Book Image

Building a Next-Gen SOC with IBM QRadar

By : Ashish M Kothekar
Book Image

Building a Next-Gen SOC with IBM QRadar

By: Ashish M Kothekar

Overview of this book

This comprehensive guide to QRadar will help you build an efficient security operations center (SOC) for threat hunting and need-to-know software updates, as well as understand compliance and reporting and how IBM QRadar stores network data in real time. The book begins with a quick introduction to QRadar components and architecture, teaching you the different ways of deploying QRadar. You’ll grasp the importance of being aware of the major and minor upgrades in software and learn how to scale, upgrade, and maintain QRadar. Once you gain a detailed understanding of QRadar and how its environment is built, the chapters will take you through the features and how they can be tailored to meet specifi c business requirements. You’ll also explore events, flows, and searches with the help of examples. As you advance, you’ll familiarize yourself with predefined QRadar applications and extensions that successfully mine data and find out how to integrate AI in threat management with confidence. Toward the end of this book, you’ll create different types of apps in QRadar, troubleshoot and maintain them, and recognize the current security challenges and address them through QRadar XDR. By the end of this book, you’ll be able to apply IBM QRadar SOC’s prescriptive practices and leverage its capabilities to build a very efficient SOC in your enterprise.
Table of Contents (18 chapters)
Part 1: Understanding Different QRadar Components and Architecture
Part 2: QRadar Features and Deployment
Part 3: Understanding QRadar Apps, Extensions, and Their Deployment

What this book covers

Chapter 1, QRadar Components, explains all the QRadar components, what the different QRadar services are, and which services run on which components. This chapter will help you understand how QRadar is designed and how different components provide different functionalities.

Chapter 2, How QRadar Components Fit Together, looks at the QRadar console, which is the central component around which other components fit together; depending on the requirement, other QRadar components can be added to the console. Also, we will explain in detail what different types of deployments exist – namely, all-in-one deployment and distributed deployment.

Chapter 3, Managing QRadar Deployments, deals with installing, upgrading, and scaling QRadar as and when required. We also discuss licensing requirements in QRadar.

Chapter 4, Integrating Logs and Flows in QRadar, discusses the practical aspects of ingesting data in QRadar. There are various ways in which different types of events and flow data are ingested, which are described in detail in this chapter.

Chapter 5, Leaving No Data Behind, explores how data is handled by QRadar. The majority of the shortcomings when working with QRadar occur while ingesting data. We will also discuss the DSM Editor, a tool to ingest data that is not supported out of the box.

Chapter 6, QRadar Searches, discusses how searches work and how they can be tuned in QRadar. SIEM is only as efficient as the searches performed on it. We will also discuss the different types of searches in QRadar and how data accumulation works in it.

Chapter 7, QRadar Rules and Offenses, delves into one of the most fundamental aspects of QRadar, which is rules and offenses. We will discuss the different types of rules, how to run rules for historical data called historical correlation, how offenses are generated, and finally, how to fine-tune and manage rules and offenses.

Chapter 8, The Insider Threat – Detection and Mitigation, examines how UBA can be used to detect an insider threat in your organization. IBM has a public portal where apps are published, which can be downloaded and installed on QRadar. Some of these apps are created by IBM, while other vendors have come up with apps for their own applications. IBM UBA is one such app developed by IBM for insider threat management.

Chapter 9, Integrating AI into Threat Management, discusses three QRadar apps – the QRadar Assistant app, QRadar Advisor for Watson, and QRadar Use Case Manager. We will also discuss the practical use of these apps.

Chapter 10, Re-Designing User Experience, explores how to use apps to improve the user experience. IBM QRadar needed an overhaul when it came to user experience. Hence, IBM devised apps such as IBM QRadar Pulse and IBM Analyst Workflow to change the way QRadar can be managed, which we will look at in this chapter.

Chapter 11, WinCollect – the Agent for Windows, focuses on how to install, manage, upgrade, and fine-tune Wincollect agents, one of many in-built features from IBM QRadar. Wincollect is an agent for the Windows operating system and collects events from Windows machines. It can also poll events from other Windows machines where it is not installed and send them to QRadar.

Chapter 12, Troubleshooting QRadar, examines the pain points and solutions to many of the issues in QRadar, based on years of experience working with it. There are tips and tricks as well as a list of frequently asked questions about QRadar. This chapter should help you become a pro user of QRadar.