After the installation
This chapter covers additional steps that the administrator can follow after QRadar V7.3 is installed. Remember that no two network configurations have the same components, requirements, traffic patterns, or log sources. Therefore, you need to customize and adjust the configuration of QRadar to your environment.
This chapter is intended to provide a description of several available components that the administrator can add to the basic setup of QRadar. The administrator can use this information to understand which components can provide additional value to the console.
This chapter includes the following topics:
4.1 Event monitoring
From the Log Activity tab, shown in Figure 4-1, you can review the logs received by QRadar.
Figure 4-1 QRadar main menu
From here, you can perform searches against the logs that are stored on the system or the logs that are arriving in real time. You can also filter events by time by selecting from the drop-down menu. In the example shown in Figure 4-2, QRadar is showing the events from the last 5 minutes.
Figure 4-2 Log activity criteria
You can quickly determine if events are flowing into QRadar by viewing the Log Activity tab. You can also complete more detailed searches. For example, you can determine if a specific event processor is receiving events. Using Add Filter (Figure 4-3) and choosing the Event Processor from there (Figure 4-4) can quickly show whether events are flowing to the EP.
Figure 4-3 Filtering options
Figure 4-4 Add filter parameters
You can also create a new search from the New Search menu, as shown in Figure 4-5.
Figure 4-5 New Search option
You can filter by saved searches, as shown in Figure 4-6.
Figure 4-6 Filtering Saved Searches
The data that the search returns can then be manipulated from here. You can select which columns the search is going to have and group the data by a specific column, as shown in Figure 4-7.
Figure 4-7 Column definition
Specifying the search parameters helps to narrow down the search to make it as accurate as possible. Parameters can, for example, help to find a specific event type by using the Event Name parameter, as shown in Figure 4-8.
Figure 4-8 Search parameters
For better search performance, filter from the least specific to the most specific criteria, so that the search looks like an inverted pyramid, going from the general to the specific.
4.2 Events Per Second
QRadar comes with a pre-built search for monitoring the Events Per Second (EPS). This search allows you to quickly determine whether the number of events coming into QRadar exceeds the license for each Event Processor.
To use this feature, go to the Log Activity tab, and then in Quick Searches, look for the searches named Event Rate (EPS) – Last 15 Minutes, as shown in Figure 4-9.
Figure 4-9 Log Activity, Event Rate (EPS)
When the search completes, you can modify it by clicking the green gear icon. There are several types of values that you can graph. The Events per Second Raw – Peak 1 Sec graph (Figure 4-10) gives a good picture of the EPS for each EP and the console.
Figure 4-10 Top 10 Parent Results by Count
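As an added example (not from the book and not IBM's QRadar tooling), the following shell function computes the two figures that the graphs above report, the peak-1-second and the window-average EPS per event processor, from a constructed file of event timestamps, and compares them with a per-processor license table. The input formats and the processor names are assumptions.

```shell
#!/bin/sh
# Peak-1-second and window-average EPS per event processor (added example, not
# IBM code). Input formats are assumptions: an events file of
# "<epoch_seconds> <processor>" lines, one line per event, and a licenses file
# of "<processor> <licensed_eps>" lines.

# Usage: eps_report EVENTS_FILE LICENSES_FILE WINDOW_SECONDS
# Prints one line per processor, sorted by name:
#   name peak_eps average_eps licensed_eps status
# Status is OVER when the window average exceeds the licensed rate. A peak above
# the license with an average below it is a burst, which is why the
# "Peak 1 Sec" graph is read alongside the averages rather than on its own.
eps_report() {
    awk -v window="$3" '
        FILENAME == ARGV[1] { license[$1] = $2; next }   # licenses file
        NF == 2 {                                        # events file
            count[$2 SUBSEP $1]++        # events per processor per second
            total[$2]++                  # events per processor in the window
            seen[$2] = 1
        }
        END {
            for (key in count) {
                split(key, k, SUBSEP)    # k[1] = processor, k[2] = second
                if (count[key] > peak[k[1]]) peak[k[1]] = count[key]
            }
            for (ep in seen) {
                avg = total[ep] / window
                lic = (ep in license) ? license[ep] : 0   # unlicensed: 0 EPS
                status = (avg > lic) ? "OVER" : "ok"
                printf "%s %d %.1f %d %s\n", ep, peak[ep], avg, lic, status
            }
        }' "$2" "$1" | sort
}
```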
4.3 Features check
IBM Security QRadar can serve as a security solution for a small, medium, or large organization. It also integrates with many other products and provides complete, unified visibility to security events in on-premises, hybrid, and cloud environments. This section describes some of the most important features that are available for IBM Security QRadar.
4.3.1 IBM Security QRadar Vulnerability Manager
IBM QRadar Vulnerability Manager senses security vulnerabilities, adds context, and helps prioritize remediation activities. It uses advanced analytics to enrich the results of vulnerability scans to lower risk and achieve compliance. QRadar Vulnerability Manager correlates vulnerability data with network topology and connection data to intelligently manage risk. A policy engine automates compliance checks. Using QRadar Vulnerability Manager can help your security team to develop an optimized action plan to address security exposures to work more efficiently and decrease costs.
Figure 4-11 shows the QRadar Vulnerability Manager dashboard.
Figure 4-11 QRadar Vulnerability Management dashboard
4.3.2 The Health Check Framework for IBM Security QRadar SIEM
The Health Check Framework for IBM Security QRadar SIEM is an automated monitoring tool that helps you continuously sustain the platform’s operability and periodically monitor a range of statistical, performance, and behavioral parameters of a QRadar deployment.
The Health Check Framework (HCF) Manager, which is installed as a QRadar tab, is the user-side tool for administering HCF. It provides HCF updating, report execution and scheduling, mailing list management, and report download. The tool can be downloaded from the official IBM website.
The HCF Manager generates an Excel report that contains the details of the QRadar environment: disk, CPU, and memory usage on managed hosts; system warnings and errors; correlation rule and report performance; and a console summary of the system’s state that includes the number of active log sources and assets and the storage and memory available.
Figure 4-12 on page 82 shows the Health Check Console Summary.
Figure 4-12 Health Check, Console Summary
4.3.3 IBM QRadar Incident Forensics
IBM QRadar Incident Forensics (shown in Figure 4-13 on page 83) allows you to retrace the step-by-step actions of a potential attacker and then to quickly and easily conduct an in-depth forensics investigation of suspected malicious network security incidents. It reduces the time it takes for security teams to investigate QRadar offense records, in many cases from days to hours or even minutes. It can also help you to remediate a network security breach and to prevent it from happening again. IBM QRadar Packet Capture appliances are also available to store and manage data if no other network packet capture (PCAP) device is deployed.
Figure 4-13 The Forensics tab
4.3.4 IBM QRadar Network Insights
IBM QRadar Network Insights (shown in Figure 4-14) analyzes network data in real time to uncover an attacker’s footprints and to expose hidden security threats before they can damage the organization, including phishing e-mails, malware, data exfiltration, lateral movement, DNS and other application abuse, and compliance gaps. This feature helps security teams cope with the huge quantity of log activity that the company generates every day.
Figure 4-14 Network Activity tab
4.4 Upgrades and patching
Like any other IT tool or application, QRadar must be updated continually so that it keeps up with new requirements. New features are added through console upgrades, and patching fixes identified software bugs.
4.4.1 Preparing for the upgrade
To successfully upgrade an IBM Security QRadar system, verify the upgrade path when upgrading from older versions that require intermediate steps. The administrator must also review the software, hardware, and high availability requirements.
It is important to note that when you upgrade to QRadar V7.2.6 or later, the SSH keys on every managed host are replaced. If you connect to or from a QRadar managed host using key-based authentication, do not remove or alter the SSH keys. Removing or altering the keys might disrupt communication between the QRadar Console and the managed hosts and can result in lost data. Consider updating the firmware on IBM Security QRadar appliances to take advantage of additional features and updates for the internal hardware components. You can find more information at IBM Support.
To ensure that IBM Security QRadar upgrades without errors, use only the supported QRadar software version, V7.2.8 (20161118202122 and later). Check the installed software version by clicking Help → About.
Memory and disk space requirements
Before the upgrade, ensure that IBM Security QRadar meets the minimum or suggested memory and disk space requirements shown in Table 4-1. Also, if you plan to enable payload indexing, the system requires a minimum of 24 GB of memory. However, 48 GB of memory is suggested. If you install QRadar software on your own hardware, your system requires a minimum of 24 GB of memory. Also before you upgrade to QRadar V7.3.0, ensure that the total size of the primary disk is at least 130 gigabytes (GB).
Table 4-1 Upgrade path: memory requirements by appliance
Appliance | Minimum memory requirement | Suggested memory requirement
QFlow Collector 1201 | 6 GB | 6 GB
QFlow Collector 1202 | 6 GB | 6 GB
QFlow Collector Virtual 1299 without QRadar Vulnerability Scanner | 2 GB | 2 GB
QFlow Collector Virtual 1299 with QRadar Vulnerability Scanner | 6 GB | 6 GB
QFlow Collector 1301 | 6 GB | 6 GB
QFlow Collector 1310 | 6 GB | 6 GB
QRadar Event Collector 1501 | 12 GB | 16 GB
QRadar Event Collector Virtual 1599 | 12 GB | 16 GB
QRadar Event Processor 1601 | 12 GB | 48 GB
QRadar Event Processor 1605 | 12 GB | 48 GB
QRadar Event Processor 1624 | 64 GB | 64 GB
QRadar Event Processor 1628 | 128 GB | 128 GB
QRadar Event Processor Virtual 1699 | 12 GB | 48 GB
QRadar Flow Processor 1701 | 12 GB | 48 GB
QRadar Flow Processor 1705 | 12 GB | 48 GB
QRadar Flow Processor 1724 | 64 GB | 64 GB
QRadar Flow Processor 1728 | 128 GB | 128 GB
QRadar Flow Processor Virtual 1799 | 12 GB | 48 GB
QRadar Event and Flow Processor 1805 | 12 GB | 48 GB
QRadar Event and Flow Processor 1824 | 64 GB | 64 GB
QRadar Event and Flow Processor 1828 | 128 GB | 128 GB
QRadar SIEM 2100 | 24 GB | 24 GB
QRadar SIEM 2100 Light | 24 GB | 24 GB
QRadar SIEM 3100 | 24 GB | 48 GB
QRadar SIEM 3105 | 24 GB | 48 GB
QRadar SIEM 3124 | 64 GB | 64 GB
QRadar SIEM 3128 | 128 GB | 128 GB
QRadar SIEM Virtual 3199 | 24 GB | 48 GB
QRadar xx48 | 128 GB | 128 GB
QRadar Network Packet Capture | 128 GB | 128 GB
QRadar Network Insights | 128 GB | 128 GB
QRadar Log Manager 1605 | 12 GB | 48 GB
QRadar Log Manager 1624 | 64 GB | 64 GB
QRadar Log Manager 1628 | 128 GB | 128 GB
QRadar Log Manager 2100 | 24 GB | 24 GB
QRadar Log Manager 3105 | 24 GB | 48 GB
QRadar Log Manager 3124 | 64 GB | 64 GB
QRadar Log Manager 3128 | 128 GB | 128 GB
QRadar Log Manager 3199 | 24 GB | 48 GB
Backing up third-party data
Before the upgrade, be sure to back up all third-party data on the system. All third-party data on the system is removed during the OS upgrade portion of the QRadar upgrade. Only data stored in the /store partition is preserved. Back up the following data before performing the upgrade:
Any third-party user accounts and data
Any static route files for network interfaces
Any files, scripts, or data in /root
Upgrade sequence in distributed deployments
When upgrading IBM Security QRadar systems, the administrator must complete the upgrade process on the QRadar Console first. You must be able to access the user interface on the desktop system before upgrading the secondary QRadar Console and managed hosts.
Upgrade QRadar systems in the following order:
1. Console
2. The following QRadar systems can be upgraded concurrently:
 – Event Processors
 – QRadar Event Collectors
 – Flow Processors
 – QFlow Collectors
Precautions for upgrading appliances
Follow these precautions before upgrading QRadar appliances:
Back up the data, and confirm that backups are complete before you begin the upgrade.
Ensure either that you have a QRadar Console connected to the hardware or that you have a remote connection to the management port (often called an out-of-band management setup). This connection is important because if a problem is detected while reinstalling RHEL, the administrator needs to access the server through one of these connections.
Ensure that the appliance is updated with the most recent BIOS or UEFI firmware version.
Upgrade all managed hosts before deploying changes.
To avoid access errors in the log file, close all open QRadar sessions.
Confirm that the appliance meets the minimum requirements for QRadar.
Disconnect high availability hosts before the upgrade if the entire /store directory is mounted on offboard storage.
Ensure that the following order of mount points in the /etc/fstab file matches on both the primary and secondary HA hosts:
 – /store
 – /store/tmp
 – /store/transient
 – Any subdirectory of /store if the partition is mounted on offboard storage
Restart the system after any updates to the /etc/fstab file.
If the entire /store directory is mounted on offboard storage, run the following command to prepare the system for the upgrade:
/media/cdrom/post/prepare_offboard_storage_upgrade.sh
If you are not prompted to remount your offboard storage solution during the upgrade, remount the storage when the upgrade finishes.
Before you upgrade to QRadar V7.3.0, ensure that the QRadar Console doesn’t have a QRadar Incident Forensics license allocated to it. Upgrading a QRadar Console that uses a QRadar Incident Forensics license might cause the shared license pool to become over-allocated and can prevent you from using some features on the Log Activity and Network Activity tabs. To avoid this issue, remove the QRadar Incident Forensics license and re-add it after the upgrade completes.
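The fstab-order, memory, and third-party-data precautions above can be scripted and run before the upgrade window. The following shell functions are an added example, not IBM's upgrade tooling: each takes file paths as arguments so that it can run against the live /etc/fstab and /proc/meminfo of one host or against copies collected from both HA hosts; the static-route file location (/etc/sysconfig/network-scripts/route-*) follows the RHEL convention and is an assumption about the host layout.

```shell
#!/bin/sh
# Pre-upgrade checks for the precautions above (added example, not IBM's
# upgrade tooling). Every function takes file paths as arguments, so it can be
# run against the live /etc/fstab and /proc/meminfo of one host or against
# copies collected from the primary and secondary HA hosts.

# Print the /store mount points of an fstab file in the order they appear,
# skipping comments and blank lines (fstab columns: device, mount point, ...).
store_mount_order() {
    awk '$1 !~ /^#/ && NF >= 2 && $2 ~ /^\/store(\/|$)/ { print $2 }' "$1"
}

# Succeed only when /store, /store/tmp and /store/transient are the first three
# /store entries, in that order; other /store subdirectories may follow them.
check_store_order() {
    order=$(store_mount_order "$1" | head -n 3 | tr '\n' ' ')
    [ "$order" = "/store /store/tmp /store/transient " ]
}

# Succeed when two fstab files (primary and secondary HA host) list the /store
# mount points in the same order and at least one /store entry exists.
check_ha_fstab_match() {
    [ -n "$(store_mount_order "$1")" ] &&
        [ "$(store_mount_order "$1")" = "$(store_mount_order "$2")" ]
}

# Print MemTotal from a /proc/meminfo-style file, rounded down to whole GB.
mem_total_gb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 }' "$1"
}

# Succeed when meminfo file $1 reports at least $2 GB, for example the table
# value for the appliance, or 24 GB for a software installation.
check_memory() {
    [ "$(mem_total_gb "$1")" -ge "$2" ]
}

# Archive what the OS-reinstall step discards: /root, static route files and
# the local account database (everything outside /store). $1 is the root of
# the tree to back up (/ on a live host), $2 the tar archive to create.
backup_third_party_data() {
    tree=$1 archive=$2
    # glob is assumed RHEL layout; empty when no static route files exist
    routes=$(cd "$tree" && ls etc/sysconfig/network-scripts/route-* 2>/dev/null)
    tar -C "$tree" -cf "$archive" root etc/passwd etc/group $routes
}
```

Copy the resulting archive off the appliance before starting the upgrade, since only /store survives the OS reinstall.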
4.4.2 Upgrading QRadar appliances
Before you upgrade QRadar, take the following precautions:
Ensure that you have sufficient RAM according to the product specification.
Back up all your data, and confirm that backups are complete before you begin the upgrade.
Disconnect your offboard storage (if your deployment includes offboard storage solutions).
Close all open QRadar product sessions to avoid access errors in your log file.
During the upgrade, a system pretest checks that the minimum amount of RAM is available. If there is not enough RAM, the upgrade stops.
After you complete the upgrade, you can remount your external storage solutions.
Procedure
The first time that you run the patch installer script, there is an expected delay before the first patch installer menu is displayed.
Remember that if the SSH session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation resumes.
To upgrade QRadar, complete these steps:
1. If you are not on QRadar V7.2.8.1 or later, complete the following steps to update to the minimum QRadar software version patch that is required for the QRadar V7.3.0 upgrade. Otherwise, skip to step 2.
a. Download the <QRadar_patchupdate>.sfs file from IBM Fix Central.
b. Use SSH to log in to your system as the root user.
c. Copy the patch file to the /tmp directory or to another location that has sufficient disk space. Remember not to copy the file to an existing QRadar system directory, such as /store or /root.
d. Create the /media/updates directory by entering the following command:
mkdir -p /media/updates
e. Change to the directory where you copied the patch file.
f. Mount the patch file to the /media/updates directory by entering the following command:
mount -o loop -t squashfs <QRadar_patchupdate>.sfs /media/updates/
g. Run the patch installer by entering the following command:
/media/updates/installer
h. Provide answers to the pre-patch questions based on your QRadar deployment.
i. Apply the software fix to all systems in the deployment using the patch installer.
The patch installer menu lists the following options:
 • Console
 • All
If you select Console, the software fix is applied only to the QRadar Console. If you select All, the software fix is applied to the QRadar Console first, and then to all managed hosts. After the software fix is applied to the QRadar Console, the menu lists the remaining managed hosts and the All option.
j. After the upgrade is complete, unmount the software update by using the following command:
umount /media/updates
k. Finally, complete an automatic update to ensure that your configuration files include the latest network security information.
2. To upgrade, download the <QRadar>.iso file from IBM Fix Central.
a. Use SSH to log in to your system as the root user.
b. Copy the ISO file to the /tmp directory or to another location that has sufficient disk space. Remember not to copy the file to an existing QRadar system directory, such as /store or /root.
c. Create the /media/cdrom directory by entering the following command:
mkdir -p /media/cdrom
d. Change to the directory where you copied the ISO file.
e. Mount the ISO file to the /media/cdrom directory by entering the following command:
mount -o loop <QRadar>.iso /media/cdrom/
f. Pretest the installation by entering the following command:
/media/cdrom/setup -t
g. Review the pretest output and, if your deployment fails any pretests, take any of the suggested actions.
h. Run the installer by entering the following command:
/media/cdrom/setup
The SSH connection pauses for 20 minutes because the system restarts. Monitor the console screen to confirm when the SSH becomes available after the system restart.
i. Complete an automatic update to ensure that your configuration files include the latest network security information.
j. Clear your web browser cache. After you upgrade QRadar, the Vulnerabilities tab might not display. To use QRadar Vulnerability Manager after you upgrade, you must upload and allocate a valid license key.
4.4.3 Upgrading QRadar software installations
Upgrade IBM Security QRadar V7.2.8 to V7.3.0 on your own appliance with a QRadar software installation. A software installation includes custom Red Hat Enterprise Linux partitions that are already configured.
Upgrading the QRadar Console to V7.3.0 can take approximately 3 hours. Upgrading managed hosts can take approximately 1:30 hours. If you experience extended upgrade times, contact IBM Support to review the progress of the upgrade.
The administrator must have the QRadar v7.2.8 -QRFULL- 20161118202122 fix pack or later installed before upgrading to QRadar V7.3.0. Click Help → About to view the QRadar version, and download the software fix from IBM Fix Central.
The administrator must complete the following tasks to upgrade QRadar with custom Red Hat Enterprise Linux partitions:
1. Copy the required files to the appliance and start the upgrade.
2. Install Red Hat Enterprise Linux V7.3 and configure partitions.
3. Follow the installation wizard to complete the QRadar installation.
Copying the required files
Copy the files to the host where you want to upgrade IBM Security QRadar, and begin the setup process.
Before you begin
Before you begin the installation, ensure that you have completed the following actions:
Download the QRadar release ISO file from IBM Fix Central.
Obtain the Red Hat Enterprise Linux V7.3 ISO.
Confirm that your appliance meets the minimum requirements for QRadar.
Upgrade all managed hosts before you deploy changes.
Disconnect HA hosts before the upgrade if the entire /store directory is mounted on offboard storage.
Ensure that the order of mount points in the /etc/fstab file matches on both the primary and secondary HA hosts:
 – /store
 – /store/tmp
 – /store/transient
 – Any subdirectory of /store if the partition is mounted on offboard storage
Restart the system after any updates to the /etc/fstab file.
Run the following command to prepare the system for the upgrade, if the entire /store directory is mounted on offboard storage:
/media/cdrom/post/prepare_offboard_storage_upgrade.sh
If you are not prompted to remount your offboard storage solution during the upgrade, remount the storage when the upgrade finishes.
Procedure
To upgrade QRadar with custom Red Hat Enterprise Linux partitions, complete the following steps:
1. Copy the Red Hat Enterprise Linux operating system DVD ISO to one of the following portable storage devices:
 – Digital Versatile Disk (DVD)
 – Bootable USB flash drive
2. Using a Secure File Transfer Protocol (SFTP) program, such as WinSCP, copy the QRadar ISO to the host where you want to install QRadar.
3. Use SSH to log in to the system as the root user.
4. Create the installation directory by typing the following command:
mkdir -p /media/cdrom
5. Mount the QRadar ISO by entering the following command:
mount -o loop <QRadar_ISO> /media/cdrom
6. Start the QRadar setup by entering the following command:
/media/cdrom/setup
4.4.4 Installing Red Hat Enterprise Linux V7.3 and configuring partitions
When you initiate an IBM Security QRadar upgrade on a host that has custom Red Hat Enterprise Linux partitions configured, a message appears stating that a Red Hat Enterprise Linux Software Installation exists. Copy the recommendations for sizing your existing partitions for Red Hat Enterprise Linux V7.3 to use later in the procedure.
Procedure
To install Red Hat Enterprise Linux and configure partitions, follow these steps:
1. Insert the portable storage device into your appliance and restart your appliance.
2. From the starting menu, select one of the following options:
 – Select the USB or DVD drive as the boot option.
 – To install on a system that supports Extensible Firmware Interface (EFI), the administrator must start the system in legacy mode.
3. Follow the instructions in the wizard to begin the installation:
a. Select the language.
b. Click Date & Time and set the time for your deployment.
c. Click Installation Destination, select the “I will configure partitioning” option, and then click Done.
4. Adjust the partition sizes according to the recommendations for the deployment that is listed in the installation window. The following steps are an example of adjusting partition sizes to upgrade a deployment with a /root partition that is 20,000 MB.
In the Red Hat Enterprise Linux Server Linux V6.8 for x86_64 section, modify the following partitions:
a. Select Swap, and select the Reformat option.
b. Select /store, and enter /store in the Mount Point field.
This option is not available in HA deployments.
c. Select /storetmp, and enter /storetmp in the Mount Point field.
d. Select /transient, and enter /transient in the Mount Point field.
e. Select /boot, and enter the new value of /bootold in the Mount Point field.
f. Delete /.
In the New Red Hat Linux Enterprise V7.X Installation section, click + to create the new Red Hat Linux Enterprise V7.3 partitions:
 
Important: Click Update Settings after you create each partition.
a. Create a /boot mount point that is 1024 MB in size, with XFS for a file system, and Standard Partition for the device type.
b. Create a / mount point that is 6672 MB in size, with XFS for a file system, and LVM for the device type.
c. With the / partition still selected, click Modify under the Volume Group button to create a rootrhel volume group, and select Size Policy → As large as possible.
d. Create a /var mount point that is 2594 MB in size, with XFS for a file system, and LVM for the device type. Ensure that rootrhel is selected for the Volume Group.
e. Create a /opt mount point that is 6672 MB in size, with XFS for a file system, and LVM for the device type. Ensure that rootrhel is selected for the Volume Group.
f. Create a /tmp mount point that is 1482 MB in size, with XFS for a file system, and LVM for the device type. Ensure that rootrhel is selected for the Volume Group.
g. Create a /home mount point that is 370 MB in size, with XFS for a file system, and LVM for the device type. Ensure that rootrhel is selected for the Volume Group.
h. Delete the /var/log partition in the Red Hat Enterprise Linux Server V6.8 for x86_64 section.
 
Note: Do not select the “Delete all other file systems in the Red Hat Enterprise Linux Server Linux V6.8 for x86_64 root as well” option.
i. Create a new /var/log mount point that is 8063 MB in size, with XFS for a file system, and LVM for the device type.
j. With the /var/log partition still selected, click Modify under the Volume Group button to create a varlogrhel volume group, and select Size Policy → As large as possible.
k. Create a /var/log/audit mount point that is 1651 MB in size, with XFS for a file system, and LVM for the device type. Ensure that varlogrhel is selected for the Volume Group.
l. Delete the /bootold partition in the Red Hat Enterprise Linux Server Linux V6.8 for x86_64 section.
m. Only three partitions are now listed for Red Hat Enterprise Linux V6.8:
 • /store
 • /storetmp
 • /transient
5. Click Done on the Manual Partitioning window.
6. Follow the instructions in the wizard to complete the installation:
a. Click Network & Host Name.
b. Enter the host name for your appliance.
c. Select the interface in the list, move the switch to the ON position, and click Configure.
d. On the General tab, select the “Automatically connect to this network when it is available” option.
e. On the IPv4 Settings tab, in the Method list, select Manual.
f. Click Add to enter the IP address, netmask, and gateway for the appliance in the Addresses field.
g. Add two DNS servers.
h. Click Save, click Done, and then click Begin Installation.
7. Set the root password, and then click Finish Configuration.
8. Restart the host after the Red Hat Enterprise Linux V7.3 installation finishes.
4.4.5 Completing the QRadar installation
After you configure Red Hat Enterprise Linux V7.3, complete the IBM Security QRadar installation by preparing for the QRadar installation wizard:
1. Use SSH to log in to the system as a root user.
2. Modify the SELINUX value in the /etc/sysconfig/selinux file to SELINUX=disabled, and restart the host.
3. Use SSH to log back in to the system as the root user.
4. Confirm that the /store partition is not mounted by typing the following command:
mount
If the /store partition is mounted, unmount the partition by typing the following command:
umount /store
5. Confirm that the /storetmp partition is mounted by typing the following command:
mount /storetmp
6. Create the /media/cdrom directory by typing the following command:
mkdir -p /media/cdrom
7. Mount the QRadar ISO by typing the following command:
mount /storetmp/730/<QRadar_ISO_name> /media/cdrom
8. Type the following command to begin the QRadar upgrade:
/media/cdrom/setup
9. After the installation finishes, clear your browser cache.
4.5 Health checks, monitoring tools
QRadar capabilities include monitoring features to view specific network activities. The next sections provide a brief description of these features that can be used by the administrator for a deeper understanding of network behavior.
4.5.1 QRadar basic procedures
Various controls on the QRadar user interface are common to most user interface tabs. Some information about these common procedures is described in the following sections.
Viewing messages
The Messages menu, which is on the upper, right corner of the user interface, provides access to a window in which you can read and manage your system notifications.
For system notifications to show on the Messages window, the administrator must create a rule that is based on each notification message type and select the Notify check box in the Custom Rules Wizard. The Messages menu indicates how many unread system notifications you have in your system.
Refreshing and pausing the user interface
The administrator can manually refresh, pause, and play the data that is displayed on tabs.
Dashboard tab
The Dashboard tab automatically refreshes every 60 seconds. The timer, which is on the upper, right corner of the interface, indicates the amount of time that remains until the tab is automatically refreshed. Click the title bar of any dashboard item to automatically pause the refresh time. The timer flashes red to indicate that the current display is paused.
Log Activity and Network Activity tabs
The Log Activity and Network Activity tabs automatically refresh every 60 seconds if the administrator is viewing the tab in Last Interval (auto refresh) mode. When the administrator views the Log Activity or Network Activity tab in Real Time (streaming) or Last Minute (auto refresh) mode, they can use the Pause icon to pause the current display.
Offenses tab
The Offenses tab must be refreshed manually. The timer, which is on the upper, right corner of the interface, indicates the amount of time since the data was last refreshed. The timer flashes red when the timer is paused.
4.5.2 Investigating IP addresses
You can use several methods to investigate information about IP addresses on the Dashboard, Log Activity, and Network Activity tabs. To investigate IP addresses:
1. Log in to QRadar.
2. Go to the tab that you want to view.
3. Move your mouse pointer over an IP address to view the location of the IP address.
4. Right-click the IP address or asset name and select one of the options shown in Table 4-2.
Table 4-2 Options for investigating IP addresses
Option | Description
Navigate → View by Network | Displays the networks that are associated with the selected IP address.
Navigate → View Source Summary | Displays the offenses that are associated with the selected source IP address.
Navigate → View Destination Summary | Displays the offenses that are associated with the selected destination IP address.
Information → DNS Lookup | Searches for DNS entries that are based on the IP address.
Information → WHOIS Lookup | Searches for the registered owner of a remote IP address. The default WHOIS server is whois.arin.net.
Information → Port Scan | Performs a Network Mapper (NMAP) scan of the selected IP address. This option is only available if NMAP is installed on your system. For more information about installing NMAP, see your vendor documentation.
Information → Asset Profile | Displays asset profile information. This option is displayed if IBM Security QRadar Vulnerability Manager is purchased and licensed. This menu option is available if QRadar acquired profile data either actively through a scan or passively through flow sources.
Information → Search Events | Searches for events that are associated with this IP address.
Information → Search Flows | Searches for flows that are associated with this IP address.
Information → Search Connections | Searches for connections that are associated with this IP address. This option is only displayed if you purchased IBM Security QRadar Risk Manager and connected QRadar and the IBM Security QRadar Risk Manager appliance.
Information → Switch Port Lookup | Determines the switch port on a Cisco IOS device for this IP address. This option applies only to switches that are discovered by using the Discover Devices option on the Risks tab. Note: This menu option isn’t available in QRadar Log Manager.
Information → View Topology | Displays the Risks tab, which depicts the layer 3 topology of your network. This option is available if you purchased IBM Security QRadar Risk Manager and connected QRadar and the IBM Security QRadar Risk Manager appliance.
Run Vulnerability Scan | Runs an IBM Security QRadar Vulnerability Manager scan on this IP address. This option is only displayed when IBM Security QRadar Vulnerability Manager has been purchased and licensed.
4.5.3 Investigating user names
You can right-click a user name to access more menu options. Use these options to view more information about the user name or the IP address. Also, you can investigate user names when IBM Security QRadar Vulnerability Manager is purchased and licensed. When you right-click a user name, you can choose from the menu options shown in Table 4-3.
Table 4-3 Options for investigating user names
Option | Description
View Assets | Displays current assets that are associated with the selected user name.
View User History | Displays all assets that are associated with the selected user name over the previous 24 hours.
View Events | Displays the events that are associated with the selected user name.