Getting started for administrators
If you're an administrator, the following topics are a good place to get started to learn how to use IBM QRadar in your everyday workflow.
Administration
- Network hierarchy
You can view different areas of your network that are organized by business function and prioritize threat and policy information according to business value risk.
- Defining your network hierarchy
A default network hierarchy that contains pre-defined network groups is included in QRadar. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.
- IBM Guardium integration
IBM® Guardium® is a database activity and audit tracking tool for system administrators to retrieve detailed auditing events across database platforms.
- AppScan Enterprise integration
QRadar retrieves HCL AppScan Enterprise reports with the Representational State Transfer (REST) web service to import vulnerability data and generate offenses for your security team.
- IBM BigFix integration
IBM QRadar Vulnerability Manager integrates with IBM BigFix® to help you filter and prioritize the vulnerabilities that can be fixed.
- Adding multiple log sources at the same time
Use the QRadar Log Source Management app to add multiple log sources to QRadar at the same time. You can add as many log sources as you want.
- Editing multiple log sources at the same time
In the QRadar Log Source Management app, view and edit a number of log sources at the same time. You can edit the settings of up to 1000 log sources at one time. Edit multiple log sources at the same time when the log sources have similar settings that you want to change, instead of editing each log source individually.
- Data collection
QRadar accepts information in various formats and from a wide range of devices, including security events, network traffic, and scan results. Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.
- Adding a managed host
Add managed hosts, such as event and flow collectors, event and flow processors, and data nodes, to distribute data collection and processing activities across your QRadar deployment.
APIs
- Managing authorized services
You can configure authorized services to authenticate an API call for your QRadar deployment. The QRadar RESTful API uses authorized services to authenticate API calls to the QRadar Console. You can add or revoke an authorized service at any time.
- Creating an authentication token for WinCollect agents
Third-party or external applications that interact with QRadar require an authentication token. Before you install managed WinCollect agents in your network, you must create an authentication token.
Backup and restore
- Backup and recovery
You can use the backup and recovery feature to back up your event and flow data; however, you must restore event and flow data manually.
- Backup configurations and data
By default, QRadar creates a backup archive of your configuration information daily at midnight. The backup archive includes your configuration information, data, or both from the previous day. You can customize this nightly backup and create an on-demand configuration backup, as required.
High Availability/Disaster Recovery
- HA overview
If your hardware or network fails, QRadar can continue to collect, store, and process event and flow data by using high-availability (HA) appliances.
- Creating an HA cluster
Pairing a primary host, secondary high-availability (HA) host, and a virtual IP address creates an HA cluster.
- Setting an HA host online
You can set the primary or secondary HA host to Online.
- Setting an HA host offline
You can set the primary or secondary high-availability (HA) host to Offline from the Active or Standby state.
License management
- License management
License keys entitle you to specific QRadar products, and control the event and flow capacity for your QRadar deployment. You can add licenses to your deployment to activate other QRadar products, such as QRadar Vulnerability Manager.
- Burst handling
QRadar uses burst handling to ensure that no data is lost when the system exceeds the allocated events per second (EPS) or flows per minute (FPM) license limits.
- Distributing event and flow capacity
Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM) that you are entitled to are fully used. Also, ensure that QRadar is configured to handle periodic bursts of data without dropping events or flows, or having excessive unused EPS and FPM.
Log sources
- Adding log sources manually
You can manually add log sources that QRadar does not detect automatically.
- Adding a log source
Use the QRadar Log Source Management app to add new log sources to receive events from your network devices or appliances.
- Configuring an OPSEC/LEA log source
To integrate Check Point OPSEC/LEA with QRadar, you must create two Secure Internal Communication (SIC) files and enter the information into QRadar as a Check Point log source.
- Configuring an Amazon AWS CloudTrail log source by using the Amazon AWS S3 REST API protocol
If you want to collect AWS CloudTrail logs from Amazon S3 buckets, configure a log source on the QRadar Console so that Amazon AWS CloudTrail can communicate with QRadar by using the Amazon AWS S3 REST API protocol.
- Amazon AWS CloudTrail
The QRadar DSM for Amazon AWS CloudTrail supports audit events that are collected from Amazon S3 buckets, and from a Log group in the AWS CloudWatch Logs.
- Microsoft Azure Platform
The QRadar DSM for Microsoft Azure Platform collects events from Microsoft Azure Event Hubs.
Reference data and building blocks
- Review building blocks
Building blocks are a reusable set of rule tests that can be used within rules when required. Host definition building blocks (BB:HostDefinition) categorize assets and server types into CIDR/IP ranges. By populating host definition building blocks, QRadar can identify the type of appliance that belongs to an address or address range. These building blocks can then be used in rules to exclude or include entire asset categories in rule tests.
Rules
- Configuring an event or flow as false positive
You might have legitimate network traffic that triggers false positive flows and events that make it difficult to identify true security incidents. You can prevent events and flows from correlating into offenses by configuring them as false positives.
- Creating a custom rule
QRadar includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.
Threat intelligence
- IBM Security Threat Content Extension
The Extension Threat Theme adds rule content and building blocks to QRadar that focus on threat events and detection. This extension enhances the base rule set of QRadar for administrators who have new QRadar installations.
- Enabling X-Force® Threat Intelligence in QRadar
By enabling X-Force Threat Intelligence in QRadar, you can receive feeds of the X-Force Threat Intelligence information to your console.
Troubleshooting
- Collecting log files
QRadar log files contain detailed information about your deployment, such as hostnames, IP addresses, and email addresses. If you need help with troubleshooting, you can collect the log files and send them to IBM Support.