Overview of IBM QRadar and Its Features

Sep 24, 2024

Lecture Notes on IBM QRadar

Introduction to QRadar

  • QRadar: A market-leading Security Information and Event Management (SIEM) solution.
  • Functionality: Applies automated intelligent analytics to a vast amount of security data.
  • Objective: To assist security analysts in identifying known and unknown threats.

Data Sources for QRadar

  • Variety of Sources: Captures and analyzes data from various endpoints including:
    • Windows event logs
    • Carbon Black
    • Cisco devices
    • Network activity data from firewalls, gateways, routers, sensors.
  • User and Identity Data: From Identity and Access Management solutions like Active Directory and LDAP.
  • Threat Intelligence Feeds: Incorporates data from multiple threat intelligence feeds.
  • Configuration Information: Analyzes data from various systems and security tools:
    • Antivirus tools
    • Vulnerability scanners
    • Intrusion Detection Systems (IDS)
    • Intrusion Prevention Systems (IPS)
  • Cloud Data: Analyzes data from SaaS environments (Office 365, AWS, Google Cloud).

QRadar Architecture

  • All-in-One SIEM Solution: Processes and displays data from multiple sources.
    • Data Capturing: Collects data from numerous sources for processing.
    • Data Processing: Converts raw data into readable insights.
    • Storage: Stores processed data for historical correlation.

Components of QRadar

  1. Event Collector/Flow Collector:
    • Handles event/flow collection, parsing, and normalization.
    • Normalizes raw log source events for QRadar.
  2. Event Processor:
    • Manages event processing and correlation.
    • Uses a custom rules engine to execute actions based on predefined rules.
  3. Data Node:
    • Enhances storage and processing capabilities.
    • Increases search speed by providing additional hardware resources.
  4. App Host:
    • Dedicated for running apps, providing extra storage, memory, and CPU resources.
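To make the collector-to-processor flow above concrete, here is an added example (not QRadar code or its rule language) that normalizes two constructed log-source formats into common fields and then applies one correlation rule of the "repeated login failures" kind to raise an offense; the field names, rule name and sample lines are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample raw events from two log-source types feeding one collector.
RAW_EVENTS = [
    "2024-09-24T10:00:01 sshd[812]: Failed password for root from 203.0.113.5 port 4122 ssh2",
    "2024-09-24T10:00:05 sshd[812]: Failed password for admin from 203.0.113.5 port 4130 ssh2",
    "2024-09-24T10:00:09 EventID=4625 Account=svc_backup SourceIP=203.0.113.5 Status=0xC000006D",
    "2024-09-24T10:00:20 EventID=4624 Account=alice SourceIP=198.51.100.7 Status=0x0",
    "2024-09-24T10:00:40 sshd[812]: Accepted password for alice from 198.51.100.7 port 4200 ssh2",
]

# Collector stage: one parser per log-source format, both mapping onto the same normalized fields.
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
WIN_RE = re.compile(r"^(\S+) EventID=(\d+) Account=(\S+) SourceIP=(\S+)")

def normalize(raw):
    """Parse one raw line into a normalized event; return None when no parser matches."""
    m = SSH_RE.match(raw)
    if m:
        ts, outcome, user, src = m.groups()
        name = "Login Failure" if outcome == "Failed" else "Login Success"
        return {"time": datetime.fromisoformat(ts), "event_name": name, "username": user, "source_ip": src}
    m = WIN_RE.match(raw)
    if m:
        ts, event_id, user, src = m.groups()
        name = "Login Failure" if event_id == "4625" else "Login Success"  # 4625 = Windows logon failure
        return {"time": datetime.fromisoformat(ts), "event_name": name, "username": user, "source_ip": src}
    return None

# Processor stage: rule "threshold login failures from one source IP within window" raises an offense.
def correlate(events, threshold=3, window=timedelta(seconds=60)):
    offenses = []
    failures = defaultdict(list)  # source_ip -> failure timestamps still inside the sliding window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_name"] != "Login Failure":
            continue
        src = ev["source_ip"]
        failures[src] = [t for t in failures[src] if ev["time"] - t <= window] + [ev["time"]]
        if len(failures[src]) >= threshold:
            offenses.append({"rule": "Repeated Login Failures", "source_ip": src,
                             "count": len(failures[src]), "last_seen": ev["time"]})
            failures[src] = []  # reset so one burst yields one offense, not one per extra failure
    return offenses

def run_pipeline(raw_lines):
    """Collector + processor in sequence: normalize every line, then correlate the parsed events."""
    events = [e for e in (normalize(line) for line in raw_lines) if e is not None]
    return events, correlate(events)
```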

QRadar User Interface (UI)

  • Dashboard:
    • Provides a high-level overview using various charts.
    • Customizable with widgets and new dashboards.
  • Log Activity Tab:
    • Displays real-time event data from log sources.
    • Used for investigating event data.
  • Network Activity Tab:
    • Displays information about network communications.
    • Investigates network flows in real-time.
  • Offense Tab:
    • Displays all offenses detected across the network.
    • Correlates events and flows from multiple networks.
  • Asset Profiles Tab:
    • Provides information about known assets in the network.
    • Helps reduce false positives using passive flow and vulnerability data.
  • Reports Tab:
    • Displays scheduled or manually queued reports.
    • Provides customizable report templates.
  • Admin Tab:
    • Configuration and management tools for the QRadar deployment:
      • System Configuration: Auto updates, backup and recovery.
      • User Management: Define roles and security profiles.
      • Data Sources: Create and manage log sources and flow sources.
      • Vulnerability Scanners: Schedule scans and configurations.

Conclusion

  • IBM QRadar: A robust solution for monitoring alerts and mitigating risks in security environments.
  • Goal: Leverage QRadar's capabilities to strengthen organizational security.