Transcription of IBM Security QRadar SIEM Users Guide
IBM Security QRadar SIEM Version Guide

Note: Before using this information and the product that it supports, read the information in Notices and trademarks on page 341.

Copyright IBM Corp. 2013 All Rights Reserved. US Government Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

ABOUT THIS GUIDE
Intended audience .. 1
Conventions .. 1
Technical documentation .. 1
Contacting customer support .. 1

1 ABOUT QRadar SIEM
Supported web browsers .. 3
Logging in to QRadar SIEM .. 3
User interface tabs .. 4
Dashboard tab .. 4
Offenses tab .. 5
Log Activity tab .. 5
Network Activity tab .. 5
Assets tab .. 5
Reports tab .. 5
IBM Security QRadar Risk Manager .. 6
IBM Security QRadar Vulnerability Manager .. 6
Admin tab .. 6
QRadar SIEM common procedures .. 7
Viewing messages .. 7
Sorting results .. 9
Refreshing and pausing the user interface .. 10
Investigating IP addresses .. 10
Investigating user names .. 12
System time .. 12
Updating user details .. 13
Accessing Online Help .. 13
Resizing columns .. 13
Configuring page size .. 13

2 DASHBOARD MANAGEMENT
Dashboard overview .. 15
Default dashboards .. 15
Custom dashboards .. 17
Available dashboard items .. 18
Flow search items .. 18
Offense items .. 19
Log Activity items .. 19
Most Recent Reports items .. 20
System Summary item .. 20
Risk Manager items .. 21
Vulnerability Management items .. 21
System Notifications item .. 22
Internet Threat Information Center .. 23
Dashboard management tasks .. 23
Viewing a dashboard .. 23
Creating a custom dashboard .. 23
Investigating log or network activity from a dashboard item .. 24
Configuring charts .. 25
Removing items .. 26
Detaching an item .. 26
Renaming a dashboard .. 26
Deleting a dashboard .. 27
Managing system notifications .. 27
Adding search-based dashboard items to the Add Items list .. 27

3 OFFENSE MANAGEMENT
Offense overview .. 29
Offense permission considerations .. 29
Key terms .. 29
Offense retention .. 30
Offense monitoring .. 30
Monitoring the All Offenses or My Offenses pages .. 31
Monitoring offenses grouped by category .. 31
Monitoring offenses grouped by source IP .. 32
Monitoring offenses grouped by destination IP .. 32
Monitoring offenses grouped by network .. 33
Offense management tasks .. 33
Adding notes .. 34
Hiding offenses .. 35
Showing hidden offenses .. 35
Closing offenses .. 35
Protecting offenses .. 36
Unprotecting offenses .. 37
Exporting offenses .. 37
Assigning offenses to users .. 38
Sending email notification .. 39
Marking an item for follow-up .. 40
Offense tab toolbar functions .. 41
Offense parameters .. 44

4 LOG ACTIVITY INVESTIGATION
Log Activity tab overview .. 65
Log Activity tab toolbar .. 65
Quick Filter syntax .. 68
Right-click menu options .. 69
Status bar .. 69
Log activity monitoring .. 70
Viewing streaming events .. 70
Viewing normalized events .. 70
Viewing raw events .. 73
Viewing grouped events .. 74
Event details .. 78
Event details toolbar .. 81
Viewing associated offenses .. 81
Modifying event mapping .. 82
Tuning false positives .. 83
Managing PCAP data .. 84
Displaying the PCAP data column .. 84
Viewing PCAP information .. 85
Downloading the PCAP file to your desktop system .. 86
Exporting events .. 86

5 NETWORK ACTIVITY INVESTIGATION
Network Activity tab overview .. 89
Network Activity tab toolbar .. 89
Quick Filter syntax .. 92
Right-click menu options .. 93
Status bar .. 94
OverFlow records .. 94
Network activity monitoring .. 94
Viewing streaming flows .. 94
Viewing normalized flows .. 95
Viewing grouped flows .. 98
Flow details .. 101
Flow details toolbar .. 103
Tuning false positives .. 104
Exporting flows .. 105

6 CHART MANAGEMENT
Charts overview .. 107
Time series chart overview .. 108
Chart legends .. 109
Configuring charts .. 110

7 DATA SEARCHES
Event and flow searches .. 113
Searching events or flows .. 113
Saving event and flow search criteria .. 118
Offense searches .. 119
Searching offenses on the My Offenses and All Offenses pages .. 119
Searching offenses on the By Source IP page .. 125
Searching offenses on the By Destination IP page .. 127
Searching offenses on the By Networks page .. 128
Saving search criteria on the Offense tab .. 129
Deleting search criteria .. 130
Performing a sub-search .. 130
Managing event and flow search results .. 131
Saving search results .. 132
Viewing managed search results .. 132
Canceling a search .. 134
Deleting a search result .. 134
Managing search groups .. 134
Viewing search groups .. 135
Creating a new search group .. 136
Editing a search group .. 136
Copying a saved search to another group .. 137
Removing a group or a saved search from a group .. 137

