3 Using The Qradar Siem Dashboard

3 Using the QRadar SIEM dashboard
© Copyright IBM Corporation 2013

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Objectives
After completing this unit, you should be able to perform the
following tasks:
• Navigate the default dashboard
• Customize dashboards
© Copyright IBM Corporation 2013 2

Lesson 1. Navigating the Dashboard tab

Dashboard overview
• QRadar SIEM shows the Dashboard tab when you log in.
• You can create multiple dashboards.
• Each dashboard can contain items that provide summary and
detailed information.
• Six default dashboards are available.
• You can create custom dashboards to focus on your security or
operations responsibilities.
• Each dashboard is associated with a user. Changes that you
make to a dashboard do not affect the dashboards of other
users.

Instructor demonstration of the dashboard

Default dashboard
Click a tab to load it. Tabs Tables and charts

QRadar SIEM tabs
Use tabs to navigate the primary QRadar SIEM functions

• Dashboard: The initial summary view ‫اعطاء االولوية للحوادث‬
• Offenses: Displays offenses; list of prioritized incidents
• Log Activity: Query and display events
• Network Activity: Query and display flows
• Assets: Query and display information about systems in your
network
• Reports: Create templates and generate reports
• Admin: Administrative system management
Other menu options
The dashboard has the following additional menu options:
• Preferences
• Help
• Logout

Context-sensitive help
Click the question mark in any window to access help for the
current page.

Dashboard refresh
• In the displayed Pause/Play Refresh
dashboard, events
and flows refresh
every minute unless
you click Pause.
• Use the Refresh
button to manually
refresh the displayed
data.

Lesson 2. Customizing a dashboard

Course materials may not be reproduced in whole or in part without the prior written permission of IBM. 11
Dashboard variety
• QRadar SIEM includes the following default dashboards:
▪ Application Overview
▪ Compliance Overview
▪ Network Overview
▪ System Monitoring
▪ Threat and Security Monitoring
▪ Vulnerability Management
• Use multiple dashboards to better organize data
For example, a single user can have the following dashboards:
▪ Databases
▪ Critical Applications
to show log and network activity of these systems.

Creating a custom dashboard
Show Dashboard: New Dashboard: Add item:
Select a dashboard Create a new dashboard Add an item
to view. empty of items. to dashboard.

Items
Include no more than 15 items on each dashboard.

Managing dashboard items
Click Add Item to place additional objects on the dashboard.
Click the green icon to detach the object from the interface to the desktop.
Click the yellow icon to modify the settings of an object.
Click the red icon to delete an object from the dashboard.

Student exercise
Use the procedures in the Student
Exercises Guide to create a new
dashboard.

Summary
Now that you have completed this unit, you should be able to
perform the following tasks:
• Navigate and customize the user interface
• Customize dashboards

4 Investigating an offense triggered by
events

Objectives
After completing this unit, you should be able to perform the
following tasks:
• Explain the concept of offenses
• Investigate an offense, which includes this information:
▪ Summary information
▪ The details of an offense
• Respond to an offense

Lesson 1. Offenses overview

Introduction to offenses
• QRadar SIEMs prime benefit for security analysts is that it
detects suspicious activities and ties them together into
offenses.
• An offense represents a suspected attack or policy breach.
Some common offenses include these examples:
▪ Multiple login failures
▪ Worm infection
▪ P2P traffic
▪ Scanner reconnaissance
• Treat offenses as security incidents and have a security analyst
investigate them.

Creating and rating offenses
• QRadar SIEM creates an offense when events, flows, or both
meet the test criteria specified in changeable rules that
analyze the following information:
▪ Incoming events and flows
▪ Asset information
▪ Known vulnerabilities
• QRadar SIEMs magistrate rates each offense by its
magnitude, which has these characteristics:
▪ Ranges from 1 to 10, with 1 being low and 10 being high
▪ Specifies the relative importance of the offense

Lesson 2. Using summary information to
investigate an offense

Instructor demonstration of offense parameters
This demonstration uses an offense that alerts to a suspected

ICMP scanner as an example. Investigating this kind of offense
is a typical part of a security analyst's job.

