Trillium Information Security Systems
IBM QRadar Tasks List

Table of Contents

INTRODUCTION ... 4

WEEK 1 ... 5
Pre-Installation ... 5
Task - 01 Understanding QRadar Components ... 5
Task - 02 Understanding Sizing ... 5
Task - 03 Planning Network Hierarchy ... 5
Task - 04 Planning Log Source Integration ... 5
Task - 05 Planning Flow Source Integration ... 5

WEEK 2 ... 5
Installation ... 5
Task - 01 Installation & Initial Configuration ... 5
Task - 02 License Management ... 5
Task - 03 Patching and Update Settings ... 6

WEEK 3 ... 6
Configuration ... 6
Task - 01 Configuring Network Hierarchy ... 6
Task - 02 Configuring Users ... 6
Task - 03 Configuring External Storage ... 6
Task - 04 Configuring Log Sources ... 6
Task - 05 Configuring Flow Sources ... 7
Task - 06 Configuring Reference Set ... 7
Task - 07 Configuring Retention and Backup ... 7
Task - 08 Extracting Custom Properties ... 7

WEEK 4 ... 7
Performance Tuning and Problem Determination ... 7
Task - 01 Tuning Rules and Building Blocks ... 7
Task - 02 Aggregated Data Management ... 7
Task - 03 Index Management ... 8
Task - 04 System Notifications ... 8

Page 2 of 9 ©Trillium Information Security Systems 2016. Contents are protected by copyright and cannot be reproduced in any manner without the explicit written permission of TISS.

WEEK 5 ... 8
Administration ... 8
Task - 01 Reports Schedules ... 8
Task - 02 Offenses Investigation ... 8
Task - 03 Monitoring ... 8
Task - 04 Asset Management and Server Discovery ... 8

Introduction

This document describes the tasks related to IBM QRadar for starters. These tasks and activities lay down the criteria on which evaluations of IBM QRadar Engineers will be carried out. The performance indicators mentioned in this document are:

- Internal Demonstrations
- Reports and Documentation

Week 1
Pre-Installation

Task - 01 Understanding QRadar Components
Description:
• Describe the different QRadar components that make up a distributed deployment: hardware or virtual machine, flow collector, event processor, etc.

Task - 02 Understanding Sizing
Description:
• Determine the sizing of the overall installation: how many devices are needed for the environment, how many events per second, how many flows per interval, geographical locations, etc.

Task - 03 Planning Network Hierarchy
Description:
• Plan the network hierarchy: identify the networks and CIDRs.

Task - 04 Planning Log Source Integration
Description:
• Plan log sources: decide which log sources to receive logs from.

Task - 05 Planning Flow Source Integration
Description:
• Plan for receiving flows (Layer 4 and Layer 7): taps, port mirrors / SPAN ports, NetFlow.

Week 2
Installation

Task - 01 Installation & Initial Configuration
Description:
• Install the software and perform initial configuration: ISO, DVD, USB, recovering an appliance from a USB storage device, setting up IP addresses, gateway, DNS, email server.

Task - 02 License Management
Description:
• Uploading a license key.
• Allocating a license to a system.

Task - 03 Patching and Update Settings
Description:
• Patching QRadar with the latest available patch.
• Updating DSMs and protocols with or without an internet connection.
• Setting up auto-update.

Week 3
Configuration

Task - 01 Configuring Network Hierarchy
Description:
• Configure the network hierarchy: determining the local network hierarchy.

Task - 02 Configuring Users
Description:
• Configure security profiles, user roles and users.

Task - 03 Configuring External Storage
Description:
• Configure external storage and backup.

Task - 04 Configuring Log Sources
Description:
• Network devices, Windows OSs, Linux OSs, etc.
• WinCollect agent installation on a Windows host for OS log collection.
• File Forwarder on Windows OSs using the WinCollect agent.
• File Forwarder on Linux OSs using TailtoSyslog.
• Agentless collection (MSRPC, WMI, etc.).
• Log collection from databases (SQL Server, Oracle) using a JDBC connection.
• Log source extensions.
• Log source groups.

Task - 05 Configuring Flow Sources
Description:
• Configure different types of flow sources such as JFlow, sFlow, NetFlow, PACKETEER (QFlow), NAPATECH, etc.

Task - 06 Configuring Reference Set
Description:
• Manually creating a reference set.
• Creating a reference set by using a rule to collect user-specific data from the payload.

Task - 07 Configuring Retention and Backup
Description:
• Configure the retention period for events, flows and offenses.
• Configure data backup and configuration backup.

Task - 08 Extracting Custom Properties
Description:
• Extract custom properties from the payload using REGEX.

Week 4
Performance Tuning and Problem Determination

Task - 01 Tuning Rules and Building Blocks
Description:
• Manage rules and building blocks: custom rules, enabling or disabling rules, tuning building blocks, false positives.
• Using reference maps in rules.

Task - 02 Aggregated Data Management
Description:
• Administer aggregated data management (scenario-based). Determine issues with report data.

Task - 03 Index Management
Description:
• Set up index management; determine which properties to index.

Task - 04 System Notifications
Description:
• Respond to system notifications for problem determination: system performance, hardware problems, dropped events.

Week 5
Administration

Task - 01 Reports Schedules
Description:
• Set up report schedules: which reports should be run and on what basis.

Task - 02 Offenses Investigation
Description:
• Navigate through offenses and their related events and flows; analyze offenses.

Task - 03 Monitoring
Description:
• Monitor network and log activity: filtering, searching, grouping and sorting, saving searches, creating dashboard widgets from searches, viewing audit logs, etc.

Task - 04 Asset Management and Server Discovery
Description:
• Asset management and server discovery: vulnerabilities, filtering, searching, grouping, sorting, saving searches on assets, importing, exporting.

Note: Documentation for each task is mandatory. It consists of a step-by-step guide/report for each task and may include a presentation at the end if required.