Building a Next-Gen SOC with IBM QRadar

Book description

Discover how different QRadar components fit together and explore its features and implementations based on your platform and environment. Purchase of the print or Kindle book includes a free PDF eBook.

Key Features

  • Get to grips with QRadar architecture, components, features, and deployments
  • Utilize IBM QRadar SIEM to respond to network threats in real time
  • Learn how to integrate AI into threat management by using QRadar with Watson

Book Description

This comprehensive guide to QRadar will help you build an efficient security operations center (SOC) for threat hunting and need-to-know software updates, as well as understand compliance and reporting and how IBM QRadar stores network data in real time.

The book begins with a quick introduction to QRadar components and architecture, teaching you the different ways of deploying QRadar. You’ll grasp the importance of being aware of the major and minor upgrades in software and learn how to scale, upgrade, and maintain QRadar. Once you gain a detailed understanding of QRadar and how its environment is built, the chapters will take you through the features and how they can be tailored to meet specific business requirements. You’ll also explore events, flows, and searches with the help of examples. As you advance, you’ll familiarize yourself with predefined QRadar applications and extensions that successfully mine data and find out how to integrate AI in threat management with confidence. Toward the end of this book, you’ll create different types of apps in QRadar, troubleshoot and maintain them, and recognize the current security challenges and address them through QRadar XDR.

By the end of this book, you’ll be able to apply IBM QRadar SOC’s prescriptive practices and leverage its capabilities to build a very efficient SOC in your enterprise.

What you will learn

  • Discover how to effectively use QRadar for threat management
  • Understand the functionality of different QRadar components
  • Find out how QRadar is deployed on bare metal, cloud solutions, and VMs
  • Proactively keep up with software upgrades for QRadar
  • Understand how to ingest and analyze data and then correlate it in QRadar
  • Explore various searches, and learn how to tune and optimize them
  • See how to maintain and troubleshoot the QRadar environment with ease

Who this book is for

This book is for security professionals, SOC analysts, security engineers, and anyone in cybersecurity looking to enhance their SOC and SIEM skills and interested in using IBM QRadar to investigate incidents in their environment and provide the necessary security analytics to the responsible teams. Basic experience with networking tools and knowledge of cybersecurity threats is necessary to grasp the concepts presented in this book.

Table of contents

  1. Building a Next-Gen SOC with IBM QRadar
  2. Foreword
  3. Contributors
  4. About the author
  5. About the reviewers
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share your thoughts
    8. Download a free PDF copy of this book
  7. Part 1: Understanding Different QRadar Components and Architecture
  8. Chapter 1: QRadar Components
    1. Understanding the QRadar Console
      1. Tomcat
      2. Hostcontext
      3. Hostservices
    2. Exploring event data
      1. Event Processor
      2. Event Collector
    3. Exploring flow data
      1. Flow Processor
      2. Flow Collector
    4. Getting to know the Data Node
    5. Other QRadar components
      1. QRadar Network Insights
      2. QRadar Incident Forensics
      3. QRadar Packet Capture
      4. QRadar Vulnerability Manager
      5. QRadar Risk Manager
      6. QRadar App Host
    6. Summary
  9. Chapter 2: How QRadar Components Fit Together
    1. All-in-one deployment
    2. Distributed deployment
    3. QRadar Incident Forensics (QRIF)
    4. QRadar Risk Manager
    5. Summary
  10. Chapter 3: Managing QRadar Deployments
    1. Understanding different types of QRadar deployments
      1. QRadar appliances
      2. QRadar installed on virtual machines
      3. QRadar on bare-metal servers
      4. QRadar installation on cloud solutions
      5. QRadar Community Edition
    2. Installing QRadar
    3. Upgrading QRadar deployments
      1. Upgrading the QRadar version
      2. Upgrading QRadar appliance firmware
    4. Scaling QRadar deployments
      1. Scaling by adding data nodes
      2. Scaling by adding processors
      3. Scaling by adding collectors
      4. Scaling by adding CPU and memory on QRadar appliances
    5. Licensing
    6. Summary
  11. Part 2: QRadar Features and Deployment
  12. Chapter 4: Integrating Logs and Flows in QRadar
    1. Exploring protocols and DSMs
      1. How to transfer data from applications to QRadar
      2. How to parse or make sense of data that is received
    2. Services involved in the integration of an event log
    3. Understanding flows and types of flows
      1. Internal flow sources
      2. External flow sources
      3. Superflows and their types
    4. Getting to know DLC
    5. Summary
  13. Chapter 5: Leaving No Data Behind
    1. Understanding queues and buffers
      1. Persistent queues
      2. In-memory queues and disk buffers
    2. Getting to know DSM Editor
    3. Summary
  14. Chapter 6: QRadar Searches
    1. How do searches work?
    2. Services involved in a QRadar search
    3. Different types of QRadar searches
      1. Default searches
      2. Customized searches
      3. Searches using quick filter
    4. Data accumulation
    5. QRadar search tuning
      1. Indexing and index management
      2. The sequence of filters used in a query
      3. Creating a MADV
    6. Summary
  15. Chapter 7: QRadar Rules and Offenses
    1. Different types of QRadar rules
    2. Understanding the Rule Wizard
      1. Rule name
      2. Rule systems
      3. Rule conditions
      4. Rule actions
      5. Rule responses
      6. Using reference data in rules
      7. Building blocks
    3. What is historical rule correlation?
    4. Offense generation and management
    5. Summary
  16. Part 3: Understanding QRadar Apps, Extensions, and Their Deployment
  17. Chapter 8: The Insider Threat – Detection and Mitigation
    1. Insider threats – detection and mitigation challenges
    2. What is UBA?
    3. Setting up QRadar UBA
      1. Installing QRadar UBA
      2. Importing users into QRadar UBA
      3. QRadar UBA internals
    4. How does QRadar UBA work?
    5. Understanding the UBA dashboard
    6. Integration with the ML app
    7. UBA application tuning
    8. Understanding the QRadar NTA app
    9. Summary
  18. Chapter 9: Integrating AI into Threat Management
    1. QRadar Assistant app – a quick overview
    2. QRadar Advisor with Watson
      1. QRAW integration with IBM QRadar SOAR
    3. QRadar Use Case Manager app
    4. Summary
  19. Chapter 10: Re-Designing User Experience
    1. QRadar Analyst Workflow
      1. Exploring the Search view
      2. Offenses view
    2. QRadar Pulse dashboard app
    3. QRadar Experience Center
    4. Creating your own app
    5. Summary
  20. Chapter 11: WinCollect – the Agent for Windows
    1. Understanding WinCollect
    2. The types of WinCollect agents
      1. Managed WinCollect agents
      2. Standalone WinCollect agents
    3. Tuning WinCollect
      1. Log source configuration
      2. XPath query configuration
    4. Summary
  21. Chapter 12: Troubleshooting QRadar
    1. Exploring log source and flow integration issues
      1. Autoupdate issues
      2. Log source configuration issues
      3. Flow integration issues
      4. Understanding QRadar deployment issues
      5. Investigating QRadar app issues
      6. Exploring QRadar performance issues
    2. QRadar FAQs answered
      1. Query 1
      2. Query 2
      3. Query 3
      4. Query 4
      5. Query 5
      6. Query 6
      7. Query 7
      8. Query 8
      9. Query 9
      10. Query 10
      11. Query 11
    3. A next-generation QRadar sneak peek
    4. Summary
    5. Further reading
  22. Index
    1. Why subscribe?
  23. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Building a Next-Gen SOC with IBM QRadar
  • Author(s): Ashish M Kothekar, Sandeep Patil
  • Release date: June 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781801076029