8 CUSTOM EVENT AND FLOW PROPERTIES
Custom property overview .. 139
Required permissions .. 139
Custom property types .. 139
Custom property management .. 140
Creating a regex-based custom property .. 140
Creating a calculation-based custom property .. 143
Modifying a custom property .. 144
Copying a custom property .. 146
Deleting a custom property .. 146

9 RULE MANAGEMENT
Rule permission considerations .. 149
Rules overview .. 149
Rule categories .. 149
Rule types .. 150
Rule conditions .. 151
Rule responses .. 151
Viewing rules .. 152
Creating a custom rule .. 153
Creating an anomaly detection rule .. 154
Rule management tasks .. 156
Enabling/disabling rules .. 156
Editing a rule .. 157
Copying a rule .. 157
Deleting a rule .. 158
Rule group management .. 158
Viewing a rule group .. 158
Creating a group .. 159
Assigning an item to a group .. 159
Editing a group .. 159
Copying an item to another group .. 160
Deleting an item from a group .. 160
Deleting a group .. 161
Editing building blocks .. 161
Rules page parameters .. 162
Rules page toolbar .. 163
Rule Response page parameters .. 164

10 ASSET MANAGEMENT
Asset profile overview .. 177
Vulnerability overview .. 177
Assets tab overview .. 178
Asset tab list .. 178
Assets tab toolbar .. 180
Right-click menu options .. 181
Viewing an asset profile .. 182
Adding or editing an asset profile .. 185
Searching asset profiles .. 189
Saving asset search criteria .. 190
Asset search groups .. 191
Viewing search groups .. 191
Creating a new search group .. 192
Editing a search group .. 193
Copying a saved search to another group .. 193
Removing a group or a saved search from a group .. 193
Asset profile management tasks .. 194
Deleting assets .. 194
Importing asset profiles .. 194
Exporting assets .. 195
Research asset vulnerabilities .. 196
Assets profile page parameters .. 198
Asset Summary pane .. 198
Network Interface Summary pane .. 201
Vulnerability pane .. 201
Services pane .. 202
Windows Services pane .. 203
Packages pane .. 203
Windows Patches pane .. 204
Properties pane .. 204
Risk Policies pane .. 204
Products pane .. 204

11 REPORTS MANAGEMENT
Reports tab overview .. 207
Timezone considerations .. 207
Report tab permissions .. 207
Reports tab parameters .. 207
Report tab sort order .. 208
Reports tab toolbar .. 209
Status bar .. 210
Report layout .. 210
Chart types .. 210
Graph types .. 212
Creating custom reports .. 213
Report management tasks .. 217
Editing a report .. 217
Viewing generated reports .. 217
Deleting generated content .. 218
Manually generating a report .. 218
Duplicating a report .. 219
Sharing a report .. 219
Branding reports .. 220
Report groups .. 221
Creating a group .. 221
Editing a group .. 222
Assigning a report to a group .. 222
Copying a report to another group .. 222
Removing a report from a group .. 223
Chart container parameters .. 223
Asset Vulnerabilities chart container parameters .. 223
Event/Logs chart container parameters .. 226
Flows chart container parameters .. 231
Top Source IPs chart container parameters .. 236
Top Offenses chart container parameters .. 236
Top Destination IPs chart container parameters .. 238

A RULE TESTS
Event rule tests .. 241
Host profile tests .. 242
IP/Port tests .. 244
Event property tests .. 245
Common property tests .. 251
Log source tests .. 252
Function - Sequence tests .. 253
Function - Counter tests .. 262
Function - Simple tests .. 267
Date/Time tests .. 267
Network Property tests .. 268
Function - Negative tests .. 269
Flow rule tests .. 269
Host Profile tests .. 270
IP/Port tests .. 272
Flow Property tests .. 273
Common Property tests .. 280
Function - Sequence tests .. 282
Function - Counters tests .. 290
Function - Simple tests .. 294
Date/Time tests .. 295
Network Property tests .. 295
Function - Negative tests .. 296
Common rule tests .. 297
Host Profile tests .. 298
IP/Port tests .. 300
Common Property tests .. 301
Functions - Sequence tests .. 305
Function - Counter tests .. 313
Function - Simple tests .. 317
Date/Time tests .. 318
Network Property tests .. 318
Functions - Negative tests .. 319
Offense rule tests .. 320
IP/Port tests .. 320
Function tests .. 321
Date/Time tests .. 321
Log Source tests .. 322
Offense Property tests .. 322
Anomaly detection rule tests .. 325
Anomaly rule tests .. 325
Behavioral rule tests .. 327
Threshold rule tests .. 329

B GLOSSARY

C NOTICES AND TRADEMARKS
Notices .. 341
Trademarks .. 343

INDEX

ABOUT THIS GUIDE

The IBM Security QRadar SIEM Users Guide provides information on managing IBM Security QRadar SIEM, including the Dashboard, Offenses, Log Activity, Network Activity, Assets, and Reports tabs.

Intended audience

This guide is intended for all QRadar SIEM users responsible for investigating and managing network security.