Administer IBM’s QRadar SIEM
Create rules and detections based on different telemetry sources
Troubleshoot various technical issues
Understand QRadar core services and functions
Hello everyone!
My name is Daniel Koifman, a recognized IBM Subject Matter Expert for QRadar and CASP+ certified.
In this course, I will be showing you all of the most important subjects you need to know in order to be a skilled QRadar administrator, in addition to various real-world scenarios and best practices.
The course is divided into the following 15 sections:
- Introduction & Installation
- QRadar overview
- Rules
- Working with Reference Data
- QRadar Administration – System Configuration
- QRadar Administration – Performance Optimization
- QRadar Administration – Data Source Configuration
- QRadar Administration – Accuracy Tuning
- QRadar Administration – User Management
- QRadar Administration – Reporting, Searching & Offense Management
- QRadar Administration – Tenants and Domains
- QRadar Administration – Troubleshooting
- Working with the QRadar Console
- Working with the API
- Practical Use Cases for New/Existing Deployments
Each section was carefully designed based on all of my experience working as a Senior Threat Detection Engineer for Fortune 500 companies and for MSSPs. This is the ONLY course with a detailed, in-depth practical use cases section, which will show you common problems that administrators are facing throughout the world. I developed this section based on my endless hours of trial & error and independent research, so I hope all of you can learn very useful things in the course, regardless of skill level!
Introduction & Installation
A quick word from me to you
Introduction & About the instructor
Quick note about external resources – Important!
Introduction to SIEM
Introduction to QRadar
Installing QRadar
Ingesting events from a Windows machine
Ingesting events from PfSense firewall
QRadar overview
User Interface
Log Activity basic searching
QRadar Services
Rules
Requirements for upcoming application installations
Use Case Manager, Rules and Building Blocks
Using AQL inside rules
Troubleshooting rules
Optimizing rules
Identifying expensive rules
Practical Example #1 – SIGMA rules
Practical Example #2 – Firewall rules
Working with Reference Data
Different types of Reference Data
Using Reference Data with the default user interface
Integrating Reference Data and Rules
Advice on dealing with massive amounts of Reference Data
QRadar Administration – System Configuration
Managed hosts
Network hierarchy
Automatic updates
Event retention
Backup and recovery
Custom offense Email templates
QRadar Administration – Performance Optimization
Index management
Configuring resource restrictions
Routing Rules
QRadar Administration – Data Source Configuration
XPath queries
Log source management
Event coalescing
Log source groups
Exporting event data
Custom log source types (DSM) / Event Mappings
Custom AQL Properties
Custom event properties
QRadar Administration – Accuracy Tuning
Configuring MaxMind GeoIP
Verifying GeoIP Changes
Configuring X-Force Integration
QRadar Administration – User Management
Managing users
User roles
Security profiles
Managing user authentication & authorization
QRadar Administration – Reporting, Searching & Offense Management
Managing reports
Utilizing different search types
Managing offenses
Sharing content among users
QRadar Administration – Tenants and Domains
Differentiating between network hierarchy and domain definition
Managing domains and tenants
Monitoring license usage
Assigning users to tenants
QRadar Administration – Troubleshooting
Responding to and dealing with system notifications
Troubleshooting common issues
Troubleshooting applications
Troubleshooting service performance
Working with the QRadar Console
Connecting to the Console
QRadar filesystem
Running AQL inside the Console
Troubleshooting services
Troubleshooting events rate and connectivity
Performing a manual deploy
Reverting SSL certificate to locally signed
Deleting a rule directly from the console
Useful Console commands list
Working with the API
QRadar API basics
Example – Python script with QRadar API
Practical Use Cases for New/Existing Deployments
Alerting on non-reporting log sources
Alerting on non-reporting domains
Alerting on disabled custom properties
Alerting on disk usage exceeded warning/maximum threshold
Alerting on events dropped
DSM “Failed to load data” error
Creating useful dashboards with Pulse
Working with Threat Intelligence
Working with QRadar Deployment Intelligence
Mandatory steps after upgrading Console CPU
Logs are being truncated / split
Section Notes
Notes about updating applications
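To give a concrete picture of what the "Example – Python script with QRadar API" lecture and the "Alerting on non-reporting log sources" use case are about, here is a short script that pulls the log source list from the QRadar REST API and flags enabled sources that have gone quiet. This is an added illustration, not code from the course or from IBM. It assumes the log source management endpoint path shown, the SEC token and Version headers, and a response carrying `name`, `enabled` and `last_event_time` (epoch milliseconds); confirm these against your console's interactive API documentation page before relying on them. The sample payload is constructed for the example so the check runs offline.

```python
"""Flag QRadar log sources that have stopped reporting, via the REST API.

Added example, not course material. Assumptions (verify on your console):
- endpoint path, SEC/Version headers and the `fields` query parameter follow
  the public QRadar API documentation; the API version number varies by release
- each log source object carries `name`, `enabled` and `last_event_time` (epoch ms)
"""
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

LOG_SOURCES_PATH = "/api/config/event_sources/log_source_management/log_sources"


def fetch_log_sources(console: str, sec_token: str, api_version: str = "16.0",
                      verify_tls: bool = True) -> list:
    """GET the log source list from a QRadar console (network call, not used offline).

    verify_tls=False is only acceptable for a lab console still on its
    self-signed certificate; in production keep verification on or pin the CA.
    """
    url = f"https://{console}{LOG_SOURCES_PATH}?fields=id,name,enabled,last_event_time"
    req = urllib.request.Request(url, headers={
        "SEC": sec_token,          # authorized service token, never a user password
        "Version": api_version,    # assumption: adjust to the version your console exposes
        "Accept": "application/json",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def find_silent_sources(log_sources: list, now: datetime,
                        max_silence: timedelta = timedelta(hours=1)) -> list:
    """Return (name, hours_silent) for enabled sources quiet longer than max_silence.

    Disabled sources are skipped: an admin switched them off, so their silence
    is expected and would only add noise. A source that has never sent an event
    (last_event_time 0 or missing) is reported with hours_silent=None, because
    "configured but never reported" is exactly the failure this check exists for.
    Results are sorted worst first, never-reported sources at the top.
    """
    silent = []
    for src in log_sources:
        if not src.get("enabled", True):
            continue
        last_ms = src.get("last_event_time") or 0
        if not last_ms:
            silent.append((src["name"], None))
            continue
        last_seen = datetime.fromtimestamp(last_ms / 1000, tz=timezone.utc)
        gap = now - last_seen
        if gap >= max_silence:
            silent.append((src["name"], round(gap.total_seconds() / 3600, 2)))
    return sorted(silent, key=lambda t: float("inf") if t[1] is None else t[1],
                  reverse=True)


# Constructed sample shaped like the API response (not real data).
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)


SAMPLE_LOG_SOURCES = [
    {"id": 1, "name": "pfSense-edge", "enabled": True,
     "last_event_time": _ms(NOW - timedelta(minutes=5))},     # healthy
    {"id": 2, "name": "DC01-WinCollect", "enabled": True,
     "last_event_time": _ms(NOW - timedelta(hours=6))},       # silent 6 h
    {"id": 3, "name": "old-proxy", "enabled": False,
     "last_event_time": _ms(NOW - timedelta(days=30))},       # disabled, ignored
    {"id": 4, "name": "new-vpn", "enabled": True, "last_event_time": 0},  # never reported
]

if __name__ == "__main__":
    # Replace SAMPLE_LOG_SOURCES with fetch_log_sources("console.example", token)
    # to run against a live console.
    for name, hours in find_silent_sources(SAMPLE_LOG_SOURCES, NOW):
        state = "never reported" if hours is None else f"silent for {hours} h"
        print(f"{name}: {state}")
```

Run as a cron job or wrap the result in a ticket or email, and pick `max_silence` per source group rather than one global value: a firewall that logs every second and a quarterly batch job have very different definitions of "silent", which is the main tuning decision behind this use case.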
Course End – Congratulations!
End Notes