Course Exercises
IBM Security QRadar SIEM
Administration
Course code BQ150 ERC 1.3

IBM Training
Licensed to Anim M for class on 5/29/2018
August 2016 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2016.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents
About these exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Virtual machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Logging in to the client VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Logging in to the QRadar web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Running commands on the QRadar VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Unit 1 Auto Update exercises . . . . . . . . . . 1-1
This unit has no student exercises.

Unit 2 Backup and Recovery exercises . . . . . . . . . . 2-1
Exercise 1 Create an on-demand backup . . . . . . . . . . 2-1
Exercise 2 Add a user . . . . . . . . . . 2-1
Exercise 3 Create Offenses and Assets . . . . . . . . . . 2-3
Exercise 4 Recover the Initial backup . . . . . . . . . . 2-4

Unit 3 Index and Aggregated Data Management exercises . . . . . . . . . . 3-1
Exercise 1 Manage indexes . . . . . . . . . . 3-1
Exercise 2 Use the Aggregated Data Management tool . . . . . . . . . . 3-7

Unit 4 Network Hierarchy exercises . . . . . . . . . . 4-1
Exercise 1 Create a Network Hierarchy object . . . . . . . . . . 4-1
Exercise 2 View Network Hierarchy objects in flows . . . . . . . . . . 4-2

Unit 5 System Management exercises . . . . . . . . . . 5-1
Exercise 1 Collect logs from a QRadar managed host . . . . . . . . . . 5-1

Unit 6 License Management exercises . . . . . . . . . . 6-1
This unit has no student exercises.

Unit 7 Deployment Actions exercises . . . . . . . . . . 7-1
This unit has no student exercises.

Unit 8 High Availability management exercises . . . . . . . . . . 8-1
This unit has no student exercises.

Unit 9 System Health and Master Console exercises . . . . . . . . . . 9-1
Exercise 1 Review data in the System Health tool . . . . . . . . . . 9-1

Unit 10 System Settings and Asset Profiler Configuration exercises . . . . . . . . . . 10-1
This unit has no student exercises.

© Copyright IBM Corp. 2016 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 11 Custom Offense Close Reasons exercises . . . . . . . . . . 11-1
This unit has no student exercises.

Unit 12 Store and Forward exercises . . . . . . . . . . 12-1
This unit has no student exercises.

Unit 13 Reference Set Management exercises . . . . . . . . . . 13-1
Exercise 1 Create a Reference Set . . . . . . . . . . 13-1
Exercise 2 Import data to a Reference Set . . . . . . . . . . 13-2
Exercise 3 Use a Reference Set in rules . . . . . . . . . . 13-4

Unit 14 Centralized Credentials Exercises . . . . . . . . . . 14-1
Exercise 1 Add a Centralized Credentials Set . . . . . . . . . . 14-1

Unit 15 Forwarding Destinations exercises . . . . . . . . . . 15-1
Exercise 1 Add Forwarding Destinations . . . . . . . . . . 15-1
Exercise 2 Use the Forwarding destinations in a rule . . . . . . . . . . 15-3

Unit 16 Routing Rules exercises . . . . . . . . . . 16-1
This unit has no student exercises.

Unit 17 Domain Management exercises . . . . . . . . . . 17-1
Exercise 1 Create a Log Source Group . . . . . . . . . . 17-1
Exercise 2 Create a Domain . . . . . . . . . . 17-2
Exercise 3 Use DomainA in a Network Hierarchy object . . . . . . . . . . 17-3
Exercise 4 Use DomainA in a Security Profile . . . . . . . . . . 17-5
Exercise 5 Create a User Role for DomainA . . . . . . . . . . 17-6
Exercise 6 Create a user account for DomainA . . . . . . . . . . 17-6

Unit 18 Users, User Roles, and Security Profiles exercises . . . . . . . . . . 18-1
Exercise 1 Create a user role . . . . . . . . . . 18-1
Exercise 2 Create a security profile . . . . . . . . . . 18-1
Exercise 3 Create a user account . . . . . . . . . . 18-3

Unit 19 Authentication exercises . . . . . . . . . . 19-1
This unit has no student exercises.

Unit 20 Authorized Services exercises . . . . . . . . . . 20-1
This unit has no student exercises.

Unit 21 Custom Asset Properties exercises . . . . . . . . . . 21-1
This unit has no student exercises.

Unit 22 WinCollect exercises . . . . . . . . . . 22-1
This unit has no student exercises.

Unit 23 Log Sources Exercises . . . . . . . . . . 23-1
Exercise 1 Add a Log Source manually . . . . . . . . . . 23-1
Exercise 2 Search for events from a deleted Log Source . . . . . . . . . . 23-2

Exercise 3 Assign a Log Source . . . . . . . . . . 23-4

Unit 24 Log Source Extensions Exercises . . . . . . . . . . 24-1
Exercise 1 Add a Log Source Extension . . . . . . . . . . 24-1
Exercise 2 Edit a Log Source Extension . . . . . . . . . . 24-2
Exercise 3 Delete a Log Source Extension . . . . . . . . . . 24-2

Unit 25 Log Source Groups Exercises . . . . . . . . . . 25-1
Exercise 1 Add a Log Source Group . . . . . . . . . . 25-1
Exercise 2 Delete a Log Source Group . . . . . . . . . . 25-3

Unit 26 Log Source Parsing Ordering exercises . . . . . . . . . . 26-1
This unit has no student exercises.

Unit 27 Custom Properties exercises . . . . . . . . . . 27-1
Exercise 1 Disable and enable a custom property . . . . . . . . . . 27-1
Exercise 2 Delete a custom property . . . . . . . . . . 27-2

Unit 28 Event and Flow Retention exercises . . . . . . . . . . 28-1
This unit has no student exercises.

Unit 29 Flow Sources exercises . . . . . . . . . . 29-1
Exercise 1 Filter packages with destination ports 22 and 443 . . . . . . . . . . 29-1

Unit 30 Flow Sources Aliases exercises . . . . . . . . . . 30-1
This unit has no student exercises.

Unit 31 VA Scanners exercises . . . . . . . . . . 31-1
Exercise 1 Add a scanner . . . . . . . . . . 31-1
Exercise 2 Update the scan results file modification date . . . . . . . . . . 31-3
Exercise 3 Schedule a scan . . . . . . . . . . 31-3

Unit 32 Remote Networks and Services exercises . . . . . . . . . . 32-1
This unit has no student exercises.


About these exercises

Virtual machines
The lab environment uses the following virtual machines (VMs):
• QRadar® - a virtual machine running IBM® Security QRadar on Red Hat Enterprise Linux.

• Client - a virtual machine running a graphical user interface. For the exercises, you will use one
or more of the following installed software applications:

– Mozilla Firefox
– OpenSSH client or PuTTY

Logging in to the client VM

To log in to the client VM, perform the following steps:
1. For Username, enter root.

2. Press Enter or click Log In.

3. For Password, enter object00.

4. Press Enter or click Log In.

Logging in to the QRadar web interface
To log in to the QRadar web interface, perform the following steps:
1. Double-click the Firefox icon on the desktop of the client VM.

Alternatively, you can click the Firefox icon in the main menu of the desktop. To open the main
menu, click Computer in the very left of the bottom panel of the desktop.

2. The browser starts and loads the login page of QRadar. The Username and Password fields
should already be populated. If they are not populated, for the Username, enter admin, and for
the Password, enter object00.

3. Click Login To QRadar.

Running commands on the QRadar VM
To establish an SSH session with the QRadar VM, perform the following steps:
1. Double-click the Terminal icon on the desktop of the client VM.

2. To establish an SSH session with the SSH service running on the QRadar VM, run the
OpenSSH client in the terminal window:
ssh 192.168.10.10

3. If the OpenSSH client prompts you to confirm the authenticity of the remote host, enter yes.

4. For password, enter object00.

5. Instead of the OpenSSH client in the terminal, you can use PuTTY. To start PuTTY, double-click
the PuTTY SSH Client icon on the desktop.

6. In PuTTY, double-click the session with the name QRadar to establish an SSH session to the
QRadar VM.

7. For login as, enter root.

8. For password, enter object00.

Unit 1 Auto Update exercises
This unit has no student exercises.

Unit 2 Backup and Recovery exercises
These exercises introduce you to the Backup and Recovery admin tool in QRadar SIEM 7.2.5.
Make sure you have access to the QRadar SIEM 7.2.5 server and the Student client.

Exercise 1 Create an on-demand backup

1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Backup and Recovery icon in the System
Configuration section.

5. In the Backup Archives window, click On Demand Backup in the options toolbar.
a. For Name, enter Initial.

b. For Description, enter Exercise.

c. Click Run Backup.

d. Click OK.

6. Wait for the Initial backup to finish and display in the Existing Backups list.

Exercise 2 Add a user

1. In the User Management section, click the Users icon.

2. In the User Management window, click New.

3. In the User Details window, enter the values shown in the following table.

Field              Value
Username           Exercise
E-mail             exercise@company.org
Password           <any password>
Confirm Password   <same as Password field>
Description        Exercise user that will be removed when the initial backup is recovered
User Role          Admin

Note: Use any password you like.

4. Click Save and then Close.

5. Close the User Management window.

6. Click Deploy Changes.

Exercise 3 Create Offenses and Assets
1. Return to the desktop of the Student client.

2. On the Student machine desktop, double-click the PuTTY SSH Client icon.

3. In the PuTTY client window, select the QRadar Saved Session, and click Load.

4. Click Open in the PuTTY client.

5. In the PuTTY command line window, log in to the QRadar SIEM machine as root with
password object00.

6. On the command line, enter the following text:

service sendevents start

7. Log and flow records are generated in the background. Let the service run for about
5 minutes.

8. On the command line, enter the following text:

service sendevents stop

9. Click the Log Sources icon in the Data Sources section and verify that at least 20 log sources
are listed.

10. Navigate to the Assets tab and refresh the list. You notice a list of assets added since the initial
backup was made. Verify that at least 100 assets are listed.

11. Navigate to the Offenses tab and refresh the list. You notice a long list of offenses added since
the initial backup was created. Verify that at least nine offenses are listed.

Exercise 4 Recover the Initial backup
1. In the QRadar Console, navigate to the Admin tab and click the Backup and Recovery icon in
the System Configuration section.

2. Select the backup with the name Initial.

3. Click Restore in the options toolbar.

4. Select all the check boxes in the Restore backup window.

5. Click Restore and click OK.

6. Wait until the recovery process finishes, and click OK in the recovery result window.

Note: It takes approximately 15 minutes for the recovery process to complete.

7. Log in to the QRadar Console with username admin and password object00.

8. Navigate to the Admin tab.

9. Click Advanced, select Deploy Full Configuration from the menu, and wait until the
deployment finishes.

Note: You must log in to the QRadar interface again after the full deployment has completed.

10. Click the Users icon in the User Management section and verify that the user Exercise is
removed.

11. Click the Log Sources icon in the Data Sources section and verify that only one log source
remains.

12. Navigate to the Offenses tab. Verify that no offenses are listed.

13. Navigate to the Assets tab. Verify that two or three assets are listed.

Unit 3 Index and Aggregated Data Management exercises

Exercise 1 Manage indexes

In this exercise, you create an index for two properties. Then you use the indexed properties in
searches and observe how the statistics for the indexed properties are updated. Because time
does not allow the tool to collect index statistics, this exercise concentrates only on the behavior of
the tool.

Task 1 Enable an index and view indexed properties data

1. In the QRadar SIEM console, click the Admin tab.

2. Click Index Management.

The Index Management window opens.

3. Verify that some indexed properties have data-written values by sorting the Data Written
column in descending order.

Note: Management information for the indexed property updates every hour.

4. Right-click AccountName (custom) and click Enable Index.

5. Click Save.

6. Click OK.

Task 2 Use an indexed property in a search
1. On the Student machine desktop, double-click the PuTTY SSH Client icon.

2. Load the QRadar Saved Session and click Open.

3. Log in as root with password object00.

4. In the PuTTY CLI, type the following text:

cd /labfiles
./sendWindows.sh

5. In the QRadar SIEM console, double-click the Log Activity tab.

6. Modify the search by using Add Filter and the View list with the following criteria:
a. View the events from the last 30 minutes.

b. Add the AccountName (custom) [Indexed] is not N/A filter.

c. Add the Log Source is WindowsAuthServer @ 10.0.120.11 filter.

d. Edit the search.

i. In the columns definition pane, group the search results by AccountName (custom).

ii. For the Columns list, select only Event Name and Event Count.

iii. From the Order By list, select Event Count.

7. Click Search.

8. Verify that your search results look similar to the results in the following figure.

9. Click Save Criteria to save the search.

10. Save the search using the values shown in the following table.

Field / Option                 Value
Search Name                    Exercise:Report:Index management
Timespan options               Recent <enabled>; Last 15 minutes
Include in my Quick Searches   <enabled>

11. Verify that your saved search configuration looks like the one in the following figure.

12. Wait for the sendWindows.sh script to finish.

Because Index Management refreshes the statistics every hour, you must wait one hour to see any
modifications to the statistics. To view the data for the indexed property used in the search, perform
the following steps:

13. In the QRadar SIEM console, click the Admin tab.

14. Click Index Management.

15. Verify that the AccountName property now includes statistics for the indexed property.

16. Close the Index Management window.

Task 3 Create and index a custom property

1. In the QRadar SIEM console, double-click the Log Activity tab.

2. In the Quick Filter search field, enter "Logon Type".

Hint: Be sure to include the quotation marks.

3. From the View list, select Last 30 minutes.

4. Double-click the first event in the search results list.

5. In the Event Details window on the toolbar, click Extract Property.

The Custom Event Property Definition window opens.

6. Create a new property using the values shown in the following table.

Field / Option        Value
New Property          WinLogonType
Description           Windows log on type value.
Category              <Enable>
High Level category   Any (Enable Category first)
Low Level category    Any
RegEx                 Logon\sType:.*?(\d{1,2})
Capture Group         1
All other fields      <Keep the default values>

7. Verify that your configuration looks like the one in the following figure.

8. Click Save.

9. In the QRadar SIEM console, click the Admin tab.

10. Click Index Management.

11. Search for the WinLogonType property.

12. Right-click WinLogonType and click Enable Index.

13. Click Save.

14. Click OK.

Task 4 Verify that the indexed property is configured to use in searches or rules
1. In the QRadar SIEM console, double-click the Log Activity tab.

2. Click Add a Filter and use the following criteria:

a. Add the WinLogonType (custom) [Indexed] equals any of 3 filter.

b. View the events for the Last Hour.

Note: You can use the new property in searches and reports.

To use an indexed property in a rule, perform the following steps:

3. In the QRadar SIEM console, click the Offenses tab.

4. Click Rules.

5. Search for Rules starting with the string Exercise.

6. Edit the Exercise-Policy: Accounts under Surveillance rule and verify that you cannot
change the Username testable object to WinLogonType (custom).
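To check what the Task 3 regular expression actually captures before relying on it in the Task 4 filter, here is an added Python example that is not part of the course materials: it runs the WinLogonType pattern over constructed sample Windows logon payloads, applies the equivalent of the equals any of 3 filter, and compares the result with a stricter pattern that I added. Python's re module stands in for the Java regex engine QRadar uses; the constructs in this pattern behave the same in both.

```python
import re

# Regular expression exactly as configured for the WinLogonType custom event
# property in Task 3: skip (non-greedily) from the "Logon Type:" label to the
# first one- or two-digit number and capture it as group 1.
LOGON_TYPE_RE = re.compile(r"Logon\sType:.*?(\d{1,2})")
CAPTURE_GROUP = 1

# Stricter alternative (my addition, not from the course): the digits must
# follow the label directly, separated only by whitespace, and end at a word
# boundary, so stray digits later in the payload are never picked up.
STRICT_LOGON_TYPE_RE = re.compile(r"Logon\sType:\s*(\d{1,2})\b")

# Constructed sample payloads shaped like Windows Security logon events
# (not real captured data). They cover an interactive logon, a network logon
# with tabs between label and value, a RemoteInteractive logon (two digits),
# a logoff event with no Logon Type field, and a malformed event whose label
# is not followed by a number.
SAMPLE_PAYLOADS = [
    "An account was successfully logged on. Logon Type: 2 New Logon: Account Name: alice",
    "An account was successfully logged on. Logon Type:\t\t3 New Logon: Account Name: svc_backup",
    "An account was successfully logged on. Logon Type: 10 New Logon: Account Name: bob",
    "An account was logged off. Subject: Account Name: carol Logon ID: 0x3E7",
    "An account was successfully logged on. Logon Type: unknown Logon ID: 0x3E7",
]


def extract_logon_type(payload, pattern=LOGON_TYPE_RE):
    """Return the captured logon type as a string, or None when the pattern
    does not match (QRadar shows the custom property as N/A in that case)."""
    match = pattern.search(payload)
    if match is None:
        return None
    return match.group(CAPTURE_GROUP)


def filter_by_logon_type(payloads, wanted, pattern=LOGON_TYPE_RE):
    """Mirror the Task 4 filter 'WinLogonType (custom) equals any of <wanted>':
    keep only the payloads whose extracted value is one of the wanted values.
    Comparison is on strings because the capture group yields text."""
    wanted_values = {str(value) for value in wanted}
    return [p for p in payloads if extract_logon_type(p, pattern) in wanted_values]


def compare_patterns(payloads):
    """Return (course regex result, strict regex result) per payload.
    The two differ only on the malformed payload: the course regex scans past
    'unknown' and captures the leading '0' of the Logon ID, the strict one
    returns None, which is what an analyst would want to see as N/A."""
    return [
        (extract_logon_type(p, LOGON_TYPE_RE), extract_logon_type(p, STRICT_LOGON_TYPE_RE))
        for p in payloads
    ]


if __name__ == "__main__":
    for payload, (loose, strict) in zip(SAMPLE_PAYLOADS, compare_patterns(SAMPLE_PAYLOADS)):
        print(f"course={loose!s:>5}  strict={strict!s:>5}  {payload[:60]}")
    print("logon type 3 only:", filter_by_logon_type(SAMPLE_PAYLOADS, {3}))
```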

Task 5 Configure an indexed property to use in rules

1. In the QRadar SIEM console, click the Admin tab.

2. Click Custom Event Properties.

3. Double-click the WinLogonType property.

4. In the Property Definition window, enable the Optimize parsing for rules, reports, and
searches option.

5. Click Save.

6. Edit the Exercise: Policy: Accounts under Surveillance rule and change the
AccountName(Custom) testable object to WinLogonType (custom).

7. Verify that you can modify the testable object to WinLogonType.

Note: If you disable indexing for the WinLogonType property but keep parsing optimized for
rules, reports, and searches, you can continue to use the property in searches and rules.

8. Click Cancel twice and OK to close the Rule Wizard window.

Exercise 2 Use the Aggregated Data Management tool
This exercise introduces the Aggregated Data Management tool. Because time does not allow the
tool to collect data view statistics, this exercise concentrates only on the behavior of the tool.

Task 1 View search data in the Aggregated Data Management tool
1. In the QRadar SIEM console, click the Admin tab.

2. Click Aggregated Data Management.

The Aggregated Data Management window opens.

3. In the Quick Search field, enter Exercise and click the magnifying glass icon.

4. In the Display menu, try the available options.

5. Verify that you do not see any results.

Task 2 View time series data in the Aggregated Data Management tool
1. Double-click the Log Activity tab.

2. Open the Quick Searches menu and select Exercise:Report:Index Management - Last 15
Minutes.

3. Click any green gear wheel icon and change the Chart Type to Time Series.

4. Enable the Capture Time Series Data check box and click Save.

5. Repeat the steps in Task 1 of this exercise.

6. If you see a result, what is the Aggregated Data ID of the result? _______________

7. Use this ID to search the Aggregated Data View.

Task 3 View ADE rules in the Aggregated Data Management tool
1. Double-click the Log Activity tab.

2. Open the Quick Searches menu and select Exercise:Report:Index Management - Last 15
Minutes. Click Rules and then click Add Behavioral Rule.

3. Create an ADE Rule using the information shown in the following table.

Field / Option             Value
Name                       Exercise:ADE:Aggregated data
this accumulated property  Event Name (Unique Count)

4. Click Next and Finish to create the rule.

5. In the QRadar SIEM console, click the Admin tab.

6. Click Aggregated Data Management.

The Aggregated Data Management window opens.

7. Enter the Aggregated Data ID you found in Step 6 of Task 2 into the search field and click the
magnifying glass icon.

8. In the Display menu, try the available options.

9. Verify that all Display views show results, except for the Reports view.

Task 4 Report schedules, Aggregated Data Views, and their dependencies
1. Create a report using the information shown in the following table.

Field / Option     Value
Schedule           Manually
Orientation        Landscape and 1 container
Report Title       Exercise:AggrData
Chart Type         Events/Logs
Chart Title        Demo
Type Saved Search  Exercise:Report:Index Management

2. Save the Container Details and click Next and Finish until the report wizard exits.

3. In the QRadar SIEM console, click the Admin tab.

4. Click Aggregated Data Management.

The Aggregated Data Management window opens.

5. Enter the Aggregated Data ID you found in Step 6 of Task 2 into the search field and click
the magnifying glass icon.

6. In the Display menu, try the available options.

7. Verify that the Reports view shows no results.

8. Change the schedule of the Exercise:AggrData report to Daily: Monday to Friday.

Hint: Double-click the report, change the schedule in the Report Wizard, and then click Finish.

9. Repeat Step 3 to Step 6 of this task.

10. Verify that the Reports view shows results.

11. For every selectable report schedule, verify that the following statements are true:
– Manual schedules do not use Aggregated Data Views.
– Hourly schedules do not use Aggregated Data Views.
– Daily schedules use Aggregated Data Views.
– Weekly schedules use Aggregated Data Views.
– Monthly schedules use Aggregated Data Views.

Unit 4 Network Hierarchy exercises
These exercises are part of the Network Hierarchy module.

Exercise 1 Create a Network Hierarchy object

1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Network Hierarchy icon in the System Configuration
section.

5. Click Add.

6. In the Add Network window, click the green gear wheel icon.

7. For Name in the Add a new Group window, enter the following text: QRadar.Clients

8. Click Save.

9. In the Add Network window, enter the values shown in the following table.

Field        Value
Name         Student
Description  Exercise
IP/CIDR(s)   192.168.10.30

10. Make sure you click the plus icon to add the IP/CIDR(s) value to the object’s list.

11. Click Create.

12. Click Add.

13. In the Add Network window, click the green gear wheel icon.
The Add a new group window opens.

14. In the Name field, enter QRadar.Managed_Hosts.

15. Click Save.

16. In the Add Network window, enter the values shown in the following table.

Field        Value
Name         On_Premise
Description  Exercise
IP/CIDR(s)   192.168.10.20/32
             192.168.10.16/30
             192.168.10.12/30
             192.168.10.10/31

17. Click Create.

18. Close the Network Hierarchy window.

19. Click Deploy Changes.

20. Click Network Hierarchy.

21. Open the QRadar related nodes.

22. Verify that the Student and On_Premise Network Hierarchy objects are listed.

Exercise 2 View Network Hierarchy objects in flows
1. Double-click the Network Activity tab.

2. Wait until you see flow records with the IP address 192.168.10.10 or 192.168.10.30.

3. Hover the mouse over either of the IP addresses and review the Network field information.

4. To view the Network Hierarchy objects you created, click Add Filter.

5. In the Add Filter window, enter the values shown in the following table.

Field      Value
Parameter  Destination Network
Operator   Equals
Value      QRadar.Managed_Hosts


6. Click Add Filter.

7. Change the Display to Destination Network.

8. On the Student machine desktop, double-click the PuTTY SSH Client icon.

9. Load the QRadar Saved Session and click Open.

10. Log in as root with password object00.

11. In the PuTTY CLI, enter the following text:

cd /labfiles
./startPcap.sh

12. Wait for at least one minute.

13. Return to the QRadar Network Activity page.

14. Verify that no rows other than one with a Destination Network of On_Premise are listed.

15. Wait until the startPcap.sh script terminates.

16. Change the View to show the Last Hour.

17. Use the right-click option menu on the Destination IP column to apply Filter on Destination IP
is not 192.168.10.10.

18. Verify that you only see rows with Destination IP 192.168.10.12.

19. Hover the mouse over the Destination IP address and review the Network field information.

20. Navigate to the Admin tab and click the Network Hierarchy icon in the System Configuration
section.

21. Click the plus signs in front of QRadar and Managed_Hosts.

22. Double-click On_Premise.

23. Select 192.168.10.12/30 from the IP/CIDR(s) list and click the red X.

24. Click Save.

25. Close the Network Hierarchy Window.

26. Click Deploy Changes.

27. Return to the Network Activity page.

28. Hover the mouse over the Destination IP address and review the Network field information to
verify that it no longer displays QRadar.Managed_Hosts.On_Premise.

29. Clear the Destination IP is not 192.168.10.10 filter.

30. Reapply the Destination IP is not 192.168.10.10 filter.

31. Verify that the result set is now empty.

Note: Imagine an offense rule that is triggered by flows matching a specific Network Hierarchy
object. Now assume that an offense was triggered by the rule, and a local IP address in the
offense is removed from the Network Hierarchy object afterwards. The offense will then no longer
show the original Network Hierarchy object for the local IP address, although the offense was
triggered by the fact that the IP address was covered by the Network Hierarchy object.

Hint: Check the Offenses and hover your mouse over the Destination IPs field (192.168.10.12) of
the “Remote Desktop Access from the Internet containing RemoteAccess.MSTerminalServices”
offense. Add 192.168.10.12/30 to the Student Network Hierarchy object and then check the
offense again. This demonstrates how fundamental the Network Hierarchy is to QRadar and that
its configuration must be part of the initial configuration of QRadar.
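As an added example that is not part of the course materials, the following Python resolves an IP address to the most specific Network Hierarchy object using the CIDRs from Exercise 1, and shows what the Network field resolves to after 192.168.10.12/30 is removed from On_Premise as in steps 20 to 31. The object names and CIDRs are the ones in the exercise tables; the function names and the longest-prefix rule are this example's own assumptions about how the lookup behaves.

```python
import ipaddress
from typing import Dict, List, Optional

# Network Hierarchy objects as configured in Exercise 1 of this unit.
# Key: fully qualified object name (group path plus object name);
# value: the IP/CIDR(s) list of that object.
HIERARCHY: Dict[str, List[str]] = {
    "QRadar.Clients.Student": ["192.168.10.30"],
    "QRadar.Managed_Hosts.On_Premise": [
        "192.168.10.20/32",
        "192.168.10.16/30",
        "192.168.10.12/30",
        "192.168.10.10/31",
    ],
}


def resolve_network(ip: str, hierarchy: Dict[str, List[str]]) -> Optional[str]:
    """Return the object whose most specific CIDR contains ip, or None when
    no object covers the address (it then counts as remote/other).
    Assumption: when CIDRs of several objects overlap, the longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = None, -1
    for name, cidrs in hierarchy.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def remove_cidr(hierarchy: Dict[str, List[str]], name: str, cidr: str) -> Dict[str, List[str]]:
    """Copy of the hierarchy with one CIDR removed from one object: the
    equivalent of selecting it in the IP/CIDR(s) list, clicking the red X,
    Save, and Deploy Changes. The original dictionary is left untouched."""
    updated = {k: list(v) for k, v in hierarchy.items()}
    updated[name] = [c for c in updated[name] if c != cidr]
    return updated


def covered_addresses(hierarchy: Dict[str, List[str]], name: str) -> List[str]:
    """All addresses an object covers, sorted numerically; useful for checking
    that a /30 really covers four addresses (192.168.10.12/30 is .12 to .15)."""
    hosts = set()
    for cidr in hierarchy[name]:
        hosts.update(str(a) for a in ipaddress.ip_network(cidr, strict=False))
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip in ("192.168.10.10", "192.168.10.12", "192.168.10.30", "10.1.2.3"):
        print(f"{ip:>15} -> {resolve_network(ip, HIERARCHY)}")
    after = remove_cidr(HIERARCHY, "QRadar.Managed_Hosts.On_Premise", "192.168.10.12/30")
    # After the removal 192.168.10.12 belongs to no object, which is consistent
    # with the empty result set in step 31: the Destination Network filter on
    # QRadar.Managed_Hosts no longer matches those flows.
    print("192.168.10.12 after removal ->", resolve_network("192.168.10.12", after))
```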

Unit 5 System Management exercises

Exercise 1 Collect logs from a QRadar managed host
1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the System and License Management icon in the System
Configuration section.

5. From the Display menu, select Systems.

6. Select the single managed host in the list.

7. Click the Actions menu and click Collect Log Files.

8. Click Advanced Options.

9. In the Advanced Options area, enter the values shown in the following table.

Field                                 Value
Include Debug Logs                    <enable>
Include Setup Logs (Current Version)  <enable>
Collect Logs for this Many Days       1

10. Click Collect Log Files.

11. When you see the message "Log file collection completed successfully. Click here to download
file", click the hyperlink.

12. In the window, select Save File.

13. Click OK.

14. Click Save.

Unit 6 License Management exercises
This unit has no student exercises.

Unit 7 Deployment Actions exercises
This unit has no student exercises.

Unit 8 High Availability management
exercises
This unit has no student exercises.

Unit 9 System Health and Master
Console exercises
These exercises introduce the System Health tool and the Master Console.

Exercise 1 Review data in the System Health tool
1. Log in to the Student client with username root and password object00.

2. On the Student machine desktop, double-click the PuTTY SSH Client icon.

3. In the PuTTY Configuration window, click the QRadar Default Settings and click Load.

4. Click Open.

5. In the command line interface (CLI), log in as root with password object00.

6. In the CLI, type the following command:

service sendevents start

7. Return to the Student desktop.

8. Double-click the Firefox icon on the desktop.

9. Log in to the QRadar Console with username admin and password object00.

10. Navigate to the Admin tab and click the System Health icon in the System Configuration
section.

11. Wait until you see the Local QRadar janus (192.168.10.10) snap-in display in the System
Health window.

12. Click the graph in the window.

13. In the Host Notification Table window, scroll to the Memory Usage graph.

14. Hover your mouse on the top time series graph, as shown in the following figure.

15. Review the data.

16. To return to the System Health window, click Local QRadar or QRadar Health Console.

17. Return to the PuTTY SSH Client.

18. In the CLI, type the following command:

service sendevents stop

Unit 10 System Settings and Asset
Profiler Configuration exercises
This unit has no student exercises.

Unit 11 Custom Offense Close Reasons
exercises
This unit has no student exercises.

Unit 12 Store and Forward exercises
This unit has no student exercises.

Unit 13 Reference Set Management
exercises
These exercises introduce you to Reference Sets. You must have experience with CRE Rules.

Exercise 1 Create a Reference Set

1. Log in to the Student client with username root and password object00.

2. Double-click the Firefox icon on the desktop.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Reference Set Management icon in the System
Configuration section.

5. Click Add.

6. Create a reference set using the values shown in the following table.

Field / Option            Value
Name                      Newly created users
Type                      AlphaNumeric
Time to Live of Elements  5 Days
Since first seen          <Enable>
Lives Forever             <Disable>

7. Verify that your configuration looks like the one in the following figure.


8. Click Create. Verify that Newly created users is added to the list of Reference Sets.

Exercise 2 Import data to a Reference Set

To update the elements of the HR Data reference set from a file, you will create a text document
containing the Reference Set elements. To create the text document, perform the following steps:
1. Right-click anywhere on the Student desktop and select Create Document > Empty File. Then
right-click the new file on the desktop and open it with the gedit editor as illustrated below.

2. Add the following lines:

C:\labfiles\HR
C:\labfiles\HR\Resource Actions.txt

3. Save the file on the desktop as HR files.txt.

4. Close the gedit editor.

5. In the Reference Set Management window, double-click HR Data.

The Reference Set Editor window opens and displays the current contents of the HR Data
reference set.

6. Click Import.

7. In the window, click Browse.

8. Select the HR files.txt file on the Student desktop and click Open.

9. Click the upper Import button.

The import adds the content of the text file to the reference set.

10. Verify that your HR Data reference set content looks like the content in the following figure.

11. Close the Reference Set Editor window.

Exercise 3 Use a Reference Set in rules

In this exercise you create a reference set, incorporate it into rules, and verify that the reference set
is updated.

Task 1 Create a reference set

To create the High Surveillance reference set, perform the following steps:
1. In the Reference Set Management window, click Add.

2. Create the reference set using the values shown in the following table.

Field / Option            Value
Name                      High Surveillance
Type                      AlphaNumeric (Ignore Case)
Time to Live of Elements  14 Days
Since first seen          <Enable>
Lives Forever             <Disable>

3. Click Create.

4. On the Student desktop, create another text file with the following lines, each terminated by a
new line character, except for the last entry:
– QRadar
– QRM
– QVM

5. Save the file on the desktop as Surveillance.txt.

6. In the Reference Set Management window, double-click High Surveillance.

7. Click the upper Import button.

8. In the window, click Import in the center.

9. Select the Surveillance.txt file on the desktop and click Open.

10. Click the lower Import button.

Note: Observe that the content is in lowercase. The case is ignored.

11. While looking at the elements in the High Surveillance reference set, click the Refresh icon
several times for approximately one minute.

12. Verify that the Time to Live value changes.

13. To manually add elements to the reference set, click Add.

14. In the new window, type cary.

15. Click Add.

16. Close the Reference Set Editor and the Reference Set Management windows.
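As an added example that is not part of the course materials, the following Python models the High Surveillance reference set from Task 1 (AlphaNumeric (Ignore Case), 14-day Time to Live counted since first seen), imports the three lines of Surveillance.txt and adds cary, so the case folding and the TTL countdown observed in steps 10 to 12 can be traced. The class, its methods and the timestamps are this example's own assumptions about the behaviour, not QRadar's API.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DAY = timedelta(days=1)
T0 = datetime(2016, 8, 1, 9, 0)   # constructed import time for the walkthrough


class ReferenceSet:
    """Model of one reference set. Assumed semantics: elements are strings,
    'Ignore Case' compares them case-insensitively, and each element expires
    once Time to Live has elapsed since it was first (or, optionally, last) seen."""

    def __init__(self, name: str, ttl: timedelta, ignore_case: bool = True,
                 since_first_seen: bool = True) -> None:
        self.name = name
        self.ttl = ttl
        self.ignore_case = ignore_case
        self.since_first_seen = since_first_seen
        self._elements: Dict[str, datetime] = {}  # element -> time the TTL counts from

    def _key(self, value: str) -> str:
        value = value.strip()
        return value.lower() if self.ignore_case else value

    def add(self, value: str, now: datetime) -> bool:
        """Add one element (the Add button, or a rule response). Returns True if
        the element was new. With 'Since first seen', re-adding an existing
        element does not extend its lifetime."""
        key = self._key(value)
        if not key:
            return False
        if key in self._elements:
            if not self.since_first_seen:      # 'since last seen' variant
                self._elements[key] = now
            return False
        self._elements[key] = now
        return True

    def import_text(self, text: str, now: datetime) -> int:
        """Import one element per line, as the Import button does with a text
        file. splitlines() keeps the final entry even without a trailing newline."""
        return sum(self.add(line, now) for line in text.splitlines())

    def expire(self, now: datetime) -> int:
        """Drop every element whose TTL has run out; returns how many were dropped."""
        expired = [k for k, seen in self._elements.items() if now - seen >= self.ttl]
        for k in expired:
            del self._elements[k]
        return len(expired)

    def contains(self, value: str, now: datetime) -> bool:
        """The test a rule performs ('... is contained in any of these reference sets')."""
        self.expire(now)
        return self._key(value) in self._elements

    def time_to_live(self, value: str, now: datetime) -> Optional[timedelta]:
        """Remaining lifetime as shown in the Reference Set Editor; None if absent."""
        key = self._key(value)
        if key not in self._elements:
            return None
        return max(self.ttl - (now - self._elements[key]), timedelta(0))

    def elements(self, now: datetime) -> List[str]:
        self.expire(now)
        return sorted(self._elements)


# Content of Surveillance.txt exactly as step 4 describes it: three lines,
# no newline character after the last one.
SURVEILLANCE_TXT = "QRadar\nQRM\nQVM"


def build_high_surveillance(now: datetime) -> ReferenceSet:
    """Recreate the High Surveillance set of Task 1: import the file, then add cary."""
    rs = ReferenceSet("High Surveillance", ttl=14 * DAY)
    rs.import_text(SURVEILLANCE_TXT, now)
    rs.add("cary", now)
    return rs


if __name__ == "__main__":
    rs = build_high_surveillance(T0)
    print(rs.elements(T0))                          # stored lowercase, as the Note says
    print(rs.contains("QRADAR", T0))                # True: case is ignored
    rs.add("QRadar", T0 + DAY)                      # re-adding does not reset the clock
    print(rs.time_to_live("qradar", T0 + DAY))      # 13 days left
    print(rs.contains("qrm", T0 + 14 * DAY))        # False: expired
```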

Task 2 Edit rules that include a reference set

To edit rules that include the High Surveillance reference set, perform the following steps:
1. In the QRadar SIEM console, click the Offenses tab.

2. Click Rules.

3. From the Group list, select Suspicious.

4. Double-click the Exercise-Policy: Add locked account to Surveillance list rule.

5. In the Rule Wizard window, click Next until you see the Rule Wizard - Rule Response window.

6. In the Rule Wizard - Rule Response window, change the IT Admins-AlphaNumeric reference
set to High Surveillance - AlphaNumeric (Ignore Case).

7. Click Finish.

8. Double-click the Exercise-Policy:Accounts under Surveillance rule.

9. In the Rule Editor - Rule Test Stack Editor window, change the IT Admins testable object to
High Surveillance - AlphaNumeric (Ignore Case) by performing the following steps:
a. Select the IT Admins - AlphaNumeric testable object.

b. In the Selected Items list, click IT Admins - AlphaNumeric and click Remove -.

c. In the window, click High Surveillance - AlphaNumeric (Ignore Case) and click Add +.

d. Click Submit.

10. Verify that your rule looks like the one in the following figure.

11. Click Finish.

Note: You modified two sample rules to use the High Surveillance reference set. The first rule
adds any account that is locked out to the reference set. The second rule generates a new event
with the EventName User Surveillance Event when one of the listed users generates activity.

Task 3 View the content of a reference set

To view the content of the High Surveillance reference set before generating the events that update
it, perform the following steps:
1. In the QRadar SIEM console, click the Admin tab.

2. Click Reference Set Management.

3. Double-click High Surveillance.

4. Verify that four records are listed.

5. Click the References tab.

6. Verify that the rule configured to add elements to the reference set is Exercise-Policy: Add
locked accounts to Surveillance list.

Task 4 Generate events to trigger the rules

To generate events that trigger the rules, perform the following steps:
1. In the QRadar Console, click Messages and click Dismiss All.

2. Double-click the PuTTY SSH Client icon on the Student desktop and load the QRadar Saved
Session, and then click Open.

3. Log in as root with password object00.

4. In the PuTTY CLI, type the following text:

cd /labfiles
./sendWindows.sh

5. Let the script run for five minutes.

6. To stop the script, press Ctrl+C.

Task 5 View the content of a reference set and log events

To verify the reference set content after the Demo: Add locked account to Surveillance list rule
updates it, perform the following steps:
1. In the QRadar SIEM console, double-click the Log Activity tab.

2. Add the Event Name Equals User Surveillance Event filter.

Hint: When browsing for the user surveillance event to include in the filter, in the Event Browser
window in the QID/Name field, type User Surveillance Event.

3. From the View list, select Last 30 minutes.

4. Verify that you find more than 100 events listed.

5. Verify that the user names are listed in the High Surveillance Reference Set.

Task 6 View system notification messages

You use a reference set to monitor special accounts. Imagine that you closely monitor a list of
privileged accounts with unrestricted access to all system data and it is a requirement to receive a
notification when these accounts are used. The Exercise-Policy:Accounts under Surveillance
rule sends a notification to the QRadar SIEM console to satisfy this requirement.
1. To see such a notification, in the QRadar SIEM console on the toolbar, click Messages.

2. Click View All.

3. In the List of Events window, double-click the User Account Locked Out event.

All the User Account Locked Out events are displayed. These events are also in the System
Monitoring dashboard under System Notifications. If time permits, examine these events and
explain which rule sends these events to the System Monitoring dashboard. Check the responses
defined for the demo rules that were triggered by these events.

Hint: Another use case of this functionality is to monitor the actions of employees leaving the
company. To perform the rule test only for events representing actions by leaving employees, add
another test to the Exercise-Policy: Accounts under Surveillance rule and test for user
accounts that access files contained in the sensitive data reference set.

Note: To follow the hint, you must create a custom event property to capture the file and directory
names from Windows events. For testing, use the FSPDC log source and create a custom
property for the “Object Name” value. Add the value for this Custom Property to the sensitive data
reference set. Add the test group ”and when any of these event properties are contained in any of
these reference set(s)” to the rule mentioned above and add the created custom event property
and the sensitive data reference set to the suitable underlined values. Emulate the Windows log
source by using the sendFSPDC script in the labfiles directory of the QRadar SIEM server.

Unit 14 Centralized Credentials exercises
These exercises introduce you to the Centralized Credentials tool. These centralized Credentials
are only applicable if you have a QVM license deployed, require Authenticated scans, and decide
to use Centralized Credentials. Therefore, we cannot show the usage of the sets in this exercise.

Exercise 1 Add a Centralized Credentials Set

1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Centralized Credentials icon in the System
Configuration section.

5. Click Add.

6. In the Credential set window, enter the values shown in the following table.

Field        Value
Name         Fredericton
Description  Exercise

7. Click the Assets tab.

8. In the CIDR field, type 10.0.0.0/8.

9. Click Add.

10. Click the Linux/Unix tab.

11. In the Credential set window, enter the values shown in the following table.

Field     Value
Username  root
Password  object00

12. Click Add.

13. Click the Windows tab.

14. In the Credential set window, enter the values shown in the following table.

Field     Value
Domain    coe.ibm.com
Username  QVMUser
Password  object00

15. Click Add.

16. Click the Linux/Unix tab.

17. In the Credential set window, double-click root.

18. Change the value to QVMUser.

19. Click the Description tab.

20. Click Save.

21. Verify that a Credential Set with Name Fredericton was saved.

22. Click Add.

23. In the Credential set window, enter the values shown in the following table.

Field        Value
Name         Delft
Description  Exercise

24. Click the Assets tab.

25. In the CIDR field, type 129.168.10.0/24.

26. Click Add.

27. Click the Windows tab.

28. In the Credential set window, enter the values shown in the following table.

Field     Value
Domain    nl.ibm.com
Username  QVMUser
Password  object00

29. Click Add.

30. Click Save.

31. Verify that a Credential Set with the Name Delft has been added to the Credentials list.

Unit 15 Forwarding Destinations exercises
These exercises introduce you to the Forwarding Destinations tool.

Exercise 1 Add Forwarding Destinations

1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Forwarding Destinations icon in the System
Configuration section.

5. Click Add.

6. In the Forwarding Destination Properties window, enter the values shown in the following table.

Field                Value
Name                 UDP_Destination
Destination Address  192.168.10.30
Event Format         Payload
Destination Port     514
Protocol             UDP

7. Click Save.

8. Click Add.

9. In the Forwarding Destination Properties window, enter the values shown in the following table.

Field                Value
Name                 JSON_Destination
Destination Address  192.168.10.30
Event Format         JSON
Destination Port     5141
Protocol             TCP over SSL

10. Click the Profile Options > Create New Profile option from the list.

11. In the Profile Name field, type <Test Profile>.

12. In the table, activate the following properties by clicking the check box. Then type the default
values shown in the following table.

Property           Default
src                192.168.10.10
dst                (blank)
usrName            QRadar
payload            (blank)
protocolName       TCP over SSL
eventName          (blank)
lowLevelCategory   (blank)
highLevelCategory  (blank)
logSource          QRadar
Hostname           QRadar

13. Click Save.

14. Click Save.
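As an added example that is not part of the course materials, the following Python models the Test Profile from step 12: only the enabled properties are forwarded, in profile order, and the profile default is substituted where the event carries no value for a property. That substitution rule, the constructed sample event and all function names are this example's assumptions about the profile's behaviour, not QRadar's documented wire format.

```python
import json
from typing import Dict, List, Tuple

# Properties enabled in the Test Profile (step 12) and their default values.
# A blank default means the property is sent with whatever the event carries.
TEST_PROFILE: Dict[str, str] = {
    "src": "192.168.10.10",
    "dst": "",
    "usrName": "QRadar",
    "payload": "",
    "protocolName": "TCP over SSL",
    "eventName": "",
    "lowLevelCategory": "",
    "highLevelCategory": "",
    "logSource": "QRadar",
    "Hostname": "QRadar",
}

# Constructed sample event with the kind of normalised fields a Windows
# logon-failure event carries after parsing; not a real QRadar record.
SAMPLE_EVENT: Dict[str, object] = {
    "dst": "192.168.10.30",
    "usrName": "",
    "payload": "An account failed to log on.",
    "eventName": "An account failed to log on",
    "lowLevelCategory": "General Authentication Failed",
    "highLevelCategory": "Authentication",
    "logSource": "FSPDC",
    "severity": 5,          # not enabled in the profile, so never forwarded
}


def apply_profile(event: Dict[str, object],
                  profile: Dict[str, str]) -> Tuple[Dict[str, object], List[str]]:
    """Build the record for one event: only profile properties, in profile
    order; a missing or empty value is replaced by the profile default.
    Also returns the properties that were filled from a non-blank default,
    because the receiver otherwise cannot tell a defaulted 'QRadar' from a
    value the event really carried."""
    record: Dict[str, object] = {}
    defaulted: List[str] = []
    for prop, default in profile.items():
        value = event.get(prop)
        if value is None or value == "":
            if default != "":
                defaulted.append(prop)
            value = default
        record[prop] = value
    return record, defaulted


def format_event(event: Dict[str, object], profile: Dict[str, str]) -> str:
    """One JSON line as it would travel to 192.168.10.30 on port 5141."""
    record, _ = apply_profile(event, profile)
    return json.dumps(record, separators=(",", ":"))


def parse_forwarded(line: str) -> Dict[str, object]:
    """What a collector on the Student machine does with one received line."""
    return json.loads(line)


if __name__ == "__main__":
    print(format_event(SAMPLE_EVENT, TEST_PROFILE))
    _, filled = apply_profile(SAMPLE_EVENT, TEST_PROFILE)
    print("values taken from profile defaults:", filled)
```

The list of defaulted properties is worth recording on the receiving side: with this profile a forwarded usrName of QRadar may be a genuine account or simply an event that carried no user name.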

Exercise 2 Use the Forwarding destinations in a rule
1. Navigate to the Offenses tab and click the Rules menu option.

2. Find the Authentication: Multiple Login Failures for Single Username Rule and edit it.

3. Click Next.

4. Under the Rule Response section, select the Send to Forwarding Destinations check box.

5. Select both Forwarding Destinations.

6. Click Finish.

7. On the Student machine desktop, double-click the PuTTY SSH Client icon.

8. Load the QRadar Saved Session and click Open.

9. Log in as root with password object00.

10. In the PuTTY CLI, type the following text:

cd /labfiles
./sendWindows.sh

11. In the QRadar Console, navigate to the Admin tab.

12. Click the Forwarding Destinations icon and refresh several times to see the values in the Seen,
Sent, and Dropped columns increase.

Unit 16 Routing Rules exercises
This unit has no student exercises.

Unit 17 Domain Management exercises
In these exercises you learn how to manage QRadar Domains. You must know how to create
QRadar Security Profiles, Users, User Roles, Network Hierarchy objects, and Log Source Groups
to perform all the steps in this module’s exercises. You can learn how to create these in the related
BQ150 modules. Make sure you have access to the QRadar SIEM 7.2.5 server and the Student
client.

Exercise 1 Create a Log Source Group


1. Log in to the Student client with username root and password object00.

2. Double-click the Firefox icon on the desktop.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Log Source Groups icon in the Data Sources section.

5. In the Log Source Groups window, click New Group.

6. Enter the parameter values shown in the following table.

Parameter Value
Name DomainA
Description exercise

7. Click OK.

8. Close the Log Source Groups window.

Exercise 2 Create a Domain


1. Click the Domain Management icon in the System Configuration section.

2. In the Domain Management window, click Add.

3. Enter the parameter values shown in the following table.

Parameter Value
Name DomainA
Description Exercise

4. Click the Events tab.

5. Click Log Sources.

6. From the All Log Source Groups list, select DomainA.

7. Click Add.

8. In the Edit Domain window, click the Flows tab.

9. Click Flow Sources.

10. From the Select Flow Sources list, select default_NIC_eth0.

11. Click Add.

12. Click Create.

13. Close the Domain Management window.

Exercise 3 Use DomainA in a Network Hierarchy object
1. Navigate to the Admin tab and click the Network Hierarchy icon in the System Configuration
section.

2. Click Add.

3. In the Add Network window, click the green gear wheel icon.

4. In the Add a new group window’s Name field, enter the following text:
Europe.Amsterdam.HQ

5. Click Save.

6. In the Add Network window, enter the values shown in the following table.

Field Value
Name DatabaseServers
Description DomainA databaseservers
IP/CIDR(s) 192.168.10.0/24


7. Make sure that you click the plus icon to add the IP/CIDR(s) value to the object’s list.

8. Click Create.

9. Close the Network Hierarchy window.

10. Click Deploy Changes.

11. Click Network Hierarchy.

12. Expand the Europe node and all subnodes.

13. Verify that the DatabaseServers object is listed.

Note: Using domains allows the Network Hierarchy to contain objects with overlapping IP ranges.

Exercise 4 Use DomainA in a Security Profile
1. Navigate to the Admin tab and click the Security Profiles icon in the User Management
section.

2. In the Security Profile Management window, click New.

3. In the Security Profile Name field, type DomainA.

4. Click the Permission Precedence tab.

5. Select the Networks AND Log Sources option.

6. Click the Networks tab.

7. In the All Networks list, select the Europe object.

8. Select Amsterdam from the list, and click > to move the object to the Assigned Networks list.

9. Click the Log Sources tab.

10. Click All Log Source Groups.

11. Select the DomainA group.

12. Click > to move the object to the Assigned Log Sources list.

13. Click the Domains tab.

14. Click the All Domains list and select the Domains List.

15. In the All Domains list, select the DomainA object and click > to move the object to the
Assigned Domains list.

16. Click Save.

17. Click the Summary tab.

18. Verify that all choices you made in the previous steps are represented in the summary.

19. Click Close.

20. On the Admin tab, click Deploy Changes.

Exercise 5 Create a User Role for DomainA


1. Navigate to the Admin tab and click the User Roles icon in the User Management section.

2. In the User Role Management window, click New.

3. In the User Role Name field, type DomainA.

4. Select the Offenses, Log Activity, and Reports authorities.

5. In the Available Dashboards list, select System Monitoring and click Add to add it to the
Selected Dashboard list.

6. Click Save.

7. Click Close.

8. On the Admin tab, click Deploy Changes.

Exercise 6 Create a user account for DomainA


1. Navigate to the Admin tab and click the Users icon in the User Management section.

2. In the User Management window, click New.

3. Use the values in the following table to edit the User Details window.

Field Value
Username DomainA_User
E-mail email@company.org
Password object00
Confirm Password object00
Description Exercise
User Role DomainA
Security Profile DomainA

4. Click Save.

5. Click Close.

6. On the Admin tab, click Deploy Changes.

Unit 18 Users, User Roles, and Security Profiles exercises
In these exercises, you learn how to manage QRadar user accounts and assign user roles and
profiles. You must know how to create a QRadar Domain to perform all the steps in this module’s
exercises. You can learn how to create QRadar domains in the Domain Management module.
Make sure you have access to the QRadar SIEM 7.2.5 server and the Student client.

Exercise 1 Create a user role


1. Log in to the Student client with username root and password object00.

2. Double-click the Firefox icon on the desktop.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the User Roles icon in the User Management section.

5. In the User Role Management window, click New.

6. In the User Role Name field, type demorole.

7. Select all authorities except for the Admin authorities.

8. In the Available Dashboards list, select System Monitoring and click Add to add it to the
Selected Dashboard list.

9. Click Save.

10. Click Close.

11. On the Admin tab, click Deploy Changes.

Exercise 2 Create a security profile


1. Navigate to the Admin tab and click the Security Profiles icon in the User Management
section.

2. In the Security Profile Management window, click New.

3. In the Security Profile Name field, type demoprofile.

4. Click the Permission Precedence tab.

5. Select the Network Only option.

6. Click the Networks tab.

7. In the All Networks list, select the All object and click > to move the object to the Assigned
Networks list.

8. Click the Log Sources tab.

9. Click the All Log Sources list.

10. Select the Other group.

11. In the Other group, select all the log sources in the list by using the Shift and left-mouse click
combination.

12. Click > to move the object to the Assigned Log Sources list.

13. Click the Domains tab.

14. Click the All Domains list and select the Domains List.

15. In the All Domains list, select the DomainA object and click > to move the object to the
Assigned Domains list.

16. Click Save.

17. Click the Summary tab.

18. Verify that all choices you made in the previous steps are represented in the summary.

19. Click Close.

20. On the Admin tab, click Deploy Changes.

Exercise 3 Create a user account


1. Navigate to the Admin tab and click the Users icon in the User Management section.

2. In the User Management window, click New.

3. Use the values in the following table to edit the User Details window.

Field Value
Username demouser
E-mail demo@company.org
Password object00
Confirm Password object00
Description Exercise
User Role demorole
Security Profile demoprofile


4. Click Save.

5. Click Close.

6. On the Admin tab, click Deploy Changes.

Unit 19 Authentication exercises
This unit has no student exercises.

Unit 20 Authorized Services exercises
This unit has no student exercises.

Unit 21 Custom Asset Properties exercises
This unit has no student exercises.

Unit 22 WinCollect exercises
This unit has no student exercises.

Unit 23 Log Sources Exercises
These exercises introduce you to the Log Sources administration tool.

Exercise 1 Add a Log Source manually


1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Log Sources icon in the Data Sources section.

5. Click Add.

6. In the Log Source window, enter the values shown in the following table.

Field Value
Log Source Name FSPDC_Demo
Log Source Description Exercise
Log Source Type Oracle RDBMS OS Audit Record
Protocol Configuration Syslog
Log Source Identifier FSPDC

7. Click Save.

8. Close the Log Sources window.

9. On the Admin tab, click Deploy Changes.

Note: You have just manually added a Log Source for the host FSPDC. You now see two Log Sources
for the FSPDC host in the Log Sources window: one for Microsoft Windows Security Event Log and
one for Oracle RDBMS OS Audit Record. Such a configuration is necessary if you collect both types
of log data from a single host; in this example, a Windows database server is running Oracle. As
long as the combination of log source type, identifier, and protocol configuration is unique, QRadar
allows you to create additional Log Sources for the same source.

Exercise 2 Search for events from a deleted Log Source
1. In the Log Source window, select FSPDC_Demo and click Delete.

2. Click OK.

3. Double-click the FSPDC row.

4. Check the Coalescing Events option.

5. Click Save.

6. On the Student machine desktop, double-click the PuTTY SSH Client icon.

7. Load the QRadar Saved Session and click Open.

8. Log in as root with password object00.

9. In the PuTTY CLI, type the following text:

cd /labfiles
./sendFSPDC.sh

10. In the QRadar Console, double-click the Log Activity tab.

11. Change the View to Real Time (streaming).

12. Add a filter for Log Source [indexed] Equals FSPDC.

13. Return to the PuTTY CLI. Wait for the sendFSPDC script to terminate.

14. In the QRadar Console, change the View to the Last 15 Minutes.

15. Click the Event Count column and sort in descending order.

16. Verify that the highest number for the Event Count column is above 100.

17. In the Log Sources window, select the FSPDC Log Source and click Delete.

18. Click OK.

19. In the Log Sources window, click Add.

20. In the Log Source window, enter the values shown in the following table.

Field / Option Value
Log Source Name FSPDC
Log Source Description Exercise
Log Source Type Microsoft Windows Security Event Log
Protocol Configuration Syslog
Log Source Identifier FSPDC
Coalescing Events <Disable>

21. Click Save.

22. Close the Log Sources window.

23. On the Admin tab, click Deploy Changes.

24. Return to the PuTTY CLI.

25. Repeat steps 9 to 13 of this exercise.

26. Verify that the highest number in the Event Count column equals 1.

27. Change the view to Last Hour.

28. Clear the Log Source is FSPDC filter.

29. Change the Display to Log Source.

30. Right-click the Log Source FSPDC with the LOWEST Count and select Filter on Log Source
is FSPDC.

31. Change the display to Default (Normalized).

32. Click the Event Count column and sort in descending order. Verify that the highest count in the
column is higher than 100.

33. Add a filter for Log Source [indexed] Does not equal FSPDC.

34. Verify that the result has not changed compared to the result obtained before you added the
latest filter.

Note: This demonstrates that every time you create a new Log Source, even with the same
identifier, type, and protocol configuration as a deleted Log Source, the new Log Source is assigned
a new index. Events stored under the old index are not matched by an indexed filter on the new Log
Source. The only way to select the “old” events from the Log Source FSPDC is to create a
column/value filter as you did in Step 30.

Exercise 3 Assign a Log Source


1. In the Log Sources window, click Bulk Actions and select Bulk Add.

2. In the Bulk Log Source Name field, type Demo.

3. Click the Manual tab.

4. In the Host field, type 10.0.0.0 and click Add Host.

5. In the Host field, type 10.0.0.1 and click Add Host.

6. In the Host field, type 10.0.0.2 and click Add Host.

7. Click Save.

8. Click Continue.

9. On the Admin tab, click Deploy Changes.

10. Verify that the newly created Log Sources belong to the Demo group.

11. In the Log Sources window, use the Shift key to select all Log Sources with names that start
with Threecom8800SeriesSwitch.

12. Click Assign.

13. Clear the Demo option.

14. Click Assign Groups.

15. Verify that the newly created Log Sources belong to the Other group.

Unit 24 Log Source Extensions Exercises
These exercises introduce you to the Log Source Extensions administration tool.

Exercise 1 Add a Log Source Extension


1. Log in to the Student client with username root and password object00.

2. Double-click the Firefox icon on the desktop.

3. Log in to the QRadar Console with username admin and password object00.

4. Navigate to the Admin tab and click the Log Source Extensions icon in the Data Sources
section.

5. Click Add.

6. In the Log Source Extension window, enter the values shown in the following table.

Field Value
Name AS400_Demo
Description Exercise
Use Condition Parsing Enhancement

7. Click Browse.

8. Navigate to File System > LabFiles > QRadar courses files.

9. Select IBM_AS400_EXT.xml and click Open.

10. Click Upload.

11. Click Save.

Exercise 2 Edit a Log Source Extension
1. On the Student machine desktop, double-click the PuTTY SSH Client icon.

2. Load the QRadar Saved Session and click Open.

3. Log in as root with password object00.

4. In the PuTTY CLI, type the following text:

service sendevents start

5. Wait 5 minutes.

6. On the Log Source Extensions page, click Log Sources.

7. Double-click the first Log Source with a name starting with IBM IMS @ and a status of
Success.

8. In the Edit a log source window, select AS400_Demo for Log Source Extension.

9. Click Save.

10. In the Log Source window, click Extensions.

11. Select AS400_Demo in the Log Source Extensions.

12. Click Enable/Disable and make sure the Enabled field changes to false.

13. On the Log Source Extensions page, click Log Sources.

14. Double-click the first Log Source with a name starting with IBM IMS @ and a status of
Success.

15. Verify that you can still select a Log Source Extension that has been disabled.

Exercise 3 Delete a Log Source Extension


1. In the Log Source window, click Extensions.

2. Select AS400_Demo in the Log Source Extensions.

3. Click Delete.

4. Click OK.

5. On the Log Source Extensions page, click Log Sources.

6. Double-click the first Log Source with a name starting with IBM IMS @ and a status of
Success.

7. Verify that you cannot select a Log Source Extension.

8. In the PuTTY CLI, type the following text:

service sendevents stop

Unit 25 Log Source Groups Exercises
These exercises introduce you to the Log Source Groups administration tool.

Exercise 1 Add a Log Source Group


1. Log in to the Student client with username root and password object00.

2. On the Student machine desktop, double-click the PuTTY SSH Client icon.

3. Load the QRadar Saved Session and click Open.

4. Log in as root with password object00.

5. In the PuTTY CLI, type the following text:

cd /labfiles
service sendevents start

6. On the desktop, double-click the Firefox icon.

7. Log in to the QRadar Console with username admin and password object00.

8. Navigate to the Admin tab and click the Log Source Groups icon in the Data Sources section.

9. Click New Group.

10. In the Group Properties window, enter the values shown in the following table.

Field Value
Name Linux machines
Description Exercise

11. Click OK.

12. Click the Other Log Source Group.

13. Select all LinuxServer machines.

Hint: Click the first LinuxServer record, press the Shift key, and click the last LinuxServer record.


Note: The sendevents script will generate LinuxServer log sources. This takes about 5 minutes.

14. Click Copy.

15. Check the box for Linux machines.

16. Click Assign Groups.

17. Verify that the LinuxServer machines you selected earlier have disappeared from the Other
group.

18. Click the Linux machines group.

19. Verify that the LinuxServer machines you selected earlier have been added to the Linux
machines group.

20. While you have selected the Linux machines group, click New Group.

21. In the Group Properties window, enter the values shown in the following table.

Field Value
Name Amsterdam
Description Exercise

22. Select the first two LinuxServer machines.

23. Click Copy.

24. Clear the Linux machines check box.

25. Select the Amsterdam check box.

26. Click Assign Groups.

27. Verify that the LinuxServer machines you selected earlier have disappeared from the Linux
machines group.

28. Click the Amsterdam group.

29. Verify that the LinuxServer machines you selected earlier have been added to the Amsterdam
group.

30. In the PuTTY CLI, type the following text:

service sendevents stop

Exercise 2 Delete a Log Source Group
1. Navigate to the Admin tab and click the Log Source Groups icon in the Data Sources section.

2. Click All Log Source Groups.

3. In the right pane, select the Linux machines group.

4. Click Remove.

5. Click OK.

6. Click Other.

7. Verify that all LinuxServer machines reappeared in the Other group.

Unit 26 Log Source Parsing Ordering exercises
This unit has no student exercises.

Unit 27 Custom Properties exercises
These exercises introduce you to the Custom Event Properties admin tool in QRadar SIEM 7.2.5.
Make sure you have access to the QRadar SIEM 7.2.5 server and the Student client. Because the
Custom Flow Properties tool usage is similar, these exercises concentrate only on the Custom
Event Properties tool.

Note: For information about creating and using Custom Event Properties, refer to Create and
index a custom property through Configure an indexed property to use in rules, starting on
page 3-4.

Exercise 1 Disable and enable a custom property
1. On the Student machine desktop, double-click the PuTTY SSH Client icon.

2. Load the QRadar Saved Session and click Open.

3. Log in as root with password object00.

4. In the PuTTY CLI, type the following text:

cd /labfiles
./sendWindows.sh

5. On the desktop, double-click the Firefox icon.

6. Log in to the QRadar Console with username admin and password object00.

7. Navigate to the Admin tab and click the Custom Event Properties icon in the Data Sources
section.

8. Search for the WinLogonType property by entering the string winlogon in the search field and
clicking the magnifying glass.

9. Select the WinLogonType property and click Enable/Disable.

10. Click OK.

11. Verify that the Enabled column value for the WinLogonType property equals False.

12. Return to the Log Activity page and click Add Filter.

13. Verify that you cannot choose the Parameter WinLogonType (custom).

14. Navigate to the Admin tab and click the Custom Event Properties icon in the Data Sources
section.

15. Search for the WinLogonType property by entering the string winlogon in the search field and
clicking the magnifying glass.

16. Select the WinLogonType property and click Enable/Disable.

17. Click OK.

Exercise 2 Delete a custom property


1. Return to the Log Activity page and click Add Filter.

2. In the Add Filter window, use the settings in the following table.

Field / Option Value
Parameter Event Name [Indexed]
Operator Equals
Value An account failed to log on (use the QID 5000475 to search for the value)

3. Click Add Filter.

4. From the View options, choose Last Hour.

Note: Increase the time window if you don’t get any results.

5. Double-click any event. Verify that the WinLogonType (custom) property is listed under the
Event Information.

6. Navigate to the Admin tab and click the Custom Event Properties icon in the Data Sources
section.

7. Search for the WinLogonType property by entering the string winlogon in the search field and
clicking the magnifying glass.

8. Select the WinLogonType property and click Delete.

9. Click OK.

10. Double-click the Log Activity tab and click Add Filter.

11. In the Add Filter window, use the settings in the following table.

Field / Option Value
Parameter Event Name [Indexed]
Operator Equals
Value An account failed to log on (use the QID 5000475 to search for the value)

12. Click Add Filter.

13. From the View options, choose Last Hour.

Note: Increase the time window if you don’t get any results.

14. Double-click any event. Verify that the WinLogonType (custom) property is no longer listed
under the Event Information.
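The WinLogonType (custom) property you enabled, disabled, and deleted above is a regex-based custom event property: QRadar keeps one capture group of a regular expression applied to the raw payload, and the value only appears under Event Information while the property exists and is enabled. The following Python is an added illustration, not course material or QRadar code; the payloads, the `Logon Type:\s*(\d+)` regex, and the `CustomEventProperty` model are constructed assumptions (the course does not show the real property definition).

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed Windows Security event payloads (not lab data): a 4625
# "An account failed to log on" event and an unrelated 4688 event.
FAILED_LOGON = (
    "<13>May 29 10:15:02 FSPDC AgentDevice=WindowsLog AgentLogFile=Security "
    "EventID=4625 Message=An account failed to log on. Subject: Security ID: S-1-0-0 "
    "Logon Type: 3 Account For Which Logon Failed: Account Name: jdoe "
    "Failure Reason: Unknown user name or bad password. "
    "Source Network Address: 192.168.10.55 Source Port: 49152"
)
FAILED_RDP_LOGON = FAILED_LOGON.replace("Logon Type: 3", "Logon Type: 10")
PROCESS_CREATED = (
    "<13>May 29 10:16:40 FSPDC AgentDevice=WindowsLog AgentLogFile=Security "
    "EventID=4688 Message=A new process has been created. "
    "New Process Name: C:\\Windows\\System32\\cmd.exe"
)

# Windows logon type codes as documented by Microsoft for event 4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


class CustomEventProperty:
    """Hypothetical model of a regex-based custom event property: the value is
    the text of one capture group of a regex applied to the raw payload."""

    def __init__(self, name: str, regex: str, capture_group: int = 1, enabled: bool = True):
        self.name = name
        self.regex = re.compile(regex)   # a bad regex fails here, before any event is parsed
        if not 1 <= capture_group <= self.regex.groups:
            raise ValueError(f"{name}: regex has {self.regex.groups} capture group(s)")
        self.capture_group = capture_group
        self.enabled = enabled

    def extract(self, payload: str) -> Optional[str]:
        """The property's value for this event, or None if disabled or no match."""
        if not self.enabled:
            return None
        match = self.regex.search(payload)
        return match.group(self.capture_group) if match else None


def event_information(payload: str, properties: List[CustomEventProperty]) -> Dict[str, str]:
    """The '(custom)' rows an analyst sees under Event Information: only enabled
    properties whose regex matches contribute a row."""
    rows = {}
    for prop in properties:
        value = prop.extract(payload)
        if value is not None:
            rows[f"{prop.name} (custom)"] = value
    return rows


def failed_logons_by_type(payloads: List[str], prop: CustomEventProperty) -> Dict[str, int]:
    """Count 4625 events per logon type, the kind of grouping the property enables."""
    counts: Counter = Counter()
    for payload in payloads:
        if "EventID=4625" not in payload:
            continue
        value = prop.extract(payload)
        if value is None:
            continue
        label = LOGON_TYPES.get(int(value), "Unknown")
        counts[f"{label} ({value})"] += 1
    return dict(counts)


# Hypothetical regex for WinLogonType; the course does not show the real one.
WIN_LOGON_TYPE = CustomEventProperty("WinLogonType", r"Logon Type:\s*(\d+)")


def exercise_walkthrough() -> List[Dict[str, str]]:
    """Exercises 1 and 2 in order: enabled, disabled, re-enabled, deleted."""
    prop = CustomEventProperty("WinLogonType", r"Logon Type:\s*(\d+)")
    catalogue = [prop]
    seen = [event_information(FAILED_LOGON, catalogue)]
    prop.enabled = False                   # Enable/Disable: Enabled column shows False
    seen.append(event_information(FAILED_LOGON, catalogue))
    prop.enabled = True                    # Enable/Disable again
    seen.append(event_information(FAILED_LOGON, catalogue))
    catalogue.remove(prop)                 # Delete
    seen.append(event_information(FAILED_LOGON, catalogue))
    return seen
```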

Unit 28 Event and Flow Retention exercises
This unit has no student exercises.

Unit 29 Flow Sources exercises

Note: The Flow Sources exercise requires access to the Student client.

Exercise 1 Filter packages with destination ports 22 and 443
1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.

4. Double-click the Network Activity tab.

5. Change the View to Real Time (streaming).

6. Return to the desktop of the Student client.

7. Double-click the PuTTY SSH Client icon.

8. Load the QRadar Default Settings and click Open.

9. Log in as user root with password object00.

10. In the PuTTY SSH Client CLI, type the following text:
cd /labfiles
./startPcap.sh

11. Wait for the script to start processing the /labfiles/flows/dns1.pcap file.

12. In the QRadar Console, change the following settings on the Network Activity page:
– View: Last 15 Minutes
– Display: Destination Port

13. Sort the Destination Port column in ascending order.

14. Verify that Ports 22 and 443 are listed.

15. In the PuTTY CLI, press Ctrl+C to stop the script.

16. Navigate to the Admin tab and click the Flow Sources icon.

17. In the Flow Sources window, double-click the default_NIC_eth0 row.

18. In the Flow Source Management window, select the Filter String check box.

19. Enter the following filter string:

not dst 22 and not dst 443

20. Click Save.

21. Click Deploy Changes.

22. Repeat steps 10 to 11.

23. Enter the following filter string:

port ftp or port http

24. Click Save.

25. Click Deploy Changes.

26. In the PuTTY SSH Client CLI, type the following text:
cd /labfiles
./startPcap.sh

27. In the QRadar Console, change the following settings on the Network Activity page:
– View: Last Interval (auto refresh)
– Display: Application

28. Monitor the Network Activity page.

You will see that flow records are generated only for Web and FTP applications. When you use a
service name with the port parameter, both the port number and the protocol are checked.
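The two filter strings behave as described because of BPF operator precedence and service-name resolution. The following Python is an added example, not course material or QRadar code: it evaluates that filter subset against constructed flow records, with `not` binding tighter than `and`, which binds tighter than `or`, a numeric port matching either transport protocol, and a service name such as `ftp` checking both the port number and the protocol it is registered for. The `SERVICES` table stands in for /etc/services, and the exercise's shorthand `dst 22` is read as a destination-port qualifier; both are assumptions.

```python
import re
from typing import Callable, List

# Constructed stand-in for /etc/services: a service name resolves to a port
# number plus the transport protocols it is registered for.
SERVICES = {
    "ftp": (21, {"tcp"}),
    "ssh": (22, {"tcp"}),
    "http": (80, {"tcp"}),
    "https": (443, {"tcp"}),
    "domain": (53, {"tcp", "udp"}),
}

TOKEN_RE = re.compile(r"\(|\)|[A-Za-z][A-Za-z0-9_]*|\d+")


def tokenize(expr: str) -> List[str]:
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unexpected characters in filter {expr!r}")
    return tokens


class FilterParser:
    """Recursive-descent parser for the BPF subset used in the exercise.
    Precedence: 'not' > 'and' > 'or'; parentheses group. Primitives are
    [src|dst] port <name|number>, plus the shorthand 'src N' / 'dst N' as
    written in the exercise, read here as a port qualifier (assumption)."""

    def __init__(self, expr: str):
        self.tokens = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> Callable[[dict], bool]:
        node = self.disjunction()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def disjunction(self):                     # a or b or c
        left = self.conjunction()
        while self.peek() == "or":
            self.take()
            left = (lambda a, b: lambda f: a(f) or b(f))(left, self.conjunction())
        return left

    def conjunction(self):                     # a and b and c
        left = self.negation()
        while self.peek() == "and":
            self.take()
            left = (lambda a, b: lambda f: a(f) and b(f))(left, self.negation())
        return left

    def negation(self):                        # not a | ( expr ) | primitive
        if self.peek() == "not":
            self.take()
            inner = self.negation()
            return lambda f: not inner(f)
        if self.peek() == "(":
            self.take()
            inner = self.disjunction()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "port":
            tok = self.take()
        elif direction is None:
            raise ValueError(f"unsupported qualifier {tok!r}")
        if tok.isdigit():                      # numeric port: any transport protocol
            number, protos = int(tok), {"tcp", "udp"}
        elif tok in SERVICES:                  # service name: port AND protocol are checked
            number, protos = SERVICES[tok]
        else:
            raise ValueError(f"unknown service name {tok!r}")
        fields = {"src": ("src_port",), "dst": ("dst_port",)}.get(direction, ("src_port", "dst_port"))
        return lambda f: f["proto"] in protos and any(f[k] == number for k in fields)


def apply_filter(expr: str, flows: List[dict]) -> List[dict]:
    """Return the flow records the flow source would keep under `expr`."""
    keep = FilterParser(expr).parse()
    return [f for f in flows if keep(f)]


# Constructed flow records resembling what the exercise pcap replay produces.
FLOWS = [
    {"proto": "tcp", "src_port": 51000, "dst_port": 22},    # SSH
    {"proto": "tcp", "src_port": 51001, "dst_port": 443},   # HTTPS
    {"proto": "tcp", "src_port": 51002, "dst_port": 80},    # HTTP
    {"proto": "tcp", "src_port": 51003, "dst_port": 21},    # FTP control channel
    {"proto": "udp", "src_port": 51004, "dst_port": 53},    # DNS
    {"proto": "udp", "src_port": 51005, "dst_port": 21},    # UDP to 21: 'port ftp' must not match
]
```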

Unit 30 Flow Sources Aliases exercises
This unit has no student exercises.

Unit 31 VA Scanners exercises
In these exercises, you add a scanner, update the modification date of the scan results files, and
schedule a scan in QRadar SIEM.

Exercise 1 Add a scanner


1. Log in to the Student client with username root and password object00.

2. On the desktop, double-click the Firefox icon.

3. Log in to the QRadar Console with username admin and password object00.
4. Click the Admin tab.

5. Click VA Scanners in the Data Sources section.
The VA Scanners window opens.

6. Click Add.
The Add Scanner window opens.

7. Add the new scanner using the values in the following table.

Field / Option Setting
Scanner Name Nessus Exercise
Description Exercise
Managed Host <Default value>
Type Nessus Scanner
Collection Type Scheduled Results Import
Remote Results Hostname 192.168.10.10
Remote Results Port 22
SSH Username root
SSH Password object00
Enable Key Authentication disable
Remote Results Directory /labfiles/VIS
Remote Results File Pattern .*\.nessus
Remote Results Max Age 7
CIDR Ranges 0.0.0.0/0

Note: The Remote Results Directory value starts with a forward slash (/). Be sure to clear the
default value before you enter the correct value.

8. Verify that the configuration looks like the one in the following graphic.

9. Click Save.

10. On the Admin tab, click Deploy Changes.

Exercise 2 Update the scan results file modification date
The scanner that you added in Exercise 1 has a Remote Results Max Age of 7 days, so the scheduled
import picks up only result files that were modified during the last 7 days. The Nessus result
files for this exercise are stored in the /labfiles/VIS directory on the QRadar SIEM server.
Because these files have a modification date older than 7 days, you must update their modification
date before QRadar will import the scan results.
1. On the Student machine desktop, double-click the PuTTY SSH Client icon.

2. Load the QRadar Saved Session and click Open.

3. Log in as root with password object00.


4. In the PuTTY CLI, type the following text:
cd /labfiles/VIS
touch *

5. Return to the QRadar SIEM console.
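The following shell script is an added example for Exercises 1 and 2; it is not code from the IBM course. Run it on the host that holds the Nessus result files to see which files the scanner configured in Exercise 1 would import, how many matching files are too old to be imported, and to refresh only those stale files instead of running touch on everything in the directory. The script assumes (this is not stated on the page) that QRadar matches the Remote Results File Pattern against the whole file name and compares the file modification time against Remote Results Max Age; the function names (importable_files, stale_count, refresh_stale) are the author's, and the defaults are the Exercise 1 values.

```shell
#!/bin/sh
# Added example for Exercises 1 and 2 (not from the IBM course).
# Mirrors the file-selection rule of a QRadar "Scheduled Results Import" scanner:
# a file is imported when its name matches the Remote Results File Pattern and it
# was modified within Remote Results Max Age days. Run on the results host itself.
#
# Assumptions (not stated on the page): whole-name regex match, plain mtime test,
# local directory access (no SSH). Defaults are the Exercise 1 values.

RESULTS_DIR="${RESULTS_DIR:-/labfiles/VIS}"
FILE_PATTERN="${FILE_PATTERN:-.*\.nessus}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"

# Does the base name of "$1" match the extended regex "$2" as a whole string?
name_matches() {
    printf '%s\n' "${1##*/}" | grep -Eqx "$2"
}

# Was "$1" modified within the last "$2" days? (-mtime -N: age in whole days < N)
is_fresh() {
    [ -n "$(find "$1" -mtime "-$2" 2>/dev/null)" ]
}

# List the files in directory $1 that match pattern $2 and are at most $3 days old:
# the set the scheduled import would pick up.
importable_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if name_matches "$f" "$2" && is_fresh "$f" "$3"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Count the files that match the pattern but are older than the max age: the ones
# QRadar would skip silently (the situation Exercise 2 fixes).
stale_count() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if name_matches "$f" "$2" && ! is_fresh "$f" "$3"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Refresh only the stale result files, rather than "touch *", which also bumps the
# mtime of every unrelated file in the directory. Prints how many were refreshed.
refresh_stale() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if name_matches "$f" "$2" && ! is_fresh "$f" "$3"; then
            touch "$f" && n=$((n + 1))
        fi
    done
    echo "$n"
}

# Report on the configured directory when it exists (harmless elsewhere).
if [ -d "$RESULTS_DIR" ]; then
    echo "Importable now (pattern $FILE_PATTERN, max age $MAX_AGE_DAYS days):"
    importable_files "$RESULTS_DIR" "$FILE_PATTERN" "$MAX_AGE_DAYS"
    echo "Stale, would be skipped: $(stale_count "$RESULTS_DIR" "$FILE_PATTERN" "$MAX_AGE_DAYS")"
fi
```

Copy the script to the results host, run it as the account that the scanner uses for SSH, and check the report before you click Deploy Changes. If the stale count is not zero, call refresh_stale "$RESULTS_DIR" "$FILE_PATTERN" "$MAX_AGE_DAYS" (or run the touch from step 4), then schedule the import in Exercise 3.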

Exercise 3 Schedule a scan


1. In the VA Scanners window, select the Nessus Exercise VA scanner and click Schedule.
The Scan Scheduling window opens.

2. Click Add.

3. Create a new schedule using the values in the following table.

Field / Option     Setting
VA Scanner         Nessus Exercise
Network CIDR       0.0.0.0/0
Priority           Low
Ports              1-65535
Start Time         <today's date>, <2 minutes from the current time>
Interval           0 Hours

4. Verify that the configuration looks similar to the one in the following graphic.

5. Click Save.

6. Wait two minutes and verify that the schedule’s Status changes to Complete.

7. Close the Scan Scheduling window and the VA Scanners window.

To verify that assets with vulnerabilities appear on the Assets tab, perform the following steps:

8. In the QRadar SIEM console, click the Assets tab.

9. On the navigation menu, click Asset Profiles.

10. Click the Vulnerabilities column and sort in descending order.

Unit 32 Remote Networks and Services exercises
This unit has no student exercises.
