
QRadar Tasks

Trillium Information Security Systems
IBM QRadar
Tasks List
Table of Contents
INTRODUCTION ..... 4
WEEK 1 ..... 5
  Pre-Installation ..... 5
    Task - 01 Understanding QRadar Components ..... 5
    Task - 02 Understanding Sizing ..... 5
    Task - 03 Planning Network Hierarchy ..... 5
    Task - 04 Planning Log Source Integration ..... 5
    Task - 05 Planning Flow Source Integration ..... 5
WEEK 2 ..... 5
  Installation ..... 5
    Task - 01 Installation & Initial Configuration ..... 5
    Task - 02 License Management ..... 5
    Task - 03 Patching and Update Settings ..... 6
WEEK 3 ..... 6
  Configuration ..... 6
    Task - 01 Configuring Network Hierarchy ..... 6
    Task - 02 Configuring Users ..... 6
    Task - 03 Configuring External Storage ..... 6
    Task - 04 Configuring Log Sources ..... 6
    Task - 05 Configuring Flow Sources ..... 7
    Task - 06 Configuring Reference Set ..... 7
    Task - 07 Configuring Retention and Backup ..... 7
    Task - 08 Extracting Custom Properties ..... 7
WEEK 4 ..... 7
  Performance Tuning and Problem Determination ..... 7
    Task - 01 Tuning Rules and Building Blocks ..... 7
    Task - 02 Aggregated Data Management ..... 7
    Task - 03 Index Management ..... 8
    Task - 04 System Notifications ..... 8
Page 2 of 9
©Trillium Information Security Systems 2016. Contents are protected by copyright and cannot be reproduced in any
manner without the explicit written permission of TISS.
WEEK 5 ..... 8
  Administration ..... 8
    Task - 01 Report Schedules ..... 8
    Task - 02 Offense Investigation ..... 8
    Task - 03 Monitoring ..... 8
    Task - 04 Asset Management and Server Discovery ..... 8
Introduction
This document lists the tasks related to IBM QRadar for starters. These tasks and activities lay down the criteria on which evaluations of IBM QRadar engineers will be carried out. The performance indicators used in this document are:
- Internal Demonstrations
- Reports and Documentation
Week 1
Pre-Installation
Task - 01 Understanding QRadar Components
Description:
• Describe the different QRadar components that make up a distributed deployment - hardware or virtual machine, flow collector, event processor, etc.
Task - 02 Understanding Sizing
Description:
• Determine the sizing of the overall installation: how many devices are needed for the environment, how many events per second, how many flows per interval, geographical locations, etc.
Task - 03 Planning Network Hierarchy
Description:
• Plan the network hierarchy - identify the networks and CIDRs.
Task - 04 Planning Log Source Integration
Description:
• Plan log sources - decide which log sources to receive logs from.
Task - 05 Planning Flow Source Integration
Description:
• Plan for receiving flows (Layer 4 and Layer 7) - taps, port mirrors / SPAN ports, NetFlow.
Week 2
Installation
Task - 01 Installation & Initial Configuration
Description:
• Install the software and perform the initial configuration: ISO, DVD, USB, recovering an appliance from a USB storage device, setting up IP addresses, gateway, DNS and email server.
Task - 02 License Management
Description:
• Uploading the license key.
• Allocating the license to a system.
Task - 03 Patching and Update Settings
Description:
• Patching QRadar with the latest available patch.
• Updating DSMs and protocols, with or without an internet connection.
• Setting auto-update.
Week 3
Configuration
Task - 01 Configuring Network Hierarchy
Description:
• Configure the network hierarchy - determining the local network hierarchy.
Task - 02 Configuring Users
Description:
• Configure security profiles, user roles and users.
Task - 03 Configuring External Storage
Description:
• Configure external storage and backup.
Task - 04 Configuring Log Sources
Description:
• Network devices, Windows OSs, Linux OSs, etc.
• WinCollect agent installation on Windows hosts for OS log collection.
• File forwarder on Windows OSs using the WinCollect agent.
• File forwarder on Linux OSs using TailtoSysLog.
• Agentless collection (MSRPC, WMI, etc.).
• Log collection from databases (SQL Server, Oracle) using a JDBC connection.
• Log source extensions.
• Log source groups.
Task - 05 Configuring Flow Sources
Description:
• Configure different types of flow sources such as J-Flow, sFlow, NetFlow, Packeteer (QFlow), Napatech, etc.
Task - 06 Configuring Reference Set
Description:
• Manually creating a reference set.
• Creating a reference set by using a rule to collect user-specific data from the payload.
Task - 07 Configuring Retention and Backup
Description:
• Configure the retention period for events, flows and offenses.
• Configure data backup and configuration backup.
Task - 08 Extracting Custom Properties
Description:
• Extract custom properties from the payload using regex.
Week 4
Performance Tuning and Problem Determination
Task - 01 Tuning Rules and Building Blocks
Description:
• Manage rules and building blocks: custom rules, enabling or disabling rules, tuning building blocks, false positives.
• Using reference maps in rules.
Task - 02 Aggregated Data Management
Description:
• Administer aggregated data management - scenario: determining issues with report data.
Task - 03 Index Management
Description:
• Set up index management; determine which properties to index.
Task - 04 System Notifications
Description:
• Respond to system notifications for problem determination, system performance, hardware problems and dropped events.
Week 5
Administration
Task - 01 Report Schedules
Description:
• Set up report schedules - which reports should be run and on what basis.
Task - 02 Offense Investigation
Description:
• Navigate through offenses and their related events and flows; analyze offenses.
Task - 03 Monitoring
Description:
• Monitor network and log activity - filtering, searching, grouping and sorting, saving searches, creating dashboard widgets from searches, viewing audit logs, etc.
Task - 04 Asset Management and Server Discovery
Description:
• Asset management and server discovery - vulnerabilities, filtering, searching, grouping, sorting, saving searches on assets, importing, exporting.
Note: Documentation for each task is mandatory. Documentation includes a step-by-step guide/report for each task and may include a presentation at the end if required.