
IBM Training

IBM Security QRadar SIEM Foundations


Student Exercises
Course code BQ102 ERC 2.0

February 2015

IBM Security Systems


All files and material for this course are IBM copyright property covered by the following copyright notice.

© Copyright IBM Corp. 2015. All Rights Reserved.

US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the
web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the
U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or
implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without
notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other
materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations
from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software.

References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion
based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth, savings or other results.
Contents
About these exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Virtual machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Logging in to the Windows VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Logging in to the QRadar SIEM server VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Logging in to the QRadar SIEM console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

1 Introduction to IBM Security QRadar SIEM exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


This unit has no student exercises.

2 How QRadar SIEM collects security data exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2


This unit has no student exercises.

3 Using the QRadar SIEM dashboard exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3


Exercise 1. Creating a new dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

4 Investigating an offense that is triggered by events exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . 5


Exercise 1. Investigating the local DNS scanner offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

5 Investigating the events of an offense exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10


Exercise 1. Looking for events that contribute to an offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Exercise 2. Saving search criteria and search results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Exercise 3. Investigating event details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

6 Using asset profiles to investigate offenses exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18


This unit has no student exercises.

7 Investigating an offense that is triggered by flows exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . 19


Exercise 1. Investigating an offense that is triggered by flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

8 Using rules and building blocks exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24


Exercise 1. Creating an event rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Exercise 2. Analyzing the rule that contributed to the Local DNS Scanner offense . . . . . . . . . . . . . . . . . 30
Exercise 3. Working with rule parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Exercise 4. Deleting changes that are made to a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Exercise 5. Searching for a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

9 Creating QRadar SIEM reports exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36


Exercise 1. Viewing an existing report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Exercise 2. Creating a new event report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Exercise 3. Creating a new search and report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

© Copyright IBM Corp. 2014 Student Exercises iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

Creating a search of terminated user login activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42


Creating a terminated user login activity report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

10 Performing advanced filtering exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49


This unit has no student exercises.

About these exercises

Virtual machines
The lab environment uses the following two virtual machines (VMs):
• QRadar SIEM server, a virtual machine running IBM Security QRadar SIEM 7.2.3 licensed
program running on Red Hat Enterprise Linux server 6.5 licensed program
• Windows DC, a virtual machine running Microsoft Windows 2008 Enterprise Server x64 Edition
licensed program with PuTTY licensed program and Mozilla Firefox licensed program that is
used to access the QRadar SIEM virtual machine

Logging in to the Windows VM


To log in to the Windows VM, use the following credentials:
• User name: Administrator
• Password: object00

Note: On a Windows VM, the key combination Ctrl+Alt+Ins is the same as Ctrl+Alt+Del.

Logging in to the QRadar SIEM server VM


1. On the Windows VM desktop, double-click the PuTTY icon.


2. Double-click the QRadar saved session.

3. Use the following credentials to log in to the QRadar SIEM server:


– User name: root
– Password: object00

Logging in to the QRadar SIEM console


To log in to the QRadar SIEM console, perform the following steps:
1. On the Windows VM desktop, open the Firefox web browser.
The browser opens the QRadar SIEM console.

2. Click Login to QRadar.

Note: The credentials to log in to the QRadar SIEM console are user name admin and password
object00.

1 Introduction to IBM Security QRadar SIEM exercises
This unit has no student exercises.

2 How QRadar SIEM collects security data exercises
This unit has no student exercises.

3 Using the QRadar SIEM dashboard exercises
The exercise in this unit teaches how to create a new dashboard and add items to the dashboard.
The Dashboard is the default view when you log in to QRadar SIEM. It provides a workspace
environment that supports multiple dashboards to display views of network security, activity, or data
that QRadar SIEM collects. The Dashboard tab provides seven default dashboards focused on
threat and security, network activity, application activity, system monitoring, compliance,
vulnerability management, and virtual cloud infrastructure. Each dashboard shows a default set of
items. The dashboard items act as launch points to navigate to more detailed data. Create a
custom dashboard to focus on your network security responsibilities.

Exercise 1 Creating a new dashboard


To create a new dashboard and add items to the dashboard, perform the following steps:
1. Log in to the Windows server. Use the procedure “Logging in to the Windows VM” on page v.

2. Open a PuTTY session on the QRadar SIEM server. Use the procedure “Logging in to the
QRadar SIEM server VM” on page v.

3. To generate events, in the PuTTY command line, type the following command:
cd /labfiles
./sendCheckpoint.sh 1>/dev/null 2>&1 &

4. Log in to the QRadar SIEM console. Use the procedure “Logging in to the QRadar SIEM
console” on page vi.

5. Click the New Dashboard icon.

6. In the Name field, type My Own Dashboard.


7. In the Description field, type Demonstration Dashboard.

8. Click OK.

Note: A new custom dashboard is empty by default. Therefore, you must add items to the
dashboard.

9. To add items to the new dashboard, from the Add Item list, select the following items:
a. Offenses > Offenses > Most Severe Offenses

b. Log Activity > Event Searches > Top Services Denied through Firewalls

c. Log Activity > Event Searches > Event Rate (EPS)

10. Drag the items to an empty spot on the dashboard.

11. Click the Refresh icon to update the window.

12. Verify that the dashboard includes an offense item and two log events items. Depending on
where you positioned the items, your dashboard looks similar to the following graphic.

4 Investigating an offense that is triggered by events exercises

Exercise 1 Investigating the local DNS scanner offense

To investigate an offense triggered by events, this exercise looks at the offense named Local DNS
Scanner containing Invalid DNS. Perform the following steps:
1. In the QRadar SIEM console, double-click the Offenses tab.
The All Offenses page opens.

2. Select the offense with the description Local DNS Scanner containing Invalid DNS.
a. If you do not see the Local DNS Scanner containing Invalid DNS offense, search for the
offense. From the Search list, select New Search.

b. On the Search Parameters pane, define the search criteria. In the Description field, type
Local DNS Scanner.

Note: The Description search criterion is case-sensitive.

c. Click Search.


The All Offenses page shows the offense that meets the search criteria, Local DNS
Scanner containing Invalid DNS.

3. Answer the following questions for the Local DNS Scanner containing Invalid DNS offense.
a. What is the offense type and offense source and magnitude?

Hint: Hold the mouse over the Magnitude to obtain the numeric value.

_________________________________________________________________________

b. What network does the offense source IP belong to?

Hint: Hold the mouse over the Offense Source IP to obtain the network.

_________________________________________________________________________


4. Double-click the Local DNS Scanner containing Invalid DNS offense to view the Offense
Summary page. The Offense Summary page provides detailed information about the offense.

5. Answer the following questions for this offense.


a. How many events or flows are associated with this offense?
________________________________________________________________________

b. What time did this offense begin?


________________________________________________________________________

c. Is the source IP involved in any other offenses?


________________________________________________________________________

d. How many destination IPs are targets of the offense? Are the destination IPs local or
remote devices?
________________________________________________________________________


e. List the event categories that contributed to this offense. From the Display list on the
toolbar, select Categories to view the event categories.

_________________________________________________________________________
_____________________________________________

f. What do you learn about this offense based on the annotations? From the Display list on
the toolbar, select Annotations.
_________________________________________________________________________
_____________________________________________
_____________________________________________
_____________________________________________
_____________________________________________

g. What is the event name, event category, and destination port for the events listed in the
Last 10 Events list? Click Summary on the toolbar and scroll down to the Last 10 Events
list.

________________________________________________________________________

h. The destination port is well known for what type of server communications?
________________________________________________________________________

6. Perform the following actions on this offense.


a. Add a note:
i. From the Actions toolbar, select Add Note.

ii. Type This offense was investigated in the QRadar SIEM Foundations course.

iii. Click Add Note.

Note: The note is displayed in the Last 5 Notes pane on the Offense Summary page. A Notes
icon is displayed in the Status field on the Offense Summary page and in the flag column for the
offense on the All Offenses page. Hold the mouse over the Notes icon to view the note.

b. Protect the offense. From the Actions toolbar on the Offense Summary page, select
Protect Offense. The Protected icon is displayed in the Status field on the Offense
Summary page and in the flag column for the offense on the All Offenses page.

Why do you protect an offense?


________________________________________________________________________
_____________________________________________

5 Investigating the events of an offense exercises

Exercise 1 Looking for events that contribute to an offense

In Unit 4, "Investigating an offense that is triggered by events exercises," on page 5, you
investigated the offense by analyzing the offense summary information. In this exercise, you use
the log events that are viewed in the Log Activity tab to further analyze the offense.
1. In the QRadar SIEM console, double-click the Offenses tab.
The All Offenses page opens.

2. Find and double-click the Local DNS Scanner containing Invalid DNS offense.

3. Show the low-level categories of the offense’s events by selecting Display > Categories on the
toolbar.

4. To investigate the events that are associated with this offense in the low-level category DNS
Protocol Anomaly, right-click the table row that shows DNS Protocol Anomaly and click
Events.


Note: Alternatively, you can select DNS Protocol Anomaly and click Events in the title bar
above the table.

The List of Events page opens.

5. Create a filter to exclude the source IP that contributed to the Local DNS Scanner offense.
Select an event. Right-click 10.152.247.69 and select Filter on Source IP is not
10.152.247.69.

6. What results are returned?


________________________________________________________________________

7. What do the results of this search indicate?


________________________________________________________________________
_____________________________________________


8. To look for similar DNS requests unrelated to the offense, click Clear Filter for the Offense is
Local DNS Scanner filter.

9. What results are returned? Why?


_________________________________________________________________________
_____________________________________________

10. To view events from the last 24 hours, in the View list, select Last 24 Hours.

QRadar SIEM shows events of the low-level category DNS Protocol Anomaly that do not
originate from the IP address 10.152.247.69, which is the source IP address of the offense
triggered by DNS scanning.


11. Review the suspicious DNS requests from other sources.
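The search that steps 4 through 11 build in the console can be written down as a small filter, which makes it clear why step 6 returns nothing, why clearing the offense filter in step 8 widens the result, and what the Last 24 Hours timespan removes. The following Python model is an added example and is not part of the course material or of QRadar SIEM; the low-level category, the offense name and the IP address 10.152.247.69 come from the exercise, while the events, their timestamps and the fixed "now" are constructed for the example.

```python
# Added example, not part of the IBM course material: a small model of the
# Log Activity search that this exercise builds step by step. The category,
# offense name and IP address come from the exercise; the events are constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

OFFENSE_NAME = "Local DNS Scanner containing Invalid DNS"
OFFENSE_SOURCE_IP = "10.152.247.69"      # source IP of the offense (from the exercise)
CATEGORY = "DNS Protocol Anomaly"        # low-level category selected in step 4

# Fixed "now" so the Last 24 Hours window is deterministic (constructed).
NOW = datetime(2015, 2, 10, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    start_time: datetime
    source_ip: str
    low_level_category: str
    offense: Optional[str]   # offense the event contributed to, or None


# Constructed sample events: the offender, two other internal sources, and noise.
EVENTS = [
    Event(NOW - timedelta(minutes=5), OFFENSE_SOURCE_IP, CATEGORY, OFFENSE_NAME),
    Event(NOW - timedelta(minutes=4), OFFENSE_SOURCE_IP, CATEGORY, OFFENSE_NAME),
    Event(NOW - timedelta(hours=2), "10.152.12.7", CATEGORY, None),
    Event(NOW - timedelta(hours=3), "10.152.12.7", CATEGORY, None),
    Event(NOW - timedelta(hours=20), "192.168.50.3", CATEGORY, None),
    Event(NOW - timedelta(hours=30), "192.168.50.3", CATEGORY, None),  # older than 24 hours
    Event(NOW - timedelta(hours=1), "10.152.12.7", "DNS Query", None),  # different category
]


def search(events, *, category, exclude_source_ip, offense=None, last_hours=None, now=NOW):
    """Apply the filters of the exercise.

    category          -> the low-level category chosen from the offense (step 4)
    exclude_source_ip -> 'Source IP is not 10.152.247.69' (step 5)
    offense           -> 'Offense is Local DNS Scanner'; None means the filter was cleared (step 8)
    last_hours        -> the View timespan, e.g. 24 for Last 24 Hours (step 10)
    """
    cutoff = now - timedelta(hours=last_hours) if last_hours is not None else None
    results = []
    for e in events:
        if e.low_level_category != category:
            continue
        if e.source_ip == exclude_source_ip:
            continue
        if offense is not None and e.offense != offense:
            continue
        if cutoff is not None and e.start_time < cutoff:
            continue
        results.append(e)
    return results


def sources_by_count(events):
    """Count the remaining events per source IP, the view used in step 11 to review other sources."""
    return Counter(e.source_ip for e in events).most_common()


if __name__ == "__main__":
    kept = search(EVENTS, category=CATEGORY, exclude_source_ip=OFFENSE_SOURCE_IP, offense=OFFENSE_NAME)
    print("step 6, offense filter kept:", len(kept), "events")  # 0: every offense event has the excluded source
    cleared = search(EVENTS, category=CATEGORY, exclude_source_ip=OFFENSE_SOURCE_IP)
    print("step 9, offense filter cleared:", len(cleared), "events")
    last_day = search(EVENTS, category=CATEGORY, exclude_source_ip=OFFENSE_SOURCE_IP, last_hours=24)
    print("step 10, last 24 hours:", sources_by_count(last_day))
```

With the offense filter still in place the exclusion of 10.152.247.69 removes every event, because all events of this offense share that source; only after the offense filter is cleared do the DNS Protocol Anomaly events of other hosts appear, and the timespan then drops the older ones.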

Exercise 2 Saving search criteria and search results

To save the search criteria and search results for future reference, perform the following steps:
1. Save the current search criteria.
a. On the toolbar, click Save Criteria.
The Save Criteria window opens.

b. Configure the Save Criteria window as shown in the following table:


Field / Option                  Setting
Search Name                     Dept - DNS Protocol Anomaly without 10.152.247.69
Assign Search to Group(s)       CheckPoint
Timespan options                Recent Last 24 Hours
Include in my Quick Searches    Enable
Set as Default                  Disable
Share with Everyone             Disable

c. Verify that the Save Criteria settings look like the ones in the graphic.

d. Click OK.

2. Save the current search results.


a. On the toolbar, click Save Results.

The Save Search Result window opens.


b. In the Name field, type DNS Protocol Anomaly without 10.152.247.69.

c. Click OK.

3. Revisit or delete your saved search results.


a. On the List of Events page’s toolbar, click Search > Manage Search Results.

The Search Results Management page opens.

b. Select your search results and click Delete.

c. Close the Search Results Management page.

Exercise 3 Investigating event details


The details of an event, particularly its payload, can provide further insights. To investigate the
details of an event, perform the following steps:
1. Find and run your saved search.
a. In the QRadar SIEM console, double-click the Log Activity tab.

b. On the Log Activity tab toolbar, click Quick Searches.

c. Select Dept - DNS Protocol Anomaly without 10.152.247.69 - Last 24 Hours.


Hint: If you do not see your saved search, double-click the Log Activity tab and click Quick
Searches again.

d. In the search result, double-click an event.


The Event Details page opens in the Log Activity tab.


2. Verify with the firewall and DNS experts of your organization whether the log message that is
displayed in the payload is a concern.

Note: Use Previous and Next on the Events Details toolbar to browse the events.

3. To return to the list of events, on the toolbar, click Return to Event List.

6 Using asset profiles to investigate offenses exercises
This unit has no student exercises.

7 Investigating an offense that is triggered by flows exercises

Exercise 1 Investigating an offense that is triggered by flows

To investigate an offense that is triggered by flows, perform the following steps:
1. Generate network traffic. In the PuTTY command line, type the following command:
./startRdp.sh

2. In the QRadar SIEM console, click the Network Activity tab.

3. Observe the network events and verify that a network event triggers an offense.

Note: QRadar SIEM shows a red icon in the left-most column for network events that contribute to
an offense.

4. To investigate the offense, click the red icon in the left-most column.


Note: There is a delay between the time the red icon is shown next to the network event and
when the offense is created on the All Offenses page in the Offenses tab.

Note: Disable block pop-up windows in Firefox. On the Firefox toolbar, select Tools > Options >
Content > Disable block pop-up windows > OK.

The Offense Summary page opens.

5. What is the name of the offense?


_________________________________________________________________________

6. What is the offense type and offense source?


_________________________________________________________________________

7. What is the destination IP?


_________________________________________________________________________

8. How many events are associated with this offense?


_________________________________________________________________________
How many flows are associated with this offense?
_________________________________________________________________________


9. What rule contributed to this offense?


________________________________________________________________________

Hint: To determine which rule triggered the offense, click the Display list and select Rules.

Note: The Policy Remote: Remote Desktop Access from the Internet rule that triggered this
offense is one of the default rules in the Enterprise tuning template. The rule evaluates Remote
Desktop Access from external IP addresses to internally hosted Microsoft Windows servers.

10. To investigate the flows that contributed to the offense, click Flows on the Offense Summary
page toolbar.


The Flow List page opens.

11. Examine the flow associated with this offense. Double-click the network event listed.
The Flow Details page opens.

12. Answer the following questions:


a. What is the flow direction?
_________________________________________________________________________

b. What is the application name?


_________________________________________________________________________

c. Based on your investigation, what behavior triggered this offense?


_________________________________________________________________________

13. Tune the network event as a false positive.


a. On the Flow Details page’s toolbar, click False Positive.


The False Positive page opens.

b. Click Tune.

c. Click Close.

Note: Tuning an event or flow as a false positive updates the User-BB-FalsePositive: User
Defined False Positives building block.

14. Close the Flow Details page.

15. Close the offense.


a. On the Offenses tab navigation menu, select All Offenses.

b. From the Actions list on the toolbar, select Close.

c. From the Reason for Closing list, select False-Positive, Tuned.

d. Click OK.
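The rule examined in step 9 and the false-positive tuning applied in step 13 can be modelled together to show why the flow triggered the offense (a remote source reaching an internal Windows server over Remote Desktop) and why the same flow no longer contributes after tuning. The following Python model is an added example and is not the course's or QRadar's own code; the rule name and the building block name User-BB-FalsePositive come from the exercise, while the network hierarchy, the Windows server address, the flows and the use of TCP port 3389 (the standard RDP port) are assumptions of the example.

```python
# Added example, not part of the IBM course material: a toy model of the flow
# rule 'Policy Remote: Remote Desktop Access from the Internet' and of the
# false-positive tuning of step 13. Network hierarchy, server address, flows
# and the RDP port are assumptions of this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed network hierarchy: addresses in these ranges are local, all others remote.
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed list of internally hosted Microsoft Windows servers.
WINDOWS_SERVERS = {"10.10.20.15"}
RDP_PORT = 3389   # standard Remote Desktop port (assumption of the example)


def is_local(ip: str) -> bool:
    return any(ip_address(ip) in net for net in LOCAL_NETWORKS)


@dataclass(frozen=True)
class Flow:
    source_ip: str
    destination_ip: str
    destination_port: int
    application: str

    def direction(self) -> str:
        """Flow direction as QRadar labels it: L2L, L2R, R2L or R2R."""
        src = "L" if is_local(self.source_ip) else "R"
        dst = "L" if is_local(self.destination_ip) else "R"
        return f"{src}2{dst}"


@dataclass
class FalsePositiveBuildingBlock:
    """Stand-in for User-BB-FalsePositive: User Defined False Positives.

    Tuning a flow records its source, destination and destination port;
    flows matching a recorded tuple are no longer considered by the rule.
    """
    tuned: set = field(default_factory=set)

    def tune(self, flow: Flow) -> None:
        self.tuned.add((flow.source_ip, flow.destination_ip, flow.destination_port))

    def matches(self, flow: Flow) -> bool:
        return (flow.source_ip, flow.destination_ip, flow.destination_port) in self.tuned


def rule_remote_desktop_from_internet(flow: Flow, false_positives: FalsePositiveBuildingBlock) -> bool:
    """True when the flow should contribute to an offense.

    The rule evaluates Remote Desktop access from external (remote) addresses
    to internally hosted Windows servers; tuned false positives are skipped.
    """
    if false_positives.matches(flow):
        return False
    return (
        flow.direction() == "R2L"
        and flow.destination_port == RDP_PORT
        and flow.destination_ip in WINDOWS_SERVERS
    )


def evaluate(flows, false_positives):
    """Return the flows that trigger the rule, in order."""
    return [f for f in flows if rule_remote_desktop_from_internet(f, false_positives)]


# Constructed flows: one RDP session from the Internet, one internal RDP session, one HTTPS session.
FLOWS = [
    Flow("203.0.113.45", "10.10.20.15", 3389, "RDP"),
    Flow("10.10.5.8", "10.10.20.15", 3389, "RDP"),
    Flow("203.0.113.45", "10.10.20.15", 443, "HTTPS"),
]

if __name__ == "__main__":
    bb = FalsePositiveBuildingBlock()
    hits = evaluate(FLOWS, bb)
    print("before tuning:", [(f.source_ip, f.direction()) for f in hits])
    bb.tune(hits[0])                      # step 13: tune the flow as a false positive
    print("after tuning:", evaluate(FLOWS, bb))
```

Only the R2L flow to the Windows server on the RDP port matches; the internal session is L2L and the HTTPS session uses a different port. After the matching flow is tuned, the same flow no longer contributes, which is what the closing reason False-Positive, Tuned records in step 15.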

8 Using rules and building blocks exercises

Exercise 1 Creating an event rule


Because scripts might run using terminated employees’ user IDs, the organization wants to monitor
the user accounts of terminated employees. You decide to configure QRadar SIEM to perform the
following tasks:
• Create an event rule to create offenses for login activity
• Use a reference set to identify a class of objects

Note: The QRadar SIEM administrator created the reference set of terminated users. Therefore,
the reference set exists.

In this exercise, you perform the following tasks:


– Create an event rule
– Generate events to trigger offenses
– Investigate the offenses

To create an event rule, perform the following steps:


1. In the QRadar SIEM console, click the Log Activity tab.

2. From the Rules list on the toolbar, select Rules.


3. From the Actions list, select New Event Rule.

The Rules wizard opens.

4. Click Next twice.


The Rule Wizard – Rule Test Stack Editor opens.

5. In the Apply field, type BQX Watchlist User Activity.

Note: It is a best practice to define a naming policy for the rules that you create. You might
choose to name the rules with a prefix that easily identifies the rule; for example, the prefix IBM
identifies rules provided by IBM Corporation. Alternatively, create a group and assign the rules that
you create to the group.

6. Add the following tests to the rule under these conditions:


– when any of these event properties are contained in any of these reference set(s)
– when an event matches any|all of the following rules
To add the first rule test, when any of these event properties are contained in any of these
reference set(s), perform the following steps:
a. Filter the options in the Test Group list. In the Type to filter field, type ref.

b. Click the green plus (+) icon in front of the when any of these event properties are contained
in any of these reference set(s) test to select it. The test appears in the rule section.

The underlined green sections of the rule are testable objects.

c. Click the testable object these event properties.

© Copyright IBM Corp. 2014 Student Exercises 25


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
8 Using rules and building blocks exercises 
Exercise 1 Creating an event rule

d. Filter the fields in the event property list. In the Type to filter field, type user.

e. Select Username and click Add.

f. Click Submit.

g. Click the testable object these reference set(s).

h. Select the reference set Watchlist Users and click Add.

i. Click Submit.
To add the second rule test, when an event matches any|all of the following rules, perform the
following steps:

j. In the Test Group list, select Functions - Simple.

k. Click the green plus (+) icon next to the only test listed.

l. Click the testable object rules.

m. Filter the options in the rules list. In the Type to filter field, type BB:Category.

n. Select BB:CategoryDefinition: Authentication Success and click Add.

o. Click Submit.

7. Assign the rule to the group Authentication.

8. In the Note field, type This rule tracks successful logins by the accounts of terminated
users.

9. Verify that your rule tests look similar to the one in the graphic.

10. Click Next.

26 IBM Security QRadar SIEM Foundations © Copyright IBM Corp. 2014


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
8 Using rules and building blocks exercises
Exercise 1 Creating an event rule

11. Configure the rule action and rule response as shown in the following table.

Field / Option                                         Setting
------------------------------------------------------ ------------------------------------------------
Rule Action
  Ensure the detected event is part of an offense      enable
  Index offense based on                               Username
  Annotate this offense                                enable; annotation: Watchlist user login success
  Annotate the event                                   enable; annotation: Watchlist user login success
Rule Response
  Dispatch New Event                                   enable
  Event Name                                           Watchlist user login
  Event Description                                    Watchlist user login
  Severity                                             8
  Credibility                                          10
  Relevance                                            10
  High Level Category                                  Authentication
  Low Level Category                                   User Login Success
  Annotate this offense                                enable; annotation: Watchlist user login success
  Ensure the dispatched event is part of an offense    enable
  Index offense based on                               Username
  This information should contribute to the naming
  of the associated offense(s)                         enable

Note: The Index offense based on field defines the offense type (the Offense Type column) that the
All Offenses page shows for the offenses that this rule creates.

© Copyright IBM Corp. 2014 Student Exercises 27


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
8 Using rules and building blocks exercises 
Exercise 1 Creating an event rule

12. Verify that the configuration looks like the one in the graphic.

13. Click Next.

14. Verify that your rule summary looks similar to the one in the graphic.

15. Click Finish.

28 IBM Security QRadar SIEM Foundations © Copyright IBM Corp. 2014


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
8 Using rules and building blocks exercises
Exercise 1 Creating an event rule

16. Generate events to trigger offenses. In the PuTTY command line, type the following command:
./sendWindows.sh

Note: Allow up to five minutes for the log events to be processed and the offenses to appear.

17. Investigate the offenses created. Answer the following questions:


a. How many offenses did the BQX Watchlist User Activity rule create? On the Rules page,
select the rule and look at the Offense Count parameter.
________________________________________________________________________

b. List the user IDs that created offenses. In the QRadar SIEM console, click the Offenses tab
and find the offenses that have Watchlist in the description.
________________________________________________________________________

c. What is the source IP address of the offenses created?

_____________________________________________
_____________________________________________
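The rule you just built, written out as plain Python so that you can see what each rule test and each rule action contributes to the offenses you are asked to investigate. This is an added example, not QRadar code and not the output of the lab's sendWindows.sh: the contents of the Watchlist Users reference set, the sample events and the low-level categories that stand in for the BB:CategoryDefinition: Authentication Success building block are all constructed assumptions.

```python
"""Added illustration of the BQX Watchlist User Activity rule from Exercise 1.

Not QRadar code. The reference set contents, the sample events and the
low-level categories standing in for BB:CategoryDefinition: Authentication
Success are constructed for this example.
"""

RULE_NAME = "BQX Watchlist User Activity"
DISPATCHED_EVENT_NAME = "Watchlist user login"
ANNOTATION = "Watchlist user login success"

# Reference set "Watchlist Users" (constructed contents; the lab's set is created
# by the administrator). A plain alphanumeric reference set matches exactly, so
# case is significant here.
WATCHLIST_USERS = {"dcross", "jsmith"}

# Low-level categories that count as an authentication success. This stands in
# for the building block, whose real membership is assumed, not copied.
AUTH_SUCCESS_CATEGORIES = {"User Login Success", "Admin Login Success"}

# Constructed sample events, shaped like normalized QRadar events after parsing.
SAMPLE_EVENTS = [
    {"event_name": "Successful Logon Attempt", "low_level_category": "User Login Success",
     "username": "dcross", "source_ip": "10.126.152.20", "start_time": "2015-02-10 09:01:12"},
    {"event_name": "Successful Logon Attempt", "low_level_category": "User Login Success",
     "username": "dcross", "source_ip": "10.126.152.20", "start_time": "2015-02-10 09:04:51"},
    {"event_name": "Successful Logon Attempt", "low_level_category": "User Login Success",
     "username": "jsmith", "source_ip": "10.126.152.31", "start_time": "2015-02-10 09:07:03"},
    # Active employee: passes the building block, fails the reference-set test.
    {"event_name": "Successful Logon Attempt", "low_level_category": "User Login Success",
     "username": "alee", "source_ip": "10.126.152.40", "start_time": "2015-02-10 09:08:00"},
    # Terminated user but a failed logon: passes the reference-set test, fails the BB.
    {"event_name": "Logon Failure", "low_level_category": "User Login Failure",
     "username": "dcross", "source_ip": "10.126.152.99", "start_time": "2015-02-10 09:09:30"},
    # No username parsed at all: the reference-set test cannot match.
    {"event_name": "Successful Logon Attempt", "low_level_category": "User Login Success",
     "username": None, "source_ip": "10.126.152.50", "start_time": "2015-02-10 09:10:00"},
]


def in_reference_set(event, reference_set):
    """Test 1: when any of these event properties (Username) are contained in
    any of these reference set(s) (Watchlist Users)."""
    return event.get("username") is not None and event["username"] in reference_set


def matches_auth_success_bb(event):
    """Test 2: when an event matches the Authentication Success building block,
    stood in here by a low-level category check."""
    return event.get("low_level_category") in AUTH_SUCCESS_CATEGORIES


def rule_fires(event, reference_set=WATCHLIST_USERS):
    """All tests in the test stack are ANDed: both must hold for the rule to fire."""
    return in_reference_set(event, reference_set) and matches_auth_success_bb(event)


def run_rule(events, reference_set=WATCHLIST_USERS):
    """Apply the rule actions and responses to a stream of events.

    Returns (matched_events, offenses). Offenses are indexed on Username, as
    'Index offense based on Username' does: every matching event for one user
    is attached to a single offense whose offense source is that username.
    """
    matched = []
    offenses = {}
    for ev in events:
        if not rule_fires(ev, reference_set):
            continue
        # Rule action: annotate the event and record the rule that matched it.
        matched.append(dict(ev, rules=[RULE_NAME], annotation=ANNOTATION))
        user = ev["username"]
        offense = offenses.setdefault(user, {
            "offense_source": user,
            # The dispatched event name contributes to the offense name, so the
            # offense reads "Watchlist user login containing <triggering event>".
            "description": f"{DISPATCHED_EVENT_NAME} containing {ev['event_name']}",
            "annotations": [ANNOTATION],
            "event_count": 0,
            "source_ips": set(),
        })
        offense["event_count"] += 1
        offense["source_ips"].add(ev["source_ip"])
    return matched, offenses


def rule_counters(matched, offenses):
    """The two counters the Rules page shows for a rule."""
    return {"event_flow_count": len(matched), "offense_count": len(offenses)}


if __name__ == "__main__":
    matched_events, found = run_rule(SAMPLE_EVENTS)
    print(rule_counters(matched_events, found))
    for user, off in found.items():
        print(user, "|", off["description"], "|", off["event_count"], "events from",
              sorted(off["source_ips"]))
```

Run it and compare the printed counters with the Offense Count on the Rules page and the offense sources on the Offenses tab: the failed logon and the login with no parsed username never reach the offense because a test stack is an AND of its tests, which is also why the reference-set test alone would be too noisy.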


Exercise 2 Analyzing the rule that contributed to the Local DNS Scanner offense
To analyze the rule that contributed to the Local DNS Scanner offense, perform the following steps:
1. Review the Local DNS Scanner containing Invalid DNS offense investigated in
Exercise 1 “Investigating the local DNS scanner offense” on page 5.

2. Answer the following questions about the rule that contributed to this offense.
a. What is the name of the rule that triggered this offense? On the All Offenses page,
double-click the Local DNS Scanner containing Invalid DNS offense. From the Display
list on the Offense Summary toolbar, select Rule.
_________________________________________________________________________

b. What behavior caused this rule to trigger? Double-click the rule listed previously to open
the Edit Rules page. Review the rule's notes.
_________________________________________________________________________
_____________________________________________

c. If your investigation determines that the result is a false positive, how do you change the
rule behavior so that this source IP does not create an offense?

_____________________________________________
_____________________________________________

Exercise 3 Working with rule parameters


To work with the parameters of a rule, perform the following steps:
1. In the QRadar SIEM console, click the Offenses tab.

2. From the Offenses tab navigation menu, select Rules.


3. Sort the rules by the Offense Count parameter in descending order.


a. Click the header for the Offense Count parameter to sort in descending order.

b. What rule created the most offenses?


________________________________________________________________________

4. How many events or flows are associated with the BQX Watchlist User Activity rule? View the
Event/Flow Count parameter.
________________________________________________________________________

5. How many offenses are associated with the rule? View the Offense Count parameter.
________________________________________________________________________

6. Close the Watchlist user login containing Successful Logon Attempt offense for the
dcross offense source.
a. From the Offenses tab navigation menu, select All Offenses.

b. Select the offense that is named previously.

c. From the Actions list on the toolbar, click Close.

d. From the Reason for Closing list, select Policy Violation.

e. Click OK.

7. From the Offenses tab navigation menu, select Rules.

8. Find the BQX Watchlist User Activity rule.

9. How many events or flows are associated with this rule? View the Event/Flow Count
parameter.

Note: After an offense is closed, wait until the rule Event/Flow Count parameter updates.

________________________________________________________________________


10. How many offenses are associated with this rule? View the Offense Count parameter.
_________________________________________________________________________

11. What did you learn about the rule Event/Flow Count and Offense Count parameters?
_________________________________________________________________________
_____________________________________________

Exercise 4 Deleting changes that are made to a rule

The Origin rule parameter specifies whether the system or a user created the rule. The values for
the Origin parameter are listed in the following table.

Origin parameter value   Meaning
------------------------ ----------------------------------------------------
System                   Default rule in the QRadar SIEM enterprise template
Modified                 Changes were made to a system rule
User                     Custom rule that is created by the user

Perform the following steps to learn two different methods to delete changes that are made to a
system rule:
1. From the Offenses tab navigation menu, select All Offenses.

2. Double-click the offense that is named Communication to a known Bot Command and
Control, whose offense source is 10.126.152.5.

3. Navigate to the events associated with this offense.

4. Tune the Firewall Deny event as a false positive.

Hint: Refer to Step 13 on page 22.

5. Edit the User-BB-FalsePositive: User Defined False Positives building block.


a. From the Offenses tab navigation menu, select Rules.

b. On the Rules list page, from the Display list, select Building Blocks.

c. Scroll through the list.


6. Double-click the User-BB-FalsePositive: User Defined False Positives building block to
open it for editing.

7. Remove one of the testable objects.


a. Select the testable object that begins with CAT.
The False Positive Signature list page opens.

b. From the Selected Values list, select any object.

c. Click Remove.

d. Click Submit.
You return to the Rule Wizard page.

e. Click Finish.

Note: To remove a limited number of rule changes, edit the rule.

8. Revert the rule to the system default.


a. Select the User-BB-FalsePositive: User Defined False Positives building block.

b. On the Rules List toolbar, click Revert Rule.


The revert rule confirmation page opens.

c. Click OK.


Note: If you made many changes to a rule, use the Revert Rule option to set the rule to the
system default. The origin value for the rule changes from modified to system.

Exercise 5 Searching for a rule


To find a rule or building block that is included in other rules, perform the following steps:
1. On the Rules page, from the Display list, select Rules.

2. From the Group list, clear the Group filter.

3. In the Search Rules field, type BB:CategoryDefinition: Authentication Success.


The Rules display lists all the rules that meet the search criteria.

4. Select several of the rules and review the rule tests.


Notice that every rule listed includes the BB:CategoryDefinition: Authentication Success
building block. Before you edit a building block or rule, determine which other rules include it,
because the change affects all of them.

9 Creating QRadar SIEM reports exercises

Exercise 1 Viewing an existing report


QRadar SIEM includes over 1600 ready-to-use reports. Perform the following steps to view the
configuration and run a report provided by QRadar SIEM:
1. In the QRadar SIEM console, click the Reports tab.

2. To show all the reports, clear the Hide Inactive Reports check box.

3. From the Group list, scroll down and select the SOX group.

4. In the Search Reports field, type Daily Top and click the Search Reports icon to filter the
report list.

5. Select Daily Top Targeted Hosts.


6. From the Actions list on the Reports toolbar, select Run Report.

7. While the report is generating, examine the report. What groups contain the Daily Top
Targeted Hosts report?
________________________________________________________________________

8. Double-click the Daily Top Targeted Hosts report.


The Report Wizard opens.

9. Click Next until you see the Specify Report Contents page.

Note: This report has two containers. Each container defines the data to present in that section of
the report.

10. Click Define in the top container.


The top container details page opens.
a. What is the name of the event search that generates the data in the top container?
________________________________________________________________________

b. What is the graph type?


________________________________________________________________________

c. What parameters are graphed on the X and Y axes?


________________________________________________________________________

11. Click Cancel to exit the top container details page.

12. Click Define in the bottom container. The bottom container details page opens.
a. What is the name of the event search that generates the data in the bottom container?
________________________________________________________________________

b. What parameters are graphed on the X and Y axes?


________________________________________________________________________

13. Click Cancel to exit the bottom container details page.


14. Click Next twice. Note that the report format is PDF.

15. Click Cancel to exit the Report wizard.

16. On the Reports tab, click the Refresh icon to update the status of the generation of the Daily
Top Targeted Hosts report.

17. When the report generates content, click the PDF icon in the Formats column to view the
report.

18. Clear the report filters.


a. On the Reports tab, from the Group list, select Reporting Group.

b. Clear the Search Report field.

Exercise 2 Creating a new event report


QRadar SIEM uses saved searches to create reports. To use an existing search to create a report,
perform the following steps:
1. From the Actions list on the Reports toolbar, select Create.

2. To bypass the Welcome to Reports page, click Next.

3. In the “This report should be scheduled to generate” pane, select the Daily option and the
check boxes for Monday through Friday.

4. Click Next.

5. On the Choose a Layout page, from the Orientation list, select Landscape.


6. Click the single-container layout.

7. Click Next.

8. On the Specify Report Contents page, in the Report Title field, type Top Log Sources.

9. In the Chart Type list, select Events/Logs.

Note: A white background on the Chart Type container indicates that the container is not
configured.

10. Configure the Container Details as shown in the following table.

Field / Option                 Setting
------------------------------ --------------------------
Chart Title                    Today's Top Log Sources
Limit the Events/Logs to       Top 10
Graph Type                     Stacked Line
Saved Searches                 Top Log Sources
Horizontal (X) Axis            Time
Vertical (Y) Axis              Event Count (Sum)
Timeline Interval              1 Minute


11. Verify that the container details are configured as shown in the graphic.

12. Click Save Container Details.

Note: After saving the container details, the background color of the container is green. The green
color indicates that the container is configured.

13. Click Next twice.

14. On the Report Format page, select HTML and PDF.


15. Click Next until the Finishing Up page displays.

16. In the Report Description field, type the following text:


The Daily Top Log Sources report lists the top ten log sources by event count.

17. Verify that the Yes - Run this report when the wizard is complete check box is enabled.

18. Click Next.

19. Click Finish.

20. Click the Refresh icon to update the status of the generation of the Top Log Sources report.

21. View the Next Run Time column for the Top Log Sources report.

Note: The Next Run Time column shows the status of the report generation. If the status is
Generating, it also provides an estimated time to finish generating the report. When the report
generates content, the Next Run Time column shows when the next report runs.

22. When the report generates content, click the PDF icon in the Formats column to view the
report.

Exercise 3 Creating a new search and report


Exercise 1 “Creating an event rule” on page 24 creates an offense if a terminated employee user
ID is successfully logged in to a system. The company requires that the compliance officer receives
a daily report of the login activity of terminated employee user IDs. This exercise creates a report of
user logins of the terminated employees. In this exercise, you perform the following tasks:
• Create a search for terminated user login activity
• Create a terminated user login activity report

Task 1. Creating a search of terminated user login activity


This task creates two saved searches: a list of terminated users who logged in to the systems, and
a list of terminated user logins grouped by source IP address. To create a search of terminated user
login activity, perform the following steps:
1. In the QRadar SIEM console, click the Log Activity tab.

2. From the View list, select Last 3 Hours.


3. Add a filter using the following steps:


a. Click Add Filter on the toolbar.

b. In the first list, select the Custom Rule search parameter.

c. In the second list, select Equals.

d. In the Rule Group list, select Authentication.

e. In the Rule field, select BQX Watchlist User Activity.

f. Click Add Filter.

4. Group the search results by user name. From the Display list, select Username.

5. Save the search criteria.


a. On the Log Activity toolbar, click Save Criteria.

b. In the Search Name field, type BQX Watchlist User Logins by Username.

c. Assign the search to the Authentication, Identity and User Activity group.

6. Verify that the search criteria looks similar to one in the graphic.

7. Click OK.

8. Create a search of terminated user login activity by source IP.


a. From the Search list on the Log Activity tab toolbar, select New Search.

b. In the Type Saved Search field, type BQX.

c. Select the BQX Watchlist User Logins by Username saved search.


d. Click Load.

e. Format the columns in the search results. Group the search results first by Source IP and
next by user name. Include Start Date and Start Time in the search results. Order the
search results by Count in descending order.
i. Scroll down to the Column Definition pane.

ii. In the Columns list, select Source IP. Click the Remove icon to move Source IP to the
Available Columns list.

Hint: The remove icon looks similar to the graphic.

iii. In the Available Columns list, select Source IP. Click the Add icon and move Source
IP to the Group By list.

iv. In the Group By list, select Source IP. Click the Move up icon to move Source IP to the
top of the Group By list.

v. In the Columns list, select all fields. Click the Remove icon to move the fields to the
Available Columns list.

vi. In the Available Columns list, select Start Date.

vii. Click the add icon to move the Start Date to the Columns list.

viii. In the Available Columns list, select Start Time.

ix. Click the add icon to move Start Time to the Columns list.

x. In the Order By list, select Count and Desc.


The Column Definitions looks similar to one in the graphic.

f. Click Search.

9. Save the search criteria.


a. On the Log Activity toolbar, click Save Criteria.

b. In the Search Name field, type BQX Watchlist User Logins by IP.

c. Assign the search to the Authentication, Identity and User Activity group.

d. Click OK.

Task 2. Creating a terminated user login activity report


To create a report that shows terminated user login activity, perform the following steps:
1. In the QRadar SIEM console, click the Reports tab.

2. From the Actions list, select Create.

3. To bypass the Welcome to Reports page, click Next.

4. In the “This report should be scheduled to generate” pane, select Manually.

5. On the Choose a Layout page, from the Orientation list, select Landscape.

6. Select the two-container layout.

7. Click Next.

8. On the Specify Report Contents page, in the Report Title field, type Terminated users
logins.


9. In the top container, from the Chart Type list, select Events/Logs.

10. Configure the Container Details as shown in the following table:

Field / Option                 Setting
------------------------------ -----------------------------------------------------------
Chart Title                    Terminated users logins
Limit the Events/Logs to       Top 10
Graph Type                     Bar
Manually Scheduling            From: the date and time 24 hours earlier than the current
                               date and time of the QRadar SIEM server
                               To: the current date and time of the QRadar SIEM server
Saved Searches                 BQX Watchlist User Logins by Username
Horizontal (X) Axis            Username
Vertical (Y) Axis              Count

Hint: To determine the date and time of the QRadar SIEM server, in the PuTTY command line,
type date.


11. Verify that the container details look similar to those in the graphic.

Note: When you manually schedule the reports, you can specify a time period that guarantees
that the generated report has data. The data for this report was generated earlier today during a
previous student exercise. Remember that hourly, daily, weekly, and monthly reports use data
from a specific time period. During initial testing, enter a manual schedule. You can change the
report schedule to daily at a later time.

12. Click Save Container Details.

13. In the bottom container, from the Chart Type list, select Events/Logs.


14. Configure the Container Details as shown in the following table:

Field / Option                 Setting
------------------------------ -----------------------------------------------------------
Chart Title                    Terminated user login by IP
Limit the Events/Logs to       Top 10
Graph Type                     Table
Manually Scheduling            Use the same From and To values as in the top container
Saved Searches                 BQX Watchlist User Logins by IP

15. Click Save Container Details.

16. Click Next twice.

17. On the Report Format page, select HTML and PDF.

18. Click Next until the Finishing Up page opens.


a. In the Report Description field, type the following text:
Terminated user login by user name and IP address.

b. Assign the report to the Authentication, Identity and User Activity group.

c. Verify that the Yes - Run this report when the wizard is complete check box is enabled.

19. Click Finish.

20. Click the Refresh icon to update status of the generation of the report.

21. When the report generates content, click the PDF icon in the Formats column to view the
report.


The report looks similar to the one in the graphic.
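The two saved searches from Task 1 and the manual 24-hour report window from Task 2, written as plain Python over constructed events so that you can check what the report containers should show before you run the report. This is an added example, not QRadar's Ariel search engine or AQL and not the lab's data: the events (which already carry the names of the custom rules that matched them, as QRadar events do after rule evaluation), their timestamps and the assumed server clock are all constructed, and the first-seen Start Date/Start Time per group is an assumption about how those columns are filled.

```python
"""Added illustration of the Task 1 saved searches and the Task 2 report window.

Not QRadar code. The events, their matched-rule lists, the timestamps and the
server clock are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RULE_NAME = "BQX Watchlist User Activity"
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed events as they look after custom-rule evaluation: each carries the
# names of the rules that matched it, which is what the Custom Rule filter tests.
SAMPLE_EVENTS = [
    {"username": "dcross", "source_ip": "10.126.152.20", "start": "2015-02-10 09:01:12",
     "rules": [RULE_NAME]},
    {"username": "dcross", "source_ip": "10.126.152.20", "start": "2015-02-10 09:04:51",
     "rules": [RULE_NAME]},
    {"username": "dcross", "source_ip": "10.126.152.77", "start": "2015-02-10 11:30:00",
     "rules": [RULE_NAME]},
    {"username": "jsmith", "source_ip": "10.126.152.31", "start": "2015-02-10 09:07:03",
     "rules": [RULE_NAME]},
    # Same user and IP, but two days old: outside the report's 24-hour window.
    {"username": "jsmith", "source_ip": "10.126.152.31", "start": "2015-02-08 08:00:00",
     "rules": [RULE_NAME]},
    # Matched a different rule only: excluded by the Custom Rule filter.
    {"username": "alee", "source_ip": "10.126.152.40", "start": "2015-02-10 09:08:00",
     "rules": ["Login Successful After Scan Attempt"]},
]

# Assumed output of `date` on the QRadar console (the lab's hint for the schedule).
SERVER_NOW = datetime(2015, 2, 10, 12, 0, 0)


def manual_window(server_now=SERVER_NOW, hours=24):
    """From/To values for the manual schedule: 24 hours before server time, up to now."""
    return server_now - timedelta(hours=hours), server_now


def in_window(event, window):
    start, end = window
    return start <= datetime.strptime(event["start"], TIME_FMT) <= end


def custom_rule_filter(events, rule_name=RULE_NAME):
    """Search filter: Custom Rule equals <rule_name>."""
    return [e for e in events if rule_name in e.get("rules", [])]


def logins_by_username(events, window=None, top=10):
    """Saved search 'BQX Watchlist User Logins by Username': group by Username,
    count, most frequent first. Feeds the bar chart (X=Username, Y=Count)."""
    counts = defaultdict(int)
    for e in custom_rule_filter(events):
        if window is None or in_window(e, window):
            counts[e["username"]] += 1
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return rows[:top]


def logins_by_ip(events, window=None, top=10):
    """Saved search 'BQX Watchlist User Logins by IP': group by Source IP, then
    Username; keep the earliest Start Date/Time per group (assumed); order by
    Count descending. Feeds the table container."""
    groups = {}
    for e in custom_rule_filter(events):
        if window is not None and not in_window(e, window):
            continue
        key = (e["source_ip"], e["username"])
        g = groups.setdefault(key, {"count": 0, "first_seen": e["start"]})
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], e["start"])
    rows = [{"source_ip": ip, "username": user, "count": g["count"],
             "start_date": g["first_seen"][:10], "start_time": g["first_seen"][11:]}
            for (ip, user), g in groups.items()]
    rows.sort(key=lambda r: (-r["count"], r["source_ip"], r["username"]))
    return rows[:top]


if __name__ == "__main__":
    window = manual_window()
    print("Window:", window[0], "to", window[1])
    print("Top container:", logins_by_username(SAMPLE_EVENTS, window))
    for row in logins_by_ip(SAMPLE_EVENTS, window):
        print("Bottom container:", row)
```

Two things to notice when you compare this with the generated PDF: the 24-hour window is evaluated against the console's clock, not the client's, which is why the lab has you run date over PuTTY, and the same user can appear on several rows of the IP table, once per source address, while the bar chart shows one bar per user.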

10 Performing advanced filtering exercises

This unit has no student exercises.
