IBM Security QRadar is a market-leading SIEM solution that applies automated, intelligent analytics to a vast amount of security data to provide insight to security analysts. QRadar intelligently correlates and analyzes a variety of data types from a wide range of sources to identify known and unknown threats. These data sources range from various endpoints like Windows event logs, Carbon Black, Cisco devices and many more, to network activity data, which comes from various firewalls, gateways, routers or sensors. QRadar is capable of capturing and analyzing data activity as well. User and identity data sources are ingested from various identity and access management solutions like Active Directory, LDAP and many more. QRadar is also capable of analyzing data from various threat intelligence feeds. Configuration information of various systems can also be analyzed by QRadar. It also analyzes data from various antivirus tools, vulnerability scanners and many others, and vulnerability data from intrusion detection systems, intrusion prevention systems, and the list goes on. Various application data sources are also part of the wide range of data sources that can be analyzed by QRadar. Cloud data from SaaS environments such as Office 365, Amazon Web Services and Google Cloud is another section of data sources that QRadar can analyze. It's like: you name any source you want to monitor, and QRadar analyzes it for you. This is a complete 360-degree view of QRadar, where no data source is left alone in the dark for the attackers.

Now let's deep dive into QRadar architecture. QRadar is an all-in-one SIEM solution which captures, processes and displays the data. As discussed earlier about the various data sources, QRadar first captures data from as many data sources as we wish. After capturing, it will start to process the data collected from different endpoints to provide us with readable insights on the UI as processed data. This processed data is also stored in QRadar for historical correlation and to study the insights of this data. QRadar can also use the rapidly assembled, innovative workflows, visualizations, analytics and use cases that are packaged into apps to address specific security requirements.

Now let's understand the various components that can be integrated with QRadar to maintain its efficiency. As the deployment keeps on growing, there is a need to scale the deployment to ease the console. The first component is to add an event collector or flow collector, which would take away the function of event or flow collection, parsing and normalization. The event collector collects data from local and remote log sources and normalizes raw log source events to format them for use by QRadar. When you add an event collector or flow collector to your all-in-one appliance, the capturing function is moved from the all-in-one appliance to the event or flow collector. Likewise, the second component is to add an EP (event processor), which would take away the function of processing and correlation. The event processor processes events that are collected from one or more event collectors or the console, which means that the processing function of the QRadar all-in-one is moved to the event or flow processor. The event processor processes events by using the Custom Rules Engine (CRE). If events are matched to the CRE custom rules that are predefined on the console, the event processor executes the action that is defined for the rule response. The next component is to add a data node, which would further enhance the capabilities of the event processor or flow processor by storing and processing data. Data nodes enable new and existing QRadar deployments to add storage and processing capacity on demand, as required. Data nodes help to increase the search speed in a deployment by providing more hardware resources to run search queries on. The other component is the app host, which takes away the function of apps. An app host is dedicated to running apps. The app host provides extra storage, memory and CPU resources for apps without impacting the processing capacity of the QRadar console.

Let's walk through the QRadar UI. The first thing that we would see in QRadar is the dashboard. These dashboards provide a high-level overview in the form of various charts. There are a number of predefined dashboards like risk monitoring, compliance overview, system monitoring and many more. These dashboards can be customized, where different widgets can be added, and new custom dashboards can also be created as per requirement. The next tab is the Log Activity tab, which displays event information as records from a log source such as a firewall or router device. The Log Activity tab is used for investigating event data that is sent to QRadar in real time. It is also used to search events and to monitor log activity by configuring time series charts. The next tab is the Network Activity tab, which displays information about how network traffic is communicated and what was communicated. Using the Network Activity tab we can investigate the flows that are sent to QRadar in real time. We can also search for particular network flows and monitor network activity by using configurable time series charts. The Offenses tab is the next one, which is used to view all the offenses that occur in the network. Using this tab we get to investigate offenses, source and destination IP addresses, network behaviors and anomalies on the network. We can also correlate events and flows that are sourced from multiple networks to the same destination IP address, and also determine the unique events that caused an offense. The next tab is Asset Profiles, which provides information about each known asset in the network. Asset profile information is used for correlation purposes, which helps to reduce false positives. It makes use of passive flow data and vulnerability data to discover our network servers and hosts. The next tab is the Reports tab, where we can see various reports that are scheduled or run manually. QRadar provides default report templates that we can customize, rebrand and distribute to QRadar users. Report templates are grouped into report types such as compliance, device, executive and network reports.

Next is the Admin tab. Here, as an administrator, a variety of tools are available to help configure and manage the QRadar deployment. Starting with system configuration, we get to see a lot of settings that can be applied. First is auto updates, where we don't have to worry about the system getting updated to the latest RPMs or JAR files; that is taken care of by the auto update, where we can perform some configuration changes as an administrator. Next is backup and recovery, where a backup of data as well as configuration can be made and modified. Another important aspect provided to us in the Admin tab is system and license management, where we get the capability to deploy and manage QRadar hosts and their licenses. Furthermore, there is extensions management, where we get to install different applications on QRadar. Apart from system configuration, we do have user management, where as an administrator we can define user roles and security profiles, and also authorize different services to connect with QRadar. Thereafter, there are some forensics-related configuration settings that can be done, like server management and case management, and we can also schedule actions as part of our forensics. As we talked about assets, as an administrator we also get to define custom asset properties and do the asset profiler configuration. The next sub-part is data sources. Here we can create different log sources; we can also make use of different log source extensions, and we can group log sources. Next is flows, where we can configure flow sources; we can provide them with their own retention policy and other customizable actions. Next is defining actions: whenever an offense is triggered, certain actions can be defined that can be taken up on the alert that has been generated. This can be done through this part of the Admin tab. Thereafter we have vulnerability scanners, where we can schedule when the scan should be run and other related configurations. Further, as we scroll down, we do see a lot of application-related items: we do see risk management, we do see many apps and how we can do their configurations and different settings. That was about the Admin tab. IBM QRadar will guide you to monitor alerts and mitigate risk in your environment. You can now leverage the capabilities from IBM QRadar to strengthen your organization.
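The collect, normalize and correlate pipeline described in the architecture portion above (an event collector normalizing raw log source events, and an event processor matching them against predefined custom rules and executing the rule response), as an added Python illustration that is not QRadar code and not from the video: the two log source formats, the rule names and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed raw events from two hypothetical log sources (not real device output).
RAW_EVENTS = [
    "fw01 action=deny src=10.0.0.5 dst=10.0.0.20 dport=22",
    "win-dc1 EventID=4625 Account=bob SourceIP=10.0.0.5",
    "fw01 action=deny src=10.0.0.5 dst=10.0.0.21 dport=22",
    "win-dc1 EventID=4625 Account=bob SourceIP=10.0.0.5",
    "win-dc1 EventID=4624 Account=alice SourceIP=10.0.0.9",
    "fw01 action=deny src=10.0.0.5 dst=10.0.0.22 dport=22",
    "unknown-host something happened",
]

# Rules an administrator would predefine on the console: (name, category, threshold).
RULES = [
    ("Multiple Authentication Failures From Same Source", "Authentication Failure", 2),
    ("Repeated Firewall Denies From Same Source", "Firewall Deny", 3),
]

def normalize(raw):
    """Collector step: parse a raw line into common fields; None when no parser matches."""
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    if raw.startswith("fw01") and "action" in kv:
        category = "Firewall Deny" if kv["action"] == "deny" else "Firewall Permit"
        return {"log_source": "fw01", "category": category, "src_ip": kv["src"], "dst_ip": kv["dst"]}
    if raw.startswith("win-dc1") and "EventID" in kv:
        category = "Authentication Failure" if kv["EventID"] == "4625" else "Authentication Success"
        return {"log_source": "win-dc1", "category": category, "src_ip": kv["SourceIP"], "user": kv["Account"]}
    return None  # unparsed: the event is stored, but rules cannot act on it

def correlate(events, rules=RULES):
    """Processor/CRE step: count matching events per (rule, src_ip); create an offense at the threshold."""
    counts, offenses = defaultdict(int), []
    for ev in events:
        for name, category, threshold in rules:
            if ev["category"] != category:
                continue
            key = (name, ev["src_ip"])
            counts[key] += 1
            if counts[key] == threshold:  # fire once, when the threshold is first reached
                offenses.append({"rule": name, "src_ip": ev["src_ip"],
                                 "event_count": threshold, "response": "create offense"})
    return offenses

def run_pipeline(raw_events):
    """Collector then processor, as the all-in-one appliance does both in one box."""
    normalized = [ev for ev in map(normalize, raw_events) if ev is not None]
    return normalized, correlate(normalized)
```

Moving `normalize` and `correlate` onto separate hosts is what adding an event collector and an event processor does to the all-in-one appliance.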