Selecting an offense to investigate
Offenses are listed in these locations:
• In Dashboard items
• In the Offense Manager on the Offenses tab

Offense Summary window
The offense summary displays
information about the ICMP scanning
offense.
The remainder of the unit examines the

window sections in the same way as
the security analyst does to investigate
an offense.

Offense parameters (1 of 4)
Investigating an offense begins with the parameters at the top of
the offense summary window:
Magnitude: Credibility:
Relative importance of the How valid is information
offense, as calculated from from that source?
relevance, severity, and credibility. 20% of magnitude
Relevance: Severity:
How important is the How high is the potential
destination? damage to the destination?
50% of magnitude 30% of magnitude
Offense Type:
General root cause of the offense. The offense
type determines which information is displayed
in the next section of the Offense Summary.
Description: Event count: Flow count:

Reflects the causes for the Number of events Number of flows
offense. The description can associated with associated with
change when new events or this offense. this offense.
flows are associated with the
offense.
Source IP(s): Start:
Origin of the Date and time when the first event or flow
ICMP scanning. associated with the offense was created.
Destination IP(s): Duration:

Targets of the Amount of time elapsed since the first event or
ICMP scanning. flow associated with the offense was created.
Network(s): Assigned to:

Local network(s) of the QRadar SIEM user
local Destination IP(s) assigned to investigate
that have been scanned. this offense.

Offense Source Summary (1 of 4)
To the security analyst, the Offense Source Summary provides
information about the origin of the ICMP scanning.
IP: Location:
Origin of the Network of the source
ICMP scanning. IP address if it is local.
Magnitude: Vulnerabilities:
Indication about the level of A known vulnerability of a local
risk an IP address poses host can have been exploited
relative to other IP addresses. and turned it into an attacker.
When you right-click the IP, you see navigation options for
further investigation.

Port Scan: WHOIS Lookup:

Nmap scans Find registered
the IP address. owner of the IP
Search Flows: address.
Find flows associated
with the IP address.
Weight:
Relevance of
the source IP
address.
Offenses: Events/Flows:
Number of offenses Number of events and flows
associated with this associated with this offense.
source IP address.
Lesson 3. Investigating offense details

Notes
QRadar SIEM users can add notes to offenses.
• You cannot edit or delete notes.
• The maximum length is 2000 characters.
Notes: Add Note:

View all notes Create new note.
of the offense.

Top 5 Source IPs (1 of 2)
QRadar SIEM lists the five IP addresses with the highest
magnitude, from which the suspected attack or policy breach
originates.
Location:
Hover the mouse over a Sources:
shortened field value to View all source IP
display the full value. addresses of the offense.
Note: The example offense has only one source IP address.

Therefore, the table contains only one row.
Top 5 Source IPs (2 of 2)
Right-click anywhere on the row to view more information about
the source IP address.
Destinations: Offenses:
List all destination IP List all offenses for
addresses targeted by which the source IP
the source IP address. address is source or
destination IP address.

Top 5 Destination IPs
QRadar SIEM lists the five local IP addresses with the highest
magnitude, which were targets of the ICMP scan.
Chained: Destinations:
Indicates whether the destination IP address View all destinations IP
is the source IP address in another offense. addresses of the offense.
Destination IP:
Hover the mouse over the
asset name or IP address to
display further information.
Note: In this example, only two local IP addresses were

scanned. Therefore, the table contains only two rows.
Top 5 Log Sources
A firewall provided the log messages about firewall denies. This
firewall is the major log source of the ICMP scanner offense.
Log Sources:
Events: View all log sources
Number of events sent by the log contributing to the offense.
source contributing to the offense.
Custom Rule Engine: Offenses: Total Events:

QRadar SIEMs CRE Number of Sum of all events received
creates events and adds offenses related from this log source while
them to offenses. to the log source. the offense is active.

