Student Exercises
IBM QRadar SIEM Foundations
Course code BQ103 ERC 1.0
IBM Training
October 2017 edition

NOTICES

This information was developed for products and services offered in the USA. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc.
in the United States, other countries, or both and is used under license therefrom.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.

ITIL is a Registered Trade Mark of AXELOS Limited.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2017.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About these exercises ... v
  Virtual machines ... v
  Logging in to the Client VM ... v
  Logging in to the QRadar user interface ... v
  Running commands on the QRadar VM ... vii
Unit 1 Introduction to IBM QRadar exercises ... 1
  This unit has no student exercises.
Unit 2 IBM QRadar SIEM architecture exercises ... 2
  This unit has no student exercises.
Unit 3 Using the QRadar SIEM user interface exercises ... 3
  Exercise 1 Sending sample data to QRadar ... 3
  Exercise 2 Discover the User Interface ... 4
Unit 4 Investigating an Offense triggered by events exercises ... 5
  Exercise 1 Investigating the local DNS scanner offense ... 5
Unit 5 Investigating the events of an offense exercises ... 10
  Exercise 1 Looking for events that contribute to an offense ... 10
  Exercise 2 Saving search criteria and search results ... 13
  Exercise 3 Investigating event details ... 16
Unit 6 Using asset profiles to investigate offenses exercises ... 18
  This unit has no student exercises.
Unit 7 Investigating an offense that is triggered by flows exercises ... 19
  Exercise 1 Investigating an offense that is triggered by flows ... 19
Unit 8 Using rules exercises ... 25
  Exercise 1 Creating an event rule ... 25
  Exercise 2 Analyzing the rule that contributed to the Local DNS Scanner offense ... 32
  Exercise 3 Working with rule parameters ... 32
  Exercise 4 Deleting changes that are made to a rule ... 34
  Exercise 5 Searching for a rule ... 36
Unit 9 Using the Network Hierarchy exercises ... 38
  Exercise 1 Create a network object ... 38
  Exercise 2 View network objects in flows ... 39
Unit 10 Index and Aggregated Data Management exercises ... 42
  Exercise 1 Manage indexes ... 42
    Enable an index and view indexed properties data ... 42
    Use an indexed property in a search ... 43
    Create and index a custom property ... 45
Unit 11 Using Dashboards exercises ... 48
  Exercise 1 Creating a new dashboard ... 48
Unit 12 Creating reports exercises ... 50
  Exercise 1 Viewing an existing report ... 50
  Exercise 2 Creating a new event report ... 52
  Exercise 3 Creating a new search and report ... 56
    Creating a search of terminated user login activity ... 57
    Creating a terminated user login activity report ... 60
Unit 13 Using filters exercises ... 66
  This unit has no student exercises.
Unit 14 Using AQL for advanced searches exercises ... 67
  Exercise 1 Sending Windows events to QRadar SIEM ... 68
  Exercise 2 Using the Select statement ... 69
  Exercise 3 Using clauses to narrow a search ... 72
  Exercise 4 Using functions and operators ... 74
  Exercise 5 Ready for a challenge? ... 78
Unit 15 Analyze a real-world large-scale attack exercises ... 80
  Exercise 1 Investigate the Target kill chain timeline ... 80
  Exercise 2 Suggest improvements ... 81

© Copyright IBM Corp. 2017 Course materials may not be reproduced in whole or in part without the prior written permission of IBM. iii
V7.0 Contents

About these exercises

Virtual machines

The lab environment uses the following two virtual machines (VMs):
• QRadar - a virtual machine running IBM QRadar on Red Hat Enterprise Linux.
• Client - a virtual machine providing a graphical user interface.

Logging in to the Client VM

The operating system of the Client VM is configured to automatically log you in as root user without the need to enter a password. Screen lock is disabled. If you need to authenticate as root user, enter the following password:
P@ssw0rd (the '0' is the digit zero)

Logging in to the QRadar user interface

To log in to QRadar, perform the following steps:
1. To start the web browser, click the Firefox icon on the bottom panel of the desktop. You can also click Applications in the bottom-left corner of the desktop, and click the Firefox icon to open the web browser.
2. Firefox starts and loads the QRadar login page. If the login page does not open, QRadar is still in the process of starting. Wait at least one minute and click the Home icon in the upper-right corner of Firefox to try again.
3. On the QRadar login page, the Username and Password fields should already be populated. If they are not populated, enter the following credentials:
   Username: admin
   Password: P@ssw0rd (the '0' is the digit zero)
4. Click the Login To QRadar button.
5. To zoom in, click the plus button in the upper-right corner of Firefox. To zoom out, click the minus button in the upper-right corner of Firefox.

Running commands on the QRadar VM

To run scripts that feed prepared sample data to QRadar, perform the following steps:
1. To open an SSH session to the QRadar VM, click the icon that resembles the letter Q of QRadar on the bottom panel. You can also click Applications in the bottom-left corner of the desktop, and click the Q icon to open an SSH session to the QRadar VM. Unless you are logged in automatically, enter the following credentials:
   Username: admin
   Password: P@ssw0rd (the '0' is the digit zero)
2. Instead of using the OpenSSH client in a terminal, you can use PuTTY. To start PuTTY, click the PuTTY icon on the bottom panel or in the Applications menu. In PuTTY, double-click the QRadar saved session to connect to the QRadar VM.

Unit 1 Introduction to IBM QRadar exercises

This unit has no student exercises.

Unit 2 IBM QRadar SIEM architecture exercises

This unit has no student exercises.

Unit 3 Using the QRadar SIEM user interface exercises

Exercise 1 Sending sample data to QRadar

QRadar SIEM needs to process sample data to create the examples used in this lab guide.
Perform the following steps to start the applicable script:
1. Before you can feed any of the prepared sample data, you have to log in to the web interface to verify that QRadar SIEM has started completely. To log in, use the procedure as outlined in Logging in to the QRadar user interface. After logging in, you see a web interface similar to the one in the following screen capture.
2. Next, open a remote shell to the QRadar VM. Use the procedure as outlined in Running commands on the QRadar VM.
3. To feed prepared syslog messages to QRadar, run the following commands:
   cd /labfiles
   ./sendCheckpoint.sh
   The script runs for around 10 minutes. Do not close the terminal window.
4. Bring the browser to the front. One to two minutes after starting the script, Dashboard items and the Log Activity tab start visualizing the sample data.

Exercise 2 Discover the User Interface

Discover QRadar SIEM together with your instructor.
1. Go to the different tabs and observe what information is displayed. Take a closer look at the Log Activity tab.
2. Answer the following questions about the events QRadar receives from the script you started in Exercise 1:
   a. What time were these events received?
      ________________________________________________________________________
   b. What log source is associated with these events?
      ________________________________________________________________________
   c. What log source type is associated with these events?
      ________________________________________________________________________
   d. Take a look at the Admin tab and search for information about this log source. Where do you find these and how was the log source discovered?
      ________________________________________________________________________

Unit 4 Investigating an Offense triggered by events exercises

Exercise 1 Investigating the local DNS scanner offense

To investigate an offense triggered by events, this exercise looks at the offense named Local DNS Scanner containing Invalid DNS. Perform the following steps:
1. In the QRadar user interface, double-click the Offenses tab. The All Offenses page opens.
2. Select the offense with the description Local DNS Scanner containing Invalid DNS.
   a. If you do not see the Local DNS Scanner containing Invalid DNS offense, search for the offense. From the Search list, select New Search.
   b. On the Search Parameters pane, define the search criteria. For Description, enter Local DNS Scanner.
      Note: The description search criterion is case sensitive.
   c. Click Search. The All Offenses page shows the offense that meets the search criteria, Local DNS Scanner containing Invalid DNS.
3. Answer the following questions for the Local DNS Scanner containing Invalid DNS offense.
   a. What is the offense type, offense source, and magnitude? Hint: Hover the mouse over the Magnitude to obtain the numeric value.
      _____________________________________________
   b. What network does the offense source IP belong to? Hint: Hover the mouse over the Offense Source IP to obtain the network.
      _____________________________________________
4. Double-click the Local DNS Scanner containing Invalid DNS offense to view the Offense Summary page. The Offense Summary page provides detailed information about the offense.
5. Answer the following questions for this offense.
   a. How many events or flows have been added to this offense?
      _____________________________________________
   b. What time did this offense begin?
      _____________________________________________
   c. Is the source IP involved in any other offenses?
      _____________________________________________
   d. How many destination IPs are targets of the offense? Are the destination IPs local or remote?
      _____________________________________________
   e. List the categories of the events that contributed to this offense. From the Display drop-down list on the toolbar, select Categories to display the event categories.
      _____________________________________________
   f. What do you learn about this offense based on the annotations? From the Display drop-down list on the toolbar, select Annotations.
      _____________________________________________
   g. What is the event name, event category, and destination port for the events listed in the Last 10 Events list? Click Summary on the toolbar and scroll down to the Last 10 Events list.
      _____________________________________________
   h. For which service is the destination port well known?
      _____________________________________________
6. Perform the following actions on this offense.
   a. Add a note:
      i. From the Actions drop-down list, select Add Note.
      ii. Enter This offense was investigated in the QRadar SIEM Foundations course.
      iii. Click Add Note.
      Note: The note is displayed in the Last 5 Notes pane on the Offense Summary page. The Notes icon is displayed in the Status field on the Offense Summary page and in the flag column for the offense on the All Offenses page. Hover the mouse over the Notes icon to view the note.
   b. Protect the offense. From the Actions drop-down list on the Offense Summary page, select Protect Offense. As a result, the Protected icon is displayed in the Status field on the Offense Summary page and in the flag column for the offense on the All Offenses page. Why do you protect an offense?
      _____________________________________________

Unit 5 Investigating the events of an offense exercises

Exercise 1 Looking for events that contribute to an offense

In Unit 4 Investigating an Offense triggered by events exercises on page 5, you investigated the offense by analyzing the offense summary information. In this exercise, you use the events that are viewed in the Log Activity tab to further analyze the offense.
1. In the QRadar SIEM web interface, double-click the Offenses tab. The All Offenses page opens.
2. Find and double-click the Local DNS Scanner containing Invalid DNS offense.
3. Show the low-level categories of the offense's events by selecting Display > Categories on the toolbar.
4. 
To investigate the events that are associated with this offense in the low-level category DNS Protocol Anomaly, right-click the table row that shows DNS Protocol Anomaly and click Events.
   Note: Alternatively, you can select DNS Protocol Anomaly and click Events in the title bar above the table.
   The List of Events page opens.
5. Create a filter to exclude the source IP that contributed to the Local DNS Scanner offense. Select an event. Right-click 10.152.247.69 and select Filter on Source IP is not 10.152.247.69.
6. What results are returned?
   ________________________________________________________________________
7. What do the results of this search indicate?
   ________________________________________________________________________
8. To look for similar DNS requests unrelated to the offense, click Clear Filter for the Offense is Local DNS Scanner filter.
9. What results are returned? Why?
   ________________________________________________________________________
10. To view events from the last 24 hours, in the View drop-down list, select Last 24 Hours. QRadar SIEM displays events of the low-level category DNS Protocol Anomaly that do not originate from the IP address 10.152.247.69, which is the source IP address of the offense triggered by DNS scanning.
11. Review the suspicious DNS requests from other sources.

Exercise 2 Saving search criteria and search results

To save the search criteria and search results for future reference, perform the following steps:
1. Save the current search criteria.
   a. On the toolbar, click Save Criteria. The Save Criteria window opens.
   b. Configure the Save Criteria window as shown in the following table:
      Field / Option                    Setting
      Search Name                       Dept - DNS Protocol Anomaly without 10.152.247.69
      Assign Search to Group(s)         Disable
      Timespan options                  Recent, Last 24 Hours
      Include in my Quick Searches      Enable
      Set as Default                    Disable
      Share with Everyone               Disable
   c. Verify that the Save Criteria settings look like the ones in the graphic.
   d. Click OK.
2. Save the current search results.
   a. On the toolbar, click Save Results. The Save Search Result window opens.
   b. For the Name field, enter DNS Protocol Anomaly without 10.152.247.69.
   c. Click OK.
3. Revisit or delete your saved search results.
   a. On the List of Events page's toolbar, click Search > Manage Search Results. The Search Results Management page opens.
   b. Select your search results and click Delete.
   c. Close the Search Results Management page.
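The two save operations in Exercise 2 keep different things: Save Criteria stores the filters plus a relative timespan (Recent, Last 24 Hours) that is evaluated again every time the search runs, whereas Save Results stores a frozen snapshot of one run. The following Python block is an added illustration written for this guide, not QRadar code and not part of the lab material; the events, times and every IP address other than 10.152.247.69 are constructed, and the filter functions stand in for the search filters built in Exercise 1.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple

# Constructed sample events shaped like rows of the List of Events page
# (start time, source IP, destination IP, low-level category). Not lab data.
@dataclass(frozen=True)
class Event:
    start_time: datetime
    sourceip: str
    destinationip: str
    low_level_category: str

# "Save Criteria": the filters plus a relative timespan ("Recent: Last 24
# Hours") that is re-evaluated every time the saved search is run.
@dataclass
class SavedSearchCriteria:
    name: str
    filters: List[Callable[[Event], bool]]
    recent: timedelta

    def run(self, events: List[Event], now: datetime) -> List[Event]:
        since = now - self.recent
        return [e for e in events
                if since <= e.start_time <= now and all(f(e) for f in self.filters)]

# "Save Results": a frozen snapshot of one run; reopening it later shows
# exactly the rows it held when it was saved.
@dataclass(frozen=True)
class SavedSearchResult:
    name: str
    ran_at: datetime
    events: Tuple[Event, ...]

def category_is(name: str) -> Callable[[Event], bool]:
    return lambda e: e.low_level_category == name

def source_ip_is_not(ip: str) -> Callable[[Event], bool]:
    return lambda e: e.sourceip != ip

OFFENSE_SOURCE = "10.152.247.69"  # the source IP filtered out in Exercise 1

DEPT_SEARCH = SavedSearchCriteria(
    name="Dept - DNS Protocol Anomaly without 10.152.247.69",
    filters=[category_is("DNS Protocol Anomaly"), source_ip_is_not(OFFENSE_SOURCE)],
    recent=timedelta(hours=24),
)

T0 = datetime(2017, 10, 2, 9, 0, 0)  # constructed "now" for the first run
SAMPLE_EVENTS = [
    Event(T0 - timedelta(hours=1), OFFENSE_SOURCE, "10.1.1.10", "DNS Protocol Anomaly"),   # the offender: removed by the filter
    Event(T0 - timedelta(hours=2), "10.152.247.80", "10.1.1.10", "DNS Protocol Anomaly"),  # another source: what step 11 looks for
    Event(T0 - timedelta(hours=3), "10.152.247.81", "10.1.1.10", "Firewall Permit"),       # wrong low-level category
    Event(T0 - timedelta(hours=30), "10.152.247.82", "10.1.1.10", "DNS Protocol Anomaly"), # older than 24 hours
    Event(T0 + timedelta(hours=5), "10.152.247.83", "10.1.1.10", "DNS Protocol Anomaly"),  # arrives only after the first run
]

def other_sources(events: List[Event], now: datetime) -> List[str]:
    """Source IPs other than the offender that show DNS anomalies in the window."""
    return sorted({e.sourceip for e in DEPT_SEARCH.run(events, now)})

def snapshot(events: List[Event], now: datetime) -> SavedSearchResult:
    """What "Save Results" stores for a run at time `now`."""
    return SavedSearchResult(DEPT_SEARCH.name, now, tuple(DEPT_SEARCH.run(events, now)))

def rerun_vs_snapshot(events: List[Event], now: datetime) -> Tuple[List[str], List[str]]:
    """Compare the saved results with the saved criteria run again 23 hours later:
    the snapshot is unchanged, the criteria pick up newer events and drop older ones."""
    saved = snapshot(events, now)
    later = now + timedelta(hours=23)
    return (sorted({e.sourceip for e in saved.events}),
            sorted({e.sourceip for e in DEPT_SEARCH.run(events, later)}))

if __name__ == "__main__":
    print(other_sources(SAMPLE_EVENTS, T0))
    print(rerun_vs_snapshot(SAMPLE_EVENTS, T0))
```

Run 23 hours later, the criteria no longer return the anomaly from 10.152.247.80 (it is now older than 24 hours) but do return the later one from 10.152.247.83, while the saved result still lists only 10.152.247.80. That is why the exercise saves both: the criteria for re-checking, the results as a record of what was seen at the time.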
Exercise 3 Investigating event details

The details of an event, particularly its original log message attached as payload, can provide further insights. To investigate the details of an event, perform the following steps:
1. Find and run your saved search.
   a. In the QRadar SIEM console, double-click the Log Activity tab.
   b. On the Log Activity tab toolbar, click Quick Searches.
   c. Select Dept - DNS Protocol Anomaly without 10.152.247.69 - Last 24 Hours.
      Hint: If you do not see your saved search, double-click the Log Activity tab and click Quick Searches again.
   d. In the search result, double-click an event. The Event Details page opens in the Log Activity tab.
2. Verify with the firewall and DNS experts of your organization whether the log message that is displayed in the payload is a concern.
   Note: Use Previous and Next on the Event Details toolbar to browse the events.
3. To return to the list of events, on the toolbar, click Return to Event List.

Unit 6 Using asset profiles to investigate offenses exercises

This unit has no student exercises.
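Unit 3 Exercise 1 feeds syslog messages to QRadar, and Unit 5 Exercise 3 inspects the original log message that QRadar keeps as the event payload. The following Python block is an added example, not the lab's sendCheckpoint.sh and not QRadar code: it builds and parses RFC 3164 (BSD) syslog lines so that the header a collector reads (PRI, timestamp, hostname, tag) and the payload it stores are both visible. The hostnames, the message text and the UDP/514 collector port are assumptions; the messages are constructed in a generic key=value style and follow no vendor's format.

```python
import re
import socket
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List

# RFC 3164 facility and severity codes (subset).
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "local4": 20}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_syslog(facility: str, severity: str, ts: datetime,
                 hostname: str, tag: str, message: str) -> bytes:
    """Encode one BSD-syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE.
    PRI is facility * 8 + severity; the day of month is space padded."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    timestamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}\n".encode()

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")

def parse_syslog(line: bytes) -> Dict[str, object]:
    """Split a syslog line into its header fields plus the full payload text."""
    text = line.decode("utf-8", errors="replace").rstrip("\n")
    m = SYSLOG_RE.match(text)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "message": m.group("msg"),
        "payload": text,          # what the Event Details page shows as payload
    }

def senders(lines: Iterable[bytes]) -> Dict[str, int]:
    """Count messages per header hostname, i.e. per would-be log source."""
    return dict(Counter(parse_syslog(line)["hostname"] for line in lines))

def send_udp(lines: Iterable[bytes], collector_ip: str, port: int = 514) -> int:
    """Send lines to a syslog collector over UDP and return how many were sent.
    Assumption: the collector listens on UDP 514. Not called by the tests."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line, (collector_ip, port))
            sent += 1
    return sent

# Constructed sample lines; hostnames and message wording are invented.
T = datetime(2017, 10, 2, 9, 0, 0)
SAMPLE_LINES: List[bytes] = [
    build_syslog("local4", "info", T, "fw-edge-01", "fw",
                 "action=accept src=10.152.247.80 dst=10.1.1.10 service=domain-udp"),
    build_syslog("local4", "info", T, "fw-edge-01", "fw",
                 "action=drop src=10.152.247.69 dst=10.1.1.10 service=domain-udp"),
    build_syslog("user", "notice", T, "dns-01", "named",
                 "query: example.invalid IN A from 10.152.247.80"),
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog(sample))
    print(senders(SAMPLE_LINES))
```

A collector tells log sources apart by the sender, normally the hostname in the syslog header or, failing that, the packet's source address, so a feed that mixes hostnames shows up as several log sources; senders() makes that visible before anything is sent, which is the kind of check to run when a log source is not discovered as expected.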
Unit 7 Investigating an offense that is triggered by flows exercises

Exercise 1 Investigating an offense that is triggered by flows

To investigate an offense that is triggered by flows, perform the following steps:
1. Open a remote shell to the QRadar VM. Use the procedure as outlined in Running commands on the QRadar VM.
2. To feed prepared network activity to QRadar, run the following commands:
   cd /labfiles
   ./startRdp.sh
3. In the QRadar user interface, navigate to the Network Activity tab.
4. Observe the network activity and verify that a network activity triggers an offense.
   Note: QRadar SIEM shows a red icon in the left-most column for flows that contribute to an offense.
5. To investigate the offense, click the red icon in the left-most column. The Offense Summary page opens.
   Note: There is a delay between the time the red icon is shown next to the flow and when the offense is created on the All Offenses page in the Offenses tab.
6. What is the name of the offense?
   _____________________________________________
7. What is the offense type and offense source?
   _____________________________________________
8. What is the destination IP?
   _____________________________________________
9. How many events are associated with this offense? How many flows are associated with this offense?
   _____________________________________________
10. Which rule added events or flows to this offense?
   _____________________________________________
   Hint: To determine which rule triggered the offense, click the Display drop-down list and select Rules.
   Note: The offense has been triggered by the Remote: Remote Desktop Access from the Internet rule. The rule detects remote desktop access from external IP addresses to local Microsoft Windows servers. A newly installed QRadar SIEM does not have this rule. The following extensions add this rule:
   - Compliance (http://www.ibm.com/support/docview.wss?uid=swg21973570)
   - Intrusions (http://www.ibm.com/support/docview.wss?uid=swg21973571)
11. To investigate the flows that contributed to the offense, click Flows on the Offense Summary page toolbar. The Flow List page opens.
12. Examine the flow associated with this offense. Double-click the flow listed. The Flow Details page opens.
13. Answer the following questions:
   a. What is the flow direction?
      _____________________________________________
   b. What is the application name?
      _____________________________________________
   c. Based on your investigation, which activity triggered this offense?
      _____________________________________________
14. Tune the flow as a false positive.
   a. On the Flow Details page's toolbar, click False Positive. The False Positive page opens.
   b. Click Tune.
   c. Click Close.
   Note: Tuning an event or flow as a false positive updates the User-BB-FalsePositive: User Defined False Positives building block.

15. Close the offense.
   a. On the Offense tab navigation menu, select All Offenses.
   b. From the Actions drop-down list on the toolbar, select Close.
   c. From the Reason for Closing list, select False-Positive, Tuned.
   d. Click OK.
16. Answer the following question:
   a. Would you choose this False Positive tuning option? Provide a reason!
   _____________________________________________

Unit 8 Using rules exercises

Exercise 1 Creating an event rule

Because scripts might run using terminated employees' user IDs, the organization wants to monitor the user accounts of terminated employees. You decide to configure QRadar SIEM to perform the following tasks:
• Create an event rule to create offenses for login activity
• Use a reference set to store and look up the usernames of terminated employees

Note: The QRadar SIEM administrator created the reference set of terminated users. Therefore, the reference set already exists.

In this exercise, you perform the following tasks:
• Create an event rule
• Generate events to trigger offenses
• Investigate the offenses

To create an event rule, perform the following steps:

1. In the QRadar user interface, click the Log Activity tab.
2. From the Rules drop-down list on the toolbar, select Rules.
   The Rules List window opens.
3. From the Actions drop-down list, select New Event Rule.
   The Rules wizard opens.
4. Click Next twice.
   The Rule Test Stack Editor opens.
5. For the rule name in the Apply field, enter the following name:
   Exercise: BQX Watchlist User Activity
   Note: It is a best practice to define a naming policy for the rules that you create. You might choose to name the rules with a prefix that easily identifies the rule; for example, the prefix IBM identifies rules that come from IBM Corporation. Alternatively, create a group and assign the rules that you create to the group.
6. Add the following tests to the rule under these conditions:
   – when any of these event properties are contained in any of these reference set(s)
   – when an event matches any|all of the following rules
   To add the first rule test, when any of these event properties are contained in any of these reference set(s), perform the following steps:
   a. Filter the options in the Test Group list. In the Type to filter field, enter ref.
   b. Click the green plus (+) icon in front of the when any of these event properties are contained in any of these reference set(s) test to select it. The test appears in the rule section. The underlined green sections of the rule are parameters.
   c. Click the parameter these event properties.
   d. Filter the fields in the event property list. In the Type to filter field, enter user.
   e. Select Username and click Add.
   f. Click Submit.
   g. Click the parameter these reference set(s).
   h. Select the reference set Exercise: User Watchlist and click Add.
   i. Click Submit.
   To add the second rule test, when an event matches any|all of the following rules, perform the following steps:
   j. In the Test Group drop-down list, select Functions - Simple.
   k. Click the green plus (+) icon next to the only test listed.
   l. Click the parameter rules.
   m. Filter the options in the rules list. In the Type to filter field, enter the following text: BB:Category
   n. Select BB:CategoryDefinition: Authentication Success and click Add.
   o. Click Submit.
7. Assign the rule to the group Authentication.
8. To document the rule in the Notes field, enter the following text:
   This rule tracks the successful login of terminated users accounts.
9. Verify that your Rule Wizard looks like the following screen capture.
10. Click Next.
11. Configure the rule action and response as shown in the following table.

   Field / Option                                      Setting
   Rule Action
   Ensure the detected event is part of an offense     enable
   Index offense based on                              Username
   Annotate this offense                               enable; User Watchlist login success
   Annotate event                                      enable; User Watchlist login success
   Rule Response
   Dispatch New Event                                  enable
   Event Name                                          User Watchlist login
   Event Description                                   User Watchlist login
   Severity                                            8
   Credibility                                         10
   Relevance                                           10
   High Level Category                                 Authentication
   Low Level Category                                  User Login Success
   Annotate this offense                               enable; User Watchlist login success
   Field / Option                                                                  Setting
   Ensure the dispatched event is part of an offense                               enable
   Index offense based on                                                          Username
   This information should contribute to the naming of the associated offense(s)  enable

   Note: The Index offense based on parameter field configures the offense type.
12. Verify that your Rule Action configuration looks like the one in the screen capture.
13. Verify that your Rule Response configuration looks like the one in the screen capture.
14. Click Next.
15. Verify that your rule summary looks similar to the one in the screen capture.
16. Click Finish.
17. Open a remote shell to the QRadar VM. Use the procedure as outlined in Running commands on the QRadar VM.
18. To feed prepared syslog messages to QRadar, run the following commands:
   cd /labfiles
   ./sendWindows.sh
19. In the browser, return to the Offenses tab.
   Note: Wait five minutes for the events to trigger offenses.
20. Investigate the offenses created. Answer the following questions:
   a. How many offenses did the BQX Watchlist User Activity rule create? On the Rule list page, select the rule and look for the offense count parameter.
   ________________________________________________________________________
   b. List the user IDs that created offenses. In the QRadar user interface, double-click the Offenses tab and find offenses that have Watchlist in the description.
   ________________________________________________________________________
   c. What is the source IP address of the offenses created?
   _____________________________________________
   _____________________________________________

Exercise 2 Analyzing the rule that contributed to the Local DNS Scanner offense

To analyze the rule that contributed to the Local DNS Scanner offense, perform the following steps:

1. Review the Local DNS Scanner containing Invalid DNS offense investigated in Unit 4 Investigating an Offense triggered by events exercises on page 5.
2. Answer the following questions about the rule that contributed to this offense.
   a. What is the name of the rule that triggered this offense? On the All Offenses page, double-click the Local DNS Scanner containing Invalid DNS offense. From the Display drop-down list on the Offense Summary toolbar, select Rule.
   ________________________________________________________________________
   b. Which activity caused this rule to trigger? Double-click the rule listed previously to launch the Rule Wizard. Review the rule's notes.
   ________________________________________________________________________
   _____________________________________________
   c. If your investigation determines that the result is a false positive, what do you change so that this source IP does not create an offense?
   _____________________________________________
   _____________________________________________

Exercise 3 Working with rule parameters

To work with the parameters of a rule, perform the following steps:

1. In the QRadar user interface, navigate to the Offenses tab.
2. Click Rules in the left pane.
3. Sort the Offense Count column in descending order.
   a. Click the header for the Offense Count column to sort in descending order.
   b. What rule created the most offenses?
   ________________________________________________________________________
4. How many events or flows are associated with the Exercise: BQX Watchlist User Activity rule? View the Event/Flow Count parameter.
   ________________________________________________________________________
5. How many offenses are associated with the rule? View the Offense Count parameter.
   ________________________________________________________________________
6. Close the User Watchlist login containing Successful Logon Attempt offense for the dcross offense source.
   a. From the Offense tab navigation menu, select All Offenses.
   b. Select the offense that is named previously.
   c. From the Actions drop-down list on the toolbar, click Close.
   d. From the Reason for Closing drop-down list, select Policy Violation.
   e. Click OK.
7. From the Offense tab navigation menu, select Rules.
8. Find the Exercise: BQX Watchlist User Activity rule.
9. How many events or flows are associated with this rule? View the Event/Flow Count parameter.
   Note: After an offense is closed, wait until the rule Event/Flow Count parameter updates.
   ________________________________________________________________________
10. How many offenses are associated with this rule? View the Offense Count parameter.
   ________________________________________________________________________
11. What did you learn about the rule Event/Flow Count and Offense Count parameters?
   ________________________________________________________________________
   _____________________________________________

Exercise 4 Deleting changes that are made to a rule

The Origin rule parameter specifies whether the system or the user created the rule. The values for the Origin parameter are listed in the following table.

   Origin parameter value   Meaning
   System                   Rule bundled with QRadar SIEM or added by an extension
   Modified                 Changes were made to a System rule
   User                     Custom rule that is created by the user

Perform the following steps to learn two different methods to delete changes that are made to a system rule:

1. From the Offense tab navigation menu, select All Offenses.
2. Double-click the offense that is named Windows SMB Protection Violation, whose offense source IP is 192.168.0.12.
3. Navigate to the events associated with this offense.
4. Tune the Windows SMB Protection Violation event as a false positive.
   Hint: Refer to Step 14 on page 22.
5. Edit the User-BB-FalsePositive: User Defined False Positives Tunings building block.
   a. From the Offense tab navigation menu, select Rules.
   b. On the Rules list page, from the Display drop-down list, select Building Blocks.
   c. Scroll through the list of building blocks.
6. Double-click the User-BB-FalsePositive: User Defined False Positives Tunings building block to open it for editing.
7. Remove one of the values.
   a. Select the value that begins with CAT.
   The False Positive Signature list page opens.
   b. From the Selected Values list, select any object.
   c. Click Remove.
   d. Click Submit.
   You return to the Rule Wizard page.
   e. Click Finish.
8. Double-click the User-BB-FalsePositive: User Defined False Positives Tunings building block to open it for editing.
9. Revert the rule to the system default.
   a. Select the User-BB-FalsePositive: User Defined False Positives Tunings building block.
   b. On the Rules List toolbar, click Revert Rule.
   The revert rule confirmation page opens.
   c. Click OK.
   Note: If you made many changes to a rule, use the Revert Rule option to set the rule to the system default. The Origin value for the rule changes from Modified to System.
10. Answer the following questions:
   a. What problem will arise when you use the Revert Rule option to revert changes to the building block User-BB-FalsePositive: User Defined False Positives Tunings after you accidentally tuned a single event as a false positive?
   ________________________________________________________________________
   b. What other option can you use to revert this accidentally false-positive-tuned event, and what information do you need to do this?
   _____________________________________________

Exercise 5 Searching for a rule

To find a rule or building block that is included in other rules, perform the following steps:

1. On the Rules page, from the Display drop-down list, select Rules.
2. From the Group drop-down list, do not select any group.
3. In the Search Rules field, enter the following name:
   BB:CategoryDefinition: Authentication Success
   The Rules display lists all the rules that meet the search criteria.
4. Select several of the rules and review the rule tests. Notice that the rules listed include the BB:CategoryDefinition: Authentication Success building block. Before editing a building block or rule, determine which other rules use it.
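The rule built in Exercise 1 and the building-block search in Exercise 5, as an added Python model that is not part of the IBM course materials: it evaluates the two rule tests (Username contained in the Exercise: User Watchlist reference set, event matches BB:CategoryDefinition: Authentication Success), indexes the resulting offenses on Username, derives the Event/Flow Count and Offense Count counters compared in Exercise 3, and lists which rules reference a given building block. The events, the reference set contents, the IP addresses, the category list standing in for the building block, and the extra rule names are constructed assumptions, not QRadar data.

```python
"""Added example (not IBM's code): a small model of the
'Exercise: BQX Watchlist User Activity' rule from Unit 8, Exercise 1,
plus the 'which rules use this building block' search from Exercise 5.
All events, reference set contents, IP addresses and extra rule names
are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RULE_NAME = "Exercise: BQX Watchlist User Activity"
REFERENCE_SET = "Exercise: User Watchlist"
BB_AUTH_SUCCESS = "BB:CategoryDefinition: Authentication Success"
DISPATCHED_EVENT_NAME = "User Watchlist login"   # Rule Response > Dispatch New Event


@dataclass
class Event:
    event_name: str
    username: Optional[str]          # None when the event carries no Username
    low_level_category: str
    source_ip: str


@dataclass
class Offense:
    index_value: str                 # the Username, per 'Index offense based on Username'
    description: str
    events: List[Event] = field(default_factory=list)
    annotations: List[str] = field(default_factory=list)


# Constructed contents of the reference set the administrator created.
REFERENCE_SETS: Dict[str, Set[str]] = {REFERENCE_SET: {"dcross", "jsmith"}}

# Constructed stand-in for the building block: in QRadar it tests the event's
# category; here we assume it matches these two low-level categories.
AUTH_SUCCESS_CATEGORIES = {"User Login Success", "Admin Login Success"}

# Constructed rule definitions (rule name -> rules/building blocks its tests
# reference), used only for the Exercise 5 style search.
RULE_DEPENDENCIES: Dict[str, List[str]] = {
    RULE_NAME: [BB_AUTH_SUCCESS],
    "Sample Rule A (constructed)": [BB_AUTH_SUCCESS],
    "Sample Rule B (constructed)": ["BB:Sample Other (constructed)"],
}


def in_reference_set(value: Optional[str], set_name: str) -> bool:
    """Test 1: 'when any of these event properties are contained in any of these reference set(s)'."""
    return value is not None and value in REFERENCE_SETS.get(set_name, set())


def matches_bb_auth_success(ev: Event) -> bool:
    """Test 2: 'when an event matches any|all of the following rules' with the building block."""
    return ev.low_level_category in AUTH_SUCCESS_CATEGORIES


def rule_matches(ev: Event) -> bool:
    """Both tests in the test stack must hold (they are AND-ed)."""
    return in_reference_set(ev.username, REFERENCE_SET) and matches_bb_auth_success(ev)


def run_rule(events: List[Event]) -> Dict[str, Offense]:
    """Apply the rule to an event stream and return the offenses keyed by Username."""
    offenses: Dict[str, Offense] = {}
    for ev in events:
        if not rule_matches(ev):
            continue
        # Rule Response: the dispatched event's name combines with the triggering
        # event's name into the offense name, e.g. 'User Watchlist login containing
        # Successful Logon Attempt' (the offense referred to in Exercise 3).
        key = ev.username
        if key not in offenses:
            offenses[key] = Offense(key, f"{DISPATCHED_EVENT_NAME} containing {ev.event_name}")
        offense = offenses[key]
        offense.events.append(ev)
        offense.annotations.append("User Watchlist login success")  # 'Annotate this offense'
    return offenses


def rule_counters(offenses: Dict[str, Offense]) -> Dict[str, int]:
    """The two rule parameters compared in Exercise 3: matched events vs. offenses."""
    return {"event_flow_count": sum(len(o.events) for o in offenses.values()),
            "offense_count": len(offenses)}


def rules_using(bb_name: str) -> List[str]:
    """Exercise 5: find the rules whose tests include the given building block."""
    return sorted(name for name, deps in RULE_DEPENDENCIES.items() if bb_name in deps)


# Constructed Windows authentication events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    Event("Successful Logon Attempt", "dcross", "User Login Success", "192.0.2.10"),
    Event("Successful Logon Attempt", "dcross", "User Login Success", "192.0.2.10"),
    Event("Failed Logon Attempt", "jsmith", "User Login Failure", "192.0.2.11"),
    Event("Successful Logon Attempt", "bwayne", "User Login Success", "192.0.2.12"),
    Event("Successful Logon Attempt", None, "User Login Success", "192.0.2.13"),
    Event("Admin Logon", "jsmith", "Admin Login Success", "192.0.2.11"),
]

if __name__ == "__main__":
    result = run_rule(SAMPLE_EVENTS)
    for user, off in result.items():
        print(f"{off.description}: user={user} events={len(off.events)}")
    print(rule_counters(result))          # {'event_flow_count': 3, 'offense_count': 2}
    print(rules_using(BB_AUTH_SUCCESS))
```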
Unit 9 Using the Network Hierarchy exercises

These exercises are part of the Network Hierarchy module.

Exercise 1 Create a network object

1. Navigate to the Admin tab and click the Network Hierarchy icon in the System Configuration section.
2. Click Add.
3. In the Add Network window, click the yellow gear wheel icon.
4. For Name in the Add a new Group window, enter the following text: QRadar.Clients
5. Click Save.
6. In the Add Network window, enter the values shown in the following table.

   Table 1
   Field         Value
   Name          Student
   Description   Exercise
   IP/CIDR(s)    192.168.42.205

7. Make sure you click the plus icon to add the IP/CIDR(s) value to the object's list.
8. Click Create.
9. Click Add.
10. In the Add Network window, click the yellow gear wheel icon.
   The Add a new group window opens.
11. In the Name field, enter QRadar.Managed_Hosts.
12. Click Save.
13. In the Add Network window, enter the values shown in the following table.

   Table 2
   Field         Values
   Name          On_Premise
   Description   Exercise
   IP/CIDR(s)    192.168.10.20/32
                 192.168.10.16/30
                 192.168.10.12/30
                 192.168.42.150/31

14. Click Create.
15. Close the Network Hierarchy window.
16. Click Deploy Changes.
   Hint: If clicking Deploy Changes does not have an effect, double-click the Admin tab. The double-click resets the tab to its default settings. Click Deploy Changes again.
17. Click Network Hierarchy.
18. Open the QRadar related nodes.
19. Verify that the Student and On_Premise network objects are listed.

Exercise 2 View network objects in flows

1. To view incoming flows, double-click the Network Activity tab. The double-click resets the tab to its default settings.
2. Wait until you see flows with the IP addresses 192.168.42.150 and 192.168.42.205.
3. To pause the incoming events, click the Pause icon in the upper-right corner of the QRadar user interface.
4. Hover the mouse over either of the IP addresses and review the Network field information.
5. Open a remote shell to the QRadar VM. Use the procedure as outlined in Running commands on the QRadar VM.
6. To feed prepared network activity data to QRadar, run the following commands:
   cd /labfiles
   ./startPcap.sh
7. In the browser, return to the Network Activity tab.
8. If refresh of the Network Activity tab is paused, press the Play button in the upper-right corner of the QRadar user interface.
9. Wait for at least one minute.
10. To display only flows whose destination IP addresses are part of the network objects you created, click Add Filter.
11. In the Add Filter window, enter the values shown in the following table.

   Table 3
   Field       Value
   Parameter   Destination Network
   Operator    Equals
   Value       QRadar.Managed_Hosts

12. Click Add Filter.
13. Verify that no rows other than one with a Destination Network of On_Premise are listed.
14. Change the View to show the Last Hour.
15. Change the Display to Destination Network.
16. Use the right-click option menu on the Destination IP column to apply the filter Destination IP is not 192.168.42.150.
17. Verify that you only see rows with Destination IP 192.168.10.12.
18. Hover the mouse over the Destination IP address and review the Network field information.
19. Navigate to the Admin tab and click the Network Hierarchy icon in the System Configuration section.
20. Click the plus signs in front of QRadar and Managed_Hosts.
21. Double-click On_Premise.
22. Select 192.168.10.12/30 from the IP/CIDR(s) list and click the red X.
23. Click Save.
24. Close the Network Hierarchy window.
25. Click Deploy Changes.
26. Return to the Network Activity page using only one single click.
27. Hover the mouse over the Destination IP address and review the Network field information to verify that it no longer displays QRadar.Managed_Hosts.On_Premise.
28. Clear the Destination Network is QRadar.Managed_Hosts filter.
29. Reapply the Destination Network is QRadar.Managed_Hosts filter.
30. Verify that the result set is now empty.

Note: Imagine a rule that is triggered by flows matching a specific network object. Now assume that an offense was triggered by the rule, and a local IP address in the offense is removed from the network object afterwards. The offense will then no longer show the original network object for the local IP address, although the offense was triggered by the fact that the IP address was covered by the network object. This demonstrates how fundamental the Network Hierarchy is to QRadar and that its configuration must be part of the initial configuration of QRadar.

Unit 10 Index and Aggregated Data Management exercises

Exercise 1 Manage indexes

In this exercise, you create an index for two properties. Then you use the indexed properties in searches and observe how the statistics for the indexed properties are updated. Because time does not allow the tool to collect index statistics, this exercise focuses on how to use the tool.

Task 1 Enable an index and view indexed properties data

1. In the QRadar user interface, click the Admin tab.
2. Click the Index Management icon.
   The Index Management window opens.
3. Verify that some indexed properties have data-written values by sorting the Data Written column in descending order.
   Note: Management information for the indexed property updates every hour.
4. Enter Account in the search field at the top of the screen and click the magnifying glass icon.
5. Right-click AccountName (custom) and click Enable Index.
   Note: This is a preparation for the filtering you will perform in Task 2.
6. Click Save.
7. Click OK.

Task 2 Use an indexed property in a search

1. Open a remote shell to the QRadar VM. Use the procedure as outlined in Running commands on the QRadar VM.
2. To feed prepared syslog messages to QRadar, run the following commands:
   cd /labfiles
   ./sendWindows.sh
3. In the QRadar user interface, double-click the Log Activity tab.
4. Modify the search using Add Filter and View using the following criteria:
   a. View the events from the last 30 minutes.
   b. Add the AccountName (custom) [Indexed] is not N/A filter.
   c. Add the Log Source is WindowsAuthServer @ 10.0.120.11 filter.
   d. Edit the search.
      i. In the columns definition pane, group the search results by AccountName (custom).
      ii. For the Columns list, select only Event Name and Event Count (Sum).
      iii. From the Order By list, select Event Count (Sum).
5. Click Search.
6. Verify that your search results look similar to the results in the following screen capture.
7. Click Save Criteria to save the search.
8. Save the search using the values shown in the following table.

   Table 1.
   Field / Option                 Value
   Search Name                    Exercise:Report:Index management
   Timespan options               Recent <enabled>
                                  Last 15 minutes
   Include in my Quick Searches   <enabled>

9. Verify that your save search configuration looks like the one in the following screen capture.
10. Wait for the sendWindows.sh script to finish.
   Because Index Management refreshes the statistics every hour, you need to wait one hour to see any modifications to the statistics. To view the data for the indexed property used in the search, perform the following steps:
11. In the QRadar user interface, click the Admin tab.
12. Click the Index Management icon.
13. Verify that the AccountName property now includes statistics for the indexed property.
14. Close the Index Management window.

Task 3 Create and index a custom property

1. In the QRadar user interface, double-click the Log Activity tab.
2. In the Quick Filter search field, enter "Logon Type".
   Hint: Be sure to include the quotation marks.
3. From the View list, select Last 30 minutes.
4. Double-click the first event in the search results list.
5. In the Event Details window on the toolbar, click Extract Property.
   The Custom Event Property Definition window opens.
6. Create a new property using the values shown in the following table.

   Table 2.
   Field / Option        Value
   New Property          WinLogonType
   Description           Windows log on type value.
   Category              <Enable>
   High Level category   Any (Enable Category first)
   Low Level category    Any
   RegEx                 Logon\sType:.*?(\d{1,2})
   Capture Group         1
   All other fields      <Keep the default values>

7. Verify that your configuration looks like the one in the following screen capture.
8. Click Save.
9. In the QRadar user interface, click the Admin tab.
10. Click the Index Management icon.
11. Search for the WinLogonType property.
12. Right-click WinLogonType and click Enable Index.
13. Click Save.
14. Click OK.
   Note: You can use the new property in searches and reports by default.

Unit 11 Using Dashboards exercises

QRadar SIEM displays the Dashboard tab when you sign in. The exercise in this unit teaches how to create a new dashboard and add items to the dashboard.

Exercise 1 Creating a new dashboard

To create a new dashboard and add items to the dashboard, perform the following steps:

1. Navigate to the Dashboard tab.
2. Click the New Dashboard button.
3. For Name, enter My Own Dashboard
4. For Description, enter Demonstration Dashboard
5. Click OK.
   Note: A new custom dashboard is empty by default. Therefore, add items to the dashboard.
6. To add items to the new dashboard, from the Add Item list, select the following items:
   a. Offenses > Offenses > Most Severe Offenses
   b. Log Activity > Event Searches > Top Services Denied through Firewalls
   c. Log Activity > Event Searches > Event Rate (EPS)
7. Drag the items to an empty spot on the dashboard.
8. Click the Refresh icon to update the window.
9. Verify that the dashboard includes an offense item and two log events items. Depending on where you positioned the items, your dashboard looks similar to the following screen capture.

Unit 12 Creating reports exercises

Exercise 1 Viewing an existing report

QRadar SIEM includes over 100 ready-to-use reports. Perform the following steps to view the configuration and run a report provided by QRadar SIEM:

1. In the QRadar user interface, navigate to the Reports tab.
2. To display all the reports, disable the Hide Inactive Reports check box.
3. From the Group drop-down list, scroll down and select the Security group.
4. In the Search Reports field, type Daily Top and click the Search Reports icon to filter the report list.
5. Select Daily Top Targeted Hosts.
6. From the Actions drop-down list on the Reports toolbar, select Run Report.
7. While the report is generating, examine the report. What groups contain the Daily Top Targeted Hosts report?
   ________________________________________________________________________
8. Double-click the Daily Top Targeted Hosts report.
   The Report Wizard opens.
9. Click Next until you see the Specify Report Contents page.
   Note: This report has two containers. Each container defines the data to present in that section of the report.
10. Click Define in the top container.
   The top container details page opens.
   a. What is the name of the event search that generates the data in the top container?
   ________________________________________________________________________
   b. What is the graph type?
________________________________________________________________________ c. What parameters are graphed on the X and Y axes? ________________________________________________________________________ 11. Click Cancel to exit the top container details page. 12. Click Define in the bottom container. The bottom container details page opens. What is the name of the event search that generates the data in the bottom container? ________________________________________________________________________ © Copyright IBM Corp. 2017 Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 51 V7.0 Unit 12 Creating reports exercises Exercise 2 Creating a new event report Uempty d. What parameters are graphed on the X and Y axes? ________________________________________________________________________ 13. Click Cancel to exit the bottom container details page. 14. Click Next twice. Note that the report format is PDF. 15. Click Cancel to exit the Report wizard. 16. On the Reports tab, click the Refresh icon to update the status of the generation of the Daily Top Targeted Hosts report. 17. When the report generates content, click the PDF icon in the Formats column to view the report. 18. Clear the report filters. a. On the Reports tab, from the Group drop-down list, select Reporting Groups. b. Clear the Search Report field. Exercise 2 Creating a new event report QRadar SIEM uses saved searches to create reports. To use an existing search to create a report, perform the following steps: 1. From the Actions drop-down list on the Reports toolbar, select Create. 2. To bypass the Welcome to Reports page, click Next. © Copyright IBM Corp. 2017 Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 52 V7.0 Unit 12 Creating reports exercises Exercise 2 Creating a new event report Uempty 3. 
In the “This report should be scheduled to generate” pane, select the Daily option and the check boxes for Monday through Friday. 4. Click Next. 5. On the Choose a Layout page, from the Orientation drop-down list, select Landscape. © Copyright IBM Corp. 2017 Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 53 V7.0 Unit 12 Creating reports exercises Exercise 2 Creating a new event report Uempty 6. Click the single-container layout. 7. Click Next. 8. On the Specify Report Contents page, in the Reports Title field, type Top Log Sources. 9. In the Chart Type drop-down list, select Events/Logs. Note: A white background on the Chart Type container indicates that the container is not configured. 10. Configure the Container Details as shown in the following table. Field / Option Setting Type Chart Title Today’s Top Log Sources Limit the Events/Logs to Top 10 Graph Type Stacked Line Saved Searches Top Log Sources Horizontal (X) Axis Time Vertical (Y) Axis Event Count (Sum) Timeline Interval 1 Minute © Copyright IBM Corp. 2017 Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 54 V7.0 Unit 12 Creating reports exercises Exercise 2 Creating a new event report Uempty 11. Verify that the container details are configured as shown in the screen capture. (need screen capture) 12. Click Save Container Details. © Copyright IBM Corp. 2017 Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 55 V7.0 Unit 12 Creating reports exercises Exercise 3 Creating a new search and report Uempty Note: After saving the container details, the background color of the container is green. The green color indicates that the container is configured. 13. Click Next twice. 14. On the Report Format page, select HTML and PDF. 15. Click Next until the Finishing Up page displays. 16. 
16. In the Report Description field, type the following text: The Daily Top Log Sources report lists the top ten log sources by event count.
17. Verify that the Yes - Run this report when the wizard is complete check box is enabled.
18. Click Next.
19. Click Finish.
20. Click the Refresh icon to update the status of the generation of the Top Log Sources report.
21. View the Next Run Time column for the Top Log Sources report.
    Note: The Next Run Time column shows the status of the report generation. If the status is Generating, it also provides an estimated time to finish generating the report. When the report generates content, the Next Run Time column shows when the next report runs.
22. When the report generates content, click the PDF icon in the Formats column to view the report.

Exercise 3 Creating a new search and report

The Unit 8 Using rules exercises on page 25 created an offense when a terminated employee user ID successfully logs in to a system. The company requires that the compliance officer receives a daily report of the login activity of terminated employee user IDs. This exercise creates a report of user logins of the terminated employees.
In this exercise, you perform the following tasks:
• Create a search for terminated user login activity
• Create a terminated user login activity report

Task 1 Creating a search of terminated user login activity

This task creates two searches: a list of terminated users who accessed the systems, and a list of terminated user logins by IP address.
To create a search of terminated user login activity, perform the following steps:
1. In the QRadar user interface, navigate to the Log Activity tab.
2. From the View drop-down list, select Last 3 Hours.
3. Add a filter using the following steps:
    a. Click Add Filter on the toolbar.
    b. In the first drop-down list, select the Custom Rule search parameter.
    c. In the second drop-down list, select Equals.
    d. In the Rule Group drop-down list, select Authentication.
    e. For Rule, select BQX Watchlist User Activity.
    f. Click Add Filter.
4. Group the search results by user name. From the Display drop-down list, select Username.
5. Save the search criteria.
    a. On the Log Activity toolbar, click Save Criteria.
    b. In the Search Name field, type BQX Watchlist User Logins by Username.
    c. Assign the search to the Authentication, Identity and User Activity group.
6. Verify that the search criteria look similar to those in the screen capture.
7. Click OK.
8. Create a search of terminated user login activity by source IP.
    a. From the Search drop-down list on the Log Activity tab toolbar, select New Search.
    b. In the Type Saved Search field, type BQX.
    c. Select the BQX Watchlist User Logins by Username saved search.
    d. Click Load.
    e. Format the columns in the search results. Group the search results first by Source IP and then by user name. Include Start Date and Start Time in the search results. Order the search results by Count in descending order.
        i. Scroll down to the Column Definition pane.
        ii. In the Columns list, select Source IP. Click the Remove icon to move Source IP to the Available Columns list.
           Hint: The Remove icon looks similar to the one in the screen capture.
        iii. In the Available Columns list, select Source IP. Click the Add icon to move Source IP to the Group By list.
        iv. In the Group By list, select Source IP. Click the Move up icon to move Source IP to the top of the Group By list.
        v. In the Columns list, select all fields. Click the Remove icon to move the fields to the Available Columns list.
        vi. In the Available Columns list, select Start Date.
        vii. Click the Add icon to move Start Date to the Columns list.
        viii. In the Available Columns list, select Start Time.
        ix. Click the Add icon to move Start Time to the Columns list.
        x. In the Order By list, select Count and Desc.
        The Column Definition pane looks similar to the one in the screen capture.
    f. Click Search.
9. Save the search criteria.
    a. On the Log Activity toolbar, click Save Criteria.
    b. In the Search Name field, type BQX Watchlist User Logins by IP.
    c. Assign the search to the Authentication, Identity and User Activity group.
    d. Click OK.

Task 2 Creating a terminated user login activity report

To create a report that shows terminated user login activity, perform the following steps:
1. In the QRadar user interface, navigate to the Reports tab.
2. From the Actions drop-down list, select Create.
3. To bypass the Welcome to Reports page, click Next.
4. In the This report should be scheduled to generate pane, select Manually.
5. On the Choose a Layout page, from the Orientation drop-down list, select Landscape.
6. Select the two-container layout.
7. Click Next.
8. On the Specify Report Contents page, for Report Title enter the following text: Terminated users logins
9. In the top container, from the Chart Type drop-down list, select Events/Logs.
10. Configure the Container Details as shown in the following table:
    Field / Option              Setting
    Chart Title                 Terminated users logins
    Limit the Events/Logs to    Top 10
    Graph Type                  Bar
    Manually Scheduling         From: the date and time 24 hours earlier than the current date and time of the QRadar SIEM server.
                                To: the current date and time of the QRadar SIEM server.
    Saved Searches              BQX Watchlist User Logins by Username
    Horizontal (X) Axis         Username
    Vertical (Y) Axis           Count

    Hint: To determine the date and time of the QRadar VM, run the following command in the remote shell:
    date

11. Verify that the container details look similar to those in the screen capture.
    Note: When you schedule a report manually, you can specify a time period that guarantees that the generated report has data. The data for this report was generated earlier today during a previous student exercise. Remember that hourly, daily, weekly, and monthly reports use data from a specific time period. During initial testing, enter a manual schedule. You can change the report schedule to daily at a later time.
12. Click Save Container Details.
13. In the bottom container, from the Chart Type drop-down list, select Events/Logs.
14. Configure the Container Details as shown in the following table:

    Field / Option              Setting
    Chart Title                 Terminated user login by IP
    Limit the Events/Logs to    Top 10
    Graph Type                  Table
    Manually Scheduling         Use the values listed for the top container
    Saved Searches              BQX Watchlist User Logins by IP

15. Click Save Container Details.
16. Click Next twice.
17. On the Report Format page, select HTML and PDF.
18. Click Next until the Finishing Up page opens.
    a. In the Report Description field, type the following text: Terminated user login by username and IP address.
    b. Assign the report to the Security group.
    c. Verify that the Yes - Run this report when the wizard is complete check box is enabled.
19. Click Finish.
20. Click the Refresh icon to update the status of the generation of the report.
21. When the report generates content, click the PDF icon in the Formats column to view the report.
    The report looks similar to the one in the screen capture.

Unit 13 Using filters exercises

This unit has no student exercises.

Unit 14 Using AQL for advanced searches exercises

The Ariel Query Language (AQL) is a structured query language that you use to communicate with the Ariel databases. Use AQL to query, filter, and perform actions on events and flows. AQL is used for advanced searches to retrieve data that might not be easily accessible from the user interface. This provides extended functionality to the search and filtering capabilities in QRadar.
The following diagram shows the flow of an AQL query.
In this lab's exercises, you learn how to use AQL in advanced searches from the QRadar user interface.
You can also refer to the Ariel Query Language Guide: http://public.dhe.ibm.com/software/security/products/qradar/documents/7.3.0/en/b_qradar_aql.pdf
Important: We recommend that you use this Ariel Query Language Guide during this lab for a better understanding of the product.

Exercise 1 Sending Windows events to QRadar SIEM

In this exercise, you send raw events from a Microsoft Windows authentication server to QRadar SIEM.
1. Open a remote shell to the QRadar VM. Use the procedure as outlined in Running commands on the QRadar VM on page vii.
2. To feed prepared syslog messages to QRadar, run the following commands:
   cd /labfiles
   ./sendWindows.sh
   Keep the script running during this lab.
3. To watch the incoming events, double-click the Log Activity tab in the QRadar user interface. The double-click resets the tab to its default settings.
4. To pause the incoming events, click the pause icon in the upper-right corner of the QRadar user interface. Observe the incoming events.
Now you can start performing advanced searches.

Exercise 2 Using the Select statement

You can perform advanced searches on the Log Activity tab and the Network Activity tab. An AQL query begins with a SELECT statement that lists the columns to return (or * for all default columns), followed by a FROM clause that names the data source, events or flows.
Note: Long AQL statements are more readable when broken into multiple lines. The Advanced Search field shows only one line by default, so it is best practice to enlarge it so that you can see more than one line.
1. Go to the Log Activity tab and, using the drop-down list, switch from Quick Filter, which is the default setting, to Advanced Search.
2. Drag the right side of the Search field down to enlarge it. Enter SELECT * FROM events and click the Search button on the right.
3. As the result of your search, a table with all of the default fields containing the data of the matching events from the last 5 minutes is displayed. In the next steps, you modify the column list of the SELECT statement.
4. Run these queries:
    a. SELECT sourceip, destinationip, username FROM events
       In the column list of the SELECT statement, you specify the columns shown in the search results.
    b. SELECT sourceip AS 'SRC IP', destinationip AS 'DST IP' FROM events
       You can specify an alias for a column with an AS 'Column Name' expression, using single quotes.
    c. SELECT * FROM flows
       This query leads to an error because you cannot search for flow data from the Log Activity tab. Likewise, you cannot search for event data from the Network Activity tab.

Exercise 3 Using clauses to narrow a search

You can use clauses to add search conditions to an AQL query.
A search condition is a combination of logical and comparison operators that together perform a test. Only those input rows that pass the test are included in the result.
Note: Break long AQL statements into multiple lines to improve readability. To start a new line in the Advanced Search field, press Shift+Enter.
Test some examples of how to use clauses.
1. WHERE clause: Search for events where the username is 'nina'. Here an exact match is necessary. The WHERE clause can be combined with the LAST clause.
   LAST clause: This limits the time frame of the search. The unit can be DAYS, HOURS, or MINUTES. The syntax is shown in the next example.
   Go to the Log Activity tab and enter the following expression in the Advanced Search field:
   SELECT sourceip, destinationip, username FROM events WHERE username = 'nina' LAST 3 HOURS
2. LIKE clause: Use this clause to retrieve partial string matches from the Ariel database. For example, to search for user names that contain the string nina, use the LIKE clause with the pattern '%nina%'. Use single quotes and the % character, which acts as a wildcard that matches a string of zero or more characters. Therefore, the nina string can be anywhere in the user name. Note that LIKE is case-sensitive; 'Nina' does not match '%nina%'. AQL also provides ILIKE for a case-insensitive match.
   Enter the following expression in the Advanced Search field:
   SELECT sourceip, destinationip, username FROM events WHERE username LIKE '%nina%' LAST 6 HOURS
3. LIMIT clause: To reduce the number of events displayed, use the LIMIT clause. Perform the following search:
   SELECT * FROM events LIMIT 50
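The clauses from steps 1 to 3 can be combined in one query. The following query is an added example written for this editing pass; it is not part of the course material. Beyond the clauses covered in the steps above, it uses two items from the Ariel Query Language Guide: ILIKE, the case-insensitive form of LIKE, and START/STOP, which fix the search window to explicit timestamps instead of a LAST interval. The timestamps and the eventdirection filter are assumed values for this lab, not something the course asks you to run.

```sql
-- Added example, not from the course material.
-- Partial, case-insensitive match on the user name (LIKE is case-sensitive,
-- ILIKE is not), restricted to remote-to-local traffic, with an explicit time
-- window instead of LAST and a cap on the rows returned.
-- String literals use single quotes; % matches zero or more characters.
-- START/STOP take timestamps in the form 'yyyy-MM-dd HH:mm'; the window and
-- the eventdirection value are assumptions for this lab.
SELECT sourceip, destinationip, username
FROM events
WHERE username ILIKE '%nina%'
  AND eventdirection = 'R2L'
LIMIT 50
START '2017-10-02 08:00'
STOP '2017-10-02 17:00'
```

Run it from the Log Activity tab with Advanced Search selected. If it returns nothing, widen the START/STOP window to cover the time at which the sendWindows.sh script from Exercise 1 was running, or replace the two lines with LAST 6 HOURS; the LIMIT applies after the WHERE and time-window filtering, so it never hides matches that fall outside the window.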
4. ORDER BY clause: Use this clause to sort the results by a column. You can sort in ascending or descending order by using ASC or DESC. Perform the following query:
   SELECT username, sourceip, destinationip FROM events WHERE username IS NOT NULL ORDER BY username DESC LAST 1 HOURS

Exercise 4 Using functions and operators

AQL provides a large variety of functions and operators. Combined with the basic elements that you discovered in the previous exercises, they provide powerful search capabilities. This exercise provides a couple of useful scenarios for AQL queries and describes the functions and operators they use. You can use the Ariel Query Language Guide mentioned at the beginning of this lab for additional information.
Important: If the sendWindows.sh script that you started in Exercise 1 has finished, run it again.
1. UTF8(payload) function: This function returns the raw event payload, decoded as UTF-8 text, as a column of the query result. Double-click the Log Activity tab to refresh the view. Then enter the following expression in the Advanced Search field:
   SELECT UTF8(payload) FROM events LIMIT 100
2. It can be useful to export the results of a search for external use. Not every person in your organization has access to QRadar, but they might need the data that you generated with your search. To export, click the Actions drop-down list and select Export to CSV or Export to XML.
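The functions in this exercise become most useful when combined with GROUP BY and aggregates such as UNIQUECOUNT, which step 4 of this exercise introduces. The following query is an added example written for this editing pass, not part of the course material. It lists source addresses that produced many failed logins against many different accounts in the last day, the pattern of a password-spraying attack. It uses three lookup functions documented in the Ariel Query Language Guide: CATEGORYNAME, which resolves the numeric low-level category to its name; LOGSOURCENAME, which resolves a log source ID; and DATEFORMAT, which turns the epoch-millisecond starttime into a readable timestamp. The thresholds (20 failures, 5 accounts) are assumed values.

```sql
-- Added example, not from the course material.
-- Source addresses with many failed logins against many distinct accounts in
-- the last 24 hours (password spraying). COUNT counts events, UNIQUECOUNT
-- counts distinct values, HAVING filters the grouped rows by their aliases,
-- and DATEFORMAT makes the epoch-millisecond timestamps readable.
-- 'User Login Failure' is the low-level category name for failed logins;
-- the thresholds are assumed values, tune them to your own data.
SELECT sourceip,
       COUNT(*) AS 'Failures',
       UNIQUECOUNT(username) AS 'Accounts',
       UNIQUECOUNT(logsourceid) AS 'Log sources',
       DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS 'First seen',
       DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS 'Last seen'
FROM events
WHERE CATEGORYNAME(category) = 'User Login Failure'
  AND username IS NOT NULL
GROUP BY sourceip
HAVING "Failures" > 20 AND "Accounts" > 5
ORDER BY "Failures" DESC
LAST 24 HOURS
```

Aliases defined with AS are referenced in double quotes in HAVING and ORDER BY. The same shape with CATEGORYNAME(category) = 'User Login Success' and HAVING "Accounts" > 1 shows addresses that logged in successfully as several different users, which is the follow-up question an analyst asks once spraying is confirmed. Compare the Failures and Accounts columns to see the difference between COUNT and UNIQUECOUNT that step 4 asks about.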
3. You might want to search for the last user of the asset with the IP address 10.2.113.34. To do so, use the ASSETUSER function, which returns the user of an asset at a given time, and the NOW function, which returns the current time. Perform the following query:
   SELECT sourceip, destinationip, ASSETUSER(sourceip, NOW()) AS 'User' FROM events WHERE sourceip = '10.2.113.34' LAST 1 HOURS
4. You want to know how many different source IP addresses refer to each user name. To gather this information, use the UNIQUECOUNT function. Perform the following search:
   SELECT username, UNIQUECOUNT(sourceip) FROM events GROUP BY username LAST 2 HOURS
   What is the outcome when you use the COUNT function instead of UNIQUECOUNT?
5. How can you find out whether a specific IP address has been involved in an offense in the last 3 hours? Use the hasoffense field:
   SELECT * FROM events WHERE sourceip = '192.168.8.69' AND hasoffense = 'TRUE' LAST 3 HOURS
6. Do not forget to save your work. An AQL query performed in the Advanced Search field can be stored like any other search or filter within QRadar. Use the Save Criteria function, and optionally include the search in your Quick Searches or share it with everyone.

Exercise 5 Ready for a challenge?

Write AQL queries to solve the problems below. Generally, use the last 3 days as the search period to cover all units and exercises that you dealt with in this course.
Hint: Use the AQL Guide. Take a look at Custom properties in AQL queries, Reference data query examples, and AQL date and time formats.
1. Search for flows that contributed to an offense.
    a. What is the status of the corresponding offense?
    b. Why don't you see this offense in the list of All Offenses when you double-click the Offenses tab?
2. Remember the custom property that you created in the Unit 10 exercise. Search for events from the last 3 days where the value of the custom property WinLogonType is not empty.
    a. Display WinLogonType, sourceip, and the qid of the event.
    b. Group the results by WinLogonType.
    c. What do the WinLogonTypes have in common?
3. Use the reference set 'Exercise: User Watchlist' that you used in the Unit 8 exercise (rules) in an advanced search. Search for events where elements of this reference set appear as the user name in the event.
    a. Display username, sourceip, and starttime of the matching events, and group them by username.
    b. What is the starttime, and is the format of the displayed value helpful?
4. Modify the AQL statement from the last task so that the value for starttime becomes readable for humans.
    a. Sort starttime in ascending order.

Unit 15 Analyze a real-world large-scale attack exercises

In this exercise, you investigate the Target breach to find potential improvements that could have avoided the nightmare scenario.

Exercise 1 Investigate the Target kill chain timeline

Look at the kill chain timeline and investigate the different events that were not properly treated as incidents in the organization, as well as other facts that did not comply with IT policy.
These incidents and facts include the following information:
• Third-party/vendor laptop device
• Network breaches
• Software/malware installation on POS systems
• Data exfiltration

Exercise 2 Suggest improvements

Based on the covered Security Intelligence and other security domain capabilities, suggest different courses of action for the following individual situations.
1. Third-party/vendor laptop device
_____________________________________________
_____________________________________________
_____________________________________________
_____________________________________________
2. Network breaches
_____________________________________________
_____________________________________________
_____________________________________________
_____________________________________________
3. Software/malware installation on POS systems
_____________________________________________
_____________________________________________
_____________________________________________
_____________________________________________
4. Data exfiltration
_____________________________________________
_____________________________________________
_____________________________________________
_____________________________________________
Make some extra notes if you can think of any additional areas of improvement.