Getting started for security analysts
If you're a security analyst, the following topics are a good place to get started to learn how to use IBM QRadar in your everyday workflow.
Offense Workflow
- Offense prioritization
The magnitude rating of an offense is a measure of the importance of the offense in your environment. QRadar uses the magnitude rating to prioritize offenses and help you to determine which offenses to investigate first.
- Managed hosts
For greater flexibility over data collection and event and flow processing, build a distributed QRadar deployment by adding non-console managed hosts, such as collectors, processors, and data nodes.
- Assigning offenses to users
By default, all new offenses are unassigned. You can assign an offense to a QRadar user for investigation.
- Offense investigations
QRadar uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that is defined in the rules, an offense is created to show that a security attack or policy breach is suspected.
- Network activity monitoring
Visually monitor and investigate flow data in real time, or conduct advanced searches to filter the displayed flows. A flow is a communication session between two hosts.
- Log activity monitoring
QRadar displays events in streaming mode so that you can view events in real time.
Searching and filtering
- Creating a customized search
You can search for data that matches your criteria by using more specific search options. For example, you can specify columns for your search, which you can group and reorder to more efficiently browse your search results.
- Quick filter search options
Search event and flow payloads by typing a text search string that uses simple words or phrases.
- Enabling quick filtering
You can enable the Quick Filter property to optimize event and flow search times. You can use the Quick Filter option to search event and flow payloads by typing free text search criteria.
- Saving search criteria
You can save configured search criteria so that you can reuse the criteria and use the saved search criteria in other components, such as reports. Saved search criteria do not expire.
- Creating a time series chart in QRadar Pulse dashboard app
Time series charts in the QRadar Pulse dashboard app illustrate data points at successive intervals of time. You use a time series chart to show trending or comparisons.
- Configuring a time series chart in QRadar
You can display interactive time series charts that represent the records that are matched by a specific time interval search.
Reporting and dashboards
- Manually generating a report
A report can be configured to generate automatically; however, you can manually generate a report at any time.
- Creating custom reports
Use the Report wizard to create and customize a new report. The Report wizard provides a step-by-step guide on how to design, schedule, and generate reports.
- Creating Pulse dashboard items from an AQL data source
You can use Ariel Query Language (AQL) statements to create dashboard items. AQL is a structured query language that you use to extract, filter, and manipulate event and flow data that you extract from the Ariel database in QRadar.
- Creating a custom dashboard
You can create a custom dashboard to view a group of dashboard items that meet a particular requirement.
Rules
- Investigating threats in QRadar
QRadar uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that is defined in the rules, an offense is created to show that a security attack or policy breach is suspected. But knowing that an offense occurred is only the first step; identifying how it happened, where it happened, and who did it, requires some investigation.
- Investigating rules with the QRadar Use Case Manager app
Tune your rules by filtering different properties to ensure that the rules are defined and working as intended, including log source coverage. Determine which rules you might need to edit in QRadar or investigate further in QRadar Use Case Manager.
DSMs and uDSMs
- Viewing raw events
An event is a record from a log source, such as a firewall or router device, that describes an action on a network or host. You can view raw event data, which is the unparsed event data from the log source.
- Viewing normalized events
Events are collected in raw format, and then normalized for display. Normalization involves parsing raw event data and preparing the data for readable display on the tab. When events are normalized, the system normalizes the names as well.