IBM QRadar
Vulnerability Manager. All references to QRadar refer to IBM QRadar SIEM and IBM QRadar Log
Manager and all references to SiteProtector refer to IBM Security SiteProtector.
Categories of QRadar Vulnerability Manager vulnerability checks
IBM QRadar Vulnerability Manager checks for multiple types of vulnerabilities in your network.
Vulnerabilities are categorized into the following broad categories:
•
•
•
•
Risky default settings
Software features
Misconfiguration
Vendor flaws
Risky default settings
By leaving some default settings in place, you can make your network vulnerable to attacks. The following
situations are examples that can make your network vulnerable:
•
•
•
•
Leaving sample pages or scripts on an IIS installation
Not changing the default password on a 3Com Hub/Switch
Leaving "public" or "private" as an SNMP community name on an SNMP enabled device
Not setting the sa login password on an MS-SQL server
Software features
Some software settings for systems or applications are designed to aid usability but these settings
can introduce risk to your network. For example, the Microsoft NetBIOS protocol is useful in
internal networks, but if it is exposed to the Internet or an untrusted network segment it introduces
risk to your network.
The following examples are software features or commands that can expose your network to risk:
•
•
•
ICMP time stamp or netmask requests
Sendmail expand or verify commands
Ident protocol services that identify the owner of a running process.
Misconfiguration
In addition to identifying misconfigurations in default settings, QRadar Vulnerability Manager can
identify a broader range of misconfigurations such as in the following cases:
•
•
•
SMTP Relay
Unrestricted NetBios file sharing
DNS zone transfers
•
•
•
FTP World writable directories
Default administration accounts that have no passwords
NFS World exportable directories
Vendor flaws
Vendor flaws is a broad category that includes events such as buffer overflows, string format issues,
directory transversals, and cross-site scripting. Vulnerabilities that require a patch or an upgrade
fix are included in this category.
Checks made by QRadar Vulnerability Manager
QRadar Vulnerability Manager uses a combination of active checks that involves sending packets
and remote probes, and passive correlation checks. The QRadar Vulnerability Manager database
covers approximately 70,000 Network, OS, and Application layer vulnerabilities.
You can search the complete scanning library by CVE, date range, vendor name, product name, product version,
and exposure name from the Research window on the Vulnerabilities tab.
QRadar Vulnerability Manager tests
The following examples are some of the categories that QRadar Vulnerability Manager tests:
•
•
•
•
•
•
•
•
•
•
•
Database checks
Web server checks
Web application server checks
Common web scripts checks
Custom web application checks
DNS server checks
Mail server checks
Application server checks
Wireless access point checks
Common service checks
Obsolete software and systems
The following table describes some checks that are made by QRadar Vulnerability Manager.
Type of
Check
Description
Scans for active hosts and the ports and services that are open on each active host.
Port scan Returns MAC if the host is on the same subnet as the scanner.
Returns OS information.
Checks each web application and web page on a web server by using the following checks:
Web
application File upload
scanning
HTTP directory browsing
Type of
Check
Description
CWE-22 - Improper limitation of a path name to a restricted directory (path traversal)
Interesting file / seen in logs
Auto complete password in Browser
Misconfiguration in default files
Information disclosure
Unencrypted login form
Directory index-able: checks if the server directories can be browsed
HTTP PUT allowed: checks if the PUT option is enabled on server directories
Existence of obsolete files
CGI scanning: common web page checks
Injection (XSS/script/HTML)
Remote file retrieval (server wide)
Command execution from remote shell
SQL injection, including authentication bypass, software identification, and remote
source
Reverse tuning options, except for specified options.
Note: Authenticated web app scanning is not supported. For example, if authentication is
required to access the site, you can't run web app tests.
User name and password disclosure
Access to file systems
Default user names and passwords
OS
Privilege escalation
Denial of service
Remote command execution
Cross site scripting (Microsoft)
Type of
Check
Description
Exploits and open access to databases.
Default passwords
Database Compromised user names and passwords
Denial of service
Admin rights
Known vulnerabilities, exploits, and configuration issues on web servers.
Denial of service
Web serverDefault admin passwords
File system view ability
Cross site scripting
Commonly found web scripts such as CGI
Common E-commerce-related scripts
web scripts
ASP
PHP
Weak password encryption
Denial of service
DNS server
Determine account names
Send emails
Read arbitrary emails and sensitive account information
Get admin access
Default admin account passwords
Wireless
access
point
Default SNMP community names
Plain text password storage
Denial of service
Common
services
Domain name system (DNS)
Type of
Check
Description
File transfer protocol (FTP)
Simple mail transfer protocol (SMTP)
Authentication bypass
Denial of service
ApplicationInformation disclosure
server
Default user names and passwords
Weak file permissions
Cross site scripting
Oval
Client-side vulnerabilities on IE, Chrome, Skype, and others.
Password
Default password testing
testing
Windows
Collects registry key entries, windows services, installed windows applications, and patched
patch
Microsoft bugs.
scanning
UNIX patch
Collects details of installed RPMs
scanning
Table 1. Types of QRadar Vulnerability Manager checks
Web application scanning
QRadar Vulnerability Manager uses unauthenticated scanning for core web application scanning. The
following list describes QRadar Vulnerability Manager web vulnerability checks:
•
SQL Injection Vulnerabilities
SQL injection vulnerabilities occur when poorly written programs accept user-provided data
in a database query without validating the input, which is found on web pages that have
dynamic content. By testing for SQL injection vulnerabilities, QRadar Vulnerability
Manager assures that the required authorization is in place to prevent these exploits from
occurring.
•
Cross-Site Scripting (XSS) Vulnerabilities
Cross-Site Scripting vulnerabilities can allow malicious users to inject code into web pages
that are viewed by other users. HTML and client-side scripts are examples of code that might
be injected into web pages. An exploited cross-site scripting vulnerability can be used by
attackers to bypass access controls such as the same origin policy. QRadar Vulnerability
Manager tests for varieties of persistent and non-persistent cross-site scripting
vulnerabilities to ensure that the web application is not susceptible to this threat.
•
Web Application Infrastructure
QRadar Vulnerability Manager includes thousands of checks that check default
configurations, cgi scripts, installed and supporting application, underlying operating
systems and devices.
•
Web page errors
For in-depth web application scanning, QRadar Vulnerability Manager integrates with IBM®
Security AppScan® to provide greater web application visibility to your vulnerabilities.
Network device scanning
QRadar Vulnerability Manager includes the SNMP plug-in that supports scanning of network
devices. QRadar Vulnerability Manager supports SNMP V1 and SNMP V2. SNMP V3 is not
supported. QRadar Vulnerability Manager uses a dictionary of known community defaults for
various SNMP-enabled devices. You can customize the dictionary.
External scanner checks
The external scanner scans the following OWASP (Open Web Application Security Project) CWEs (Common
Weakness Enumerations):
•
•
•
•
•
•
•
Directory Listing
Path Traversal, Windows File Parameter Alteration, UNIX File Parameter Alteration, Poison
Null Byte Windows Files Retrieval, Poison Null Byte UNIX Files Retrieval
Cross-Site Scripting, DOM-Based Cross-Site Scripting
SQL Injection, Blind SQL Injection, Blind SQL Injection (Time Based)
Autocomplete HTML Attribute Not Disabled for Password Field
Unencrypted Login Request, Unencrypted Password Parameter
Remote Code Execution, Parameter System Call Code Injection, File Parameter Shell
Command Injection, Format String Remote Command Execution
Database scanning
QRadar Vulnerability Manager detects vulnerabilities on major databases by using unauthenticated
scanning of target hosts. In addition, QRadar Vulnerability Manager targets several databases by
using plug-ins.
Operating system checks
Operating system
Vulnerability
scanning
Patch scanning
Configuration
Windows
Yes
Yes
Yes
AIX® UNIX
Yes
Yes
No
CentOS Linux®
Yes
Yes
No
Debian Linux
Yes
Yes
No
Operating system
Vulnerability
scanning
Patch scanning
Configuration
Fedora Linux
Yes
Yes
No
Red Hat Linux
Yes
Yes
No
Sun Solaris
Yes
Yes
No
HP-UX
Yes
Yes
No
Suse Linux
Yes
Yes
No
Ubuntu Linux
Yes
Yes
No
CISCO
No
No
No
AS/400® / iSeries No
No
No
Table 2. Operating system checks
OVALs and operating systems
OVAL definitions are supported on the following operating systems:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Microsoft Windows 10
Microsoft Windows 8.1
Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2016
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008
Microsoft Windows Server 2003
CentOS versions 3 - 7
IBM AIX versions 4-7
RHEL versions 3 - 7
SUSE versions 10 - 11
Ubuntu versions 6-14
Red Hat 9
Solaris versions 2.6, 7 - 10
Vulnerability management dashboard
You can display vulnerability information on your QRadar dashboard.
IBM® QRadar Vulnerability Manager is distributed with a default vulnerability dashboard so that
you can quickly review the risk to your organization.
You can create a new dashboard, manage your existing dashboards, and modify the display settings
of each vulnerability dashboard item.
•
Reviewing vulnerability data on the default vulnerability management dashboard
You can display default vulnerability management information on the QRadar dashboard.
The default vulnerability management dashboard contains risk, vulnerability, and scanning information.
You can configure your own dashboard to contain different elements like saved searches.
Procedure
1. Click the Dashboard tab.
2. On the toolbar, in the Show Dashboard list, select Vulnerability Management.
•
Creating a customized vulnerability management dashboard
In QRadar you can create a vulnerability management dashboard that is customized to your
requirements.
Procedure
1.
2.
3.
4.
5.
•
Click the Dashboard tab.
On the toolbar, click New Dashboard.
Type a name and description for your vulnerability dashboard.
Click OK.
Optional: On the toolbar select Add Item > Vulnerability Management. If you want
to show default saved searches on your dashboard, select Vulnerability Searches.
Creating a dashboard for patch compliance
Create a dashboard that shows the most effective patch to use to remediate vulnerabilities
that are found on the network.
Procedure
1.
2.
3.
4.
5.
6.
7.
8.
9.
Click the Dashboard tab.
On the toolbar, click New Dashboard.
Type a name and description for your vulnerability dashboard.
Click OK.
On the toolbar, select Add Item > Vulnerability Management > Vulnerability
Searches and choose the default saved search that you want to show on your
dashboard.
On the header of the new dashboard item, click the yellow Settings icon.
Select Patch from the Group By list and then select one of the following options from
the Graph By list:
o If you want to see how many assets need to a have the patch applied,
select Asset Count.
o If you want to see the cumulative risk score by patch, select Risk Score.
o If you want to see the number of vulnerabilities that are covered by a patch,
select Vulnerability Count.
Click Save.
To view vulnerability details on the Manage Vulnerabilities > By
Vulnerability page on the Vulnerabilities tab, click the View in By
Vulnerability link at the bottom of the dashboard item.
QRadar Vulnerability
Manager deployments
Locate and manage the vulnerabilities in your network. Enhance your network security by
integrating add-on features such as HCL BigFix® and IBM Security SiteProtector.
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425). In IBM QRadar 7.5.0 Update Package 6
and later, you cannot integrate QRadar Vulnerability Manager with IBM Security SiteProtector.
IBM QRadar Vulnerability Manager discovers vulnerabilities on your network devices, applications,
and software adds context to the vulnerabilities, prioritizes asset risk in your network, and
supports the remediation of discovered vulnerabilities.
You can integrate QRadar Risk Manager for added protection, which provides network topology,
active attack paths and high-risk assets risk-score adjustment on assets based on policy
compliance. QRadar Vulnerability Manager and QRadar Risk Manager are combined into one
offering and both are enabled through a single base license.
Depending on the product that you install, and whether you upgrade IBM QRadar or install a new
system, the Vulnerabilities tab might not be displayed. Access IBM QRadar Vulnerability
Manager by using the Vulnerabilities tab. If you install IBM QRadar SIEM, the Vulnerabilities tab
is enabled by default with a temporary license key. If you install QRadar Log Manager,
the Vulnerabilities tab is not enabled. You can use the Try it Out option to try out QRadar
Vulnerability Manager for 30 days. You can purchase the license for QRadar Vulnerability
Manager separately and enable it by using a license key.
QRadar Vulnerability Manager components
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
The following information describes the QRadar Vulnerability Manager Processor.
•
•
•
•
The scan processor is responsible for the scheduling and managing scans, and delegating
work to the scanners that might be distributed throughout your network.
You can have only one scan processor in a QRadar deployment.
When you install and license QRadar Vulnerability Manager on an All-in-One system, a
vulnerability processor is automatically deployed on your QRadar Console and includes a
scanning component.
The vulnerability processor provides a scanning component by default. If required, you can
move the vulnerability processor to a different managed host in your deployment.
•
•
•
If you add a 600 managed host appliance, and QRadar Vulnerability Manager is used for the
first time, then the scan processor is assigned to the 600 managed host appliance.
The scanning processor is governed by the processing license, which determines the
maximum number of assets that can be processed by QRadar Vulnerability Manager.
The scan processor can run on the QRadar Console or a managed host.
The following information describes the QRadar Vulnerability Manager scanner.
•
•
•
•
You can deploy a scanner on a virtual machine or as software only.
You can deploy a QRadar Vulnerability Manager scanner dedicated scanner appliance, which
is a 610 appliance.
You can deploy a scanner on a QRadar Console or on the following managed hosts: Flow
Collector, Flow Processor Event Collector, Event Processor, or Data Node.
The number of assets that you can scan with a scanner is determined by the scanner
capacity and is not impacted by licensing.
Components and scan process
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
Scan jobs are completed by a processor and a scanner component. The following diagram shows the
scan components and the processes that run.
Figure 1. Scan components and process
The following list describes the steps in the scan process:
1. You create a scan job by specifying parameters such as IP addresses of assets, type of scan,
and required credentials for authenticated scans.
2. The scan job is accepted by the processor, logged, and added to the database along with
scheduling information to determine when the job runs.
3. The scheduler component manages the scheduling of scans. When the scheduler initiates a
scan, it determines the list of tools that are required and queues them for invocation, and
then the tools are assigned to the relevant scanner.
4. Scanners poll the scan processor continuously for scan tools that it must run by sending a
unique scanner ID. When the scheduler has queued tools that are relevant to the specific
scanner the tools are sent to the scanner for invocation.
QRadar Vulnerability Manager uses an attack tree methodology to manage scans and to
determine which tools are launched. The phases are: asset discovery, port/service
discovery, service scan, and patch scan.
5. The dispatcher runs and manages each scan tool in the list. For each tool that is run, the
dispatcher sends a message to the processor that indicates when a scan tool starts and
finishes.
6. The output from the scan tool is read by the result writer, which then passes these results
back to the processor.
7. The result dispatcher processes the raw results from the scan tools and records them into
the Postgres database.
8. The result exporter finds completed scans in the processor database and exports the results
to the QRadar Console.
9. The exported results are added to the QRadar database where users can view and manage
the scan results.
All-in-one deployment
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
You can run QRadar Vulnerability Manager from an All-in-one system, where the scanning and processing
functions are on the Console. The following information describes what you can do with a basic setup:
•
•
•
•
•
•
Scan up to 255 assets.
Unlimited discovery scans.
Use hosted scanner for DMZ scanning.
Manage scan data from third-party scanners that are integrated with QRadar.
Deploy a scanner on any managed host.
Deploy unlimited stand-alone software or virtual scanners.
Expanding a deployment
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
As your deployment grows, you might need to move the processing function off the QRadar
Console to free up resources, and you might want to deploy scanners closer to your assets.
The following list describes reasons to add scanners to your deployment:
•
•
•
To scan assets in a different geographic region than the QRadar Vulnerability
Manager processor.
If you want to scan many assets concurrently within a short time frame.
You might want to add a scanner to avoid scanning through a firewall that is a log source.
You might also consider adding the scanner directly to the network by adding an interface
on the scanner host that by-passes the firewall.
The following diagram shows a scanning deployment with external scanning and scanners
deployed on managed hosts.
Figure 2. Scanning deployment
DMZ hosted scanner
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
A hosted scanner scans your DMZ from the internet by using your public IP address. If you want to
scan the assets in the DMZ for vulnerabilities, you do not need to deploy a scanner in your DMZ. You
must configure QRadar Vulnerability Manager with a hosted IBM scanner that is located outside
your network.
QRadar Vulnerability Manager integrations
IBM QRadar Vulnerability Manager integrates with HCL BigFix to help you filter and prioritize the
vulnerabilities that can be fixed. BigFix provides shared visibility and control between IT
operations and security. BigFix applies Fixlets to high priority vulnerabilities that are identified and
sent by QRadar Vulnerability Manager to BigFix. Fixlets are packages that you deploy to your assets
or endpoints to remediate specific vulnerabilities.
QRadar Vulnerability Manager integrates with IBM Security SiteProtector to help direct intrusion
prevention system (IPS) policy. When you configure IBM Security SiteProtector, the vulnerabilities
that are detected by scans are automatically forwarded to IBM Security SiteProtector. IBM Security
SiteProtector receives vulnerability data from QRadar Vulnerability Manager scans that are run
only after the integration is configured. Connecting to IBM Security SiteProtector.
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425). In IBM QRadar 7.5.0 Update Package 6
and later, you cannot integrate QRadar Vulnerability Manager with IBM Security SiteProtector.
Third-party scanners
QRadar Vulnerability Manager delivers an effective vulnerability management platform, regardless
of the source of the scan data. QRadar Vulnerability Manager integrates seamlessly with third-party
scanners such as Nessus, nCircle, and Rapid 7.
You require QRadar Vulnerability Manager scanning to get the following options:
•
•
•
•
Event driven and on-demand scanning
Asset database and watchlist based scanning
Scanning from existing QRadar appliances and managed hosts
Detection of newly published vulnerabilities that are not present in any scan results
You require QRadar Risk Manager to get the following options:
•
•
Asset, vulnerability, and traffic-based vulnerability management
Adjusted vulnerability scores and context aware risk scoring.
•
QRadar Risk Manager and QRadar Vulnerability Manager
Enhance your network security by integrating IBM QRadar Risk Manager with IBM QRadar
Vulnerability Manager. Data sources, such as scan data, enable QRadar Risk Manager to
identify security, policy, and compliance risks in your network and calculate the probability
of risk exploitation.
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425). In IBM QRadar 7.5.0 Update Package 6
and later, QRadar Risk Manager cannot identify compliance risks or complete compliance assessments.
QRadar Vulnerability Manager and QRadar Risk Manager are combined into one offering and
both are enabled through a single base license.
Add a QRadar Risk Manager 700 appliance to get the following capabilities:
•
•
•
•
•
•
•
Compliance assessment
Risk policies that are based on vulnerability data and risk scores that help you quickly
identify high-risk vulnerabilities.
Visibility into potential exploit paths from potential threats and untrusted networks through
the network topology view.
Risk policy-based filtering.
Topology visualization
False positives reduction in vulnerability assessments.
Visibility into what vulnerabilities are blocked by firewalls and Intrusion Prevention
Systems (IPS).
QRadar Risk Manager appliance
Install QRadar Risk Manager separately on a QRadar Risk Manager 700 appliance.
You must install IBM QRadar Console before you set up and configure the QRadar Risk
Manager appliance. It is a good practice to install QRadar and QRadar Risk Manager on the same
network switch.
You require only one QRadar Risk Manager appliance per deployment.
The following diagram shows a deployment that has a scanner and QRadar Risk Manager.
Figure 1. Scanning deployment with Risk Manager
Use Risk Manager to complete the following tasks:
•
•
•
•
•
•
•
•
•
•
•
•
Centralized risk management.
View and filter your network topology
Import and compare device configurations
View connections between network devices.
Search firewall rules.
View existing rules and the event count for triggered rules.
Search devices and paths
Query network connections
Simulate the possible outcomes of updating device configurations.
Monitor and audit your network to ensure compliance.
Simulate threats or attacks against a virtual model.
Search for vulnerabilities.
TASK: 3.5 Manage custom event and flow properties
SUBTASKS:
3.5.1. Understand custom event and flow properties
3.5.2. Create a custom property
3.5.3. Modify or delete a custom property
3.5.4. Define custom properties using expressions
Custom log source types
Use the DSM Editor to create and configure a custom log source type to parse your events. If you
create a log source type for your custom applications and systems that don't have a supported
DSM, QRadar® analyzes the data in the same way that it does for supported DSMs.
You can select events from the Log Activity tab and send them directly to the DSM Editor to be
parsed. Or you can open the DSM Editor from the Admin tab to create and configure a new log
source type.
Complete the fields in the DSM Editor with the correct structured data to parse relevant
information from the events. QRadar uses the Event Category and Event ID fields to map a
meaning to the event. The Event ID is a mandatory field that defines the event, and the category
breaks down the event further. You can set the Event Category to the Device Type name, or you
can leave it as unknown. If you leave the Event Category as unknown, you must set it to unknown
for any event mappings that you create for this log source type.
Use the DSM Editor to map your Event ID/Event Category combinations that you are parsing from
your events. Enter the Event ID/Event Category combination into the new entry in the Event
Mapping tab. You can choose a categorization of the previously created QID map entry that is
relevant to your event, or click Choose QID to create a new map entry.
Creating a custom log source type to parse events
If you have events that are imported into QRadar, you can select the events on which you want to
base your custom log source type and send them directly to the DSM Editor.
Procedure
1. Click the Log Activity tab.
2. Pause the incoming results and then highlight one or more events.
Important: You can select only a single log source type, and only the events from log activity
that match the selected log source type are automatically added to the workspace.
3. On the navigation menu, select Actions > DSM Editor, and choose one of the following
options:
o If you are parsing known events, select your log source type from the list.
o If you are parsing stored events, click Create New. Enter a name for your log source
type in the Log Source Type Name field and click Save.
4. In the Properties tab, select the Override system properties checkbox for the properties
that you want to edit.
Identity properties for event mappings
Identity data is a special set of system properties that includes Identity Username, Identity
IP, Identity NetBIOS Name, Identity Extended Field, Identity Host
Name, Identity MAC, Identity Group Name.
When identity properties are populated by a DSM, the identity data is forwarded to the asset
profiler service that runs on the IBM® QRadar® console. The asset profiler is used to update the
asset model, either by adding new assets or by updating the information on existing assets,
including the Last User and User Last Seen asset fields when an Identity Username is
provided.
IBM QRadar DSMs can populate identity data for certain events, such as those that establish an
association or disassociation between identity properties. This association or disassociation is for
performance and also for certain events that provide new or useful information that is needed for
asset updates. For example, a login event establishes a new association between a user name and an
asset (an IP address, a MAC address, or a host name, or a combination of them). The DSM generates
identity data for any login events that it parses, but subsequent events of different types that
involve the same user, provide no new association information. Therefore, the DSM does not
generate identity for other event types.
Also, the DSMs for DHCP services can generate identity data for DHCP assigned events because
these events establish an association between an IP address and a MAC address. DSMs for DNS
services generate identity information for events that represents DNS lookups because these events
establish an association between an IP address and a host name or DNS name.
You can configure the DSM Editor to override the behavior of the identity properties. However,
unlike other system properties, overridden identity property has no effect unless it is linked to
specific Event ID or Event Category combinations (event mappings). When identity property
overrides are configured, you can go to the Event Mappings tab and select an event mapping to
configure specific identity properties for that event. Only identity properties that are available and
captured by the configured property regex or json are populated for an event.
Note: The Identity Username property is unique and cannot be independently configured. If
any identity properties are enabled for a particular event mapping, then the Identity
Username property is automatically populated for the event from the
available Username property value.
Referencing capture strings by using format
string fields
Use the Format String field on the Property Configuration tab to reference capture groups
that you defined in the regex. Capture groups are referenced in their order of precedence.
About this task
A capture group is any regex that is enclosed within parenthesis. A capture group is referenced with
an $n notation, where n is a group number that contains a regular expression (regex). You can
define multiple capture groups.
For example, you have a payload with company and host name variables.
"company":"ibm", "hostname":"localhost.com"
"company":"ibm", "hostname":"johndoe.com"
You can customize the host name from the payload to display ibm.hostname.com by using
capture groups.
Procedure
1. In the regex field, enter the following regular
expression: "company":"(.*?)".*"hostname":"(.*?)"
2. In the Format String field, enter the capture group $1.$2 where $1 is the value for the
company variable (in this case ibm) and $2 is the value for the host name in the payload. The
following output is given:
ibm.localhost.com ibm.johndoe.com
Creating a custom log source type to parse
events
If you have events that are imported into QRadar®, you can select the events on which you want to
base your custom log source type and send them directly to the DSM Editor.
Procedure
1. Click the Log Activity tab.
2. Pause the incoming results and then highlight one or more events.
Important: You can select only a single log source type, and only the events from log activity
that match the selected log source type are automatically added to the workspace.
3. On the navigation menu, select Actions > DSM Editor, and choose one of the following
options:
o If you are parsing known events, select your log source type from the list.
o If you are parsing stored events, click Create New. Enter a name for your log source
type in the Log Source Type Name field and click Save.
4. In the Properties tab, select the Override system properties checkbox for the properties
that you want to edit.
TASK: 3.7 Manage data obfuscation
SUBTASKS:
3.7.1. Understand data obfuscation
• profiles
• expressions
3.7.2. Create a data obfuscation profile
3.7.3. Create a data obfuscation expression
3.7.4. View deobfuscated data
3.7.5. Edit or disable obfuscation expressions created in previous releases
Data obfuscation expressions
Data obfuscation expressions identify the data to hide. You can create data obfuscation expressions
that are based on field-based properties or you can use regular expressions.
Field-based properties
Use a field-based property to hide user names, group names, host names, and NetBIOS names.
Expressions that use field-based properties obfuscate all instances of the data string. The data is
hidden regardless of its log source, log source type, event name, or event category.
If the same data value exists in more than one of the fields, the data is obfuscated in all fields that
contain the data even if you configured the profile to obfuscate only one of the four fields. For
example, if you have a host name that is called IBMHost and a group name that is called IBMHost, the
value IBMHost is obfuscated in both the host name field and the group name field even if the data
obfuscation profile is configured to obfuscate only host names.
Regular expressions
Use a regular expression to obfuscate one data string in the payload. The data is hidden only if it
matches the log source, log source type, event name, or category that is defined in the expression.
You can use high-level and low-level categories to create a regular expression that is more specific than a
field-based property. For example, you can use the following regex patterns to parse user names:
Example regex patterns
Matches
[email protected],
usrName=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([[email protected],
9
a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,20})$ [email protected]
john.smith, John.Smith, john,
usrName=(^([\w]+[^\W])([^\W]\.?)([\w]+[^\W]$))jon_smith
usrName=^([a-zA-Z])[a-zA-Z_-]*[\w_]*[\S]$|^([a
-zA-Z])[0-9_-]*[\S]$|^[a-zA-Z]*[\S]$
johnsmith, Johnsmith123,
john_smith123, john123_smith,
john-smith
usrName=(/S+)
Matches any non-white space after the equal, =,
sign. This regular expression is non-specific
and can lead to system performance issues.
msg=([0-9a-zA-Z]([-.\w]*[0-9a-zAZ]))*@\b(([01]
Matches users with IP address. For
?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-example, [email protected]
4
]\d|25[0-5])\b
src=\b(([01]?\d?\d|2[0-4]\d|25[0Matches IP address formats.
5])\.){3}([01]
?\d?\d|2[0-4]\d|25[0-5])\b
host=^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\]*[a
hostname.example.com,
-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za- hostname.co.uk
z09\-]*[A-Za-z0-9])$
Table 1. Regex user name parsing
Deobfuscating data so that it can be viewed in
the console
When data obfuscation is configured on an IBM® QRadar® system, the masked version of the data
is shown throughout the application. You must have both the corresponding keystore and the
password to deobfuscate the data so that it can be viewed.
Before you begin
You must be an administrator and have the private key and the password for the key before you
can deobfuscate data. The private key must be on your local computer.
About this task
Before you can see the obfuscated data, you must upload the private key. After the key is uploaded,
it remains available on the system for the duration of the current session. The session ends when
you log out of QRadar, when the cache is cleared on the QRadar Console, or when there is an
extended period of inactivity. When the session ends, the private keys that were uploaded in the
previous session are no longer visible.
QRadar can use the keys available in the current session to automatically deobfuscate data. With
auto-deobfuscation enabled, you do not have to repeatedly select the private key on
the Obfuscation Session Key window each time that you want to view the data. Auto-deobfuscate is
automatically disabled when the current session ends.
Procedure
1. On the Event Details page, find the data that you want to deobfuscate.
2. To deobfuscate identity-based data:
a. Click the lock icon next to the data that you want to deobfuscate.
b. In the Upload Key section, click Select File and select the keystore to upload.
c. In the Password box, type the password that matches the keystore.
d. Click Upload.
The Deobfuscation window shows the event payload, the profile names that are
associated with the keystore, the obfuscated text, and the deobfuscated text.
e. Optional: Click Toggle Auto Deobfuscate to enable auto-deobfuscation.
After you toggle the auto-deobfuscation setting, you must refresh the browser
window and reload the event details page for the changes to appear.
3. To deobfuscate payload data that is not identity-based:
a. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation keys.
b. In the Upload Key section, click Select File and select the private key to upload.
c. In the Password box, type the password that matches the private key and
click Upload.
d. In the Payload information box, select and copy the obfuscated text to the clipboard.
e. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation.
f. Paste the obfuscated text in to dialog box.
g. Select the obfuscation profile from the drop-down list and click Deobfuscate.
Editing or disabling obfuscation expressions
created in previous releases
When you upgrade to IBM® QRadar® V7.2.6, data obfuscation expressions that were created in
previous releases are automatically carried forward and continue to obfuscate data. These
expressions appear in a single data obfuscation profile, named AutoGeneratedProperty.
Although you can see the expressions, you cannot edit or disable data obfuscation expressions that
were created in earlier versions. You must manually disable them and create a data obfuscation
profile that contains the revised expressions.
About this task
To disable an old expression, you must edit the xml configuration file that defines the attributes for
the expression. You can then run the obfuscation_updater.sh script to disable it.
Ensure that you disable old expressions before you create new expressions that obfuscate the same
data. Multiple expressions that obfuscate the same data cause the data to be obfuscated twice. To
decrypt data that is obfuscated multiple times, each keystore that is used in the obfuscation process
must be applied in the order that the obfuscation occurred.
Procedure
1. Use SSH to log in to your QRadar Console as the root user.
2. Edit the obfuscation expressions .xml configuration file that you created when you
configured the expressions.
3. For each expression that you want to disable, change the Enabled attribute to false.
4. To disable the expressions, run the obfuscation_updater.sh script by typing the
following command:
<path_to_private_key>] [<path_to_obfuscation_xml_config_file>]
obfuscation_updater.sh [-p
e
The obfuscation_updater.sh script is in the /opt/qradar/bin directory, but you
can run the script from any directory on your QRadar Console.
Sensitive data protection
Configure a data obfuscation profile to prevent unauthorized access to sensitive or personal
identifiable information in IBM® QRadar®.
Data obfuscation is the process of strategically hiding data from QRadar users. You can hide custom
properties, normalized properties such as user names, or you can hide the content of a payload,
such as credit card or social security numbers.
The expressions in the data obfuscation profile are evaluated against the payload and normalized
properties. If the data matches the obfuscation expression, the data is hidden in QRadar. The data
might be hidden to all users, or only to users belonging to particular domains or tenants. Affected
users who try to query the database directly can’t see the sensitive data. The data must be reverted
to the original form by uploading the private key that was generated when the data obfuscation
profile was created.
To ensure that QRadar can still correlate the hidden data values, the obfuscation process is
deterministic. It displays the same set of characters each time the data value is found.
How does data obfuscation work?
Before you configure data obfuscation in your IBM QRadar deployment, you must understand how
it works for new and existing offenses, assets, rules, and log source extensions.
Existing event data
When a data obfuscation profile is enabled, the system masks the data for each event as it is
received by QRadar. Events that are received by the appliance before data obfuscation is configured
remain in the original unobfuscated state. The older event data is not masked and users can see the
information.
Assets
When data obfuscation is configured, the asset model accumulates data that is masked while the
pre-existing asset model data remains unmasked.
To prevent someone from using unmasked data to trace the obfuscated information, purge the
asset model data to remove the unmasked data. QRadar will repopulate the asset database with
obfuscated values.
Offenses
To ensure that offenses do not display data that was previously unmasked, close all existing
offenses by resetting the SIM model. For more information, see Resetting SIM.
Rules
You must update rules that depend on data that was previously unmasked. For example, rules that
are based on a specific user name do not fire when the user name is obfuscated.
Log source extensions
Log source extensions that change the format of the event payload can cause issues with data
obfuscation.
Data obfuscation profiles
The data obfuscation profile contains information about which data to mask. It also tracks the
keystore that is required to decrypt the data.
Enabled profiles
Enable a profile only when you are sure that the expressions correctly target the data
that you want to obfuscate. If you want to test the regular expression before you
enable the data obfuscation profile, you can create a regex-based custom property.
A profile that is enabled immediately begins obfuscating data as defined by the enabled
expressions in the profile. The enabled profile is automatically locked. Only the user who has
the private key can disable or change the profile after it is enabled.
To ensure that obfuscated data can be traced back to an obfuscation profile, you cannot
delete a profile that was enabled, even after you disable it.
Locked profiles
A profile is automatically locked when you enable it, or you can lock it manually.
A locked profile has the following restrictions:
•
•
•
•
You cannot edit it.
You cannot enable or disable it. You must provide the keystore and unlock the profile
before you can change it.
You cannot delete it, even after it is unlocked.
If a keystore is used with a profile that is locked, all other profiles that use that
keystore are automatically locked.
The following table shows examples of profiles that are locked or unlocked:
Scenario
Result
Profile A is locked.
It was created by
using keystore A.
Profile B is automatically locked.
Profile B is also
created by using
keystore A.
Profile A is created
Profile A is automatically locked.
and enabled.
Profile A, Profile B,
and Profile C are
currently locked. All
were created by
using keystore A. Profile A, Profile B, and Profile C are all unlocked.
Profile B is selected
and Lock/Unlock is
clicked.
Table 1. Locked profile examples
Data obfuscation expressions
Data obfuscation expressions identify the data to hide. You can create data obfuscation expressions
that are based on field-based properties or you can use regular expressions.
Field-based properties
Use a field-based property to hide user names, group names, host names, and NetBIOS names.
Expressions that use field-based properties obfuscate all instances of the data string. The data is
hidden regardless of its log source, log source type, event name, or event category.
If the same data value exists in more than one of the fields, the data is obfuscated in all fields that
contain the data even if you configured the profile to obfuscate only one of the four fields. For
example, if you have a host name that is called IBMHost and a group name that is called IBMHost, the
value IBMHost is obfuscated in both the host name field and the group name field even if the data
obfuscation profile is configured to obfuscate only host names.
Regular expressions
Use a regular expression to obfuscate one data string in the payload. The data is hidden only if it
matches the log source, log source type, event name, or category that is defined in the expression.
You can use high-level and low-level categories to create a regular expression that is more specific than a
field-based property. For example, you can use the following regex patterns to parse user names:
Example regex patterns
Matches
[email protected],
usrName=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([[email protected],
9
a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,20})$ [email protected]
john.smith, John.Smith, john,
usrName=(^([\w]+[^\W])([^\W]\.?)([\w]+[^\W]$))jon_smith
usrName=^([a-zA-Z])[a-zA-Z_-]*[\w_]*[\S]$|^([a
-zA-Z])[0-9_-]*[\S]$|^[a-zA-Z]*[\S]$
johnsmith, Johnsmith123,
john_smith123, john123_smith,
john-smith
usrName=(/S+)
Matches any non-white space after the equal, =,
sign. This regular expression is non-specific
and can lead to system performance issues.
msg=([0-9a-zA-Z]([-.\w]*[0-9a-zAZ]))*@\b(([01]
Matches users with IP address. For
?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-example, [email protected]
4
]\d|25[0-5])\b
src=\b(([01]?\d?\d|2[0-4]\d|25[0Matches IP address formats.
5])\.){3}([01]
?\d?\d|2[0-4]\d|25[0-5])\b
Example regex patterns
Matches
host=^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\]*[a
-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Zaz09\-]*[A-Za-z0-9])$
hostname.example.com,
hostname.co.uk
Table 1. Regex user name parsing
Scenario: Obfuscating user names
You are an IBM QRadar administrator. Your organization has an agreement with the workers union
that all personal identifiable information must be hidden from QRadar users. You want to
configure QRadar to hide all user names.
Use the Data Obfuscation Management feature on the Admin tab to configure QRadar to hide the data:
1. Create a data obfuscation profile and download the system-generated private key. Save the
key in a secure location.
2. Create the data obfuscation expressions to target the data that you want to hide.
3. Enable the profile so that the system begins to obfuscate the data.
4. To read the data in QRadar, upload the private key to deobfuscate the data.
•
Creating a data obfuscation profile
IBM QRadar uses data obfuscation profiles to determine which data to mask, and to ensure
that the correct keystore is used to unmask the data.
About this task
You can create a profile that creates a new keystore or you can use an existing keystore. If
you create a keystore, it must be downloaded and stored in a secure location. Remove the
keystore from the local system and store it in a location that can be accessed only by users
who are authorized to view the unmasked data.
Configuring profiles that use different keystores is useful when you want to limit data access
to different groups of users. For example, create two profiles that use different keystores
when you want one group of users to see user names and another group of users to see host
names.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Data Sources section, click Data Obfuscation Management.
3. To create a new profile, click Add and type a unique name and description for the
profile.
4. To create a new keystore for the profile, complete these steps:
a. Click System generate keystore.
b. In the Provider list box, select IBMJCE.
c. In the Algorithm list box, select JCE and select whether to generate 512-bit or
1024-bit encryption keys.
In the Keystore Certificate CN box, the fully qualified domain name for
the QRadar server is auto-populated.
d. In the Keystore password box, enter the keystore password.
The keystore password is required to protect the integrity of the keystore. The
password must be at least 8 characters in length.
e. In the Verify keystore password, retype the password.
5. To use an existing keystore with the profile, complete these steps:
a. Click Upload keystore.
b. Click Browse and select the keystore file.
c. In the Keystore password box, type the password for the keystore.
6. Click Submit.
7. Download the keystore.
Remove the keystore from your system and store it in a secure location.
•
Creating data obfuscation expressions
The data obfuscation profile uses expressions to specify which data to hide from IBM
QRadar users. The expressions can use either field-based properties or regular expressions.
About this task
After an expression is created, you cannot change the type. For example, you cannot create a
property-based expression and then later change it to a regular expression.
You cannot hide a normalized numeric field, such as port number or an IP address.
Multiple expressions that hide the same data cause data to be hidden twice. To decrypt data
that is hidden multiple times, each keystore that is used in the obfuscation process must be
applied in the order that the obfuscation occurred.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Data Sources section, click Data Obfuscation Management.
3. Click the profile that you want to configure, and click View Contents.
You cannot configure profiles that are locked.
4. To create a new data obfuscation expression, click Add and type a unique name and
description for the profile.
5. Select the Enabled check box to enable the profile.
6. Optional: To apply the obfuscation expression to specific domains or tenants, select
them from the Domain field. Or select All Domains to apply the obfuscation
expression to all domains and tenants.
7. To create a field-based expression, click Field Based and select the field type to
obfuscate.
8. To create a regular expression, click RegEx and configure the regex properties.
9. Click Save.
•
Deobfuscating data so that it can be viewed in the console
When data obfuscation is configured on an IBM QRadar system, the masked version of the
data is shown throughout the application. You must have both the corresponding keystore
and the password to deobfuscate the data so that it can be viewed.
Before you begin
You must be an administrator and have the private key and the password for the key before
you can deobfuscate data. The private key must be on your local computer.
