Getting started for architects

If you're an architect, the following topics are a good place to get started to learn how to use IBM QRadar in your everyday workflow.

Architecture

Do you understand the distributed architecture and the roles of various components of QRadar®?
  • QRadar architecture overview

    QRadar is a modular architecture that provides real-time visibility of your IT infrastructure, which you can use for threat detection and prioritization. You can scale QRadar to meet your log and flow collection, and analysis needs. You can add integrated modules to your QRadar platform, such as QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Incident Forensics.

  • QRadar components

    Use QRadar components to scale a deployment, and to manage data collection and processing in distributed networks.

  • QRadar events and flows

    The core functions of QRadar are managing network security by monitoring flows and events. A significant difference between event and flow data is that an event, which typically is a log of a specific action such as a user login, or a VPN connection, occurs at a specific time and the event is logged then. A flow is a record of network activity that can last for seconds, minutes, hours, or days, depending on the activity within the session.

Do you know how to scope an environment for architectural requirements, data rates, and retention policies to optimally build a QRadar deployment?
  • Data retention

    Retention buckets define how long event and flow data is retained in QRadar. As QRadar receives events and flows, each one is compared against the retention bucket filter criteria. When an event or flow matches a retention bucket filter, it is stored in that retention bucket until the deletion policy time period is reached. The default retention period is 30 days; then, the data is immediately deleted.

  • Distributing event and flow capacity

    Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM) that you are entitled to is fully used. Also, ensure that QRadar is configured to handle periodic bursts of data without dropping events or flows, or having excessive unused EPS and FPM.

Flow sources

Do you know how to instrument network segments to enhance visibility and security?
  • Forensics and full packet collection

    Use IBM QRadar Incident Forensics in your deployment to retrace the step-by-step actions of a potential attacker, and conduct an in-depth forensics investigation of suspected malicious network security incidents.

Do you know how to determine which network segments are reporting to QRadar?
  • Guidelines for defining your network hierarchy

    Building a network hierarchy in QRadar is an essential first step in configuring your deployment. Without a configured network hierarchy, QRadar cannot determine flow directions, build a reliable asset database, or benefit from useful building blocks in rules.

  • Defining your network hierarchy

    A default network hierarchy that contains pre-defined network groups is included in QRadar. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.