Top 5 Users
QRadar SIEM lists the five users with the most events
contributing to the offense.
Users:
View all users associated
to the offense.
Note: In this example, QRadar SIEM did not receive an event

with user information and therefore does not list a user.
Top 5 Categories (1 of 2)
QRadar SIEM categorized most events Categories:
into the Firewall Deny category. From View all low level
this categorization and the nature of the categories of the
events, rules deduced the ICMP events contributing
scanning. to the offense.
Name: Local Destination Count:

Low level category Number of local destination IP
of the event. addresses affected by offenses
with events in this category.
Top 5 Categories (2 of 2)
Right-click anywhere on the row to view events and flows.
Events: Flows:
List all events that List all flows that
contribute to the viewed contribute to the viewed
offense in the category offense in the category
under the mouse pointer. under the mouse pointer.

Last 10 Events
Double-click anywhere on a row to open a window with details
about the event.
Events:
View all events
Dst Port: that contribute
The destination port is to the offense.
0 for layer 3 protocol
traffic such as ICMP.

Last 10 Flows
No flows contributed to the ICMP scanner offense. Therefore,
QRadar SIEM does not list any flows.
Flows:
Total Bytes: View all flows
Sum of bytes that contribute
transferred in to the offense.
both directions.

Annotations
• Annotations provide insight into why QRadar SIEM considers
the event or observed traffic threatening.
• QRadar SIEM can add annotations when it adds events and
flows to an offense.
• Read the oldest annotation because it was added when the
offense was created.
Annotation: Annotations:
Hold the mouse over a shortened View all annotations
annotation to show the full annotation. of the offense.

Offense Summary toolbar
On top of the Offense Summary offers Events:
the toolbar direct links to the information View all events
contributing to
that you just investigated.
the offense.
Summary:
Flows:
View the
View all flows
Offense
contributing to
Summary.
the offense.
Display:
View offense
information
introduced on
previous slides.

Lesson 4. Acting on an offense

Offense actions
After investigating an offense, click Actions at the top of the Offense
Summary page to set flags and status.
Follow up: Hide:
Choose if you want to Use with caution because
revisit the offense. QRadar SIEM still updates
the offense. Alarming
updates can stay hidden.
Protect Offense:
Prevent QRadar
SIEM from deleting
the offenses.
Close:
When you have resolved
the offense, close it.
Offense status and flags
Status: Icons indicates: The actions available depend
- Protected - Follow up on the status of the offense.
- Inactive - Notes
- Closed - Assigned
Unprotect Offense:
Allow QRadar SIEM
to delete this
protected offense.

Student exercise
Exercises Guide to investigate the local
DNS scanner offense.

Summary
• Explain the concept of offenses
• Investigate an offense, which includes this information:
▪ Summary information
▪ The details of an offense
• Respond to an offense

5 Investigating the events of an offense

Objectives
When you complete this unit, you can perform the following
tasks:
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search
• Add a search to the dashboard

Lesson 1. Investigating event details

Navigating to the events
In the Offense Summary, click Events to
open the list of events. Events:
View all events
that contribute
to the offense.

List of events
Hide graphical charts.
View event details by

double-clicking a row.

Event details: Base information
Event
information:
Similar offense
parameters
Source and
Destination
information:
Most fields do not
matter for this
particular event
because NAT and
IPv6 were not used.

Event details: Reviewing the raw event
Each normalized event carries its raw event as the payload.
‫فيها معلومات كما جاءت من المصدر‬
Review the raw event for

information that QRadar
SIEM has not normalized
into fields, which
therefore does not
display in the UI. An
example is the firewall
profile name Atlantis.

Event details: Additional details
Protocol: QID:
Network The QID determines the name,
protocol low-level category, and high-
level category of an event.
Log Source: Event Count:

This log source provided the Number of raw events
raw event that QRadar SIEM bundled into this
normalized into this event. normalized event

Returning to the list of events
After investigating the event details, click Return to Event List,
in the top left corner of the event details window, to return to the
event list.
Return to Event List: Offense:

Navigate back to the list Navigate to the offense to
of events for the offense. which the event contributes.

Lesson 2. Using filters to investigate
events

Filtering events (1 of 3)
• In the list of events, you can use filters to explore the offense
further
• Most events in this offense are Firewall Deny.
• Because other events provide more insight, right-click the
event name to filter for events that are not Firewall Deny.