About this task
Before you can see the obfuscated data, you must upload the private key. After the key is
uploaded, it remains available on the system for the duration of the current session. The
session ends when you log out of QRadar, when the cache is cleared on the QRadar Console,
or when there is an extended period of inactivity. When the session ends, the private keys
that were uploaded in the previous session are no longer visible.
QRadar can use the keys available in the current session to automatically deobfuscate data.
With auto-deobfuscation enabled, you do not have to repeatedly select the private key on
the Obfuscation Session Key window each time that you want to view the data. Autodeobfuscate is automatically disabled when the current session ends.
Procedure
1. On the Event Details page, find the data that you want to deobfuscate.
2. To deobfuscate identity-based data:
a. Click the lock icon next to the data that you want to deobfuscate.
b. In the Upload Key section, click Select File and select the keystore to upload.
c. In the Password box, type the password that matches the keystore.
d. Click Upload.
The Deobfuscation window shows the event payload, the profile names that
are associated with the keystore, the obfuscated text, and the deobfuscated
text.
e. Optional: Click Toggle Auto Deobfuscate to enable auto-deobfuscation.
After you toggle the auto-deobfuscation setting, you must refresh the browser
window and reload the event details page for the changes to appear.
3. To deobfuscate payload data that is not identity-based:
a. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation
keys.
b. In the Upload Key section, click Select File and select the private key to
upload.
c. In the Password box, type the password that matches the private key and
click Upload.
d. In the Payload information box, select and copy the obfuscated text to the
clipboard.
e. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation.
f. Paste the obfuscated text in to dialog box.
g. Select the obfuscation profile from the drop-down list and click Deobfuscate.
•
Editing or disabling obfuscation expressions created in previous releases
When you upgrade to IBM QRadar V7.2.6, data obfuscation expressions that were created in
previous releases are automatically carried forward and continue to obfuscate data. These
expressions appear in a single data obfuscation profile, named AutoGeneratedProperty.
About this task
To disable an old expression, you must edit the xml configuration file that defines the attributes for the
expression. You can then run the obfuscation_updater.sh script to disable it.
Ensure that you disable old expressions before you create new expressions that obfuscate
the same data. Multiple expressions that obfuscate the same data cause the data to be
obfuscated twice. To decrypt data that is obfuscated multiple times, each keystore that is
used in the obfuscation process must be applied in the order that the obfuscation occurred.
Procedure
1. Use SSH to log in to your QRadar Console as the root user.
2. Edit the obfuscation expressions .xml configuration file that you created when you
configured the expressions.
3. For each expression that you want to disable, change the Enabled attribute to false.
4. To disable the expressions, run the obfuscation_updater.sh script by typing
the following command:
<path_to_private_key>] [<path_to_obfuscation_xml_config_file>]
obfuscation_updater.sh [-p
e
The obfuscation_updater.sh script is in the /opt/qradar/bin directory,
but you can run the script from any directory on your QRadar Console.
Section 4: Accuracy Tuning
This section accounts for 10% of the exam (6 out of 62 questions).
TASK: 4.1 Understand and implement ADE rules
SUBTASKS:
4.1.1. Understand anomaly rules
4.1.2. Understand threshold rules
4.1.3. Understand behavior rules
4.1.4. Create an anomaly detection rule
Anomaly detection rules
Anomaly detection rules test the results of saved flow or events searches to detect when unusual
traffic patterns occur in your network.
Anomaly detection rules require a saved search that is grouped around a common parameter, and a
time series graph that is enabled. Typically the search needs to accumulate data before the anomaly
rule returns any result that identifies patterns for anomalies, thresholds, or behavior changes.
Anomaly rules
Test event and flow traffic for changes in short-term events when you are comparing against a
longer timeframe. For example, new services or applications that appear in a network, a web server
crashes, firewalls that all start to deny traffic.
Example: You want to be notified when one of your firewall devices is reporting more often than it usually
does because your network might be under attack. You want to be notified when you receive twice as many
events in 1 hour. You follow these steps:
1. Create and save a search that groups by log source, and displays only the count column.
2. Apply the saved search to an anomaly rule, and add the rule test, and when the average
value (per interval) of count over the last 1 hour is at least 100% different from the
average value (per interval) of the same property over the last 24 hours.
Threshold rules
Test events or flows for activity that is greater than or less than a specified range. Use these rules to
detect bandwidth usage changes in applications, failed services, the number of users connected to a
VPN, and detecting large outbound transfers.
Example: A user who was involved in a previous incident has large outbound transfer.
When a user is involved in a previous offense, automatically set the Rule response to add to the
Reference set. If you have a watch list of users, add them to the Reference set. Tune acceptable
limits within the Threshold rule.
A reference set, WatchUsers, and Key:username are required for your search.
Complete the following search, and then apply it to a Threshold rule.
select assetuser(sourceip, now()) as 'srcAssetUser',
Applicationname(applicationid)as 'AppName', long(sum(sourcebytes
+destinationbytes)) as 'flowsum' from flows where flowdirection = 'L2R' and
REFERENCESETCONTAINS('Watchusers', username)group by 'srcAssetUser',
applicationid order by 'flowsum' desc last 24 hours
Behavioral rules
Test events or flows for volume changes that occur in regular patterns to detect outliers. For
example, a mail server that has an open relay and suddenly communicates with many hosts, or an
IPS (intrusion protection system) that starts to generate numerous alert activities.
A behavioral rule learns the rate or volume of a property over a pre-defined season. The season
defines the baseline comparison timeline for what you're evaluating. When you set a season of 1
week, the behavior of the property over that 1 week is learned and then you use rule tests to alert
you to any significant changes.
After a behavioral rule is set, the season adjusts automatically. When the data in the season is
learned, it is continually evaluated so that business growth is profiled within the season; you do not
have to change your rules. The longer a behavioral rule runs, the more accurate it becomes. You can
then adjust the rule responses to capture more subtle changes.
The following table describes the behavioral rule test parameter options.
Rule test parameter
Season
Current traffic level
Current traffic trend
Description
The most important value. The season defines the baseline behavior of
the property that you are testing and which the other rule tests use. To
define a season, consider the type of traffic that you are monitoring. For
example, for network traffic or processes that include human interaction,
1 week is a good season timeframe. For tracking automated services
where patterns are consistent, you might want to create a season as
short as 1 day to define that pattern of behavior.
Weight of the original data with seasonal changes and random error
accounted for. This rule test asks the question, "Is the data the same as
yesterday at the same time?"
The weight must be in the range of 1 to 100. A higher value places more
weight on the previously recorded value.
Weight of changes in the data for each time interval. This rule test asks
the question, "How much does the data change when it compares this
minute to the minute before?"
Rule test parameter
Description
Current traffic behavior
The weight must be in the range of 1 to 100. A higher value places more
weight on traffic trends than the calculated behavior.
Weight of the seasonal effect for each period. This rule test asks the
question, "Did the data increase the same amount from week 2 to week 3,
as it did from week 1 to week 2?"
The weight must be in the range of 1 to 100. A higher value places more
weight on the learned behavior.
Use predicted values to scale baselines to make alerting more or less
sensitive.
Predicted value
The sensitivity must be in the range of 1 to 100. A value of 1 indicates
that the measured value cannot be outside the predicted value. A value of
100 indicates that the traffic can be more than four times larger than the
predicted value.
Table 1. Behavioral rule test definitions
The forecast for value from (n+1)th interval is calculated by using the following formula:
Fn+1 = Bn + Tn + Tn+1-s
Where F is the predicted value, B is the base value for interval n, T is the trend value for interval n,
and T is the trend value for season intervals ago and s is the number of intervals within the season.
The base value is calculated by using the following formula:
Bn+1 = (0.2 + 0.3*(<Current traffic level> / 100.0))*(value n+1 – Tn+1-s) + (1 – (0.2 +
0.3*(<Current traffic level> / 100.0)))*T n
The trend value is calculated by using the following formula:
Tn+1 = (0.2 + 0.3*(<Current traffic trend> / 100.0))*(B n+1 - Bn) + (1 - (0.2 +
0.3*(<Current traffic trend> / 100.0)))*T n
Smoothed deviation D is calculated by using the following formula:
Dn+1 = (0.2 + 0.3*(<Current traffic behavior> / 100.0))*|value n+1 – Fn+1| + (1 – (0.2 +
0.3*(<Current traffic behavior> / 100.0)))*D n+1-s
The behavioral rule produces an alert for the interval if the following expression is false:
F – (1 + (sensitivity / 100.0)*3)*D <= value <= F + (1 + ( sensitivity / 100.0)*3)*D
During the first season, the behavioral rule learns for future calculations and doesn't produce any
alerts.
•
Creating an anomaly detection rule
Anomaly detection rules test the result of saved flow or event searches to search for unusual
traffic patterns that occur in your network. Behavioral rules test event and flow traffic
according to "seasonal" traffic levels and trends. Threshold rules test event and flow traffic
for activity less than, equal to, or greater than a configured threshold or within a specified
range.
Before you begin
To create anomaly detection rules on the Log Activity tab, you must have the Log
Activity Maintain Custom Rules role permission.
To create anomaly detection rules on the Network Activity tab, you must have the Network
Activity Maintain Custom Rules role permission.
To manage default and previously created anomaly detection rules, use the Rules page on
the Offenses tab.
About this task
When you create an anomaly detection rule, the rule is populated with a default test stack, based on
your saved search criteria. You can edit the default tests or add tests to the test stack. At least
one Accumulated Property test must be included in the test stack.
By default, the Test the [Selected Accumulated Property] value of each [group]
separately option is selected on the Rule Test Stack Editor page.
An anomaly detection rule tests the selected accumulated property for each event or flow group
separately. For example, if the selected accumulated value is UniqueCount(sourceIP), the rule
tests each unique source IP address for each event or flow group.
The Test the [Selected Accumulated Property] value of each [group] separately option is
dynamic. The [Selected Accumulated Property] value depends on the option that you select for
the this accumulated property test field of the default test stack. The [group] value depends on
the grouping options that are specified in the saved search criteria. If multiple grouping options are
included, the text might be truncated. Move your mouse pointer over the text to view all groups.
Procedure
1. Click the Log Activity or Network Activity tab.
2. Perform an aggregated search.
You can add a property to the group by in a new historical search or select a property from
the Display list on the current search page.
3. On the search result page, click Configure , and then configure the following options:
a. Select a property from the Value to Graph list.
b. Select time series as the chart type from the Value to Graph list
c.
d.
e.
f.
Enable the Capture Time Series Data check box.
Click Save, and then enter a name for your search.
Click OK.
Select last 5 minutes from the Time Range list, while you wait for the time series
graph to load.
You must have time series data for the property that you selected in the Value to Graph list
to run a rule test on that accumulated property.
4. From the Rules menu, select the rule type that you want to create.
a. Add Anomaly Rule
b. Add Threshold Rule
c. Add Behavioral Rule
5. On the Rule Test Stack Editor page, in the enter rule name here field, type a unique name
that you want to assign to this rule.
6. To apply your rule by using the default test, select the first rule in the anomaly Test
Group list.
You might need to set the accumulated property parameter to the property that you selected
from the Value to Graph list that you saved in the search criteria. If you want to see the
result sooner, set the percentage to a lower value, such as 10%. Change last 24 hours to a
lesser time period, such as 1 hour. Because an anomaly detection tests on aggregated fields
in real time to alert you of anomalous network activity, you might want to increase or
decrease events or flows in your network traffic.
7. Add a test to a rule.
a. To filter the options in the Test Group list, type the text that you want to filter for in
the Type to filter field.
b. From the Test Group list, select the type of test that you want to add to this rule.
c. Optional: To identify a test as an excluded test, click and at the beginning of the test
in the Rule pane. The and is displayed as and not.
d. Click the underlined configurable parameters to customize the variables of the test.
e. From the dialog box, select values for the variable, and then click Submit.
8. To test the total selected accumulated properties for each event or flow group, disable Test
the [Selected Accumulated Property] value of each [group] separately.
9. In the groups pane, enable the groups you want to assign this rule to.
10. In the Notes field, type any notes that you want to include for this rule, and then Click Next.
11. On the Rule Responses page, configure the responses that you want this rule to generate.
Learn more about rule response page parameters for anomaly detection rules:
The following table provides the Rule Response page parameters if the rule type is Anomaly.
Parameter
Description
Dispatch New
Event
Specifies that this rule dispatches a new event with the original event or flow,
which is processed like all other events in the system. By default, this check box is
selected and cannot be cleared.
Parameter
Description
If you want the Event Name information to contribute to the name of the
offense, select the This information should contribute to the name of
the associated offense(s) option.
Offense Naming
If you want the configured Event Name to contribute to the offense, select the This
information should set or replace the name of the associated offense(s).
Note: After you replace the name of the offense, the name won't change until the
offense is closed. For example, if an offense is associated with more than one rule,
and the last event doesn't trigger the rule that is configured to override the name
of the offense, the offense's name won't be updated by the last event. Instead, the
offense name remains the name that is set by the override rule.
Severity
The severity level that you want to assign to the event. The range is 0 (lowest) to
10 (highest) and the default is 5. The Severity is displayed in the Annotations
pane of the event details.
Credibility
The credibility that you want to assign to the log source. For example, is the log
source noisy or expensive? Using the list boxes, select the credibility of the event.
The range is 0 (lowest) to 10 (highest) and the default is 5. Credibility is
displayed in the Annotations pane of the event details.
Relevance
The relevance that you want to assign to the weight of the asset. For example,
how much do you care about the asset? Using the list boxes, select the relevance
of the event. The range is 0 (lowest) to 10 (highest) and the default is 5.
Relevance is displayed in the Annotations pane of the event details.
Ensure that the
As a result of this rule, the event is forwarded to the magistrate. If an
dispatched event is offense exists, this event is added. If no offense was created on the
part of an offense Offenses tab, a new offense is created.
Notify
Send to Local
SysLog
Events that generate as a result of this rule are displayed in the System
Notifications item in the Dashboard tab. If you enable notifications, configure
the Response Limiter parameter.
Select this check box if you want to log the event or flow locally. By default, the
check box is clear.
Note: Only normalized events can be logged locally on a QRadar® appliance. If
you want to send raw event data, you must use the Send to Forwarding
Destinations option to send the data to a remote syslog host.
Adds events that are generated as a result of this rule to a reference set.
You must be an administrator to add data to a reference set.
Add to Reference
Set
To add data to a reference set, follow these steps:
a. From the first list, select the property of the event or flow that you
want to add.
b. From the second list, select the reference set to which you want to
add the specified data.
Parameter
Description
Add to Reference
To use this rule response, you must create the reference data collection.
Data
If you want this rule to remove data from a reference set, select this check box.
To remove data from a reference set, follow these steps:
Remove from
Reference Set
Remove from
Reference Data
a. From the first list, select the property of the event or flow that you
want to remove.
b. From the second list, select the reference set from which you want
to remove the specified data.
To use this rule response, you must have a reference data collection.
You can write scripts that do specific actions in response to network events. For
example, you might write a script to create a firewall rule that blocks a particular
source IP address from your network in response to repeated login failures.
Execute Custom
Action
Select this check box and select a custom action from the Custom action
to execute list.
You add and configure custom actions by using the Define Actions icon on
the Admin tab.
Publish on the IF- If the IF-MAP parameters are configured and deployed in the system settings,
MAP Server
select this option to publish the offense information about the IF-MAP server.
Response Limiter
Select this check box and use the list boxes to configure the frequency with which
you want this rule to respond
Enable Rule
Select this check box to enable this rule. By default, the check box is selected.
Table 1. Anomaly Detection Rule Response page parameters
An SNMP notification might resemble:
"Wed Sep 28 12:20:57 GMT 2005, Custom Rule Engine Notification Rule 'SNMPTRAPTst' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name:
ICMP Destination Unreachable Communication with Destination Host is
Administratively Prohibited, QID: 1000156, Category: 1014, Notes:
Offense description"
A syslog output might resemble:
Sep 28 12:39:01 localhost.localdomain ECS:
Rule 'Name of Rule' Fired: 172.16.60.219:12642
-> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID:
1000398, Category: 1011, Notes: Event description
2. Click Next.
3. Click Finish.
TASK: 4.2 Manage and use building blocks
SUBTASKS:
4.2.1. Tune building blocks
4.2.2. Review the building blocks in the use case manager
4.2.3. Add servers to building blocks
Tuning building blocks
You can edit building blocks to reduce the number of false positives that are generated by IBM®
QRadar®.
About this task
To edit building blocks, you must add the IP address or IP addresses of the server or servers into
the appropriate building blocks.
Procedure
1.
2.
3.
4.
5.
6.
Click the Offenses tab.
On the navigation menu, click Rules.
From the Display list, select Building Blocks.
Double-click the building block that you want to edit.
Update the building block.
Click Finish.
The following table describes editable building blocks.
Building Block
BB:NetworkDefinition:
NAT Address Range
BB:HostDefinition:
Network Management
Servers
Description
Edit the and where either the source or destination IP is one of the
following test to include the IP addresses of the Network Address
Translation (NAT) servers.
Edit this building block only if you have a detection in the nonNATd address space. Editing this building block means that offenses are
not created for attacks that are targeted or sourced from this IP address
range.
Network management systems create traffic, such as ICMP (Internet
Control Message Protocol) sweeps to discover hosts. QRadar SIEM might
consider this threatening traffic. To ignore this behavior and define
network management systems, edit the and when either the source or
destination IP is one of the following test to include the IP addresses of
the Network Management Servers (NMS), and other hosts that normally
perform network discovery or monitoring.
Building Block
Description
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of the proxy servers.
BB:HostDefinition: Proxy Edit this building block if you have sufficient detection on the proxy
Servers
server. Editing this building block prevents offense creation for attacks
BB:HostDefinition: VA
Scanner Source IP
that are targeted or sourced from the proxy server. This adjustment is
useful when hundreds of hosts use a single proxy server and that single IP
address of the proxy server might be infected with spyware.
Vulnerability assessment products launch attacks that can result in
offense creation. To avoid this behavior and define vulnerability
assessment products or any server that you want to ignore as a source,
edit the and when the source IP is one of the following test to include
the IP addresses of the following scanners:
o
o
VA Scanners
Authorized Scanners
BB:HostDefinition: Virus Edit the and when either the source or destination IP is one of the
Definition and Other
following test to include the IP addresses of virus protection and update
Update Servers
function servers.
Edit the and when the source is located in test to include geographic
BB:Category Definition: locations that you want to prevent from accessing your network. This
Countries with no Remote change enables the use of rules, such as anomaly: Remote Access from
Access
Foreign Country to create an offense when successful logins are detected
from remote locations.
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of servers that are used for
BB:ComplianceDefinition:Gramm-Leach-Bliley Act (GLBA) compliance. By populating this building
GLBA Servers
block, you can use rules such as Compliance: Excessive Failed Logins to
Compliance IS, which create offenses for compliance and regulationbased situations.
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of servers that are used for
BB:ComplianceDefinition:Health Insurance Portability and Accountability Act (HIPAA) compliance.
HIPAA Servers
By populating this building block, you can use rules, such as Compliance:
Excessive Failed Logins to Compliance IS, which create offenses for
compliance and regulation-based situations.
Edit the and when either the source or destination IP is one of the
following test to include the IP addresses of servers that are used for SOX
BB:ComplianceDefinition:(Sarbanes-Oxley Act) compliance. By populating this building block, you
SOX Servers
can use rules, such as Compliance: Excessive Failed Logins to
Compliance IS, which create offenses for compliance and regulationbased situations.
Edit the and when either the source or destination IP is one of the
BB:ComplianceDefinition:following test to include the IP addresses of servers that are used for PCI
PCI DSS Servers
DSS (Payment Card Industry Data Security Standards) compliance. By
populating this building block, you can use rules such as Compliance:
Building Block
BB:NetworkDefinition:
Broadcast Address Space
Description
Excessive Failed Logins to Compliance IS, which creates offenses for
compliance and regulation-based situations.
Edit the and when either the source or destination IP is one of the
following test to include the broadcast addresses of your network. This
change removes false positive events that might be caused by the use of
broadcast messages.
BB:NetworkDefinition:
Client Networks
Edit the and when the local network is test to include workstation
networks that users are operating.
BB:NetworkDefinition:
Server Networks
Edit the when the local network is test to include any server networks.
Edit the and when the local network is test to include the IP addresses
that are considered to be a dark net. Any traffic or events that are directed
towards a dark net is considered suspicious.
Edit the and when the any IP is a part of any of the following test to
BB:NetworkDefinition: include the remote services that might be used to obtain information from
DLP Addresses
the network. This change can include services, such as WebMail hosts or
file sharing sites.
BB:NetworkDefinition:
Darknet Addresses
BB:NetworkDefinition:
DMZ Addresses
Edit the and when the local network test to include networks that are
considered to be part of the network’s DMZ.
BB:PortDefinition:
Authorized L2R Ports
Edit the and when the destination port is one of the following test to
include common outbound ports that are allowed on the network.
BB:NetworkDefinition:
Watch List Addresses
Edit the and when the local network is to include the remote networks
that are on a watch list. This change helps to identify events from hosts
that are on a watch list.
BB:FalsePositive: User
Edit this building block to include any categories that you want to
Defined Server Type False consider as false positives for hosts that are defined in
Positive Category
the BB:HostDefinition: User Defined Server Type building block.
BB:FalsePositive: User
Edit this building block to include any events that you want to consider as
Defined Server Type False false positives for hosts that are defined in the BB:HostDefinition: User
Positive Events
Defined Server Type building block.
Edit this building block to include the IP address of your custom server
type. After you add the servers, you must add any events or categories
BB:HostDefinition: User that you want to consider as false positives to this server, as defined in
Defined Server Type
the BB:FalsePositives: User Defined Server Type False Positive Category
or the BB:False Positives: User Defined Server Type False Positive
Events building blocks.
Table 1. Building blocks to edit.
You can include a CIDR range or subnet in any of the building blocks instead of listing the IP
addresses. For example, 192.168.1/24 includes addresses 192.168.1.0 to 192.168.1.255. You
can also include CIDR ranges in any of the BB:HostDefinition building blocks.
QRadar Use Case Manager app
Use the guided tips in the IBM® QRadar® Use Case Manager app to help you ensure that IBM
QRadar is optimally configured to accurately detect threats throughout the attack chain.
QRadar Use Case Manager includes a use case explorer that offers flexible reports that are related
to your rules. QRadar Use Case Manager also exposes pre-defined mappings to system rules and
helps you map your own custom rules to MITRE ATT&CK tactics and techniques.
Explore rules through visualization and generated reports
•
•
•
Explore the rules through different filters to ensure that they work as intended.
Generate reports from predefined templates, such as searches based on rule response and
actions, log source coverage, and many others.
Customize reports to see only the information that is critical to your analysis.
Tune your environment based on built-in analysis
•
•
•
Gain tuning recommendations unique to your environment right within the app.
Identify the topmost offense-generating or CRE-generating rules, and then follow the guide
to tune them.
Reduce the number of false positives by reviewing the most common configuration steps.
Easily update network hierarchy, building blocks, and server discovery based on
recommendations.
Visualize threat coverage across the MITRE ATT&CK framework
•
•
•
Visually understand your ability to detect threats based on ATT&CK tactics and techniques.
View predefined QRadar tactic and technique mappings and add your own custom mappings
to help ensure complete coverage.
Use new insights to prioritize the rollout of new use cases and apps to effectively strengthen
your security posture.
What's new and changed in QRadar Use Case Manager
Stay up to date with the new features that are available in the IBM QRadar Use Case
Manager app so that you get the most out of your use case management experience.
Version 3.8.0
•
Added support for MITRE ATT&CK v13.1, which updates Techniques, Groups,
Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in
ATT&CK v13 are the addition of detailed detection guidance to some Techniques in
ATT&CK for Enterprise, Mobile Data Sources, and two new types of changelogs to
help identify more precisely what has changed in ATT&CK. For more information,
see https://attack.mitre.org/resources/updates/updates-april-2023/index.html.
•
•
Improved the rule offense contribution API performance to reduce out of memory
issues.
Added a condition to set the number of reference set elements that trigger a finding if
the number is exceeded. For more information, see Configuring QRadar Use Case
Manager.
Version 3.7.0
•
•
•
•
Added support for MITRE ATT&CK v12.1, which updates techniques, groups, and
software for Enterprise. For more information,
see https://attack.mitre.org/resources/updates/updates-october-2022/index.html.
Enabled the Empty reference set tuning finding after product fix.
In the Rule details page, changed the coloring of the diagram arrows to make it
clearer when the AND and AND NOT operators are used for test definitions.
Defect and performance fixes.
Known issues
The IBM QRadar Use Case Manager app has required information for known issues.
The IBM® QRadar® Use Case Manager app has required information for known issues.
The following table lists the known issues.
Important: When an issue is resolved, the table is updated to reflect which version contains the fix.
Video demonstrations
Watch video tutorials to learn how to use the workflows and features in IBM QRadar Use Case
Manager.
Watch video tutorials to learn how to use the workflows and features in IBM® QRadar® Use Case
Manager.
Video demonstrations on YouTube
Tutorials and general overview of QRadar Use Case Manager.
Version 3.0.0
•
•
•
•
•
•
•
•
•
Version 3 Overview (https://youtube.com/watch?v=4ZpEPzLnN-o)
Tutorial: Intro and Navigation (https://youtu.be/ndnhNacHrkk)
Tutorial: Recommended Apps and Log Sources (https://youtu.be/6N9zeUJ2wCk)
Tutorial: Improving my QRadar without spending a penny (https://youtu.be/Ux_0cHIstsg)
Tutorial: Making the case for additional log sources (https://youtu.be/H2HjxTGmC28)
Tutorial: Log sources per Rule (https://youtu.be/C36nALRfxOI)
Tutorial: Using filters (https://youtu.be/IbJLvXQuw2M)
Tutorial: MITRE Part One (https://youtu.be/iTVOhYpp7Dc)
Tutorial: MITRE Part Two (https://youtu.be/WwywPCFN4wo)
Version 2.1 - 2.3
•
•
QRadar Use Case Manager v2.2 + 2.3
updates (https://www.securitylearningacademy.com/enrol/index.php?id=5675)
MITRE ATT&CK Framework (https://youtu.be/933JZ262OVU)
Version 2.0.0
•
•
QRadar Use Case Manager
Overview (https://www.securitylearningacademy.com/enrol/index.php?id=5143)
2.0 Overview (https://www.youtube.com/watch?v=VOVZ6Rm6M)
Version 1.0.0
•
•
•
•
•
Part One: Tune the most active rules (https://youtu.be/GzgY4_bcHyw)
Part Two: Tune the active rules that generate CRE events (https://youtu.be/aiUEhQJE5qc)
Part Three: Review network hierarchy (https://youtu.be/ot5FdH80yH0)
Part Four: Review building blocks (https://youtu.be/6GeXj0IZXdM)
Part Five: Installation script (https://youtu.be/7KFiGH5SFbU)
Videos within the app
Learn how to investigate rules and tune them to prevent false positive offenses. Watch a short video
before you begin investigating rules in the rule wizard. For more information about accessing the
video, see Tuning the active rules that generate offenses.
A well-defined and maintained network hierarchy can help prevent the generation of false positive
offenses. Watch tuning videos to learn more about your network hierarchy and how to keep it up to
date. For more information about accessing the video, see Reviewing your network hierarchy.
Supported environments for QRadar Use Case Manager
For the features in IBM QRadar products to work properly, you must use the supported
environments.
Supported versions of
QRadar
QRadar
Use Case QRadar
Manager
3.4.1
7.3.3 Fix Pack 6 or later
7.4.2 Fix Pack 3 or later
7.3.3 Fix Pack 6 or later
3.2.0 to 7.4.1 Fix Pack 2 or later
3.4.0
7.4.2 or later
QRadar
Use Case QRadar
Manager
Important: QRadar Use Case Manager 3.2.0 or later is not supported on QRadar 7.4.0.
3.1.0 or
7.3.2 or later
earlier
QRadar on Cloud
1.1.0 or
Important: You must use a SaaS Admin token during configuration, and assign the Security
later
Administrator role to your administrative users.
Supported browsers
The QRadar Use Case Manager app is supported on Google Chrome and Mozilla Firefox.
Supported languages
The following languages are supported based on QRadar user preferences: English, Simplified
Chinese, Traditional Chinese, French, German, Korean, Portuguese, Russian, Spanish, Italian, and
Japanese.
Installation and configuration checklist for QRadar Use Case Manager
As you install the IBM QRadar Use Case Manager app, review and complete all of the necessary
tasks on the installation checklist.
Installation and configuration checklist
for QRadar Use Case Manager
As you install the IBM® QRadar® Use Case Manager app, review and complete all of the necessary
tasks on the installation checklist.
•
•
•
•
•
•
•
•
Review the supported environments. See Supported environments for QRadar Use Case
Manager.
Ensure that you have an IBM ID. If you don't have one, you can sign up on the IBM
Security App Exchange (https://exchange.xforce.ibmcloud.com/hub).
Install the QRadar Use Case Manager app. See Installing QRadar Use Case Manager.
Create an authorized service token. See Creating an authorized service token.
Configure the use case explorer page. See Configuring QRadar Use Case Manager.
Assign user permissions. See Assigning user permissions for QRadar Use Case Manager.
Create custom report content templates. See Customizing report content templates
Create custom rule attributes. See Creating custom rule attributes.
•
•
•
•
•
•
•
•
•
•
•
•
Installing QRadar Use Case Manager
Use the IBM QRadar Extensions Management tool or the IBM QRadar Assistant app to install
the IBM QRadar Use Case Manager app on your QRadar Console.
Creating an authorized service token
Before you can configure the IBM QRadar Use Case Manager app, you must create an
authorized service token.
Configuring QRadar Use Case Manager
The Use Case Explorer uses QID records and DSM event-mapping information to help
determine rule coverage by log source type. The Use Case Explorer loads automatically, but
you can refresh the settings at any time. If required, configure a proxy connection, app
performance related to offenses, and tuning findings.
Assigning user permissions for QRadar Use Case Manager
After you install the IBM QRadar Use Case Manager app, you can share the app with nonadministrative users by adding it to a user role.
Customizing user preferences
Customizable user preferences include color themes, table row height options, and MITRE
ATT&CK platform support. Themes control the background color display for the IBM QRadar
Use Case Manager app. Table row height options reduce empty white space to control the
amount of data you can display in a table. Platform support affects MITRE ATT&CK
visualizations, and the contents of related filter controls.
Predefined report content templates
Predefined content templates define the filters and columns of the rule reports, including
column order and sorting options.
Customizing report content templates
The IBM QRadar Use Case Manager app includes several predefined content templates that
define the filters and columns of the rule reports, including column order and sorting
options. You can also create custom templates by using an existing template and modify it as
necessary, or create new ones.
Custom rule attributes
A custom rule attribute represents a specific piece of information that you can attach to a
rule that doesn't fit into existing rule attributes. For example, the use case the rule belongs
to, the team who is responsible for creating or maintaining the rule, or who reviewed the
rule.
Creating custom rule attributes
Create, edit, or delete custom rule attributes and their values. Then, you can assign the
custom attribute values to a rule and add the custom attribute as a report column on the Use
Case Explorer page. An attribute can be any string, and can have one or more values on the
rule.
Exporting and importing custom rule attributes
Export or import custom rule attribute data, including rule mappings, in a JSON file. Sharing
the data between colleagues or QRadar deployments helps to streamline your workflow by
eliminating work effort.
Upgrading QRadar Use Case Manager
To take advantage of new capabilities, defect fixes, and updated workflows, upgrade to new
versions of the IBM® QRadar® Use Case Manager app. Use either the Extensions
Management tool in IBM QRadar or the IBM QRadar Assistant app to upgrade the app.
Uninstalling QRadar Use Case Manager
Use the IBM QRadar Extensions Management tool to uninstall the IBM QRadar Use Case
Manager app from your QRadar Console.
MITRE ATT&CK mapping and visualization
The MITRE ATT&CK framework represents adversary tactics that are used in a security attack. It
documents common tactics, techniques, and procedures that can be used in advanced persistent
threats against enterprise networks.
The following phases of an attack are represented in the MITRE ATT&CK framework:
MITRE
ATT&CK
Tactic
Description
Collection
Gather data.
Command and Contact controlled systems.
Control
Credential
Access
Steal login and password information.
Defense
Evasion
Avoid detection.
Discovery
Figure out your environment.
Execution
Run malicious code.
Exfiltration
Steal data.
Impact
Tries to manipulate, interrupt, or destroy systems and data.
Initial Access
Gain entry to your environment.
Lateral
Movement
Move through your environment.
Persistence
Maintain foothold.
Privilege
Escalation
Gain higher-level permissions.
ReconnaissanceGather information to use in future malicious operations.
This tactic displays in the MITRE reports only when the PRE platform is selected in
your user preferences.
Resource
Development
Establish resources to support malicious operations.
This tactic displays in the MITRE reports only when the PRE platform is selected in
your user preferences.
Tactics, techniques, and sub-techniques
Tactics represent the goal of an ATT&CK technique or sub-technique. For example, an adversary
might want to get credential access to your network.
Techniques represent how an adversary achieves their goal. For example, an adversary might dump
credentials to get credential access to your network.
Sub-techniques provide a more specific description of the behavior an adversary uses to achieve
their goal. For example, an adversary might dump credentials by accessing the Local Security
Authority (LSA) Secrets.
Workflow for MITRE ATT&CK mapping and visualization
Create your own rule and building block mappings in IBM® QRadar® Use Case Manager, or
modify IBM QRadar default mappings to map your custom rules and building blocks to specific
tactics and techniques.
Save time and effort by editing multiple rules or building blocks at the same time, and by sharing
rule-mapping files between QRadar instances. Export your MITRE mappings (custom and IBM
default) as a backup of custom MITRE mappings in case you uninstall the app and then decide later
to reinstall it. For more information, see Uninstalling QRadar Use Case Manager.
After you finish mapping your rules and building blocks, organize the rule report and then visualize
the data through diagrams and heat maps. Current® and potential MITRE coverage data is available
in the following reports: Detected in timeframe report, Coverage map and report, and Coverage
summary and trend.
•
•
•
•
•
•
•
Editing MITRE mappings in a rule or building block
Create your own rule and building block mappings or modify IBM QRadar default mappings
to map your custom rules and building blocks to specific tactics and techniques.
Editing MITRE mappings in multiple rules or building blocks
Save time and effort by editing multiple rules or building blocks at the same time. Export
your mappings to a JSON file to share with other colleagues.
Sharing MITRE-mapping files
Save time and effort when mapping rules and building blocks to tactics and techniques by
sharing rule-mapping files between QRadar instances.
Visualizing MITRE tactic and technique coverage in your environment
Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide
in IBM QRadar. After you organize the rule report, you can visualize the data through
diagrams and heat maps and export the data to share with others.
Visualizing MITRE coverage summary and trends
The MITRE summary and trend reports provide an overview of the different tactics that are
covered by QRadar Use Case Manager. You can analyze the summary data in table, bar, and
radar charts. Only the number of enabled mappings to enabled rules are counted in the
charts because disabled mappings don't contribute to your security posture.
Visualizing MITRE tactics and techniques that are detected in a specific timeframe
See which MITRE ATT&CK tactics and techniques were detected in your environment based
on the offenses that were updated within a specific timeframe. QRadar Use Case
Manager displays a list of the offenses and their related rules that were found within that
timeframe, along with the tactics and techniques that are mapped to those rules.
MITRE heat map calculations
The colors in the MITRE heat maps are calculated based on the number of rule mappings to a
tactic or technique plus the level of mapping confidence (low, medium, or high).
Investigating tuning findings
Sometimes, rules or building blocks might be incorrectly defined. Use the Tuning Finding report to
investigate whether the rule or building block needs to be edited for more robust information, or if
the rule is working as designed. Then, you can hide the finding if it’s not relevant (for example you
set the rule up that way) or is a false positive.
Sometimes, rules or building blocks might be incorrectly defined. Use the Tuning Finding
report to investigate whether the rule or building block needs to be edited for more robust
information, or if the rule is working as designed. Then, you can hide the finding if it’s not
relevant (for example you set the rule up that way) or is a false positive.
About this task
IBM® QRadar® Use Case Manager detects the following findings and displays them in the report:
Disabled custom property
The rule references a disabled custom property. A custom property expression is disabled if the
custom property expression has performance problems. Rules, reports, or searches that use this
property, and which rely on the disabled expression to populate it, stop working properly.
Disabled dependency
Disabled rules prevent all the data from being detected, and stop the rest of the rule-dependent chain
from triggering properly.
Empty reference set
A reference set contains unique values that you can use in searches, filters, rule test conditions, and
rule responses. An empty reference set doesn’t have the criteria to trigger the rule properly.
Host definition uses only the default IP value
The host definition linked to the rule should not be the default value; otherwise, the rule won't work,
because incoming logs use the IP addresses and host information that aren't the default value
(127.0.0.1).
Host definition uses only the default value for destination IP
The destination IP that is linked to the rule should not be the default IP. If a content pack update
changes any of the IP addresses in the rules, some dependent rules might not work. Go to the
BB's Host Definition page to check each dependent.
Host definition uses only the default value for source IP
The source IP that is linked to the rule should not be the default IP. If a content pack update changes
any of the IP addresses in the rules, some dependent rules might not work. Go to the BB's Host
Definition page to check each dependent.
No original system rule
The rule has an Override origin but no linked original System rule, which can occur if the System rule
is deleted by mistake. QRadar Use Case Manager cannot open the rule.
Orphaned building block
The building block has no dependents. Building blocks group commonly used tests and can contain
important information about your organization. For example, you might create a building block that
includes the IP addresses of all mail servers in your network, then use that building block in another
rule to exclude those hosts. An orphaned BB is not referenced by any rules, which can result in
important information that is excluded from searches. Delete the building block or reference it by
another rule.
Rule uses performance-intensive tests that are not at the end of the test list.
Rule performance might not be optimal because the rule contains regex, payload, counter or
sequence tests that are not at the end of the list. Make sure that these definitions are at the end of the
test list so that they run only if all other tests in the list pass.
Rule performance may not be best when reference sets have too many elements.
On the Configuration page, set the number of reference set elements that trigger a finding if
the number is exceeded. The default is 5000.
Procedure
1. From the QRadar Use Case Manager main menu, click Tuning Finding Report.
2. To scan for updated rule findings from IBM QRadar, click the Refresh findings report icon.
It might take a few minutes to update the report.
Tip: The scan results automatically update overnight. Update the rules manually when you
make changes and you want to verify that they updated correctly in QRadar Use Case
Manager.
3. Sort the Tuning Finding column to investigate similar finding types together.
4. To hide findings in the report, select the checkboxes for the relevant findings and click Hide
findings.
The selected tuning findings are flagged as hidden. When you hide a finding, the tuning
findings don't appear in the rule details for the rule when you access it from any other
report. Any warning icons for the rule are also hidden in other reports the rule might appear
in.
5. Fine-tune the view by showing or hiding the selected findings.
Click Show hidden findings to see all the findings in the report.
6. To clear the hidden flags from a finding so that you always see it in the report, click Show
hidden findings. Select the checkboxes for the relevant findings, and then click Remove
hidden flag.
The hidden findings are updated to display in the report.
7. Click the rule name to further investigate and edit if necessary on the Rule Details page. Full
details appear in the Tuning Finding section.
a. Click Edit in rule wizard to make your changes. For example, if a rule is enabled but
a rule in its dependency tree is disabled, you can enable it in the rule wizard.
b. Select the finding and click Hide findings.
c. In the Tuning Finding report, click the refresh icon to update the report display.
8. After you make your changes, refresh the report to see that your changes are implemented.
Accessing report data by using APIs
As an alternative to using the interface in IBM QRadar Use Case Manager, you can use APIs to
interact with the data. Use the interactive API documentation interface to test the APIs before you
use them.
