Course info
Jan 19, 2018
3h 15m

IBM Security QRadar is a leader in SIEM solutions according to the 2016 Gartner Magic Quadrant. In this course, Incident Detection and Investigation with QRadar, you will explore QRadar’s main features from a SOC analyst perspective. First, you will explore what SIEM is and how QRadar provides more functions than a regular SIEM. Next, you will walk through all relevant functionalities provided by the tool and some extra functions, such as Risk Manager and Vulnerability Manager. Finally, with the SIEM basics covered, you will dive into incident investigation using QRadar, where you will learn about events, flows, and offenses. When you’ve completed this course, you’ll understand how to investigate the most common cyber threats using QRadar. This course covers the objectives of the IBM Security QRadar SIEM V7.2.6 Associate Analyst exam (Exam C2150-612) which is required to achieve the IBM Certified Associate Analyst - Security QRadar SIEM V7.2.6 certification.

About the author
About the author

"Ricardo is a Cybersecurity Consultant based in Toronto (Canada). He has 10+ years of IT experience, 6 of them in the IT Security field. His main interests are: SIEM solutions (IBM QRadar), Enterprise Security Risk, Penetration Testing, Security processes/procedures and Network Security.

More from the author
Planning, Deploying, and Maintaining QRadar
2h 50m
20 Sep 2018
SIEM Administration with QRadar
3h 10m
24 May 2018
Section Introduction Transcripts
Section Introduction Transcripts

Course Overview
Hi everyone. My name is Ricardo, and welcome to the incident detection and investigation with QRadar. I am a cyber security consultant with three years of experience in IBM QRadar and in incident investigation. I'll be showing you pretty much everything you need to know for your role as a SOC analyst in a QRadar environment. So we start this course by giving an overview of the QRadar and discussing the basic concepts related to the tool. Then, we'll have a section only talk about the incident investigation process. In which you will learn every step of an incident. Later, we will discuss how QRadar collects and parts the data. And after understanding the collection and the basic concepts, we can then move to the meat of this course, which is learning about events, flows, and offenses. We're also going to cover how QRadar utilizes rules to generate offenses and how the tool can be a good source of accident information. In the last two modules, we will cover reporting, and how to create and customize dashboards. This course contains a lot of demos, in which you will be able to see each concept being applied in the real life. And by the end of this course, you'll be able to understand the incident investigation process, understand the QRadar architecture and inner workings, perform event and flow searches, investigate offenses, customize reports, customize dashboards, and as mentioned before, you'll be able to understand the main security threats and how they can be investigated. If you're applying to take the IBM QRadar Associate Analyst certification, you're in the right place. The content of this course is based on the certification requirements. So, if you watch this course, if you do the course exercises, and most important, if you practice the concepts in your own environment, you probably will be in good shape for the certification. So, I hope you join me in this journey to learn about the incident detection and investigation with Qradar here at Pluralsight.

Data Collection
Welcome to incident detection and investigation with QRadar. In this module, we'll be discussing how QRadar collects information across environment to generate defenses. You may be wondering, but wait, if I'm analyst, why should I know the data is being collected? Isn't this a job for admins and architects? The main point of understanding data collection is that if we understand where the information is coming from, then we are able to understand the incident. During an incident investigation, you may notice that QRadar puts together a lot of data from different sources into one single offense to help you in the investigation. So you need to be able to understand where the information is coming from, to be able to understand the incident. So to be able to understand data collection, we'll be learning the three main sources of data for QRadar. First and most important one is event collection. We will be covering about how the logs are collected across the environment, they are processed and a few of the main particles and supported log sources. Second data source is the flow collection. Which we'd discuss how QRadar gather information from network traffic and how this data is aggregated into an incident. Third source of information is the vulnerability scans. Which can be done using the own QRadar Vulnerability Manager solution or external integrations.

Rules are the base for any SIEM solution. They are responsible for generating offenses, alerting correlation and much more. If you're a SOC analyst, you may not be directly responsible for creating rules, but that doesn't mean that it is not important for you. Actually, understanding the rules is extremely important because then you'll be able to understand how the offenses were generated. You'll be able to understand how QRadar thinks, which will help you in your instant investigation. Also, mostly likely you will see several false positives in your environment. If you understand the rules, you will be able to help your SIEM administrator to tune the rules and reduce the amount of false positives. So, let's take a look on what I'll be covering in this module. We'll start by discussing some rule basics. For example, do you know what is the difference between a rule and a building block? This is something that I will be discussing. And you also take a look on rule response, rule actions and datasets. And in the second part of this module we will study more details about CRE and ADE rules.