QRadar SIEM 7.2


_____________________________________________________________________

_____________________________________________________________________
2
QDTS

QRadar SIEM 7.2

QRadar SIEM 7.2


_____________________________________________________________________

1. .......................................................... 7
1. ........................................ 7
2. ....................................... 8

2. QRadar SIEM Dashboard ........................... 9


1. dashboard ............................................................ 9

3. ........................ 11
1. DNS ............................. 11

4. ............................ 16
1. , ............................. 16
2. ............................. 20
3. ................................................. 22

5. ........................... 25
1. ,
................................................................................................................................... 25

6. ..... 30
1. ............................................................. 30
2. ................................................................................ 38
3. ................................................... 39
4. .................................................. 40

7. ................................................................ 43
1. ................................................ 43
2. ................................................................ 46
3. ......... 50

8. ...... 56
1. Deployment Editor............................................................................ 56
2. soft clean hard clean ................................... 60
3. ................................. 61

9. .............................................. 62
1. ........................................... 62

10.
........................................................................... 65
1. .......................................... 65
2. .............................................. 68
3. ............................................................. 74
4. .................................... 75
5. ............................... 76
6. .................................................................. 82

11. .......................................... 87
1. .......................................................... 87
2. ........................................................ 91
3. ................. 95
4. ......................................... 97

12. ....................................................... 99
1. ........................ 99
2. ................................................................... 101

13. .............................................. 103


1. ....................... 103
2. .................................... 105

14. Windows ................................................ 108


1. .................................... 108
2. WinCollect ....................................................... 109
3. WinCollect .................. 111

15.
................................................................................................... 114
1. QRadar SIEM ................................................... 114
2. .................................... 117

3. DSM
............................................................................................................... 119
4. Log Source Event ID PostgreSQL dsmevent
................................................................................................................... 126

16. ................................................... 128


1. RPC ........................................................ 128

17. ............................................................. 133


1. .................................................. 133
2. ........................................................................ 140

18. ..................... 142


1. ............ 142

19. ................. 144


1. ............................................................... 144
2. ....................................... 145
3. ........................................................ 146
4. ADE ............................................................... 148
5. ADE ........................................................ 149
6. ADE ........................................... 150
7. ADE................ 153


1.
1.

1. Windows
:

: Administrator
: object00

2. QRadar SIEM .
Windows web- Firefox.
QRadar SIEM.

3. :

: admin
: object00

2.

1. RHEL
:
Putty .
. :

: root
: object00


2. QRadar SIEM
Dashboard
1. dashboard
1.
:
cd /labfiles
./sendCheckpoint.sh 1>/dev/null 2>&1 &
2. QRadar SIEM.
3. New Dashboard.

4. Name My Own Dashboard.

5. Description .
6. OK. dashboard
.

7. dashboard Add Item
:

Offenses > Offenses > Most Severe Offense

Log Activity > Event Searches > Top Services Denied Through Firewalls
Log Activity > Event Searches > Event Rate (EPS)

8. , .
9. Refresh .
10. , dashboard
.


3.

1.
DNS
1. QRadar SIEM Offenses.
2. : Local DNS Scanner containing Invalid DNS.
.
Search New Search.

3. Description Local DNS Scanner. ,
.

4. Search. , .

5. , .
?
_____________________________________________________________________
?
_____________________________________________________________________
? ,
.
_____________________________________________________________________
IP (Source IP) ? ,
Offense Source.
_____________________________________________________________________

6. Local DNS Scanner Invalid DNS,
.
.

7. .
?
_____________________________________________________________________
?
_____________________________________________________________________
IP (Source IP) ?
_____________________________________________________________________
IP (Destination IP) ?
_____________________________________________________________________

. Display
Categories. ?

_____________________________________________________________________
_____________________________________________________________________
? ,
, Display Annotations.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
, (Destination Port)
Last 10 Events? , Summary
.
_____________________________________________________________________
?
_____________________________________________________________________

8. . Actions
Add Note. Add Note.

9. Actions
Protect Offense. Protected
.

?
_____________________________________________________________________
_____________________________________________________________________


4.

1. ,

1. QRadar SIEM Offenses.


2. Local DNS Scanner containing
invalid DNS.
3. , ,
Categories Display.

4.
DNS Protocol Anomaly,
DNS Protocol Anomaly Events.
.

5. , IP ,
Local DNS Scanner. ,
Filter on Source IP is not 10.152.247.69.

6. ?
_____________________________________________________________________
7. ?
_____________________________________________________________________
_____________________________________________________________________

8. , ,
Clear Filter Offense is Local DNS Scanner.

9. ? ?
10. 24 , View
Last 24 Hours.

11. 24 ,
7 . DNS
.


2.

1. . Save Criteria.
.

2.
:

Search Name: My DNS Protocol Anomaly
Assign Search to Group(s): CheckPoint
Timespan options: Recent, Last 24 Hours
Include in my Quick Searches
Set as Default
Share with Everyone

3. , , OK.

4. .
Save Results. .
5. My DNS Protocol Anomaly Search Results. OK.

6. .
Search Manage Search Results.

7.
Delete.

3.
1. QRadar SIEM Log Activity.
2. Quick Searches.

3. .
, :
Log Activity Quick Searches.

4. ,
. .
.

5. , ,
( Payload Information),
DNS .
Previous Next.

6. , Return to Event List.


5.

1. ,

1.
:
cd /labfiles
./startRdp.sh

2. QRadar SIEM Network Activity.


3. , .
.
, .

4. .
. ,
!

5. Firefox . ,

Firefox: Tools > Options > Content > Disable block pop-up windows > OK.
6.
.

?
_____________________________________________________________________
?
_____________________________________________________________________
IP (Destination IP) ?
_____________________________________________________________________
?
_____________________________________________________________________
?
_____________________________________________________________________
?
Display Rules.

_____________________________________________________________________
7. , , Flows
.
.

8. ,
.

9. .
?
_____________________________________________________________________
?
_____________________________________________________________________
, ,
.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
10. , , .
False Positive.

11. Tune, Close.

12. .
13. . Offenses
All Offenses.
14. Actions Close.
15. Reason for Closing
False-Positive, Tuned. OK.


6.

1.
1. ,
. QRadar SIEM
Admin.
2. Reference Set Management.

3. Add.

4. Name My Watchlist. AlphaNumeric
Create.

5. My Watchlist . .

6. Add :

dcross
gyates
jchong
jstarco
krussell
wallenberg

7. Log Activity.

8. Rules Rules.

9. Actions New Event Rule.


.

10. Next, .
11. Apply My Watchlist Rule.

12. when any of these event properties are


contained in any of these reference set(s).

, Type to filter when any of these
event. when any of these event
properties are contained in any of these reference set(s).

13. these event properties.

14. Username, Add +,


Submit.

15. these reference


set(s) My Watchlist.

16. . Test Group
Functions Simple.

17. .
rules.
18. Type to filter BB:Category.
BB:CategoryDefinition: Authentication Success Add. Submit.

19. Authentication Notes


: This rule tracks successful logon of Watchlist users. Next.

20. :

Ensure the detected event is part of an offense
Index offense based on: Username
Annotate this offense: Watchlist user successful login
Annotate event
Enter annotation for this event: Watchlist user successful login
Dispatch New Event
Event Name: Watchlist user login
Event Description: Watchlist user login
Severity: 8
Credibility: 10
Relevance: 10
High Level Category: Authentication
Low Level Category: User Login Success
Annotate this offense: Watchlist user login
Ensure the dispatched event is part of an offense
Index offense based on: Username
This information should contribute to the naming of the associated offense(s)

21. , ,
Next.

22. , ,
Finish.

23. Log Activity. View Real Time


(streaming).
24.
:
cd /labfiles
./sendWindows.sh
25. , . ,
.

26. .
?
_____________________________________________________________________
?
_____________________________________________________________________

2.
1. Local DNS Scanner containing
Invalid DNS.
2. , .
, ?
_____________________________________________________________________
?
_____________________________________________________________________
_____________________________________________________________________
, ,
,
IP ?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________


3.
1. QRadar SIEM Offenses.
2. Rules.
3. ,
Offense Count.

4. ?
_____________________________________________________________________
5. My Watchlist Rule?
_____________________________________________________________________
6. ?
_____________________________________________________________________

7. All Offenses. An account was
successfully logged on.

8. Actions Close.
9. Reason for Closing Policy
Violation OK.
10. Rules. My Watchlist Rule.
11. ?
_____________________________________________________________________
12. ?
_____________________________________________________________________

4.
1. Offenses QRadar SIEM . All
Offenses.
2. Communication to a known Bot Command and
Control 10.126.152.5.

3. . Firewall Deny
.
4. Rules Offenses.

5. Display Building Blocks. Group
User Tuning.

6. User-BB-FalsePositive: User Defined


False Positives Tuning.
.

7. .
CAT.
8. Remove Submit.

9. Finish.
. Revert Rule.

10. . OK.


7.
1.
1. QRadar SIEM 1500 .
. QRadar SIEM
Reports.
2. , Hide Inactive Reports.
3. Group SOX.

4. Search Report Daily Top ,


.

5. Daily Top Targeted Hosts.


6. Actions Run Report.

7. , .
Daily Top Targeted Hosts?
_____________________________________________________________________
8. Daily Top Targeted Hosts.
.
9. Next, Specify Report Contents.
10. Define . .
,
?
_____________________________________________________________________
?
_____________________________________________________________________
X Y ?
_____________________________________________________________________

11. Cancel, (
Cancel; ,
).
12. Define .
.
,
?
_____________________________________________________________________
X Y ?
_____________________________________________________________________
13. Cancel, (
Cancel; ,
).
14. Next , pdf .

15. Cancel, .
16. Refresh Daily Top
Targeted Hosts.

17. , PDF Formats,


.
18. . Group
Reporting Group Search Report.

2.
1. Reports Actions Create.
Next.
2. This report should be scheduled to generate
Daily . Next.

3. Choose a Layout Orientation Landscape.
4. , , Next.

5. Specify Report Content Report Title Top Log


Sources.
6. Chart Type Events/Logs.
7.
:

Chart Title: My Top Log Sources
Limit the Events/Logs to Top: 10
Graph Type: Stacked Line
Saved Searches: Top Log Sources
Horizontal (X) Axis: Event Count (Sum)
Timeline Interval: 1 Minute

8. , , Save
Container Details. , ,
.

9. Next.
10. Report Format HTML PDF.
11. Next, Finishing Up.

12. Report Description The Daily Top Log Sources report lists the
top ten log sources by event count.
13. , Run this report when the wizard is complete
.
14. Next, Finish.
15. Refresh,
My Top Log Sources.
16. ( Next Run Time),
PDF Formats, .


3.

1. QRadar SIEM Log Activity.
2. View Last 3 Hours.
3. Add Filter :
Custom Rules; Equals; Rule Group
Authentication; Rule My Watchlist Rule.

4. Add Filter.
5. . Display
Username.
6. . Save Criteria.
7. Search Name Watchlist User Logins by Username.
Authentication, Identity and User Activity.

8. ,
, OK.

9. . Search
New Search.
10. Watchlist Type Saved Search.
Watchlist User Logins by Username
Load.

11. IP (Source IP)


( ,
, Log Source
, Group By; ).
Start Date Start Time .
Count.
12. ,
Search.

13. . Save
Criteria, Search Name Watchlist User Logins by Log Source.
14. Authentication, Identity and
User Activity OK.
15. Reports.
16. Actions Create. Next .
17. This report should be scheduled to generate Manually.
18. Choose a Layout Orientation
Landscape.
19. , , Next.
20. Specify Reports Contents Report Title Terminated
user logins.
21. Chart Type Event/Logs.
22.
:

Type
Chart Title: Terminated user logins
Limit the Events/Logs to Top: 10
Graph Type: Bar
Manually Scheduling: 24
Saved Searches: Watchlist User Logins by Username
Horizontal (X) Axis: Username
Vertical (Y) Axis: Count


.
23. , ,
Save Container Details.

24. Chart Type Events/Logs.


25.
:

Type
Chart Title: Terminated user logins by IP
Limit the Events/Logs to Top: 10
Graph Type: Table
Manually Scheduling
Saved Searches: Watchlist User Logins by Log Sources

26. Save Container Details.


27. Next. Report Format HTML PDF.
28. Next , Finishing Up.
29. Report Description Watchlist User Logins.
30. Authentication, Identity and User Activity.
31. , Yes - Run this report when the wizard is complete
, Finish.

32. Refresh, .
, PDF Formats,
.


8.

1. Deployment Editor
1. Admin Deployment Editor.

2. OK, Java .

3. Run, .

4. No, Java .
Deployment Editor.

5. qflow0::COE
Configure.

6. Advance (Advan).

7. . ?
Maximum Data Capture/Packet
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Maximum Content Capture
_____________________________________________________________________
_____________________________________________________________________
8. Cancel Deployment Editor.


2. soft clean hard


clean
1. Admin Advanced.
2. Clean SIM Model. : Soft Clean Hard
Clean.

3. . .
4. .
Soft Clean
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Hard Clean
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
5. Reset Clean SIM Data Model.


3.

1. Admin Auto Update.


2. Change Settings.
Update Configuration.
3.

Advanced.
http://www.ibm.com/support/fixcentral/.

Web

Server

4. , Directory autoupdates/.
5. Basic.
6.
:

Frequency: Weekly
Hour: 12:00 PM
Week Day: Tuesday

, , , .
Setting up QRadar SIEM Setting up a QRadar SIEM update server.
7. Save Update Configuration. QRadar
SIEM , ..
,
.


9.
1.
1. Admin Network Hierarchy.
2. all Add.

3. Add Group Group.

4. Europe.Sales OK.
5. :

Name: Ireland
Weight: 50
IP/CIDR(s): 87.198.175.120/32
Color
Database Length: System Network Object Default

6. , Save.

7. Return. , .

8.
:

Group: Americas.HQ
Name: Sales
Weight: 50
IP/CIDR(s): 55.0.0.0/8, 10.1.121.0/24
Color
Database Length: System Network Object Default


Group: Americas.HQ
Name: Development
Weight: 50
IP/CIDR(s): 74.0.0.0/8
Color
Database Length: System Network Object Default

Group: Asia.Turkey
Name: Support
Weight: 50
IP/CIDR(s): 94.122.0.0/16
Color
Database Length: System Network Object Default

9. , ,
Network Views.

10. Admin Deploy Changes.


10.

1.
1. , .
QRadar SIEM Assets.
2. Asset Profiles.
3. Vulnerabilities.

4. . Admin
VA Scanners.
5. Add.
:

Scanner Name: My Nessus Scanner
Description: Exercise
Type: Nessus Scanner
Collection Type: Scheduled Results Import
Remote Results Hostname: 192.168.10.10
Remote Results Port: 22
SSH Username: root
SSH Password: object00
Enable Key Authentication
Remote Results Directory: /labfiles/VIS
Remote Results File Pattern: .*\.nessus
Remote Results Max Age: 7
CIDR Ranges: 0.0.0.0/0

6. , , Save.

7. Admin Deploy Changes.


8. /labfiles/VIS,
. :
cd /labfiles/VIS
touch *
9. QRadar VA Scanner, My Nessus Scanner,
Schedule.

10. Add.
:

VA Scanner: My Nessus Scanner
Network CIDR: 0.0.0.0/0
Priority: Low
Ports: 1-63553
Start Time: + 2
Interval: 0 Hours

11. , ,
Save.

12. .
Complete.

13. Assets.
14. Assets Profiles.
Vulnerabilities. ,
.


2.
1. Asset 10.0.100.162.
2. Display Services.
3. , .

4. 192.168.10.10.
5. Application.

6. Search.

?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
7. .
8. MAC IP 192.168.10.10.
QRadar :
ifconfig

9. MAC IP .
MAC .

eth0
_____________________________________________________________________
eth1
_____________________________________________________________________

10. 192.168.10.10
Edit Asset.

11. MAC & IP Address Unknown NIC


Edit.
12. MAC eth0, ,
OK.

13. New MAC Address


eth1, . Add.
14. MAC eth1 New IP
Address.
15. IP eth1 Add.

16. , .

17. DNS
. Names & Description.
18. DNS Name COE.ibm.com Add.
19. NetBios Name COE.ibm.com Add.
20. Given Name QRadar Server.
21. Operating System :
Vendor: Red Hat
Product: Enterprise Linux
Version: 5.4.0

22. Add. Save.

23. Asset
Details Network Interface Summary. ,
.

24. Asset Details.


25. 445.
Assets Search New Search.
26. Vulnerabilities On Open Port Equals 445 Search.

27. , .

3.
1. QRadar SIEM Admin.
2. Reference Set Management Add.
3. (reference set)
:

Name: Newly created users
Type: AlphaNumeric
Time to Live of Elements: 5 Days, Since first seen

4. , ,
Create.


4.

1. :
C:\labfiles\HR
C:\labfiles\HR\Resource Actions.txt
2. HR files.txt.
3. Reference Set Management HR Data.
4. Import.
5. Browse.
6. Open.
7. Import.
8. , ,
.


5.

1. . Reference Set
Management Add.
2. :

Name: High Surveillance
Type: AlphaNumeric (Ignore Case)
Time to Live of Elements: 14 Days, Since first seen

3.
:
PeggyBundy
MarcydArchy
KellyBundy
4. Surveillance.txt.
5. Reference Set Management High Surveillance.
6. Import Browse.
7. Open.
8. Import. , .
9. High Surveillance
. ,
.
10. , Time to Live .
11. . Add.
12. cary Add.
13. .
14. QRadar SIEM Offenses.
15. Display Rules.
16. (Event Rule).
17. when the event QID is one of the following QIDs.
18. QIDs (5000094) User Account Locked Out.
19. Apply My Rule: Add locked account
to Surveillance list.
20. Authentication.
21. Notes : This rule adds the locked
account to the surveillance list.
22. , ,
Next.

23. Rule Response Add to a Reference Set.
24. Low Level Category AccountName (custom).
25. High Surveillance
AlphaNumeric (Ignore Case).

26. , ,
Finish.

27. .
28. when any of these event properties are contained in
any of these reference set(s).
29. these event properties Username.
30. these reference set(s) High Surveillance.
31. Apply My Rule: Accounts under
Surveillance.
32. Authentication.
33. Notes : This rule checks if the event has
been generated by an account under surveillance.

34. , ,
Next.

35. Rule Response Dispatch New Event.
36. Event Name User Surveillance Event.
37. Event Description User under surveillance generated this
event.
38. Event Details High-Level Category
Suspicious Activity, Low-Level Category Misc
Suspicious Event. Notify.

39. , ,
Finish.

40. Admin Reference Set Management.
41. High Surveillance. ?
_____________________________________________________________________
42. References. ,
.
43. .
:
cd /labfiles
./sendWindows.sh

44.
CTRL + C.
45. QRadar SIEM Log Activity.
46. Event Name Equals User Surveillance Event.
47. View Last 5 minutes.
48. .
?
_____________________________________________________________________
?
_____________________________________________________________________
49. High Surveillance.
50. My Rule: Accounts under Surveillance
QRadar SIEM. ,
Messages View All.

51. User Account Locked Out. . .
, .
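The two rules built in this exercise, simulated end to end in Python as an added example (not part of the lab and not QRadar's rule engine): a reference set of type AlphaNumeric (Ignore Case) whose elements expire 14 days after they were first seen, a rule that adds the AccountName of a "User Account Locked Out" event (QID 5000094) to that set, and a rule that dispatches a "User Surveillance Event" when the Username of a later event is in the set. The event dicts are constructed for the example; they are not output of sendWindows.sh.

```python
"""Simulation of 'Add locked account to Surveillance list' and
'Accounts under Surveillance' (added example, not QRadar code).
The events below are constructed samples."""
from datetime import datetime, timedelta

LOCKOUT_QID = 5000094  # QID of "User Account Locked Out" used by the first rule


class ReferenceSet:
    """AlphaNumeric (Ignore Case) reference set whose elements expire a fixed
    time after they were first added (the 'Since first seen' TTL option)."""

    def __init__(self, name, ttl_days, ignore_case=True):
        self.name = name
        self.ttl = timedelta(days=ttl_days)
        self.ignore_case = ignore_case
        self._first_seen = {}  # normalised element -> time it was first added

    def _key(self, value):
        return value.lower() if self.ignore_case else value

    def add(self, value, now):
        # 'Since first seen': re-adding an element does not restart its timer.
        self._first_seen.setdefault(self._key(value), now)

    def purge(self, now):
        """Drop elements whose TTL has elapsed; return the removed keys."""
        expired = [k for k, t in self._first_seen.items() if now - t >= self.ttl]
        for k in expired:
            del self._first_seen[k]
        return expired

    def contains(self, value, now):
        self.purge(now)
        return self._key(value) in self._first_seen

    def elements(self, now):
        self.purge(now)
        return sorted(self._first_seen)


def rule_add_locked_account(event, ref_set):
    """Rule response 'Add to a Reference Set': AccountName (custom) -> High Surveillance."""
    if event["qid"] == LOCKOUT_QID and event.get("AccountName"):
        ref_set.add(event["AccountName"], event["time"])
        return True
    return False


def rule_accounts_under_surveillance(event, ref_set):
    """Rule test 'Username is contained in High Surveillance'; returns the
    dispatched event, or None when the test does not fire."""
    if not ref_set.contains(event["Username"], event["time"]):
        return None
    return {
        "name": "User Surveillance Event",
        "description": "User under surveillance generated this event",
        "high_level_category": "Suspicious Activity",
        "low_level_category": "Misc Suspicious Event",
        "source_event": event,
    }


def run_rules(events, ttl_days=14):
    """Feed events through both rules in time order; return (set, dispatched events)."""
    ref_set = ReferenceSet("High Surveillance", ttl_days)
    dispatched = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Rule tests see the set as it was before this event's responses ran.
        new_event = rule_accounts_under_surveillance(ev, ref_set)
        rule_add_locked_account(ev, ref_set)
        if new_event:
            dispatched.append(new_event)
    return ref_set, dispatched


T0 = datetime(2013, 1, 24, 17, 17, 49)
T_PLUS_1H = T0 + timedelta(hours=1)
T_PLUS_15D = T0 + timedelta(days=15)
# Constructed sample events (5000000 stands for any non-lockout QID).
SAMPLE_EVENTS = [
    {"time": T0, "qid": LOCKOUT_QID, "Username": "PeggyBundy", "AccountName": "PeggyBundy"},
    {"time": T_PLUS_1H, "qid": 5000000, "Username": "peggybundy"},  # case differs: still matches
    {"time": T0 + timedelta(hours=2), "qid": 5000000, "Username": "KellyBundy"},  # not in set
    {"time": T_PLUS_15D, "qid": 5000000, "Username": "PeggyBundy"},  # TTL elapsed: no match
]

if __name__ == "__main__":
    ref_set, dispatched = run_rules(SAMPLE_EVENTS)
    for ev in dispatched:
        print(ev["name"], "<-", ev["source_event"]["Username"], ev["source_event"]["time"])
    print("set contents after the last event:", ref_set.elements(T_PLUS_15D))
```

Only the second event dispatches a surveillance event: the lockout itself is not in the set yet when its tests run, KellyBundy was never locked out, and by the fourth event the 14-day TTL has removed PeggyBundy again. Note that "Ignore Case" is what makes the lower-case Username match the mixed-case AccountName that was added.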


6.
1. QRadar SIEM Admin.
2. Index Management.
3. AccountName
(custom) Enable Index.
4. Save Index Management.
5. :
./sendWindows.sh
6. QRadar SIEM Log Activity.
7. :

24
AccountName (custom) is not N/A
AccountName
Event Names Event Count
Event Count

8. , , Save
Criteria.

9. :
Search Name: My Search: Index management
Timespan options: Recent (enable), Last 24 hours
Include in my Quick Searches

10. , ,
OK.

11. sendWindows.sh.
12. Admin QRadar SIEM Index
Management.
13. , AccountName .
,
, . Index
Management.
14. Log Activity.
15. Quick Filter Logon Type .
16. View Last 24 hours.
17. .
18. Extract Property.
19. .
:

New Property: WinLogonType
Description: Windows log on type determines how the log on was issued: interactive, network, local, batch, etc.
Category, High Level category: Any
Category, Low Level category: Any
RegEx: Logon\sType:.*?(\d{1,2})
Capture Group: 1

20. , , Save.

21. Admin Index Management WinLogonType (custom).
22.
Enable Index.
23. Save.
24. Log Activity.
25. .
:

WinLogonType (custom) equals any of 3


24

26. .
Offenses , Display, Rules.
27. My Rule: Accounts under Surveillance.
28. DEMO: Accounts under Surveillance,
Username WinLogonType (custom).
29. ? ?
_____________________________________________________________________
30. Admin Custom Event Properties.
31. WinLogonType.
32. Property Definition Optimize parsing for rules, reports,
and searches Save.
33. DEMO: Accounts under Surveillance,
AccountName(Custom) WinLogonType (custom).
34. ? ?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
35. Cancel, .


11.
1.
1. QRadar SIEM Admin
Authentication.
2. Authentication Module Active
Directory.
3.
:

Server URL: ldap://192.168.10.12:389
LDAP Context: DC=coe,DC=ibm,DC=com
LDAP Domain: coe.ibm.com

Note: an ldap:// URL on port 389 is an unencrypted connection, so the bind credentials QRadar sends to the domain controller cross the network in cleartext. Outside a lab, use an ldaps:// URL.

4. , , Save.

5. Authentication Configuration.
6. Admin Deploy Changes.
7. QRadar SIEM. Admin
Users New .
8. QRadar SIEM
:

Username: PeggyBundy
E-mail: peggy.bundy@coe.ibm.com
Password: object00
Confirm Password: object00
Description: Exercise user
User Role: All
Security Profile: Admin

9. ,
, Save, Close.

10. User Management.
11. Admin Deploy Changes.
12. .
QRadar SIEM.
13. PeggyBundy
object00.
14. ? ?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
15. Active Directory.
Windows :
dsa.msc
16. coe.ibm.com.
17. Users Users.
18. Actions New User.

19. :
First name: Peggy
Last name: Bundy
User logon name: PeggyBundy

20. , ,
Next.

21. :
Password: object00
User must change password at next log on
User cannot change password
Password never expires
Account is disabled

22. , ,
Next, Finish.

23. Active Directory.
24. QRadar SIEM
PeggyBundy object00.
25. Preferences User Preferences.
26. . ? ?
_____________________________________________________________________
_____________________________________________________________________
27. QRadar SIEM - .

2.
1. Admin Security Profiles.
2. New .
3. :
Security Profile Name: WinAud
Description: Auditor with privileges to see windows event logs and networks
Permission Precedence: Networks OR Log Sources
Networks: Europe.Sales.Ireland, Regulatory_Compliance_Servers
Log Sources: WindowsAuthServer@10.0.120.11

4. , .

5. ,
, Save, Close.

6. User Roles.
7. New.
8. :
User Role name: WinAud
Admin
Offenses
Log Activity
Network Activity
Assets
Reports
IP Right Click Menu Extensions

9. , , Save,
Close.

10. PeggyBundy .
Admin Users.
11. PeggyBundy.
12. User Role Security Profile WinAud.
13. Save, Close.
14. Admin Deploy Changes.


3.

1. QRadar SIEM PeggyBundy.
2. Offenses. ?
_____________________________________________________________________
3. Rules.
4. Actions New Event Rule.
5. Next , All Test Group,
when the local network is one of the following networks.
6. one of the following networks.
7. ?
_____________________________________________________________________
8. Cancel.
9. when the event(s) were detected by one or more of these
log sources.
10. these log sources.
11. ?
_____________________________________________________________________
12. Cancel, Cancel.
13. Log Activity.
14. Add Filter Log Source.
?
_____________________________________________________________________
15. Add Filter Source or Destination Network.
?
_____________________________________________________________________
_____________________________________________________________________
16. Asset. ?
_____________________________________________________________________
17. QRadar SIEM
13 16. .
?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
18. :
cd /labfiles
./sendDemologs.sh
19. QRadar SIEM
PeggyBundy :

Log Activity
Network Activity
Assets
Offenses

20. ?
_____________________________________________________________________
_____________________________________________________________________
21.
sendDemologs.sh CTRL + C.
22. 18 21 admin. ?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________


4.
1. QRadar SIEM admin.
2. Admin Users.
3. PeggyBundy .
4. User Management Admin
Deploy Changes.
5. QRadar SIEM PeggyBundy.
6. Preferences User Preferences.
7. ? ?
_____________________________________________________________________
8. PeggyBundy object00 object11
.
9. PeggyBundy
object00. ?
_____________________________________________________________________
10. , ,
PeggyBundy: QRadar SIEM Active Directory?
_____________________________________________________________________
11.
PeggyBundy object11. ?
_____________________________________________________________________
_____________________________________________________________________
12. ?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
13. .


12.
1.

1. QRadar SIEM Admin.
2. Backup and Recovery.
3. Configure.
4. :
Backup Repository Path: /tmp
Backup Retention Period (days): 2
No Nightly Backups / Configuration Backup Only / Configuration and Data Backups
COE :: 192.168.10.10 Event Data
COE :: 192.168.10.10 Flow Data

5. , ,
Save.

6. Backup Archives.
7. QRadar SIEM There are
undeployed changes.
8. , View Details,
Expand All.

?
_____________________________________________________________________
_____________________________________________________________________
9. :
unalias ls
ls -al /store/configservices/deployed/globalconfig/backuprecovery-config.xml
10. ?
_____________________________________________________________________
11. :
ls -al /store/configservices/staging/globalconfig/backuprecovery-config.xml
12. ?
_____________________________________________________________________
13. QRadar SIEM Admin
Deploy Changes.
14.
:
ls -al /store/configservices/deployed/globalconfig/backuprecovery-config.xml
15. ?
_____________________________________________________________________

2.
1. Admin Event Retention.
2. Edit .
3. :
Name: PCI Server
Keep data in this bucket for: 3 month
Allow data in this bucket to be compressed: Never
Delete data in this bucket: When storage space is required
Description: My own bucket for 3 month data
Current Filters: Source or Destination Network Equals Regulatory_Compliance_Server

4. , ,
Save.


13.
1.

1. QRadar SIEM Admin.
2. Log Sources.
3. .
4. Log Sources.
5. :
cd /labfiles
./sendAIX.sh
6. QRadar SIEM Log Activity. View Real Time (streaming).
7. ,
:

LinuxServer@10.0.120.10
IBMAIXServer@10.0.120.10

8. ,
CTRL + C.
9. Admin.
10. Log Sources.
11. , 10.0.120.10 AIX .
LinuxServer@10.0.120.10.
12. Log Activity sendAIX.sh.
13. , Linux
, IBMAIXServer.
14. .
Admin Log Sources.
15. IBMAIXServer@10.0.120.10
Edit.
16. Coalescing Events Save.

17. Log Activity , Count .
18. 10.0.120.10 Oracle.
, .
, ,
:
cd /labfiles
./sendOracle.sh
19. Admin QRadar SIEM Log
Sources.

20. , OracleOSAudit@10.0.120.10.

21. Log Sources Log Source Parsing Order.
22. , 10.0.120.10
:

IBMAIXServer@10.0.120.10
OracleOSAudit@10.0.120.10
LinuxServer@10.0.120.10

23. OracleOSAudit@10.0.120.10 UP.

24. Save.
25. OracleOSAudit@10.0.120.10.
26.
.
27. , .

2.

1. Log Sources Add.
2. :
Log Source Name: AS400
Log Source Description: Exercise
Log Source Type: IBM AS/400 iSeries
Protocol Configuration: Syslog
Log Source Identifier: 10.0.120.11
Enabled
Credibility: 5
Coalescing Events
Incoming Payload Encoding: UTF-8
Store Event Payload
Log Source Language: English

3. , ,
Save.

4. Admin Deploy Changes.
5. AS400 .
:
cd /labfiles
./sendAS400.sh
6. Log Activity View Real
Time (streaming). , .
7. .
Admin Log Source Extensions.
8. Add :
Name: AS400
Description: Exercise
Use Condition: Parsing Enhancement
Log Source Types: IBM AS/400 iSeries (Set to default for)
Upload Extension: C:\Documents and Settings\Administrator\Desktop\IBM_AS400_EXT.xml
9. , ,
Upload, Save.

10. Log Source Extensions Log Sources.
11. AS400, Log
Source Extensions AS400.
12. Save .
13. .


14. Windows
1.

1. QRadar SIEM Admin Authorized Services.
2. Add Authorized Service.

3. :
Service Name: WinCollectFSPDC
User Role: Admin
No Expiry

4. , ,
Create Service.

5. ,
Selected Token , ,
Copy.

2. WinCollect
1. Agent-WinCollect-7.1.1.569824-setup.exe
.
2. Next ,
, Customer Information :
User Name: Student
Organization: COE

3. , ,
Next.

4. :
Host Identifier: FSPDC
Authentication Token: (the token copied in exercise 1, step 5)
Configuration Console: 192.168.10.10

5. , , Next,
Install, Finish.

3. WinCollect

1. Admin QRadar SIEM WinCollect.
2. , .
3. Log Sources.
4. Add.
:
Name: FSPDC
Log Source Description: Exercise
Log Source Type: Microsoft Windows Security Event Log
Protocol Configuration: WinCollect
Log Source Identifier: FSPDC
User Name: administrator
Password: object00
Confirm Password: object00
Standard Log Types: Security, DNS Server
Event Types: Informational, Warning, Error, Success Audit, Failure Audit
WinCollect Agent: WinCollect@FSPDC

5. , , Save.

6. Deploy Changes Admin.
7. Log Activity View Real
Time (streaming). ,
FSPDC.


15.

1. QRadar SIEM
1. :
cd /labfiles
./sendAIX.sh
2. QRadar SIEM Log Activity View
Real Time (streaming).
3. 5.
4. CTRL + C.
5. 10.0.120.10?
_____________________________________________________________________
_____________________________________________________________________
6. View Last 15 Minutes.
7. Display Low Level Category.

8. Stored.
.

9. Actions Export to XML, Full Export.
10. zip .
11. ,
Extract All.

12. Filezilla xml
/labfiles. Host
sftp://192.168.10.10. root.

13. :
./xml2logfile.pl xml > /tmp/AIXevents.log
14. , ,
:
tail /tmp/AIXevents.log
15. QRadar SIEM Log Activity.
16. View Real Time (streaming).
17. :
/opt/qradar/bin/logrun.pl -f /tmp/AIXevents.log -u 10.0.120.10 35

18. ?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

2.

1. QRadar SIEM Log Activity.
2. .
3. Extract Property.
4. SampleAIXevent.txt.
5. Test Field:
<125>Jul 8 06:38:56 forwarded from 10.0.120.10 <10>Jan 24 17:17:49 ibm.aix.test.com: syslog[1855696]: [CLSLog.Handler.File/LogFile 0x10100BE](P/PP/TID 1855696/2195608/2314) File(/apps/MANH/wmdev/logs/PkMHEInboundS-18556960124.log).Write()
6. RegEx : File\(.*\)\.Write\(\).
7. ?
_____________________________________________________________________
8. RegEx File\((.*)\)\.Write\(\).
9. ?
_____________________________________________________________________
10. Custom Event Properties Definition.
11. :
cd /labfiles
./sendWindows.sh
12. 10.
.
13. QRadar SIEM Log Activity.
14. View Real Time (streaming).
15. :

High Level Category Equals Authentication


Low Level Category Equals User Account Added

16. A user account was created. .

17. Extract Property.
18. SAM
Account Name.
: EventID=4720.*?SAM Account Name:\s(.*?)\s{2}Display.
19. Windows 2003
624 626.
, 624 626 ?
_____________________________________________________________________
: EventID=(4720|624|625).*?SAM Account Name:\s(.*?)\s{2}Display.
20. RegEx : .*?Account\s(\w+).
21. ?
_____________________________________________________________________
22. RegEx .*Account\s(\w+).
23. ?
_____________________________________________________________________
24. ?? {2} \s?
_____________________________________________________________________
_____________________________________________________________________
25. Custom Event Property Definition.
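The regular expressions typed in steps 18 to 22 of this exercise, and the WinLogonType regex from the earlier index-management exercise, run against two Windows payloads in Python. This is an added example, not part of the lab and not QRadar's custom-property engine; the two payloads are constructed to mirror the field layout of Windows events 4720 and 4624 as WinCollect forwards them on a single line, so the exact values are illustrative. It shows what each capture group returns, why the lazy `.*?` and greedy `.*` variants of step 20 and 22 pick different words, what `\s` instead of `\s{2}` does to the captured name (step 24), and that adding the `(4720|624|625)` alternation shifts the account name to capture group 2.

```python
"""Exercise regexes applied to constructed Windows payloads (added example)."""
import re

# Constructed 4720 payload: same field order as a real "A user account was created."
ACCOUNT_CREATED = (
    "<13>Jan 24 17:17:49 FSPDC AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing Computer=FSPDC.coe.ibm.com "
    "EventID=4720 EventIDCode=4720 EventType=8 EventCategory=13824 "
    "Message=A user account was created.  Subject:  Security ID:  S-1-5-21-1-500  "
    "Account Name:  administrator  Account Domain:  COE  Logon ID:  0x3e7  "
    "New Account:  Security ID:  S-1-5-21-1-1105  Account Name:  PeggyBundy  "
    "Account Domain:  COE  Attributes:  SAM Account Name: PeggyBundy  "
    "Display Name:  Peggy Bundy  User Principal Name:  PeggyBundy@coe.ibm.com  "
    "Account Expires:  <never>"
)

# Constructed 4624 payload carrying a "Logon Type" field.
LOGON = (
    "<13>Jan 24 17:20:03 FSPDC AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing EventID=4624 EventIDCode=4624 "
    "Message=An account was successfully logged on.  Logon Type:  3  "
    "New Logon:  Account Name:  PeggyBundy  Account Domain:  COE"
)

# Regexes exactly as typed in the lab.
RE_LOGON_TYPE = re.compile(r"Logon\sType:.*?(\d{1,2})")
RE_SAM_NAME = re.compile(r"EventID=4720.*?SAM Account Name:\s(.*?)\s{2}Display")
RE_SAM_NAME_MULTI = re.compile(r"EventID=(4720|624|625).*?SAM Account Name:\s(.*?)\s{2}Display")
RE_SAM_NAME_ONE_WS = re.compile(r"EventID=4720.*?SAM Account Name:\s(.*?)\sDisplay")  # '\s' for '\s{2}'
RE_LAZY = re.compile(r".*?Account\s(\w+)")
RE_GREEDY = re.compile(r".*Account\s(\w+)")


def extract(regex, payload, group=1):
    """Return the requested capture group, or None when the regex does not
    match at all (QRadar then displays the property as N/A)."""
    m = regex.search(payload)
    return m.group(group) if m else None


def demo():
    """Run every regex from the exercise and collect what each one captures."""
    return {
        "logon_type": extract(RE_LOGON_TYPE, LOGON),
        "sam_name": extract(RE_SAM_NAME, ACCOUNT_CREATED),
        # With the alternation in front, group 1 is the event ID and the name is group 2.
        "sam_name_multi_g1": extract(RE_SAM_NAME_MULTI, ACCOUNT_CREATED, 1),
        "sam_name_multi_g2": extract(RE_SAM_NAME_MULTI, ACCOUNT_CREATED, 2),
        # A single '\s' before Display lets the lazy group keep one trailing space.
        "sam_name_one_ws": extract(RE_SAM_NAME_ONE_WS, ACCOUNT_CREATED),
        # Lazy prefix stops at the first 'Account <word>', greedy backtracks to the last.
        "lazy": extract(RE_LAZY, ACCOUNT_CREATED),
        "greedy": extract(RE_GREEDY, ACCOUNT_CREATED),
        # A 4720 event has no 'Logon Type' field, so WinLogonType is N/A for it.
        "logon_type_on_4720": extract(RE_LOGON_TYPE, ACCOUNT_CREATED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} -> {value!r}")
```

Neither `.*?Account\s(\w+)` nor `.*Account\s(\w+)` returns an account name: `\w+` captures the word after "Account", which is "Name" for the lazy form and "Expires" for the greedy one. The `\s{2}` before "Display" is what keeps the trailing separator out of the captured name; with a single `\s` the property value is "PeggyBundy " and an exact-match rule test on it would fail.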

3. DSM

1. QRadar SIEM Admin.
2. Log Source Extensions.
3. Add.
4. LSX_Template.xml, :
Name: CustomLogParser
Description: Custom Application
Use Condition: Parsing Override
Log Source Types: IBM AS/400 iSeries
Upload Extension: LSX_Template.xml

5. , , Upload,
Save.

6. Log Sources Add.
7. DSM :
Log Source Name: CustomLog
Log Source Description: Custom Application
Log Source Type: Universal DSM
Protocol Configuration: Syslog
Log Source Identifier: 10.0.120.12
Enabled
Credibility: 5
Coalescing Events
Incoming Payload Encoding: UTF-8
Store Event Payload
Log Source Language: English
Log Source Extension: CustomLogParser
Extension Use Condition: Parsing Override

8. , , Save.

9. Log Sources Deploy Changes Admin.
10. .
:
cd /labfiles
./sendUDSM.sh
11. QRadar SIEM Log Activity.
12. Display Raw Events.
13. View Real Time (streaming).

14.
CustomLog.

15. , Username N/A.

16. Map Event , Log Source Event ID .

17. Log Source Event.
18. Extract Property.
19. ,
:

DD/MM/YYYY:hh:mm:ss


Location
ID
Name
Entrance
Access
Direction
(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)
20. LSX_Template.xml
UDSM_LSX.xml.
21. , 19
:
<pattern id="EventName" xmlns=""><![CDATA[]]></pattern>
: <pattern id="EventName" xmlns=""><![CDATA[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)]]></pattern>
22. , <pattern id,
, <pattern id=EventName .
23. :
EventName = Access:Direction value:Access value
DeviceTime = timestamp value
UserName = Name value:ID value
HostName = Entrance value

capture groups (in the pattern above group 1 is the timestamp, 2 Location, 3 ID, 4 Name, 5 Entrance, 6 Access and 7 Direction):
EventName: pattern-id="EventName" capture-group="Access:\7:\6" enable-substitutions="true"
DeviceTime: pattern-id="EventName" capture-group="1" ext-date="dd/MMM/YYYY:hh:mm:ss"
UserName: pattern-id="EventName" capture-group="\4:\3" enable-substitutions="true"
HostName: pattern-id="EventName" capture-group="5"
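A pure-Python equivalent of the matchers written into UDSM_LSX.xml in steps 19 to 23, followed by the QID lookup that step 31 creates with qidmap_cli.sh. This is an added example, not QRadar's log source extension engine: the regex, the capture-group templates and the "Physical entry success" / low-level category 4014 mapping are the lab's, while the other two QID names and the three log lines are constructed for the example (the lab's sendUDSM.sh output is not on the page).

```python
"""Python model of the UDSM_LSX.xml matchers and the step-31 QID map (added example)."""
import re
from datetime import datetime

PATTERN = re.compile(
    r"(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\tLocation:(.*?)\tID:(.*?)\tName:(.*?)"
    r"\tEntrance:(.*?)\tAccess:(.*?)\tDirection:(.*)"
)

# field -> (capture-group attribute, enable-substitutions), as in the LSX
MATCHERS = {
    "EventName": ("Access:\\7:\\6", True),
    "DeviceTime": ("1", False),
    "UserName": ("\\4:\\3", True),
    "HostName": ("5", False),
}
# strptime form of the lab's ext-date pattern dd/MMM/YYYY:hh:mm:ss
DEVICE_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S"

# Event name -> (QID name, low-level category id). Only the first name is from the lab;
# the other two names are assumed for this example, their category ids are the lab's.
QID_MAP = {
    "Access:In:Granted": ("Physical entry success", 4014),
    "Access:In:Denied": ("Physical entry denied", 4015),
    "Access:Out:Granted": ("Physical exit success", 4014),
}

# Constructed sample lines in the tab-separated layout the regex expects.
SAMPLE_LINES = [
    "<14>Jan 24 17:17:49 10.0.120.12 24/Jan/2013:17:17:49\tLocation:Dublin\tID:1105"
    "\tName:PeggyBundy\tEntrance:Main gate\tAccess:Granted\tDirection:In",
    "<14>Jan 24 17:18:02 10.0.120.12 24/Jan/2013:17:18:02\tLocation:Dublin\tID:1106"
    "\tName:KellyBundy\tEntrance:Side door\tAccess:Denied\tDirection:In",
    "<14>Jan 24 17:19:30 10.0.120.12 heartbeat from badge controller",
]


def apply_matcher(template, substitutions, match):
    """Mimic capture-group / enable-substitutions: with substitutions on, every
    '\\N' in the template is replaced by group N; otherwise the attribute is a
    bare group number."""
    if substitutions:
        return re.sub(r"\\(\d)", lambda m: match.group(int(m.group(1))), template)
    return match.group(int(template))


def parse_event(line):
    """Return the normalised fields for one payload, or None when the pattern
    does not match (QRadar would leave such an event unparsed)."""
    match = PATTERN.search(line)
    if not match:
        return None
    fields = {name: apply_matcher(t, s, match) for name, (t, s) in MATCHERS.items()}
    fields["DeviceTime"] = datetime.strptime(fields["DeviceTime"], DEVICE_TIME_FORMAT)
    qid_name, llc = QID_MAP.get(fields["EventName"], (None, None))
    fields["QIDName"] = qid_name
    fields["LowLevelCategoryId"] = llc
    return fields


def parse_all(lines):
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for parsed in parse_all(SAMPLE_LINES):
        print(parsed)
```

The first line maps to EventName "Access:In:Granted", UserName "PeggyBundy:1105" and HostName "Main gate", which is the same event name string the Log Source Event ID shows in step 30 and that the QID map of step 31 keys on; the third line matches nothing and stays unparsed, which is the situation step 29 asks about.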

24. CustomLogParser.
,
: LSX_UDSM.xml
C:\coursefiles.
25. Save.
26.
sendUDSM.sh .
27. Log Activity.
28. , CustomLog
5 .
29. .
Username?
_____________________________________________________________________
30. Map Event. , Log Source
Event ID :

Access:In:Granted
Access:In:Denied
Access:Out:Granted

31. QID. :
/opt/qradar/bin/qidmap_cli.sh -c --qname "Physical entry success" --qdescription "Exercise" --severity 5 --lowlevelcategoryid 4014

32. , .

33. Log Activity QRadar SIEM.
34. Access\:Granted
.
35. Map Event QID/Name ,
.
36. Search, , OK.

37. .
sendUDSM.sh .
38. Log Activity QRadar SIEM.
39. View Real Time (streaming).
40. , Physical entry success,
.

41. QID Access:In:Denied ( LLC = 4015) Access:Out:Granted ( LLC = 4014).
event ID .
42. QRadar SIEM Assets. ,
,
.

4. Log Source Event ID PostgreSQL dsmevent
1. :
psql -U qradar -o /tmp/Windows_supportedevents.txt q
2. :
select distinct (deviceeventid) from dsmevent
  where devicetypeid in (select id from sensordevicetype
    where devicetypedescription = 'Microsoft Windows Security Event Log')
  order by deviceeventid;
3. \q .
4. , eventid 624.
:
grep -w 624 /tmp/Windows_supportedevents.txt
5. , .


16.
1. RPC
1. QRadar SIEM Admin VA Scanners.
2. Add. :
Scanner Name: Nessus attack
Description: Attack
Type: Nessus Scanner
Collection Type: Scheduled Results Import
Remote Results Host Name: 192.168.10.10
SSH Username: root
SSH Password: object00
Enable Key Authentication
Remote Results Directory: /labfiles/attack
Remote Results File Pattern: .*\.nessus
Results File Max. Age: 7
CIDR Ranges: 0.0.0.0/0

Note: the lab fetches results as root with a password. Outside a lab, give the scanner import a dedicated, unprivileged SSH account with read access to the results directory only, and use key authentication.

3. , , Save.

4. Admin Deploy Changes.
5. :
cd /labfiles/attack
touch *.nessus
6. VA Scanners
Schedule.
7. Add. :
VA Scanner: Nessus attack
Network CIDR: 0.0.0.0/0
Priority: Low
Ports: 1-65535
Start Time: + 2
Interval: 0 Hours

8. , , Save.

9. .
10. .
Admin Log Sources.
11. Add :
Log Source Name: SNORT
Log Source Description: Attack Log
Log Source Type: Snort Open Source IDS
Log Source Identifier: 192.168.10.11
Coalescing Events

12. , , Save.

13. Admin Deploy Changes.
14.
.

15. .

16. .
:
cd /labfiles
./startAttack.sh
17. , 5-10 .


17.
1.
1. ,
. QRadar SIEM Offenses
Rules.
2. New Event Rule.
3. Next.
4. Apply My Rule: Administrator social engineering account
added.
5. when an event matches any | all of the following rules.
6. rules BB:CategoryDefinition: Superuser Accounts.
7. when the event category for the event is one of the following categories.
8. categories Authentication.User
Account Added.
9. , .

10. Authentication.
11. Notes Administrator creates a user account in the Windows
environment.
12. Next.
13. Rule Action
:

Ensure the detected event is part of an offense
Index offense based on    Source IP
Annotate this offense     Administrator creates an account
Annotate event            Administrator creates an account

13. Rule Response
:

Add to a Reference Set
Add the          AccountName(custom)
Reference Set    Newly created users

14. , Next,
Finish.

15. , New Event Rule.


16. Next.
17. when any of these properties match this regular
expression.
18. these properties EventID (custom).
, EventID Custom Events Properties
Optimize parsing for rules, reports, and searches.
19. this regular expressions 560.
20. when the Event Payload contains this string.
21. this string labfiles.

22. , , Export as
Building Block. BB:CategoryDefinition: Sensitive data
Save.

23. Apply My Rule: New user accesses sensitive data.


24. when any of these event properties are contained in any
of these reference set(s).
25. these event properties Username.
26. these reference set(s) Newly created
users.
27. when the event category for the event is one of the
following categories.
28. categories Access.
29. when an event matches any | all of the following
rules.
30. rules BB:CategoryDefinition:
Sensitive data.
31. , .

32. Category Definitions Next.


33.
:

Ensure the detected event is part of an offense
Index offense based on    Source IP
Annotate this offense     Recently created account used to access sensitive data
Annotate event            Recently created account used to access sensitive data

34. , , Next,
Finish.

35. , .
New Event Rule.
36. Next.
37. Apply My Rule: Administrator social engineering new account
deleted.
38. when an event matches any | all of the following
rules test.
39. rules BB:CategoryDefinition:
Superuser Accounts.
40. when the event category for the event is one of the
following categories.
41. categories Authentication.User
Account Removed.
42. when any of these event properties are contained in any
of these reference set(s).
43. these event properties AccountName
(custom).
44. these reference set(s) Newly created
users.
45. , .

46. Category Definitions Next.


47. Rule Action
:

Ensure the detected event is part of an offense
Index offense based on    Source IP
Annotate this offense     Administrator deletes newly created account
Annotate event            Administrator deletes newly created account

48. , , Next,
Finish.

49. . New
Event Rule.
50. Next.
51. Apply My Rule: Social engineering used to access sensitive
data.
52. when these rules match at least this many times in
this many minutes after these rules match test.
53. these rules My Rule: Administrator
social engineering new account deleted.
54. this many 1.
55. this many 5.
56. minutes day(s).
57. these rules My Rule:
Administrator social engineering account added and My Rule: New user accesses
sensitive data.
58. , .

59. Authentication Next.


60.
:

Ensure the detected event is part of an offense
Index offense based on    Source IP
Annotate this offense     Account created then used to access sensitive data and then deleted
Annotate event            Account created then used to access sensitive data and then deleted
61. , , Next,
Finish.
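The rule chain built in steps 1 to 61 (account added by a superuser, sensitive access by the new account, account removed, and the sequence rule over 5 days) as an added Python stand-in; this is not part of the lab and not QRadar's rule engine. The Event class, the low-level category names, and the 1-day reference-set time to live taken from lab 18 are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:  # constructed stand-in for a normalized QRadar event, not QRadar's own model
    category: str           # low-level category, e.g. "Authentication.User Account Added"
    username: str           # user performing the action
    account_name: str = ""  # AccountName (custom): the account being added or removed
    event_id: str = ""      # EventID (custom), e.g. Windows 560 (object open)
    payload: str = ""
    source_ip: str = "192.168.10.11"
    ts: float = 0.0         # seconds since an arbitrary epoch

SUPERUSERS = {"Administrator"}           # stands in for BB:CategoryDefinition: Superuser Accounts
SENSITIVE_EVENT_ID = re.compile(r"560")  # regex test from step 19
SEQUENCE_WINDOW = 5 * 86400              # "at least 1 times in 5 day(s)", steps 54-56

class Detector:
    def __init__(self, ref_set_ttl=86400):  # 1 day since first seen, as set in lab 18 step 7
        self.newly_created = {}   # reference set "Newly created users": account -> first seen
        self.ttl = ref_set_ttl
        self.fired = []           # (rule name, source IP, ts) for every rule match so far

    def in_ref_set(self, name, now):
        seen = self.newly_created.get(name)
        return seen is not None and now - seen <= self.ttl

    def fired_since(self, rule, since):
        return any(r == rule and t >= since for r, _, t in self.fired)

    def process(self, ev):
        """Evaluate the four lab rules against one event; returns the names that matched."""
        hits = []
        if ev.category == "Authentication.User Account Added" and ev.username in SUPERUSERS:
            hits.append("Administrator social engineering account added")
            self.newly_created.setdefault(ev.account_name, ev.ts)  # response: add to reference set
        if (ev.category.startswith("Access") and self.in_ref_set(ev.username, ev.ts)
                and SENSITIVE_EVENT_ID.search(ev.event_id) and "labfiles" in ev.payload):
            hits.append("New user accesses sensitive data")
        if (ev.category == "Authentication.User Account Removed" and ev.username in SUPERUSERS
                and self.in_ref_set(ev.account_name, ev.ts)):
            hits.append("Administrator social engineering new account deleted")
            # sequence rule: the deletion must follow both earlier matches within the window
            since = ev.ts - SEQUENCE_WINDOW
            if (self.fired_since("Administrator social engineering account added", since)
                    and self.fired_since("New user accesses sensitive data", since)):
                hits.append("Social engineering used to access sensitive data")
        for h in hits:
            self.fired.append((h, ev.source_ip, ev.ts))
        return hits
```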

2.
1. Active Directory :

First name                                  Bad
Last name                                   Person
User log on name                            bad_person
Password                                    object00
User must change password at next log on
User cannot change password
Password never expires
Account is disabled

2. Add to a group.

3. Enter the object name to select Domain Admins


Check Names.
4. OK.
5. bad_person.
6. salary.txt C:\labfiles\Finance .
7. Administrator
bad_person.
8. QRadar SIEM Log Activity.
9. , User Account Deleted .
.


18.

1.

1. QRadar SIEM Offenses.


2. Rules.
3. My Rule: Administrator social engineering used to
access sensitive data :


when all of these rules, in | in any order, from the same | any
source IP to the same | any destination IP, over this many seconds
rules My Rule: Social engineering used to access
sensitive data, My Rule: Administrator social engineering new account
deleted
24

4. , , .

5. Newly created users.


Admin Reference Set
Management.
6. Newly created users Edit.
7. Time to Live 1 day Since first seen.


19.

1.
1. Filezilla SampleRefSet.txt,
, /tmp .
2.
(reference map):
cd /opt/qradar/bin
./ReferenceDataUtil.sh create PrivilegedAccess MAPofSETS
3.
:
./ReferenceDataUtil.sh load PrivilegedAccess /tmp/SampleRefSet.txt
4. :
./ReferenceDataUtil.sh list PrivilegedAccess displayContents
5. ,
.


2.
1. QRadar SIEM Offenses Rules.
2. Actions New Event Rule.
3. Next . Apply
: My Rule: Granted privileged access to sensitive data.
4. when any of these event properties is the key and any
of these event properties is the value in any of these reference map of sets.
5. Username.
6. ObjectName (custom).
7. PrivilegedAccess.
8. Authentication.
9. Notes : This rule is used to monitor privileged access to
sensitive data.
10. , , ,
, Finish.


3.
1. QRadar SIEM Log Activity.
2. Add Filter.
3. Custom Rule Partial or Full Matched.
4. Equals.
5. Rule Group Authentication.
6. Rule My Rule: Granted privileged access to sensitive
data.
7. , , Add Filter.

8. :

Username
ObjectName (custom)
Count

9. , , .

10. . Add Filter.


11. Reference Map of Sets.
12. Data Entry Username,
ObjectName (custom).
13. Reference Maps of Sets PrivilegedAccess.
14. , .
15. , , Add Filter.

16. :

7
Username
ObjectName (custom)
Count

17. Top 10 Username Results By Count
.

18. Chart Type Time Series.


19. Capture Time Series Data.
20. , ,
Save.

21. Privileged User Monitoring Access,


Authentication, Identity and User Activity.

4. ADE
1. ,
. Log Activity
Rules Add Behavioral Rule.

2. Next.
3. Apply : My Rule: ADR Privileged Access.
4. this accumulated property Count
(Count).
5. , ,
Next, Finish.

5. ADE
1. FSPDC,
.
2. Active Directory
:

First name                                  Al
Last name                                   Bundy
User log on name                            AlBundy
Password                                    object00
User must change password at next log on
User cannot change password
Password never expires

3. AlBundy Domain Admins.


4. - administrator
AlBundy.
5. AlBundysLoop.bat, C:\Documents
and Settings\Administrator\Desktop.
6. QRadar SIEM admin,
.
7. QRadar SIEM Log Activity.
8. View Real Time (streaming).
.
9. , finance.
10. View Last 5 minutes. ,
Object Opened Successfully.

11. ,
My Rule: Granted privileged access to sensitive data.

12. AlBundysLoop.bat
Administrator.

6. ADE
1. Offenses QRadar SIEM Rules.
2. Actions New Event Rule.
3. Next.
4. when any of these properties match this regular
expression.
5. these properties ObjectName (custom).
6. this regular expression C:\\labfiles\\.*?\\.*.
7. Notes : This Building Block is reserved to classify the datasets
that are considered sensitive.
8. , , Export
as Building Block My Rule: BB: Sensitive data sets.

9. Apply My Rule: Rule to add new records to the


Privileged access reference map of sets.
10. when an event matches any | all of the following
rules.
11. any all.
12. rules My Rule: BB: Sensitive data
sets.
13. when the event QID is one of the following QIDs.
14. QID 5000026.
15. Authentication.
16. Notes This rule when triggered adds the username and
objectname to the PrivilegedAccess reference maps of sets.
17. , , Next.

18. Rule Response
:

Add to Reference Data
Add to a Reference Map of Sets
  key      Username
  value    ObjectName (custom)
Reference Map of Sets    PrivilegedAccess

19. , ,
Finish.
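The two rules of this lab working together, as an added Python stand-in that is not part of the lab and not QRadar itself: the detection rule from part 2 (Username is the key and ObjectName (custom) is the value in PrivilegedAccess) and the self-populating rule from part 6 (building block regex plus QID test, with the map-of-sets response). The 'username,objectname' file format and the meaning of QID 5000026 as the "Object Opened Successfully" event are assumptions.

```python
import re
from collections import defaultdict

# The regex entered in step 6; it only matches objects at least one folder below C:\labfiles
SENSITIVE_DATASET = re.compile(r"C:\\labfiles\\.*?\\.*")
LEARN_QID = 5000026  # QID from step 14 (assumed here to be the "Object Opened Successfully" event)

class PrivilegedAccessMap:
    """Stand-in for the PrivilegedAccess reference map of sets: Username -> set of ObjectName."""
    def __init__(self):
        self.data = defaultdict(set)

    def load(self, text):
        """Load 'username,objectname' lines (a constructed format, not SampleRefSet.txt's)."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            user, obj = line.split(",", 1)
            self.data[user.strip()].add(obj.strip())

    def contains(self, user, obj):
        return obj in self.data.get(user, set())

def is_sensitive(object_name):
    """BB: Sensitive data sets test: ObjectName (custom) matches the regex."""
    return SENSITIVE_DATASET.match(object_name) is not None

def evaluate(refmap, event):
    """Return the lab rules matching one event given as {"username", "object_name", "qid"}."""
    user, obj, qid = event["username"], event["object_name"], event["qid"]
    hits = []
    # My Rule: Granted privileged access to sensitive data: key/value lookup in the map of sets
    if refmap.contains(user, obj):
        hits.append("Granted privileged access to sensitive data")
    # My Rule: Rule to add new records ...: building block AND QID test; the response adds the pair
    if is_sensitive(obj) and qid == LEARN_QID:
        hits.append("Rule to add new records to the Privileged access reference map of sets")
        refmap.data[user].add(obj)
    return hits
```

A first access to a new sensitive object only records the pair; the next access by the same user then matches the detection rule, which is why the list output of ReferenceDataUtil.sh in part 7 is worth checking after the Backdoors.txt test.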

7.
ADE
1. Log Activity QRadar SIEM.
2. View Real Time (streaming).
3. Quick Filter Backdoors*.
4. C:\labfiles\Development Backdoors.txt.
5. .
6. , Log Activity Object Opened Successfully.

7. . ,
ObjectName (custom) C:\labfiles\development\Backdoors.txt.

8. , My Rule: Rule to add new


records to the Privileged access reference map of sets.
9. :
cd /opt/qradar/bin
./ReferenceDataUtil.sh list PrivilegedAccess displayContents
10. , .