About this task
The following public APIs are available for use:
•
•
•
Use Case Explorer: Generate and download report data in CSV or JSON formats.
Log Source Coverage: Get information about rule-log source type activity and coverage.
MITRE Endpoints: Get information about rule mappings. Create custom adversary groups
and map them to existing tactics and techniques. Upload custom MITRE group-technique
files.
Tip: Make sure that the mapping file is in JSON format and contains the following data
format:
{ "Technique_ID_1": ["group1"], "Technique_ID_2": ["group1", "group2"] }
Each time you upload a custom mapping file, the previous file is replaced.
•
Tuning Findings: Get information about tuning findings.
Procedure
1. From the Admin tab, click Apps > QRadar Use Case Manager > API Docs.
2. Select an endpoint and click Try it out.
3. Click Execute to send the API request to your console and receive a properly formatted
HTTPS response.
4. Review and gather the information that you need to integrate with QRadar.
•
•
•
Public API endpoints
IBM QRadar Use Case Manager provides APIs that you can use to interact with the data.
Public Use Case Manager API workflows
Use these workflows to download report data to CSV or JSON files. For JSON format, you can
choose to generate a paginated format or a full report. Paginated files are useful for places
where you need JSON, like the user interface, and you need to paginate through the results.
You can request page by page and not the whole result set. Full report files are faster to
download than the JSON body, but pagination is not available in the file download format.
Downloading report data
•
•
•
Example API workflow script
Use the script in this example to download a Use Case Explorer report in CSV format.
Use Case Explorer filters
Use these filters in the example script to download a Use Case Explorer report in CSV format.
Report column codes for report APIs
Use the report column codes in the tables in the following APIs: POST
/api/use_case_explorer/{reportId}/download_csv, POST
/api/use_case_explorer/{reportId}/download_json, or GET
/api/use_case_explorer/{reportId}/result.
Servers and building blocks
IBM® QRadar® automatically discovers and classifies servers in your network, providing a faster
initial deployment and easier tuning when network changes occur.
To ensure that the appropriate rules are applied to the server type, you can add individual devices or
entire address ranges of devices. You can manually enter server types that do not conform to unique
protocols into their respective Host Definition Building Block. For example, adding the following server
types to building blocks reduces the need for further false positive tuning:
•
•
•
•
Add network management servers to the BB:HostDefinition: Network Management
Servers building block.
Add proxy servers to the BB:HostDefinition: Proxy Servers building block.
Add virus and Windows update servers to the BB:HostDefinition: Virus Definition and
Other Update Servers building block.
Add vulnerability assessment (VA) scanners to the BB-HostDefinition: VA Scanner Source
IP building block.
The Server Discovery function uses the asset profile database to discover several types of servers
on your network. The Server Discovery function lists automatically discovered servers and you can
select which servers you want to include in building blocks.
Using Building blocks, you can reuse specific rule tests in other rules. You can reduce the number of
false positives by using building blocks to tune QRadar and enable extra correlation rules.
•
Adding servers to building blocks automatically
The Server Discovery function uses the asset profile database to discover different server
types that are based on port definitions. Then, you can select the servers to add to a servertype building block for rules.
Procedure
1. Click Assets > Server Discovery.
2. In the Server Type list, select the server type that you want to discover.
Keep the remaining parameters as default.
3. Click Discover Servers.
4. In the Matching Servers pane, select the checkbox of all servers you want to assign to
the server role.
5. Click Approve Selected Servers.
Remember: You can right-click any IP address or host name to display DNS
resolution information.
•
Adding servers to building blocks manually
If a server is not automatically detected, you can manually add the server to its
corresponding Host Definition Building Block.
Procedure
1.
2.
3.
4.
Click the Offenses tab.
In the navigation pane, click Rules.
In the Display list, select Building Blocks.
In the Group list, select Host Definitions.
The name of the building block corresponds with the server type. For
example, BB:HostDefinition: Proxy Servers applies to all proxy servers in your
environment.
5. To manually add a host or network, double-click the corresponding Host Definition Building
Block appropriate to your environment.
6. In the Building Block field, click the underlined value for the source or destination IP
address.
7. In the Enter an IP address or CIDR field, type the host names or IP address ranges that you
want to assign to the building block.
8. Click Add > Submit.
9. Click Finish.
10. Repeat these steps for each server type that you want to add.
TASK: 4.3 Manage content packs
SUBTASKS:
4.3.1. Understand the types of security content
4.3.2. Install extensions using extensions management
4.3.3. Synchronize dashboard templates from content extensions
4.3.4. Uninstall a content extension
4.3.5. Install Threat Monitoring extensión
QRadar Assistant app
Use the IBM® QRadar® Assistant app to manage your app and content extension inventory, view
app and content extension recommendations, follow the QRadar Twitter feed, and get links to
useful information.
Tip: After upgrading the QRadar Assistant app, you may need to clear your browser cache to see the new
Assistant app icon and application content.
Attention: Use Extensions Management rather than the QRadar® Assistant app to manage extensions that
have dependencies.
The QRadar Assistant app consists of the following sections:
Guide Center
The QRadar Assistant Guide Center is a central point that links to a wide collection
of QRadar information resources. From the Guide Center, you can view tuning and use cases videos
that are recorded by QRadar experts, watch previously recorded open mic sessions, access a wide
variety of QRadar technical tips, view IBM Security Community information, and watch video
tutorials provided by IBM Learning Academy.
Featured Applications
Featured applications are the most recently recommended applications that are featured by IBM.
Twitter and Support
View the IBM QRadar Twitter feed from IBMSecurity (https://twitter.com/IBMSecurity).
Support Forum
View the latest QRadar related questions from IBM developerWorks forums.
Applications page
Search, sort, and filter available apps by various categories. You can see a quick view of the app,
then expand to see the full description and download the app. See which apps have updates
available.
When you select an app to download, it appears in the download drawer.
Open the drawer to see a list of apps that are queued for download or installation. You can
place up to five apps in the download queue at one time. To keep the download drawer open,
click the pin icon.
From Version 2.3.0, you can also view the list of currently installed QRadar extensions and
contents.
Watson Integration
On the Watson Integration page, you can learn how the IBM QRadar Advisor with Watson works
with QRadar to investigate and respond to threats. You can review requirements for
your QRadar system to install and run the Advisor app. You can also download and
install QRadar Advisor with Watson directly from the Assistant app.
For more information about QRadar Advisor with Watson, see the Advisor documentation
here: https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-advisor-watsonapp
•
•
•
•
•
•
•
•
Configuring the QRadar Assistant app
The QRadar Assistant app is included in QRadar installations of version 7.3.1 and later. You
can download the app from the IBM Security App
Exchange (https://exchange.xforce.ibmcloud.com/) for those versions. An Admin user must
configure certain options to enable the Assistant app in your QRadar environment.
Managing installed extensions
You can use the Installed section on the Applications page to view and manage currently
installed QRadar extensions and contents.
Managing multitenant apps
IBM QRadar Assistant app 3.0.0 supports multitenant environments in QRadar 7.4.0 Fix Pack
1 or later.
Downloading apps with the QRadar Assistant app
On the Applications page, you can download and install apps from the IBM X-Force®
Exchange.
Phone Home
QRadar Assistant app V 1.1.5 and later include a new Phone Home feature, which
anonymously shares data with the IBM X-Force Exchange to monitor QRadar and detect
issues early.
Configure URL access on firewalls
If your IBM QRadar Console is behind a restricted firewall, you must allow traffic to specific
URLs to use the full features of the Assistant app.
Running the Assistant app in offline mode
Admin can run the QRadar Assistant app V3.1.0 or later in offline mode to manage installed
extensions.
Installing extensions by using an admin level authorized service token
Administrators can create an admin level authorized service token that enables IBM QRadar
Assistant to install extensions in the background.
Types of security content
IBM® QRadar® content is bundled into two types: content packs and extensions.
Content packs
Security content packs contain enhancements to specific types of security content. Often,
they include content for third-party integrations or operating systems. For example, a
security content pack for a third-party integration might contain new custom event
properties that make information in the event payload searchable for the log source and
available for reporting.
Extensions
IBM and other vendors write security extensions that enhance or extend QRadar capabilities.
An extension can contain apps, content items, such as custom rules, report templates, saved
searches, or contain updates to existing content items. For example, an extension might
include an app to add a tab in QRadar that provides visualizations for an offense.
On IBM Security App Exchange, extensions are known as apps. You can
download QRadar apps from IBM Security App Exchange and use the Extensions
Management tool to install them. Apps are not available as part of an auto-update.
Sources of security content
QRadar content is available from the following sources:
IBM Security App Exchange
IBM Security App Exchange (https://apps.xforce.ibmcloud.com) is an app store and portal where
you can browse and download QRadar extensions. It is a new way to share code, visualizations,
reports, rules, and applications.
IBM Fix Central
IBM Fix Central (www.ibm.com/support/fixcentral) provides fixes and updates to your system
software, hardware, and operating system. You can download security content packs and
extensions from IBM Fix Central.
QRadar deployments
You export custom content from a QRadar deployment as an extension and then import it into
another system when you want to reuse the content. For example, you can export content from
your development environment to your production environment. You can use the content
management script to export all content, or you can choose to export only some custom content.
Installing extensions by using Extensions
Management
Use the Extensions Management tool to add security extensions to IBM® QRadar®. The Extensions
Management tool allows you to view the content items in the extension and specify the method of
handling content updates before you install the extension.
Before you begin
Extensions must be on your local computer before you install them in QRadar.
You can download QRadar extensions from the IBM Security App
Exchange (https://apps.xforce.ibmcloud.com/) and from IBM Fix
Central (www.ibm.com/support/fixcentral/).
About this task
An extension is a bundle of QRadar functions. An extension can include content such as rules,
reports, searches, reference sets, and dashboards. It can also include applications that enhance
QRadar functions.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Extensions Management.
3. To upload a new extension to the QRadar console, follow these steps:
a. Click Add.
b. Click Browse and navigate to find the extension.
c. Optional: Click Install immediately to install the extension without viewing the
contents. Go to 5.b.
d. Click Add.
4. To view the contents of the extension, select it from the extensions list and click More
Details.
5. To install the extension, follow these steps:
a. Select the extension from the list and click Install.
b. To assign a user to the app, select the User Selection menu, and select a user.
For example, you might want to associate the app with a specified user that is listed
in the User Selection menu who has the defined permissions.
Note:
This screen appears only if any of the apps in the extension that you are installing are
configured to request authentication for background processes.
c. If the extension does not include a digital signature, or it is signed but the signature is
not associated with the IBM Security Certificate Authority (CA), you must confirm
that you still want to install it. Click Install to proceed with the installation.
d. Review the changes that the installation makes to the system.
e. Select Preserve Existing Items or Replace Existing Items to specify how to handle
existing content items.
Note: If the extension contains overridden system rules, select Replace Existing
Items to ensure that the rules are imported correctly.
f. Click Install.
g. Review the installation summary and click OK.
IBM QRadar Security Threat
Monitoring Content Extension
The IBM® QRadar® Security Threat Monitoring Content Extension on the IBM Security App
Exchange (https://exchange.xforce.ibmcloud.com/hub) contains rules, building blocks, and custom
properties that are intended for use with X-Force® feed data.
The X-Force data includes a list of potentially malicious IP addresses and URLs with a
corresponding threat score. You use the X-Force rules to automatically flag any security event or
network activity data that involves the addresses, and to prioritize the incidents before you begin to
investigate them.
The following list shows examples of the types of incidents that you can identify using the X-Force rules:
•
•
•
when the [source IP|destinationIP|anyIP] is part of any of the
following [remote network locations]
when [this host property] is categorized by X-Force as [Anonymization
Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with
confidence value [equal to] [this amount]
when [this URL property] is categorized by X-Force
as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating]
QRadar downloads approximately 30 MB of IP reputation data per day when you enable the XForce Threat Intelligence feed for use with the IBM QRadar Security Threat Monitoring Content
Extension.
Installing the IBM QRadar Security Threat Monitoring Content Extension application
The IBM QRadar Security Threat Monitoring Content Extension application contains IBM
QRadar content, such as rules, building blocks, and custom properties, that are designed specifically
for use with X-Force data. The enhanced content can help you to identify and to remediate
undesirable activity in your environment before it threatens the stability of your network.
Before you begin
Download the IBM QRadar Security Threat Monitoring Content Extension application from the IBM Security
App
Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:IBMContentPackageInternalThreat
).
About this task
To use X-Force data in QRadar rules, offenses, and events, you must configure IBM QRadar to
automatically load data from the X-Force servers to your QRadar appliance.
To load X-Force data locally, enable the X-Force Threat Intelligence feed in the system settings. If
new information is available when X-Force starts, the IP address reputation or URL database is
updated. These updates are merged into their own databases and the content is replicated from
the QRadar Console to all managed hosts in the deployment.
The X-Force rules are visible in the product even if the application is later uninstalled.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Extensions Management.
3. Upload the application to the QRadar console by following these steps:
a. Click Add.
b. Click Browse to find the extension.
c. Optional: Click Install immediately to install the extension without viewing the
contents.
d. Click Add.
4. To view the contents of the extension, select it from the extensions list and click More
Details.
5. To install the extension, follow these steps:
a. Select the extension from the list and click Install.
b. If the extension does not include a digital signature, or it is signed but the signature is
not associated with the IBM Security certificate authority (CA), you must confirm that
you still want to install it. Click Install to proceed with the installation.
c. Review the changes that the installation makes to the system.
d. Select Overwrite or Keep existing data to specify how to handle existing content
items.
e. Click Install.
f. Review the installation summary and click OK.
The rules appear under the Threats group in the Rules List window. They must be
enabled before they are used.
Synchronizing dashboard templates from
content extensions
Administrators synchronize dashboard templates that are included in content extensions or apps.
For example, the QRadar® DNS Analyzer app contains a dashboard that helps SOC analysts identify
DNS trends and investigate suspicious activities such as squatting attempts. After the dashboard
templates are synchronized, users can use the dashboards in their own workspace.
Before you begin
A content extension with a QRadar Pulse dashboard must be installed. For more information,
see Installing content extensions to use in QRadar Pulse.
Procedure
1. On the Admin tab, go to Apps > Pulse - Dashboard and click the Pulse - Dashboard app
icon.
2. On the Pulse Dashboard Templates page, click Synchronize to set the new or updated
dashboard content in QRadar Pulse, and then close the page.
Uninstalling a content extension
Remove a content extension that isn't useful anymore or that adversely impacts the system. You
can remove rules, custom properties, reference data, and saved searches. You might not be able to
remove some content if another content item depends on it.
About this task
When you uninstall a content extension, any rules, custom properties, and reference data that were
installed by the content extension are removed or reverted to their previous state. Saved searches
can't be reverted. They can only be removed.
For example, if you've edited custom rules in an app that you now want to uninstall, you can
preserve the changes you made for each customized rule. If the custom rule previously existed on
the system, you can revert the rule to its previous state. If the custom rule didn't previously exist,
you can remove it.
Note:
If you have introduced an outside dependency on a content extension that is installed by the
app, QRadar® doesn't remove that piece of content when you uninstall the app. For example, if you
create a custom rule that uses one of the app's custom properties, that custom property isn't
removed when you uninstall the app.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Extensions Management.
3. Select the extension that you want to uninstall and click Uninstall.
QRadar checks for any applications, rules, custom properties, reference data, and saved
searches that are installed by the content extension that can be removed.
4. If you have manually altered any rules, custom properties, or reference data after you
installed the app, choose whether to Preserve or Remove/Revert that content extension.
5. Click Uninstall, and then click OK.
TASK: 4.4 Distinguish native information sources
SUBTASKS:
4.4.1. Manage remote networks and remote services
4.4.2. Install and manage the QRadar Threat Intelligence app
4.4.3. Configure a threat feed to populate a reference set
4.4.4. Review network hierarchy
4.4.5. Understand building blocks role
Threat intelligence feeds
Threat intelligence feeds are a continuous stream of threat data that is sent to a SIEM. Security
analysts then analyze them for potential global threats and attacks and plan remediation actions.
Adding threat intelligence feeds
You can add and configure the threat intelligence feeds you want to add to QRadar.
Before you begin
You must configure an authorized service token before you can configure a TAXII feed. See Configuring the
Threat Feeds Downloader.
Procedure
1. From the navigation menu on the Threat Intelligence dashboard, click the Feeds
Downloader icon (
).
2. Click
Add Threat Feed, and then click Add TAXII Feed.
3. On the Add TAXII Feed window, click the Connection tab, and configure the following
options:
Option
Description
TAXII
Endpoint
Type the URL of the TAXII server you want to use.
Existing TAXII endpoints in your deployment appear in a list. If you choose an
existing endpoint, the corresponding options are prepopulated.
Note: For getting collections from TAXII 2.0 servers, see TAXII™ API - Collections.
Option
Description
Version
Select either TAXII 1.x orTAXII 2.0.
AuthenticationSelect the authentication that you want to use and complete the corresponding
Method
options based on your choice.
The available authentication method varies depending on the TAXII version you
select.
o
o
Client
Certificate
Client Key
TAXII 1.x: None, HTTP Basic, JSON Web Token.
TAXII 2.0: None, HTTP Basic.
If you want to use a client certificate with the TAXII server, click Choose file in
the Client Certificate area to select the file you want to upload. Only the .pem file
type is supported.
If your client certificate requires a key file, click Choose file in the Client Key area
to browse to the file's location and upload it.
4. Click Discover.
5. On the Add TAXII Feed window, click the Parameter tab, and configure the following
options:
Option
Description
Collections
Observable
Type
Polling
Intervals
Poll Initial
Date
Reference
Set
The TAXII data collection set you want use.
An observable is a STIX schema component that specifies a suspicious object.
Only observables of this type are used. All others are ignored.
How often QRadar Threat Intelligence polls the TAXII server. The default
polling interval is hourly.
The time period that is covered by the initial poll. You can choose to poll data
in increments of minutes, hours, or daily.
If you want to add elements that are based on a new TAXII feed to a dedicated
reference set, you must set it up in advance. For more information about
reference sets, see the IBM QRadar Administration Guide.
6. Click Add. You can add unlimited multiple collections to the same TAXII endpoint, or you can
continue to create this feed.
7. When you finish creating the feeds, click Next.
8. On the Add TAXII Feed window, click the Summary tab to check your configuration
parameters before you implement the threat intelligence feed, and then click Save.
Results
The threat feed collections display on the Threat Feeds Downloader page. The Am I Affected feature
compares STIX/TAXII feed indicators that are stored in the reference set with QRadar logs. Matches are
displayed on the event list. Click the View Result icon
to see the events.
Editing threat intelligence feeds
You can edit the threat intelligence feeds that exist in the IBM QRadar UI.
Procedure
1. On the Threat Intelligence page, click Edit for the feed you want to change.
2. On the Edit a TAXII Feed page, enter your Password. Make your changes, such as
uploading a client certificate or client key, and click Discover.
3. On the Parameters tab, make your changes and click Next through each configuration page
until you get to the end of the wizard.
Note: If you plan to change the reference set or the collection in the Parameters tab, these
changes affect only polling that is run going forward from the date of the edit. Data from
previous polling isn't affected. In this case, create a new threat feed instead.
4. Click Save, and close the Threat Intelligence page.
5. On the Admin tab, click Deploy Changes.
Creating rule actions
You can create rule actions that post information on threats on your system to a TAXII inbox
service.
Procedure
1. From the Admin tab, click Apps > Threat Intelligence, and click the STIX/TAXII
Configuration icon.
2. Click Create Rule Action > Create A TAXII Rule Action.
3. On the Connection tab of the Create TAXII Rule Action window, enter the URL of the TAXII
Endpoint you want to upload to.
Existing TAXII Endpoints in your deployment appear in a list. When you choose an existing
endpoint, the corresponding Authentication Method, Client Certificate, and Ignore
Certificate options are prepopulated.
4. Select the relevant Authentication Method and add the Username and Password for basic
HTTP authentication or a token string for JSON Web Token authentication.
5. If you want to use a client certificate with the TAXII inbox service, click Choose File to locate
the certificate on your system, and upload it to QRadar®. Only the .pem file type is
supported.
6. If you want to add a key file, click Choose File to locate the key on your system, and upload
it to QRadar.
7. On the Parameters tab, use the following guidelines to define the rule action parameters.
o Enter the name of the TAXII inbox service that you want to post event data to in
the Collection field.
o Enter values for the Indicator Source Name and the Action Name.
o Select a network event property from the Property lists.
Network event properties are dynamic Ariel properties that are generated by events.
For example, the network event property sourceip provides a parameter that
matches the source IP address of the triggered event. Parameters are passed to the
rule in the order in which you added them.
For more information about Ariel properties, see the IBM® QRadar Ariel Query
Language Guide.
o
Select the STIX observable type and indicator type relevant to the threat from
the Indicator type lists.
Select the observable type appropriate to the event you want post to the TAXII
server. No validation is done on the custom response by QRadar.
8. Click Save.
9. On the Admin tab main toolbar, click Deploy Changes.
The rule actions that you create are added to the QRadar Custom Actions window.
Click Define Actions on the Admin tab to view. You can edit or delete a rule action from
the Custom Actions window and the changes are reflected in the Threat Intelligence app.
Editing configured rule actions
You edit rule actions that post information on threats on your system to a TAXII inbox service.
Procedure
1. In the Configured Rule Actions section of the page, click Edit for the rule action you want
to modify.
2. On the Connection tab in the Edit a TAXII Rule Action window, enter your Password, and
click Discover.
3. Make your changes and click Next through each configuration window until you get to the
end of the wizard.
4. Click Save, and close the Threat Intelligence page.
5. On the Admin tab, click Deploy Changes.
Polling TAXII feeds
To maximize performance, TAXII feeds can poll only one feed at a time, but you can override the
polling interval if necessary.
1. From the navigation menu on the Threat Intelligence dashboard, click the Feeds
Downloader icon (
).
2. In the Configured Threat Intelligence Feeds section, click Poll Now on the relevant feed to
override the predefined polling interval.
The polling start time, date, and status displays during polling. The end date displays after
the polling is finished.
Refetching data from TAXII data collections
If you recently started to follow a new XFE Public Collections I follow collection, you
can refetch all its previous data. Without refetching, you get only the data added to the collection
from the time you started to follow it.
About this task
If you choose to refetch the data from a specific date, the following conditions apply:
•
•
•
That date is set as the new start date for the feed.
The signature counts are reset to 0.
Data that is already collected by this feed remains intact in the reference set.
Procedure
1.
2.
3.
4.
Click the Admin tab.
Click Plug-ins > Threat Intelligence > STIX/TAXII Configuration.
In the Configured Threat Intelligence Feeds section, click Refetch on the relevant feed.
On the Refetch data page, select the timeframe for refetching the data, and click Refetch.
QRadar Threat Intelligence app
IBM® QRadar® Threat Intelligence pulls in threat intelligence feeds by using the open standard
STIX and TAXII formats, and to deploy the data to create custom rules for correlation, searching,
and reporting. For example, you can use the app to import public collections of dangerous IP
addresses from IBM X-Force Exchange and create a rule to raise the magnitude of any offense that
includes IP addresses from that watch list.
Beginning with version 2.0.0 of the app, you can search for and browse Recent Collections, EarlyWarning Collections, Public Collections, and view IBM Advanced Threat Protection Feeds in the
Threat Intelligence dashboard on the QRadar Console. You can also configure settings to conduct
scanning in your QRadar environment to see whether any threats that are identified in X-Force
Exchange collections can affect your environment.
Note:
•
You must have IBM Advanced Threat Protection Feed license to use associated
capabilities such as the Am I Affected scan.
For more information about the Trusted Automated Exchange of Intelligence Information (TAXII™),
see the Introduction to TAXII website (https://oasis-open.github.io/ctidocumentation/taxii/intro).
For more information about the Structured Threat Information Expression (STIX™) language that is
used by TAXII, see the Introduction to STIX website (https://oasis-open.github.io/ctidocumentation/stix/intro).
•
•
•
What's new in QRadar Threat Intelligence
Learn about the new features in each IBM QRadar Threat Intelligence app release.
Known issues
Learn about the known issues in each QRadar Threat Intelligence app release.
Supported threat languages and specifications
IBM QRadar Threat Intelligence supports different methods for sharing threat intelligence
information.
QRadar Threat Intelligence is supported on QRadar 7.4.3 or later.
The following table lists the supported versions of threat languages and specifications.
Threat
language or Supported version
specification
STIX
1.2
TAXII
1.1
Table 1. Supported threat languages and specifications
Note:
IBM QRadar Threat Intelligence does not support SWIFT feeds due to the extra
authentication process required by the SWIFT feeds compared to normal feeds.
•
•
•
•
QRadar Threat Intelligence installation checklist
As you install IBM QRadar Threat Intelligence, review and complete all of the necessary
tasks on the installation checklist.
Threat Intelligence dashboard
Use the IBM QRadar Threat Intelligence dashboard to pull the IBM Advanced Threat
Protection Feed from IBM X-Force Exchange through the HTTPS protocol. The encryption is
used for the HTTPS communication between the app and X-Force Exchange.
Threat intelligence feeds
Threat intelligence feeds are a continuous stream of threat data that is sent to a SIEM.
Security analysts then analyze them for potential global threats and attacks and plan
remediation actions.
Troubleshooting QRadar Threat Intelligence
Use the troubleshooting and support information to isolate and resolve problems with IBM
QRadar Threat Intelligence.
Reviewing your network hierarchy
A well-defined and maintained network hierarchy can help prevent the generation of false positive
offenses. The network hierarchy is used to define which IP addresses and subnets are part of your
network. Ensure that all internal address spaces, both routable and non-routable, are defined
within your IBM® QRadar® network hierarchy. QRadar can then distinguish your local network
from the remote network. Event and flow context is based on whether the source and destination
IPs are local or remote. Event and flow context, and data from your network hierarchy are used in
rule tests.
Procedure
1. From the navigation menu, click Network Hierarchy.
2. Optional: Watch tuning videos to learn more about your network hierarchy and how to keep
it up to date.
3. Check the network hierarchy list to see which parts of your network hierarchy are not yet
updated.
4. Check for R2R (Remote to Remote) events. The report identifies events with R2R direction
or context. When an event has R2R direction, both its source and destination IPs are remote
and aren’t part of your local network. It means that there’s external traffic from a remote
network to another remote network, and indicates a possible network hierarchy
misconfiguration.
a. Consider whether either one or both of the event IPs are local and add them to the
network hierarchy.
b. Use the Source IP, Source Company, Destination IP, and Destination
Company columns in the report to identify IPs that are local to your network.
c. After you identify the local IP addresses, either add them from the Network
Hierarchy page from the Admin tab or select them in the report to add them in the
app.
d. On the Admin tab, click Deploy changes.
5. Explore the rules that use your network hierarchy either directly or indirectly. Review and
update any rules or building blocks that are out of date.
a. To review rules in detail, select one from the list and then zoom in on the diagram.
Drag the rule and BB icons on the pane.
b. In the right pane of the window, click List view and then toggle between filtered BBs
and non-filtered BBs to fine-tune the list. "Filtered BBs" displays the dependencies for
the selected rule that have network tests. "All BBs" displays all the BBs that are used
by the selected rule.
c. Click Show dependency tree to see the dependencies and the dependents of the
selected BB.
Dependencies are referenced by the selected building block either directly or
indirectly. If you update any of the dependencies, the building block is affected.
Dependents reference the selected BB either directly or indirectly. If you update the
building block, its dependents are affected.
Remote networks and services configuration
Use remote network and service groups to represent traffic activity on your network for a specific
profile. Remote networks groups display user traffic that originates from named remote networks.
All remote network and service groups have group levels and leaf object levels. You can edit remote
network and service groups by adding objects to existing groups or changing preexisting properties
to suit your environment.
If you move an existing object to another group, the object name moves from the existing group to
the newly selected group. However, when the configuration changes are deployed, the object data
that is stored in the database is lost and the object ceases to function. To resolve this issue, create a
new view and re-create the object that exists with another group.
You can group remote networks and services for use in the custom rules engine, flow, and event
searches. You can also group networks and services in IBM® QRadar® Risk Manager, if it is
available.
Default remote network groups
IBM QRadar includes default remote network groups.
Group
Description
Specifies traffic that originates from BOT applications.
BOT
Bogon
HostileNets
Neighbours
For more information, see Botnet Command and Control drop rules on the
Emerging Threats
website (http://rules.emergingthreats.net/blockrules/emerging-botcc.rules)
Specifies traffic that originates from unassigned IP addresses.
For more information, see bogon reference on the Team CYMRU
website (http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt).
Specifies traffic that originates from known hostile networks.
HostileNets has a set of 20 (rank 1 - 20 inclusive) configurable CIDR ranges.
For more information, see HostileNets reference on the DShield
website (http://www.dshield.org/ipsascii.html?limit=20)
Specifies traffic that originates from nearby networks that your organization has
network peering agreements with.
This group is blank by default. You must configure this group to classify traffic that
originates from neighboring networks.
Specifies traffic that originates from smurf attacks.
Smurfs
Superflows
A smurf attack is a type of denial-of-service attack that floods a destination system
with spoofed broadcast ping messages.
This group is non-configurable.
A superflow is a flow that is an aggregate of a number of flows that have a similar
predetermined set of elements.
Group
Description
Specifies traffic from trusted networks, including business partners that have
remote access to your critical applications and services.
TrustedNetworksThis group is blank by default.
Watchlists
You must configure this group to classify traffic that originates from trusted
networks.
Classifies traffic that originates from networks that you want to monitor.
This group is blank by default.
Table 1. Default remote network groups
Groups and objects that include superflows are only for informational purposes and cannot be
edited. Groups and objects that include bogons are configured by the automatic update
function.
Note: You can use reference sets instead of remote networks to provide some of this functionality. Although
you can assign a confidence level to an IP value in a reference table, reference sets are used only with single
IPs and cannot be used with CIDR ranges. You can use a CIDR value after a remote network update, but not
with weight or confidence levels.
Default remote service groups
IBM QRadar includes the default remote service groups.
The following table describes the default remote service groups.
Parameter
IRC_Servers
Description
Specifies traffic that originates from addresses commonly known as chat servers.
Specifies traffic that originates from addresses commonly known online services
Online_Services
that might involve data loss.
Specifies traffic that originates from addresses commonly known to contain explicit
Porn
pornographic material.
Proxies
Specifies traffic that originates from commonly known open proxy servers.
Reserved_IP_
Specifies traffic that originates from reserved IP address ranges.
Ranges
Specifies traffic that originates from addresses commonly known to produce SPAM
Spam
or unwanted email.
Specifies traffic that originates from addresses commonly known to contain
Spy_Adware
spyware or adware.
Specifies traffic that originates from addresses commonly known to produce
Superflows
superflows.
Specifies traffic that originates from addresses commonly known to contain pirated
Warez
software.
Table 1. Default remote network groups
Guidelines for network resources
Given the complexities and network resources that are required for IBM QRadar SIEM in large
structured networks, follow the suggested guidelines.
The following list describes some of the suggested practices that you can follow:
•
Bundle objects and use the Network Activity and Log Activity tabs to analyze your network
data.
Fewer objects create less input and output to your disk.
•
Typically, for standard system requirements, do not exceed more than 200 objects per
group.
More objects might impact your processing power when you investigate your traffic.
Managing remote networks objects
After you create remote network groups, you can aggregate flow and event search results on
remote network groups. You can also create rules that test for activity on remote network groups.
Use the Remote Networks window, you can add or edit a remote networks object.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the Remote Networks and Services Configuration section, click Remote Networks
and Services.
3. To add a remote networks object, click Add and enter values for the parameters.
4. To edit a remote networks object, follow these steps:
a. Double-click the group name.
b. Select the profile and click the edit icon ( ) to edit the remote profile.
5. Click Save.
6. Click the previous icon ( ) to go back to the Remote Networks and Services window .
7. On the Admin tab, click Deploy Changes.
Managing remote services objects
Remote services groups organize traffic that originates from user-defined network ranges or
the IBM automatic update server. After you create remote service groups, you can aggregate flow
and event search results, and create rules that test for activity on remote service groups.
Use the Remote Services window to add or edit a remote services object.
Procedure
1. On the navigation menu (
), click Admin.
2. In the Remote Networks and Services Configuration section, click Remote Networks
and Services.
3. To add a remote services object, click Add and enter the parameter values.
4. To edit a remote services object, click the group that you want displayed, click the Edit icon
and change the values.
5. Click Save.
6. Click Return.
7. Close the Remote Services window.
8. On the Admin tab menu, click Deploy Changes.
TASK: 4.5 Configure integrations
SUBTASKS:
4.5.1. Configure MaxMind
4.5.2. Manage X-Force integration
4.5.3. Install and configure IBM X-Force Exchange plug-in for QRadar
4.5.4. Enable the X-Force Threat Intelligence feed
IBM X-Force integration
IBM®X-Force® security experts use a series of international data centers to collect tens of thousands of
malware samples, analyze web pages and URLs, and run analysis to categorize potentially malicious IP
addresses and URLs. IBM X-Force Exchange is the platform for sharing this data, which can be used in IBM
QRadar®.
X-Force Threat Intelligence feed
You can integrate IBM X-Force Exchange data into IBM QRadar to help your organization stay ahead
of emerging threats by identifying and remediating undesirable activity in your environment before
it threatens the stability of your network.
For example, you can identify and prioritize these types of incidents:
•
•
•
•
A series of attempted logins for a dynamic range of IP addresses
An anonymous proxy connection to a Business Partner portal
A connection between an internal endpoint and a known botnet command and control
Communication between an endpoint and a known malware distribution site
Note: IBM X-Force integration allows you to use the X-Force Threat Intelligence data in QRadar correlation
rules and AQL queries. Access to the IBM X-Force Exchange REST API is not included.
•
Enabling the X-Force Threat Intelligence feed
You must enable the X-Force Threat Intelligence feed before you can use the enhanced
content that is installed with the IBM QRadar Security Threat Monitoring Content
Extension application.
About this task
QRadar downloads approximately 30 MB of IP reputation data per day when you enable
the X-Force Threat Intelligence feed.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click System Settings.
3. Ensure that Yes is selected in the Enable X-Force Threat Intelligence Feed field.
•
Updating X-Force data in a proxy server
IBM QRadar uses a reverse proxy lookup through an Apache server to collect data directly
from IBM Security X-Force Threat Intelligence servers on the Internet.
About this task
All QRadar appliances in a deployment contact the Apache server to send cached requests.
After the data is received by the IBM QRadar Console, the result is cached and replayed for
all other managed hosts that make a request for new IP reputation data.
If a proxy is configured in your network, you must update the configuration to receive the XForce data.
Restriction: NTLM authentication is not supported.
Procedure
1. Use SSH to log in to the QRadar Console.
2. Open the /etc/httpd/conf.d/ssl.conf file in a text editor.
3. Add the following lines before </VirtualHost>:
ProxyRemote https://license.xforce-security.com/
http://PROXY_IP:PROXY_PORT
ProxyRemote https://update.xforce-security.com/
http://PROXY_IP:PROXY_PORT
4. Update the IP address and port of the corporate proxy server to allow an anonymous
connection to the X-Force security servers.
5. Save the changes to the ssl.conf file.
6. Restart the Apache server by typing the following command:
apachectl restart
Restarting the Apache server on the QRadar Console logs out all users and the
managed hosts might produce error messages. Restart the Apache server during
scheduled maintenance windows.
•
Preventing X-Force data from downloading data locally
QRadar downloads approximately 30 MB of IP reputation data per day. To stop QRadar from
downloading the X-Force data to your local system, disable the X-Force Threat
Intelligence feed.
Before you begin
Before you disable the X-Force feed, ensure that the X-Force rules are disabled, and that you
are not using X-Force functions in saved searches.
About this task
After the X-Force Threat Intelligence feed is disabled, the X-Force content is still visible
in QRadar, but you cannot use the X-Force rules or add X-Force functions to AQL searches.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click System Settings.
3. Select No in the Enable X-Force Threat Intelligence Feed field.
IBM QRadar Security Threat Monitoring Content Extension
The IBM QRadar Security Threat Monitoring Content Extension on the IBM Security App
Exchange (https://exchange.xforce.ibmcloud.com/hub) contains rules, building blocks, and custom
properties that are intended for use with X-Force feed data.
The X-Force data includes a list of potentially malicious IP addresses and URLs with a
corresponding threat score. You use the X-Force rules to automatically flag any security event or
network activity data that involves the addresses, and to prioritize the incidents before you begin to
investigate them.
The following list shows examples of the types of incidents that you can identify using the X-Force rules:
•
•
•
when the [source IP|destinationIP|anyIP] is part of any of the
following [remote network locations]
when [this host property] is categorized by X-Force as [Anonymization
Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with
confidence value [equal to] [this amount]
when [this URL property] is categorized by X-Force
as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating]
QRadar downloads approximately 30 MB of IP reputation data per day when you enable the XForce Threat Intelligence feed for use with the IBM QRadar Security Threat Monitoring Content
Extension.
•
Installing the IBM QRadar Security Threat Monitoring Content Extension application
The IBM QRadar Security Threat Monitoring Content Extension application contains IBM
QRadar content, such as rules, building blocks, and custom properties, that are designed
specifically for use with X-Force data. The enhanced content can help you to identify and to
remediate undesirable activity in your environment before it threatens the stability of your
network.
Before you begin
Download the IBM QRadar Security Threat Monitoring Content Extension application from the IBM
Security App
Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:IBMContentPackageIntern
alThreat).
About this task
To use X-Force data in QRadar rules, offenses, and events, you must configure IBM QRadar to
automatically load data from the X-Force servers to your QRadar appliance.
To load X-Force data locally, enable the X-Force Threat Intelligence feed in the system
settings. If new information is available when X-Force starts, the IP address reputation or
URL database is updated. These updates are merged into their own databases and the
content is replicated from the QRadar Console to all managed hosts in the deployment.
The X-Force rules are visible in the product even if the application is later uninstalled.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Extensions Management.
3. Upload the application to the QRadar console by following these steps:
a. Click Add.
b. Click Browse to find the extension.
c. Optional: Click Install immediately to install the extension without viewing
the contents.
d. Click Add.
4. To view the contents of the extension, select it from the extensions list and click More
Details.
5. To install the extension, follow these steps:
a. Select the extension from the list and click Install.
b. If the extension does not include a digital signature, or it is signed but the
signature is not associated with the IBM Security certificate authority (CA),
you must confirm that you still want to install it. Click Install to proceed with
the installation.
c. Review the changes that the installation makes to the system.
d. Select Overwrite or Keep existing data to specify how to handle existing
content items.
e. Click Install.
f. Review the installation summary and click OK.
The rules appear under the Threats group in the Rules List window. They
must be enabled before they are used.
IBM X-Force Exchange plug-in for QRadar
IBM® X-Force® Exchange is a sharing platform for threat intelligence that is used by security
analysts, network security specialists, and security operations center teams.
The IBM X-Force Exchange (XFE) plug-in provides the option to search the information on the IBM
X-Force Exchange website for IP addresses, URLs, CVEs, and web applications that are found
in QRadar®.
For example, you can right-click a URL from a QRadar event to see what data the X-Force Exchange
contains about the URL.
You can also use the right-click lookup option to submit IP addresses or URL data
from QRadar searches, offenses, and rules to a public or private collection. The collection stores the
information in one place as you use the data for more research.
Collections also contain a section that serves as a wiki-style notepad, where you can add comments
or any free text that is relevant. You can use the collection to save X-Force reports, text comments,
or any other content. An X-Force report has both a version of the report from the time that it was
saved and a link to the current version of the report.
•
Installing the IBM X-Force Exchange plug-in
Install the IBM X-Force Exchange plug-in on your QRadar Console so that you have rightclick functionality to access data in IBM X-Force Exchange.
