Best practices for tuning your QRadar system

To get the most out of the QRadar® Advisor with Watson™ app, review the following guidance to tune your QRadar system.

IBM QRadar Use Case Manager

The QRadar Use Case Manager app can help you to tune your QRadar system. For more information, see QRadar Use Case Manager.

System Health

Table 1. Health checks for your QRadar system
QRadar System Description
Platform details QRadar version is 7.3.3 or later.
XFE enabled QRadar must be licensed and enabled for X-Force® Threat Intelligence Premium. Check Admin > System Settings > Enable X-Force Threat Intelligence Feed and confirm that it is set to Yes.
Support issues No open PMR related to system and hardware stability or performance.
Lifecycle System that is installed and running for at least 3 months.

Offense Management

QRadar should be producing at most 10-15 quality offenses per 1000 EPS per day. A quality offense carries event and flow fields with good external observable information (for example public IPs, URLs, domains, and file hashes) that QRadar Advisor with Watson can data mine and research.

Table 2. Quality offenses
Offense checks Considerations
Number of active offenses Go to the Offenses tab and view the number of active offenses. Is the number excessive?
How many offenses are created each day? Create an offense search with a fixed time range, such as 24 hours, 72 hours, or 7 days, and divide the offense count by the number of days in the range.
Are offenses reviewed and closed on a regular basis by local or services staff? Do you have a process for reviewing, investigating, and closing offenses in a timely manner?
Is rule tuning necessary, or should it be recommended?

Tuning the noisiest rules can significantly reduce false positives. For more information, see Tuning the active rules that generate offenses.
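The three offense checks above (offense rate against the 10-15 per 1000 EPS per day target, noisiest rules, and offenses left open too long) can be scored offline from an offense export. The following is an added example, not code from the page or from IBM: the offense records are constructed, the 2000 EPS figure and the 7-day "stale" threshold are assumptions, and the record layout stands in for whatever export (Offenses tab CSV, API) you actually have.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 10, 0, 0)  # constructed "current time" for the example


def _mk(rule, n, age_minutes, closed):
    """Build n constructed offense records for one rule, spaced one minute apart."""
    return [{"rule": rule,
             "start": NOW - timedelta(minutes=age_minutes + i),
             "closed": closed}
            for i in range(n)]


# Constructed offense export (assumption): 48 offenses in the last day,
# plus 2 malware offenses that have been sitting open for 20 days.
OFFENSES = (_mk("Excessive Firewall Denies from Local Host", 30, 1, False)
            + _mk("Malware Detected by Anti-Virus", 8, 2, True)
            + _mk("Suspicious DNS Query", 10, 3, False)
            + _mk("Malware Detected by Anti-Virus", 2, 20 * 24 * 60, False))

MAX_PER_1000_EPS_PER_DAY = 15  # upper end of the page's 10-15 guideline


def in_window(offenses, now, days):
    """Offenses whose start time falls inside the last `days` days."""
    cutoff = now - timedelta(days=days)
    return [o for o in offenses if o["start"] >= cutoff]


def offense_rate(offenses, eps, now, days=1):
    """Offenses per 1000 EPS per day over the window (the page's health metric)."""
    return len(in_window(offenses, now, days)) / (eps / 1000.0) / days


def rate_ok(offenses, eps, now, days=1):
    return offense_rate(offenses, eps, now, days) <= MAX_PER_1000_EPS_PER_DAY


def noisiest_rules(offenses, now, days=1, top=3):
    """Rules ranked by offenses created in the window, with share of the total."""
    window = in_window(offenses, now, days)
    counts = Counter(o["rule"] for o in window)
    return [(rule, c, round(100.0 * c / len(window), 1))
            for rule, c in counts.most_common(top)]


def stale_open(offenses, now, max_age_days=7):
    """Open offenses older than max_age_days: evidence the review process is not keeping up."""
    cutoff = now - timedelta(days=max_age_days)
    return [o for o in offenses if not o["closed"] and o["start"] < cutoff]


if __name__ == "__main__":
    eps = 2000  # assumed licensed/observed EPS
    print("offenses per 1000 EPS per day:", offense_rate(OFFENSES, eps, NOW))
    print("within target:", rate_ok(OFFENSES, eps, NOW))
    for rule, count, pct in noisiest_rules(OFFENSES, NOW):
        print(f"{count:4d} ({pct:5.1f}%)  {rule}")
    print("open for more than 7 days:", len(stale_open(OFFENSES, NOW)))
```

With the constructed data the system runs at 24 offenses per 1000 EPS per day, one rule accounts for over 60% of them, and two offenses have been open for three weeks: the rule at the top of the list is the first tuning candidate, and the stale offenses point at the review process rather than at the rules.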

Have Building Blocks been updated?

QRadar uses building blocks to tune the system and allow more correlation rules to be enabled. This reduces the number of false positives that are detected by QRadar and helps to identify business-critical assets.

Reviewing building blocks

For more information, see Reviewing building blocks.

Table 3. Building blocks
Building block checks Considerations
Authorized servers You can add authorized infrastructure servers to the appropriate building block. QRadar continues to monitor these servers while it suppresses false positives that are specific to that server category.

Discovering servers The server discovery function uses the QRadar SIEM Asset Profile database to discover different server types based on port definitions. For more information, see Discovering servers.
Has the Network Hierarchy been updated? The QRadar network hierarchy should be fully configured, and all event and flow time stamps synchronized, so that events receive the correct context. Events with "Local to Remote" and "Remote to Local" context are data mined for observable extraction; fields such as file hash and virus name are also used from "Local to Local" context events. For more information, see Reviewing your network hierarchy.

Data Sources

Review raw and normalized events

Make sure that every data source that supports your use cases is ingested by QRadar and working correctly, including extraction of custom properties. Review the raw payload and the normalized events to see whether fields that are potential observables (public IP, URL, domain, file hash) can be extracted by using "Extract Property" or the DSM Editor. For more information, see the DSM Configuration Guide.
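The two checks above (direction context from the network hierarchy, and which observables a raw payload actually yields) can be rehearsed before touching the DSM Editor. The following is an added example, not code from the page or from IBM: the key=value payload format, the local CIDRs standing in for the network hierarchy, and the log lines themselves are all constructed. It splits what Watson receives (public IP, URL, domain, file hash, and the virus name the page says is mined even from Local to Local events) from the properties the app keeps locally, and applies the page's rule that only hash and virus name are taken from L2L events.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for Admin > Network Hierarchy: what QRadar treats as "local".
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256

# Properties the app can use but does not send to Watson (see Table 4).
APP_ONLY_KEYS = {"ua": "user_agent", "file": "file_name", "user": "user_name",
                 "email": "email_address", "dport": "destination_port"}

# Constructed sample payloads in a hypothetical key=value DSM format.
SAMPLE_PAYLOADS = [
    # proxy: local client fetching an executable from an external site (L2R)
    'src=10.20.30.40 dst=203.0.113.17 url=http://updates.example.net/pkg/setup.exe ua="Mozilla/5.0" user=jdoe',
    # anti-virus: detection reported from one local host to a local AV server (L2L)
    'src=192.168.5.20 dst=192.168.5.2 file=invoice.exe '
    'sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 signature=Trojan.Generic.123',
    # firewall: inbound connection from the internet to a local host (R2L)
    'src=198.51.100.9 dst=10.0.0.5 dport=445',
]


def parse_kv(payload):
    """Split a key=value payload into a dict, dropping surrounding quotes."""
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(payload)}


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def direction(src, dst):
    """L2L / L2R / R2L / R2R context, derived from the hierarchy like QRadar does."""
    return {(True, True): "L2L", (True, False): "L2R",
            (False, True): "R2L", (False, False): "R2R"}[(is_local(src), is_local(dst))]


def extract_observables(payload):
    f = parse_kv(payload)
    watson, app_only = set(), set()
    src, dst = f.get("src"), f.get("dst")
    ctx = direction(src, dst) if src and dst else None

    # Only addresses outside the hierarchy are researchable public IPs.
    for ip in (src, dst):
        if ip and not is_local(ip):
            watson.add(("public_ip", ip))
    if "url" in f:
        watson.add(("url", f["url"]))
        host = urlparse(f["url"]).hostname
        if host:
            watson.add(("domain", host))
    if "domain" in f:
        watson.add(("domain", f["domain"]))
    for key in ("md5", "sha1", "sha256"):
        if key in f and HASH_RE.match(f[key]):
            watson.add(("file_hash", f[key].lower()))
    if "signature" in f:
        watson.add(("virus_name", f["signature"]))
    for key, label in APP_ONLY_KEYS.items():
        if key in f:
            app_only.add((label, f[key]))

    # Page rule: from Local to Local events only hash and virus name are mined.
    if ctx == "L2L":
        watson = {o for o in watson if o[0] in ("file_hash", "virus_name")}
    return {"direction": ctx, "watson": watson, "app_only": app_only}


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = extract_observables(p)
        print(r["direction"], sorted(r["watson"]), sorted(r["app_only"]))
```

If a log source's payloads come back with an empty `watson` set for every line, that source cannot feed the app no matter how many offenses it raises; either the fields are present in the raw payload but not normalized (a custom property job), or the source belongs further down the priority list than assumed.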

Connectivity

The QRadar Console requires internet access to reach the QRadar Advisor with Watson service.

Restricting access with firewall/proxy

Best practice log sources and observables

Priority 1 log sources (Best sources of information)
  • Proxy – Destination IP (external), URL, Domain, user agent
  • Firewall – Source IP (external), Destination IP (external)
  • Anti-Virus – File hash, Anti-virus signature, file name
  • Mail Gateway – Source IP (external), file hash, domain, email address
  • User Logon (RADIUS, LDAP) – Source IP (external), domain
  • Endpoint – File hash, file name, URL
  • DNS – Source IP (external), destination IP (external), domain
Priority 2 log sources
  • DHCP
    • Source IP (External)
    • Domain
  • IDS
    • Source IP (external)
    • Destination IP (external)
    • Domain
    • User agent
    • URL
    • File hash
    • File name
  • Windows
    • Domain
    • File name
    • Source IP (external)
    • Destination IP (external)
Table 4. Property (Observables)
Watson Property (Observables) NGFW/FW Proxy AV/Endpoint HIDS DNS DLP SMTP Gateway QRadar
Public IP X X X X X X X
URL X X X
Domain name X X X
File hash X X X X
QRadar Advisor with Watson app properties (NOT sent to Watson, but the app can use them)
Destination port X
User agent X X
Email address X X
File name X X X
Source port X
Source/destination ASN X X
Source/destination country X
High/low level categories X
Direction/context X
User name X X X X

Suggested "research" for QRadar Advisor with Watson use cases

  1. Offenses that are triggered from Priority 1 or 2 event logs and that reference a file hash (malware events).
  2. Offenses that are triggered from Priority 1 or 2 event logs and that contain a combination of observables, such as IP, domain, and exploit (suspicious activity).