By filtering Firewall Deny events, you can focus on events that
do not originate from the firewall.
QRadar SIEM's Custom Rule Engine (CRE) created the events

in this list to alert you to suspicious activity.
Clear Filter:
Click to view the Firewall
Deny events again.
Unlike searches, filters do not query each event processor.

Applying a Quick Filter to the payload
• The payload of an event contains the raw event that mentions
the firewall profile that denied the connection.
• To verify that the company's main profile, Atlantis, was always
active, filter events without profile: Atlantis in the payload.
Quick Filter:
Filter for events that do not contain
profile: Atlantis in the payload.
Clear Filter:
Click to view all events
of the offense again.

Using another filter option
• You can use each event field as a filter.
• To create a filter, in the top menu bar, click the icon .

Lesson 3. Using grouping to investigate
events

Grouping events
Display:
Explore the events further by
grouping them. For example, group
them by their Low Level Category.
Default (Normalized):
By default, QRadar SIEM
shows normalized events
without grouping.
Raw Events:
Instead of grouping, QRadar
SIEM shows the raw events
stored in the payload of
each normalized event.

Grouping events by low-level category
Grouping By: In this example, exploring by
QRadar SIEM shows the currently grouping indicates a second
selected grouping above the filters. protocol.
Protocol:
All events are
Some events recorded an additional
aggregated by their
protocol. Click Multiple (2).
low-level category.
Grouping events by protocol
In the Protocol column, click Multiple (2) to open a window with
events grouped by protocol. You learn that the firewall denied
udp_ip in addition to icmp_ip.
Grouping By: Current Filters:
Now QRadar SIEM The previous grouping, Log
groups by Protocol. Level Category, became a filter.

Removing grouping criteria
Display:
Group by Default (Normalized)
to remove the grouping by Low
Level Category.

Viewing a range of events
If events are still added to the investigated offenses, view them:
• Real Time (streaming): Shows events as they arrive at the
Event Processor (EP). Grouping and sorting are not available.
• Last Interval (auto refresh): Shows the last minute of events.
Refreshes automatically after 1 minute.
Pause/Play Refresh

Lesson 4. Saving a search

Monitoring the scanning host (1 of 3)
The event list always displays search results. To view traffic to
and from the scanning host, edit this search, save it, and add it
to the dashboard. Clear Filter:
To monitor all traffic, remove the offense filter.
Filter:
Right-click the Source IP to filter.

Monitoring the scanning host (2 of 3)
View: Display:
List events of the Group by High
last 24 hours. Level Category.

Monitoring the scanning host (3/3)
Save Criteria: Now the screen shows the selected
Save the criteria of
the current search.
time range, grouping, and filtering.
Grouping Save Results:

Time range
Save the results of
Filtering the current search.

Saving search criteria
Save the search with the criteria specified.
Prepend name with

department name or initials
for easy identification.
Assign to group.
Set as default
search for the
Log Activity tab.
Allows you to add the search

as an item to a dashboard.
Event list using the saved search
Using Search:
The event list shows the
result of the saved search.

Lesson 5. Modifying saved searches

About Quick Searches
When you
select Include
in my Quick
Searches
when saving a
search,
QRadar SIEM
lists the saved
search in the
predefined
Quick
Searches list.

Using alternative methods to create and edit
searches
• Most predefined saved searches are not listed under Quick
Searches.
• To find, use, and edit saved searches, select Search in the top
menu bar.
New Search:
Load a saved
Edit Search:
search. Edit
The Event List is the
the loaded
result of a search.
search or
Edit this current
create a new
search or edit another
search. Manage Search Results: saved search.
QRadar SIEM stores the
result from each search for
24 hours. You can revisit,
save, or delete results.

Finding and loading a saved search
If you select New Search or Edit Search, the Event Search
window opens.
Type Saved Search:

To find saved searches
easily, type your
department name, if
you prepended your
saved searches with it.

Search actions
Show All:
Clear all filters. Export:
You can resend
exported events
as raw events to
Delete: QRadar SIEM.
Delete the result
of the currently
displayed search. Notify:
Send an email
when the search in
progress finishes.