Before you begin
This procedure requires a web server restart from the Admin tab to load the plug-in after the RPM is
installed. Restarting the web server logs out all QRadar users, so it is advised that you install this plug-in
during scheduled maintenance.
About this task
If your QRadar system is version 7.2.3 or later, the plug-in is already installed.
Administrators can verify that the plug-in is installed by right-clicking on any IP address
in QRadar, and selecting More Options > Plugin options. If the IBM X-Force
Exchange lookup is displayed, then the plug-in is installed.
Procedure
1. Download the X-Force Exchange right-click plug-in from IBM Fix
Central (https://ibm.biz/BdX4BW).
a. Copy the RPM file to the QRadar Console.
b. Type the following command to install the plug-in: rpm -Uvh RightClickXFE-7.2.<version>.x86_64.rpm
2. Log in to the QRadar Console as an admin user.
3. On the navigation menu ( ), click Admin.
4. Select Advanced > Restart Web Server.
After the web server restarts, the X-Force right-click plug-in is enabled for IP
addresses in QRadar for URL fields in the Log Activity tab.
5. Log in to the pop-up window for the X-Force Exchange website by using your IBMid,
or continue as a guest.
Guest users are not able to use all features on the X-Force Exchange website.
6. Close the browser window after the initial login to the IBM X-Force Exchange website.
QRadar: Configuring a MaxMind account for
geographic data updates (APAR IJ21884)
Troubleshooting
Problem
GeoLite2 data is required to resolve geographic locations from IP addresses in QRadar. As
of 30 December 2019, a MaxMind account must be configured by the administrator in
QRadar System Settings. The default userid and license key values can no longer be used
to receive geographic data updates.
Symptom
Administrators who use the default userid and license value receive a '401 Unauthorized'
error in QRadar when geographic data attempts to update. When this issue occurs,
the geodata_update.sh utility displays the following error message:
[Example-console-lab#/]/opt/qradar/bin/geodata_update.sh
Result: 401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl.pl line 222, <$fh>
line 37
Cause
The default geographic account included in QRadar requires a unique userid and license
key to allow updates after 30 December 2019. Administrators must create a MaxMind
account and update Admin > System Settings > Geographic Settings to continue to
receive geographic location lookup data for IP addresses.
Environment
QRadar V7.3.1 and later.
Resolving The Problem
This procedure requires an Admin user to create a MaxMind account and update System
Settings to ensure that geographic location data updates can complete successfully.
1. Create a free MaxMind account: https://www.maxmind.com/en/geolite2/signup
2. After your account is created, an email is provided by MaxMind.
3. Create a password for your account.
4. After you assign an account password, use the credentials you created to sign in.
5. Click Manage License Keys.
6. Click Generate new license key.
7. Configure the following values:
o In the License key description, type: QRadar License Key.
o For QRadar 7.5.0 UP4 or newer versions, select Generate a license key and
config file for geoipupdate versions 3.1.1 or newer.
o For QRadar 7.5.0 UP3 or earlier versions, Maxmind no longer
issuing license key for geoipupdate version 3.1.0 or older since 2023
March 27th.
Open a case with QRadar Support to get your system upgraded to use license
version 3.1.1. Include this documentation in the case.
o
o
Click Confirm.
Record the Account and User ID and License Key information.
Important: If you exit the license key screen without recording the
information, you must generate a new license key from Step 4.
8. Configure in QRadar
o Log in to QRadar as an administrator.
o Click the Admin tab.
o Click the System Settings icon.
o Navigate to Geographic Settings.
o Update the User ID and License Key values from Step 5.
o
Click Save.
o
From the Admin tab, click Deploy Changes.
Results
After the deploy changes completes, geographic data settings are updated for the QRadar
deployment. Administrators can confirm their MaxMind geographic settings from the
command line of the QRadar Console.
IBM X-Force Exchange plug-in
for QRadar
The IBM X-Force Exchange (XFE) plug-in provides the option to search the information on the IBM
X-Force Exchange website for IP addresses, URLs, CVEs, and web applications that are found
in QRadar®.
For example, you can right-click a URL from a QRadar event to see what data the X-Force Exchange
contains about the URL.
You can also use the right-click lookup option to submit IP addresses or URL data
from QRadar searches, offenses, and rules to a public or private collection. The collection stores the
information in one place as you use the data for more research.
Collections also contain a section that serves as a wiki-style notepad, where you can add comments
or any free text that is relevant. You can use the collection to save X-Force reports, text comments,
or any other content. An X-Force report has both a version of the report from the time that it was
saved and a link to the current version of the report.
Installing the IBM X-Force Exchange plug-in
Install the IBM X-Force Exchange plug-in on your QRadar Console so that you have right-click
functionality to access data in IBM X-Force Exchange.
Before you begin
This procedure requires a web server restart from the Admin tab to load the plug-in after the RPM is
installed. Restarting the web server logs out all QRadar users, so it is advised that you install this
plug-in during scheduled maintenance.
About this task
If your QRadar system is version 7.2.3 or later, the plug-in is already installed. Administrators can
verify that the plug-in is installed by right-clicking on any IP address in QRadar, and selecting More
Options > Plugin options. If the IBM X-Force Exchange lookup is displayed, then the plug-in is
installed.
Procedure
1. Download the X-Force Exchange right-click plug-in from IBM Fix
Central (https://ibm.biz/BdX4BW).
a. Copy the RPM file to the QRadar Console.
b. Type the following command to install the plug-in: rpm -Uvh RightClick-XFE7.2.<version>.x86_64.rpm
2. Log in to the QRadar Console as an admin user.
3. On the navigation menu ( ), click Admin.
4. Select Advanced > Restart Web Server.
After the web server restarts, the X-Force right-click plug-in is enabled for IP addresses
in QRadar for URL fields in the Log Activity tab.
5. Log in to the pop-up window for the X-Force Exchange website by using your IBMid, or
continue as a guest.
Guest users are not able to use all features on the X-Force Exchange website.
6. Close the browser window after the initial login to the IBM X-Force Exchange website.
Section 5: User Management
TASK: 5.1 Manage users
SUBTASKS:
5.1.1. Understand how to create a user account
• Understand different parameters:
o User role
o Security profile
o Override system inactivity timeout
5.1.2. Validate user account creation requirements
• Deploy after user creation
5.1.3. Understand how to edit a user account
• User Management window
• Use of the Advanced Filter to search by user role or security profile when editing
5.1.4. Validate user account edition requirements
• Deploy after user edit
5.1.5. Disable a user account
5.1.6. Delete a user account
5.1.7. Delete saved searches of a deleted user
Configuring inactivity timeout for a user
If you have users who require longer periods of inactivity before they are logged out of the system,
you can configure their inactivity timeout threshold individually.
Procedure
1.
2.
3.
4.
On the Admin tab, click Users.
Select a user from the list and click Edit.
In the User Details pane, enable the Override System Inactivity Timeout setting.
Enter the number of minutes of inactivity before the user is logged out, and click Save.
Deleting saved searches of a deleted user
If the saved searches of a deleted user are no longer necessary, you can delete the searches.
About this task
Saved searches that were created by a deleted user remain associated with the user until you delete
the searches.
Procedure
1. On the Log Activity or Network Activity tab, click Search > Manage Search Results.
2. Click the Status column to sort the saved searches.
3. Select the saved searches with a status of “ERROR!”, then click Delete.
Editing a user account
You can edit account information for the current user through the main product interface. To
quickly locate the user account you want to edit on the User Management window, type the user
name in the Search User text box on the toolbar.
Procedure
1. On the Admin tab, click Users.
2. In the User Management window, select the user that you want to edit.
You can use the Advanced Filter to search by User Role or Security Profile.
3.
4.
5.
6.
7.
In the User Details window, click Edit.
Edit the account information for the user.
Click Save.
Close the User Management window.
On the Admin tab, click Deploy Changes.
Creating a user account
When you create a new user account, you must assign access credentials, a user role, and a security
profile to the user. User roles define what actions the user has permission to perform. Security
profiles define what data the user has permission to access.
Before you begin
Before you can create a user account, you must ensure that the required user role and security
profile are created.
About this task
You can create multiple user accounts that include administrative privileges; however, any user
role with Administrator Manager privileges can create other administrative user accounts.
Procedure
1. On the Admin tab, click Users.
The User Management window opens.
2. Click Add.
3. Enter values for the following parameters:
Parameter Description
User Name Enter a unique username for the new user. The username must contain 1 - 60 characters.
User
Enter a description for the user. The description cannot contain more than 2048 characters.
Description
Email
Enter an email address to be associated with this user. The address cannot contain more than
255 characters, and cannot contain spaces.
New
Enter a new password for the user to gain access. The password must meet the minimum length
Password and complexity requirements that are enforced by the password policy.
Parameter Description
Confirm
New
Enter the new password again.
Password
User Role Select a role for this user from the list.
Security
Profile
Select a security profile for this user from the list.
Override
System
Enable this setting to configure the inactivity timeout threshold for the user account.
Inactivity
Timeout
4. Click Save.
5. Close the User Management window.
6. On the Admin tab, click Deploy Changes.
Deleting a user account
If a user account is no longer necessary, you can delete the user account. After you delete a user, the
user no longer has access to the user interface. If the user attempts to log in, a message is displayed
to inform the user that the username and password is no longer valid.
About this task
To quickly locate the user account you want to delete on the User Management window, type the
username in the Search text box.
Procedure
1. On the Admin tab, click Users.
2. In the User Management window, select the user that you want to delete.
You can use the Advanced Filter to search by User Role or Security Profile.
3. In the User Details window, click Delete.
A search for dependents begins.
4.
5.
6.
7.
8.
9.
In the Found Dependents window, click Delete or Re-Assign dependents.
When the user has no dependents, click Delete User.
In the Confirm Delete window, click Delete > OK.
Click Delete.
Close the User Management window.
On the Admin tab, click Deploy Changes.
Disabling a user account
You can disable a user account to restrict a user from accessing QRadar. The option to disable a
user account temporarily revokes a user's access without deleting the account.
About this task
If the user with the disabled account attempts to log in, a message informs them that the user name
and password are no longer valid. Items that they created, such as saved searches and reports,
remain associated with the user.
Procedure
1. On the Admin tab, click Users.
2. In the User Management window, select the user account that you want to disable.
You can use the Advanced Filter to search by User Role or Security Profile.
3.
4.
5.
6.
7.
Click Edit.
From the User Details window, select Disabled from the User Role list.
Click Save.
Close the User Management window.
On the Admin tab, click Deploy Changes.
TASK: 5.2 Create and update security profiles
SUBTASKS:
5.2.1. Understand security profiles
• Domains
• Permission precedence
5.2.2. Create a security profile
5.2.3. Edit a security profile
5.2.4. Duplicate a security profile
5.2.5. Delete a security profile
Security profiles
Security profiles define which networks, log sources, and domains that a user can access.
QRadar® includes one default security profile for administrative users. The Admin security profile
includes access to all networks, log sources, and domains.
Before you add user accounts, you must create more security profiles to meet the specific access
requirements of your users.
Domains
Security profiles must be updated with an associated domain. You must define domains on
the Domain Management window before the Domains tab is shown on the Security Profile
Management window. Domain-level restrictions are not applied until the security profiles are
updated, and the changes are deployed.
Domain assignments take precedence over all settings on the Permission Precedence, Networks,
and Log Sources tabs.
If the domain is assigned to a tenant, the tenant name appears in brackets beside the domain name
in the Assigned Domains window.
Permission precedence
Permission precedence determines which security profile components to consider when the system
displays events in the Log Activity tab and flows in the Network Activity tab.
Choose from the following restrictions when you create a security profile:
•
•
•
•
No Restrictions - This option does not place restrictions on which events are displayed in
the Log Activity tab, and which flows are displayed in the Network Activity tab.
Network Only - This option restricts the user to view only events and flows that are
associated with the networks that are specified in this security profile.
Log Sources Only - This option restricts the user to view only events that are associated
with the log sources that are specified in this security profile.
Networks AND Log Sources - This option allows the user to view only events and flows that
are associated with the log sources and networks that are specified in this security profile.
For example, if the security profile allows access to events from a log source but the
destination network is restricted, the event is not displayed in the Log Activity tab. The
event must match both requirements.
•
Networks OR Log Sources - This option allows the user to view events and flows that are
associated with either the log sources or networks that are specified in this security profile.
For example, if a security profile allows access to events from a log source but the destination
network is restricted, the event is displayed on the Log Activity tab if the permission
precedence is set to Networks OR Log Sources. If the permission precedence is set
to Networks AND Log Sources, the event is not displayed on the Log Activity tab.
Permission precedence for offense data
Security profiles automatically use the Networks OR Log Sources permission when offense data is
shown. For example, if an offense has a destination IP address that your security profile permits
you to see, but the security profile does not grant permissions to the source IP address, the Offense
Summary window shows both the destination and source IP addresses.
Creating a security profile
To add user accounts, you must first create security profiles to meet the specific access
requirements of your users.
About this task
IBM® QRadar® SIEM includes one default security profile for administrative users. The Admin
security profile includes access to all networks, log sources, and domains.
To select multiple items on the Security Profile Management window, hold the Control key while
you select each network or network group that you want to add.
If after you add networks, log sources or domains you want to remove one or more before you save
the configuration, you can select the item and click the Remove (<) icon. To remove all items,
click Remove All.
Procedure
1. On the Admin tab, click Security Profiles.
2. On the Security Profile Management window toolbar, click New.
3. Configure the following parameters:
a. In the Security Profile Name field, type a unique name for the security profile. The
security profile name must meet the following requirements: minimum of 3
characters and maximum of 30 characters.
b. OptionalType a description of the security profile. The maximum number of
characters is 255.
4. Click the Permission Precedence tab.
5. In the Permission Precedence Setting pane, select a permission precedence option.
See Permission precedence.
6. Configure the networks that you want to assign to the security profile:
a. Click the Networks tab.
b. From the navigation tree in the left pane of the Networks tab, select the network that
you want this security profile to have access to.
c. Click the Add (>) icon to add the network to the Assigned Networks pane.
d. Repeat for each network you want to add.
7. Configure the log sources that you want to assign to the security profile:
a. Click the Log Sources tab.
b. From the navigation tree in the left pane, select the log source group or log source
you want this security profile to have access to.
c. Click the Add (>) icon to add the log source to the Assigned Log Sources pane.
d. Repeat for each log source you want to add.
8. Configure the domains that you want to assign to the security profile:
Domains must be configured before the Domains tab appears.
a. Click the Domains tab.
b. From the navigation tree in the left pane, select the domain that you want this
security profile to have access to.
c. Click the Add (>) icon to add the domain to the Assigned Domains pane.
d. Repeat for each domain that you want to add.
9. Click Save.
Note: The log sources and domains that are assigned to the security profile must match. If
the log sources and domains do not match, you cannot save the security profile .
10. Close the Security Profile Management window.
11. On the Admin tab, click Deploy Changes.
Editing a security profile
You can edit an existing security profile to update which networks and log sources a user can access
and the permission precedence.
About this task
To quickly locate the security profile you want to edit on the Security Profile Management window,
type the security profile name in the Type to filter text box.
Procedure
1.
2.
3.
4.
5.
6.
Option
On the Admin tab, click Security Profiles.
In the left pane, select the security profile that you want to edit.
On the toolbar, click Edit.
Update the parameters as necessary.
Click Save.
If the Security Profile Has Time Series Data window opens, select one of the following
options:
Description
Keep Old Data and Select this option to keep previously accumulated time series data. If you choose this
option, users with this security profile might see previous data that they no longer have
Save
permission to see when they view time series charts.
Hide Old Data and Select this option to hide the time series data. If you choose this option, time series data
Save
accumulation restarts after you deploy your configuration changes.
7. Close the Security Profile Management window.
8. On the Admin tab, click Deploy Changes.
Duplicating a security profile
If you want to create a new security profile that closely matches an existing security profile, you can
duplicate the existing security profile and then modify the parameters.
About this task
To quickly locate the security profile you want to duplicate on the Security Profile
Management window, type the security profile name in the Type to filter text box.
Procedure
1.
2.
3.
4.
5.
6.
7.
8.
On the Admin tab, click Security Profiles.
In the left pane, select the security profile that you want to duplicate.
On the toolbar, click Duplicate.
In the Confirmation window, type a unique name for the duplicated security profile.
Click OK.
Update the parameters as necessary.
Close the Security Profile Management window.
On the Admin tab, click Deploy Changes.
Deleting a security profile
If a security profile is no longer required, you can delete the security profile.
About this task
If user accounts are assigned to the security profiles you want to delete, you must reassign the user
accounts to another security profile. IBM® QRadar® automatically detects this condition and
prompts you to update the user accounts.
To quickly locate the security profile you want to delete on the Security Profile
Management window, type the security profile name in the Type to filter text box.
Procedure
1.
2.
3.
4.
On the Admin tab, click Security Profiles.
In the left pane, select the security profile that you want to delete.
On the toolbar, click Delete.
Click OK.
o If user accounts are assigned to this security profile, the Users are Assigned to this
Security Profile window opens. Go to Deleting a user role.
o If no user accounts are assigned to this security profile, the security profile is
successfully deleted. Go to Deleting a user role.
5. Reassign the listed user accounts to another security profile:
o From the User Security Profile to assign list box, select a security profile.
o Click Confirm.
6. Close the Security Profile Management window.
7. On the Admin tab, click Deploy Changes.
TASK: 5.3 Create and update user roles
SUBTASKS:
5.3.1. Understand user roles
• QRadar functions that the user can access
5.3.2. Create a user role
5.3.3. Edit a user role
5.3.4. Delete a user role
User roles
A user role defines the functions that a user can access in IBM® QRadar®.
During the installation, four default user roles are defined: Admin, All, WinCollect, and Disabled.
Before you add user accounts, you must create the user roles to meet the permission requirements
of your users.
Creating a user role
Create user roles to manage the functions that a user can access in IBM QRadar. By default, your
system provides a default administrative user role, which provides access to all areas of QRadar.
About this task
Users who are assigned an administrative user role cannot edit their own account. This restriction
applies to the default Admin user role. Another administrative user must make any account
changes.
Procedure
1.
2.
3.
4.
Click the Admin tab.
In the User Management section, click User Roles and then click New.
In the User Role Name field, type a unique name.
Select the permissions that you want to assign to the user role.
The permissions that are visible on the User Role Management window depend on
which QRadar components are installed.
Important: If you select a user role that has Admin privileges, you must also grant that user
role the Admin security profile. See Creating a security profile.
Permission
Description
Grants administrative access to the user interface. You can grant specific Admin
permissions.
Users with System Administrator permission can access all areas of the user interface.
Users who have this access cannot edit other administrator accounts.
Administrator Manager
Grants users permission to create and edit other administrative user accounts.
Remote Networks and Services Configuration
Admin
Grants users access to the Remote Networks and Services icon on the Admin tab.
System Administrator
Grants users permission to access all areas of user interface. Users with this access
are not able to edit other administrator accounts.
Manage Local Only
Grants permission to assign and manage Local Only authentication. For more
information about Local Only authentication, see Assigning Local Only
authentication.
Grant users permissions to perform limited administrative functions. In a multi-tenant
Delegated
environment, tenant users with Delegated Administration permissions can see only data
Administration for their own tenant environment. If you assign other administrative permissions that are
not part of Delegated Administration, tenant users can see data for all tenants.
Grants administrative access to all functions on the Offenses tab.
Offenses
Users must have administrative access to create or edit a search group on
the Offenses tab.
User roles must have the Maintain Custom Rules permission to create and edit
custom rules.
Grants access to functions in the Log Activity tab. You can also grant specific permissions:
Maintain Custom Rules
Grants permission to create or edit rules that are displayed on the Log Activity tab.
Log Activity
Manage Time Series
Grants permission to configure and view time series data charts.
User Defined Event Properties
Grants permission to create custom event properties.
View Custom Rules
Permission
Description
Grants permission to view custom rules. If granted to a user role that does not also
have the Maintain Custom Rules permission, the user role cannot create or edit
custom rules.
Grants access to all the functions in the Network Activity tab. You can grant specific access
to the following permissions:
Maintain Custom Rules
Grants permission to create or edit rules that are displayed on the Network
Activity tab.
Manage Time Series
Grants permission to configure and view time series data charts.
Network
Activity
User Defined Flow Properties
Grants permission to create custom flow properties.
View Custom Rules
Grants permission to view custom rules. If the user role does not also have
the Maintain Custom Rules permission, the user role cannot create or edit custom
rules.
View Flow Content
Grants permission to view source payload and destination payload in the flow data
details.
This permission is displayed only if IBM QRadar Vulnerability Manager is installed on your
system.
Grants access to the function in the Assets tab. You can grant specific permissions:
Perform VA Scans
Grants permission to complete vulnerability assessment scans. For more
information about vulnerability assessment, see the Managing Vulnerability
Assessment Guide.
Assets
Remove Vulnerabilities
Grants permission to remove vulnerabilities from assets.
Server Discovery
Grants permission to discover servers.
View VA Data
Grants permission to vulnerability assessment data. For more information about
vulnerability assessment, see the Managing Vulnerability Assessment guide.
Reports
Grants permission to access all of the functions on the Reports tab.
Permission
Description
Distribute Reports via Email
Grants permission to distribute reports through email.
Maintain Templates
Grants permission to edit report templates.
Risk Manager
Grants users permission to access QRadar Risk Manager functions. QRadar Risk
Manager must be activated.
Grants permission to QRadar Vulnerability Manager function. QRadar Vulnerability
Manager must be activated.
Vulnerability
Manager
For more information, see the IBM QRadar Vulnerability
Manager (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_qvm_
vm_ov.html).
Grants permission to QRadar Incident Forensics capabilities.
Forensics
Create cases in Incident Forensics
Grants permission to create cases for collections of imported document and pcap
files.
IP Right Click
Menu
Grants permission to options added to the right-click menu.
Extensions
Grants permission to Platform Configuration services.
Dismiss System Notifications
Grants permission to hide system notifications from the Messages tab.
Platform
View Reference Data
Configuration
Grants permission to view reference data when it is available in search results.
View System Notifications
Grants permission to view system notifications from the Messages tab.
QRadar Log
Source
Management
Grants permission to the QRadar Log Source Management app.
Pulse Dashboard
Grants permission to dashboards in the IBM QRadar Pulse app.
Pulse - Threat
Grants permission to Threat Globe dashboard in the IBM QRadar Pulse app.
Globe
QRadar
Assistant
Grants permission to the IBM QRadar Assistant app.
Permission
Description
QRadar Use
Grants permission to the QRadar Use Case Manager app.
Case Manager
Table 1. User Role Management window permissions
5. In the Dashboards section of the User Role Management page, select the dashboards that you
want the user role to access, and click Add.
Tip: A dashboard displays no information when the user role does not have permission to
view dashboard data. If a user modifies the displayed dashboards, the defined dashboards
for the user role appear at the next login.
6. Click Save and close the User Role Management window.
7. On the Admin tab menu, click Deploy Changes.
Editing a user role
You can edit an existing role to change the permissions that are assigned to the role.
About this task
To quickly locate the user role you want to edit on the User Role Management window, you can
type a role name in the Type to filter text box.
Procedure
1. On the Admin tab, click User Roles.
2. In the left pane of the User Role Management window, select the user role that you want to
edit.
3. In the right pane, update the permissions as necessary.
4. Modify the Dashboards options for the user role as necessary.
5. Click Save.
6. Close the User Role Management window.
7. On the Admin tab, click Deploy Changes.
Deleting a user role
If a user role is no longer required, you can delete the user role.
About this task
If user accounts are assigned to the user role you want to delete, you must reassign the user
accounts to another user role. The system automatically detects this condition and prompts you to
update the user accounts.
You can quickly locate the user role that you want to delete on the User Role Management window.
Type a role name in the Type to filter text box, which is located above the left pane.
Procedure
1.
2.
3.
4.
On the Admin tab, click User Roles.
In the left pane of the User Role Management window, select the role that you want to delete.
On the toolbar, click Delete.
Click OK.
o If user accounts are assigned to this user role, the Users are Assigned to this User
Role window opens. Go to Step 7.
o If no user accounts are assigned to this role, the user role is successfully deleted. Go
to Step 8.
5. Reassign the listed user accounts to another user role:
o From the User Role to assign list box, select a user role.
o Click Confirm.
6. Close the User Role Management window.
7. On the Admin tab, click Deploy Changes.
TASK: 5.4 Manage user authentication and authorization
SUBTASKS:
5.4.1. User authentication
5.4.2. System authentication
5.4.3. RADIUS authentication
5.4.4. TACACS authentication
5.4.5. LDAP
5.4.6. SAML single sign-on authentication
User authentication
When authentication is configured and a user enters an invalid username and password
combination, a message is displayed to indicate that the login was invalid.
If the user attempts to access the system multiple times with invalid information, the user must
wait the configured amount of time before they can attempt to access the system again. You can
configure console settings to determine the maximum number of failed logins and other related
settings.
IBM® QRadar® supports the following authentication types:
•
•
•
System authentication - Users are authenticated locally. System authentication is the
default authentication type.
RADIUS authentication - Users are authenticated by a Remote Authentication Dial-in User
Service (RADIUS) server. When a user attempts to log in, QRadar encrypts the password
only, and forwards the username and password to the RADIUS server for authentication.
TACACS authentication - Users are authenticated by a Terminal Access Controller Access
Control System (TACACS) server. When a user attempts to log in, QRadar encrypts the
username and password, and forwards this information to the TACACS server for
•
•
•
authentication. TACACS Authentication uses Cisco Secure ACS Express as a TACACS
server. QRadar supports up to Cisco Secure ACS Express 4.3.
Removed in 7.4.2 Microsoft Active Directory - Users are authenticated by a Lightweight
Directory Access Protocol (LDAP) server that uses Kerberos.
LDAP - Users are authenticated by an LDAP server.
SAML single sign-on authentication - Users can easily integrate QRadar with your
corporate identity server to provide single sign-on, and eliminate the need to
maintain QRadar local users. Users who are authenticated to your identity server can
automatically authenticate to QRadar. They don't need to remember separate passwords or
type in credentials every time they access QRadar.
Prerequisite checklist for external authentication providers
Before you can configure an external authentication type, you must complete the following tasks:
•
•
•
•
Configure the authentication server before you configure authentication in QRadar.
Ensure that the server has the appropriate user accounts and privilege levels to
communicate with QRadar..
Ensure that the time of the authentication server is synchronized with the time of
the QRadar server.
Ensure that all users have appropriate user accounts and roles to allow authentication
with the vendor servers.
Changing QRadar user passwords
IBM QRadar occasionally changes the password policy to align with current security standards.
When the password policy is updated, users who have local passwords are prompted to update
their password the first time that they log in after the upgrade. In very few situations, some
users may not be prompted to change their password after the upgrade, and you will have to
change it for them.
To change SIEM user passwords, complete the following steps:
1. On the Admin tab, click Users.
2. Select a user from the list and click Edit.
3. In the User Details pane, enter the new password for the user, and click Save.
To change PCAP user passwords, complete the following steps:
1.
2.
3.
4.
5.
6.
On the Admin tab, click System and License Management.
Select Systems View from the Display list.
Highlight your QRadar Incident Forensics device.
On the Deployment Actions menu, click Edit Host.
Select the Component Management icon.
In the PCAP Device Management window, reenter or change the login password for the user
and click Save.
7. On the Admin tab, click Advanced > Deploy Full Configuration for the changes to take
effect.
To change FTP user passwords, complete the following steps:
1.
2.
3.
4.
5.
On the Admin tab, click Forensics User Permissions.
Select a user from the Users list on the left side of the window.
In the Edit User pane, check the Enable FTP access box.
Reenter or change the password for the user.
Under Assigned Cases, click Save User.
Configuring inactivity timeout for a user
If you have users who require longer periods of inactivity before they are logged out of the system,
you can configure their inactivity timeout threshold individually.
Procedure
1.
2.
3.
4.
On the Admin tab, click Users.
Select a user from the list and click Edit.
In the User Details pane, enable the Override System Inactivity Timeout setting.
Enter the number of minutes of inactivity before the user is logged out, and click Save.
External authentication guidelines
You can configure an external authentication provider to allow IBM QRadar to authenticate users
without QRadar storing passwords locally for those users.
Warning: You cannot configure more than one external authentication provider for QRadar at a time. If you
have set up one external authentication provider and you set up another external authentication provider,
the configuration for the first external authentication provider is deleted.
When you choose to use an external authentication provider, consider these points:
•
•
•
•
•
•
Ensure that your external provider is trustworthy because you are delegating an important
security decision to this external provider. A compromised provider might allow access to
your QRadar system to unintended parties.
Ensure that the connection to the external provider is secure. Choose only secure
communications protocols, by using LDAPS instead of LDAP, for example.
Consider whether you want to enable a local authentication fallback in case the external
provider is unavailable. If the external provider is compromised, it might be used as a denial
of access attack.
The decision to configure an external authentication provider applies to all administrator
and non-administrator QRadar users.
If you enable auto-provisioning of QRadar accounts, a compromised provider might be used
to force the creation of a rogue QRadar account, so use caution when you are combining
these features.
QRadar users that do not have an entry in the external provider are relying on the fallback
feature to check the local password. A compromised external authentication provider might
be used to create a “shadow” for an existing QRadar account, providing an alternative
password for authentication.
Local authentication fallback
Each non-administrator user can be configured for local authentication fallback. Local
authentication fallback is turned off by default. If enabled, a non-administrator QRadar user can
access the system by using the locally stored password even if the external provider is unavailable,
or if the password in the external provider is locked out or is unknown to the user. This also means
that a rogue QRadar administrator might change the locally stored password and log in as that user,
so ensure that your QRadar administrators are trustworthy. This is also the case if an external
authentication provider is not configured.
The default administrator account, named admin, is always configured for local authentication
fallback by default. This prevents the administrative user from being locked out of the system, but
also means you must ensure that the configured external authentication provider has the correct
entry for the admin user, and that the password is known only to the
authorized QRadar administrator. If you cannot maintain control of the admin entry in the external
authentication provider, disable the admin account within QRadar to prevent unauthorized users
from logging in to QRadar as admin. When you enable auto-provisioning, such as when you use
LDAP group authentication, any user account that matches the LDAP query are created or
reactivated with the appropriate roles as mapped. To prevent this from happening, disable autoprovisioning by using LDAP local.
For other privileged QRadar users (users with the admin role), you can choose on a user-by-user
basis whether to enable local authentication fallback. The ENABLE_FALLBACK_ALL_ADMINS setting
(disabled by default) can be used to force all privileged users to use local authentication fallback. If
local authentication fallback is configured, the same considerations apply as for the admin account.
When you configure an external authentication provider and create a new user, that user doesn't
automatically have a local password set for QRadar. If a user needs a local password, then you must
configure local authentication fallback for that user. Local authentication fallback allows a user to
authenticate locally if external authentication fails for any reason, including invalid passwords.
Fallback users can then access QRadar regardless of the state of the external authentication.
Even if local authentication fallback is enabled for a user account, QRadar first attempts to
authenticate the user to the external authentication module before it attempts local authentication.
When external authentication fails, QRadar automatically attempts to authenticate locally if local
authentication fallback is enabled for that user. User accounts cannot be configured only to
authenticate locally when an external authentication provider is configured. For this reason, it is
important that all QRadar user accounts correspond to an external authentication provider account
of the same name associated with the same authorized user.
Ensure that the external authentication provider is trustworthy, as this configuration outsources a
security decision and a rogue authentication admin can allow unauthorized access to
your QRadar system. Make this connection in a secure way, by using the secure version of protocols
(for example by using LDAPS rather than LDAP).
Local authentication fallback is not available with SAML authentication. No users are able to
authenticate locally when you use SAML authentication.
When offboarding users, disable local authentication fallback for that user before you remove their
authentication access from the external authentication provider.
Local Only authentication
The Administration Manager or a System Manager with the Manage Local Only authentication role
can assign Local Only authentication. Setting Local Only authentication to true ensures that the user
authenticates to QRadar locally rather than through external authentication.
Assigning Local Only authentication
Local Only authentication is a setting that is used when external authentication is enabled on
IBM QRadar. Setting Local Only authentication to true for a user ensures that the user authenticates
to QRadar locally rather than through external authentication. Local Only authentication prevents
unintended access to QRadar from the accounts that are configured in the external authentication
repository.
Before you begin
Only an Administration Manager or a System Manager with the Manage Local Only authentication role can
manage Local Only authentication.
About this task
When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only
Authentication role is added to manage the Local Only authentication for users. Any user or
authorized service that has the Administration Manager user role inherits this new capability. To
add the Manage Local Only Authentication role, see Creating a user role.
The following table shows the different permissions for when the Local Only authentication is
enabled or disabled.
Manage Local
Only
AuthenticationUser
Setting
capability
•
•
Enabled
•
•
Authorized Service
Create and modify users with
any local only setting
Create or delete a user or
authorized service with any
user role
Modify a user or
authenticated service role to
assign or remove the Manage
Local Only Authentication
setting capability
Assign user roles to any user
when their original role is
deleted
•
•
•
•
Create users without the Local Only
setting enabled
Create or delete users or authorized
services with any user role
Modify a user or authenticated service
role to assign or remove the Manage
Local Only Authentication setting
capability
Cannot modify a user's Local Only setting
Manage Local
Only
AuthenticationUser
Setting
capability
Authorized Service
•
Delete user roles with any
capability
•
Can create new users with
the same Local Only setting
as their own
Can create or delete users or
authorized services with
user roles that do not contain
the Manage Local Only
Authentication setting
capability
Cannot modify a user's Local
Only setting
Cannot modify a user or
authenticated service role to
assign or remove the Manage
Local Only Authentication
setting capability
Cannot assign user roles
with the Manage Local Only
Authentication setting
capability when their
original role is deleted
Cannot delete user roles with
the Manage Local Only
Authentication setting
capability
•
•
•
Not enabled
•
•
•
•
•
•
Create users without the Local Only
setting enabled
Can create or delete users or authorized
services with user roles that do not
contain the Manage Local Only
Authentication setting capability
Cannot modify a user's Local Only setting
Cannot modify a user or authenticated
service role to assign or remove the
Manage Local Only Authentication
setting capability
Table 1. Managing Local Only Authentication permission
Important:
•
•
•
If users or authorized services must not inherit Manage Local Only authentication role, then
a new user role must be assigned.
The default administration account is automatically set to Manage Local Only authentication.
Only an Administration manager or a System manager with the Manage Local Only
authentication role can create or delete a user role with Manage Local Only authentication.
Procedure
1. On the Admin tab, click Users.
2. Locate the user to be assigned Local Only authentication and switch the Local Only
authentication to On.
The user can use only Local Only authentication to log in.
Configuring system authentication
You can configure local authentication on your IBM QRadar system. You can specify length,
complexity, and expiry requirements for local passwords.
About this task
The local authentication password policy applies to local passwords for administrative users. The
policy also applies to non-administrative users if no external authentication is configured.
When the local authentication password policy is updated, users are prompted to change their
password if they log in with a password that does not meet the new requirements.
Procedure
1. On the Admin tab, click Authentication.
2. Click Authentication Module Settings.
3. Optional: From the Authentication Module list, select System Authentication.
System authentication is the default authentication module. If you change from another
authentication module, then you must deploy QRadar before you do the next steps.
4.
5.
6.
7.
Click Save Authentication Module.
Click Home.
Click Local Password Policy Configuration.
Select the password complexity settings for local authentication.
Learn more about password complexity settings:
Password
complexity Description
setting
Minimum Specifies the minimum number of characters that must be in a password.
Password
Length
Important: To provide adequate security, passwords should contain at least 8 characters.
Use
Requires that passwords meet a number of complexity rules, such as containing uppercase
Complexity
characters, lowercase characters, special characters, or numbers.
Rules
Number of The number of complexity rules that individual passwords must meet. Must be between
rules
one and the number of enabled complexity rules. For example, if all four complexity
required rules are enabled and individual passwords must meet any three of them, then enter 3.
Password
complexity Description
setting
Contain an
uppercase Requires that passwords contain at least one uppercase character.
character
Contain a
lowercase Requires that passwords contain at least one lowercase character.
character
Contain a
Requires that passwords contain at least one number.
digit
Contain a
Requires that passwords contain at least one space or other character that is not a letter
special
character or number (for example, "$%&'()*,-./:;<=>?@[\]_`|~).
Not
contain
Disallows more than two repeating characters. For example, abbc is allowed but abbbc is
repeating not allowed.
characters
Password Prevents passwords from being reused for a number of days. The number of days is
calculated by Unique password count multiplied by Days before password will
History
expire.
Unique
password This parameter displays when Password History is selected. The number of password
changes before a previous password can be reused.
count
Days
before
This parameter displays when Password History is selected. The number of days
password before a password must be changed.
will expire
Table 1. Password Complexity settings
8. Click Update Password Policy.
Configuring RADIUS authentication
You can configure RADIUS authentication on your IBM QRadar system.
Procedure
1.
2.
3.
4.
On the Admin tab, click Authentication.
Click Authentication Module Settings.
From the Authentication Module list, select RADIUS Authentication.
Configure the parameters:
a. In the RADIUS Server field, type the host name or IP address of the RADIUS server.
b. In the RADIUS Port field, type the port of the RADIUS server.
c. From the Authentication Type list box, select the type of authentication you want to
perform.
Choose from the following options:
CHAP
Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol
(PPP) connection between the user and the server.
MSCHAP
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote
Windows workstations.
PAP
Password Authentication Protocol (PAP) sends clear text between the user and the server.
d. In the Shared Secret field, type the shared secret that QRadar uses to encrypt
RADIUS passwords for transmission to the RADIUS server.
5. Click Save Authentication Module.
Configuring TACACS authentication
You can configure TACACS authentication on your IBM QRadar system.
Procedure
1.
2.
3.
4.
On the Admin tab, click Authentication.
Click Authentication Module Settings.
From the Authentication Module list, select TACACS Authentication.
Configure the parameters:
a. In the TACACS Server field, type the host name or IP address of the TACACS server.
b. In the TACACS Port field, type the port of the TACACS server.
c. From the Authentication Type list box, select the type of authentication you want to
perform.
Choose from the following options:
Option Description
ASCII
American Standard Code for Information Interchange (ASCII) sends the user name and password in
clear text.
PAP
Password Authentication Protocol (PAP) sends clear text between the user and the server. PAP is
the default authentication type.
CHAP
Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP)
connection between the user and the server.
MSCHAPMicrosoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows
workstations.
d. In the Shared Secret field, type the shared secret that QRadar uses to encrypt
TACACS passwords for transmission to the TACACS server.
5. Click Save Authentication Module.
What to do next
For TACACS user authentication, you must create a local QRadar user account that is the same as
the TACACS account on the authentication server.
Configuring Active Directory authentication
Removed in 7.4.2 You can configure Microsoft Active Directory authentication on your IBM
QRadar system.
About this task
Important: As of QRadar 7.4.2, you can no longer use Kerberos-based Active Directory (AD) authentication.
For more information, see https://www.ibm.com/support/pages/node/6253911.
Procedure
1.
2.
3.
4.
On the Admin tab, click Authentication.
Click Authentication Module Settings.
From the Authentication Module list, select Active Directory.
Click Add, and configure parameters for the Active Directory Repository.
The following table describes the parameters to configure:
Parameter Description
Repository The Repository ID is an identifier or alias that uniquely represents the server
ID
that is entered in the Server URL field and the domain from the Domain field.
Use the Repository ID when you enter your login details.
For example, you might use AD_1 to represent server_A on Domain_A in one
Active Directory Repository, and AD_2 to represent server_B on Domain_A in
your second repository.
Server URL The URL that is used to connect to the LDAP server. For example,
type ldaps://host_name:port.
Note: If you specify a secure LDAP connection, the password is secure but the username
is passed in clear text.
