Threat simulations

While you might have systems in place to collect and store data from a multitude of sources within your business network, it is almost impossible to sift through the data points to identify and resolve the hidden threats.

By eliminating the noise and reducing millions of event records into a manageable, prioritized list of offenses, IBM QRadar can help your security analysts determine exactly what to focus on.

To demonstrate how QRadar can help you protect your network, the IBM QRadar Experience Center app includes threat simulations that are commonly found in enterprise networks.

How the simulations work

A rule is a collection of tests that are run against an incoming event. The rule triggers an action when specific conditions are met.

The Custom Rules Engine (CRE) component of QRadar is responsible for processing incoming events. The CRE compares the events against the defined rules and building blocks, and tracks the rule tests and incident counts over time.

Each simulation sends a series of events to QRadar that are designed to mimic the represented use case as it might appear if it occurred in your own network. The CRE processes these events, and for each rule that is triggered, it carries out the actions that are defined in the rule response. Some common rule response actions include creating events, creating offenses, and adding event properties to reference sets.

The events play in a loop and the same use case repeats multiple times. To stop the simulation, click Stop on the Threat simulator tab.
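The following Python model is an added illustration of the rule and CRE concepts described above; it is not QRadar's own code or part of the Experience Center app. A rule is a list of tests, matches are counted per source IP over a time window, and the rule responses create an offense and add the source IP to a reference set. The event records, the "Brute force login" rule and the "Suspicious IPs" reference set are all constructed for the example.

```python
from collections import defaultdict, deque, namedtuple
# Constructed sample events, in the spirit of a simulator run (not real QRadar data).
EVENTS = [
    {"time": 0, "name": "Login Failure", "sourceip": "10.0.0.5"},
    {"time": 5, "name": "Login Failure", "sourceip": "10.0.0.5"},
    {"time": 10, "name": "Login Failure", "sourceip": "10.0.0.5"},
    {"time": 12, "name": "Login Success", "sourceip": "10.0.0.5"},
    {"time": 15, "name": "Login Failure", "sourceip": "10.0.0.9"},
]

# A rule is a collection of tests plus a threshold (count within window seconds) and responses.
Rule = namedtuple("Rule", "name tests count window responses")
def create_offense(engine, rule, event):
    # Rule response: open an offense that names the rule and the offending source.
    engine.offenses.append({"rule": rule.name, "sourceip": event["sourceip"]})

def add_to_reference_set(set_name, prop):
    # Rule response factory: copy one event property into a named reference set.
    def response(engine, rule, event):
        engine.reference_sets[set_name].add(event[prop])
    return response

class CustomRulesEngine:
    def __init__(self, rules):
        self.rules = rules
        self.matches = defaultdict(deque)     # (rule, sourceip) -> times of recent matches
        self.offenses = []
        self.reference_sets = defaultdict(set)

    def process(self, event):
        for rule in self.rules:
            if not all(test(event) for test in rule.tests):
                continue
            recent = self.matches[(rule.name, event["sourceip"])]
            recent.append(event["time"])
            while recent[0] < event["time"] - rule.window:   # forget matches outside the window
                recent.popleft()
            if len(recent) >= rule.count:
                for respond in rule.responses:
                    respond(self, rule, event)
                recent.clear()   # reset so the next repetition of the use case counts afresh

def run_simulation(loops=1):
    # Replay the constructed events `loops` times, as the Threat simulator loops its use case.
    brute_force = Rule("Brute force login", [lambda e: e["name"] == "Login Failure"], 3, 30,
                       [create_offense, add_to_reference_set("Suspicious IPs", "sourceip")])
    engine = CustomRulesEngine([brute_force])
    for i in range(loops):
        for ev in EVENTS:
            engine.process({**ev, "time": ev["time"] + i * 60})
    return engine
```

Each pass through the loop produces one more offense from the same source, which is why events from a looping simulation keep counting against a production deployment.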

Use a test environment to run simulations

If you run the simulations in a QRadar production environment, the events that the simulations send to QRadar cannot be deleted. These events trigger rules and generate offenses, and they are counted as part of your licensed EPS.

You can run the EC: Experience Center Events saved search to show all of the events that were sent to QRadar by previous runs of any IBM QRadar Experience Center simulation.