Lesson 6. Adding a search to the
dashboard

Adding a saved search as a dashboard item
To watch the scanning IP address from the dashboard, add the
saved search as a dashboard item.
Note: This screen capture

shows the Dashboard tab.

Saving a search as a dashboard item
Settings button: You can add
Modify the settings only grouped
of an item. searches as
dashboard items.
Last Minute:
Unless time series data is captured,
the dashboard item shows only the
result of the last 1-minute interval.
View in Log Activity:

Show saved search with a 24-hour
time range on Log Activity tab.
Enabling time series data
Capture Time Series Data:
Select to accumulate time series
data to count events and click Save.
• Capturing time series data means

that QRadar SIEM counts incoming
events according your search criteria,
grouping, and chosen value to graph.
• Most of the predefined searches
capture time series data.
• Capturing time series data can affect
QRadar SIEM's performance
negatively.

Selecting the time range
Value to Graph:
The asterisk (*) indicates
that QRadar SIEM
accumulates time series
data for this value.
Time Range:
Select Last 24 Hours.

Displaying 24 hours in a dashboard item
Accumulation began:
QRadar SIEM started
accumulating time series
data on this date at this time.
A third high-level category shows

now.
Potential Exploit:
This third high-level category
does not have enough events
to display in a bar chart.

Modifying items in the chart type table
Chart Type: Table

To view all high-level categories,
select the chart type Table.
Chart Type: Time Series

To view trending of data, select
the chart type Time Series.
Potential Exploit:
Two events of high-level
category Potential Exploit.

Student exercises
Exercises Guide to perform these tasks:
• Look for events contributing to an
offense
• Save search criteria and search results
• Investigate event details

Summary
• Use the list of events to navigate event details
• Filter events included in an offense
• Group events to gain different perspectives
• Save a search that monitors a suspicious host
• Modify a saved search
• Add a search to the dashboard

3 Using The Qradar Siem Dashboard

Uploaded by

Copyright:

Available Formats

3 Using The Qradar Siem Dashboard

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

3 Using The Qradar Siem Dashboard

Uploaded by

Copyright:

Available Formats

3 Using the QRadar SIEM dashboard

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 2

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 4

© Copyright IBM Corporation 2013 5

© Copyright IBM Corporation 2013 6

Use tabs to navigate the primary QRadar SIEM functions

The dashboard has the following additional menu options:

© Copyright IBM Corporation 2013 8

© Copyright IBM Corporation 2013 9

© Copyright IBM Corporation 2013 10

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 12

© Copyright IBM Corporation 2013 13

© Copyright IBM Corporation 2013 14

© Copyright IBM Corporation 2013 15

© Copyright IBM Corporation 2013 16

© Copyright IBM Corporation 2013 17

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 19

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 21

© Copyright IBM Corporation 2013 22

© Copyright IBM Corporation 2013

This demonstration uses an offense that alerts to a suspected

© Copyright IBM Corporation 2013 24

© Copyright IBM Corporation 2013 25

The remainder of the unit examines the

© Copyright IBM Corporation 2013 26

Description: Event count: Flow count:

Destination IP(s): Duration:

Network(s): Assigned to:

© Copyright IBM Corporation 2013 30

© Copyright IBM Corporation 2013 32

Port Scan: WHOIS Lookup:

© Copyright IBM Corporation 2013

Notes: Add Note:

© Copyright IBM Corporation 2013 36

Note: The example offense has only one source IP address.

© Copyright IBM Corporation 2013 38

Note: In this example, only two local IP addresses were

Custom Rule Engine: Offenses: Total Events:

© Copyright IBM Corporation 2013 40

Note: In this example, QRadar SIEM did not receive an event

Name: Local Destination Count:

© Copyright IBM Corporation 2013 43

© Copyright IBM Corporation 2013 44

© Copyright IBM Corporation 2013 45

© Copyright IBM Corporation 2013 46

© Copyright IBM Corporation 2013 47

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 50

© Copyright IBM Corporation 2013 51

© Copyright IBM Corporation 2013 52

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 54

© Copyright IBM Corporation 2013

© Copyright IBM Corporation 2013 56