Context
Context that you want to use; for example, DC=QRADAR,DC=INC.
Domain
Domain that you want to use, for example; qradar.inc.
5. Enter the user name and password that you use to authenticate with the repository.
6. To test connectivity to the repository, click Test Connection.
Note: When you enable Active Directory, ensure that port 88 is open to allow Kerberos
connections from the QRadar Console.
7. To edit or remove a repository, select the repository, and then click Edit or Remove.
8. Click Save.
Users can log in by using the Domain\user or Repository_ID\user login formats.
The login request that uses Repository_ID\user is attempted on a specific server that is
linked to a specific domain. For example, Server A on Domain A, which is more specific
than the Domain\user login request format.
The login request that uses the Domain\user format is attempted on servers that are
linked to the specified domain until a successful login is achieved. For example, there might
be more that one server on a specific domain.
Note: For Active Directory user authentication, you must create a local QRadar user account
that is the same as the Active Directory (AD) account on the authentication server.
9. On the Admin page, click Deploy Changes.
LDAP authentication
You can configure IBM QRadar to use supported Lightweight Directory Access Protocol (LDAP)
providers for user authentication and authorization.
In geographically dispersed environments, performance can be negatively impacted if the LDAP
server and the QRadar Console are not geographically close to each other. For example, user
attributes can take a long time to populate if the QRadar Console is in North America and the LDAP
server is in Europe.
You can use the LDAP authentication with an Active Directory server.
•
Configuring LDAP authentication
You can configure LDAP authentication on your IBM QRadar system.
Before you begin
If you plan to use SSL encryption or use TLS authentication with your LDAP server, you must
import the SSL or TLS certificate from the LDAP server to
the /opt/qradar/conf/trusted_certificates directory on your QRadar Console.
If you are using group authorization, you must configure a QRadar user role or security
profile on the QRadar console for each LDAP group that is used by QRadar.
Every QRadar user role or security profile must have at least one Accept group. The
mapping of group names to user roles and security profiles is case-sensitive.
About this task
Authentication establishes proof of identity for any user who attempts to log in to
the QRadar server. When a user logs in, the username and password are sent to the LDAP
directory to verify whether the credentials are correct. To send this information securely,
configure the LDAP server connection to use Secure Socket Layer (SSL) or Transport Layer
Security (TLS) encryption.
Authorization is the process of determining what access permissions a user has. Users are
authorized to perform tasks based on their role assignments. You must have a valid bind
connection to the LDAP server before you can select authorization settings.
The user base DN is where QRadar queries and finds users. Enable query permissions to
allow your users to query against the user base DN.
User attribute values are case-sensitive. The mapping of group names to user roles and
security profiles is also case-sensitive.
Procedure
1.
2.
3.
4.
On the Admin tab, click Authentication.
Click Authentication Module Settings.
From the Authentication Module list, select LDAP.
Click Add and complete the basic configuration parameters.
There are three configuration types and each has specific requirements for
the Server URL, SSL Connection, and TLS Authentication parameters:
Secure LDAP (LDAPS)
The Server URL parameter must use ldaps:// as the protocol, and specify an LDAP
over SSL encrypted port (typically 636). For
example ldaps://ldap1.example.com:636
If you are using Global Catalog because you're using multiple domains, use port 3269.
For example ldaps://ldap1.example.com:3269
The SSL Connection parameter must be set to “True” and the TLS
Authentication parameter must be set to “False”.
LDAP with StartTLS
The Server URL parameter must use ldap:// as the protocol, and specify an LDAP
unencrypted port that supports the StartTLS option (typically 389). For
example ldap://ldap1.example.com:389
The SSL Connection parameter must be set to “False” and the TLS
Authentication must be set to “True”.
TLS 1.2 using StartTLS is not the same as the LDAP SSL port.
TLS Authentication does not support referrals, so referrals must be set to “ignore”,
and the LDAP server must include a complete structure to search.
Unencrypted
An unencrypted LDAP configuration is not recommended.
The Server URL parameter must use the ldap:// protocol and specify an unencrypted
port (typically 389). For example ldap://ldap1.example.com:389
The SSL Connection parameter and the TLS Authentication parameter must both be
set to “False”.
Parameter Description
The Repository ID is an alias for the User Base DN (distinguished name)
that you use when you enter your login details to avoid having to type a
long string. When you have more than one repository in your network, you
can place the User Base DN before the user name or you can use the
shorter Repository ID.
For example, the User Base DN is: CN=Users,DC=IBM,DC=com. You create a
repository ID such as UsersIBM that is an alias for the user base DN.
You can type the short repository ID UsersIBM instead of typing the
following example of a complete User Base DN CN=Users,DC=IBM,DC=com
Here's an example where you configure the repository ID to use as an alias for the
User Base DN.Figure 1. LDAP repository
Repository
ID
When you enter your user name on the login page, you can enter the
Repository ID UsersIBM\<username>, instead of typing the full User Base
DN.
Note: The Repository ID and User Base DN must be unique.
Select True to search all subdirectories of the specified Directory Name
(DN).
Search
entire base Select False to search only the immediate contents of the Base DN. The
subdirectories are not searched. This search is faster than one which
searches all directories.
The user field identifier that you want to search on.
LDAP User
Field
You can specify multiple user fields in a comma-separated list to allow
users to authenticate against multiple fields. For example, if you
Parameter Description
specify uid,mailid, a user can be authenticated by providing either their
user ID or their mail ID.
The Distinguished Name (DN) of the node where the search for a user would
start. The User Base DN becomes the start location for loading users. For
User Base performance reasons, ensure that the User Base DN is as specific as possible.
DN
For example, if all of your user accounts are on the directory server in the
Users folder, and your domain name is ibm.com, the User Base DN value
would be cn=Users,dc=ibm,dc=com.
Referral
Select Ignore or Follow to specify how referrals are handled.
Table 1. LDAP Basic Configuration parameters
5. Under Connection Settings, select the type of bind connection.
Bind
connection
type
Description
Anonymous
bind
Use anonymous bind to create a session with the LDAP directory server that
doesn't require that you provide authentication information.
Use authenticated bind when you want the session to require a valid user
name and password combination. A successful authenticated bind authorizes
the authenticated user to read the list of users and roles from the LDAP
directory during the session. For increased security, ensure that the user ID
Authenticated that is used for the bind connection does not have permissions to do anything
bind
other than reading the LDAP directory.
Provide the Login DN and Password. For example, if the login name
is admin and the domain is ibm.com, the Login DN would
be cn=admin,dc=ibm,dc=com.
Table 2. LDAP bind connections
6. Click Test connection to test the connection information.
You must provide user information to authenticate against the user attributes that
you specified in the LDAP User Field. If you specified multiple values in the LDAP
User Field, you must provide user information to authenticate against the first
attribute that is specified.
Note: The Test connection function tests the ability of QRadar to read the LDAP
directory, not whether you can log in to the directory.
7. Select the authorization method to use.
Authorization
method
parameter
Description
Local
The user name and password combination is verified for each user that logs in,
but no authorization information is exchanged between the LDAP server
and QRadar server. If you chose Local authorization, you must create each user on
the QRadar console.
Choose User Attributes when you want to specify which user role and security
profile attributes can be used to determine authorization levels.
User attributes
You must specify both a user role attribute and a security profile attribute.
The attributes that you can use are retrieved from the LDAP server, based
on your connection settings. User attribute values are case-sensitive.
Choose Group Based when you want users to inherit role-based access
permissions after they authenticate with the LDAP server. The mapping of group
names to user roles and security profiles is case-sensitive.
Important: If you map an Active Directory group to the Admin user role, you
must map the same Active Directory group to the Admin security profile, or the
user will not be able to log in.
Group base DN
Specifies the start node in the LDAP directory for loading groups.
For example, if all of your groups are on the directory server in
the Groups folder, and your domain name is ibm.com, the Group Base
DN value might be cn=Groups,dc=ibm,dc=com.
Query limit enabled
Group based
Sets a limit on the number of groups that are returned.
Query result limit
The maximum number of groups that are returned by the query. By
default, the query results are limited to show only the first 1000 query
results.
By member
Select By Member to search for groups based on the group members. In
the Group Member Field box, specify the LDAP attribute that is used to
define the users group membership.
For example, if the group uses the memberUid attribute to determine
group membership, type memberUid in the Group Member Field box.
By query
Authorization
method
parameter
Description
Select By Query to search for groups by running a query. You provide the
query information in the Group Member Field and Group Query
Field text boxes.
For example, to search for all groups that have at least
one memberUid attribute and that have a cn value that starts with the
letter “s”, type memberUid in Group Member Field and
type cn=s* in Group Query Field.
Table 3. LDAP authorization methods
8. If you specified Group Based authorization, click Load Groups and click the plus (+)
or minus (-) icon to add or remove privilege groups.
The user role privilege options control which QRadar components the user has access
to. The security profile privilege options control the QRadar data that each user has
access to.
Note: Query limits can be set by selecting the Query Limit Enabled checkbox or the
limits can be set on the LDAP server. If query limits are set on the LDAP server, you
might receive a message that indicates that the query limit is enabled even if you did
not select the Query Limit Enabled checkbox.
9. Click Save.
10. Click Manage synchronization to exchange authentication and authorization
information between the LDAP server and the QRadar console.
a. If you are configuring the LDAP connection for the first time, click Run
Synchronization Now to synchronize the data.
b. Specify the frequency for automatic synchronization.
c. Click Close.
11. Repeat the steps to add more LDAP servers, and click Save Authentication
Module when complete.
•
•
•
•
•
Configuring an unencrypted connection to the LDAP server
Configure a Lightweight Directory Access Protocol (LDAP) repository in IBM QRadar.
Configuring an SSL certificate
Configure a Secure Sockets Layer (SSL) certificate to build a chain of trust.
Configuring LDAPS authentication
Configure a Server LDAP (LDAPS) authentication repository for your IBM QRadar system.
Synchronizing data with an LDAP server
You can manually synchronize data between the IBM QRadar server and the LDAP
authentication server.
Configuring SSL or TLS certificates
If you use an LDAP directory server for user authentication and you want to enable SSL
•
•
•
encryption or TLS authentication, you must configure your SSL or TLS certificate. QRadar
LDAP authentication uses TLS 1.2.
Displaying hover text for LDAP information
You create an LDAP properties configuration file to display LDAP user information as hover
text. This configuration file queries the LDAP database for LDAP user information that is
associated with events, offenses, or assets (if available).
Multiple LDAP repositories
You can configure IBM QRadar to map entries from multiple LDAP repositories into a single
virtual repository.
Example: Least privileged access configuration and set up
Grant users only the minimum amount of access that they require to do their day-to-day
tasks.
SAML single sign-on authentication
Security Assertion Markup Language (SAML) is a framework for authentication and authorization
between a service provider (SP) and an identity provider (IDP) where authentication is exchanged
using digitally signed XML documents. The service provider agrees to trust the identity provider to
authenticate users. In return, the identity provider generates an authentication assertion, which
indicates that a user has been authenticated.
By using the SAML authentication feature, you can easily integrate QRadar® with your corporate
identity server to provide single sign-on, and eliminate the need to maintain QRadar local users.
Users who are authenticated to your identity server can automatically authenticate to QRadar. They
don't need to remember separate passwords or type in credentials every time they access QRadar.
QRadar is fully compatible with SAML 2.0 web SSO profile as a service provider. It supports both SP
and IDP initiated single sign-on and single logout.
Configuring SAML authentication
You can configure IBM® QRadar to use the Security Assertion Markup Language (SAML) 2.0 single
sign-on framework for user authentication and authorization.
Importing a new certificate for signing and decrypting
The QRadar SAML 2.0 feature has options to use an x509 certificate other than the
provided QRadar_SAML certificate for signing and encryption.
Setting up SAML with Microsoft Active Directory Federation Services
After you configure SAML in QRadar, you can configure your Identity Provider by using the XML
metadata file that you created during that process. This example includes instructions for
configuring Microsoft Active Directory Federation Services (AD FS) to communicate
with QRadar using the SAML 2.0 single sign-on framework.
Troubleshooting SAML authentication
Use the following information to troubleshoot errors and issues when using SAML 2.0 with QRadar.
SAML single sign-on authentication
Security Assertion Markup Language (SAML) is a framework for authentication and authorization
between a service provider (SP) and an identity provider (IDP) where authentication is exchanged
using digitally signed XML documents. The service provider agrees to trust the identity provider to
authenticate users. In return, the identity provider generates an authentication assertion, which
indicates that a user has been authenticated.
By using the SAML authentication feature, you can easily integrate QRadar® with your corporate
identity server to provide single sign-on, and eliminate the need to maintain QRadar local users.
Users who are authenticated to your identity server can automatically authenticate to QRadar. They
don't need to remember separate passwords or type in credentials every time they access QRadar.
QRadar is fully compatible with SAML 2.0 web SSO profile as a service provider. It supports both SP
and IDP initiated single sign-on and single logout.
•
•
•
•
Configuring SAML authentication
You can configure IBM® QRadar to use the Security Assertion Markup Language (SAML) 2.0
single sign-on framework for user authentication and authorization.
Importing a new certificate for signing and decrypting
The QRadar SAML 2.0 feature has options to use an x509 certificate other than the
provided QRadar_SAML certificate for signing and encryption.
Setting up SAML with Microsoft Active Directory Federation Services
After you configure SAML in QRadar, you can configure your Identity Provider by using the
XML metadata file that you created during that process. This example includes instructions
for configuring Microsoft Active Directory Federation Services (AD FS) to communicate
with QRadar using the SAML 2.0 single sign-on framework.
Troubleshooting SAML authentication
Use the following information to troubleshoot errors and issues when using SAML 2.0
with QRadar.
Configuring TACACS authentication
You can configure TACACS authentication on your IBM® QRadar® system.
Procedure
1.
2.
3.
4.
On the Admin tab, click Authentication.
Click Authentication Module Settings.
From the Authentication Module list, select TACACS Authentication.
Configure the parameters:
a. In the TACACS Server field, type the host name or IP address of the TACACS server.
b. In the TACACS Port field, type the port of the TACACS server.
c. From the Authentication Type list box, select the type of authentication you want to
perform.
Choose from the following options:
Option Description
ASCII
American Standard Code for Information Interchange (ASCII) sends the user name
and password in clear text.
PAP
Password Authentication Protocol (PAP) sends clear text between the user and the
server. PAP is the default authentication type.
CHAP
Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point
Protocol (PPP) connection between the user and the server.
MSCHAPMicrosoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates
remote Windows workstations.
d. In the Shared Secret field, type the shared secret that QRadar uses to encrypt
TACACS passwords for transmission to the TACACS server.
5. Click Save Authentication Module.
What to do next
For TACACS user authentication, you must create a local QRadar user account that is the same as
the TACACS account on the authentication server.
Section 6: Reporting, Searching, and Offense Management
This section accounts for 13% of the exam (8 out of 62 questions).
TASK: 6.1 Manage reports
SUBTASKS:
6.1.1. Create reports with different chart types
• Chart types - data types
6.1.2. Create custom reports
• Selecting frequency of report generation
• Options for different distribution channels
6.1.3. Explain difference between scheduled reports and reports run on raw data
Chart types
When you create a report, you must choose a chart type for each chart you include in your report.
The chart type determines how the data and network objects appear in your report.
You can use any of the following types of charts:
Chart Type
Description
None
Use this option if you need white space in your report. If you select the None option for any
container, no further configuration is required for that container.
Use this chart to view vulnerability data for each defined asset in your deployment. You can
Asset
generate Asset Vulnerability charts when vulnerabilities have been detected by a VA scan.
Vulnerabilities
This chart is available after you install IBM® QRadar® Vulnerability Manager.
Connections
This chart option is only displayed if you purchased and licensed IBM QRadar Risk
Manager. For more information, see the IBM QRadar Risk Manager User Guide.
Device Rules
This chart option is only displayed if you purchased and licensed IBM QRadar Risk
Manager. For more information, see the IBM QRadar Risk Manager User Guide.
Device Unused This chart option is only displayed if you purchased and licensed IBM QRadar Risk
Objects
Manager. For more information, see the IBM QRadar Risk Manager User Guide.
Events/Logs
Use this chart to view event information. You can base a chart on data from saved searches
on the Log Activity tab. You can configure the chart to plot data over a configurable period
of time to detect event trends. For more information about saved searches, see Event and
flow searches.
Log Sources
Use this chart to export or report on log sources. Select the log sources and log source
groups that you want to appear in the report. Sort log sources by report columns. Include
log sources that are not reported for a defined time period. Include log sources that were
created in a specified time period.
Flows
Use this chart to view flow information. You can base a chart on data from saved searches
on the Network Activity tab. You can configure the chart to plot flow data over a
configurable period of time to detect flow trends. For more information about saved
searches, see Event and flow searches.
Top Destination
Use this chart to display the top destination IPs in the network locations you select.
IPs
Top Offenses
Use this chart to display the top offenses that occur at present time for the network
locations you select.
Offenses Over
Time
Use this chart to display all offenses that have a start time within a defined time span for the
network locations you select.
Top Source IPs
Use this chart to display and sort the top offense sources (IP addresses) that attack your
network or business assets.
The Vulnerabilities option is only displayed when the IBM QRadar Vulnerability
Vulnerabilities Manager was purchased and licensed. For more information, see the IBM QRadar
Vulnerability Manager User Guide.
Table 1. Chart Types
Chart Type
Description
None
Use this option if you need white space in your report. If you select the None option for any
container, no further configuration is required for that container.
Chart Type
Description
Use this chart to view vulnerability data for each defined asset in your deployment. You can
Asset
generate Asset Vulnerability charts when vulnerabilities have been detected by a VA scan.
Vulnerabilities
This chart is available after you install IBM QRadar Vulnerability Manager.
The Vulnerabilities option is only displayed when the IBM QRadar Vulnerability
Vulnerabilities Manager was purchased and licensed. For more information, see the IBM QRadar
Vulnerability Manager User Guide.
Table 2. Chart Types
Report tab toolbar
You can use the toolbar to perform a number of actions on reports.
The following table identifies and describes the Reports toolbar options.
Option
Description
Group
Manage
Groups
Click Manage Groups to manage report groups. Using the Manage Groups feature, you can
organize your reports into functional groups. You can share report groups with other users.
Click Actions to perform the following actions:
•
•
•
•
•
Actions
•
•
•
•
Create - Select this option to create a new report.
Edit - Select this option to edit the selected report. You can also double-click a
report to edit the content.
Duplicate - Select this option to duplicate or rename the selected report.
Assign Groups - Select this option to assign the selected report to a report
group.
Share - Select this option to share the selected report with other users. You
must have administrative privileges to share reports.
Toggle Scheduling - Select this option to toggle the selected report to the
Active or Inactive state.
Run Report - Select this option to generate the selected report. To generate
multiple reports, hold the Control key and click on the reports you want to
generate.
Run Report on Raw Data - Select this option to generate the selected report
using raw data. This option is useful when you want to generate a report before
the required accumulated data is available. For example, if you want to run a
weekly report before a full week has elapsed since you created the report, you
can generate the report using this option.
Delete Report - Select this option to delete the selected report. To delete
multiple reports, hold the Control key and click on the reports you want to
delete.
Option
Description
•
Hide
Interactive
Reports
Delete Generated Content - Select this option to delete all generated content
for the selected rows. To delete multiple generated reports, hold the Control
key and click on the generate reports you want to delete.
Select this check box to hide inactive report templates. The Reports tab automatically
refreshes and displays only active reports. Clear the check box to show the hidden inactive
reports.
Type your search criteria in the Search Reports field and click the Search
Reports icon. A search is run on the following parameters to determine which match
your specified criteria:
Search
Reports
•
•
•
•
•
Report Title
Report Description
Report Group
Report Groups
Report Author User Name
Table 1. Report toolbar options
Creating custom reports
Use the Report wizard to create and customize a new report.
Before you begin
You must have appropriate network permissions to share a generated report with other users.
For more information about permissions, see the IBM® QRadar® Administration Guide.
About this task
The Report wizard provides a step-by-step guide on how to design, schedule, and generate reports.
The wizard uses the following key elements to help you create a report:
•
•
•
Layout - Position and size of each container
Container - Placeholder for the featured content
Content - Definition of the chart that is placed in the container
After you create a report that generates weekly or monthly, the scheduled time must elapse before
the generated report returns results. For a scheduled report, you must wait the scheduled time
period for the results to build. For example, a weekly search requires seven days to build the data.
This search will return results after 7 days.
When you specify the output format for the report, consider that the file size of generated reports
can be one to 2 megabytes, depending on the selected output format. PDF format is smaller in size
and does not use a large quantity of disk storage space.
Procedure
1.
2.
3.
4.
Click the Reports tab.
From the Actions list box, select Create.
On the Welcome to the Report wizard! window, click Next.
Select one of the following options:
Option
Description
ManuallyBy default, the report generates 1 time. You can generate the report as often as you
Hourly
Daily
want.
Schedules the report to generate at the end of each hour. The data from the
previous hour is used.
From the list boxes, select a time frame to begin and end the reporting cycle. A
report is generated for each hour within this time frame. Time is available in halfhour increments. The default is 1:00 a.m for both the From and To fields.
Schedules the report to generate at the end of each day. The data from the previous
day is used.
From the list boxes, select the time and the days of the week that you want the
report to run.
Weekly Schedules the report to generate weekly using the data from the previous calendar
week, from Monday to Sunday.
Select the day that you want to generate the report. The default is Monday. From
the list box, select a time to begin the reporting cycle. Time is available in half-hour
increments. The default is 1:00 a.m.
Monthly Schedules the report to generate monthly using the data from the previous
calendar month.
From the list box, select the date that you want to generate the report. The default
is the first day of the month. Select a time to begin the reporting cycle. Time is
available in half-hour increments. The default is 1:00 a.m.
5. In the Allow this report to generate manually pane, Yes or No.
6. Configure the layout of your report:
a. From the Orientation list box, select Portrait or Landscape for the page orientation.
b. Select one of the six layout options that are displayed on the Report wizard.
c. Click Next .
7. Specify values for the following parameters:
Parameter
Values
Report Title
The title can be up to 60 characters in length. Do not use special characters.
Parameter
Values
Logo
From the list box, select a logo.
Pagination
Options
From the list box, select a location for page numbers to display on the report. You can
choose not to have page numbers display.
Report
Type a classification for this report. You can type up to 75 characters in length. You
Classification can use leading spaces, special characters, and double byte characters. The report
classification displays in the header and footer of the report. You might want to
classify your report as confidential, highly
confidential, sensitive, or internal.
8. Configure each container in the report:
a. From the Chart Type list box, select a chart type.
b. On the Container Details window, configure the chart parameters.
Note: You can also create asset saved searches. From the Search to use list box,
select your saved search.
c. Click Save Container Details.
d. If you selected more than one container, repeat steps a to c.
e. Click Next .
9. Preview the Layout Preview page, and then click Next.
10. Select the check boxes for the report formats you want to generate, and then click Next.
Important: Extensible Markup Language is only available for tables.
11. Select the distribution channels for your report, and then click Next. Options include the
following distribution channels:
Option
Description
Report Console
Select this check box to send the generated report to
the Reports tab. Report Console is the default distribution channel.
Select the users that
This option displays after you select the Report Console check
should be able to view the box.
generated report.
Select all users
Email
From the list of users, select the users that you want to grant
permission to view the generated reports.
This option is only displayed after you select the Report
Console check box. Select this check box if you want to grant
permission to all users to view the generated reports.
You must have appropriate network permissions to share the
generated report with other users.
Select this check box if you want to distribute the generated
report by email.
Option
Description
Enter the report
distribution email
address(es)
This option is only displayed after you select the Email check box.
Type the email address for each generated report recipient;
separate a list of email addresses with commas. The maximum
characters for this parameter are 255.
Email recipients receive this email from
no_reply_reports@qradar.
Include Report as
attachment (non-HTML
only)
This option is only displayed after you select the Email check box. Select
this check box to send the generated report as an attachment.
Include link to Report
Console
This option is only displayed after you select the Email check box.
Select this check box to include a link to the Report Console in the
email.
12. On the Finishing Up page, enter values for the following parameters.
Option
Description
Report Description
Type a description for this report. The description is displayed
on the Report Summary page and in the generated report
distribution email.
Please select any groups you
would like this report to be a
member of
Select the groups to which you want to assign this report. For
more information about groups, see Report groups.
Would you like to run the report Select this check box if you want to generate the report when
now?
the wizard is complete. By default, the check box is selected.
13. Click Next to view the report summary.
14. On the Report Summary page, select the tabs available on the summary report to preview
your report configuration.
Results
The report immediately generates. If you cleared the Would you like to run the report now check
box on the final page of the wizard, the report is saved and generates at the scheduled time. The
report title is the default title for the generated report. If you reconfigure a report to enter a new
report title, the report is saved as a new report with the new name; however, the original report
remains the same.
Deleting generated content
When you delete generated content, all reports that have generated from the report template are
deleted, but the report template is retained.
Procedure
1. Click the Reports tab.
2. Select the reports for which you want to delete the generated content.
3. From the Actions list box, click Delete Generated Content.
Manually generating a report
A report can be configured to generate automatically, however, you can manually generate a report
at any time.
About this task
While a report generates, the Next Run Time column displays one of the three following messages:
•
•
•
Generating - The report is generating.
Queued (position in the queue) - The report is queued for generation. The message
indicates the position that the report is in the queue. For example, 1 of 3.
(x hour(s) x min(s) y sec(s)) - The report is scheduled to run. The message is a count-down
timer that specifies when the report will run next.
You can select the Refresh icon to refresh the view, including the information in the Next Run
Time column.
Procedure
1. Click the Reports tab.
2. Select the report that you want to generate.
3. Click Run Report.
What to do next
After the report generates, you can view the generated report from the Generated Reports column.
TASK: 6.2 Utilize different search types
SUBTASKS:
6.2.1. Save search criteria for further use
6.2.2. Use AQL for searches
6.2.3. When to use quick search
6.2.4. Query with dynamic search
Querying with dynamic search
Use the dynamic search API to search for data that involves aggregated functions, such
as COUNT, SUM, MAX, and AVG. For example, you can count the number of asset IDs per asset
hostname by using the COUNT_PER function.
About this task
You can build your query on the following data sources:
•
•
•
Assets
Offenses
Vulninstances
You can add a field without a function as a simple field, or you can add a field with a function as a
complex field to build columns. You can also add conditions to filter your data.
Procedure
1.
2.
3.
4.
5.
Click the Admin tab.
In the Dynamic Search section, click Dynamic Search.
Select a Data Source.
Complete the Available Columns and Available Filters sections.
To add a name, description, range of the search, retention period, or search type to your
query, enable one or more Extra Search Properties.
6. To copy your JSON script, click Generate JSON.
Your results appear in the JSON generated by your query section. Click Copy to
Clipboard to copy your JSON script.
7. To reset your selections, click Reset.
8. Click Run Query.
Results
The results of your query are listed in plain text or link format. For example, if you chose to query
the ASSET_ID field, you can click the results to view the Asset Summary window for each asset ID.
Converting a saved search to an AQL string
Convert a saved search to an AQL string and modify it to create your own searches to quickly find
the data you want. Now you can create searches faster than by typing the search criteria. You can
also save the search for future use.
Procedure
1. Click the Log Activity or Network Activity tab.
2.
3.
4.
5.
6.
7.
8.
9.
From the Search list, select New Search or Edit Search.
Select a previously saved search.
Click Show AQL.
From the AQL window, click Copy to Clipboard.
In the Search Mode section, click Advanced Search.
Paste the AQL string text into the Advanced Search text box.
Modify the string to include the data you want to find.
Click Search to display the results.
What to do next
Save the search criteria so that the search appears in your list of saved searches and can be reused.
AQL search string examples
Use the Ariel Query Language (AQL) to retrieve specific fields from the events, flows, and simarc
tables in the Ariel database.
Note: When you build an AQL query, if you copy text that contains single quotation marks from any
document and paste the text into IBM® QRadar®, your query will not parse. As a workaround, you can paste
the text into QRadar and retype the single quotation marks, or you can copy and paste the text from the IBM
Knowledge Center.
Reporting account usage
Different user communities can have different threat and usage indicators.
Use reference data to report on several user properties, for example, department, location, or
manager. You can use external reference data.
The following query returns metadata information about the user from their login events.
SELECT
REFERENCETABLE('user_data','FullName',username) as 'Full Name',
REFERENCETABLE('user_data','Location',username) as 'Location',
REFERENCETABLE('user_data','Manager',username) as 'Manager',
DISTINCTCOUNT(username) as 'Userid Count',
DISTINCTCOUNT(sourceip) as 'Source IP Count',
COUNT(*) as 'Event Count'
FROM events
WHERE qidname(qid) ILIKE '%logon%'
GROUP BY 'Full Name', 'Location', 'Manager'
LAST 1 days
Insight across multiple account identifiers
In this example, individual users have multiple accounts across the network. The organization
requires a single view of a users activity.
Use reference data to map local user IDs to a global ID.
The following query returns the user accounts that are used by a global ID on events that are
flagged as suspicious.
SELECT
REFERENCEMAP('GlobalID Mapping',username) as 'Global ID',
REFERENCETABLE('user_data','FullName', 'Global ID') as 'Full Name',
DISTINCTCOUNT(username),
COUNT(*) as 'Event count'
FROM events
WHERE RULENAME(creEventlist) ILIKE '%suspicious%'
GROUP BY 'Global ID'
LAST 1 days
The following query shows the activities that are completed by a global ID.
SELECT
QIDNAME(qid) as 'Event name',
starttime as 'Time',
sourceip as 'Source IP', destinationip as 'Destination IP',
username as 'Event Username',
REFERENCEMAP('GlobalID_Mapping', username)as 'Global User'
FROM events
WHERE 'Global User' = 'John Doe'
LAST 1 days
Identify suspicious long-term beaconing
Many threats use command and control to communicate periodically over days, weeks, and months.
Advanced searches can identify connection patterns over time. For example, you can query
consistent, short, low volume, number of connections per day/week/month between IP addresses,
or an IP address and geographical location.
The following query detects potential instances of hourly beaconing.
SELECT sourceip, destinationip,
DISTINCTCOUNT(DATEFORMAT(starttime,'HH')) as 'different hours',
COUNT(*) as 'total flows'
FROM flows
WHERE flowdirection = 'L2R'
GROUP BY sourceip, destinationip
HAVING "different hours" > 20
AND "total flows" < 25
LAST 24 hours
Tip: You can modify this query to work on proxy logs and other event types.
The following query detects potential instances of daily beaconing.
SELECT sourceip, destinationip,
DISTINCTCOUNT(DATEFORMAT(starttime,'dd'))as 'different days',
COUNT(*) as 'total flows'
FROM flows
WHERE flowdirection='L2R'
GROUP BY sourceip, destinationip
HAVING "different days" > 4
AND "total flows" < 14
LAST 7 days
The following query detects daily beaconing between a source IP and a destination IP. The
beaconing times are not at the same time each day. The time lapse between beacons is short.
SELECT
sourceip,
LONG(DATEFORMAT(starttime,'hh')) as hourofday,
(AVG( hourofday*hourofday) - (AVG(hourofday)^2))as variance,
COUNT(*) as 'total flows'
FROM flows
GROUP BY sourceip, destinationip
HAVING variance < 01 and "total flows" < 10
LAST 7 days
The following query detects daily beaconing to a domain by using proxy log events. The beaconing
times are not at the same time each day. The time lapse between beacons is short.
SELECT sourceip,
LONG(DATEFORMAT(starttime,'hh')) as hourofday,
(AVG(hourofday*hourofday) - (AVG(hourofday)^2)) as variance,
COUNT(*) as 'total events'
FROM events
WHERE LOGSOURCEGROUPNAME(devicegrouplist) ILIKE '%proxy%'
GROUP BY url_domain
HAVING variance < 0.1 and "total events" < 10
LAST 7 days
The url_domain property is a custom property from proxy logs.
External threat intelligence
Usage and security data that is correlated with external threat intelligence data can provide
important threat indicators.
Advanced searches can cross-reference external threat intelligence indicators with other security
events and usage data.
This query shows how you can profile external threat data over many days, weeks, or months to
identify and prioritize the risk level of assets and accounts.
Select
REFERENCETABLE('ip_threat_data','Category',destinationip) as 'Category',
REFERENCETABLE('ip_threat_data','Rating', destinationip) as 'Threat Rating',
DISTINCTCOUNT(sourceip) as 'Source IP Count',
DISTINCTCOUNT(destinationip) as 'Destination IP Count'
FROM events
GROUP BY 'Category', 'Threat Rating'
LAST 1 days
Asset intelligence and configuration
Threat and usage indicators vary by asset type, operating system, vulnerability posture, server
type, classification, and other parameters.
In this query, advanced searches and the asset model provide operational insight into a location.
The Assetproperty function retrieves property values from assets, which enables you to include
asset data in the results.
SELECT
ASSETPROPERTY('Location',sourceip) as location,
COUNT(*) as 'event count'
FROM events
GROUP BY location
LAST 1 days
The following query shows how you can use advanced searches and user identity tracking in the
asset model.
The AssetUser function retrieves the user name from the asset database.
SELECT
APPLICATIONNAME(applicationid) as App,
ASSETUSER(sourceip, now()) as srcAssetUser,
COUNT(*) as 'Total Flows'
FROM flows
WHERE srcAssetUser IS NOT NULL
GROUP BY App, srcAssetUser
ORDER BY "Total Flows" DESC
LAST 3 HOURS
Network LOOKUP function
You can use the Network LOOKUP function to retrieve the network name that is associated with
an IP address.
SELECT NETWORKNAME(sourceip) as srcnet,
NETWORKNAME(destinationip) as dstnet
FROM events
Rule LOOKUP function
You can use the Rule LOOKUP function to retrieve the name of a rule by its ID.
SELECT RULENAME(123) FROM events
The following query returns events that triggered a specific rule name.
SELECT * FROM events
WHERE RULENAME(creEventList) ILIKE '%my rule name%'
Full TEXT SEARCH
You can use the TEXT SEARCH operator to do full text searches by using the Advanced
search option.
In this example, there are a number of events that contain the word "firewall" in the payload. You
can search for these events by using the Quick filter option and the Advanced search option on
the Log Activity tab.
•
•
To use the Quick filter option, type the following text in the Quick filter box: 'firewall'
To use the Advanced search option, type the following query in the Advanced search box:
SELECT QIDNAME(qid) AS EventName, * from events where TEXT SEARCH
'firewall'
Custom property
You can access custom properties for events and flows when you use the Advanced search option.
The following query uses the custom property "MyWebsiteUrl" to sort events by a particular web URL:
SELECT "MyWebsiteUrl", * FROM events ORDER BY "MyWebsiteUrl"
TASK: 6.3 Manage offenses
SUBTASKS:
6.3.1. Understand how offense renaming works
• Hot and Cold rules
6.3.2. Demonstrate how offense indexing Works
6.3.3. Demonstrate how offense indexing is related to offense chaining
6.3.4. Set offense prioritization with rule action options
6.3.5. Implement Soft Clean SIM data clean
6.3.6. Understand how and why to protect offenses
Offense chaining
IBM® QRadar® chains offenses together to reduce the number of offenses that you need to review,
which reduces the time to investigate and remediate the threat.
Offense chaining helps you find the root cause of a problem by connecting multiple symptoms
together and showing them in a single offense. By understanding how an offense changed over
time, you can see things that might be overlooked during your analysis. Some events that would not
be worth investigating on their own might suddenly be of interest when they are correlated with
other events to show a pattern.
Offense chaining is based on the offense index field that is specified on the rule. For example, if your
rule is configured to use the source IP address as the offense index field, there is only one offense
that has that source IP address for while the offense is active.
You can identify a chained offense by looking for preceded by in the Description field on
the Offense Summary page. In the following example, QRadar combined all of the events that
fired for each of the three rules into one offense, and appended the rule names to
the Description field:
Exploit Followed By Suspicious Host Activity - Chained
preceded by Local UDP Scanner Detected
preceded by XForce Communication to a known Bot Command and Control
Offense indexing
Offense indexing provides the capability to group events or flows from different rules indexed on
the same property together in a single offense.
IBM® QRadar® uses the offense index parameter to determine which offenses to chain together.
For example, an offense that has only one source IP address and multiple destination IP addresses
indicates that the threat has a single attacker and multiple victims. If you index this type of offense
by the source IP address, all events and flows that originate from the same IP address are added to
the same offense.
You can configure rules to index an offense based on any piece of information. QRadar includes a
set of predefined, normalized fields that you can use to index your offenses. If the field that you
want to index on is not included in the normalized fields, create a custom event or a custom flow
property to extract the data from the payload and use it as the offense indexing field in your rule.
The custom property that you index on can be based on a regular expression, a calculation, or an
AQL-based expression.
Offense indexing considerations
It is important to understand how offense indexing impacts your IBM QRadar deployment.
System performance
Ensure that you optimize and enable all custom properties that are used for offense indexing. Using
properties that are not optimized can have a negative impact on performance.
When you create a rule, you cannot select non-optimized properties in the Index offense based
on field. However, if an existing rule is indexed on a custom property, and then the custom property
is de-optimized, the property is still available in the offense index list. Do not de-optimize custom
properties that are used in rules.
Rule action and response
When the indexed property value is null, an offense is not created, even when you select the Ensure
the detected event is part of an offense check box in the rule action. For example, if a rule is
configured to create an offense that is indexed by host name, but the host name in the event is
empty, an offense is not created even though all of the conditions in the rule tests are met.
When the response limiter uses a custom property, and the custom property value is null, the limit
is applied to the null value. For example, if the response is Email, and the limiter says Respond no
more than 1 time per 1 hour per custom property, if the rule fires a second time with a null
property within 1 hour, an email will not be sent.
When you index using a custom property, the properties that you can use in the rule index and
response limiter field depends on the type of rule that you are creating. An event rule accepts
custom event properties in the rule index and response limiter fields, while a flow rule accepts only
custom flow properties. A common rule accepts either custom event or custom flow properties in
the rule index and response limiter fields.
You cannot use custom properties to index an offense that is created by a dispatched event.
Payload contents
Offenses that are indexed by the Ariel Query Language (AQL), a regular expression (regex), or by a
calculated property include the same payload as the initial event that generated the offense.
Offenses that are indexed by a normalized event field, such as Source IP or Destination IP, include
the event name and description as the custom rules engine (CRE) payload.
Example: Detecting malware outbreaks based on the MD5 signature
As a network security analyst for a large organization, you use QRadar to detect when a malware
outbreak occurs. You set the criteria for an outbreak as a threat that occurs across 10 hosts within 4
hours. You want to use the MD5 signature as the basis for this threat detection.
You configure IBM® QRadar to evaluate the incoming logs to determine whether a threat exists, and
then you group all of the fired rules that contain the same MD5 signature into a single offense.
1. Create a custom property to extract the MD5 signature from the logs. Ensure that the custom
property is optimized and enabled.
2. Create a rule and configure the rule to create an offense that uses the MD5 signature custom
property as the offense index field. When the rule fires, an offense is created. All fired rules
that have the same MD5 signature are grouped into one offense.
3. You can search by offense type to find the offenses that are indexed by the MD5 signature
custom property.
TASK: 6.4 Sharing content among users
SUBTASKS:
6.4.1. Share reports with other users
• Understand the available sharing options
6.4.2. Sharing dashboard items with other users
• Requirement to share a dashboard
• Available Parameters
6.4.3. How to share a search criterio
Sharing report groups
You can share report groups with other users.
Before you begin
You must have administrative permissions to share a report group with other users.
For more information about permissions, see the IBM® QRadar® Administration Guide.
You cannot use the Content Management Tool (CMT) to share report groups.
For more information about the CMT, see the IBM QRadar Administration Guide
About this task
On the Report Groups window, shared users can see the report group in the report list.
