Getting started for architects
If you're an architect, the following topics are a good place to get started to learn how to use IBM QRadar in your everyday workflow.
Architecture
- QRadar architecture overview
QRadar is a modular architecture that provides real-time visibility of your IT infrastructure, which you can use for threat detection and prioritization. You can scale QRadar to meet your log and flow collection and analysis needs. You can add integrated modules to your QRadar platform, such as QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Incident Forensics.
- QRadar components
Use QRadar components to scale a deployment, and to manage data collection and processing in distributed networks.
- QRadar events and flows
The core function of QRadar is managing network security by monitoring flows and events. A significant difference between event and flow data is that an event, which is typically a log of a specific action such as a user login or a VPN connection, occurs at a specific time and is logged at that time. A flow is a record of network activity that can last for seconds, minutes, hours, or days, depending on the activity within the session.
- Data retention
Retention buckets define how long event and flow data is retained in QRadar. As QRadar receives events and flows, each one is compared against the retention bucket filter criteria. When an event or flow matches a retention bucket filter, it is stored in that retention bucket until the deletion policy time period is reached. The default retention period is 30 days; then, the data is immediately deleted.
- Distributing event and flow capacity
Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM) that you are entitled to are fully used. Also, ensure that QRadar is configured to handle periodic bursts of data without dropping events or flows, and without leaving excessive EPS and FPM unused.
Flow sources
- Forensics and full packet collection
Use IBM QRadar Incident Forensics in your deployment to retrace the step-by-step actions of a potential attacker, and conduct an in-depth forensics investigation of suspected malicious network security incidents.
- Guidelines for defining your network hierarchy
Building a network hierarchy in QRadar is an essential first step in configuring your deployment. Without a configured network hierarchy, QRadar cannot determine flow directions, build a reliable asset database, or benefit from useful building blocks in rules.
- Defining your network hierarchy
A default network hierarchy that contains pre-defined network groups is included in QRadar. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.