

Understand modern best practices that will make you a better SIEM administrator

What you will learn

Administer IBM’s QRadar SIEM

Create rules and detections based on different telemetry sources

Troubleshoot various technical issues

Understand QRadar core services and functions

Description

Hello everyone!

My name is Daniel Koifman, a recognized IBM Subject Matter Expert for QRadar, CASP+ Certified.

In this course, I will be showing you all of the most important subjects you need to know in order to be a skilled QRadar administrator, in addition to various real-world scenarios and best practices.




The course is divided into the following 15 sections:

  1. Introduction & Installation
  2. QRadar overview
  3. Rules
  4. Working with Reference Data
  5. QRadar Administration – System Configuration
  6. QRadar Administration – Performance Optimization
  7. QRadar Administration – Data Source Configuration
  8. QRadar Administration – Accuracy Tuning
  9. QRadar Administration – User Management
  10. QRadar Administration – Reporting, Searching & Offense Management
  11. QRadar Administration – Tenants and Domains
  12. QRadar Administration – Troubleshooting
  13. Working with the QRadar Console
  14. Working with the API
  15. Practical Use Cases for New/Existing Deployments

Each section was carefully designed based on all of my experience working as a Senior Threat Detection Engineer for Fortune 500 companies and for MSSPs. This is the ONLY course with a detailed, in-depth practical use cases section, which will show you common problems that administrators are facing throughout the world. I developed this section based on my endless hours of trial & error and independent research, so I hope all of you can learn very useful things in the course, regardless of skill level!

Language: English

Content

Introduction & Installation

A quick word from me to you
Introduction & About the instructor
Quick note about external resources – Important!
Introduction to SIEM
Introduction to QRadar
Installing QRadar
Ingesting events from a Windows machine
Ingesting events from PfSense firewall

QRadar overview

User Interface
Log Activity basic searching
QRadar Services

Rules

Requirements for upcoming application installations
Use Case Manager, Rules and Building Blocks
Using AQL inside rules
Troubleshooting rules
Optimizing rules
Identifying expensive rules
Practical Example #1 – SIGMA rules
Practical Example #2 – Firewall rules

Working with Reference Data

Different types of Reference Data
Using Reference Data with the default user interface
Integrating Reference Data and Rules
Advice on dealing with massive amounts of Reference Data

QRadar Administration – System Configuration

Managed hosts
Network hierarchy
Automatic updates
Event retention
Backup and recovery
Custom offense Email templates

QRadar Administration – Performance Optimization

Index management
Configuring resource restrictions
Routing Rules

QRadar Administration – Data Source Configuration

XPath queries
Log source management
Event coalescing
Log source groups
Exporting event data
Custom log source types (DSM) / Event Mappings
Custom AQL Properties
Custom event properties

QRadar Administration – Accuracy Tuning

Configuring MaxMind GeoIP
Verifying GeoIP Changes
Configuring X-Force Integration

QRadar Administration – User Management

Managing users
User roles
Security profiles
Managing user authentication & authorization

QRadar Administration – Reporting, Searching & Offense Management

Managing reports
Utilizing different search types
Managing offenses
Sharing content among users

QRadar Administration – Tenants and Domains

Differentiating between network hierarchy and domain definition
Managing domains and tenants
Monitoring license usage
Assigning users to tenants

QRadar Administration – Troubleshooting

Responding to and dealing with system notifications
Troubleshooting common issues
Troubleshooting applications
Troubleshoot service performance

Working with the QRadar Console

Connecting to the Console
QRadar filesystem
Running AQL inside the Console
Troubleshooting services
Troubleshooting events rate and connectivity
Performing a manual deploy
Reverting SSL certificate to locally signed
Deleting a rule directly from the console
Useful Console commands list

Working with the API

QRadar API basics
Example – Python script with QRadar API

Practical Use Cases for New/Existing Deployments

Alerting on non-reporting log sources
Alerting on non-reporting domains
Alerting on disabled custom properties
Alerting on disk usage exceeded warning/maximum threshold
Alerting on events dropped
DSM “Failed to load data” error
Creating useful dashboards with Pulse
Working with Threat Intelligence
Working with QRadar Deployment Intelligence
Mandatory steps after upgrading Console CPU
Logs are being truncated / split
Section Notes
Notes about updating applications

Course End – Congratulations!

End Notes