[IBM Security QRadar Trial]

Try the market leading SIEM to experience threat simulations and explore your own security data free for 14 days.


QRadar® provides centralized visibility into enterprise-wide security data and provides actionable insight into the highest priority threats. When a threat is detected, AI can provide rapid insights into the root cause and scope, enabling analysts to make better, faster triage decisions and accomplish more in less time.

Cloud Value

See everything

Gain comprehensive visibility into enterprise data across on-premise and cloud-environments from behind a single pane of glass.


QRadar on Cloud DevOps teams manage your deployment and allow you to focus on the important security data in your organization.


Detect known and unknown threats, go beyond individual alerts to identify and prioritize potential incidents, and apply AI to accelerate investigation processes by 50 percent.

Getting Started

The QRadar trial walks users through security use cases to understand more about how security events can be chained to detect network compromise, exfiltrated data, compliance issues and more. In these use cases, users can understand how analytics and searches can help quickly locate issues and perform these tasks:

  1. Run threat simulations in QRadar.
  2. View incoming offenses for each use case, such as AWS Cloud Attacks, phishing attacks, and more.
  3. Drill down to view the threat details and data points.
  4. One network adapter with access to the Internet is required
  5. Leverage dashboard and searches.
  6. Experience data exposures and threats from the viewpoint of your SOC team.

Use Cases

AWS Cloud Attack

The AWS Cloud attack use case shows how QRadar detects a suspicious login to Amazon Web Services (AWS), followed by the creation of a high volume of Amazon Elastic Compute Cloud (EC2) instances, and the potential data exfiltration from an Amazon Simple Storage Service (S3) bucket.

The simulated attack starts with the mail server info message indicating a potential spam email with a suspicious attachment. Shortly after the attachment is opened, QRadar detects a series of events that contribute to a single offense, which might indicate that an active threat is occurring.

AWS event exposure path:

  • Mail Server Info Message
  • Process Create
  • Console Login
  • Run Instances
  • List Buckets
  • Run Instances
  • Get Object

Targeted Attack

In the targeted attack use case, a file that is downloaded from an email results in malware that infects an employee’s workstation. The attacker uses the infected workstation to move laterally within the network infrastructure, searching to find critical company assets.

Targeted attack event exposure path:

  • Misc GET Request
  • Firewall Drop
  • Databse connection ESTABLISH
  • SFTP Session Open
  • SFTP Session Closed

Sysmon – Powershell

The Sysmon use case displays how QRadar detects suspicious behavior when a user downloads a file and runs the file on a Windows workstation. When the user clicks the downloaded file, the file starts a command shell that runs a PowerShell script to download and run a file from an external location and compromises the workstation.

The attacker escalates their privileges to system-level access permissions and downloads the usernames and passwords for the network. By logging in to peer computers, the attacker can move laterally and run PowerShell scripts to execute processes on multiple computers across the network.

Powershell attack exposure path:

  • Process Create
  • A service was installed in a system
  • CreateRemoteThread
  • ProcessAccess
  • FileCreate

Threats from multiple hosts

The Threat from multiple hosts simulation shows how QRadar detects a threat by correlating events that are identified as repetitive malicious behavior. You can see the events generated from different hosts in the same network with potentially malicious URL addresses and attachments.

In this simulation, the custom rules engine (CRE) processes incoming events and determines that a potentially threatening activity is occurring on multiple hosts in your network. To warn you about the potential threat, the CRE creates a new event that provides more context for the activity that was found.

For example, if the incoming event is URL Detection – Spam/Graymail and the CRE generated event is Same Threat Detected on Same Network Different Hosts, you can very quickly see which area of your network might be under attack.

Phishing attack

For example, an email which purportedly appears to be from a company’s human resources department may trick users into inadvertently revealing their passwords, possibly by opening a malicious attachment.

IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact