1. (Latest version is 7.2, build number 636622)
Requirements:
1. QRadar is software that is installed on RHEL6
2. PostgreSQL
3. Ariel database
K Siva Sreenivasulu
FixNix InfoSec solutions
2. • QRadar was developed over the years by a company called Q1 Labs, which was acquired by IBM in 2012.
• After the acquisition, QRadar became part of IBM Security Systems, where IBM positions it at the top of its security portfolio, the point where all security-related issues are brought together, so you can see the plan to place it at the top of the solution stack.
3. 'All log data is collected and analyzed by correlation to find potential threats / attacks.'
4. QRadar's architecture
It is based on RHEL6; most raw data is stored in the Ariel database.
Processed data and configuration are stored in PostgreSQL.
The green boxes can be called the core: they collect, process and store logs in QRadar.
All tasks run on the terminal, and we can also view these tasks through the SSL GUI web console and work in the graphical interface.
5. QRadar Web console
First, the feature above is the 'Dashboard'.
Based on the collected logs, we can confirm 'which logs were collected most', 'how actions were detected', and 'what kinds of threats exist in our infrastructure'.
There are 5 dashboards supplied by IBM, and we can create a new dashboard using only the widgets we want.
6. Offenses
The Offense feature is very important.
It shows us threats after analyzing event / flow logs.
The IBM X-Force research institute updates rules that are able to analyze new threats, and users can also make their own rules; the rules feature is widely used.
If it is configured correctly, we can confirm and analyze threats without monitoring the UTM / IPS / virus wall / etc. separately.
To build an integrated threat monitoring system, log / flow data are the raw material for making offenses.
7. Log Activity
So, are log / flow data used for offenses only?
You might think so, but that is wrong.
The original purpose of collecting logs is to make offenses, but once the logs are collected they can be used in other ways: we can extract meaningful data from them.
11. Assets
It finds the IP list in the infrastructure, but it cannot know details such as the OS, MAC addresses or author name. So you have to fill in the asset fields by passive typing, which is never useful.
The 'Server Discovery' feature in Assets can find frequently accessed ports.
Before release 7.2, QRadar had to have a 3rd-party scanner program.
When the 3rd-party scanner program finds a vulnerability, QRadar uses that result.
Open source 3rd-party scanners: Nmap, Nessus
http://nmap.org/
http://www.tenable.com/products/nessus
12. Reports
QRadar collects logs and flows, processes the data, and gives us useful data.
Reports are one of the useful outputs of QRadar.
Reports can be generated on a schedule, and we can use the results for regular reporting.
13. Admin
Here there are many buttons for configuring settings related to users, logs and the system.
Finding vulnerabilities, defining dangerous web sites, configuring the life-cycle of data: these are all in here.
We have investigated the main features of QRadar.