IBM QRADAR SIEM Training

Module 1:

Introduction to IBM Security QRADAR SIEM

QRADAR SIEM Purpose and Framework
QRADAR SIEM Capabilities
QRADAR Deployment and Architecture
Collecting and Processing Logs – Dissecting Event Pipeline
Collecting and Processing Flows
QRADAR AIO Installation – Community edition on Virtual machine with CentOS

Module 2:

Using Administration tools

Deployment editor concepts in a distributed environment
Applying auto updates
License Management
Configuring common administrative tasks

Module 3:

Asset Profile

Host Profiler functioning
QRADAR learning assets automatically
Manually adding assets
Asset Reconciliation scenarios
Removing / Updating the Asset Database

Module 4:

Creating Network Hierarchy

Introduction to network hierarchy
Building network hierarchy to avoid false positives
Understanding traffic context
QRADAR Network Hierarchy App Integration
Tuning Network Hierarchy

Module 5:

Updated Administrator Tools

Creating Reference sets
Index Management for efficient search
Managing users and authentication
Managing Data Backup and Retention

Module 6:

Integrating Network Flows

Configuring QRADAR Network interface to collect live traffic flows
Different ways of integrating Flows into QRADAR
Generating Type A, B and C flows [DDoS, port scanning] and analysing QRADAR in action
Replaying flows using TCPReplay and bash scripts
Introduction to QNI [QRADAR Network Insights] and benefits with flows

Module 7:

Integrating Log Sources

Understanding different Log Source Protocols
Universal DSM Concepts
Traffic Analysis/Auto Detection in action
Integrating known log sources in QRADAR [O365, Syslog, Windows, etc.]
Creating Log Sources
Dissecting Known DSMs and configuration
Installing DSM from IBM Fix Central using YUM

Module 8:

Collecting Windows log records and integrating Sysmon

Collecting Windows logs using WinCollect
Understanding Windows log collection agents – WinCollect, Snare
Sysmon in action with live scenarios of potential attacks on Windows using Kali

Module 9:

Managing Custom Log Sources

Creating custom log sources and using DSM editor to create new source type
All about custom DSM and parsing of the logs
Log replaying using custom-built tools [Syslog Gen] and Log Run
Custom log sources using a universal DSM
Mapping unknown log records
DSM editor in action for custom parsing
QRADAR Identities [QIDs]
Mapping Log Source IDs to QIDs
Event categorization and mapping

Module 10:

Advanced Filtering and Searching

Using AQL in detail for advanced search
Tips for efficient searching

Module 11:

CRE [Rules and Building Blocks in Action]

Building Blocks and usage in Rules
Using CRE to evaluate complex custom rules

Module 12:

ADE [Anomaly Detection Engine] Rules

Creating Anomaly and Threshold Rules

Module 13:

Offenses management

Generating offenses from custom and built-in rules
Analysing offenses

Module 14:

Extension Management

Integrating different Applications from X-Force Exchange into QRADAR
Integrating X-Force feeds using TAXII and building rules
Integrating third-party feeds for threat awareness and reducing false positives
Integrating known custom content packs for advanced rule creation using Threat Intelligence

Module 15:

Integrating QRADAR Watson and User Behaviour Analytics [UBA]

Investigating offenses with Watson Advisor
UBA in action

Module 16:

Security Use cases and Scenarios

Sample malware analysis using Flow analysis
Capturing Reconnaissance attacks on DMZ servers configured in Network Hierarchy
Capturing possible Virus Outbreak
Detecting SQL injection and taking custom action to stop data theft
Preventing data exfiltration [using Kali, Metasploit and reverse handlers]
Using ransomware content packs from X-Force Exchange to catch malicious traffic
Creating scenarios to catch malicious payloads in captured flows

Module 17:

Managing False Positives and Reference maps in rules

Identifying false positives based on different scenarios
Tuning rules
Using reference sets and maps in rules

Module 18:


Navigating reports tab
Creating report templates
Using QRADAR APIs for advanced reporting

Module 19:

API integration

Exploring QRADAR API
Creating Python scripts to pull data from QRADAR
Creating macros in Excel to interact with the QRADAR API
Introduction to creating apps in QRADAR using the App Developer and SDK

Module 20:


Checking for log sources in an error state
Taking network dumps at the collector to check for traffic
Additional troubleshooting approaches based on scenarios