IBM C1000-156 - IBM Security QRadar SIEM V7.5 Administration

In IBM QRadar SIEM V7.5, managing what functions a user can access is crucial for maintaining security and ensuring that users have appropriate permissions. TheSecurity Profileoption is used to manage these access controls. Here’s how it works:

Security Profile: Defines the specific permissions and roles assigned to users, dictating what actions they can perform within QRadar. This includes access to various modules, dashboards, and functionalities.

User Role: While related, user roles are more about grouping users with similar permissions rather than defining individual access.

Admin Role: Typically reserved for users with administrative privileges but does not manage the specific functions users can access.

Security Options: This is not a relevant option for managing user access to QRadar functions.

ReferencesIBM QRadar SIEM V7.5 documentation details how security profiles are configured and managed, providing comprehensive steps on assigning and modifying user access based on roles and profiles.

Administrators can configure a rule response in QRadar to add event data to a reference set by using the "add to reference set" rule response. This is a predefined responseaction in QRadar that allows specific event data to be added to a reference set when the rule conditions are met.

Navigate to the "Offenses" tab in the QRadar console.

Select "Rules" from the navigation pane.

Create a new rule or edit an existing rule.

In the "Rule Response" section, add a new response.

Select the "Add to Reference Set" response.

Specify the reference set and the data to be added.

Save and deploy the rule.

ReferencesIBM QRadar SIEM V7.5 Administration documentation

The QRadar Threat Intelligence app uses open standards to integrate and utilize threat intelligence feeds effectively. The two key standards used are:

TAXII (Trusted Automated eXchange of Indicator Information): This is an application layer protocol used for exchanging cyber threat intelligence over HTTPS. It enables the sharing of threat information across different systems and organizations.

STIX (Structured Threat Information eXpression): This is a standardized language used for representing structured cyber threat information. STIX enables the consistent and machine-readable representation of threat data, facilitating the integration and analysis of threat intelligence.

These standards ensure that threat intelligence data is formatted and exchanged in a consistent and interoperable manner, enhancing the overall effectiveness of the threat intelligence processes in QRadar.

ReferencesThe IBM QRadar SIEM documentation and threat intelligence app configuration guides describe the use of TAXII and STIX for integrating threat intelligence feeds.

The Server Discovery function in IBM QRadar SIEM V7.5 uses the Asset Profile Database to discover various types of servers on a network. This database stores detailed information about the assets, including server types, configurations, and roles within the network. Here’s how it works:

Asset Profile Database: This is the central repository that contains all the discovered asset information.

Discovery Process: During the discovery process, QRadar scans the network to identify servers and other devices, collecting information such as IP addresses, open ports, services, and operating systems.

Classification: The collected data is then analyzed and classified, updating the Asset Profile Database with the types of servers discovered.

ReferencesIBM QRadar SIEM documentation specifies the use of the Asset Profile Database for server discovery functionalities and provides details on configuring and managing asset profiles.

When the error "Insufficient disk space to complete data export request" is encountered, and the Export Directory property in the System Settings has the default configuration, the disk partition that needs to be checked is/store/ariel/events/exports. This directory is typically used for exporting event data in QRadar SIEM. The error indicates that the available disk space in this partition is insufficient to handle the export operation. Administrators should check the storage usage of this partition and manage the space by either cleaning up unnecessary files or expanding the storage capacity.

ReferencesQRadar SIEM V7.5 Administration Guide - Chapter on System Notifications and Disk Management

When exporting a list of events to a CSV file in IBM QRadar SIEM V7.5, the default columns included in the search result typically are:

Log Source: The origin of the log data.

Event Count: The number of events.

High Level Category: The broad classification of the event.

Related Offense: The associated offense ID or description.

These columns provide a comprehensive overview of the events, helping analysts quickly understand the context and significance of the data.

ReferencesIBM QRadar SIEM documentation provides details on the default columns included in search results and their significance in event analysis.

Forward: Data is forwarded to a specified destination. It is also stored in the database and processed by the Custom Rules Engine (CRE).

Drop: Data is dropped, meaning it is not stored in the database and is not processed by the CRE. If you select the “Drop” option, any events that match this rule are credited back 100% to the license.

Bypass Correlation: Data bypasses the CRE but is stored in the database. This option allows events to be used in analytic apps and for historical correlation runs. It’s useful when you want specific events to skip real-time rules.

Log Only (Exclude Analytics): Events are stored in the database and flagged as “Log Only.” They bypass the CRE and are not available for historical correlation. These events contribute to neither offenses nor real-time analytics.

Now, let’s look at the valid combinations:

Forward and Drop: Data is forwarded to a specified destination, but it is not stored in the database or processed by the CRE. Dropped events are credited back to the license.

Forward and Bypass Correlation: Data is forwarded to a destination and stored in the database, but CRE rules do not run on it. Useful for scenarios where you want events to bypass real-time rules but still be available for historical correlation.

Forward and Log Only (Exclude Analytics): Events are forwarded to a destination, stored as “Log Only,” and bypass the CRE. They are not available for historical correlation and are credited back to the license.

To configure a log source in IBM QRadar SIEM V7.5 to provide events to different domains, administrators can use custom properties. Here’s how it works:

Custom Properties: Create and configure custom properties to tag events with specific domain information.

Assigning Events: When events are ingested from a log source, these custom properties can be used to dynamically assign events to different domains based on predefined criteria.

Domain Management: This approach allows flexibility in managing and segregating data from a single log source across multiple domains, ensuring that each domain receives the relevant events.

ReferencesThe configuration of custom properties for domain assignment is detailed in the QRadar SIEM administration guides, providing step-by-step instructions for setting up and using custom properties for domain management.

To track network bandwidth violations by any application coming from your network source and report on all applications that create traffic along with the amount of data from each IP address, you need to store the IP address, the application, and the amount of data in a reference data collection. The appropriate type of reference data collection for this use case is a "Reference map." Here is why:

Reference Map: A reference map allows you to store key-value pairs where each key is unique. In this context, the key can be the combination of the IP address and the application, and the value can be the amount of data (total bytes).

Data Structure: This structure enables efficient lookups and updates, which is ideal for tracking and reporting bandwidth usage per application per IP address.

Use Case Suitability: The reference map is suitable for scenarios where you need to store and retrieve values based on a specific key, and it supports storing complex data structures efficiently.

This type of reference data collection supports the use case by allowing the storage and retrieval of detailed network traffic information per application and IP address.

ReferencesIBM Security QRadar SIEM and IBM Security QRadar EDR integration.pdf​