To view a generated report, the user must have permission to view the report.
Procedure
1. Click the Reports tab.
2. On the Reports window, click Manage Groups.
3. On the Report Groups window, select the report group that you want to share and
click Share.
4. On the Sharing Options window, select one of the following options.
Option
Description
Default (inherit from parent)
The report group is not shared.
Any copied report group or generated report remains in the
users report list.
Share with Everyone
Each report in the group is assigned any parent report
sharing option that was configured.
The report group is shared with all users.
Restriction: You must have the Admin security profile to share
search requirements.
Share with users matching the
following criteria...
The report group is shared with specific users.
User Roles
Select from the list of user roles and press the add icon
(+).
Option
Description
Security Profiles
Select from the list of security profiles and press the add
icon (+).
5. Click Save.
Results
On the Report Groups window, shared users see the report group in the report list. Generated reports
display content based on security profile setting.
QRadar: Sharing Dashboard Items
Question & Answer
Question
How do I create and share a custom Dashboard Item that can be shared with other users?
Answer
To create a Dashboard Item that can be shared with other users, there are three main
steps that need to be taken:
1. Create and share the Search Criteria, that the Dashboard Item will use.
2. Have Users modify the shared Search Criteria for use on their Dashboards.
3. Have Users add the shared Search Criteria as a Dashboard Item.
Create and share the Search Criteria, that the Dashboard Item will use
The following steps can be used to create a search that can be used as a Dashboard Item
for all users:
Note: The user account initiating this process must be in the Admin User Role. Only users
in the Admin User Role have the ability to share saved Search Criteria.
Parameter
Description
Search Name
Type the unique name that you want to assign to this search criteria. You will provide
this Search Name to other users that might want to use the search for their Dashboard
Item.
Select the check box for the group you want to assign this saved search. If you do not
Assign Search to
select a group, this saved search is assigned to the Other group by default. For more
Group(s)
information, see Managing search groups.
Manage Groups
If you want to manage search groups, click Manage Groups. For more information,
see Managing search groups.
Choose one of the following options:
Last Interval (auto refresh) - Select this option to filter your search results
while in auto-refresh mode. The Log Activity and Network Activity tabs
refreshes at one-minute intervals to display the most recent information.
• Recent - Select this option and from this list box, select the time range that you
want to filter for.
• Specific Interval - Select this option and from the calendar, select the date and
time range you want to filter for.
Include in my
If you want to include this search in your Quick Search list box on the toolbar, select this
Quick Searches check box.
•
Timespan
options:
Include in my
Dashboard
This check box must be checked to include the data from your saved search on the
Dashboard tab. For more information about the Dashboard tab, see Dashboard
management.
Note: This parameter is only displayed if the search is grouped.
Set as Default
If you want to set this search as your default search, select this check box.
Share with
Everyone
This check box must be checked to share the search criteria with all users.
1. Choose one of the following options:
o Click the Log Activity tab.
o Click the Network Activity tab.
2. Perform a search that uses at least one Group By option.
3. Click Search.
4. Click Save Criteria.
5. Enter a Search Name.
6. Assign the search to a Group.
7. Click Include in my Dashboard.
8. Click OK.
Have Users modify the shared Search Criteria for use on their Dashboards
The following steps are required by the Users that want to use the previously shared
Search Criteria as a Dashboard Item:
1. Choose one of the following options:
o To add a Flow search Dashboard Item, click the Network Activity tab.
o To add an Event search Dashboard Item, click the Log Activity tab
Note: If the Log Activity, or Network Activity tabs are not visible, the User
does not have proper permissions to view searches assigned to their User
account.
2. Navigate to Search > New Search.
3. Select the Search Name of the shared search that was provided by the User in the
Admin Role, from the Available Saved Searches list.
4. Click the Load icon.
5. Click any of the Search icons. The search results are displayed.
6. Enter a new name for the search.
7. Check the Include in my Dashboard check box.
8. Click Save Criteria.
9. Click OK.
Have Users add the shared Search Criteria as a Dashboard Item
Each user that wants to add the shared search as a Dashboard Item needs to do the
following:
1. Click the Dashboard tab.
2. In the Show Dashboard list, select the Dashboard you want to add the new
Dashboard Item to.
3. Choose one of the following options:
o To add a Log Activity search Dashboard Item, navigate to Add Item > Log
Activity > Event Searches.
o To add a Network Activity search Dashboard Item, navigate to Add Item >
Network Activity > Flow Searches.
4. Select the Search Name of the shared search, that was provided by the User in the
Admin Role, from the list. The new Dashboard Item is now added to the Dashboard
that you are currently on.
Section 7: Tenants and Domains
This section accounts for 8% of the exam (5 out of 62 questions).
TASK: 7.1 Differentiate network hierarchy and domain definition
SUBTASKS:
7.1.1. Assign parts of the network hierarchy to specific domains
7.1.2. Show that an event is assigned to a domain
• A single log source may provide events to multiple domains
7.1.3. Understand constraints for defining the network hierarchy
Domain segmentation
Segmenting your network into different domains helps to ensure that relevant information is available
only to those users that need it.
You can create security profiles to limit the information that is available to a group of users within
that domain. Security profiles provide authorized users access to only the information that is
required to complete their daily tasks. You modify only the security profile of the affected users,
and not each user individually.
You can also use domains to manage overlapping IP address ranges. This method is helpful when
you are using a shared IBM® QRadar® infrastructure to collect data from multiple networks. By
creating domains that represent a particular address space on the network, multiple devices that
are in separate domains can have the same IP address and still be treated as separate devices.
Figure 1. Domain segmentation
Overlapping IP addresses
An overlapping IP address is an IP address that is assigned to more than one device or logical unit,
such as an event source type, on a network. Overlapping IP address ranges can cause significant
problems for companies that merge networks after corporate acquisitions, or for Managed Security
Service Providers (MSSPs) who are bringing on new clients.
IBM® QRadar® must be able to differentiate events and flows that come from different devices and
that have the same IP address. If the same IP address is assigned to more than one event source,
you can create domains to distinguish them.
For example, let's look at a situation where Company A acquires Company B and wants to use
a shared instance of QRadar to monitor the new company's assets. The acquisition has a
similar network structure that results in the same IP address being used for different log
sources in each company. Log sources that have the same IP address cause problems with
correlation, reporting, searching, and asset profiling.
To distinguish the origin of the events and flows that come in to QRadar from the log source,
you can create two domains and assign each log source to a different domain. If required, you
can also assign each event collector and flow collector to the same domain as the log source
that sends events to them.
To view the incoming events by domain, create a search and include the domain information in
the search results.
Domain definition and tagging
Domains are defined based on IBM QRadar input sources. When events and flows come
into QRadar, the domain definitions are evaluated and the events and flows are tagged with the
domain information.
Specifying domains for events
The following diagram shows the precedence order for evaluating domain criteria for events.
Figure 1. Precedence order for events
These are the ways to specify domains for events:
Custom properties
You can apply custom properties to the log messages that come from a log source.
Important: When you create your custom event property, ensure that the Enable for use in Rules,
Forwarding Profiles and Search Indexing check box is selected.
To determine which domain that specific log messages belong to, the value of the custom
property is looked up against a mapping that is defined in the Domain Management editor.
This option is used for multi-address-range or multi-tenant log sources, such as file servers
and document repositories.
Disconnected Log Collector
You can use a Disconnected Log Collector (DLC) for domain mapping. DLCs append their universally
unique identifiers (UUIDs) to the Log Source Identifier value of the events they collect. Appending
the UUID to the Log Source Identifier value ensures that the Log Source Identifier is unique.
Log sources
You can configure specific log sources to belong to a domain.
This method of tagging domains is an option for deployments in which an Event
Collector can receive events from multiple domains.
Log source groups
You can assign log source groups to a specific domain. This option allows broader control over the
log source configuration.
Any new log sources that are added to the log source group automatically get the domain
tagging that is associated with the log source group.
Event collectors
If an event collector is dedicated to a specific network segment, IP address range, tenant, geographic
location, or business unit, you can flag that entire event collector as part of that domain.
All events that arrive at that event collector belong to the domain that the event collector is
assigned to, unless the log source for the event belongs to another domain based on other
tagging methods higher in precedence, such as a custom property.
Important:
If a log source is redirected from one event collector to another in a different domain, you
must add a domain mapping to the log source to ensure that events from that log source are
still assigned to the right domain.
Unless the log source is mapped to the right domain, nonadmin users with domain
restrictions might not see offenses that are associated with the log source.
Specifying domains for flows
The following diagram shows the precedence order for evaluating domain criteria for flows.
Figure 2. Precedence order for flows
These are the ways to specify domains for flows:
Flow collectors
You can assign specific QFlow collectors to a domain.
All flow sources that arrive at that flow collector belong to the domain; therefore, any new
auto-detected flow sources are automatically added to the domain.
Flow sources
You can designate specific flow sources to a domain.
This option is useful when a single QFlow collector is collecting flows from multiple network
segments or routers that contain overlapping IP address ranges.
Flow VLAN ID
You can designate specific VLANs to a domain.
This option is useful when you collect traffic from multiple network segments, often with
overlapping IP ranges. This VLAN definition is based on the Enterprise and Customer VLAN
IDs.
The following information elements are sent from QFlow when flows that contain VLAN information
are analyzed. These two fields can be assigned in a domain definition:
•
•
PEN 2 (IBM), element ID 82: Enterprise VLAN ID
PEN 2 (IBM), element ID 83: Customer VLAN ID
Specifying domains for scan results
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
You can also assign vulnerability scanners to a specific domain so that scan results are properly
flagged as belonging to that domain. A domain definition can consist of all QRadar input sources.
For more information about assigning your network to preconfigured domains, see Network
hierarchy.
Precedence order for evaluating domain criteria
When events and flows come into the QRadar system, the domain criteria is evaluated based on the
granularity of the domain definition.
If the domain definition is based on an event, the incoming event is first checked for any custom
properties that are mapped to the domain definition. If the result of a regular expression that is
defined in a custom property does not match a domain mapping, the event is automatically
assigned to the default domain.
If the event does not match the domain definition for custom properties, the following order of
precedence is applied:
1.
2.
3.
4.
DLC
Log source
Log source group
Event Collector
If the domain is defined based on a flow, the following order of precedence is applied:
1. Flow source
2. Flow Collector
If a scanner has an associated domain, all assets that are discovered by the scanner are
automatically assigned to the same domain as the scanner.
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6,
and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability
Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
Forwarding data to another
QRadar system
Domain information is removed when data is forwarded to another QRadar system. Events and
flows that contain domain information are automatically assigned to the default domain on the
receiving QRadar system. To identify which events and flows are assigned to the default domain,
you can create a custom search on the receiving system. You might want to reassign these
events and flows to a user-defined domain.
Creating domains
Use the Domain Management window to create domains based on IBM QRadar input sources.
About this task
Use the following guidelines when you create domains:
•
•
•
Everything that is not assigned to a user-defined domain is automatically assigned to the
default domain. Users who have limited domain access should not have administrative
privileges because this privilege grants unlimited access to all domains.
You can map the same custom property to two different domains, however the capture
result must be different for each one.
You cannot assign a log source, log source group, or event collector to two different domains.
When a log source group is assigned to a domain, each of the mapped attributes is visible in
the Domain Management window.
Security profiles must be updated with an associated domain. Domain-level restrictions are not
applied until the security profiles are updated, and the changes deployed.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Domain Management.
3. To add a domain, click Add and type a unique name and description for the domain.
Tip: You can check for unique names by typing the name in the Input domain name search
box.
4. Depending on the domain criteria to be defined, click the appropriate tab.
o To define the domain based on a custom property, log source group, log source, or
event collector, click the Events tab.
o To define the domain based on a flow source, flow collector, or data gateway, click
the Flows tab.
o To define the domain based on a scanner, including IBM QRadar Vulnerability
Manager scanners, click the Scanners tab.
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in
7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For
more information, see QRadar Vulnerability Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
5. To assign a custom property to a domain, in the Capture Result box, type the text that
matches the result of the regular expression (regex) filter.
Important: You must select the Optimize parsing for rules, reports, and searches check
box in the Custom Event Properties window to parse and store the custom event property.
Domain segmentation will not occur if this option is not checked.
6. From the list, select the domain criteria and click Add.
7. After you add the source items to the domain, click Create.
What to do next
Create security profiles to define which users have access to the domains. After you create the first domain in
your environment, you must update the security profiles for all non-administrative users to specify the domain
assignment. In domain-aware environments, non-administrative users whose security profile does not specify a
domain assignment will not see any log activity or network activity.
Review the hierarchy configuration for your network, and assign existing IP addresses to the
proper domains. For more information, see Network hierarchy.
Creating domains for VLAN flows
Use the Domain Management window to create domains based on IBM QRadar VLAN flow sources.
Creating domains for VLAN flows
Use the Domain Management window to create domains based on IBM® QRadar® VLAN flow
sources.
About this task
In QRadar, you can assign domains to incoming flows based on the VLAN information that is
contained in the flow. The incoming flows are mapped to domains that contain the same VLAN
definition.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Domain Management.
3. Click Add and type a unique name and description for the domain.
Tip: You can check for unique names by typing the name in the Input domain name search
box.
Figure 1. Input domain name
4. Click the Flows tab, and then select Flow VLAN IDs.
5. Select the enterprise VLAN ID and Customer VLAN ID values that match the values on the
incoming flows, and then click Add.
Notes:
o
o
The Enterprise VLAN ID (IE): 82 is specified by Private Enterprise Number (PEN): 2,
Information Element (IE) on incoming flows.
The Customer VLAN ID is specified by PEN: 2 and IE: 83 on incoming flows.
Figure 2. New Domain
6. In the Name field, type a unique name for the domain and then click Create.
Results
The domain definition is created and incoming flows are mapped. Tenant assignment to a domain
occurs as normal.Figure 3. Domain definition created
Domain privileges that are derived from security profiles
You can use security profiles to grant domain privileges and ensure that domain restrictions are
respected throughout the entire IBM QRadar system. Security profiles also make it easier to manage
privileges for a large group of users when your business requirements suddenly change.
Users can see only data within the domain boundaries that are set up for the security profiles
that are assigned to them. Security profiles include domains as one of the first criteria that is
evaluated to restrict access to the system. When a domain is assigned to a security profile, it
takes priority over other security permissions. After domain restrictions are evaluated,
individual security profiles are assessed to determine network and log permissions for that
particular profile.
For example, a user is given privileges to Domain_2 and access to network 10.0.0.0/8. That
user can see only events, offenses, assets, and flows that come from Domain_2 and contain an
address from the 10.0.0.0/8 network.
As a QRadar administrator, you can see all domains and you can assign domains to nonadministrative users. Do not assign administrative privileges to users whom you want to limit
to a particular domain.
Security profiles must be updated with an associated domain. Domain-level restrictions are
not applied until the security profiles are updated, and the changes are deployed.
When you assign domains to a security profile, you can grant access to the following types of
domains:
User-defined domains
You can create domains that are based on input sources by using the Domain Management tool.
For more information, see Creating domains.
Default domain
Everything that is not assigned to a user-defined domain is automatically assigned to the default
domain. The default domain contains system-wide events.
Note: Users who have access to the default domain can see system-wide events without restriction.
Ensure that this access is acceptable before you assign default domain access to users. All
administrators have access to the default domain.
Any log source that gets auto-discovered on a shared event collector (one that is not
explicitly assigned to a domain), is auto-discovered on the default domain. These log sources
require manual intervention. To identify these log sources, you must periodically run a
search in the default domain that is grouped by log source.
All domains
Users who are assigned to a security profile that has access to All Domains can see all active
domains within the system, the default domain, and any domains that were previously deleted
across the entire system. They can also see all domains that are created in the future.
Important: If you need to assign a user to a security profile which has a different domain profile, delete the
user account and recreate it.
If you delete a domain, it cannot be assigned to a security profile. If the user has the All
domains assignment, or if the domain was assigned to the user before it was deleted, the
deleted domain is returned in historical search results for events, flows, assets, and offenses.
You can't filter by deleted domains when you run a search.
Administrative users can see which domains are assigned to the security profiles on
the Summary tab in the Domain Management window.
Rule modifications in domain-aware environments
Rules can be viewed, modified, or disabled by any user who has both the Maintain Custom
Rules and View Custom Rules permissions, regardless of which domain that user belongs to.
Important: When you add the Log Activity capability to a user role, the Maintain Custom Rules and View
Custom Rules permissions are automatically granted. Users who have these permissions have access to all
log data for all domains, and they can edit rules in all domains, even if their security profile settings have
domain-level restrictions. To prevent domain users from being able to access log data and modify rules in
other domains, edit the user role and remove the Maintain Custom Rules and View Custom
Rules permissions.
Domain-aware searches
You can use domains as search criteria in custom searches. Your security profile controls which
domains you can search against.
System-wide events and events that are not assigned to a user-defined domain are automatically
assigned to the default domain. Administrators, or users who have a security profile that provides
access to the default domain, can create a custom search to see all events that are not assigned to a
user-defined domain.
The default domain administrator can share a saved search with other domain users. When the
domain user runs that saved search, the results are limited to their domain.
Domain-specific rules and offenses
A rule can work in the context of a single domain or in the context of all domains. Domain-aware
rules provide the option of including the And Domain Is test.
The following diagram shows an example using multiple domains.
Figure 1. Domain aware rules
You can restrict a rule so that it is applied only to events that are happening within a specified
domain. An event that has a domain tag that is different from the domain that is set on the rule
does not trigger an event response.
In an IBM® QRadar® system that does not have user-defined domains, a rule creates an
offense and keeps contributing to it each time the rule fires. In a domain-aware environment, a
rule creates a new offense each time the rule is triggered in the context of a different domain.
Rules that work in the context of all domains are referred to as system-wide rules. To create a
system-wide rule that tests conditions across the entire system, select Any Domain in the
domain list for the And Domain Is test. An Any Domain rule creates an Any Domain offense.
Single-domain rule
If the rule is a stateful rule, the states are maintained separately for each domain. The rule
is triggered separately for each domain. When the rule is triggered, offenses are created
separately for each domain that is involved and the offenses are tagged with those
domains.
Single-domain offense
The offense is tagged with the corresponding domain name. It can contain only events that
are tagged with that domain.
System-wide rule
If the rule is a stateful rule, a single state is maintained for the whole system and domain
tags are ignored. When the rule runs, it creates or contributes to a single system-wide
offense.
System-wide offense
The offense is tagged with Any Domain. It contains only events that are tagged with all
domains.
The following table provides examples of domain-aware rules. The examples use a system that
has three domains that are defined: Domain_A, Domain_B, and Domain_C.
The rule examples in the following table may not be applicable in your QRadar environment.
For example, rules that use flows and offenses are not applicable in IBM QRadar Log Manager.
Domain text
domain is one of:
Domain_A
domain is one of:
Domain_A and a
stateful test that is
defined as when
HTTP flow is
detected 10 times
within 1 minute
Explanation
Rule response
Looks only at events that are tagged
Creates or contributes to an
with Domain_A and ignores rules that are offense that is tagged
with Domain_A.
tagged with other domains.
Creates or contributes to an
Looks only at events that are tagged
offense that is tagged
with Domain_A and ignores rules that are with Domain_A. A single state, an
tagged with other domains.
HTTP flow counter, gets
maintained for Domain_A.
For data that is tagged
with Domain_A, it creates or
Looks only at events that are tagged
contributes to a single domain
with Domain_A and Domain_B and ignores
offense that is tagged
events that are tagged with Domain_C.
with Domain_A.
domain is one of:
Domain_A, Domain_B This rule behaves as two independent
instances of a single domain rule, and
creates separate offenses for different
domains.
domain is one of:
Domain_A,
Domain_B and a
stateful test that is
defined as when
HTTP flow is
detected 10 times
within 1 minute
For data that is tagged
with Domain_B, it creates or
contributes to a single domain
offense that is tagged
with Domain_B.
When the rule detects 10 HTTP
flows that are tagged
Looks only at events that are tagged
with Domain_A within a minute, it
with Domain_A and Domain_B and ignores creates or contributes to an
events that are tagged with Domain_C.
offense that is tagged
with Domain_A.
This rule behaves as two independent
instances of a single domain rule, and
When the rule detects 10 HTTP
flows that are tagged
maintains two separate states (HTTP
with Domain_B within a minute, it
flow counters) for two different
domains.
creates or contributes to an
offense that is tagged
with Domain_B.
Domain text
Explanation
Rule response
Each independent domain has
Looks at events that are tagged with all
offenses that are generated for it,
No domain test defineddomains and creates or contributes to
but offenses do not contain
offenses on a per-domain basis.
contributions from other domains.
A rule has a stateful
test that is defined
as when HTTP flow is
Maintains separate states and
Looks at events that are tagged
detected 10 times
creates separate offenses for each
with Domain_A, Domain_B, or Domain_C.
within 1 minute and
domain.
no domain test is
defined
Creates or contributes to a single
domain is one of: Any Looks at all events, regardless of which
system-wide offense that is tagged
Domain
domain it is tagged with.
with Any Domain.
Creates or contributes to a single
system-wide offense that is tagged
with Any Domain.
domain is one of: Any
For example, if it detects 3 events
Domain and a stateful
Looks at all events, regardless of which
that are tagged with Domain_A, 3
test that is defined
domain it is tagged with, and it
as when HTTP flow is
events that are tagged
maintains a single state for all domains.
with Domain_B, and 4 events that
detected 10 times
within 1 minute
are tagged with Domain_C within 1
minute, it creates an offense
because it detected 10 events in
total.
When the domain test includes Any
domain is one of: Any Works the same as a rule that
Domain, any single domains that
Domain, Domain_A has domain is one of: Any Domain.
are listed are ignored.
Table 1. Domain-aware rules
When you view the offense table, you can sort the offenses by clicking the Domain column.
The Default Domain is not included in the sort function so it does not appear in alphabetical
order. However, it appears at the top or bottom of the Domain list, depending on whether the
column is sorted in ascending or descending order. Any Domain does not appear in the list of
offenses.
Example: Domain privilege assignments based on custom properties
If your log files contain information that you want to use in a domain definition, you can expose the
information as a custom event property.
You assign a custom property to a domain based on the capture result. You can assign the
same custom property to multiple domains, but the capture results must be different.
For example, a custom event property, such as userID, might evaluate to a single user or a list
of users. Each user can belong to only one domain.
In the following diagram, the log sources contain user identification information that is
exposed as a custom property, userID. The event collector returns two user files, and each
user is assigned to only one domain. In this case, one user is assigned to Domain: 9 and the
other user is assigned to Domain: 12.
Figure 1. Assigning domains by using custom event property
If the capture results return a user that is not assigned to a specific user-defined domain, that
user is automatically assigned to the default domain. Default domain assignments require
manual intervention. Perform periodic searches to ensure that all entities in the default domain
are correctly assigned.
Important: Before you use a custom property in a domain definition, ensure that Optimize
parsing for rules, reports, and searches is checked on the Custom Event Properties window.
This option ensures that the custom event property is parsed and stored when IBM®
QRadar® receives the event for the first time. Domain segmentation doesn't occur if this option is
not checked.
Guidelines for defining your network hierarchy
Building a network hierarchy in IBM® QRadar® is an essential first step in configuring your
deployment. Without a well configured network hierarchy, QRadar cannot determine flow
directions, build a reliable asset database, or benefit from useful building blocks in rules.
Consider the following guidelines when you define your network hierarchy:
•
Organize your systems and networks by role or similar traffic patterns.
For example, you might organize your network to include groups for mail servers,
departmental users, labs, or development teams. Using this organization, you can
differentiate network behavior and enforce behaviour-based network management security
policies. However, do not group a server that has unique behavior with other servers on
your network. Placing a unique server alone provides the server greater visibility in QRadar,
and makes it easier to create specific security policies for the server.
•
•
Place servers with high volumes of traffic, such as mail servers, at the top of the group. This
hierarchy provides you with a visual representation when a discrepancy occurs.
Avoid having too many elements at the root level.
Large numbers of root level elements can cause the Network hierarchy page to take a long
time to load.
•
Do not configure a network group with more than 15 objects.
Large network groups can cause difficulty when you view detailed information for each
object. If your deployment processes more than 600,000 flows, consider creating multiple
top-level groups.
•
Conserve disk space by combining multiple Classless Inter-Domain Routings (CIDRs) or
subnets into a single network group.
For example, add key servers as individual objects, and group other major but related
servers into multi-CIDR objects.
Group
1
2
Description
Marketing
Sales
IP addresses
10.10.5.0/24
10.10.8.0/21
10.10.1.3/32
3
Database Cluster
10.10.1.4/32
10.10.1.5/32
Table 1. Example of multiple CIDRs and subnets in a single network group
•
Define an all-encompassing group so that when you define new networks, the appropriate
policies and behavior monitors are applied.
In the following example, if you add an HR department network, such as 10.10.50.0/24, to
the Cleveland group, the traffic displays as Cleveland-based and any rules you apply to the
Cleveland group are applied by default.
Group Subgroup
IP address
ClevelandCleveland miscellaneous10.10.0.0/16
ClevelandCleveland Sales
10.10.8.0/21
ClevelandCleveland Marketing
10.10.1.0/24
Table 2. Example of an all-encompassing group
•
In a domain-enabled environment, ensure that each IP address is assigned to the
appropriate domain.
Domains and log sources in multitenant
environments
Use domains to separate overlapping IP addresses, and to assign sources of data, such as events and
flows, into tenant-specific data sets.
When events or flows come into IBM® QRadar®, QRadar evaluates the domain definitions that are
configured, and the events and flows are assigned to a domain. A tenant can have more than one
domain. If no domains are configured, the events and flows are assigned to the default domain.
Domain segmentation
Domains are virtual buckets that you use to segregate data based on the source of the data. They are the
building blocks for multitenant environments. You configure domains from the following input sources:
•
•
•
•
•
Event and flow collectors
Flow sources
Log sources and log source groups
Custom properties
Scanners
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0
Update Package 6, and is no longer supported in any version of IBM QRadar. For more
information, see QRadar Vulnerability Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
A multitenant deployment might consist of a basic hardware configuration that includes
one QRadar Console, one centralized event processor, and then one event collector for each
customer. In this configuration, you define domains at the collector level, which then automatically
assigns the data that is received by QRadar to a domain.
To consolidate the hardware configuration even further, you can use one collector for multiple
customers. If log or flow sources are aggregated by the same collector but belong to different
tenants, you can assign the sources to different domains. When you use domain definitions at the
log source level, each log source name must be unique across the entire QRadar deployment.
If you need to separate data from a single log source and assign it to different domains, you can
configure domains from custom properties. QRadar looks for the custom property in the payload,
and assigns it to the correct domain. For example, if you configured QRadar to integrate with a
Check Point Provider-1 device, you can use custom properties to assign the data from that log
source to different domains.
Automatic log source detection
When domains are defined at the collector level and the dedicated event collector is assigned to a
single domain, new log sources that are automatically detected are assigned to that domain. For
example, all log sources that are detected on Event_Collector_1 are assigned to Domain_A. All log
sources that are automatically collected on Event_Collector_2 are assigned to Domain_B.
When domains are defined at the log source or custom property level, log sources that are
automatically detected and are not already assigned to a domain are automatically assigned to the
default domain. The MSSP administrator must review the log sources in the default domain and
allocate them to the correct client domains. In a multitenant environment, assigning log sources to a
specific domain prevents data leakage and enforces data separation across domains.
Network hierarchy updates in a multitenant
deployment
IBM® QRadar® uses the network hierarchy to understand and analyze the network traffic in
your environment. Tenant administrators who have the Define network hierarchy permission
can change the network hierarchy within their own tenant.
Network hierarchy changes require a full configuration deployment to apply the updates in
the QRadar environment. Full configuration deployments restart all QRadar services, and data
collection for events and flows stops until the deployment completes. Tenant administrators must
contact the Managed Security Service Provider (MSSP) administrator to deploy the changes. MSSP
administrators can plan the deployment during a scheduled outage, and notify all tenant
administrators in advance.
In a multitenant environment, the network object name must be unique across the entire
deployment. You cannot use network objects that have the same name, even if they are assigned to
different domains.
https://www.youtube.com/watch?v=Xrn7q9v3vAk
TASK: 7.2 Manage domains and tenants
SUBTASKS:
7.2.1. Understand domains and log sources in multi-tenant environments
• Domain segmentation
• Automatic log source detection
7.2.2. Create domains
7.2.3. Configure Apps in a multi-tenant environment
7.2.4. Manage retention policies in a multi-tenant environment
Creating domains
Use the Domain Management window to create domains based on IBM® QRadar® input sources.
About this task
Use the following guidelines when you create domains:
•
•
•
Everything that is not assigned to a user-defined domain is automatically assigned to the
default domain. Users who have limited domain access should not have administrative
privileges because this privilege grants unlimited access to all domains.
You can map the same custom property to two different domains, however the capture
result must be different for each one.
You cannot assign a log source, log source group, event collector, or data gateway to two
different domains. When a log source group is assigned to a domain, each of the mapped
attributes is visible in the Domain Management window.
Security profiles must be updated with an associated domain. Domain-level restrictions are not
applied until the security profiles are updated, and the changes deployed.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Domain Management.
3. To add a domain, click Add and type a unique name and description for the domain.
Tip: You can check for unique names by typing the name in the Input domain name search
box.
4. Depending on the domain criteria to be defined, click the appropriate tab.
o To define the domain based on a custom property, log source group, log source, event
collector, or data gateway, click the Events tab.
o To define the domain based on a flow source, click the Flows tab.
o To define the domain based on a scanner, including IBM QRadar Vulnerability
Manager scanners, click the Scanners tab.
5. To assign a custom property to a domain, in the Capture Result box, type the text that
matches the result of the regular expression (regex) filter.
Important: You must select the Optimize parsing for rules, reports, and searches check
box in the Custom Event Properties window to parse and store the custom event property.
Domain segmentation will not occur if this option is not checked.
6. From the list, select the domain criteria and click Add.
7. After you add the source items to the domain, click Create.
What to do next
Create security profiles to define which users have access to the domains. After you create the first
domain in your environment, you must update the security profiles for all non-administrative users to
specify the domain assignment. In domain-aware environments, non-administrative users whose
security profile does not specify a domain assignment will not see any log activity or network activity.
Review the hierarchy configuration for your network, and assign existing IP addresses to the
proper domains. For more information, see Network hierarchy.
Provisioning a new tenant
As a Managed Security Services Provider (MSSP) administrator, you are using a single instance
of IBM® QRadar® to provide multiple customers with a unified architecture for threat detection
and prioritization.
In this scenario, you are onboarding a new client. You provision a new tenant and create a tenant
administrator account that does limited administrative duties within their own tenant. You limit
the access of the tenant administrator so that they can't see or edit information in other tenants.
Before you provision a new tenant, you must create the data sources, such as log sources or flow
collectors, for the customer and assign them to a domain.
Complete the following tasks by using the tools on the Admin tab to provision the new tenant in QRadar:
1. To create the tenant, click Tenant Management.
For information about setting events per second (EPS) and flows per minute (FPM) limits for
each tenant, see Monitoring license usage in multitenant deployments.
2. To assign domains to the tenant, click Domain Management.
3. To create the tenant administrator role and grant the Delegated
Administration permissions, click User Roles.
In a multitenant environment, tenant users with Delegated administration permissions
can see only data for their own tenant environment. If you assign other administrative
permissions that are not part of Delegated Administration, access is no longer restricted to
that domain.
4. To create the tenant security profiles and restrict data access by specifying the tenant
domains, click Security Profiles.
5. To create the tenant users and assign the user role, security profile, and tenant, click Users.
Retention policies for tenants
You can configure up to 10 retention buckets for shared data, and up to 10 retention buckets for
each tenant. The default retention period is 30 days; then, the tenant data is automatically deleted.
To keep tenant data for longer than 30 days, you must configure a retention bucket. Until you
configure a retention bucket, all events or flows are stored in the default retention bucket for each
tenant.
If your QRadar® deployment has more than 10 tenants, you can configure a shared data retention
policy and use the domain filter to create a domain-based retention policy for each of the domains
within the tenant. Adding the domains specifies that the policy applies only to the data for that
tenant.
Creating domains
Use the Domain Management window to create domains based on IBM® QRadar® input sources.
About this task
Use the following guidelines when you create domains:
•
•
•
Everything that is not assigned to a user-defined domain is automatically assigned to the
default domain. Users who have limited domain access should not have administrative
privileges because this privilege grants unlimited access to all domains.
You can map the same custom property to two different domains, however the capture
result must be different for each one.
You cannot assign a log source, log source group, or event collector to two different domains.
When a log source group is assigned to a domain, each of the mapped attributes is visible in
the Domain Management window.
Security profiles must be updated with an associated domain. Domain-level restrictions are not
applied until the security profiles are updated, and the changes deployed.
Procedure
1. On the navigation menu ( ), click Admin.
2. In the System Configuration section, click Domain Management.
3. To add a domain, click Add and type a unique name and description for the domain.
Tip: You can check for unique names by typing the name in the Input domain name search
box.
4. Depending on the domain criteria to be defined, click the appropriate tab.
o To define the domain based on a custom property, log source group, log source, or
event collector, click the Events tab.
o To define the domain based on a flow source, flow collector, or data gateway, click
the Flows tab.
o To define the domain based on a scanner, including IBM QRadar Vulnerability
Manager scanners, click the Scanners tab.
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in
7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For
more information, see QRadar Vulnerability Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
5. To assign a custom property to a domain, in the Capture Result box, type the text that
matches the result of the regular expression (regex) filter.
Important: You must select the Optimize parsing for rules, reports, and searches check
box in the Custom Event Properties window to parse and store the custom event property.
Domain segmentation will not occur if this option is not checked.
6. From the list, select the domain criteria and click Add.
7. After you add the source items to the domain, click Create.
What to do next
Create security profiles to define which users have access to the domains. After you create the first
domain in your environment, you must update the security profiles for all non-administrative users to
specify the domain assignment. In domain-aware environments, non-administrative users whose
security profile does not specify a domain assignment will not see any log activity or network activity.
Review the hierarchy configuration for your network, and assign existing IP addresses to the
proper domains. For more information, see Network hierarchy.
QRadar apps overview
Download and install apps that extend QRadar® functionality from the IBM Security App Exchange.
The IBM Security App Exchange is a community-based sharing hub, that you use to share apps across IBM
Security products. By participating in App Exchange, you can use the rapidly assembled, innovative
workflows, visualizations, analytics, and use cases that are packaged into apps to address specific security
requirements. To detect and remediate against threats, you can use the security components from realtime correlation and behavioral modeling to custom responses and reference data. Easy-to-use solutions
are developed by partners, consultants, developers to address key security challenges.
Note: The combined memory requirements of all the apps that are installed on a QRadar Console cannot
exceed 10 per cent of the total available memory. If you install an app that causes the 10 per cent memory
limit to be exceeded, the app does not work.
QRadar apps workflow
IBM® QRadar apps are created by developers. After a developer creates an app, IBM certifies and
publishes it in the IBM Security App Exchange. QRadar administrators can then browse and
download the apps and then install the apps into QRadar to address specific security requirements.
The following diagram shows the workflow for an app and the role who is typically responsible for
the work.
Figure 1. App workflow
Installing apps in a multi-tenant environment
QRadar V7.4.0 and later includes support for multi-tenanted apps. A number of out of the box apps,
such as Pulse, Assistant, and Log Source Management, can be used in a multi-tenant environment.
Developers can also create and test apps that support multi-tenancy. To install apps in a multitenant environment, use the QRadar Assistant App.
FAQs about apps
Find out more about the apps that work with IBM QRadar, such as how to share your app, or find
out how to download apps from the IBM Security App Exchange.
FAQs about apps
Find out more about the apps that work with IBM® QRadar®, such as how to share your app, or
find out how to download apps from the IBM Security App Exchange.
•
•
•
•
•
•
•
•
What is an app?
Who can create an app?
How do I share my app?
How do I get an app that I downloaded into QRadar?
Where do I get help for an app?
How do I contact customer support for an app?
How much memory does an app need?
What is the difference between an app, an extension, and a content extension?
What is an app?
Apps create or add new functionality in QRadar by providing new tabs, API methods,
dashboard items, menus, toolbar buttons, configuration pages, and more within
the QRadar user interface. You download apps from the IBM Security App Exchange. Apps
that are created by using the GUI Application Framework Software Development Kit
integrate with the QRadar user interface to deliver new security intelligence capabilities or
extend the current functionality.
Every downloaded file from the IBM Security App Exchange is known as an extension. An
extension can consist of an app or security product enhancement (content extension) that is
packaged as an archive (.zip) file, which you can deploy on QRadar by using the Extensions
Management tool on the Admin tab.
Who can create an app?
You can use the GUI Application Framework Software Development Kit to create apps. For
more information about the GUI Application Framework Software Development Kit, see
the IBM Security QRadar App Framework Guide.
You download (https://exchange.xforce.ibmcloud.com/hub/extension/517ff786d70b6dfa3
9dde485af6cbc8b) the SDK from IBM developerWorks®.
How do I share my app?
Only certified content is shared in the IBM Security App Exchange, a new platform for
collaborating where you can respond quickly and address your security and platform
enhancement requirements. In the IBM Security App Exchange, you can find available apps,
discover their purpose, and what they look like, and learn what other users say about the
apps.
How do I get an app that I downloaded into QRadar?
A QRadar administrator downloads an extension, imports it into QRadar by using
the Extensions Management tool that is used to upload the downloaded extension from a
local source.
Where do I get help for an app?
You can see information about an app in the overview section when you download the app
from the IBM Security App Exchange. For apps developed solely by IBM, you can find
information in the IBM Knowledge Center.
In the Additional Information section in the IBM Security App Exchange, a link to the
documentation for the app provides you with up-to-date help.
How do I contact customer support for an app?
From the X-Force Application Exchange or from the QRadar Assistant app, select the app. On the
right side of the page, a Support section contains information about how to contact customer
support for apps that are created by IBM or by an IBM Business Partner.
How much memory does an app need?
The combined memory requirements of all the apps that are installed on a QRadar Console cannot
exceed 10 per cent of the total available memory. If you install an app that causes the 10 per cent
memory limit to be exceeded, the app does not work.
If your app requires a minimum memory allocation, you must provide information about it
in your app's documentation.
What is the difference between an app, an extension, and a content extension?
An extension is a term that is used for everything that you download from the IBM Security App
Exchange. Extensions that contain content only, such as rules, reports, searches, reference sets, and
dashboards, are referred to as content extensions. Some extensions contain apps that enhance the
features and functions of QRadar. Extensions that contain apps often include new content that is
designed to help you get the maximum benefit from the app features.
QRadar apps troubleshooting
If an IBM QRadar app is not working as expected, there are a number of troubleshooting techniques
and tools that you can use to help you find and fix issues. You can also use the log files for the app to
help you troubleshoot issues.
QRadar apps troubleshooting
If an IBM® QRadar® app is not working as expected, there are a number of troubleshooting
techniques and tools that you can use to help you find and fix issues. You can also use the log files
for the app to help you troubleshoot issues.
QRadar apps are installed in docker containers, and each app has their own logs, which are
separate from the QRadar logs. The QRadar logs contain messages and errors about the container
infrastructure.
Use the following table to help you find more troubleshooting information about apps:
Title
Link
Basic App Troubleshooting Before Opening
a QRadar Support Ticket
https://www.ibm.com/support/pages/node/716891
App Troubleshooting
https://www.ibm.com/support/pages/qradar-apptroubleshooting
QRadar application error: 'Cannot establish secure
connection to the console. Check if
https://www.ibm.com/support/pages/node/6217361
your QRadar Certificates are setup properly'
•
Running the recon tool
Use the recon tool to help find and fix IBM QRadar app issues, ranging from deployment
problems to the container environment and networking issues. Because it has access to
potentially modify your system, the tool requires root access to run.
