Getting started for administrators

If you're an administrator, the following topics are a good place to get started to learn how to use IBM QRadar in your everyday workflow.

Administration

Do you know how the Network Hierarchy impacts the QRadar deployment?
  • Network hierarchy

    You can view the different areas of your network, organized by business function, and prioritize threat and policy information according to business value and risk.

  • Defining your network hierarchy

    A default network hierarchy that contains pre-defined network groups is included in QRadar. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.

Do you know how to create integrations with IBM® solutions such as Guardium®, AppScan, and BigFix?
  • IBM Guardium integration

    IBM® Guardium® is a database activity and audit tracking tool for system administrators to retrieve detailed auditing events across database platforms.

  • AppScan Enterprise integration

    QRadar retrieves HCL AppScan Enterprise reports with the Representational State Transfer (REST) web service to import vulnerability data and generate offenses for your security team.

  • IBM BigFix integration

    IBM QRadar Vulnerability Manager integrates with IBM BigFix® to help you filter and prioritize the vulnerabilities that can be fixed.

Do you know how to configure multiple log source groups for filtering, rules, and reporting?
  • Adding multiple log sources at the same time

    Use the QRadar Log Source Management app to add multiple log sources to QRadar at the same time. You can add as many log sources as you want.

  • Editing multiple log sources at the same time

    In the QRadar Log Source Management app, view and edit a number of log sources at the same time. You can edit the settings of up to 1000 log sources at one time. Edit multiple log sources at the same time when the log sources have similar settings that you want to change, instead of editing each log source individually.

Do you know how to quantify and prioritize data sources in your environment to ensure adequate data collection?
  • Data collection

    QRadar accepts information in various formats and from a wide range of devices, including security events, network traffic, and scan results. Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.

  • Adding a managed host

    Add managed hosts, such as event and flow collectors, event and flow processors, and data nodes, to distribute data collection and processing activities across your QRadar deployment.

APIs

Do you know how to create an authorization token for services to be used for remote access?
  • Managing authorized services

    You can configure authorized services to authenticate an API call for your QRadar deployment. The QRadar RESTful API uses authorized services to authenticate API calls to the QRadar Console. You can add or revoke an authorized service at any time.

  • Creating an authentication token for WinCollect agents

    Third-party or external applications that interact with QRadar require an authentication token. Before you install managed WinCollect agents in your network, you must create an authentication token.
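The following Python client is an added example, not code from the IBM QRadar documentation or product. It shows how an authorized-service token is actually used: it is sent in the SEC request header (not as a password), the Version header pins the API version, and the Range header pages through a collection. The console name, token value, API version and the replayed responses are all constructed for this example; the stub opener stands in for the console so the block runs offline, and a 401 or 403 is surfaced as a token problem rather than swallowed.

```python
"""Added example: calling the QRadar REST API with an authorized-service token."""
import io
import json
import urllib.error
import urllib.request

API_VERSION = "20.0"  # assumption: pin the version your console advertises


def build_request(console, path, token, start=0, page_size=50):
    """Build an authenticated GET for one page of a QRadar collection endpoint."""
    url = f"https://{console}/api/{path.lstrip('/')}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("SEC", token)              # authorized-service token goes here
    req.add_header("Version", API_VERSION)
    req.add_header("Accept", "application/json")
    req.add_header("Range", f"items={start}-{start + page_size - 1}")
    return req


def fetch_all(console, path, token, opener=urllib.request.urlopen, page_size=50):
    """Walk a paginated collection endpoint and return every item.

    Raises PermissionError when the console rejects the token (HTTP 401/403)
    so a misconfigured authorized service is reported, not silently empty.
    """
    items, start = [], 0
    while True:
        req = build_request(console, path, token, start, page_size)
        try:
            with opener(req) as resp:
                page = json.loads(resp.read().decode("utf-8"))
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                raise PermissionError(
                    f"QRadar rejected the SEC token for {path} (HTTP {err.code}): "
                    "check that the authorized service exists, has not expired, "
                    "and has a user role that permits this endpoint"
                ) from err
            raise
        items.extend(page)
        if len(page) < page_size:       # short page means we reached the end
            return items
        start += page_size


def check_token(console, token, opener=urllib.request.urlopen):
    """Smoke-test a token against a read-only endpoint; True if accepted."""
    try:
        fetch_all(console, "system/about", token, opener=opener)
        return True
    except PermissionError:
        return False


def replay_opener(pages, expected_token):
    """Constructed stand-in for the console so the example runs offline.

    `pages` maps the first item index of a Range to the list returned for it.
    """
    def _open(req):
        # urllib title-cases header names, so "SEC" is stored as "Sec".
        if req.get_header("Sec") != expected_token:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        start = int(req.get_header("Range").split("=")[1].split("-")[0])
        return io.BytesIO(json.dumps(pages.get(start, [])).encode("utf-8"))
    return _open


def demo():
    """Page through a constructed log-source listing two items at a time."""
    pages = {
        0: [{"id": 1, "name": "fw-edge"}, {"id": 2, "name": "dc-01"}],
        2: [{"id": 3, "name": "proxy"}],
    }
    opener = replay_opener(pages, "example-token")
    found = fetch_all("qradar.example.com",
                      "config/event_sources/log_source_management/log_sources",
                      "example-token", opener=opener, page_size=2)
    return [item["name"] for item in found]


if __name__ == "__main__":
    print(demo())
```

Replace `replay_opener` with the default `urllib.request.urlopen` (and a proper CA bundle for the console certificate) to run against a real deployment; keep the token out of source and shell history, since anyone holding it acts with the user role bound to the authorized service.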

Backup and restore

Do you know how the backup and recovery functions are configured?
  • Backup and recovery

    You can use the backup and recovery feature to back up your event and flow data; however, you must restore event and flow data manually.

  • Backup configurations and data

    By default, QRadar creates a backup archive of your configuration information daily at midnight. The backup archive includes your configuration information, data, or both from the previous day. You can customize this nightly backup and create an on-demand configuration backup, as required.

High Availability/Disaster Recovery

Do you know how to create an HA cluster and how to implement HA nodes in QRadar®, including setting a node online or offline?
  • HA overview

    If your hardware or network fails, QRadar can continue to collect, store, and process event and flow data by using high-availability (HA) appliances.

  • Creating an HA cluster

    Pairing a primary host, secondary high-availability (HA) host, and a virtual IP address creates an HA cluster.

  • Setting an HA host online

    You can set the primary or secondary HA host to Online.

  • Setting an HA host offline

    You can set the primary or secondary high-availability (HA) host to Offline from the Active or Standby state.

License management

Do you know how to measure license allocation vs. usage and ensure adequate coverage?
  • License management

    License keys entitle you to specific QRadar products, and control the event and flow capacity for your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such as QRadar Vulnerability Manager.

  • Burst handling

    QRadar uses burst handling to ensure that no data is lost when the system exceeds the allocated events per second (EPS) or flows per minute (FPM) license limits.

  • Distributing event and flow capacity

    Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM) that you are entitled to are fully used. Also, ensure that QRadar is configured to handle periodic bursts of data without dropping events or flows, and without leaving excessive EPS and FPM unused.
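The simulation below is an added example, not QRadar code and not a description of its internal algorithm. It models the burst-handling idea in the simplest possible way: events above the licensed EPS go into a bounded buffer that drains whenever the incoming rate drops below the license, and only events that arrive when the buffer is already full are lost. Running it shows why a short spike is harmless while a sustained overage eventually drops data regardless of buffer size. The rates and buffer capacity are constructed values; how QRadar actually sizes and drains its queue is not specified here.

```python
"""Added example: a leaky-bucket model of license-limited event ingestion."""


def simulate_burst(incoming_eps, license_eps, buffer_capacity):
    """Run a per-second simulation and report what was processed, dropped, queued.

    incoming_eps    - constructed list of events arriving in each second
    license_eps     - licensed events per second the pipeline may process
    buffer_capacity - how many excess events can wait for a quiet second
    """
    queued = dropped = peak_backlog = 0
    processed = []
    for rate in incoming_eps:
        available = license_eps
        # Backlog from earlier seconds is drained first.
        from_backlog = min(queued, available)
        queued -= from_backlog
        available -= from_backlog
        # Then this second's arrivals, up to whatever capacity remains.
        passed = min(rate, available)
        excess = rate - passed
        # Excess waits in the buffer; anything beyond the buffer is lost.
        buffered = min(excess, buffer_capacity - queued)
        queued += buffered
        dropped += excess - buffered
        peak_backlog = max(peak_backlog, queued)
        processed.append(from_backlog + passed)
    return {
        "processed": processed,
        "dropped": dropped,
        "backlog": queued,
        "peak_backlog": peak_backlog,
    }


def sustained_overage(incoming_eps, license_eps):
    """True when the average rate exceeds the license: no buffer can save that."""
    return sum(incoming_eps) / len(incoming_eps) > license_eps


# Constructed traffic: a two-second spike to 300 EPS on a 200 EPS license.
SPIKE = [100, 100, 300, 300, 100, 100, 50, 50]

if __name__ == "__main__":
    for capacity in (150, 300):
        result = simulate_burst(SPIKE, 200, capacity)
        print(f"buffer={capacity}: dropped={result['dropped']} "
              f"peak_backlog={result['peak_backlog']} processed={result['processed']}")
```

The practical reading for license planning: compare your peak-minus-license overage and how long it lasts against the buffering you have, and treat `sustained_overage` being true as a signal that the license pool, not the burst buffer, is the thing to fix.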

Log sources

Do you know how to create a new log source?
  • Adding log sources manually

    You can manually add log sources that QRadar does not detect automatically.

  • Adding a log source

    Use the QRadar Log Source Management app to add new log sources to receive events from your network devices or appliances.

Do you know how to add Log Sources by using non-Syslog protocols, such as OpSec LEA and AWS S3?
Do you know how to get logs from various cloud providers such as Amazon AWS or Microsoft Azure?
  • Amazon AWS CloudTrail

    The QRadar DSM for Amazon AWS CloudTrail supports audit events that are collected from Amazon S3 buckets, and from a Log group in the AWS CloudWatch Logs.

  • Microsoft Azure Platform

    The QRadar DSM for Microsoft Azure Platform collects events from Microsoft Azure Event Hubs.

Reference data and building blocks

Do you know how to adjust building block and reference set content to effectively tune QRadar rules?
  • Review building blocks

    Building blocks are a reusable set of rule tests that can be used within rules when required. Host definition building blocks (BB:HostDefinition) categorize assets and server types into CIDR/IP ranges. By populating host definition building blocks, QRadar can identify the type of appliance that belongs to an address or address range. These building blocks can then be used in rules to exclude or include entire asset categories in rule tests.
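The snippet below is an added example, not content from the QRadar documentation or its rule engine. It reproduces the mechanism the paragraph describes: host-definition building blocks map an asset category to CIDR ranges, an address can fall into several overlapping categories at once, and a rule can then include or exclude a whole category instead of listing addresses. The category names, ranges and events are constructed; the "rogue DNS" rule is a hypothetical illustration of a rule test that excludes a building block.

```python
"""Added example: CIDR-based host-definition building blocks used by a rule."""
import ipaddress

# Constructed host-definition building blocks: category -> CIDR ranges.
# Note that 10.0.5.0/24 lies inside 10.0.0.0/16, so DNS servers are also Servers.
HOST_DEFINITIONS = {
    "BB:HostDefinition: DNS Servers": ["10.0.5.0/24"],
    "BB:HostDefinition: Mail Servers": ["10.0.6.10/32", "10.0.6.11/32"],
    "BB:HostDefinition: Servers": ["10.0.0.0/16"],
    "BB:HostDefinition: Remote Access Gateways": ["203.0.113.0/28"],
}


def compile_definitions(definitions):
    """Parse CIDR strings once; strict=False tolerates host bits in a range."""
    return {
        name: [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]
        for name, cidrs in definitions.items()
    }


def categories_for(ip, compiled):
    """Every building block whose ranges contain this address, sorted by name."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in compiled.items()
                  if any(addr in net for net in nets))


def in_block(ip, block_name, compiled):
    """Rule-test style check: is the address part of the named building block?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in compiled.get(block_name, []))


def rogue_dns_sources(events, compiled):
    """Hypothetical rule: DNS traffic from any host NOT in the DNS Servers block.

    Excluding the building block, rather than listing IPs, means adding a new
    resolver to the block tunes the rule without editing the rule itself.
    """
    return [
        ev["src"] for ev in events
        if ev["dst_port"] == 53
        and not in_block(ev["src"], "BB:HostDefinition: DNS Servers", compiled)
    ]


# Constructed sample events: source address and destination port only.
SAMPLE_EVENTS = [
    {"src": "10.0.5.7", "dst_port": 53},      # defined DNS server: expected
    {"src": "10.0.20.44", "dst_port": 53},    # an ordinary server doing DNS
    {"src": "192.168.1.5", "dst_port": 53},   # unknown address
    {"src": "10.0.6.10", "dst_port": 25},     # mail, not DNS: rule does not apply
    {"src": "203.0.113.9", "dst_port": 53},   # remote access gateway doing DNS
]

if __name__ == "__main__":
    compiled = compile_definitions(HOST_DEFINITIONS)
    print(categories_for("10.0.5.7", compiled))
    print(rogue_dns_sources(SAMPLE_EVENTS, compiled))
```

When tuning, the first thing to check is the overlap shown by `categories_for`: a broad range such as a whole /16 in a "Servers" block silently pulls every more specific category into any rule that includes "Servers", which is a common reason a tuned rule still fires on hosts you thought were excluded.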

Rules

Do you know how to run correlation rules in "test mode" to avoid excessive offense generation?
  • Configuring an event or flow as false positive

    You might have legitimate network traffic that triggers false positive flows and events that make it difficult to identify true security incidents. You can prevent events and flows from correlating into offenses by configuring them as false positives.

  • Creating a custom rule

    QRadar includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.

Threat intelligence

Do you know how to use native X-Force threat feed data to enhance corporate security and visibility?
  • IBM Security Threat Content Extension

    The IBM Security Threat Content Extension adds rule content and building blocks to QRadar that focus on threat events and detection. This extension enhances the base rule set of QRadar for administrators who have new QRadar installations.

  • Enabling X-Force® Threat Intelligence in QRadar

    By enabling X-Force Threat Intelligence in QRadar, you receive X-Force Threat Intelligence feeds on your console.

Troubleshooting

Do you know how to collect logs from the QRadar deployment to help IBM Support troubleshoot issues?
  • Collecting log files

    QRadar log files contain detailed information about your deployment, such as hostnames, IP addresses, and email addresses. If you need help with troubleshooting, you can collect the log files and send them to IBM Support.