Getting started for security analysts

If you're a security analyst, the following topics are a good place to get started to learn how to use IBM QRadar in your everyday workflow.

Offense workflow

Do you understand offense elements such as the magnitude, and the hosts and users that are involved?
  • Offense prioritization

    The magnitude rating of an offense is a measure of the importance of the offense in your environment. QRadar uses the magnitude rating to prioritize offenses and help you to determine which offenses to investigate first.

  • Managed hosts

    For greater flexibility over data collection and event and flow processing, build a distributed QRadar deployment by adding non-console managed hosts, such as collectors, processors, and data nodes.

  • Assigning offenses to users

    By default, all new offenses are unassigned. You can assign an offense to a QRadar user for investigation.

Do you know how to investigate an offense, including viewing related events and flows?
  • Offense investigations

    QRadar uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that are defined in the rules, an offense is created to show that a security attack or policy breach is suspected.

  • Network activity monitoring

    Visually monitor and investigate flow data in real time, or conduct advanced searches to filter the displayed flows. A flow is a communication session between two hosts.

  • Log activity monitoring

    QRadar displays events in streaming mode so that you can view events in real time.

Searching and filtering

Do you know how to use columns (such as Event Name, Username) to show events grouped by one of those properties?
  • Creating a customized search

    You can search for data that matches your criteria by using more specific search options. For example, you can specify columns for your search, which you can group and reorder to more efficiently browse your search results.

Do you know how to use the Quick Filter to search the events for keywords?
  • Quick filter search options

    Search event and flow payloads by typing a text search string that uses simple words or phrases.

  • Enabling quick filtering

    You can enable the Quick Filter property to optimize event and flow search times. You can use the Quick Filter option to search event and flow payloads by typing free text search criteria.

Do you know how to save search criteria for future use, scheduling, or dashboarding?
  • Saving search criteria

    You can save configured search criteria so that you can reuse the criteria and use the saved search criteria in other components, such as reports. Saved search criteria do not expire.

Do you know how to specify content requirements for searches?
  • Creating a customized search

    You can search for data that matches your criteria by using more specific search options. For example, you can specify columns for your search, which you can group and reorder to more efficiently browse your search results.

Do you know how to create time series charts?

Reporting and dashboards

Do you know how to generate a QRadar published report with preexisting content?
  • Manually generating a report

    A report can be configured to generate automatically; however, you can manually generate a report at any time.

  • Creating custom reports

    Use the Report wizard to create and customize a new report. The Report wizard provides a step-by-step guide on how to design, schedule, and generate reports.

Do you know how to modify a dashboard's properties to what you want to visualize?
  • Creating Pulse dashboard items from an AQL data source

    You can use Ariel Query Language (AQL) statements to create dashboard items. AQL is a structured query language that you use to extract, filter, and manipulate event and flow data that you extract from the Ariel database in QRadar.

Do you know how to use saved search criteria to create custom dashboard items?

Rules

Do you know how to determine which rules are associated with a specific log or flow record?
  • Investigating threats in QRadar

    QRadar uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that are defined in the rules, an offense is created to show that a security attack or policy breach is suspected. But knowing that an offense occurred is only the first step; identifying how it happened, where it happened, and who did it requires some investigation.

  • Investigating rules with the QRadar Use Case Manager app

    Tune your rules by filtering different properties to ensure that the rules are defined and working as intended, including log source coverage. Determine which rules you might need to edit in QRadar or investigate further in QRadar Use Case Manager.

DSMs and uDSMs

Do you know how to view raw log data versus normalized metadata in logs and flow records?
  • Viewing raw events

    An event is a record from a log source, such as a firewall or router device, that describes an action on a network or host. You can view raw event data, which is the unparsed event data from the log source.

  • Viewing normalized events

    Events are collected in raw format, and then normalized for display. Normalization involves parsing raw event data and preparing the data so that readable information is displayed on the tab. When events are normalized, the system normalizes the event names as well.