February 2015
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the
web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the
U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or
implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without
notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other
materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations
from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software.
References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion
based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth, savings or other results.
Contents
About these exercises (page v)
Virtual machines (page v)
Logging in to the Windows VM (page v)
Logging in to the QRadar SIEM server VM (page v)
Logging in to the QRadar SIEM console (page vi)
Virtual machines
The lab environment uses the following two virtual machines (VMs):
• QRadar SIEM server, a virtual machine running IBM Security QRadar SIEM 7.2.3 licensed
program running on Red Hat Enterprise Linux server 6.5 licensed program
• Windows DC, a virtual machine running Microsoft Windows 2008 Enterprise Server x64 Edition
licensed program with PuTTY licensed program and Mozilla Firefox licensed program that is
used to access the QRadar SIEM virtual machine
Note: On a Windows VM, the key combination Ctrl+Alt+Ins is the same as Ctrl+Alt+Del.
Note: The credentials to log in to the QRadar SIEM console are user name admin and password
object00.
2. Open a PuTTY session on the QRadar SIEM server. Use the procedure “Logging in to the
QRadar SIEM server VM” on page v.
3. To generate events, in the PuTTY command line, type the following command:
cd /labfiles
./sendCheckpoint.sh 1>/dev/null 2>&1 &
4. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page vi.
8. Click OK.
Note: A new custom dashboard is empty by default. Therefore, you must add items to the
dashboard.
9. To add items to the new dashboard, from the Add Item list, select the following items:
a. Offenses > Offenses > Most Severe Offenses
b. Log Activity > Event Searches > Top Services Denied through Firewalls
12. Verify that the dashboard includes an offense item and two log events items. Depending on
where you positioned the items, your dashboard looks similar to the following graphic.
2. Select the offense with the description Local DNS Scanner containing Invalid DNS.
a. If you do not see the Local DNS Scanner containing Invalid DNS offense, search for the
offense. From the Search list, select New Search.
b. On the Search Parameters pane, define the search criteria. In the Description field, type
Local DNS Scanner.
c. Click Search.
The All Offenses page shows the offense that meets the search criteria, Local DNS
Scanner containing Invalid DNS.
3. Answer the following questions for the Local DNS Scanner containing Invalid DNS offense.
a. What is the offense type and offense source and magnitude?
Hint: Hold the mouse over the Magnitude to obtain the numeric value.
_________________________________________________________________________
Hint: Hold the mouse over the Offense Source IP to obtain the network.
_________________________________________________________________________
4. Double-click the Local DNS Scanner containing Invalid DNS offense to view the Offense
Summary page. The Offense Summary page provides detailed information about the offense.
d. How many destination IPs are targets of the offense? Are the destination IPs local or
remote devices?
________________________________________________________________________
e. List the event categories that contributed to this offense. From the Display list on the
toolbar, select Categories to view the event categories.
_________________________________________________________________________
_____________________________________________
f. What do you learn about this offense based on the annotations? From the Display list on
the toolbar, select Annotations.
_________________________________________________________________________
_____________________________________________
_____________________________________________
_____________________________________________
_____________________________________________
g. What is the event name, event category, and destination port for the events listed in the
Last 10 Events list? Click Summary on the toolbar and scroll down to the Last 10 Events
list.
________________________________________________________________________
h. The destination port is well known for what type of server communications?
________________________________________________________________________
ii. Type This offense was investigated in the QRadar SIEM Foundations course.
Note: The note is displayed in the Last 5 Notes pane on the Offense Summary page. A Notes
icon is displayed in the Status field on the Offense Summary page and in the flag column for the
offense on the All Offenses page. Hold the mouse over the Notes icon to view the note.
b. Protect the offense. From the Actions toolbar on the Offense Summary page, select
Protect Offense. The Protected icon is displayed in the Status field on the Offense
Summary page and in the flag column for the offense on the All Offenses page.
2. Find and double-click the Local DNS Scanner containing invalid DNS offense.
3. Show the low-level categories of the offense’s events by selecting Display > Categories on the
toolbar.
4. To investigate the events that are associated with this offense in the low-level category DNS
Protocol Anomaly, right-click the table row that shows DNS Protocol Anomaly and click
Events.
Note: Alternatively, you can select DNS Protocol Anomaly and click Events in the title bar
above the table.
5. Create a filter to exclude the source IP that contributed to the Local DNS Scanner offense.
Select an event. Right-click 10.152.247.69 and select Filter on Source IP is not
10.152.247.69.
8. To look for similar DNS requests unrelated to the offense, click Clear Filter for the Offense is
Local DNS Scanner filter.
10. To view events from the last 24 hours, in the View list, select Last 24 Hours.
QRadar SIEM shows events of the low-level category DNS Protocol Anomaly that do not
originate from the IP address 10.152.247.69, which is the source IP address of the offense
triggered by DNS scanning.
11. Review the suspicious DNS requests from other sources.
c. Verify that the Save Criteria settings look like the ones in the graphic.
d. Click OK.
b. In the name field, type DNS Protocol Anomaly without 10.152.247.69.
c. Click OK.
Hint: If you do not see your saved search, double-click the Log Activity tab and click Quick
Searches again.
2. Verify with the firewall and DNS experts of your organization whether the log message that is
displayed in the payload is a concern.
Note: Use Previous and Next on the Events Details toolbar to browse the events.
3. To return to the list of events, on the toolbar, click Return to Event List.
3. Observe the network events and verify that a network event triggers an offense.
Note: QRadar SIEM shows a red icon in the left-most column for network events that contribute to
an offense.
4. To investigate the offense, click the red icon in the left-most column.
Note: There is a delay between the time the red icon is shown next to the network event and
when the offense is created on the All Offenses page in the Offenses tab.
Note: Disable block pop-up windows in Firefox. On the Firefox toolbar, select Tools > Options >
Content > Disable block pop-up windows > OK.
Hint: To determine which rule triggered the offense, click the Display list and select Rules.
Note: The Policy Remote: Remote Desktop Access from the Internet rule that triggered this
offense is one of the default rules in the Enterprise tuning template. The rule evaluates Remote
Desktop Access from external IP addresses to internally hosted Microsoft Windows servers.
10. To investigate the flows that contributed to the offense, click Flows on the Offense Summary
page toolbar.
11. Examine the flow associated with this offense. Double-click the network event listed.
The Flow Details page opens.
b. Click Tune.
c. Click Close.
Note: Tuning an event or flow as a false positive updates the User-BB-FalsePositive: User
Defined False Positives building block.
d. Click OK.
Note: The QRadar SIEM administrator created the reference set of terminated users. Therefore,
the reference set exists.
Note: It is a best practice to define a rule-naming policy for rules that you create. You might
choose to name the rules with a prefix that easily identifies the rule. For example, IBM identifies
the IBM Corporation. Alternatively, create a group and assign the rules that you create to the
group.
b. Click the green plus (+) icon next to the when any of these event properties are contained in
any of these reference set(s) test.
Click the green + sign in front of the test to select it. The test will appear in the rule section.
d. Filter the fields in the event property list. In the Type to filter field, type user.
Select Username and click Add.
f. Click Submit.
i. Click Submit.
To add the second rule test, when an event matches any|all of the following rules, perform the
following steps:
k. Click the green plus (+) icon next to the only test listed.
m. Filter the options in the rules list. In the Type to filter field, type BB:Category.
o. Click Submit.
8. In the Note field, type This rule tracks the successful login of terminated users
accounts.
9. Verify that your rule tests look similar to the one in the graphic.
11. Configure the rule action and response as shown in the following table.
Configure the rule response.
Note: The Index offense based on parameter field defines the offense type on the All Offenses
page.
12. Verify that the configuration looks like the one in the graphic.
14. Verify that your rule summary looks similar to the one in the graphic.
16. Generate events to trigger offenses. In the PuTTY command line, type the following command:
./sendWindows.sh
Note: Wait five minutes for the log events to trigger offenses.
b. List the user IDs that created offenses. In the QRadar SIEM console, double-click the
Offenses tab and find offenses that have Watchlist in the description.
________________________________________________________________________
_____________________________________________
_____________________________________________
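The rule built in the preceding steps has two tests: the event's Username must be contained in the terminated-users reference set, and the event must match the successful-logon building block; offenses are then indexed by username. The following is an added example, not QRadar code and not part of this course guide: a small Python model of that rule that runs offline over constructed events, so you can check what the rule's Event/Flow Count and Offense Count would be for a given batch before sending real events. The reference set contents, the event records, the exact low-level category name and the offense description format are all assumptions.

```python
"""Toy model of the 'watchlist user login' rule from this exercise.
Constructed example: not QRadar's rule engine, and all values are assumptions."""
from dataclasses import dataclass, field

# Assumption: the reference set the QRadar administrator created for terminated users.
TERMINATED_USERS_REFERENCE_SET = {"dcross", "jsmith"}

# Assumption: the low-level category that the BB:Category login building block
# tests for. Replace it with the category your building block actually matches.
SUCCESSFUL_LOGON_CATEGORY = "Successful Logon Attempt"

# Constructed sample events (username, low-level category, source IP).
SAMPLE_EVENTS = [
    {"username": "dcross", "low_level_category": "Successful Logon Attempt", "source_ip": "10.10.5.20"},
    {"username": "DCROSS", "low_level_category": "Successful Logon Attempt", "source_ip": "10.10.5.21"},
    {"username": "jsmith", "low_level_category": "Failed Logon Attempt", "source_ip": "10.10.5.22"},
    {"username": "alice", "low_level_category": "Successful Logon Attempt", "source_ip": "10.10.5.23"},
    {"username": "jsmith", "low_level_category": "Successful Logon Attempt", "source_ip": "10.10.5.24"},
]


@dataclass
class Offense:
    """One offense, indexed by username (the 'Index offense based on' choice)."""
    description: str
    offense_source: str
    event_count: int = 0
    source_ips: list = field(default_factory=list)


def rule_matches(event, reference_set, category=SUCCESSFUL_LOGON_CATEGORY):
    """Rule test 1: Username is contained in the reference set.
    Rule test 2: the event matches the successful-logon building block.
    Usernames are compared case-insensitively here because Windows account
    names are not case-sensitive; this is a design choice of the example."""
    normalized = {u.lower() for u in reference_set}
    return (event["username"].lower() in normalized
            and event["low_level_category"] == category)


def evaluate_rule(events, reference_set=TERMINATED_USERS_REFERENCE_SET):
    """Run the rule over a batch of events.
    Returns (offenses keyed by lower-cased username, rule Event/Flow Count)."""
    offenses = {}
    rule_event_count = 0
    for ev in events:
        if not rule_matches(ev, reference_set):
            continue
        rule_event_count += 1
        key = ev["username"].lower()
        offense = offenses.setdefault(key, Offense(
            description="Watchlist user login containing " + ev["low_level_category"],
            offense_source=key))
        offense.event_count += 1
        offense.source_ips.append(ev["source_ip"])
    return offenses, rule_event_count


def offense_count(offenses):
    """The rule's Offense Count: one offense per distinct index value (username)."""
    return len(offenses)


if __name__ == "__main__":
    found, hits = evaluate_rule(SAMPLE_EVENTS)
    print("rule Event/Flow Count:", hits, "Offense Count:", offense_count(found))
    for name, off in found.items():
        print(name, "|", off.description, "| events:", off.event_count, "| from:", off.source_ips)
```

With the constructed events, the failed logon for jsmith and the successful logon for alice are ignored, the two dcross events (one upper-cased) fold into one offense, and the rule reports three events across two offenses. The case folding is the kind of detail worth checking against your own reference set type before relying on the rule.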
2. Answer the following questions about the rule that contributed to this offense.
a. What is the name of the rule that triggered this offense? On the All Offenses page,
double-click the Local DNS Scanner containing Invalid DNS offense. From the Display
list on the Offense Summary toolbar, select Rule.
_________________________________________________________________________
b. What behavior caused this rule to trigger? Double-click the rule listed previously to launch
the Edit Rules page. Review the rule's notes.
_________________________________________________________________________
_____________________________________________
c. If your investigation determines that the result is a false positive, how do you change the
rule behavior so that this source IP does not create an offense?
_____________________________________________
_____________________________________________
4. How many events or flows are associated with the BQX Watchlist User Activity rule? View the
Event/Flow Count parameter.
________________________________________________________________________
5. How many offenses are associated with the rule? View the Offense Count parameter.
________________________________________________________________________
6. Close the Watchlist user login containing Successful Logon Attempt offense for the
dcross offense source.
a. From the Offense tab navigation menu, select All Offenses.
e. Click OK.
9. How many events or flows are associated with this rule? View the Event/Flow Count
parameter.
Note: After an offense is closed, wait until the rule Event/Flow Count parameter updates.
________________________________________________________________________
10. How many offenses are associated with this rule? View the Offense Count parameter.
_________________________________________________________________________
11. What did you learn about the rule Event/Flow Count and Offense Count parameters?
_________________________________________________________________________
_____________________________________________
Perform the following steps to learn two different methods to delete changes that are made to a
system rule:
1. From the Offense tab navigation menu, select All Offenses.
2. Double-click the offense that is named Communication to a known Bot Command and
Control, whose offense source is 10.126.152.5.
b. On the Rules list page, from the Display list, select Building Blocks.
6. Double-click the User-BB-FalsePositive: User Defined False Positives building block to
open it for editing.
c. Click Remove.
d. Click Submit.
You return to the Rule Wizard page.
e. Click Finish.
c. Click OK.
Note: If you made many changes to a rule, use the Revert Rule option to set the rule to the
system default. The origin value for the rule changes from modified to system.
2. To show all the reports, disable the Hide Inactive Reports check box.
3. From the Group list, scroll down and select the SOX group.
4. In the Search Reports field, type Daily Top and click the Search Reports icon to filter the
report list.
6. From the Actions list on the Reports toolbar, select Run Report.
7. While the report is generating, examine the report. What groups contain the Daily Top
Targeted Hosts report?
________________________________________________________________________
9. Click Next until you see the Specify Report Contents page.
Note: This report has two containers. Each container defines the data to present in that section of
the report.
12. Click Define in the bottom container. The bottom container details page opens. What is the
name of the event search that generates the data in the bottom container?
________________________________________________________________________
14. Click Next twice. Note that the report format is PDF.
16. On the Reports tab, click the Refresh icon to update the status of the generation of the Daily
Top Targeted Hosts report.
17. When the report generates content, click the PDF icon in the Formats column to view the
report.
3. In the “This report should be scheduled to generate” pane, select the Daily option and the
check boxes for Monday through Friday.
4. Click Next.
5. On the Choose a Layout page, from the Orientation list, select Landscape.
7. Click Next.
8. On the Specify Report Contents page, in the Reports Title field, type Top Log Sources.
Note: A white background on the Chart Type container indicates that the container is not
configured.
11. Verify that the container details are configured as shown in the graphic.
(need graphic)
Note: After saving the container details, the background color of the container is green. The green
color indicates that the container is configured.
17. Verify that the Yes - Run this report when the wizard is complete check box is enabled.
20. Click the Refresh icon to update the status of the generation of the Top Log Sources report.
21. View the Next Run Time column for the Top Log Sources report.
Note: The Next Run Time column shows the status of the report generation. If the status is
Generating, it also provides an estimated time to finish generating the report. When the report
generates content, the Next Run Time column shows when the next report runs.
22. When the report generates content, click the PDF icon in the Formats column to view the
report.
4. Group the search results by user name. From the Display list, select Username.
b. In the Search Name field, type BQX Watchlist User Logins by Username.
c. Assign the search to the Authentication, Identity and User Activity group.
6. Verify that the search criteria look similar to the ones in the graphic.
7. Click OK.
e. Format the columns in the search results. Group the search results first by Source IP and
next by user name. Include Start Date and Start Time in the search results. Order the
search results by Count in descending order.
i. Scroll down to the Column Definition pane.
ii. In the Columns list, select Source IP. Click the Remove icon to move Source IP to the
Available Columns list.
iii. In the Available Columns list, select Source IP. Click the Add icon and move Source
IP to the Group By list.
iv. In the Group By list, select Source IP. Click the Move up icon to move Source IP to the
top of the Group By list.
v. In the Columns list, select all fields. Click the Remove icon to move the fields to the
Available Columns list.
vii. Click the add icon to move the Start Date to the Columns list.
ix. Click the add icon to move the Start Date to the Columns list.
f. Click Search.
b. In the Search Name field, type BQX Watchlist User Logins by IP.
c. Assign the search to the Authentication, Identity and User Activity group.
d. Click OK.
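Two search operations recur in these exercises: filtering a low-level category while excluding the offense's own source IP (the DNS Protocol Anomaly search earlier), and grouping login events by Source IP and then Username with Start Date, Start Time and a descending Count (the saved search just created). The following is an added example, not QRadar code and not part of this course guide: a Python version of both operations over constructed events, so the expected grouping can be checked offline. Field names, timestamps and IP addresses are assumptions.

```python
"""Offline model of the event filter and group-by searches used in these exercises.
Constructed example: not QRadar code; field names and sample values are assumptions."""

# Constructed sample events. 'start_time' is the event's first-seen time (ISO-like
# text so that string comparison orders chronologically).
SAMPLE_EVENTS = [
    {"start_time": "2015-02-10 08:01:12", "source_ip": "10.152.247.69", "username": "N/A",
     "low_level_category": "DNS Protocol Anomaly"},
    {"start_time": "2015-02-10 08:02:40", "source_ip": "10.152.247.69", "username": "N/A",
     "low_level_category": "DNS Protocol Anomaly"},
    {"start_time": "2015-02-10 08:05:03", "source_ip": "10.152.12.8", "username": "N/A",
     "low_level_category": "DNS Protocol Anomaly"},
    {"start_time": "2015-02-10 09:10:00", "source_ip": "10.10.5.20", "username": "dcross",
     "low_level_category": "Successful Logon Attempt"},
    {"start_time": "2015-02-10 09:12:31", "source_ip": "10.10.5.20", "username": "dcross",
     "low_level_category": "Successful Logon Attempt"},
    {"start_time": "2015-02-10 09:15:07", "source_ip": "10.10.5.24", "username": "jsmith",
     "low_level_category": "Successful Logon Attempt"},
    {"start_time": "2015-02-10 09:20:55", "source_ip": "10.10.5.20", "username": "jsmith",
     "low_level_category": "Successful Logon Attempt"},
]


def filter_events(events, low_level_category=None, exclude_source_ip=None):
    """Equivalent of the filters 'Low Level Category is X' and 'Source IP is not Y'.
    Either filter may be omitted; excluding the offense's source IP is what lets
    similar activity from other hosts stand out."""
    out = []
    for ev in events:
        if low_level_category and ev["low_level_category"] != low_level_category:
            continue
        if exclude_source_ip and ev["source_ip"] == exclude_source_ip:
            continue
        out.append(ev)
    return out


def group_by_source_ip_then_username(events):
    """Group By: Source IP, then Username. Columns: Start Date, Start Time, Count.
    Start Date/Time are taken from the earliest event in each group. Rows are
    ordered by Count descending; ties are broken by the group key so the
    output is deterministic."""
    groups = {}
    for ev in events:
        key = (ev["source_ip"], ev["username"])
        g = groups.setdefault(key, {"source_ip": ev["source_ip"], "username": ev["username"],
                                    "count": 0, "first_seen": ev["start_time"]})
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], ev["start_time"])
    rows = []
    for g in groups.values():
        date, time = g["first_seen"].split(" ")
        rows.append({"source_ip": g["source_ip"], "username": g["username"],
                     "start_date": date, "start_time": time, "count": g["count"]})
    rows.sort(key=lambda r: (-r["count"], r["source_ip"], r["username"]))
    return rows


if __name__ == "__main__":
    other_dns = filter_events(SAMPLE_EVENTS, "DNS Protocol Anomaly", exclude_source_ip="10.152.247.69")
    print("DNS anomalies from other sources:", [e["source_ip"] for e in other_dns])
    logins = filter_events(SAMPLE_EVENTS, "Successful Logon Attempt")
    for row in group_by_source_ip_then_username(logins):
        print(row)
```

Grouping first by Source IP and only then by Username is what separates one user logging in from several hosts from several users sharing one host; in the constructed data, 10.10.5.20 appears twice as a group key, once per user.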
5. On the Choose a Layout page, from the Orientation list, select Landscape.
7. Click Next.
8. On the Specify Reports Contents page, in the Report Title field, type Terminated users
logins.
9. In the top container, from the Chart Type list, select Events/Logs.
Hint: To determine the date and time of the QRadar SIEM server, in the PuTTY command line,
type date.
11. Verify that the container details look similar to those in the graphic.
Note: When you manually schedule the reports, you can specify a time period that guarantees
that the generated report has data. The data for this report was generated earlier today during a
previous student exercise. Remember that hourly, daily, weekly, and monthly reports use data
from a specific time period. During initial testing, enter a manual schedule. You can change the
report schedule to daily at a later time.
13. In the bottom container, from the Chart Type list, select Events/Logs.
14. Configure the Container Details as shown in the following table:
b. Assign the report to the Authentication, Identity and User Activity group.
c. Verify that the Yes - Run this report when the wizard is complete check box is enabled.
20. Click the Refresh icon to update status of the generation of the report.
21. When the report generates content, click the PDF icon in the Formats column to view the
report.
BQ102 2.0
Authorized
Training
ibm.com/training