Restrictions:
The recon tool is not available for IBM QRadar on Cloud.
The recon tool is available in QRadar V7.3.2 and later.
Before you begin
You need the latest auto updates bundle to run the recon tool. If auto updates are not enabled, follow
these steps:
1. Download the latest auto updates bundle from Fix
Central (https://www.ibm.com/support/fixcentral/).
2. Install the auto updates bundle by following the instructions in QRadar: How to
Manually Install the QRadar Weekly Auto Update
Bundle (https://www.ibm.com/support/docview.wss?uid=swg22003034).
About this task
Run the recon tool on the computer where your apps are running, either on the QRadar
Console or App Host.
Procedure
To run the recon tool, type the following command:
/opt/qradar/support/recon ps
If no issues are detected, the recon command output might look like the following example:
App-ID Name
Managed Host ID Workload ID
Name AB Container Name CDEGH Port IJKL
1001
QRadar Assistant 53
apps
++ qapp-1001
+++++ 5000 ++++
Service
qapp-1001
Legend:
Symbols:
n - Not Applicable
- - Failure
* - Warning
+ - Success
Checks:
Service:
A - Service exists in the workload file
B - Service is set to started
Container:
C - Container
D - Container
E - Container
G - Container
H - Container
is in ConMan workload file
environment file exists
image is in si-registry
Systemd Units are started
exists and is running in Docker
Port:
I - Container
J - Container
K - Container
L - Container
IP are in firewall main filter rules
IP and port is in iptables NAT filter rules
port has routes through Traefik
port is responsive on debug path
If a failure is detected, remediation steps are displayed.
Results
If the results of the recon command show that an app is not started, you must ensure that
the app is set to RUNNING in the API.
You can use the qappmanager support utility. For more information,
see https://www.ibm.com/support/pages/qradar-about-qappmanager-support-utility.
Domains and log sources in multitenant
environments
Use domains to separate overlapping IP addresses, and to assign sources of data, such as events and
flows, into tenant-specific data sets.
When events or flows come into IBM® QRadar®, QRadar evaluates the domain definitions that are
configured, and the events and flows are assigned to a domain. A tenant can have more than one
domain. If no domains are configured, the events and flows are assigned to the default domain.
Domain segmentation
Domains are virtual buckets that you use to segregate data based on the source of the data. They are the
building blocks for multitenant environments. You configure domains from the following input sources:
•
•
•
•
•
Event and flow collectors
Flow sources
Log sources and log source groups
Custom properties
Scanners
Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0
Update Package 6, and is no longer supported in any version of IBM QRadar. For more
information, see QRadar Vulnerability Manager: End of service product
notification (https://www.ibm.com/support/pages/node/6853425).
A multitenant deployment might consist of a basic hardware configuration that includes
one QRadar Console, one centralized event processor, and then one event collector for each
customer. In this configuration, you define domains at the collector level, which then automatically
assigns the data that is received by QRadar to a domain.
To consolidate the hardware configuration even further, you can use one collector for multiple
customers. If log or flow sources are aggregated by the same collector but belong to different
tenants, you can assign the sources to different domains. When you use domain definitions at the
log source level, each log source name must be unique across the entire QRadar deployment.
If you need to separate data from a single log source and assign it to different domains, you can
configure domains from custom properties. QRadar looks for the custom property in the payload,
and assigns it to the correct domain. For example, if you configured QRadar to integrate with a
Check Point Provider-1 device, you can use custom properties to assign the data from that log
source to different domains.
Automatic log source detection
When domains are defined at the collector level and the dedicated event collector is assigned to a
single domain, new log sources that are automatically detected are assigned to that domain. For
example, all log sources that are detected on Event_Collector_1 are assigned to Domain_A. All log
sources that are automatically collected on Event_Collector_2 are assigned to Domain_B.
When domains are defined at the log source or custom property level, log sources that are
automatically detected and are not already assigned to a domain are automatically assigned to the
default domain. The MSSP administrator must review the log sources in the default domain and
allocate them to the correct client domains. In a multitenant environment, assigning log sources to a
specific domain prevents data leakage and enforces data separation across domains.
TASK: 7.3 Allocate licenses for multi-tenant
SUBTASKS:
7.3.1. Monitor license usage in multi-tenant deployments
• How to view EPS rates per log source
• How to view EPS rates per domain
• How to view the EPS rate for an individual log source
• How to view the EPS rate for an individual domain
• Show that there is no spillover handling for per-tenant EPS limits
Monitoring license usage in multitenant
deployments
As the Managed Security Service Provider (MSSP) administrator, you monitor the event and flow
rates across the entire IBM® QRadar® deployment.
When you create a tenant, you can set limits for both events per second (EPS) and flows per minute
(FPM). By setting EPS and FPM limits for each tenant, you can better manage license capacities
across multiple clients. If you have a processor that is collecting events or flows for a single
customer, you do not need to assign tenant EPS and FPM limits. If you have a single processor that
collects events or flows for multiple customers, you can set EPS and FPM limits for each tenant.
If you set the EPS and FPM limits to values that exceed the limits of either your software licenses or
the appliance hardware, the system automatically throttles the events and flows for that tenant to
ensure that the limits are not exceeded. If you do not set EPS and FPM limits for tenants, each
tenant receives events and flows until either the license limits or the appliance limits are reached.
The licensing limits are applied to the managed host. If you regularly exceed the license limitations,
you can get a different license that is more suitable for your deployment.
Viewing the cumulative license limits in your deployment
The EPS and FPM rates that you set for each tenant are not automatically validated against your license
entitlements. To see the cumulative limits for the software licenses that are applied to the system as
compared to the appliance hardware limits, do these steps:
1. On the navigation menu ( ), click Admin to open the admin tab.
2. In the System Configuration section, click System and License Management.
3. Expand Deployment Details and hover your mouse pointer over Event Limit or Flow
Limit.
Viewing EPS rates per log source
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rates
for log sources.
1. On the Log Activity tab, select Advanced Search from the list on the Search toolbar.
2. To view the EPS per log source, type the following AQL query in the Advanced Search field:
3. select logsourcename(logsourceid) as LogSource, sum(eventcount) /
(24*60*60) as EPS from events
4. group by logsourceid
5. order by EPS desc
last 24 hours
Viewing EPS rates per domain
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rates
for domains.
1. On the Log Activity tab, select Advanced Search from the drop-down list box on
the Search toolbar.
2. To view the EPS per domain, type the following AQL query in the Advanced Search field:
3. select DOMAINNAME(domainid) as LogSource, sum(eventcount) / (24*60*60) as
EPS from events
4. group by domainid
5. order by EPS desc
last 24 hours
If you want to view average EPS rates for log sources only, click Log Sources in the Data
Sources pane on the Admin tab. You can use this to quickly identify configuration issues with log
sources that are failing to report.
Viewing individual license limits in your deployment
The EPS and FPM rates that you set for each tenant are not automatically validated against your
license entitlements. To see the individual limits for the software licenses that are applied to the
system as compared to the appliance hardware limits, do these steps:
1. On the navigation menu ( ), click Admin to open the admin tab.
2. In the System Configuration section, click System and License Management.
3. Expand Deployment Details and hover your mouse over Event Limit or Flow Limit.
Viewing the EPS rate for an individual log source
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rate
for an individual log source.
1. On the Log Activity tab, select Advanced Search from the list on the Search toolbar.
2. To get a log source ID, type the following AQL query in the Advanced Search field:
select domainid,logsourceid,LOGSOURCENAME(logsourceid) from events GROUP BY
domainid,logsourceid order by domainid ASC last 1 HOURS
3. To view the EPS rate for your selected log source, type the following AQL query in
the Advanced Search field:
4. select logsourcename(logsourceid) as LogSource, sum(eventcount) /
(24*60*60) as EPS from events
5. where logsourceid= logsourceid
6. group by logsourceid
7. order by EPS desc
last 24 hours
Viewing the EPS rate for an individual domain
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rate
for an individual domain.
1. On the Log Activity tab, select Advanced Search from the list on the Search toolbar.
2. To to get a domain ID, type the following AQL query in the Advanced Search field:
select domainid, DOMAINNAME(domainid) from events GROUP BY domainid last 1
HOURS
3. To view the EPS rate for your selected domain, type the following AQL query in
the Advanced Search field:
4. select DOMAINNAME(domainid) as LogSource, sum(eventcount) / (24*60*60) as
EPS from events
5. where domainid=domainid
6. group by domainid
7. order by EPS desc
last 24 hours
•
Detecting dropped events and flows
Events and flows are dropped when the IBM QRadar processing pipeline can't handle the
volume of incoming events and flows, or when the number of events and flows exceeds the
license limits for your deployment. You can look at the QRadar log file messages when these
situations occur.
SUBTASKS:
7.4.1. Understand user roles in a multi-tenant environment
• Service provider
• Tenants
7.4.2. Partition data by use of security profiles
User roles
A user role defines the functions that a user can access in IBM® QRadar®.
During the installation, four default user roles are defined: Admin, All, WinCollect, and Disabled.
Before you add user accounts, you must create the user roles to meet the permission requirements
of your users.
Creating a user role
Create user roles to manage the functions that a user can access in IBM QRadar. By default, your
system provides a default administrative user role, which provides access to all areas of QRadar.
About this task
Users who are assigned an administrative user role cannot edit their own account. This restriction
applies to the default Admin user role. Another administrative user must make any account
changes.
Procedure
1.
2.
3.
4.
Click the Admin tab.
In the User Management section, click User Roles and then click New.
In the User Role Name field, type a unique name.
Select the permissions that you want to assign to the user role.
The permissions that are visible on the User Role Management window depend on
which QRadar components are installed.
Important: If you select a user role that has Admin privileges, you must also grant that user
role the Admin security profile. See Creating a security profile.
Permission Description
Grants administrative access to the user interface. You can grant specific Admin
permissions.
Admin
Users with System Administrator permission can access all areas of the user interface.
Users who have this access cannot edit other administrator accounts.
Administrator Manager
Permission Description
Grants users permission to create and edit other administrative user accounts.
Remote Networks and Services Configuration
Grants users access to the Remote Networks and Services icon on
the Admin tab.
System Administrator
Grants users permission to access all areas of user interface. Users with this
access are not able to edit other administrator accounts.
Manage Local Only
Grants permission to assign and manage Local Only authentication. For more
information about Local Only authentication, see Assigning Local Only
authentication.
Grant users permissions to perform limited administrative functions. In a multi-tenant
Delegated environment, tenant users with Delegated Administration permissions can see only
Administrat data for their own tenant environment. If you assign other administrative permissions
that are not part of Delegated Administration, tenant users can see data for all
ion
tenants.
Grants administrative access to all functions on the Offenses tab.
Offenses
Users must have administrative access to create or edit a search group on
the Offenses tab.
User roles must have the Maintain Custom Rules permission to create and edit
custom rules.
Grants access to functions in the Log Activity tab. You can also grant specific
permissions:
Maintain Custom Rules
Grants permission to create or edit rules that are displayed on the Log
Activity tab.
Manage Time Series
Log Activity
Grants permission to configure and view time series data charts.
User Defined Event Properties
Grants permission to create custom event properties.
View Custom Rules
Grants permission to view custom rules. If granted to a user role that does not
also have the Maintain Custom Rules permission, the user role cannot create
or edit custom rules.
Network
Activity
Grants access to all the functions in the Network Activity tab. You can grant specific
access to the following permissions:
Permission Description
Maintain Custom Rules
Grants permission to create or edit rules that are displayed on the Network
Activity tab.
Manage Time Series
Grants permission to configure and view time series data charts.
User Defined Flow Properties
Grants permission to create custom flow properties.
View Custom Rules
Grants permission to view custom rules. If the user role does not also have
the Maintain Custom Rules permission, the user role cannot create or edit
custom rules.
View Flow Content
Grants permission to view source payload and destination payload in the flow
data details.
This permission is displayed only if IBM QRadar Vulnerability Manager is installed on
your system.
Grants access to the function in the Assets tab. You can grant specific permissions:
Perform VA Scans
Grants permission to complete vulnerability assessment scans. For more
information about vulnerability assessment, see the Managing Vulnerability
Assessment Guide.
Assets
Remove Vulnerabilities
Grants permission to remove vulnerabilities from assets.
Server Discovery
Grants permission to discover servers.
View VA Data
Grants permission to vulnerability assessment data. For more information
about vulnerability assessment, see the Managing Vulnerability Assessment
guide.
Grants permission to access all of the functions on the Reports tab.
Distribute Reports via Email
Reports
Grants permission to distribute reports through email.
Maintain Templates
Grants permission to edit report templates.
Permission Description
Risk
Manager
Grants users permission to access QRadar Risk Manager functions. QRadar Risk
Manager must be activated.
Grants permission to QRadar Vulnerability Manager function. QRadar
Vulnerability Manager must be activated.
Vulnerabilit
y Manager For more information, see the IBM QRadar Vulnerability
Manager (https://www.ibm.com/docs/en/SS42VS_7.5/com.ibm.qradar.doc/c_
qvm_vm_ov.html).
Grants permission to QRadar Incident Forensics capabilities.
Forensics
Create cases in Incident Forensics
Grants permission to create cases for collections of imported document and
pcap files.
IP Right
Click Menu Grants permission to options added to the right-click menu.
Extensions
Grants permission to Platform Configuration services.
Dismiss System Notifications
Grants permission to hide system notifications from the Messages tab.
Platform
Configuratio View Reference Data
n
Grants permission to view reference data when it is available in search results.
View System Notifications
Grants permission to view system notifications from the Messages tab.
QRadar Log
Source
Grants permission to the QRadar Log Source Management app.
Managemen
t
Pulse Grants permission to dashboards in the IBM QRadar Pulse app.
Dashboard
Pulse Threat
Globe
Grants permission to Threat Globe dashboard in the IBM QRadar Pulse app.
QRadar
Assistant
Grants permission to the IBM QRadar Assistant app.
QRadar Use
Case
Grants permission to the QRadar Use Case Manager app.
Manager
Table 1. User Role Management window permissions
5. In the Dashboards section of the User Role Management page, select the dashboards that you
want the user role to access, and click Add.
Tip: A dashboard displays no information when the user role does not have permission to
view dashboard data. If a user modifies the displayed dashboards, the defined dashboards
for the user role appear at the next login.
6. Click Save and close the User Role Management window.
7. On the Admin tab menu, click Deploy Changes.
Editing a user role
You can edit an existing role to change the permissions that are assigned to the role.
Editing a user role
You can edit an existing role to change the permissions that are assigned to the role.
About this task
To quickly locate the user role you want to edit on the User Role Management window, you can
type a role name in the Type to filter text box.
Procedure
1. On the Admin tab, click User Roles.
2. In the left pane of the User Role Management window, select the user role that you want to
edit.
3. In the right pane, update the permissions as necessary.
4. Modify the Dashboards options for the user role as necessary.
5. Click Save.
6. Close the User Role Management window.
7. On the Admin tab, click Deploy Changes.
Deleting a user role
If a user role is no longer required, you can delete the user role.
Deleting a user role
If a user role is no longer required, you can delete the user role.
About this task
If user accounts are assigned to the user role you want to delete, you must reassign the user
accounts to another user role. The system automatically detects this condition and prompts you to
update the user accounts.
You can quickly locate the user role that you want to delete on the User Role Management window.
Type a role name in the Type to filter text box, which is located above the left pane.
Procedure
1.
2.
3.
4.
On the Admin tab, click User Roles.
In the left pane of the User Role Management window, select the role that you want to delete.
On the toolbar, click Delete.
Click OK.
o If user accounts are assigned to this user role, the Users are Assigned to this User
Role window opens. Go to Step 7.
o If no user accounts are assigned to this role, the user role is successfully deleted. Go
to Step 8.
5. Reassign the listed user accounts to another user role:
o From the User Role to assign list box, select a user role.
o Click Confirm.
6. Close the User Role Management window.
7. On the Admin tab, click Deploy Changes.
Security profiles
Security profiles define which networks, log sources, and domains that a user can access.
QRadar® includes one default security profile for administrative users. The Admin security profile
includes access to all networks, log sources, and domains.
Before you add user accounts, you must create more security profiles to meet the specific access
requirements of your users.
Domains
Security profiles must be updated with an associated domain. You must define domains on
the Domain Management window before the Domains tab is shown on the Security Profile
Management window. Domain-level restrictions are not applied until the security profiles are
updated, and the changes are deployed.
Domain assignments take precedence over all settings on the Permission Precedence, Networks,
and Log Sources tabs.
If the domain is assigned to a tenant, the tenant name appears in brackets beside the domain name
in the Assigned Domains window.
Permission precedence
Permission precedence determines which security profile components to consider when the system
displays events in the Log Activity tab and flows in the Network Activity tab.
Choose from the following restrictions when you create a security profile:
•
•
•
•
No Restrictions - This option does not place restrictions on which events are displayed in
the Log Activity tab, and which flows are displayed in the Network Activity tab.
Network Only - This option restricts the user to view only events and flows that are
associated with the networks that are specified in this security profile.
Log Sources Only - This option restricts the user to view only events that are associated
with the log sources that are specified in this security profile.
Networks AND Log Sources - This option allows the user to view only events and flows that
are associated with the log sources and networks that are specified in this security profile.
For example, if the security profile allows access to events from a log source but the
destination network is restricted, the event is not displayed in the Log Activity tab. The
event must match both requirements.
•
Networks OR Log Sources - This option allows the user to view events and flows that are
associated with either the log sources or networks that are specified in this security profile.
For example, if a security profile allows access to events from a log source but the destination
network is restricted, the event is displayed on the Log Activity tab if the permission
precedence is set to Networks OR Log Sources. If the permission precedence is set
to Networks AND Log Sources, the event is not displayed on the Log Activity tab.
Permission precedence for offense data
Security profiles automatically use the Networks OR Log Sources permission when offense data is
shown. For example, if an offense has a destination IP address that your security profile permits
you to see, but the security profile does not grant permissions to the source IP address, the Offense
Summary window shows both the destination and source IP addresses.
Creating a security profile
To add user accounts, you must first create security profiles to meet the specific access
requirements of your users.
About this task
IBM® QRadar® SIEM includes one default security profile for administrative users. The Admin
security profile includes access to all networks, log sources, and domains.
To select multiple items on the Security Profile Management window, hold the Control key while
you select each network or network group that you want to add.
If after you add networks, log sources or domains you want to remove one or more before you save
the configuration, you can select the item and click the Remove (<) icon. To remove all items,
click Remove All.
Procedure
1. On the Admin tab, click Security Profiles.
2. On the Security Profile Management window toolbar, click New.
3. Configure the following parameters:
a. In the Security Profile Name field, type a unique name for the security profile. The
security profile name must meet the following requirements: minimum of 3
characters and maximum of 30 characters.
b. OptionalType a description of the security profile. The maximum number of
characters is 255.
4. Click the Permission Precedence tab.
5. In the Permission Precedence Setting pane, select a permission precedence option.
See Permission precedence.
6. Configure the networks that you want to assign to the security profile:
a. Click the Networks tab.
b. From the navigation tree in the left pane of the Networks tab, select the network that
you want this security profile to have access to.
c. Click the Add (>) icon to add the network to the Assigned Networks pane.
d. Repeat for each network you want to add.
7. Configure the log sources that you want to assign to the security profile:
a. Click the Log Sources tab.
b. From the navigation tree in the left pane, select the log source group or log source
you want this security profile to have access to.
c. Click the Add (>) icon to add the log source to the Assigned Log Sources pane.
d. Repeat for each log source you want to add.
8. Configure the domains that you want to assign to the security profile:
Domains must be configured before the Domains tab appears.
a. Click the Domains tab.
b. From the navigation tree in the left pane, select the domain that you want this
security profile to have access to.
c. Click the Add (>) icon to add the domain to the Assigned Domains pane.
d. Repeat for each domain that you want to add.
9. Click Save.
Note: The log sources and domains that are assigned to the security profile must match. If
the log sources and domains do not match, you cannot save the security profile .
10. Close the Security Profile Management window.
11. On the Admin tab, click Deploy Changes.
Editing a security profile
You can edit an existing security profile to update which networks and log sources a user can access
and the permission precedence.
Editing a security profile
You can edit an existing security profile to update which networks and log sources a user can access
and the permission precedence.
About this task
To quickly locate the security profile you want to edit on the Security Profile Management window,
type the security profile name in the Type to filter text box.
Procedure
1.
2.
3.
4.
5.
6.
On the Admin tab, click Security Profiles.
In the left pane, select the security profile that you want to edit.
On the toolbar, click Edit.
Update the parameters as necessary.
Click Save.
If the Security Profile Has Time Series Data window opens, select one of the following
options:
Option
Description
Keep Old
Data and
Save
Select this option to keep previously accumulated time series data. If you choose this
option, users with this security profile might see previous data that they no longer have
permission to see when they view time series charts.
Hide Old
Data and
Save
Select this option to hide the time series data. If you choose this option, time series data
accumulation restarts after you deploy your configuration changes.
7. Close the Security Profile Management window.
8. On the Admin tab, click Deploy Changes.
Duplicating a security profile
If you want to create a new security profile that closely matches an existing security profile, you can
duplicate the existing security profile and then modify the parameters.
About this task
To quickly locate the security profile you want to duplicate on the Security Profile
Management window, type the security profile name in the Type to filter text box.
Procedure
1.
2.
3.
4.
5.
6.
7.
8.
On the Admin tab, click Security Profiles.
In the left pane, select the security profile that you want to duplicate.
On the toolbar, click Duplicate.
In the Confirmation window, type a unique name for the duplicated security profile.
Click OK.
Update the parameters as necessary.
Close the Security Profile Management window.
On the Admin tab, click Deploy Changes.
Deleting a security profile
If a security profile is no longer required, you can delete the security profile.
About this task
If user accounts are assigned to the security profiles you want to delete, you must reassign the user
accounts to another security profile. IBM® QRadar® automatically detects this condition and
prompts you to update the user accounts.
To quickly locate the security profile you want to delete on the Security Profile
Management window, type the security profile name in the Type to filter text box.
Procedure
1.
2.
3.
4.
On the Admin tab, click Security Profiles.
In the left pane, select the security profile that you want to delete.
On the toolbar, click Delete.
Click OK.
o If user accounts are assigned to this security profile, the Users are Assigned to this
Security Profile window opens. Go to Deleting a user role.
If no user accounts are assigned to this security profile, the security profile is
successfully deleted. Go to Deleting a user role.
5. Reassign the listed user accounts to another security profile:
o From the User Security Profile to assign list box, select a security profile.
o Click Confirm.
6. Close the Security Profile Management window.
7. On the Admin tab, click Deploy Changes.
o
Section 8: Troubleshooting
This section accounts for 16% of the exam (10 out of 62 questions).
TASK: 8.1 Review and respond to system notifications
SUBTASKS:
8.1.1. Create system notifications
• System Notification Rule (or any rule with 'Notification' Response)
8.1.2. Locate system notifications
• Under the bell icon on GUI
• Custom Rule is System: Notification events in Log Activity
8.1.3. React to system notifications
License expired
38750123 - An allocated license has expired and is no longer valid.
Explanation
When a license expires on the console, a new license must be applied. When a license expires on a
managed host, the appliance continues to process events and flows up to the rate that is allocated
from the shared license pool.
When the license contributes EPS and FPM capacity to the shared license pool, the expiry might
force the shared license pool into a deficit where it does not have enough capacity to meet the
requirements of the deployment. In a deficit situation, functionality on the Network
Activity and Log Activity tabs is blocked.
User response
1. Determine which appliance has the expired license.
a. On the Admin tab, click System and License Management.
b. In the Display box, select Licenses.
Expired licenses are shown in the License Information Messages section.
2. If the expired license is on the console, replace it.
3. If the expired license is on a managed host, review the shared license pool to ensure that the
system has enough EPS and FPM capacity.
a. If the shared license pool is over-allocated, replace the expired license with a new
license that has enough EPS and FPM to meet the system capacity requirements.
b. If the license pool has enough capacity, delete the expired license. In
the License table, select the row for the expired license (shown nested beneath the
managed host summary row), and select Actions > Delete License.
Accumulator is falling behind
38750099 - The accumulator was unable to aggregate all events/flows for this
interval.
Explanation
This message appears when the system is unable to accumulate data aggregations within a 60second interval.
Every minute, the system creates data aggregations for each aggregated search. The data
aggregations are used in time-series graphs and reports and must be completed within a 60-second
interval. If the count of searches and unique values in the searches are too large, the time that is
required to process the aggregations might exceed 60 seconds. Time-series graphs and reports
might be missing columns for the time period when the problem occurred.
You do not lose data when this problem occurs. All raw data, events, and flows are still written to
disk. Only the accumulations, which are data sets that are generated from stored data, are
incomplete.
User response
The following factors might contribute to the increased workload that is causing the accumulator to fall
behind:
Frequency of the incomplete accumulations
If the accumulation fails only once or twice a day, the drops might be caused by increased system
load due to large searches, data compression cycles, or data backup.
Infrequent failures can be ignored. If the failures occur multiple times per day, during all
hours, you might want to investigate further.
High system load
If other processes use many system resources, the increased system load can cause the
aggregations to be slow. Review the cause of the increased system load and address the cause, if
possible.
For example, if the failed accumulations occur during a large data search that takes a long
time to complete, you might prevent the accumulator drops by reducing the size of the saved
search.
Large accumulator demands
If the accumulator intervals are dropped regularly, you might need to reduce the workload.
The workload of the accumulator is driven by the number of aggregations and the number of
unique objects in those aggregations. The number of unique objects in an aggregation
depends on the group-by parameters and the filters that are applied to the search.
For example, a search that aggregates for services filters the data by using a local network
hierarchy item, such as DMZ area. Grouping by IP address might result in a search that
contains up to 200 unique objects. If you add destination ports to the search, and each server
hosts 5 - 10 services on different ports, the new aggregate of destination.ip +
destination.port can increase the number of unique objects to 2000. If you add the source
IP address to the aggregate and you have thousands of remote IP addresses that hit each
service, the aggregated view might have hundreds of thousands of unique values. This
search creates a heavy demand on the accumulator.
To review the aggregated views that put the highest demand on the accumulator:
1. On the Admin tab, click Aggregated Data Management.
2. Click the Data Written column to sort in descending order and show the largest
views.
3. Review the business case for each of the largest aggregations to see whether they are
still required.
Maximum active offenses reached
38750050 - MPC: Unable to create new offense. The maximum number of
active offenses has been reached.
Explanation
The system is unable to create offenses or change a dormant offense to an active offense. The
default number of active offenses that can be open on your system is limited to 2500. An active
offense is any offense that continues to receive updated event counts in the past five days or less.
User response
Select one of the following options:
•
•
Change low security offenses from open or active to closed, or to closed and protected.
Tune your system to reduce the number of events that generate offenses.
To prevent a closed offense from being removed by your data retention policy, protect the
closed offense.
Disk usage system notifications
IBM® QRadar® disk sentry monitors the /, /store, /storetmp, /transient,
and /var/log partitions before the partitions reach a pre-defined usage threshold.
The following topics can help you identify and resolve common problems in your IBM
QRadar deployment. The following table displays the host context system notifications that depend
on the disk usage of each monitored partition.
Notification
Disk Sentry:
Disk Usage
exceeded
warning
threshold.
Disk Sentry:
Disk Usage
exceeded max
threshold.
Disk sentry:
System disk
usage back to
normal
levels.
Description
Suggested action
Disk usage is at 90% for a monitored
partition. QRadar is not affected when the partition
reaches this threshold. Continue to monitor your
partition levels.
See Disk usage exceeded warning
threshold.
Disk usage is at 95% for a monitored
partition. QRadar data collection and search processes See Disk usage exceeded max
are shut down to protect the file system from reaching threshold.
100%.
After disk usage reaches a threshold of 95%, it must
return to 92% before QRadar automatically restarts
data collection and search processes.
To lower the disk usage
threshold, manually remove data
from the affected partitions.
See Disk usage returned to
normal.
Table 1. Disk usage notifications
Backup unable to complete a request
38750033 - Backup: Not enough free disk space to perform the backup.
Explanation
Disk Sentry is responsible for monitoring system disk and storage issues. Before a backup begins,
Disk Sentry checks the available disk space to determine whether the backup can complete
successfully. If the free disk space is less than two times the size of the last backup, the backup is
canceled. By default, backups are stored in /store/backup.
User response
To resolve this issue, select one of the following options:
•
•
•
Free up disk space on your appliance to allow enough space for a backup to complete
in /store/backup.
Configure your existing backups to use a partition with free disk space.
Configure more storage for your appliance. For more information, see the Offboard Storage
Guide.
QRadar: How to deal with unwanted system
notifications
Question & Answer
Question
Is it possible to suppress QRadar system notifications?
Answer
How to edit the system notification rule to add a response limiter
System notifications are generated based on a primary System Notification rule in QRadar.
Administrators who want to prevent a system notification from ever displaying in QRadar
can edit the primary rule to remove a value, which prevents the system from ever creating
the notification. Disabling a notification is not recommended as several important system
notifications are generated by QRadar. To prevent unwanted or repetitive system
notifications is to copy the system notification rule and modify it with a rule response
limiter to generate a system notification on a specific interval by minutes or hours when an
issue occurs. The response limiter can be used to postpone system notifications for several
days, when nuisance notifications occur.
Procedure
1. Click the Offenses tab
2. Click the Rules icon.
3. In the list of rules, select the System: Notification rule.
4. Click Actions > Duplicate.
5. Type a name for the new rule and click OK.
6. Double-click the rule you duplicated to start the Rule Wizard.
7. Click the list of event QIDs in the rule.
8. Edit the rule to include the QIDs that you want to limit responses on. In this
example, we are going to limit 'License Nearing Expiration' notifications.
9. Click Next.
10. In the Response Limiter field, set a time frame for the rule.
11. Click the Enable Rule check box.
12. Click Next to view a summary of the rule.
13. Click Finish.
Now that the new rule is created, we must edit the original System Notification rule
to remove the License Nearing Expiration QID to ensure that the original rule is
updated.
14. Double-click the original System: Notification rule.
15. Click the list of event QIDs in the rule.
16. Edit the rule to remove the value (38750124) License Nearing Expiration, which
is the event QID we are limiting the response for in our other rule.
17. Click Finish.
Results
A new rule is enabled with a response limiter for 48 hours. The original system
notification is updated to remove the QID for the license message as it is a repetitive
system notification.
QRadar system notifications
Use the system notifications that are generated by IBM® QRadar® to monitor the status and health
of your system. Software and hardware tools and processes continually monitor
the QRadar appliances and deliver information, warning, and error messages to users and
administrators.
System notifications are displayed on the QRadar dashboard or in the notification window when
unexpected system behavior occurs. You can troubleshoot the most common QRadar notifications.
Disk usage system notifications
IBM QRadar disk sentry monitors the /, /store, /storetmp, /transient,
and /var/log partitions before the partitions reach a pre-defined usage threshold.
Asset notifications for QRadar appliances
•
Asset change discarded
38750106 - Asset Changes Aborted.
Explanation
An asset change exceeded the change threshold and the asset profile manager ignores the
asset change request.
The asset profile manager includes an asset persistence process that updates the profile
information for assets. The process collects new asset data and then queues the information
before the asset model is updated. When a user attempts to add or edit an asset, the data is
stored in temporary storage and added to the end of the change queue. If the change queue
is large, the asset change can time out and the temporary storage is deleted.
User response
Select one of the following options:
•
•
•
Add or edit the asset a second time.
Adjust or stagger the start time for your vulnerability scans or reduce the size of your
scans.
Asset growth deviations detected
38750137 - The system detected asset profiles that exceed the normal
size threshold.
Explanation
The system detected one or more asset profiles in the asset database that show deviating or
abnormal growth. Deviating growth occurs when a single asset accumulates more IP
addresses, DNS host names, NetBIOS names, or MAC addresses than the system thresholds
allow. When growth deviations are detected, the system suspends all subsequent incoming
updates to these asset profiles.
User response
Determine the cause of the asset growth deviations:
•
•
•
Hover your mouse over the notification description to review the notification
payload. The payload shows a list of the top five most frequently deviating assets. It
also provides information about why the system marked each asset as a growth
deviation and the number of times that the asset attempted to grow beyond the asset
size threshold.
In the notification description, click Review a report of these assets to see a
complete report of asset growth deviations over the last 24 hours.
Review Updates to asset
data (https://www.ibm.com/docs/en/qsip/7.4?topic=management-updates-assetdata).
•
•
Blocklist notification
38750136 - The Asset Reconciliation Exclusion rules added new asset
data to the asset blocklists.
External scan of an unauthorized IP address or range
38750126 - An external scan execution tried to scan an unauthorized
IP address or address range.
Automatic update notifications for QRadar appliances
•
•
•
•
•
Auto update installed with errors
38750067 - Automatic updates installed with errors. See the Auto
Update Log for details.
Automatic update error
38750066 - Automatic updates could not complete installation. See
the Auto Update Log for details.
Automatic update successful
38750070 - Automatic updates completed successfully.
Automatic updates successfully downloaded
38750068 - Automatic updates successfully downloaded. See the Auto
Updates log for details.
Deployment of an automatic update
38750069 - Automatic updates installed successfully. In the Admin
tab, click Deploy Changes.
Custom rules notifications for QRadar appliances
Disk notifications for QRadar appliances
Event and flow notifications for QRadar appliances
Failure notifications for QRadar appliances
Failure notifications for QRadar apps
High Availability notifications for QRadar appliances
License notifications for QRadar appliances
Limit notifications for QRadar appliances
These limit notifications are related to thresholds, usage, maximums, stability, and reaching and
returning to normal limits.
Log and log source notifications for QRadar appliances
Memory and backup notifications for QRadar appliances
Offense notifications for QRadar appliances
Repair notifications for QRadar appliances
Vulnerability scan notifications for QRadar appliances
TASK: 8.2 Troubleshoot common documented issues
SUBTASKS:
8.2.1. Scenarios from the "Technical Notes 101" page
Cleaning the SIM data model
Cleaning the SIM data model ensures that offenses are based on the most current rules, discovered
servers, and network hierarchy. When the tuning process is complete, clean the SIM data model to
ensure that IBM® QRadar® displays only recent offenses.
About this task
When you clean the SIM data model, all existing offenses are closed. Cleaning the SIM data model
does not affect existing events and flows.
False positive offenses might occur before you complete the tuning tasks. Clean the SIM data model
to ensure that each host on the network creates new offenses based on the current configuration.
The SIM data model can be cleaned by both of the following methods:
Soft Clean
Closes all offenses, but does not remove them from the system.
Hard Clean
Closes all offenses, and completely erases them from the system.
Note:
Don't do a Hard Clean of your SIM Model unless SupportQRadar directs you to.
After a hard clean or a soft clean, the console web server restarts.
Procedure
1.
2.
3.
4.
5.
On the navigation menu ( ), click Admin.
From the Admin toolbar, click Advanced > Clean SIM Model.
Click Soft Clean.
Select the Are you sure you want to reset the data model? check box.
Click Proceed.
Depending on the volume of data in your system, this process might take several minutes.
6. When the SIM reset process is complete, refresh your browser.
If you attempt to go to other areas of the console during the SIM reset process, an error
message is displayed.
https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_qradar_system_notifications.pdf
Getting Help: What information should be
submitted with a QRadar service request?
Question & Answer
Question
QRadar support cases often require logs to investigate and resolve issues. This technical
note explains how users can collect and submit information for IBM support cases for
QRadar software issues depending on the nature of the issue they are facing.
Cause
Quick links
1. What information do I need to submit to QRadar support for software issues?
o 1a. How to collect log files for QRadar support from the user interface
o 1b. How to collect log files for QRadar from the command-line interface
(get_logs.sh)
o 1c. How to collect log files for QRadar on Cloud
2. What information do I submit for event parsing issues?
o 2a. How to verify what DSM is version installed
o 2b. How to export events for review by support
3. What information do I submit to QRadar support for hardware issues?
o 3a. How to determine whether an appliance is IBM xSeries or Dell?
o 3b. IBM xSeries appliances: How to run a Dynamic System Analysis (DSA)
report
o 3c. IBM xSeries appliances: How to run a Dynamic System Analysis (DSA)
report for a nonbooting appliance
o 3d. How to run an IMM log for non-hard disk issues
o 3e. Dell appliances: How to open a Dell Hardware Case and Generate logs by
using the iDRAC.
4. What information do I submit for WinCollect agent issues?
5. What information do I submit for Event Pipeline issues?
Answer
1. What information do I submit to QRadar support for software issues?
The following information can be submitted with customer service requests when you
report software issues in QRadar:
•
•
•
•
•
A detailed description of the issue, including the steps taken or changes made
before the issue occurred.
A screen captures showing the issue or on-screen error message.
The steps taken by the user or administrator to try to resolve the problem.
Logs exported from QRadar (see 1a).
Product version and build number. To view your version, from the
QRadar Dashboard, open the hamburger menu then click About. Example:
Related article: In my case, do I need to submit logs from multiple hosts when
an error occurs?
1a. How to collect log files for QRadar support from the user interface
Procedure
1.
2.
3.
4.
Log in to your QRadar console as an admin.
Click the Admin tab.
Click System & License Management.
Select the QRadar appliances that you want to collect logs from in the user interface.
Note: You can use Shift + click or Ctrl + click to get logs from multiple appliances.
If you do not select any appliance, the default action is to collect logs from the
QRadar Console. If you are troubleshooting application issues on an App Host
appliance, select both the App Host and Console appliance then collect logs for your
case.
5. Select Actions > Collect Log Files.
6. In most cases, unless you are experiencing application or extension issues, the
default options can be used. If you are troubleshooting an issue with an application,
such as an installation issue or apps that fail to start, you must open the Advanced
Options and check the box Include Application Extension Logs.
Advanced Options
o Unless advised by QRadar Support, there is no need to enable the Include
Debug Logs check box.
o If you are having issues with a QRadar extension or installing an application,
select the Include Application Extension Logs check box.
o If you recently upgraded your appliance, installed software updates, or are
having issues with managed hosts, select the Include Setup Logs (Current
Version) check box.
o Most administrators can leave the Collect Logs for this Many Days to the
default of 1 day, but if you know the issue occurred before then, adjust the
period accordingly. Be aware that if you have many hosts and select many
days, it takes longer to collect the logs.
Encryption of log files now prompts for a user-defined password. If this
option is selected the password must be passed onto IBM Support to
facilitate decryption of the log files.
7. Click Collect Log Files.
o
The log collection process starts and the status bar updates when log collection is
complete.
8. Click Download and save the file.
Results
Attach the log to your support ticket. Administrators who experience issues
downloading the file from the user interface can attempt to download the file by
using WinSCP or another secure copy utility to move the backup from
the /var/log directory. Root access is required for the appliance to use
the get_logs.sh utility or secure copy files from an appliance.
1b. How to collect log files for QRadar from the command-line interface (get_logs.sh)
To collect logs from the command-line, root access is required. The get_logs.sh utility
is available on every version of QRadar and can be run on each appliance individually to
collect logs. If you are having user interface issues, use this utility as a backup when the
QRadar Console to submit logs for your appliance.
Procedure
1. SSH in to the Console appliance as the root user.
2. Type the following command:
/opt/qradar/support/get_logs.sh
The script informs you that the log was created and provides the name and the
location, which is always the /store/LOGS/ directory.
Note: For administrators having application or extension issues, use the -a option
to collect application logs with your Console log information.
3. Copy the tar.bz2 file to a system that has access to an external network to upload
your log file.
4. For DLC appliances, compress the files from /var/log/dlc/* by using the
command:
tar -zcvf DLC_logs.tar.gz /var/log/dlc/*
5. Copy the tar.gz file to a system that has access to an external network to upload
your log file.
