Building a Next-Gen SOC with IBM QRadar

By: Ashish M Kothekar

Overview of this book

This comprehensive guide to QRadar will help you build an efficient security operations center (SOC) for threat hunting and need-to-know software updates, as well as understand compliance and reporting and how IBM QRadar stores network data in real time. The book begins with a quick introduction to QRadar components and architecture, teaching you the different ways of deploying QRadar. You’ll grasp the importance of being aware of the major and minor upgrades in software and learn how to scale, upgrade, and maintain QRadar. Once you gain a detailed understanding of QRadar and how its environment is built, the chapters will take you through the features and how they can be tailored to meet specific business requirements. You’ll also explore events, flows, and searches with the help of examples. As you advance, you’ll familiarize yourself with predefined QRadar applications and extensions that successfully mine data and find out how to integrate AI in threat management with confidence. Toward the end of this book, you’ll create different types of apps in QRadar, troubleshoot and maintain them, and recognize the current security challenges and address them through QRadar XDR. By the end of this book, you’ll be able to apply IBM QRadar SOC’s prescriptive practices and leverage its capabilities to build a very efficient SOC in your enterprise.
Table of Contents (18 chapters)

  • Part 1: Understanding Different QRadar Components and Architecture
  • Part 2: QRadar Features and Deployment
  • Part 3: Understanding QRadar Apps, Extensions, and Their Deployment

Getting to know the Data Node

Event and flow data are required for security purposes as well as for compliance. The amount of storage available on the Console and processors might not be enough for compliance.

For example, a central bank may mandate that event and flow data be kept for 2 years, while the storage available on the processors can hold only 6 months of data. In such a scenario, multiple Data Nodes can be added to a processor so that the processed data can be stored for the required period.

Adding a Data Node to deployment has two advantages:

  • Increases the storage space for event and flow data
  • Searches are more efficient when Data Nodes are used

Multiple Data Nodes can be attached to a single processor, but one Data Node cannot be attached to multiple processors. In other words, a Data Node shares data with exactly one processor.

When Data Nodes are added to the deployment, a process called data rebalancing takes place: the data arriving at the processor is distributed amongst the Data Nodes attached to it.

If a Data Node goes down (or crashes), incoming data is not written to that Data Node. Once the Data Node is back up, data is rebalanced again between the processor and the Data Node. We will cover Data Nodes in more detail when discussing searches in Chapter 6.
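The capacity-planning question in this section (how many Data Nodes does a processor need to meet a retention mandate?) and the rebalancing behaviour described above can both be worked through with a small model. The following is an added example written for this edition, not code from the book or from IBM; it assumes a simplified rebalancing rule (every online member of the cluster is kept at the same fill ratio) and uses constructed capacity figures, so it illustrates the concepts rather than QRadar's actual internal algorithm.

```python
"""Toy model of a QRadar processor with attached Data Nodes.

Assumptions (not taken from the book or from IBM documentation):
  * a Data Node belongs to exactly one processor, as the text states;
  * rebalancing keeps every online member at the same fill ratio;
  * an offline Data Node keeps its data but receives no new writes.
"""
import math
from dataclasses import dataclass


@dataclass
class StorageMember:
    """A processor or a Data Node with a fixed amount of event/flow storage."""
    name: str
    capacity_gb: float
    used_gb: float = 0.0
    online: bool = True

    @property
    def fill_ratio(self) -> float:
        return self.used_gb / self.capacity_gb


class ProcessorCluster:
    """A processor plus the Data Nodes attached to it (hypothetical model)."""

    def __init__(self, processor_capacity_gb: float) -> None:
        self.processor = StorageMember("processor", processor_capacity_gb)
        self.data_nodes: list[StorageMember] = []

    # ---- capacity planning -------------------------------------------------
    def online_members(self) -> list[StorageMember]:
        return [self.processor] + [n for n in self.data_nodes if n.online]

    def total_capacity_gb(self) -> float:
        return sum(m.capacity_gb for m in self.online_members())

    def retention_days(self, daily_ingest_gb: float) -> float:
        """How many days of data the online storage can hold at a given rate."""
        return self.total_capacity_gb() / daily_ingest_gb

    def data_nodes_needed(self, required_days: int, daily_ingest_gb: float,
                          node_capacity_gb: float) -> int:
        """Number of Data Nodes (of one size) to add to reach a retention target.

        Compliance example from the text: a 2-year mandate against a processor
        that alone holds far less. Existing Data Nodes are not counted here.
        """
        shortfall_gb = required_days * daily_ingest_gb - self.processor.capacity_gb
        return max(0, math.ceil(shortfall_gb / node_capacity_gb))

    # ---- ingest and rebalancing --------------------------------------------
    def attach(self, name: str, capacity_gb: float) -> StorageMember:
        """Add a Data Node; the text says adding one triggers rebalancing."""
        node = StorageMember(name, capacity_gb)
        self.data_nodes.append(node)
        self.rebalance()
        return node

    def ingest(self, gb: float) -> None:
        """Write new data across the online members, keeping them equally full.

        Offline members are skipped entirely: they keep what they already hold
        (simulates "incoming data is not written to a Data Node that is down").
        """
        members = self.online_members()
        total_used = sum(m.used_gb for m in members) + gb
        total_cap = sum(m.capacity_gb for m in members)
        if total_used > total_cap:
            raise RuntimeError("online storage exhausted; retention breached")
        target_ratio = total_used / total_cap
        for m in members:
            m.used_gb = m.capacity_gb * target_ratio

    def rebalance(self) -> None:
        """Redistribute existing data across whatever is online right now."""
        self.ingest(0.0)


if __name__ == "__main__":
    # Constructed figures: 1 TB on the processor, 10 GB/day of events and flows.
    cluster = ProcessorCluster(processor_capacity_gb=1000)
    print("retention with processor only:", cluster.retention_days(10), "days")
    print("2 TB Data Nodes needed for 730 days:",
          cluster.data_nodes_needed(730, 10, 2000))
    dn1 = cluster.attach("dn1", 2000)
    dn2 = cluster.attach("dn2", 2000)
    cluster.ingest(500)
    dn2.online = False           # dn2 crashes: no new writes land on it
    cluster.ingest(300)
    dn2.online = True            # dn2 returns, data is rebalanced again
    cluster.rebalance()
    for m in cluster.online_members():
        print(f"{m.name}: {m.used_gb:.0f} GB used ({m.fill_ratio:.0%})")
```

The `data_nodes_needed` method is the part a SOC architect would actually reach for: plug in the mandated retention period and the measured daily ingest, and it tells you how far the processor's own disks fall short. The `ingest`/`rebalance` pair shows why a single Data Node outage does not lose data but does temporarily concentrate new writes on the remaining members, which is worth watching on capacity dashboards.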