QRadar, also known as IBM QRadar, is a comprehensive security information and event management (SIEM) solution developed by IBM. It is designed to help organizations detect and respond to cybersecurity threats effectively. QRadar integrates various security functions, including event log collection, correlation, analysis, and reporting, into a unified platform.
QRadar, similar to other SIEM solutions, consolidates log data from network and endpoint devices. It empowers security teams to identify suspicious and known malicious activity effectively. The platform stands out with its exceptional scalability for handling large data volumes, optimized data storage enabling simultaneous analytics and intricate rule configurations, and a versatile dashboarding and app feature set that can be expanded as needed.
When you access QRadar, the default dashboard provides an overview of threats and security monitoring, displaying signature detection hits, offenses, and a summary of network flows. Additional pre-configured dashboards are available, allowing you to explore different perspectives. As a SOC analyst, most of your time in QRadar will be spent on incident investigation, primarily in the Log Activity and Network Activity tabs.
The Log Activity tab serves as the primary search page for event logs in QRadar. By default, it provides a real-time stream of events. Key components of this page include:
- Run/Pause button
- Quick Filter search bar
- Time range selector dropdown
- Add Filter button
- Overview of search results
These elements are crucial for effectively navigating and analyzing event logs within QRadar.
On the Log Activity page, you can view a live feed of events in real-time. Any filters you apply will be effective only for incoming events. To search for events within a specific time frame, you need to select the relevant time window. This ensures that you can precisely analyze events based on your desired timeframe in QRadar.
- It's worth noting that below the time picker there is a timeline chart displaying the events. This visual representation helps identify peaks and gaps in event data that may require further investigation. By highlighting an area on the timeline, you can zoom in and use the click-and-drag function to navigate the chart. If needed, you can click the "Reset Zoom" link to return to the original view.
- Remember that zooming in on the timeline doesn't automatically filter the results table. It provides a visual aid to explore event patterns, while the results table remains unaffected until specific filters are applied.
The quick filter search feature in QRadar offers a rapid way to explore your event data. Similar to a regular Google search, you can input one or more search terms and logical operators. It's important to understand that the quick filter operates on the raw event data, meaning it hasn't been parsed or processed by the QRadar log ingester. Consequently, it doesn't differentiate between fields, such as identifying whether an IP address is a source or destination.
To utilize the quick filter search, simply enter your search term in the designated filter search box and press the Enter key on your keyboard or click the Search button located at the top right of the web page. This allows you to swiftly initiate targeted searches within your event data.
Search Results:
Beneath the search bar and time picker dropdown, the search results in QRadar are presented in the form of a table displaying events. By default, all events are displayed in a unified format, presenting the following elements: Event Name, Log Source, Event Count, Time, Low-Level Category, Source IP, Source Port, Destination IP, Destination Port, Username, and Magnitude. This standardized format allows for consistent and comprehensive visibility into the event details within the search results table.
- The quick filter search functionality in QRadar leverages Apache Lucene technology and follows the same syntax. This allows users to perform advanced searches by specifying search terms and combining them with search operators. The primary boolean operators available are AND, OR, and NOT.
- If no boolean operator is specified between two search terms, OR is used by default. Double quotes ("") are used to search for phrases that contain spaces. For instance, the searches `"john doe" john` and `"john doe" OR john` are equivalent.
- To logically group search terms and boolean operators, parentheses () can be used. For example, the search `("User Account Locked Out" OR "User Unlocked") AND john` would find events where the account of "john" has either been locked out or unlocked.
- Boolean operators must always be written in capital letters; otherwise, they are treated as regular search terms. This ensures the search logic is interpreted as intended within the quick filter.
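To make the quick filter rules above concrete (default OR between terms, quoted phrases, parentheses for grouping, operators only recognised in capitals, and the fact that the filter runs over raw, unparsed payloads so an IP address matches whether it is a source or a destination), here is a small evaluator written as an added example. It is not QRadar's or Lucene's code, and it simplifies the real engine: a term or phrase matches as a case-insensitive substring of the raw payload, AND binds tighter than OR, and NOT negates the clause that follows it. The `RAW_EVENTS` lines are constructed sample payloads, not real QRadar data.

```python
import re
from typing import Callable, List, Tuple

Predicate = Callable[[str], bool]

# Constructed sample raw event payloads (not real QRadar data). The quick
# filter searches this unparsed text, so "src=" and "dst=" mean nothing to it.
RAW_EVENTS = [
    "Jun 12 10:01:22 dc01 Security: 4740 User Account Locked Out: account=john src=10.0.0.5",
    "Jun 12 10:05:10 dc01 Security: 4767 User Unlocked: account=john by=helpdesk",
    "Jun 12 10:07:41 dc01 Security: 4740 User Account Locked Out: account=alice src=10.0.0.9",
    "Jun 12 10:09:03 fw01 conn src=192.168.1.10 dst=10.0.0.5 action=allow",
    "Jun 12 10:11:55 dc01 Security: 4624 Logon: account=john doe workstation=WS07",
]

BOOLEAN_OPS = {"AND", "OR", "NOT"}          # recognised only in capitals
TOKEN_RE = re.compile(r'"([^"]*)"|\(|\)|[^\s()"]+')


def tokenize(query: str) -> List[Tuple[str, str]]:
    """Split a quick-filter query into (kind, value) tokens.

    A quoted string becomes one PHRASE token (it may contain spaces);
    AND/OR/NOT in capitals become OP tokens; anything else, including a
    lower-case "and", is an ordinary TERM.
    """
    tokens = []
    for m in TOKEN_RE.finditer(query):
        text = m.group(0)
        if m.group(1) is not None:
            tokens.append(("PHRASE", m.group(1)))
        elif text == "(":
            tokens.append(("LPAREN", text))
        elif text == ")":
            tokens.append(("RPAREN", text))
        elif text in BOOLEAN_OPS:
            tokens.append(("OP", text))
        else:
            tokens.append(("TERM", text))
    return tokens


class _Parser:
    """Recursive-descent parser: or_expr > and_expr > not_expr > primary."""

    def __init__(self, tokens: List[Tuple[str, str]]):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> Tuple[str, str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self) -> Tuple[str, str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"unexpected token {self.peek()[1]!r}")
        return pred

    def or_expr(self) -> Predicate:
        left = self.and_expr()
        while True:
            kind, val = self.peek()
            if kind == "OP" and val == "OR":
                self.take()                                   # explicit OR
            elif kind in ("TERM", "PHRASE", "LPAREN") or (kind, val) == ("OP", "NOT"):
                pass                                          # implicit OR (the default)
            else:
                return left
            right = self.and_expr()
            left = (lambda a, b: lambda t: a(t) or b(t))(left, right)

    def and_expr(self) -> Predicate:
        left = self.not_expr()
        while self.peek() == ("OP", "AND"):
            self.take()
            right = self.not_expr()
            left = (lambda a, b: lambda t: a(t) and b(t))(left, right)
        return left

    def not_expr(self) -> Predicate:
        if self.peek() == ("OP", "NOT"):
            self.take()
            inner = self.not_expr()
            return lambda t: not inner(t)
        return self.primary()

    def primary(self) -> Predicate:
        kind, val = self.take()
        if kind == "LPAREN":
            inner = self.or_expr()
            if self.take()[0] != "RPAREN":
                raise ValueError("missing closing parenthesis")
            return inner
        if kind in ("TERM", "PHRASE"):
            needle = val.lower()                              # simplified: substring match
            return lambda t: needle in t.lower()
        raise ValueError(f"unexpected token {val!r}")


def quick_filter(query: str, events: List[str]) -> List[str]:
    """Return the raw events that satisfy the quick-filter query."""
    tokens = tokenize(query)
    if not tokens:
        return list(events)
    pred = _Parser(tokens).parse()
    return [e for e in events if pred(e)]


if __name__ == "__main__":
    for q in ['("User Account Locked Out" OR "User Unlocked") AND john',
              '"john doe" john', '10.0.0.5', '"User Account Locked Out" and john']:
        print(q, "->", len(quick_filter(q, RAW_EVENTS)), "event(s)")
```

Running the module shows the two caveats from the text: the lower-case `and` query returns four events instead of one because `and` is just another term joined by the default OR, and the query `10.0.0.5` returns both the lockout event (where the address is the source) and the firewall event (where it is the destination), since the raw payload carries no field structure to distinguish them. Once the Add Filter button is used on parsed fields, that distinction becomes available.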
By default, QRadar presents the first 1000 events as the initial display for search results. To view the precise number of results, you can click the "Current Statistics" button located below the "Current Filters" area. If you wish to increase the results limit, you can easily modify the value in the "Results Limit" box.
If the number of results exceeds the defined limit, a notification appears just above the results table; once you click it, it is dismissed and does not reappear. The results table initially shows the first 40 events, and you can page through the entire result set using the pagination buttons in the bottom-right corner of the page.
Within the search results table in QRadar, you have the option to double-click on any event to access a more detailed view of its information. This action opens up an event information view where you can examine the event in greater depth. At the top of this view, there is a menu bar that allows you to easily navigate back to the Event List and switch between different events, enabling efficient exploration of the search results.
In conclusion, understanding the basics of IBM QRadar is essential for building a solid foundation in cybersecurity monitoring and threat detection. QRadar, as a comprehensive security information and event management (SIEM) solution, aggregates log data from various network and endpoint devices. Its strengths lie in its scalability, optimized data storage, and extensible dashboarding and app features.