Results
Attach the log files and provide an explanation of which events appear to be parsing
incorrectly in your ticket.
1c. How to collect log files for QRadar on Cloud
To collect logs from Data Gateways or QRadar Network Insights that you have access,
follow 1b. How to collect log files for QRadar from the command-line interface
(get_logs.sh)
For any other appliance that you do not have access, follow the steps for Requesting a log
bundle for QRadar on Cloud.
2. What information do I submit for DSM parsing issues?
To receive support for DSM parsing issues submit the following information:
• The name of the appliance or software that generated the unknown, stored event,
or incorrectly categorized event.
• A screen capture of the log source configuration. Double-click the log source to open
the edit screen and take a screen capture.
• A screen capture of the incorrect event. Double-click an event in the Log Activity tab
to view the Event Summary and submit a screen capture.
•
•
•
The version of the software that is generating the events. If multiple appliances
versions are in your network, list all versions.
The DSM version installed on the customer's QRadar Console (see the following
instructions).
A Full XML export from the Log Activity tab on the Console (see the following
instructions).
2a. How to verify what DSM is version installed
1. SSH into the QRadar Console as the root user.
2. To find the installed version enter the following command:
yum info| grep -i nameofDSM
Result
Example output:
yum info| grep -i 3Com
Name
: DSM-3ComSwitch
From repo
: /DSM-3ComSwitch-7.4-20200303185634.noarch
Summary
: DSM 3Com 8800 Series Switch Install
Description : This program installs a 3Com 8800 Series Switch DSM plugin.
This version information can be compared to what is posted on IBM Fix Central,
but included it in your support request.
2b. How to export events for review by support
1. Log in to the QRadar UI.
2. Click the Log Activity tab.
3. Click Add Filter.
4. For the Parameter, select Log Source [Indexed] > Equals > Name of the log
source with the parsing issue.
Note: If your log source is not assigned to a group yet, select Other, which displays
all ungrouped log sources.
5. Click Add Filter.
6. Click the View drop-down and select a time interval. For example, 7 hours.
7. Review the filtered events to ensure that it contains your issue or concern.
8. From the navigation menu, select Actions > Export to XML > Full Export (All
Columns).
Note: XML is the preferred format for event reviews.
Results
Attach the XML event export and provide an explanation of the events that appear
to be parsing incorrectly in the description of your service request.
3. What information do I submit to QRadar support for hardware issues?
3a. How to determine whether an appliance is IBM xSeries or Dell?
Some administrators have a mix of appliance types in their network. When hardware
issues occur, it is helpful to understand what type of appliance you are working with to
determine whether you need to provide QRadar Support with a DSA file (xSeries
hardware). Dell hardware might not display a result.
To verify your hardware manufacturer:
1. Log in to the appliance as the root user directly or by using SSH.
2. To determine the hardware manufacturer, type the following command:
dmidecode -t system
Result
Example output:
# dmidecode 2.12
# SMBIOS entry point at 0x7f6be000
SMBIOS 2.5 present.
Handle 0x0030, DMI type 1, 27 bytes
System Information
Manufacturer: IBM
Product Name: System x3650 M3 -[7945AC1]Version: 00
Serial Number: KQ35RWH
UUID: 09E10B2B-16C9-3B91-888B-73C34F82FC1D
Wake-up Type: Other
SKU Number:
Family: System x
Review the output on screen for the manufacturer information. See
the Manufacturer value to determine whether it is IBM or Dell.
3b. IBM xSeries appliances: How to run a Dynamic System Analysis (DSA) report
Administrators who experience hardware issues on xSeries appliances can run the DSA
utility and submit a report with the hardware support request.
Before you begin
The QRadar Appliance ships with the DSA utility installed. If you see a message "This
system is not supported by this version of DSA", an updated build of the DSA might be
required for your appliance. Refer to this link for the correct update of the DSA utility for
your Appliance.
Versions of the DSA utility required for my QRadar Appliance
Procedure
1. Using SSH, log in to the remote QRadar appliance that is experiencing the hardware
error.
Note: You must first SSH to the Console, then open another SSH session to a
managed host in the deployment.
2. To change directory to the support folder, type:
cd /opt/qradar/support
3. To verify the permissions on the DSA utility, type:
ls -l *dsa*
4. If the permissions are rw-r-r-, you must change the permissions to be able to run
the DSA utility. To change permissions, type:
chmod 755 <DSA_build>_x86-64.bin
5. To run a DSA report for your appliance, type:
./<DSA_build>_x86-64.bin
Result
The DSA utility creates a .gz file in /var/log/IBM_Support with the machine
type, serial number, and date.xml.gz. For
example: /var/log/IBM_Support/7944AC1_KQ97NYC_20150927-163515.xml.gz
Copy this file from the remote host and upload it to your support case.
Note: If your system will not boot, follow the instructions in the next section (3c)
for non-booting appliances.
3c. How to run a Dynamic System Analysis (DSA) report for a nonbooting appliance
Administrators who experience hardware issues on xSeries appliances can run the DSA
utility and submit a report with the hardware support request. The following procedure
outlines how an administrator can collect a hardware report for an appliance that does
not boot properly. This hardware report is required and must be submitted with the
service request. This procedure can be followed for appliances that are suspended or
frozen due to a hardware or software issue.
Procedure
1.
2.
3.
4.
Restart the QRadar Appliance.
Select F2 to enter diagnostics.
Hit ESC to stop memory test if it starts.
After a menu appears, arrow over to Quit, then select Quit to DSA.
5. Choose command-line option CMD.
6. Insert a Fat 32 formatted USB flash drive. The output file is typically under 1 MB.
7. Choose to collect DSA with no other options needed. Choose option 1 to collect DSA
diagnostics.
8. After 2 passes complete, exit back to the previous menu.
9. Choose the option copy to local media.
10. If USB flash drive is not seen, reseat and try again. If the USB flash drive is still not
seen, try a different USB device.
Note: The DSA can sometimes take a long time to start and run, which might appear to
administrators that the DSA program is not functioning. However, do not interrupt this
process as it can take up to 5 minutes between steps to collect the information and
complete the report before writing data to the USB flash drive.
Results
After the data is collected on the appliance, the files are saved to the USB flash device. The
process of writing the files to the USB drive takes a few seconds.
3d. How to run a Dynamic System Analysis (DSA) report for a nonbooting appliance
Administrators who experience non-hard disk hardware issues on xSeries appliances can
run the Download Service option from the IMMDSA utility and submit a report with the
hardware support request in addition to the DSA For this procedure, refer to the following
Lenovo link: Download service data option.
3e. Dell appliances: How to open a Dell Hardware Case and Generate logs by using the
iDRAC
Administrators who experience hardware issues on Dell appliances use the integrated Dell
Remote Access Controller (iDRAC) card to generate a system report. The administrator
can submit the system report to QRadar Support for review. The following content is
required in your case for QRadar Support to review a Dell hardware issue:
1. A description of the hardware issue.
2. A screen cap or provide the text of the error message.
If we require logs or additional information, your ticket is updated to include further
details and the status is set to Awaiting your Feedback. If you have questions about this
procedure, you can always ask in our forums: ibm.biz/qradarforums.
To generate logs by using the integrated Dell Remote Access Controller (iDRAC) refer to
these Dell links:
•
PowerEdge - How to generate servers logs with the iDRAC?
•
How to export a SupportAssist Collection and the RAID Controller Log from iDRAC 7
and 8?
4. What information do I submit for WinCollect agent issues?
Administrators who experience issues with WinCollect agents can submit the following
information with the support ticket:
•
•
A .zip file that contains the /config and /logs directory for the WinCollect agent.
A description of the issue, Windows operating systems, and any hostnames or IP
addresses that are affected. Reference these example support queries:
o I'm having an issue collecting events from 4 Hyper-V computers with Windows
Server 2008 R2. The WinCollect agent name is _____ and the hostnames I'm
trying to collect events from are hostA (198.51.100.1), hostB (198.51.100.2),
hostC (198.51.100.3), and hostD (198.51.100.4). These Windows systems are in
our DMZ.
o I added 250 log sources by using the log source bulk add feature with
WinCollect, and they recently stopped sending events. The last event time is The
WinCollect agent name is ____ and the log sources that I want investigated are
hostA (198.51.100.1), hostB (198.51.100.2), hostC (198.51.100.3), and hostD
(198.51.100.4). Here is a screen capture of the log source configuration.
o I installed a new WinCollect agent on hostnameX with the command
prompt installer, but it did not work. I tried several more times, but the
WinCollect agent does not automatically create my log source. Attached is a
text file with the installation command I used, see WC_install.txt.
Collect WinCollect 7 configs and logs
1. Log in to the Windows operating system that hosts the WinCollect agent.
2. Click Start > All Programs > Administrative tools > Services.
3. Select the WinCollect service.
4. Click Stop.
5. Click Start > All Programs > Accessories > Windows Explorer.
6. Navigate to the WinCollect installation directory. The default path is C:\Program
Files\IBM\WinCollect
7. To select multiple folders, press Ctrl and select the config and logs folders.
8. Right-click on one of the selected folders and select Send to >
Compressed (zipped) folder.
Results
Attach the log files and provide an explanation of your issue.
Collect WinCollect 10 configs and logs
1. Log in to the Windows operating system that hosts the WinCollect agent.
2. Open the WinCollect 10 console.
3. Click the gear icon to open the settings window.
4. Enable the Advanced UI.
5. Click Collect Support Files.
6. Click Collect and compress files.
7. Open the file path provided and copy them.
Results
Attach the log files and provide an explanation of your issue.
5. What information do I submit for Event Pipeline agent issues?
QRadar Support offers two tools that can be run from the Console appliance:
the findExpensiveCustomProperties.sh and findExpensiveCustomRules.sh
tools.
Procedure
1. SSH into the QRadar console.
2. Enter one or both of the following commands depending on whether you are having
issues with custom properties, rules, or both. If you are unsure, run both.
3. /opt/qradar/support/findExpensiveCustomProperties.sh
/opt/qradar/support/findExpensiveCustomRules.sh
Result
The output of the tools is generated in the directory where you ran the tool. A file is
output as Custom(Properties|Rules)-{date}-(..).tar.gz. Upload the
results of the find expensive tools to your support case.
TASK: 8.3 Configure, manage and troubleshoot applications
SUBTASKS:
8.3.1. Use "recon" to troubleshoot apps
8.3.2. Configure Use Case Manager
8.3.3. Configure QDI
REFERENCES:
QRadar Deployment Intelligence app
The IBM® QRadar® Deployment Intelligence app monitors the health of your QRadar
deployment. QRadar Deployment Intelligence consolidates historical data on a per-host basis,
including status, up-time, notifications, event and flow rates, system performance metrics,
and QRadar specific metrics. Investigate specific hosts and see detailed health and status
information at the application, middleware, and system level.
•
•
•
•
•
•
•
•
•
What's new in QRadar Deployment Intelligence
Stay up to date with the new features that are available in each QRadar Deployment
Intelligence app release so that you get the most out of your QRadar health monitoring
experience.
Use cases for QRadar Deployment Intelligence
Use IBM QRadar Deployment Intelligence to monitor the health of your deployment, prevent
and troubleshoot performance problems, and size your QRadar deployment.
Supported environments for QRadar Deployment Intelligence
For the features in IBM® QRadar® products to work properly, you must use the supported
environments.
Installing QRadar Deployment Intelligence
Use the IBM QRadar Assistant app to install the IBM QRadar Deployment Intelligence app
archive on your QRadar Console.
Customizing your charts and dashboard
You can customize how you view dashboards by arranging charts and adding or removing
charts as you need them. You can also customize each chart on the dashboard and download
the information from each chart as a CSV file.
Overview dashboard
The Overview page in QRadar Deployment Intelligence shows the cumulative health details
of the entire deployment and can be used as a starting point for detailed analysis.
Visualization of the status of QRadar hosts
The Hosts dashboard helps you visualize the health and status of each host and the overall
health and status of your deployment.
Visualizing deployment health
Use the Advanced Health Query page in QRadar Deployment Intelligence to access health
metrics of your deployment during a time interval that you select. Multiple charts can be
loaded, stacked, closed, and added. The data from these charts can be exported as a CSV file.
You can generate more than one chart to appear on the page so that you can compare the
results of your query.
Tuning QRadar Deployment Intelligence to improve performance
Improve the performance of your IBM QRadar Deployment Intelligence app by creating
indexes in QRadar based on Health Metrics log source properties.
•
•
Generating a QRadar Deployment Intelligence report
IBM QRadar Deployment Intelligence can generate a report of your deployment that you can
download to maintain performance records and share with colleagues who don't have
access to the app. These reports are auto generated by the app once per day at 11:00 PM.
Troubleshooting QRadar Deployment Intelligence
A common issue in QRadar Deployment Intelligence is that the app does not show any
health-related data. This issue can occur for several reasons:
https://www.ibm.com/support/pages/qradar-how-use-recon-troubleshoot-qradar-applications
Configuring QRadar Use Case Manager
The Use Case Explorer uses QID records and DSM event-mapping information to help determine
rule coverage by log source type. The Use Case Explorer loads automatically, but you can refresh
the settings at any time. If required, configure a proxy connection, app performance related to
offenses, and tuning findings.
Procedure
1. On the Admin tab, click QRadar Use Case Manager > Configuration.
2. To sync with the data in QRadar®, click Sync QID Records. This process might take
approximately 30 minutes to complete. You can still use the app while the records are
syncing, but the data you work with might not be accurate.
3. To manually refresh event mappings, click Sync DSM event mappings.
When you install the app for the first time, it automatically syncs after installation. If you
upgrade to QRadar Use Case Manager 2.0.0 or later, you don't need to sync.
4. To back up your MITRE mappings (custom and IBM default), click Export MITRE mappings.
You can then import this backup file later on the Use Case Explorer page.
Only the custom mappings are imported from the file.
5. If you're upgrading to QRadar Use Case Manager 3.1.0 or later, you might see a section that
is called Report on migration from MITRE v6.3 to vx.x. This report appears if there were
MITRE mappings in the previous version of the app that are now deprecated with the
support for MITRE v8.1 or later. All custom mappings that were created in previous versions
of the app are automatically migrated to the new version. Mappings to techniques that are
now deprecated or don't exist under a particular tactic are deleted and included in the
migration report. Consider creating new mappings to these rules.
When you've noted the mappings that are affected, you can click Clear migration report to
permanently remove the report notification. Nonadministrative users can see the report
migration notification on the Use Case Explorer page.
6. To configure a proxy server, expand the Proxy configuration section and enter the
following information for your proxy server:
o Protocol
o Address or hostname
o Port
o Username
o Password
7. To configure offense contributions, expand the Performance configuration section, modify
the following options, and then click Submit.
Offense contribution
The default is enabled. When this option is disabled, the following features are disabled:
o
o
o
Inactive reports in Use Case Explorer are disabled, including the access point to the
'Tune inactive rules' card on the Tuning home page.
Rule offense contribution trend on the Active Rules page is not visible.
Event count column on the Active Rules page report table is removed.
Offense contribution in days
The default is 90 days. This setting takes effect only when the Offense contribution option
is enabled. The rule offense contribution trend and event count trend charts on the Active
Rules page are visible, but you can see only the data for the past (number of) days. Data that
is already stored in the database is not cleared when you change the number of days. Only
new data is affected by an update to this setting.
8. If you experience unexpected performance problems that are caused by generating the
tuning findings, such as a long time to load QRadar Use Case Manager or the app stops
responding, complete the following steps:
o Disable individual tuning findings in the Tuning findings configuration section.
o Set the number of reference set elements that trigger a finding if the number is
exceeded. The default is 5000.
o Click Submit and then refresh the Tuning Finding report or restart the app to
implement the updated changes.
9. Click Submit and then close the Settings pag
TASK: 8.4 Perform healthchecks
SUBTASKS:
8.4.1. Perform Daily Tasks
8.4.2. Perform Weekly Tasks
chromeextension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.ibm.com/support/pages/system/files/inlin
e-files/$FILE/OpenMic_MaintainingQRadar101_updated2.pdf
https://www.securitylearningacademy.com/course/view.php?id=4159
QRadar: Using ThreadTop to determine QRadar
process load
Troubleshooting
Problem
How to determine what QRadar processes are using the most resources.
Symptom
The system is running a little slower than usual, and you need to determine which process
is taking up the most resources.
Resolving The Problem
If you need to determine which QRadar process is consuming the most resources, there is
a Top like tool that specifically works with QRadar processes called theadTop. This tool
monitors QRadar processes, and can give an indication of performance issues.
To initiate threadTop
1. SSH into the QRadar Console as the root user.
2. Type the following command:
/opt/qradar/support/threadTop.sh
Example:
Results
Processes that are over 1700 milliseconds for more than a few intervals, might be
an indicator of an issue.
3. If you need more specific results, try watching the output for the single service only
on the specific port.
4. For example, if you are interested more in the ecs-ep service you can use the
following syntax:
/opt/qradar/support/threadTop.sh -p 7799
Where -p is the port on which a particular service is running.
5. The list of ports and services available for the appliance (it depends on the
component in the deployment) you can retrieve by using this command:
grep JMXPORT /opt/qradar/systemd/env/*
Wincollect Agent error message: 'configuration
file fingerprints don't match'
Troubleshooting
Problem
The error message: 'WinCollect Agent mismatch. RetrieveConfigurationUpdate
succeeded, but the configuration file fingerprints don't match' is generated when a
version mismatch exists between the QRadar Console and a managed WinCollect agent.
Administrators who experience this error message can confirm software versions are
identical between their QRadar appliance and managed WinCollect agents.
Cause
The WinCollect version on the QRadar Console displays a different version than what is
installed on the Windows host and generates an error. In most cases, this is due to the
Windows hosts being updated using the EXE. There are two methods to confirm the error
message:
1. To view error messages from an individual agent, administrators can select the
QRadar Admin tab and click the WinCollect icon. Select your agent and click Show
Events to display all log activity search for all status messages from the WinCollect
agent sorted by newest event. Status messages from the WinCollect agent will
include information, warning, and error messages from the selected WinCollect
agent.
2. Administrators who have access to the remote Windows host should verify the
following message in C:\Program Files\IBM\WinCollect\WinCollect.log
INFO SRV.System.WinCollectSvc.Service : Config change (or patch) detected on
configuration server. Attempting to download and extract...
INFO SRV.Code.ConfigurationPatchStrategy : Retrieving Configuration Update
ERROR SRV.Code.ConfigurationPatchStrategy : RetrieveConfigurationUpdate succeeded,
but the configuration file fingerprints don't match, exp:[FINGERPRINT
INFORMATION] act:[FINGERPRINT INFORMATION]
WARN SRV.System.WinCollectSvc.Service : Config change (or patch) download
failed validation. Not applying.
Diagnosing The Problem
To verify the version of WinCollect is installed in QRadar, use one of the following
procedures based on your installation type:
For Managed WinCollect agents
1. From the Console command line as root user
type: /opt/qradar/support/WinCollectHealthCheck.sh -d
Figure 1: Output displays information on the WinCollect software installed on the
Console. AgentCore is the WinCollect application in QRadar.
2. Compare this to the version list for all managed WinCollect Agents from the
WinCollectHealthSummary utility or to the version list in the user interface:
Agent Name
of Config File
LAPTOP-N1002211
14:34:53.102
LAPTOP-A9354424
14:34:52.912
LAPTOP-LALM1223
14:34:54.932
LAPTOP-GAL22392
14:34:53.906
Version
7.2.9.72
192.168.0.80
7.2.9.72
192.168.0.80
7.2.9.72
192.168.0.80
7.2.9.72
192.168.0.80
Time of last heartbeat
Location
2019-05-29
2019-05-29
2019-05-29
2019-05-29
3. Optional. Administrators can use the agent list from the user interface to verify their
WinCollect agent versions (Admin tab > WinCollect).
Figure 2: Review the Version column to determine the software version for a
WinCollect agent to determine if it differs from the AgentCore version listed.
Results
Administrators should note the version difference between the Console install 7.2.8-
145 and the version on the Windows hosts 7.2.9-72. If there are version differences,
fingerprint error messages can be displayed in logs and status events. The
administrator will need to ensure that the software versions match is resolved to
prevent future errors.
Resolving The Problem
To resolve this issue, download the latest WinCollect Agent SFS package and install it on
the QRadar Console. A maintenance window should be scheduled before you begin a
WinCollect upgrade. Depending on your version, services might be required to restart to
complete the install, which will interrupt event collection from all event sources.
1. Download the latest WinCollect SFS file from IBM Fix Central.
2. Using SSH, log in to your Console as the root user. The SFS file is only installed on
the QRadar Console. There is no need to install the WinCollect SFS on non-Console
appliances.
3. Copy the WinCollect SFS file to the /tmp directory on the QRadar Console. If space
in the /tmp directory is limited, copy the SFS to another location that has sufficient
space, such as the /storetmp directory on QRadar 7.3.x Consoles.
4. To verify that the mount point /media/updates exists, type: mkdir -p /media/updates
5. To mount the SFS file, type the command for your QRadar version:
o QRadar 7.2.x: mount -o loop -t squashfs 720_QRadar_wincollectupdate-<version>.sfs
/media/updates
o
QRadar 7.3.x: mount -o loop -t squashfs 730_QRadar_wincollectupdate-<version>.sfs
/media/updates
6. Install the WinCollect SFS file: /media/updates/installer
NOTE: To proceed with the WinCollect Agent update services need to be restarted
on QRadar to apply protocol updates. The following message is displayed:
WARNING: Services need to be shutdown in order to apply patches. This will
cause an interruption to data collection and correlation.
Do you wish to continue (Y/N)?
7. To continue with the update, type Y to continue.
8. When the update completes, remove the mounted SFS file with the following
command: umount /media/updates
Results
Administrators should verify if any agents have automatic updates disabled.
WinCollect agents that have the Automatic Updates Enabled column as 'False' will
need to click the Enable/Disable Automatic Updates button in the WinCollect
user interface to set the Automatic Update Enabled status to 'True'. Software
updates for managed agents are only allowed to send software updates to remote
Windows hosts when Automatic Updates Enabled displays 'True'.
https://www.ibm.com/support/pages/node/6590417
QRadar: User interface inaccessible due to httpd
service failure. Error "Multiple RSA server
certificates not allowed"
Troubleshooting
Problem
QRadar user interface (UI) is inaccessible because of httpd service failure.
Cause
httpd service failure due to:
•
•
Multiple certificates present under /etc/httpd/conf/certs directory.
Multiple certificates present in /opt/qradar/conf/ssl.cert.conf file.
Diagnosing The Problem
Multiple certificates present under /etc/httpd/conf/certs directory
Multiple certificates present in /opt/qradar/conf/ssl.cert.conf file
If httpd service is in a failed state, search for log entries as:
less -i /var/log/httpd/error.log | grep -i "Multiple RSA server certificates not
allowed"
[Fri May 26 20:36:26.799179 2023] [ssl:emerg] [pid 25186] AH02242: Init: Multiple
RSA server certificates not allowed
less /var/log/httpd/error.log | grep -i "Fatal error initialising mod_ssl"
[Fri May 26 20:36:26.799211 2023] [ssl:emerg] [pid 25186] AH02312: Fatal error
initialising mod_ssl, exiting.
cat /opt/qradar/conf/ssl.cert.conf | grep -i "SSLCertificate"
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
Steps to resolve issue:
• Create backup of /opt/qradar/conf/ssl.cert.conf
mkdir -p /store/ibm_support/httpd_service_issue
cp -p /opt/qradar/conf/ssl.cert.conf /store/ibm_support/httpd_service_issue/
• Open a vim editor and removed the duplicate line for cert.cert and cert.key
Before:
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
After:
SSLCertificateFile /etc/httpd/conf/certs/cert.cert
SSLCertificateKeyFile /etc/httpd/conf/certs/cert.key
• Restart the tomcat service:
systemctl restart tomcat
Note: Restarting Tomcat on the QRadar Console logs out users, halts event exports in
progress. Also, scheduled reports wont run until the service is running. Administrators
with change control might need a maintenance window before you restart Tomcat.
• Validate tomcat and
systemctl status tomcat
systemctl status httpd
httpd service status:
● tomcat.service - Apache Tomcat
Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset:
disabled)
Drop-In: /etc/systemd/system/tomcat.service.d
└─ulimit.conf
Active: active (running) since Fri 2023-05-26 20:57:48 IST; 4min 9s ago
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset:
disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─qradar.conf
Active: active (running) since Fri 2023-05-26 20:57:49 IST; 4min 45s ago
• Test tomcat connection status:
/opt/qradar/bin/test_tomcat_connection.sh
Starting up...
Connected to tomcat
Note: Tomcat takes some time to start. After the command shows the status as connected,
you can connect to the QRadar GUI and verify whether other functions are working as,
expected. This procedure does not apply to QRadar on Cloud.
Results
After the connection test completes successfully, you can log back in to QRadar.
Administrators might need to manually run reports that were scheduled to start during
the tomcat outage. Users can export events, execute the searches and export the results
from the user interface.
QRadar: General Health checklist
Question & Answer
Question
How can I verify that my deployment is healthy?
Answer
To assess the general health of your deployment, it is helpful to have standard checks to
follow in order to verify core functionality on your QRadar Console and Managed Hosts.
Is the QRadar Console UI accessible?
•
•
If you cannot access the UI and cannot access the system via SSH:
o Use a IMM or Hypervisor session to log in to the console to confirm that the
QRadar Console host is running and responsive. If you can connect here and
the console is running, there might be a network infrastructure problem
blocking your access. Contact your network administrator.
If you cannot access the UI but can access the Console system via SSH:
o Check systemctl status tomcat. If status is active or activating, the service is
still initializing. In some cases, you may need to wait for 10 - 15 minutes after
starting tomcat for the GUI to become accessible.
Are all Managed Hosts showing the expected Status?
•
If any of the Managed Hosts are not in Active status, check the following
o
o
o
From the Console command-line interface (CLI), try establishing an SSH
connection to each non-Active Managed Host (MH). If the connection fails or
times out:
▪ Establish a local console connection to the MH via IMM Remote
Console or some other local Console connection such as hypervisor if
the system is a VM.
▪ Verify whether the system is responsive and accepts login as
'root'.
▪ If the system is unresponsive but you can access the system's
local console, this may indicate a network issue. For more
information, see Technote 1997106- Using Linux Networking
Tools to troubleshoot Interfaces.
▪ If the MH is responsive via the local console connection, more
troubleshooting will need to be done to check network
connectivity between the Console and MH. For more
information, see Technote 1981436 - QRadar: Troubleshooting
tunnels and SSH issues in QRadar 7.2.5 and later.
Does a Full Deploy task complete successfully for all Managed Hosts?
▪ After the Deploy task completes and returns status for all hosts, review
any Managed Hosts that report Timed Out or otherwise fail to deploy:
▪ Check for the file /opt/qradar/conf/hostcontext.NODOWNLOAD on
the MH. For more information on how to resolve this issue,
see Technote 10744001 - Deploy Changes Does Not complete or
Times out.
Check that all partitions have sufficient free disk space:
▪ From the Console CLI, run /opt/qradar/support/all_servers.sh -C 'df
-h' to view the current disk space usage on all Managed Hosts'
partitions
▪ Connect to the MH via SSH as 'root' and type: df -h. If the disk
space usage ('Use%') for any partitions (other than /recovery)
are above 85% free up space on the relevant partitions and
check again. For more information on how to resolve space disk
issues, please see our Support 101 page on Troubleshooting disk
space issues.
Do all Dashboards populate?
Dashboards largely rely on ariel queries against accumulated data (also referred to as
Global Views (GV) or Aggregated Data Views (ADV).
•
•
If some Dashboards are failing to populate, but others are working, we're likely
seeing a problem with the individual Global Views. To troubleshoot corrupted
Global Views, please note which Dashboards are affected.
If all Dashboards are failing to populate, check the statuses of these services:
o
On all hosts the accumulator service should be Active. From the Console CLI,
run
/opt/qradar/support/all_servers.sh -C 'systemctl is-active accumulator'
▪ For any hosts where accumulator is not Active, try manually
o
restarting
the service with the command systemctl restart accumulator
The Console and all EP, FP, EP/FP, and Data node hosts should also have a
running ariel service. On the Console ariel runs as ariel_proxy_server. All
other relevant hosts will have ariel as ariel_query_server.
▪ On the Console run:
systemctl is-active ariel_proxy_server
▪
To check ariel on the remaining Managed Hosts. Run this command
from the Console CLI:
/opt/qradar/support/all_servers.sh -a '16%,17%,18%,21%'
'systemctl is-active ariel_query_server'
▪
If the ariel* service is stopped, try starting the relevant service
manually with systemctl restart <service> on the affected systems.
▪ If ariel fails on any system, you may not be able to retrieve event
or flow data from that Managed Host, accumulated or otherwise.
Are Offenses generating and updating?
•
In the 'Last Event/Flow Seen' for the most recently updated Offenses, is the
date/time fairly recent?
o Confirm whether ecs-ep is running on all 31xx, 18xx, 17xx, and 16xx hosts:
▪ On 7.3.0 and above: /opt/qradar/support/all_server.sh -C -a
'31%,18%,17%,16%,software' "systemctl is-active ecs-ep"
▪
If the service state is 'failed', try restarting the service:
▪ on 7.3.0 and above: /opt/qradar/support/all_servers.sh
"systemctl restart ecs-ep"
If ecs-ep fails to start on any of systems, collect the logs for the Console
system and any affected Managed Host.
▪ Getting Help: What information should be submitted with a
QRadar service request?
If ecs-ep is running on all Managed Hosts (where expected):
▪ Rule out the possibility that the system is working correctly and there
are simply no events or flows that are triggering Rules for Offense
creation or updates by creating a test rule to test Offense generation:
▪ In the QRadar UI, click the Offenses tab, then select Rules.
▪ Once the Rules display loads select Actions > New Event Rule.
▪ Identify a Source IP (or IP range) in your environment that is
consistently generating events
▪ Configure the new event rule with this criteria, using the address
or range identified above as the value for:
▪ Apply Dummy Test Rule on events which are detected by
the local system and when the source IP is one of the
following IP addresses: Click next.
▪
o
Set the Responses page with the following options:
1. Check: Ensure the detected event is part of an
offense.
2. Check: Respond no more than 1 per 1 minute per
source IP.
3. Click Finish.
4. Make sure the Rule is enabled.
5. In the Log Activity tab, add a filter for the Source IP
or range you configured in the Rule, and watch for
incoming events.
When events show up for this IP or range, you should see that a
new Offense is created and the events for the source IP or range
are associated with that Offense. Disable the Rule once testing is
complete.
▪
▪
Can you search and view events and flows?
•
•
•
Do you see new events and flows (if present in your environment) in Log Activity
and Network Activity tabs while the View is set to Real Time?
Are your Console, Event Processors, and Event and Flow Processors receiving
events?
o In Log Activity, select Quick Searches and choose Event Processor
Distribution.
▪ Make sure all of your Console, Event Processors, and Event and Flow
Processors are represented on the resulting search.
Can I run normal searches?
o Try running a simple 5 minute search filtering on 'Source IP is
127.0.0.1'. Does it complete without errors?
▪ If you receive IO errors, try using this information to troubleshoot:
▪ QRadar: Understanding IO Errors while searching
Is your Assets tab populated as expected?
•
•
Is the Assets page loading and populating as expected?
Is the Last Modified Time for the most recently modified asset relatively recent?
Can all users log in to the Console UI?
•
•
•
Can the local 'admin' account log in to the UI?
Can local non-admin Users log in to the UI?
o QRadar: Unable to log in with local user accounts
Can non-local users (LDAP, etc; where applicable) log in to the UI?
o QRadar: Cannot Log in to QRadar with a Valid Active Directory Account
Are my apps all loaded and running?
•
Basic App Troubleshooting Before Opening a QRadar Support Ticket
Additional checks
•
•
•
•
The checks described above should cover most core functionality. You can also
check to make sure all expected QRadar processes are running on any QRadar
system:
o Run /opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh . Wait for
at least 3 iterations (in case the system is still initializing) to see if all listed
processes show up as Running. If any show as ' stopped' after a few iterations,
break out of the utility (using ctrl-c) and note which processes were not
running.
If using HA, check the state of your HA pairs:
o Troubleshooting QRadar® HA deployments
Check Notifications in UI for any messages about Predictive Disk Failure
o QRadar: Troubleshooting Disk Failure or Predictive Disk Failure Notifications
If SSH or HTTPS connectivity is lost to your QRadar Console, local console access
might be needed to further troubleshoot system health. As a best practice, make
sure that this access is available in case of future problems:
o If running on IBM hardware, is IMM accessible?
▪ Can you connect with the IMM Remote Console?
o If running as a virtual machine, can you reach local console through your
hypervisor?
o If running on non-IBM hardware, do you have provision for local console
access.
You've experienced an issue with one of the troubleshooting steps, what should you do?
1. Record all troubleshooting steps from any procedure that failed.
2. If possible collect logs from the Console and the affected systems. Refer to the link
below on how to collect logs.
Getting logs from a QRadar deployment
3. Open a case with IBM QRadar Support. Include logs and all information from
troubleshooting step in the case.
4. If your appliances are unavailable or not functional, you can indicate that you have a 'System down'
issue.
5. A QRadar Support representative will contact you using your preferred method of communication
TASK: 8.5 Basic GUI REST-API usage
SUBTASKS:
8.5.1. Use the REST-API via the GUI on the console
• Pick an endpoint and show how to access it
API error messages
When an API request fails due to request errors or server errors, an error response message is
returned in JSON format.
An error response message is returned in JSON format even for endpoints that support other MIME
types. The error response message includes error message itself, a description of the error, a
unique error code for the endpoint, an HTTP response message, and an HTTP response code.
The error response includes following fields:
•
•
•
•
•
message: the error message
details: a field for additional information, which may or may not be populated
description: description of the specific error
code: Unique error response code
http_response:
o message: HTTP response message
o code: HTTP response status code
For example, the following API request attempts to get information about a non-existent reference
set that is called "test-set":
https://<host_ip>/api/reference_data/sets/test_set
An HTTP 404 response code and the following JSON error response message are returned:
{
"message": "test_set does not exist",
"details": {},
"description": "The reference set does not exist.",
"code": 1002,
"http_response": {
"message": "We could not find the resource you requested.",
"code": 404
}
}
The following table provides more information about the HTTP response error categories returned
by the IBM® QRadar® REST API:
HTTP
responseHTTP response message
Code
The requested resource corresponds to any one of a
MULTIPLE
300
set of representations, each with its own specific
CHOICES
location.
The resource has moved permanently. Please refer
MOVED
301
PERMANENTLY
to the documentation.
The resource has moved temporarily. Please refer
FOUND
302
to the documentation.
SEE OTHER
303
The resource can be found under a different URI.
NOT MODIFIED 304
The resource is available and not modified.
The requested resource must be accessed through
USE PROXY
305
the proxy given by the Location field.
The resource resides temporarily under a different
TEMPORARY
307
REDIRECT
URI.
BAD REQUEST
400
Invalid syntax for this request was provided.
You are unauthorized to access the requested
UNAUTHORIZED 401
resource. Please log in.
Your account is not authorized to access the
FORBIDDEN
403
requested resource.
We could not find the resource you requested.
NOT FOUND
404
Please refer to the documentation for the list of
resources.
METHOD NOT
405
This method type is not currently supported.
ALLOWED
Acceptance header is invalid for this endpoint
NOT ACCEPTABLE 406
resource.
PROXY
AUTHENTICATION407
Authentication with proxy is required.
REQUIRED
Client did not produce a request within the time
REQUEST
408
TIMEOUT
that the server was prepared to wait.
The request could not be completed due to a
CONFLICT
409
conflict with the current state of the resource.
The requested resource is no longer available and
GONE
410
has been permanently removed.
Length of the content is required, please include
LENGTH
411
REQUIRED
it with the request.
The request did not match the pre-conditions of
PRECONDITION
412
FAILED
the requested resource.
The request entity is larger than the server is
REQUEST ENTITY
413
TOO LARGE
willing or able to process.
HTTP error
category
HTTP error
category
REQUEST-URI
TOO LONG
UNSUPPORTED
MEDIA TYPE
REQUESTED
RANGE NOT
SATISFIABLE
EXPECTATION
FAILED
MISSING
ARGUMENTS
INVALID
ARGUMENTS
UNPROCESSABLE
ENTITY
INTERNAL
SERVER ERROR
NOT
IMPLEMENTED
BAD GATEWAY
SERVICE
UNAVAILABLE
GATEWAY
TIMEOUT
HTTP VERSION
NOT SUPPORTED
INITIALIZATION
FAILURE
HTTP
responseHTTP response message
Code
The request URI is longer than the server is
414
willing to interpret.
The requested resource does not support the media
415
type provided.
416
417
419
420
422
500
501
502
503
504
505
550
The requested range for the resource is not
available.
Unable to meet the expectation given in the Expect
request header.
The requested resource is missing required
arguments.
The requested resource does not support one or
more of the given parameters.
The request was well-formed but was unable to be
followed due to semantic errors.
Unexpected internal server error.
The requested resource is recognized but not
implemented.
Invalid response received when acting as a proxy
or gateway.
The server is currently unavailable.
Did not receive a timely response from upstream
server while acting as a gateway or proxy.
The HTTP protocol version used in the request
message is not supported.
A failure occurred during initialization of
services. API will be unavailable.
Accessing the interactive API documentation
page
Last Updated: 2023-03-02
Use the interactive API documentation page to access technical details for the RESTful APIs and
experiment with making API requests to your server.
The API documentation user interface provides descriptions and the ability to use the following
REST API interfaces:
REST API
Description
/api/analytics
Create, update, and remove custom actions for rules.
View event and flow properties, create event and flow searches, and
/api/ariel
manage searches.
Returns a list of all assets in the model. You can also list all available
/api/asset_model
asset property types and saved searches, and update an asset.
/api/auth
Log out and invalidate the current session.
/api/config
View and manage tenants, domains, and QRadar® extensions.
View all high and low-level categories, QRadar Identifier (QID) records,
/api/data_classificationand event mappings. You can also create or edit QID records and
mappings.
/api/forensics
Manage capture recoveries and cases.
Install and manage applications that are created by using the GUI
/api/gui_app_framework
Application Framework Software Development Kit.
/api/help
Returns a list of API capabilities.
Manage QRM saved search groups, question groups, simulation groups,
/api/qrm
topology saved search groups, and model groups.
Retrieves assets, vulnerabilities, networks, open services, networks,
/api/qvm
and filters. You can also create or update remediation tickets.
/api/reference_data
View and manage reference data collections.
/api/scanner
View, create, or start a remote scan that is related to a scan profile.
Perform tasks such as WHOIS lookups, port scan lookups, DNS lookups,
/api/services
and DIG lookups. You can also retrieve geolocation data for an IP or set
of IP addresses.
View, update, and close offenses. You can also add notes and manage
/api/siem
offense closing reasons.
Retrieve staged configuration for users, hosts, notifications, remote
/api/staged_config
networks, and remote services. You can also initiate or see the state of
a deploy action, and update and delete Yara rules.
/api/system
Manage server hosts, network interfaces, and firewall rules.
Table 1. REST API interfaces
1. To access the interactive API documentation interface, enter the following URL in your web
browser: https://ConsoleIPaddress/api_doc/.
2. Select the API version that you want to use from the list.
3. Go to the endpoint that you want to access.
4. Read the endpoint documentation and complete the request parameters.
5. Click Try it out to send the API request to your console and receive a properly formatted
HTTPS response.
Note: When you click Try it out, the action is performed on the QRadar system. Not all
actions can be reversed, for example, you cannot reopen an offense after you close it.
6. Review and gather the information that you need to integrate with QRadar.
https://www.youtube.com/watch?v=swGI5QWB29g
