IBM Security® QRadar® Community Edition get started guide

01

3 min read

Download, install and explore by role

IBM Security QRadar Community Edition provides many of the same capabilities as QRadar with a license for 50 events per second and 5,000 flows per minute.

Community Edition is a fully featured free version of IBM Security QRadar that requires low memory and low EPS. QRadar is a market-leading security information and event management (SIEM) solution.

When downloaded, QRadar Community Edition empowers users, students, security professionals and application developers to learn and experience the latest features of QRadar with no expiration or time limit.

Before you begin

Note
QRadar Community Edition can’t be installed in a Docker container.

Procedure

  1. Register and download the QRadar Community Edition OVA file (PDF, 55 KB).
  2. Create a virtual machine with the OVA file that meets the following requirements:
    • Minimum 8 GB RAM
    Note
    You need 10 GB or more if you use IBM X-Force® tests or Ariel queries. Some applications require more RAM. Applications get 10% of available RAM, divided between all applications.
    • Minimum 250 GB disk space
    • Minimum 2 CPU cores
    Note
    For optimal performance, you need a minimum of 6 CPU cores if you use X-Force tests and a minimum of 8 CPU cores if you use Ariel queries with X-Force data.
    • At least one network adapter with access to the internet. Your system must have internet access for QRadar Community Edition installation.
    Note
    If you use a locally hosted virtual machine with a local IP address, you must forward port 8444 to port 443 to access QRadar in a web browser. Forward port 2222 to port 22 to use SSH to connect to QRadar.
    • Static public and private IP addresses for QRadar Community Edition.
    • A hostname that is a fully qualified domain name with a maximum of 63 characters.
  3. Log in as the root user and enter your password.
  4. Start the setup process by typing the following command:
    ./setup
  5. Press Enter to accept the CentOS end user license agreement (EULA).
  6. Accept the QRadar Community Edition EULA.
    1. Press Space to advance through the EULA screen.
    2. Press Q to be prompted to accept the EULA.
    3. Press Enter to accept the EULA.
  7. Press Y to continue setup.
  8. Enter a password for the administrative account. Set a strong password that meets the following criteria:
    1. Contains at least 5 characters
    2. Contains no spaces
    3. Can include the following special characters: @, #, ^ and *
  9. Apply the command documented in this flash notice.
  10. Restart the appliance by typing the following command:
    reboot
  11. Log in to the QRadar Community Edition user interface as the admin user and accept the EULA. Access QRadar Community Edition in a web browser at https://<ip_address>/console. If you use a locally hosted virtual machine with a local IP address, access QRadar Community Edition in a web browser on your host system at https://<ip_address>:8444/console.

Install QRadar Community Edition in a virtual machine. Community Edition is based on QRadar V7.3.3 or later.

What to do next

Explore by role

– Check out information about QRadar applications.
– Get started with development.
– Check out the Getting Started topics in the Knowledge Center.
– Watch QRadar videos and see other training material in the IBM Security Learning Academy.

02

1 min read

Collect events from a variety of data sources

QRadar can collect events from your security solutions using a Device Support Module (DSM) plug-in file. Select DSMs are included in the base OVA image.

You must install a DSM to monitor events from software, devices or appliances that aren’t supported by the default installation of IBM Security QRadar Community Edition.

About this task

A DSM is a code module that parses and converts received events from multiple log sources into a standard taxonomy format that can be displayed as output. Each type of log source has a corresponding DSM.

Procedure

  1. Mount the QRadar Community Edition ISO using the following command:
    sudo mount -o loop /opt/ibm/cloud/iso/QRadarCE2019.14.0.20191031163225.GA.iso /media/cdrom
  2. Go to the /media/cdrom/post/dsmrpms directory using the following command:
    cd /media/cdrom/post/dsmrpms
  3. Type the following command, where <rpm_filename> is the name of a DSM that you want to install:
    yum -y install <rpm_filename>
  4. Log in to the QRadar Community Edition user interface.
  5. On the Admin tab, click Deploy Changes and select Advanced > Restart Web Server.
Note
Before you start collecting events, run the automatic updates.

QRadar Community Edition includes more than 20 DSMs by default.

  • DSM-IBMHealthMetrics
  • DSM-IBMSense
  • DSM-GNULinuxServer
  • DSM-McAfeeIntrushield
  • DSM-MicrosoftWindows
  • DSM-OracleDbAudit
  • DSM-PaloAltoPaSeries
  • DSM-SearchResults
  • DSM-SIMNotification
  • DSM-SIMAudit
  • DSM-SIMGenericLog
  • DSM-SIMUniversal
  • DSM-SourceFireSnort
  • DSM-STEALTHbitsStealthINTERCEPT
  • DSM-SymantecEndpointProtection
  • DSM-UniversalCEF
  • DSM-UniversalLEEF
  • PROTOCOL-IBMSIMJDBC
  • PROTOCOL-JDBC
  • PROTOCOL-JdbcSophos
  • PROTOCOL-LEA
  • PROTOCOL-LogFileProtocol
  • PROTOCOL-TCPSyslog

03

1 min read

Enrich your deployment with QRadar applications

Explore hundreds of validated applications through the IBM Security App Exchange to help you extract greater value from your existing security solutions.

The IBM Security App Exchange is a community-based sharing hub used to share applications across IBM Security products. By participating in App Exchange, you can use the rapidly assembled, innovative workflows, visualizations, analytics and use cases that are packaged into applications to address specific security requirements.

Partners, consultants and developers have created easy-to-use solutions to address key security challenges. To detect and remediate threats, use these shared security components, from real-time correlation and behavioral modeling to custom responses and reference data.

Note
The combined memory requirements of all the applications that are installed on a QRadar Console can’t exceed 10% of the total available memory or the applications won’t work. If you exceed the 10% memory allocation and want to run more applications, use a dedicated appliance for your applications, such as AppNode appliance for QRadar V7.3.1 or the AppHost appliance for QRadar V7.3.2 or later.

The QRadar Assistant app helps you to manage and update your application and content extension inventory, view application and content extension recommendations, follow the QRadar Twitter feed and get links to useful information. QRadar V7.3.2 and later automatically installs the QRadar Assistant application.

04

2 min read

Explore security scenarios with the QRadar Use Case Manager application

Use these guided tips to help you ensure QRadar is optimally configured to accurately detect threats throughout the attack chain.

QRadar Use Case Manager includes a use case explorer that offers flexible reports related to your rules. The application also exposes predefined MITRE mappings to system rules and helps you map your own custom rules to MITRE ATT&CK tactics and techniques.

QRadar Use Case Manager includes the following key features:

Explore rules through visualization and generated reports

  • Explore the rules through different filters to ensure the rules work as intended.
  • Generate reports from predefined templates, such as searches based on rule response and actions, log source coverage and more.
  • Customize reports to only see the critical information for your analysis.

Tune your environment based on built-in analysis

  • Gain tuning recommendations unique to your environment right within the application.
  • Identify top offense-generating or custom rule event (CRE)-generating rules, then follow the guide to tune these rules.
  • Reduce the number of false positives by reviewing the most common configuration steps. Easily update network hierarchy, building blocks and server discovery based on recommendations.

Visualize threat coverage across the MITRE ATT&CK framework

  • Visually understand your ability to detect threats based on ATT&CK tactics and techniques.
  • View predefined QRadar tactic and technique mappings and add your own custom mappings to help complete coverage.
  • Use new insights to prioritize the rollout of new use cases and applications to effectively strengthen your security posture.

Explore content extensions from the IBM Security App Exchange that are available to you to install and review currently installed content extensions

  • Filter by content extensions for installed rules and rules that are available in content extensions on IBM Security App Exchange.
  • Visually explore how potential log source type and MITRE mapping coverage can increase.
  • View predefined reports on recommended content extensions and see how non-installed content extensions can help increase coverage.

05

3 min read

Modify MITRE ATT&CK mapping and visualize tactic and technique coverage

Create your own rules and building block mappings in QRadar Use Case Manager or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.

Edit MITRE mappings in multiple rules or building blocks

Save time and effort by editing multiple rules or building blocks at the same time. Export your mappings to a JSON file to share with other colleagues. On the Use Case Explorer page, click the Toggle table view icon to ungroup the report’s table columns. Select the relevant rules or building blocks that you want to edit, and then click Edit MITRE mappings.

Share MITRE-mapping files

Save time and effort when mapping rules and building blocks to tactics and techniques by sharing rule-mapping files between QRadar instances. The export includes only the MITRE mappings made directly to the rules, not the mappings of their dependencies. If you use the default MITRE-related templates on the Use Case Explorer page, you can see the direct mappings to the rules and to their dependencies.

Visualize MITRE tactic and technique coverage in your environment

Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide in QRadar. After you organize the rule report, you can visualize the data through diagrams and heat maps, then export the data to share with others. If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. Then click ATT&CK Actions > Coverage map and report in the upper right of the report visualization.

Visualize MITRE coverage summary and trends

The MITRE summary and trend reports provide an overview of the different tactics that are covered by QRadar Use Case Manager. You can analyze the summary data in table, bar and radar charts. Only enabled mappings to enabled rules are counted in the charts, because disabled mappings don’t contribute to your security posture.

When you’ve mapped your rules to MITRE tactics and techniques, click ATT&CK Actions > Coverage summary and trend in the upper right of the visualization pane. Edit the MITRE Coverage Summary table to change the planned number and percentage to see where you’re lacking in coverage.

Visualize MITRE tactics and techniques that are detected in a specific timeframe

See which MITRE ATT&CK tactics and techniques were detected in your environment based on the offenses that were updated within a specific timeframe. QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe, along with the tactics and techniques that are mapped to those rules. The more filters you apply to the rules, the more fine-tuned the list of results. Options within one filter group are combined with OR; separate filter groups are combined with AND. Any column that you can filter on can also be added to the rule report through the column selection procedure (gear icon).

Use MITRE heat map calculations

The colors in the MITRE heat maps are calculated from the number of rule mappings to a tactic or technique and the confidence level of each mapping (low, medium or high). The more rules that map to the technique, the darker the hue. Only enabled rules are included in the calculation; disabled rules don’t contribute to the colors in the heat map. For each technique, all mappings to its sub-techniques are counted as if they were mappings to that technique.
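To make the two calculations above concrete, here is an added Python example (not Use Case Manager's own code) that first filters constructed rules with the OR-within-a-group / AND-across-groups semantics described for the timeframe report, and then scores technique coverage the way the heat map does: enabled rules only, sub-technique mappings credited to the parent technique, weighted by mapping confidence. The numeric confidence weights and all rule data are assumptions made for the example.

```python
"""Added example (not QRadar code): filter rules the way Use Case Manager
combines filter groups, then score MITRE technique coverage the way the
heat map does.  All rule data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed weights: the page only says that confidence (low, medium, high)
# and the number of mappings both drive the hue.
CONFIDENCE_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Rule:
    name: str
    enabled: bool
    log_source_type: str
    group: str
    # technique id -> confidence level of that mapping
    mappings: dict = field(default_factory=dict)


def matches_filters(rule: Rule, filter_groups: dict) -> bool:
    """OR within a filter group (any selected option may match),
    AND across groups (every group must be satisfied)."""
    for attribute, options in filter_groups.items():
        if getattr(rule, attribute) not in options:
            return False
    return True


def parent_technique(technique_id: str) -> str:
    """T1110.001 rolls up to T1110; a technique without a sub-ID is its own parent."""
    return technique_id.split(".")[0]


def heat_scores(rules, filter_groups=None):
    """Sum weighted mappings per technique.  Only enabled rules count, and a
    sub-technique mapping is credited to its parent technique."""
    scores = defaultdict(int)
    for rule in rules:
        if not rule.enabled:
            continue
        if filter_groups and not matches_filters(rule, filter_groups):
            continue
        for technique, confidence in rule.mappings.items():
            scores[parent_technique(technique)] += CONFIDENCE_WEIGHT[confidence]
    return dict(scores)


# Constructed sample rules (names, groups and log source types are made up)
RULES = [
    Rule("Multiple Login Failures", True, "Microsoft Windows", "Authentication",
         {"T1110.001": "high"}),
    Rule("Password Spray", True, "Microsoft Windows", "Authentication",
         {"T1110.003": "medium"}),
    Rule("Excessive Firewall Denies", True, "Palo Alto PA Series", "Recon",
         {"T1046": "low"}),
    # Disabled rule: must not change the heat map, even though it is mapped
    Rule("Legacy Brute Force", False, "GNU Linux Server", "Authentication",
         {"T1110": "high"}),
]

if __name__ == "__main__":
    print(heat_scores(RULES))                                   # {'T1110': 5, 'T1046': 1}
    print(heat_scores(RULES, {"group": {"Authentication"}}))    # {'T1110': 5}
```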

06

2 min read

Create a custom rule for offenses, log activity or network activity

QRadar includes rules that detect excessive firewall denials, multiple failed login attempts and potential botnet activity. You can also create your own rules to detect unusual activity.

Before you begin

Before you create a new rule, you need the Offenses > Maintain Custom Rules permission.

Note
Administrators automatically have access but new users might need permission. Learn about managing user accounts.

About this task

When you define rule tests, test against the smallest data set possible to keep rule evaluation efficient and avoid creating expensive rules. To optimize performance, start with broad categories that narrow the data evaluated by the later tests. For example, start with a rule test for a specific log source type, network location, flow source or context (R2L, L2R, L2L). Mid-level tests can then check IP addresses, port traffic or other associated attributes. Test the payload and regular expressions last.
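As an added illustration (not QRadar code) of why this ordering matters, the Python below runs a toy four-test stack over constructed events in the recommended order and in reverse, counting how often the expensive payload regular expression is actually evaluated. The event fields, test names and payloads are assumptions for the example; QRadar's real engine is not modelled.

```python
"""Added example (not QRadar code): a toy rule test stack showing why broad,
cheap tests (log source type, network context) should precede IP/port tests
and payload regular expressions.  Events and tests are constructed."""
import re
from collections import Counter

# Constructed sample events: a mix of log source types and traffic directions
EVENTS = [
    {"log_source_type": "GNU Linux Server", "context": "R2L", "dst_port": 22,
     "payload": "sshd[412]: Failed password for root from 203.0.113.9 port 51022"},
    {"log_source_type": "GNU Linux Server", "context": "L2L", "dst_port": 22,
     "payload": "sshd[413]: Accepted publickey for deploy from 10.0.0.7"},
    {"log_source_type": "Microsoft Windows", "context": "L2L", "dst_port": 445,
     "payload": "An account failed to log on. Logon Type: 3"},
    {"log_source_type": "Palo Alto PA Series", "context": "L2R", "dst_port": 443,
     "payload": "TRAFFIC allow 10.0.0.5 198.51.100.2 tcp/443"},
] * 250  # 1000 events in total

FAILED_PASSWORD = re.compile(r"Failed password for \S+ from \d+\.\d+\.\d+\.\d+")

# Each test is a predicate; the stack is ANDed and stops at the first failure.
TESTS = {
    "log source type is GNU Linux Server": lambda e: e["log_source_type"] == "GNU Linux Server",
    "context is R2L": lambda e: e["context"] == "R2L",
    "destination port is 22": lambda e: e["dst_port"] == 22,
    "payload matches regex": lambda e: FAILED_PASSWORD.search(e["payload"]) is not None,
}


def run_stack(order, events):
    """Evaluate the tests in the given order with AND short-circuit.
    Returns (number of matching events, evaluations per test)."""
    evaluations = Counter()
    matches = 0
    for event in events:
        for name in order:
            evaluations[name] += 1
            if not TESTS[name](event):
                break
        else:
            matches += 1
    return matches, evaluations


RECOMMENDED = ["log source type is GNU Linux Server", "context is R2L",
               "destination port is 22", "payload matches regex"]
EXPENSIVE_FIRST = list(reversed(RECOMMENDED))


def regex_evaluations(order, events=EVENTS):
    """How many times the payload regex ran for a given test order."""
    return run_stack(order, events)[1]["payload matches regex"]


if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED), ("regex first", EXPENSIVE_FIRST)):
        matches, evals = run_stack(order, EVENTS)
        print(f"{label}: {matches} matches, regex evaluated "
              f"{evals['payload matches regex']} times")
```

Both orders produce the same matches; only the recommended order keeps the regular expression from running against every event.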

Categories group similar rules, such as Audit, Exploit, DDoS, Recon and more. When you delete an item from a group, the rule or building block is only deleted from the group. The item remains available on the Rules page. When you delete a group, the rules or building blocks of that group remain available on the Rules page.

Procedure

  1. From the Offenses, Log Activity or Network Activity tab, click Rules.
  2. From the Display list, select Rules to create a new rule.
  3. Optional: From the Display list, select Building Blocks to create a new rule using building blocks.
  4. From the Actions list, select a rule type. Each rule type tests against incoming data from different sources in real time. For example, event rules test incoming log source data, and offense rules test the parameters of an offense to trigger more responses.
  5. On the Rule Test Stack Editor page, in the Rule pane, type a unique name that you want to assign to this rule in the Apply text box.
  6. From the list box, select Local or Global.
    1. In Local, the Event Processor handles all rules as received in order, and offenses occur only for the events that are processed locally.
    2. In Global, the QRadar Console processes all matching events and uses more bandwidth and processing resources.
  7. From the Test Group list, select one or more tests that you want to add to this rule. The custom rule event (CRE) evaluates rule tests line by line in order until reaching the final test.

    If you select the “when the event matches this AQL filter query” test for a new event rule, enter an AQL WHERE clause query in the “Enter an AQL filter query” text box.

  8. To export the configured rule as a building block to use with other rules, click Export as Building Block.
  9. On the Rule Responses page, configure the responses that you want this rule to generate.

What to do next

To test your rules, run Historical correlation.

To verify that the event triggers the rule test based on your building block, you can create an email response. See sending email notifications.

07

1 min read

Detect ransomware with QRadar Endpoint Content Extension

To protect your data from ransomware, you need to monitor and secure your endpoints.

Differentiate between normal and suspicious endpoint behavior with the QRadar Endpoint Content Extension, available on the IBM X-Force Exchange portal. Use the QRadar Endpoint Content Extension to closely monitor the Linux and Microsoft Windows endpoints in your deployment.

QRadar Endpoint Content Extension includes ransomware detection rules for Bad Rabbit, Maze, Not Petya, Petya, WannaCry and REvil—also known as Sodinokibi or Sodin—as well as more general ransomware behavior.

This content extension includes one or more IBM Pulse® dashboards. For more information, see QRadar Pulse application.

You must configure the Linux and Windows endpoints that you want to monitor for use with this content extension.

The biggest difficulty is to target suspicious behavior without creating large numbers of false positives.

08

3 min read

Tune your QRadar environment with built-in analysis

The QRadar Use Case Manager application provides several ways to tune your QRadar environment.

QRadar SIEM tuning

You can tune your QRadar SIEM system to meet the needs of your environment. Before you tune QRadar SIEM, wait one day after installation so that QRadar SIEM can detect servers on your network, store events and flows, and create offenses that are based on existing rules.

Administrators can perform the following tuning tasks:

  • Optimize event and flow payload searches by enabling a payload index on the Log Activity and Network Activity tabs.
  • Provide a faster initial deployment and easier tuning by automatically or manually adding servers to building blocks.
  • Configure responses to event, flow and offense conditions by creating or modifying custom rules and anomaly detection rules.
  • Ensure that each host in your network creates offenses that are based on the most current rules, discovered servers and network hierarchy.

Payload indexing

Use the Quick Filter function available on the Log Activity and Network Activity tabs to search event and flow payloads. To optimize the Quick Filter, you can enable a payload index Quick Filter property.

Enabling payload indexing might decrease system performance. Monitor the index statistics after you enable payload indexing on the Quick Filter property.

Servers and building blocks

QRadar SIEM automatically discovers and classifies servers in your network, providing a faster initial deployment and easier tuning when network changes occur. To ensure that the appropriate rules are applied to the server type, you can add individual devices or entire address ranges of devices. You can manually enter server types that don’t conform to unique protocols into their respective Host Definition Building Block.

The Server Discovery function uses the asset profile database to discover several types of servers on your network. The Server Discovery function lists automatically discovered servers, and you can select which servers you want to include in building blocks.

Using building blocks, you can reuse specific rule tests in other rules. You can reduce the number of false positives by using building blocks to tune QRadar SIEM and enable extra correlation rules.

Configure rules

  1. Click the Offenses tab.
  2. Double-click the offense that you want to investigate.
  3. Click Display > Rules.
  4. Double-click a rule.
  5. Close the Rules wizard. The Creation Date property changes to the date and time when you last updated a rule.
  6. In the Rules page, click Actions.
  7. If you want to prevent the offense from being removed from the database after the offense retention period has elapsed, select Protect Offense.
  8. If you want to assign the offense to a QRadar SIEM user, select Assign.

Clean the SIM data model

To have a baseline for new offenses, you can clean the SIM data model, which ensures that each host creates offenses based on the most current rules, discovered servers and network hierarchy using the following procedure:

  1. Click the Admin tab.
  2. On the toolbar, select Advanced > Clean SIM Model.
  3. Select an option:
    1. Soft Clean to set the offenses to inactive.
    2. Soft Clean with the optional “Deactivate all offenses” check box to close all offenses.
    3. Hard Clean to erase all offenses.
  4. Check the “Are you sure you want to reset the data model?” box.
  5. Click Proceed.
  6. After the SIM reset process is complete, refresh your browser.

When you clean the SIM model, all existing offenses are closed. Cleaning the SIM model doesn’t affect existing events and flows.

For more information about payload indexes, tuning rules and related activities, see the IBM QRadar Administration Guide (PDF, 2.7 MB).

Next steps


Get into the specifics

Learn more about IBM Security QRadar Community Edition

Visit the webpage

Access reporting to meet your needs

Explore the QRadar Use Case Manager to help ensure QRadar is optimally configured

Download the app

Ready the deployment details

Get the QRadar SIEM Getting Started Guide for an in-depth introduction

Download guide (518 KB)