qradar 7.2 admin guide

Upload: rgarcp2348

Post on 02-Jun-2018


    8/10/2019 QRadar 7.2 Admin Guide (page 1/347)

    IBM Security QRadar SIEM Version 7.2.0

    Administration Guide


    CONTENTS

    ABOUT THIS GUIDE
    Intended audience . . . 1
    Conventions . . . 1
    Technical documentation . . . 1
    Contacting customer support . . . 1
    Statement of good security practices . . . 2

    1 OVERVIEW
    Supported web browsers . . . 3
    Admin tab overview . . . 3
    Deploying changes . . . 4
    Updating user details . . . 5
    Resetting SIM . . . 6
    Monitoring QRadar SIEM systems with SNMP . . . 7

    2 USER MANAGEMENT
    User management overview . . . 9
    Role management . . . 9
      Creating a user role . . . 9
      Editing a user role . . . 10
      Deleting a user role . . . 10
    Managing security profiles . . . 11
      Permission precedences . . . 11
      Creating a security profile . . . 12
      Editing a security profile . . . 13
      Duplicating a security profile . . . 14
      Deleting a security profile . . . 14
    User account management . . . 15
      Creating a user account . . . 15
      Editing a user account . . . 16
      Deleting a user account . . . 17
    Authentication management . . . 17
      Authentication overview . . . 17
      Before you begin . . . 18
      Configuring system authentication . . . 18
      Configuring RADIUS authentication . . . 19


      Configuring TACACS authentication . . . 19
      Configuring Active Directory authentication . . . 20
      Configuring LDAP authentication . . . 21
      Configuring your SSL or TLS certificate . . . 22
    User role parameters . . . 22
    Security profile parameters . . . 25
    User Management window parameters . . . 25
    User management window toolbar . . . 26
    User Details window parameters . . . 26

    3 MANAGING THE SYSTEM AND LICENSES
    System and License Management window overview . . . 29
    License management . . . 34
      Uploading a license key . . . 35
      Allocating a system to a license . . . 36
      Reverting an allocation . . . 37
      Viewing license details . . . 37
      Exporting a license . . . 38
    System management . . . 39
      Viewing system details . . . 39
      Allocating a license to a system . . . 41
      Restarting a system . . . 42
      Shutting down a system . . . 42
    Access setting management . . . 43
      Configuring firewall access . . . 43
      Updating your host setup . . . 44
      Configuring interface roles . . . 45
      Changing passwords . . . 46
    Time server configuration . . . 46
      Configuring your time server using RDATE . . . 47
      Manually configuring time settings for your system . . . 48

    4 USER INFORMATION SOURCE CONFIGURATION
    User information source overview . . . 51
      User information sources . . . 51
      Reference data collections for user information . . . 52
      Integration workflow example . . . 53
      User information source configuration and management task overview . . . 54
    Configuring the Tivoli Directory Integrator server . . . 54
    Creating and managing user information source . . . 57
      Creating a user information source . . . 57
      Retrieving user information sources . . . 58
      Editing a user information source . . . 59
      Deleting a user information source . . . 59
    Collecting user information . . . 60


    Deleting reference sets . . . 106
    Viewing the contents of a reference set . . . 106
    Adding a new element to a reference set . . . 108
    Deleting elements from a reference set . . . 109
    Importing elements into a reference set . . . 109
    Exporting elements from a reference set . . . 109

    7 MANAGING AUTHORIZED SERVICES
    Authorized services overview . . . 111
    Viewing authorized services . . . 111
    Adding an authorized service . . . 112
    Revoking authorized services . . . 112
    Customer support authenticated service . . . 113
      Dismissing an offense . . . 113
      Closing an offense . . . 113
      Adding notes to an offense . . . 114

    8 MANAGING BACKUP AND RECOVERY
    Backup and Recovery Overview . . . 115
    Backup archive management . . . 116
      Viewing backup archives . . . 116
      Importing a backup archive . . . 117
      Deleting a backup archive . . . 118
    Backup archive creation . . . 118
      Configuring your scheduled nightly backup . . . 118
      Creating an on-demand configuration backup archive . . . 121
    Backup archive restoration . . . 122
      Restoring a backup archive . . . 122
      Restoring a backup archive created on a different QRadar SIEM system . . . 125

    9 USING THE DEPLOYMENT EDITOR
    Deployment editor requirements . . . 129
    About the deployment editor user interface . . . 129
      Menu options . . . 131
      Toolbar functions . . . 132
      Configuring deployment editor preferences . . . 132
    Building your deployment . . . 132
    Event view management . . . 133
      QRadar SIEM components . . . 133
      Adding components . . . 135
      Connecting components . . . 136
      Forwarding normalized events and flows . . . 138
      Renaming components . . . 141
    System view management . . . 141
      About the System View page . . . 141
      Software version requirements . . . 142


      Encryption . . . 142
      Adding a managed host . . . 143
      Editing a managed host . . . 144
      Removing a managed host . . . 145
      Configuring a managed host . . . 145
      Assigning a component to a host . . . 146
      Configuring Host Context . . . 146
      Configuring an accumulator . . . 148
    NAT management . . . 149
      About NAT . . . 149
      Adding a NATed Network to QRadar SIEM . . . 150
      Editing a NATed network . . . 151
      Deleting a NATed network From QRadar SIEM . . . 151
      Changing the NAT status for a Managed Host . . . 151
    Component configuration . . . 152
      Configuring a QFlow Collector . . . 152
      Configuring an Event Collector . . . 157
      Configuring an Event Processor . . . 159
      Configuring the Magistrate . . . 160
      Configuring an off-site source . . . 161
      Configuring an off-site target . . . 161

    10 MANAGING FLOW SOURCES
    Flow source overview . . . 163
      NetFlow . . . 164
      IPFIX . . . 165
      sFlow . . . 166
      J-Flow . . . 166
      Packeteer . . . 167
      Flowlog file . . . 167
      Napatech interface . . . 167
    Flow source management . . . 167
      Adding a Flow Source . . . 167
      Editing a flow source . . . 170
      Enabling and Disabling a Flow Source . . . 170
      Deleting a Flow Source . . . 170
    Managing flow source aliases . . . 171
      About flow source aliases . . . 171
      Adding a flow source alias . . . 171
      Editing a flow source alias . . . 172
      Deleting a flow source alias . . . 172

    11 CONFIGURING REMOTE NETWORKS AND SERVICES
    Remote networks and services overview . . . 173
      Default remote network groups . . . 173
      Default remote service groups . . . 174
      Best Practices . . . 174


    Managing remote networks . . . 175
      Adding a remote networks object . . . 175
      Editing a remote networks object . . . 175
    Managing remote services . . . 177
      Adding a remote services object . . . 177
      Editing a Remote Services Object . . . 177

    12 SERVER DISCOVERY
    Server discovery overview . . . 179
    Discovering servers . . . 179

    13 FORWARDING EVENT DATA
    Event forwarding overview . . . 181
    Add forwarding destinations . . . 182
    Configuring bulk event forwarding . . . 183
    Configuring selective event forwarding . . . 185
    Forwarding destinations management tasks . . . 185
      Viewing forwarding Destinations . . . 185
      Enabling and disabling a forwarding destination . . . 187
      Resetting the counters . . . 187
      Editing a forwarding destination . . . 187
      Delete a forwarding destination . . . 188
    Managing routing rules . . . 188
      Viewing rules . . . 188
      Editing a routing rule . . . 188
      Enabling or disabling a routing rule . . . 190
      Deleting a routing rule . . . 190

    14 STORING AND FORWARDING EVENTS
    Store and forward overview . . . 191
    Viewing the Store and Forward Schedule list . . . 191
    Creating a New Store and Forward Schedule . . . 196
    Editing a Store and Forward Schedule . . . 199
    Deleting a Store and Forward Schedule . . . 200

    15 DATA OBFUSCATION
    Data obfuscation overview . . . 201
    Generating a private/public key pair . . . 202
    Configuring data obfuscation . . . 204
    Decrypting obfuscated data . . . 207

    A ENTERPRISE TEMPLATE
    Default rules . . . 209
    Default building blocks . . . 231


    B VIEWING AUDIT LOGS
    Audit log overview . . . 267
    Viewing the audit log file . . . 267
    Logged actions . . . 268

    C EVENT CATEGORIES
    High-level event categories . . . 273
    Recon . . . 274
    DoS . . . 275
    Authentication . . . 278
    Access . . . 283
    Exploit . . . 286
    Malware . . . 287
    Suspicious Activity . . . 288
    System . . . 291
    Policy . . . 295
    Unknown . . . 296
    CRE . . . 296
    Potential Exploit . . . 297
    User Defined . . . 298
    SIM Audit . . . 300
    VIS Host Discovery . . . 301
    Application . . . 301
    Audit . . . 323
    Risk . . . 324
    Risk Manager Audit . . . 325
    Control . . . 325
    Asset Profiler . . . 327

    D NOTICES AND TRADEMARKS
    Notices . . . 331
    Trademarks . . . 333

    INDEX


    IBM Security QRadar SIEM Administration Guide

    ABOUT THIS GUIDE

    Statement of good security practices

    IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


    1 OVERVIEW

    This overview includes general information on how to access and use the QRadar SIEM user interface and the Admin tab.

    Supported web browsers

    You can access the Console from a standard web browser. When you access the system, a prompt is displayed asking for a user name and a password, which must be configured in advance by the QRadar SIEM administrator.

    Admin tab overview

    The Admin tab provides several tab and menu options that allow you to configure QRadar SIEM.

    You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab on the QRadar SIEM user interface.

    The Admin tab provides access to the following functions:

    • Manage users. See User management.
    • Manage your network settings. See Managing the system and licenses.
    • Manage high availability. See the IBM Security QRadar High Availability Guide.
    • Manage QRadar SIEM settings. See Setting Up QRadar SIEM.

    Table 1-1 Supported web browsers

    Web browser                            Supported versions
    Mozilla Firefox                        10.0 ESR, 17.0 ESR
    Microsoft Windows Internet Explorer    8.0, 9.0
    Google Chrome                          Latest version

    Mozilla Firefox: Due to Mozilla's short release cycle, we cannot commit to testing on the latest versions of the Mozilla Firefox web browser. However, we are fully committed to investigating any issues that are reported.

    Google Chrome: We are fully committed to investigating any issues that are reported.


    • Manage reference sets. See Managing reference sets.
    • Manage authorized services. See Managing authorized services.
    • Back up and recover your data. See Managing backup and recovery.
    • Manage your deployment views. See Using the deployment editor.
    • Manage flow sources. See Managing flow sources.
    • Configure remote networks and remote services. See Configuring remote networks and services.
    • Discover servers. See Server discovery.
    • Configure syslog forwarding. See Forwarding event data.
    • Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.
    • Configure plug-ins. For more information, see the associated documentation.
    • Configure the IBM Security QRadar Risk Manager. For more information, see the IBM Security QRadar Risk Manager Users Guide.
    • Manage log sources. For more information, see the IBM Security QRadar Log Sources Users Guide.

    The Admin tab also includes the following menu options:

    Deploying changes

    When you update your configuration settings using the Admin tab, your changes are saved to a staging area where they are stored until you manually deploy the changes.

    About this task

    Each time you access the Admin tab and each time you close a window on the Admin tab, a banner at the top of the Admin tab displays the following message: Checking for undeployed changes. If undeployed changes are found, the banner updates to provide information about the undeployed changes.

    Table 1-2 Admin tab menu options

    Deployment Editor: Opens the Deployment Editor window. For more information, see Using the deployment editor.

    Deploy Changes: Deploys any configuration changes from the current session to your deployment. For more information, see Deploying changes.

    Advanced: The Advanced menu provides the following options:
    • Clean SIM Model - Resets the SIM module. See Resetting SIM.
    • Deploy Full Configuration - Deploys all configuration changes. For more information, see Deploying changes.


    If the list of undeployed changes is lengthy, a scroll bar is provided to allow you to scroll through the list.

    The banner message also recommends which type of deployment change to make. The two options are:

    • Deploy Changes - Click the Deploy Changes icon on the Admin tab toolbar to deploy any configuration changes from the current session to your deployment.
    • Deploy Full Configuration - Select Advanced > Deploy Full Configuration from the Admin tab menu to deploy all configuration settings to your deployment. All deployed changes are then applied throughout your deployment.

    CAUTION: When you click Deploy Full Configuration, QRadar SIEM restarts all services, which results in a gap in data collection for events and flows until deployment completes.

    After you deploy your changes, the banner clears the list of undeployed changes and checks the staging area again for any new undeployed changes. If none are present, the following message is displayed: There are no changes to deploy.

    Procedure

    Step 1 Click View Details .

    The details are displayed in groups.

    Step 2 Choose one of the following options:

To expand a group to display all items, click the plus sign (+) beside the text. When done, you can click the minus sign (-).

To expand all groups, click Expand All. When done, you can click Collapse All.

Click Hide Details to hide the details from view again.

Step 3 Perform the recommended task. Recommendations might include:

From the Admin tab menu, click Deploy Changes.

From the Admin tab menu, click Advanced > Deploy Full Configuration.

Updating user details

You can access your administrative user details through the main QRadar SIEM interface.

Procedure

Step 1 Click Preferences.

Step 2 Optional. Update the configurable user details:

Parameter Description

Email - Type a new email address.

Password - Type a new password.


    Step 7 When the SIM reset process is complete, click Close .

    Step 8 When the SIM reset process is complete, reset your browser.

Monitoring QRadar SIEM systems with SNMP

QRadar SIEM supports the monitoring of our appliances through SNMP polling. QRadar SIEM uses the Net-SNMP agent, which supports a variety of system resource monitoring MIBs that can be polled by Network Management solutions for the monitoring and alerting of system resources. For more information on Net-SNMP, refer to the Net-SNMP documentation.


    2 USER MANAGEMENT

When you initially configure IBM Security QRadar SIEM, you must create user accounts for all users that require access to QRadar SIEM. After initial configuration, you can edit user accounts to ensure that user information is current. You can also add and delete user accounts as required.

User management overview

A user account defines the user name, default password, and email address for a user. For each new user account you create, you must assign the following items:

User role - Determines the privileges the user is granted to access functionality and information in QRadar SIEM. QRadar SIEM includes two default user roles: Admin and All. Before you add user accounts, you must create additional user roles to meet the specific permissions requirement of your users.

Security profile - Determines the networks and log sources the user is granted access to. QRadar SIEM includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources. Before you add user accounts, you must create additional security profiles to meet the specific access requirements of your users.

Role management

Using the User Roles window, you can create and manage user roles.

Creating a user role

Before you can create user accounts, you must create the user roles required for your deployment. By default, QRadar SIEM provides a default administrative user role, which provides access to all areas of QRadar SIEM.

Before you begin

Users who are assigned an administrative user role cannot edit their own account. This restriction applies to the default Admin user role. Another administrative user must make any account changes.

    Procedure

    Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration > User Management.

    Step 3 Click the User Roles icon.


    Step 4 On the toolbar, click New .

    Step 5 Configure the following parameters:

    a In the User Role Name field, type a unique name for this user role.

b Select the permissions you want to assign to this user role. See Table 2-1.

Step 6 Click Save.

Step 7 Close the User Role Management window.

Step 8 On the Admin tab menu, click Deploy Changes.

Editing a user role

You can edit an existing role to change the permissions assigned to the role.

About this task

To quickly locate the user role you want to edit on the User Role Management window, you can type a role name in the Type to filter text box, which is located above the left pane.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .

    Step 3 Click the User Roles icon.

Step 4 In the left pane of the User Role Management window, select the user role you want to edit.

Step 5 On the right pane, update the permissions, as necessary. See Table 2-1.

Step 6 Click Save.

Step 7 Close the User Role Management window.

Step 8 On the Admin tab menu, click Deploy Changes.

Deleting a user role

If a user role is no longer required, you can delete the user role.

About this task

If user accounts are assigned to the user role you want to delete, you must reassign the user accounts to another user role. QRadar SIEM automatically detects this condition and prompts you to update the user accounts.

To quickly locate the user role you want to delete on the User Role Management window, you can type a role name in the Type to filter text box, which is located above the left pane.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .

    Step 3 Click the User Roles icon.


Step 4 In the left pane of the User Role Management window, select the role you want to delete.

Step 5 On the toolbar, click Delete.

Step 6 Click OK.

If user accounts are assigned to this user role, the Users are Assigned to this User Role window opens. Go to Step 7.

If no user accounts are assigned to this role, the user role is successfully deleted. Go to Step 8.

    Step 7 Reassign the listed user accounts to another user role:

    a From the User Role to assign list box, select a user role.

    b Click Confirm .

    Step 8 Close the User Role Management window.

    Step 9 On the Admin tab menu, click Deploy Changes .

Managing security profiles

Security profiles define which networks and log sources a user can access and the permission precedence. Using the Security Profile Management window, you can view, create, update, and delete security profiles.

Permission precedences

Permission precedence determines which Security Profile components to consider when the system displays events in the Log Activity tab and flows in the Network Activity tab.

Permission precedence options include:

No Restrictions - This option does not place restrictions on which events are displayed in the Log Activity tab and which flows are displayed in the Network Activity tab.

Network Only - This option restricts the user to only view events and flows associated with the networks specified in this security profile.

Log Sources Only - This option restricts the user to only view events associated with the log sources specified in this security profile.

Networks AND Log Sources - This option allows the user to only view events and flows associated with the log sources and networks specified in this security profile.

For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is not displayed in the Log Activity tab. The event must match both requirements.

Networks OR Log Sources - This option allows the user to only view events and flows associated with the log sources or networks specified in this security profile.


For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is displayed in the Log Activity tab. The event only needs to match one requirement.
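The following is an added example, not code from the guide or from QRadar itself: it models the five permission precedence options above as a visibility decision and runs it over constructed sample events, so the difference between the AND and OR options (the guide's restricted-destination example is hidden under one and shown under the other) can be seen directly. The event field names, the CIDR representation of assigned networks, and the rule that an event is "associated with" a network when its destination address lies in an assigned network are assumptions made for illustration.

```python
"""Added example (not QRadar's own code): the five permission precedence
options from the "Permission precedences" section, modelled as a visibility
decision and run over constructed sample events.

Assumptions for illustration: an event is associated with a network when its
destination address lies in one of the profile's assigned networks (given
here as CIDR strings), and with a log source when its log source name is in
the profile's assigned log sources.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Option names exactly as they appear in the Permission Precedence Setting pane.
NO_RESTRICTIONS = "No Restrictions"
NETWORK_ONLY = "Network Only"
LOG_SOURCES_ONLY = "Log Sources Only"
NETWORKS_AND_LOG_SOURCES = "Networks AND Log Sources"
NETWORKS_OR_LOG_SOURCES = "Networks OR Log Sources"


@dataclass
class SecurityProfile:
    name: str
    precedence: str
    networks: list = field(default_factory=list)    # assumed: CIDR strings
    log_sources: set = field(default_factory=set)   # assumed: log source names


def network_match(profile, event):
    """True when the event's destination address is in an assigned network."""
    dst = ip_address(event["dst_ip"])
    return any(dst in ip_network(cidr) for cidr in profile.networks)


def log_source_match(profile, event):
    """True when the event came from an assigned log source."""
    return event["log_source"] in profile.log_sources


def is_visible(profile, event):
    """Apply the profile's permission precedence to a single event."""
    p = profile.precedence
    if p == NO_RESTRICTIONS:
        return True
    if p == NETWORK_ONLY:
        return network_match(profile, event)
    if p == LOG_SOURCES_ONLY:
        return log_source_match(profile, event)
    if p == NETWORKS_AND_LOG_SOURCES:
        # Both requirements must be met: allowed log source + restricted network is hidden.
        return network_match(profile, event) and log_source_match(profile, event)
    if p == NETWORKS_OR_LOG_SOURCES:
        # Either requirement is enough: the same event is shown.
        return network_match(profile, event) or log_source_match(profile, event)
    raise ValueError(f"unknown permission precedence: {p!r}")


def visible_ids(profile, events):
    """Return the ids of the events a user with this profile would see."""
    return [e["id"] for e in events if is_visible(profile, e)]


# Constructed sample events (not real data), covering every combination.
SAMPLE_EVENTS = [
    {"id": "allowed-src-allowed-net", "log_source": "Firewall-01", "dst_ip": "10.1.4.20"},
    {"id": "allowed-src-restricted-net", "log_source": "Firewall-01", "dst_ip": "192.168.50.9"},
    {"id": "restricted-src-allowed-net", "log_source": "Switch-07", "dst_ip": "10.1.9.2"},
    {"id": "restricted-src-restricted-net", "log_source": "Switch-07", "dst_ip": "172.16.0.8"},
]


def demo(precedence):
    """Build a constructed analyst profile with the given precedence and filter the samples."""
    profile = SecurityProfile(
        name="soc-tier1",                  # constructed profile name
        precedence=precedence,
        networks=["10.1.0.0/16"],          # constructed assigned network
        log_sources={"Firewall-01"},       # constructed assigned log source
    )
    return visible_ids(profile, SAMPLE_EVENTS)


if __name__ == "__main__":
    for option in (NO_RESTRICTIONS, NETWORK_ONLY, LOG_SOURCES_ONLY,
                   NETWORKS_AND_LOG_SOURCES, NETWORKS_OR_LOG_SOURCES):
        print(f"{option:26s} -> {demo(option)}")
```

Running the script prints, for each option, which of the four sample events remain visible; the event with an allowed log source but a restricted destination network appears only under No Restrictions, Log Sources Only and Networks OR Log Sources, which is the behaviour the two examples in the text describe.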

Creating a security profile

Before you add user accounts, you must create security profiles to meet the specific access requirements of your users.

About this task

QRadar SIEM includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources.

To select multiple items on the Security Profile Management window, hold the Control key while you select each network or network group you want to add.

If, after you add log sources or networks, you want to remove one or more before you save the configuration, you can select the item and click the Remove (<) icon.

Procedure

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration > User Management.

Step 3 Click the Security Profiles icon.

Step 4 On the Security Profile Management window toolbar, click New.

Step 5 Configure the following parameters:

a In the Security Profile Name field, type a unique name for the security profile.

The security profile name must meet the following requirements:
- Minimum of three characters
- Maximum of 30 characters

b Optional. Type a description of the security profile. The maximum number of characters is 255.

Step 6 Click the Permission Precedence tab.

Step 7 In the Permission Precedence Setting pane, select a permission precedence option. See Permission precedences.

Step 8 Configure the networks you want to assign to the security profile:

a Click the Networks tab.

b From the navigation tree in the left pane of the Networks tab, select the network you want this security profile to have access to. Choose one of the following options:

- From the All Networks list box, select a network group or network.

- Select the network group or network in the navigation tree.


    c Click the Add (>) icon to add the network to the Assigned Networks pane.

    d Repeat for each network you want to add.

    Step 9 Configure the log sources you want to assign to the security profile:

a Click the Log Sources tab.

b From the navigation tree in the left pane, select the log source group or log source you want this security profile to have access to. Choose one of the following options:

- From the Log Sources list box, select a log source group or log source.

- Double-click the folder icons in the navigation tree to navigate to a specific log source group or log source.

    c Click the Add (>) icon to add the log source to the Assigned Log Sources pane.

    d Repeat for each log source you want to add.

    Step 10 Click Save .

    Step 11 Close the Security Profile Management window.

    Step 12 On the Admin tab menu, click Deploy Changes .

Editing a security profile

You can edit an existing security profile to update which networks and log sources a user can access and the permission precedence.

About this task

To quickly locate the security profile you want to edit on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .

Step 3 Click the Security Profiles icon.

    Step 4 In the left pane, select the security profile you want to edit.

    Step 5 On the toolbar, click Edit .

    Step 6 Update the parameters as required.

    Step 7 Click Save .

Step 8 If the Security Profile Has Time Series Data window opens, select one of the following options:

Option Description

Keep Old Data and Save - Select this option to keep previously accumulated time series data. If you choose this option, issues might occur when users associated with this security profile view time series charts.

Hide Old Data and Save - Select this option to hide the time-series data. If you choose this option, time series data accumulation restarts after you deploy your configuration changes.

Step 9 Close the Security Profile Management window.

Step 10 On the Admin tab menu, click Deploy Changes.

Duplicating a security profile

If you want to create a new security profile that closely matches an existing security profile, you can duplicate the existing security profile and then modify the parameters.

About this task

To quickly locate the security profile you want to duplicate on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane.

Procedure

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration > User Management.

Step 3 Click the Security Profiles icon.

Step 4 In the left pane, select the security profile you want to duplicate.

Step 5 On the toolbar, click Duplicate.

Step 6 In the confirmation window, type a unique name for the duplicated security profile.

Step 7 Click OK.

Step 8 Update the parameters as required.

Step 9 Close the Security Profile Management window.

Step 10 On the Admin tab menu, click Deploy Changes.

Deleting a security profile

If a security profile is no longer required, you can delete the security profile.

About this task

If user accounts are assigned to the security profile you want to delete, you must reassign the user accounts to another security profile. QRadar SIEM automatically detects this condition and prompts you to update the user accounts.

To quickly locate the security profile you want to delete on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane.


    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .

Step 3 Click the Security Profiles icon.

Step 4 In the left pane, select the security profile you want to delete.

Step 5 On the toolbar, click Delete.

Step 6 Click OK.

If user accounts are assigned to this security profile, the Users are Assigned to this Security Profile window opens. Go to Step 7.

If no user accounts are assigned to this security profile, the security profile is successfully deleted. Go to Step 8.

Step 7 Reassign the listed user accounts to another security profile:

a From the User Security Profile to assign list box, select a security profile.

b Click Confirm.

    Step 8 Close the Security Profile Management window.

    Step 9 On the Admin tab menu, click Deploy Changes .

User account management

When you initially configure QRadar SIEM, you must create user accounts for each of your users. After initial configuration, you might be required to create additional user accounts or edit existing user accounts.

Creating a user account

You can create new user accounts.

Before you begin

Before you can create a user account, you must ensure that the required user role and security profile are created.

About this task

When you create a new user account, you must assign access credentials, a user role, and a security profile to the user. User Roles define what actions the user has permission to perform. Security Profiles define what data the user has permission to access.

You can create multiple user accounts that include administrative privileges; however, only user accounts with the Administrator Manager permission can create other administrative user accounts.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .


    Step 3 Click the Users icon.

    Step 4 On the User Management toolbar, click New .

    Step 5 Enter values for the following parameters:

a In the Username field, type a unique user name for the new user. The user name must contain a maximum of 30 characters.

b In the E-mail field, type the user's email address.

    The email address must meet the following requirements:

    - Must be a valid email address

    - Minimum of 10 characters

    - Maximum of 255 characters

    c In the Password field, type a password for the user to gain access. Thepassword must meet the following criteria:

    - Minimum of five characters

    - Maximum of 255 characters

    d In the Confirm Password field, type the password again for confirmation.

e Optional. Type a description for the user account. The maximum number of characters is 2,048.

f From the User Role list box, select the user role you want to assign to this user.

g From the Security Profile list box, select the security profile you want to assign to this user.

    Step 6 Click Save .

    Step 7 Close the User Details window.

    Step 8 Close the User Management window.

    Step 9 On the Admin tab menu, click Deploy Changes .

    Editing a user account

    You can edit an existing user account.

About this task

To quickly locate the user account you want to edit on the User Management window, you can type the user name in the Search User text box, which is located on the toolbar.

Procedure

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration > User Management.

    Step 3 Click the Users icon.

    Step 4 On the User Management window, select the user account you want to edit.

    Step 5 On the toolbar, click Edit .


Step 6 Update parameters, as necessary. See Table 2-3.

Step 7 Click Save.

Step 8 Close the User Details window.

Step 9 Close the User Management window.

Step 10 On the Admin tab menu, click Deploy Changes.

    Deleting a user account

    If a user account is no longer required, you can delete the user account.

About this task

After you delete a user, the user no longer has access to the QRadar SIEM user interface. If the user attempts to log in to QRadar SIEM, a message is displayed to inform the user that the user name and password are no longer valid. Items that a deleted user created, such as saved searches, reports, and assigned offenses, remain associated with the deleted user.

To quickly locate the user account you want to delete on the User Management window, you can type the user name in the Search User text box, which is located on the toolbar.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .

    Step 3 Click the Users icon.

    Step 4 Select the user you want to delete.

    Step 5 On the toolbar, click Delete .

    Step 6 Click OK .

    Step 7 Close the User Management window.

Authentication management

You can configure authentication to validate QRadar SIEM users and passwords. QRadar SIEM supports various authentication types. This topic provides information and instructions for how to configure authentication.

Authentication overview

When authentication is configured and a user enters an invalid user name and password combination, a message is displayed to indicate that the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before another attempt to access the system again. You can configure Console settings to determine the maximum number of failed logins, and other related settings. For more information on how to configure Console settings for authentication, see Setting Up QRadar SIEM - Configuring the Console settings.


An administrative user can access QRadar SIEM through a vendor authentication module or by using the local QRadar SIEM Admin password. The QRadar SIEM Admin password functions if you have set up and activated a vendor authentication module; however, you cannot change the QRadar SIEM Admin password while the authentication module is active. To change the QRadar SIEM admin password, you must temporarily disable the vendor authentication module, reset the password, and then reconfigure the vendor authentication module.

QRadar SIEM supports the following user authentication types:

System authentication - Users are authenticated locally by QRadar SIEM. This is the default authentication type.

RADIUS authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar SIEM encrypts the password only, and forwards the user name and password to the RADIUS server for authentication.

TACACS authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, QRadar SIEM encrypts the user name and password, and forwards this information to the TACACS server for authentication. TACACS Authentication uses Cisco Secure ACS Express as a TACACS server. QRadar SIEM supports up to Cisco Secure ACS Express 4.3.

Active directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.

LDAP - Users are authenticated by a Native LDAP server.

Before you begin

Before you can configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must perform the following tasks:

Configure the authentication server before you configure authentication in QRadar SIEM. See your server documentation for more information.

Ensure the server has the appropriate user accounts and privilege levels to communicate with QRadar SIEM. See your server documentation for more information.

Ensure the time of the authentication server is synchronized with the time of the QRadar SIEM server. For more information on how to set QRadar SIEM time, see Setting Up QRadar SIEM.

Ensure all users have appropriate user accounts and roles in QRadar SIEM to allow authentication with the vendor servers.

Configuring system authentication

    You can configure local authentication on your QRadar SIEM system.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .


Step 3 Click the Authentication icon.

Step 4 From the Authentication Module list box, select System Authentication.

Step 5 Click Save.

Configuring RADIUS authentication

You can configure RADIUS authentication on your QRadar SIEM system.

Procedure

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration > User Management.

Step 3 Click the Authentication icon.

Step 4 From the Authentication Module list box, select RADIUS Authentication.

Step 5 Configure the parameters:

a In the RADIUS Server field, type the host name or IP address of the RADIUS server.

b In the RADIUS Port field, type the port of the RADIUS server.

c From the Authentication Type list box, select the type of authentication you want to perform. The options are:

Option Description

CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.

MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.

ARAP - Apple Remote Access Protocol (ARAP) establishes authentication for AppleTalk network traffic.

PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server.

d In the Shared Secret field, type the shared secret that QRadar SIEM uses to encrypt RADIUS passwords for transmission to the RADIUS server.

Step 6 Click Save.

Configuring TACACS authentication

You can configure TACACS authentication on your QRadar SIEM system.

Procedure

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration > User Management.

Step 3 Click the Authentication icon.

Step 4 From the Authentication Module list box, select TACACS Authentication.

Step 5 Configure the parameters:

a In the TACACS Server field, type the host name or IP address of the TACACS server.

b In the TACACS Port field, type the port of the TACACS server.

c From the Authentication Type list box, select the type of authentication you want to perform. The options are:

Option Description

ASCII - American Standard Code for Information Interchange (ASCII) sends the user name and password in clear, unencrypted text.

PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server. This is the default authentication type.

CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.

MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.

MSCHAP2 - Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP2) authenticates remote Windows workstations using mutual authentication.

EAPMD5 - Extensible Authentication Protocol using MD5 Protocol (EAPMD5) uses MD5 to establish a PPP connection.

d In the Shared Secret field, type the shared secret that QRadar SIEM uses to encrypt TACACS passwords for transmission to the TACACS server.

Step 6 Click Save.

Configuring Active Directory authentication

You can configure Active Directory authentication on your QRadar SIEM system.

Procedure

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click System Configuration > User Management.

Step 3 Click the Authentication icon.

Step 4 From the Authentication Module list box, select Active Directory.

Step 5 Configure the following parameters:

Parameter Description

Server URL - Type the URL used to connect to the LDAP server. For example, ldaps://:. You can use a space-separated list to specify multiple LDAP servers.

LDAP Context - Type the LDAP context you want to use, for example, DC=QRADAR,DC=INC.

LDAP Domain - Type the domain you want to use, for example qradar.inc.


    Step 6 Click Save .

Configuring LDAP authentication

You can configure LDAP authentication on your QRadar SIEM system.

Before you begin

If you plan to enable the SSL or TLS connection to your LDAP server, you must import the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your QRadar SIEM Console system. For more information on how to configure the SSL certificate, see Configuring Your SSL or TLS certificate.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration > User Management .

Step 3 Click the Authentication icon.

Step 4 From the Authentication Module list box, select LDAP.

Step 5 Configure the following parameters:

Parameter Description

Server URL - Type the URL used to connect to the LDAP server. For example, ldaps://:. You can use a space-separated list to specify multiple LDAP servers.

SSL Connection - Select True to use Secure Socket Layer (SSL) encryption to connect to the LDAP server. If SSL encryption is enabled, the value in the Server URL field must specify a secure connection. For example, ldaps://secureldap.mydomain.com:636.

TLS Authentication - From the list box, select True to start Transport Layer Security (TLS) encryption to connect to the LDAP server. The default is True. TLS is negotiated as part of the normal LDAP protocol and does not require a special protocol designation or port in the Server URL field.

Search Entire Base - Select one of the following options:
- True - Enables you to search all subdirectories of the specified Directory Name (DN).
- False - Enables you to search the immediate contents of the Base DN. The subdirectories are not searched.

LDAP User Field - Type the user field identifier you want to search on, for example, uid. You can use a comma-separated list to search for multiple user identifiers.

Base DN - Type the base DN required to perform searches, for example, DC=IBM,DC=INC.

Step 6 Click Save.


Configuring Your SSL or TLS certificate

If you use LDAP for user authentication and you want to enable SSL or TLS, you must configure your SSL or TLS certificate.

Procedure

Step 1 Using SSH, log in to your system as the root user.

User Name: root
Password:

Step 2 Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:

mkdir -p /opt/qradar/conf/trusted_certificates

Step 3 Copy the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your QRadar SIEM system.

Step 4 Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted. QRadar SIEM only loads .cert files.
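As an added check for Step 4, the following script is not part of the guide or of QRadar: it lists the contents of the trusted_certificates directory and reports which files QRadar SIEM will skip because their extension is not .cert. The PEM check (a .cert file that carries no BEGIN CERTIFICATE marker is reported as suspicious) is an assumption added here, not a statement from the guide; the demo runs the check on a temporary directory with constructed placeholder files rather than on the real path.

```python
"""Added example (not QRadar's own tooling): check what will be loaded from
the trusted_certificates directory before enabling SSL or TLS for LDAP.

From the guide: QRadar SIEM only loads files with the .cert extension from
/opt/qradar/conf/trusted_certificates. Assumption added here: a loadable file
should be a PEM certificate, so a .cert file without a BEGIN CERTIFICATE
marker is reported as suspicious.
"""
import os
import tempfile

TRUSTED_DIR = "/opt/qradar/conf/trusted_certificates"   # directory named in the guide
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"               # PEM check is an assumption


def check_trusted_certificates(directory=TRUSTED_DIR):
    """Classify files as (loaded, skipped_wrong_extension, suspicious_content)."""
    loaded, skipped, suspicious = [], [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue                      # subdirectories are not certificate files
        if not name.endswith(".cert"):
            skipped.append(name)          # QRadar SIEM will not load this file
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        (loaded if PEM_MARKER in head else suspicious).append(name)
    return loaded, skipped, suspicious


def demo():
    """Run the check on a constructed temporary directory (no real certificates)."""
    # Constructed placeholder contents; the body is not a real certificate.
    fake_pem = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "ldap-ca.cert": fake_pem,             # correct extension, PEM body
            "ldap-ca.crt": fake_pem,              # common extension, but not loaded
            "ldap-ca.pem": fake_pem,              # likewise not loaded
            "ldap-ca-der.cert": b"\x30\x82\x01",  # right extension, DER bytes, flagged
        }
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        os.mkdir(os.path.join(tmp, "backup"))     # subdirectory, ignored
        return check_trusted_certificates(tmp)


if __name__ == "__main__":
    loaded, skipped, suspicious = demo()
    print("loaded:", loaded)
    print("skipped (extension is not .cert):", skipped)
    print("suspicious (.cert but not PEM):", suspicious)
```

To use it against a Console, call check_trusted_certificates() with no argument after Step 3; any file in the skipped list needs to be renamed to the .cert extension before QRadar SIEM will trust it.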

User role parameters

The following table provides descriptions for the User Role Management window parameters:

Table 2-1 User Role Management window parameters

Parameter Description

User Role Name - Type a unique name for the role. The user role name must meet the following requirements:
- Minimum of three characters
- Maximum of 30 characters

Admin - Select this check box to grant the user administrative access to the QRadar SIEM user interface. After you select the Admin check box, all permissions check boxes are selected by default. Within the Admin role, you can grant individual access to the following Admin permissions:
- Administrator Manager - Select this check box to allow users to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
- Remote Networks and Services Configuration - Select this check box to allow users to configure remote networks and services on the Admin tab.
- System Administrator - Select this check box to allow users to access all areas of QRadar SIEM. Users with this access are not able to edit other administrator accounts.

Offenses - Select this check box to grant the user access to all Offenses tab functionality. Within the Offenses role, you can grant individual access to the following permissions:
- Assign Offenses to Users - Select this check box to allow users to assign offenses to other users.
- Maintain Custom Rules - Select this check box to allow users to create and edit custom rules. If you select this check box, the View Custom Rules check box is automatically selected.
- Manage Offense Closing Reasons - Select this check box to allow users to manage offense closing reasons.
- View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rules details. The user role is not able to create or edit custom rules.
For more information on the Offenses tab, see the IBM Security QRadar SIEM Users Guide.

Log Activity - Select this check box to grant the user access to all Log Activity tab functionality. Within the Log Activity role, you can also grant users individual access to the following permissions:
- Maintain Custom Rules - Select this check box to allow users to create or edit rules using the Log Activity tab.
- Manage Time Series - Select this check box to allow users to configure and view time series data charts.
- User Defined Event Properties - Select this check box to allow users to create custom event properties. For more information on custom event properties, see the IBM Security QRadar SIEM Users Guide.
- View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rules details. The user role is not able to create or edit custom rules.
For more information on the Log Activity tab, see the IBM Security QRadar SIEM Users Guide.

  • 8/10/2019 QRadar 7.2 Admin Guide

    34/347

    IBM Security QRadar SIEM Administration Guide

    24 USER MANAGEMENT

    Assets Select this check box to grant the user access to all Assets tab functionality. Within the Assets role, you can grantindividual access to the following permissions: Perform VA Scans - Select this check box to allow users

    to perform vulnerability assessment scans. For moreinformation on vulnerability assessment, see theManaging Vulnerability Assessment guide.

    Remove Vulnerabilities - Select this check box to allowusers to remove vulnerabilities from assets.

    Server Discovery - Select this check box to allow users todiscover servers.

    View VA Data - Select this check box to allow usersaccess to vulnerability assessment data. For moreinformation on vulnerability assessment, see theManaging Vulnerability Assessment guide.

    Network Activity Select this check box to grant the user access to all Network Activi ty tab functionality. Within the Network Activity role,you can grant individual access to the following permissions: Maintain Custom Rules - Select this check box to allow

    users to create or edit rules using the Network Activ ity tab.

    Manage Time Series - Select this check box to allowusers to configure and view time series data charts.

    User Defined Flow Properties - Select this check box toallow users to create custom flow properties.

    View Custo m Rules - Select this check box to allow thisuser role to view custom rules. This permission, whengranted to a user role that does not also have theMaintain Custom Rules permission, allows the user roleto view custom rules details. The user role is not able tocreate or edit custom rules.

    View Flow Content - Select this check box to allow usersaccess to flow data. For more information on flows, seethe IBM Security QRadar SIEM Users Guide .

    For more information on the Network Activi ty tab, see theIBM Security QRadar SIEM Users Guide.

    Reports Select this check box to grant the user access to all Reports tab functionality. Within the Reports role, you can grant usersindividual access to the following permissions: Distribute Reports v ia Email - Select this check box to

    allow users to distribute reports through email. Maintain Templates - Select this check box to allow users

    to edit report templates.For more information, see the IBM Security QRadar SIEMUsers Guide.

    Table 2-1 User Role Management window parameters (continued)

    Parameter Description

  • 8/10/2019 QRadar 7.2 Admin Guide

    35/347

    IBM Security QRadar SIEM Administration Guide

    Security profile parameters 25

    Security profileparameters

    The following table provides descriptions of the Security Profile Managementwindow parameters:

    User Managementwindow parameters

    The following table provides descriptions of User Management windowparameters:

    Vulnerability Manager This option is only available if IBM Security QRadar

    Vulnerability Manager is activated. Select this check box togrant users access to QRadar Vulnerability Managerfunctionality.For more information, see the IBM Security QRadarVulnerability Manager Users Guide .

    IP Right Click MenuExtensions

    Select this check box to grant the user access to optionsadded to the right-click menu.

    Risks This option is only available if IBM Security QRadar RiskManager is activated. Select this check box to grant usersaccess to QRadar Risk Manager functionality.For more information, see the IBM Security QRadar RiskManager Users Guide.

    Table 2-1 User Role Management window parameters (continued)

    Parameter Description

    Table 2-2 Security Profile Management window parameters

    Parameter Description

    Security ProfileName

    Type a unique name for the security profile. Thesecurity profile name must meet the followingrequirements: Minimum of three characters

    Maximum of 30 charactersDescription Optional. Type a description of the security

    profile. The maximum number of characters is255.

    Table 2-3 User Management window parameters

    Parameter Description

    Username Displays the user name of this user account.

    Description Displays the description of the user account.E-mail Displays the email address of this user account.User Role Displays the user role assigned to this user account.

    User Roles define what actions the user haspermission to perform.

  • 8/10/2019 QRadar 7.2 Admin Guide

    36/347

    IBM Security QRadar SIEM Administration Guide

    26 USER MANAGEMENT

    User managementwindow toolbar

    The following table provides descriptions of the User Management window toolbarfunctions:

    User Detailswindow parameters

    The following table provides descriptions of the User Details window parameters:

    Security Profile Displays the security profile assigned to this useraccount. Security Profiles define what data the userhas permission to access.

    Table 2-3 User Management window parameters (continued)

    Parameter Description

    Table 2-4 User Management window toolbar functions

    Function Description

    New Click this icon to create a user account. For moreinformation on how to create a user account, seeCreating a user accoun t .

    Edit Click this icon to edit the selected user account. Formore information on how to edit a user account, seeEditing a user account .

    Delete Click this icon to delete the selected user account.For more information on how to delete a useraccount, see Deleting a us er account .

    Search Users In this text box, you can type a keyword and thenpress Enter to locate a specific user account.

    Table 2-5 User Details window parameters

    Parameter Description

    Username Type a unique user name for the new user. The user name mustcontain a maximum of 30 characters.

    E-mail Type the users email address. The email address must meet thefollowing requirements: Must be a valid email address Minimum of 10 characters Maximum of 255 characters

    Password Type a password for the user to gain access. The password mustmeet the following criteria:

    Minimum of five characters Maximum of 255 characters

    Confirm Password Type the password again for confirmation.Description Optional. Type a description for the user account. The maximum

    number of characters is 2,048.

  • 8/10/2019 QRadar 7.2 Admin Guide

    37/347

    IBM Security QRadar SIEM Administration Guide

    User Details window parameters 27

    User Role From the list box, select the user role you want to assign to this

    user.To add, edit, or delete user roles, you can click the Manage UserRoles link. For information on user roles, see Rolemanagement .

    Security Profile From the list box, select the security profile you want to assign tothis user.To add, edit, or delete security profiles, you can click the ManageSecurity Profiles link. For information on security profiles, seeManaging security profiles .

    Table 2-5 User Details window parameters (continued)

    Parameter Description

    3 MANAGING THE SYSTEM AND LICENSES

    The System and License Management window provides information about each system and license in your deployment. The System and License Management window also provides options that you can use to manage your licenses, systems, and HA deployments.

    System and License Management window overview

    You can use the System and License Management window to manage your license keys, restart or shut down your system, and configure access settings.

    The toolbar on the System and License Management window provides the following functions:

    Table 3-1 System and License Management toolbar functions

    Allocate License to System
        Use this function to allocate a license to a system. When you select the License option from the Display list box, the label on this function changes to Allocate System to License. For more information, see Allocating a system to a license or Allocating a license to a system.

    Upload License
        Use this function to upload a license to your Console. For more information, see Uploading a license key.

    Actions (License)
        If you select Licenses from the Display list box in the Deployment Details pane, the following functions are available on the Actions menu:
        - Revert Allocation - Select this option to undo license changes. The action reverts the license to the previous state. If you select Revert Allocation on a deployed license within the allocation grace period, which is 14 days after deployment, the license state changes to Unlocked so that you can re-allocate the license to another system.
        - Delete License - Select a license from the list, and then select this option to delete the license from your system. This option is not available for undeployed licenses.
        - View License - Select a license from the list, and then select this option to view the Current License Details window. For more information, see Viewing license details.
        - Export Licenses - Select this option to export the listed licenses to an external file that you can store on your desktop system. For more information, see Exporting a license.

    Actions (System)
        If you select Systems from the Display list box in the Deployment Details pane, the following functions are available on the Actions menu:
        - View System - Select a system, and then select this option to view the System Details window. For more information, see Viewing system details.
        - Add HA Host - Select a system, and then select this option to add an HA host to the system to form an HA cluster. For more information about HA, see the IBM Security QRadar High Availability Guide.
        - Revert Allocation - Select this option to undo staged license changes. The configuration reverts to the last deployed license allocation. If you select Revert Allocation on a deployed license within the allocation grace period, which is 14 days after deployment, the license state changes to Unlocked so that you can re-allocate the license to another system.
        - Manage System - Select a system, and then select this option to open the System Setup window, which you can use to configure firewall rules, interface roles, passwords, and system time. For more information, see Access setting management.
        - Restart Web Server - Select this option to restart the user interface, when required. For example, you might be required to restart your user interface after you install a new protocol that introduces new user interface components.
        - Shutdown System - Select a system, and then select this option to shut down the system. For more information, see Shutting down a system.
        - Restart System - Select a system, and then select this option to restart the system. For more information, see Restarting a system.

    The Deployment Details pane provides information about your deployment. You can expand or collapse the Deployment Details pane.

    Table 3-2 Deployment Details pane

    Display
        From this list box, select one of the following options:
        - Licenses - Displays a list of the allocated and unallocated licenses in your deployment. From this view, you can manage your licenses.
        - Systems - Displays a list of the host systems in your deployment. From this view, you can manage your systems.

    Log Source Count
        Displays the number of log sources that are configured for your deployment.

    Users
        Displays the number of users that are configured for your deployment.

    Event Limit
        Displays the total event rate limit your licenses allow for your deployment.

    Flow Limit
        Displays the total flow rate limit your licenses allow for your deployment.

    When you select Systems from the Display list box in the Deployment Details pane, the System and License Management window displays the following information:

    Table 3-3 System and License Management window parameters - Systems view

    Host Name
        Displays the host name of this system.

    Host IP
        Displays the IP address of this system.

    License Appliance Type
        Displays the appliance type of this system.

    Version
        Displays the version number of the QRadar software that this system uses.

    Serial Number
        Displays the serial number of this system, if available.

    Host Status
        Displays the status of this system, if available.

    License Expiration Date
        Displays the expiration date of the license that is allocated to this system.

    License Status
        Displays the status of the license that is allocated to this system. Statuses include:
        - Unallocated - Indicates that this license is not allocated to a system.
        - Undeployed - Indicates that this license is allocated to a system, but you have not deployed the allocation change. This means that the license is not active in your deployment yet.
        - Deployed - Indicates that this license is allocated and active in your deployment.
        - Unlocked - Indicates that this license has been unlocked. You can unlock a license if it has been deployed within the last 14 days. This is the default grace period to reallocate a license. After the grace period is passed, the license is locked to the system. If you need to unlock a license after that period, contact Customer Support.
        - Invalid - Indicates that this license is not valid and must be replaced. This status may indicate that your license has been altered without authorization.

    Event Rate Limit
        Displays the event rate limit your license allows for this system.

    Flow Rate Limit
        Displays the flow rate limit your license allows for this system.

    When you select Licenses from the Display list box in the Deployment Details pane, the System and License Management window displays the following information:

    Table 3-4 System and License Management window parameters - Licenses view

    Host Name
        Displays the host name of the system that is allocated to this license.

    Host IP
        Displays the IP address of the system that is allocated to this license.

    Appliance Type
        Displays the appliance type of the system that is allocated to this license.

    License Identity
        Displays the name of the QRadar product this license provides.

    License Status
        Displays the status of the license that is allocated to this system. Statuses include:
        - Unallocated - Indicates that this license is not allocated to a system.
        - Undeployed - Indicates that this license is allocated to a system, but you have not deployed the allocation change. This means that the license is not active in your deployment yet.
        - Deployed - Indicates that this license is allocated and active in your deployment.
        - Unlocked - Indicates that this license has been unlocked. You can unlock a license if it has been deployed within the last 14 days. This is the default grace period to reallocate a license. After the grace period is passed, the license is locked to the system. If you need to unlock a license after that period, contact Customer Support.
        - Invalid - Indicates that this license is not valid and must be replaced. This status may indicate that your license has been altered without authorization.

    License Expiration Date
        Displays the expiration date of this license.

    Event Rate Limit
        Displays the event rate limit your license allows.

    Flow Rate Limit
        Displays the flow rate limit your license allows.

    License management

    You use the options available on the System and License Management window to manage your license keys.

    For your QRadar SIEM system, a default license key provides you with access to the QRadar SIEM user interface for five weeks. You must allocate a license key to your system.

    When you initially set up a system, you must complete the following tasks:

    1 Obtain a license key. Choose one of the following options for assistance with your license key:
        - For a new or updated license key, contact your local sales representative.
        - For all other technical issues, contact Customer Support.

    2 Upload your license key. When you upload a license key, it is listed in the System and License Management window, but remains unallocated. For more information, see Uploading a license key.

    3 Allocate your license. Choose one of the following options:
        - Allocating a system to a license
        - Allocating a license to a system

    4 Deploy your changes. From the Admin tab menu, click Advanced > Deploy Full Configuration.

    Uploading a license key

    You must upload a license key to the Console when you install a new QRadar system, update an expired license, or add a QRadar product, such as QRadar Risk Manager or QRadar Vulnerability Manager, to your deployment.

    Before you begin

    Choose one of the following options for assistance with your license key:
    - For a new or updated license key, contact your local sales representative.
    - For all other technical issues, contact Customer Support.

    About this task

    If you log in to QRadar SIEM and your Console license key has expired, you are automatically directed to the System and License Management window. You must upload a license key before you can continue. If one of your non-Console systems includes an expired license key, a message is displayed when you log in indicating a system requires a new license key. You must access the System and License Management window to update that license key.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration.

    Step 3 Click the System and License Management icon.

    Step 4 On the toolbar, click Upload License.

    Step 5 In the dialog box, click Select File.

    Step 6 On the File Upload window, locate and select the license key.

    Step 7 Click Open.

    Step 8 Click Upload.

    Result

    The license is uploaded to your Console and is displayed in the System and License Management window. By default, the license is not allocated.

    What to do next

    Allocating a system to a license

    Allocating a system to a license

    Each system in your deployment must be allocated a license. After you obtain and upload a license, use the options in the System and License Management window to allocate a license.

    Before you begin

    Before you begin, you must obtain and upload a license to your Console. See Uploading a license key.

    About this task

    You can allocate multiple licenses to a system. For example, in addition to the QRadar SIEM software license, you can allocate QRadar Risk Manager and QRadar Vulnerability Manager to your Console system.

    The Upload License window provides the following license details:

    Table 3-5 Upload Licenses window parameters

    License Identity
        Displays the name of the QRadar product this license provides.

    License Status
        Displays the status of the license that is allocated to this system. Statuses include:
        - Unallocated - Indicates that this license is not allocated to a system.
        - Undeployed - Indicates that this license is allocated to a system, but you have not deployed the allocation change. This means that the license is not active in your deployment yet.
        - Deployed - Indicates that this license is allocated and active in your deployment.
        - Unlocked - Indicates that this license has been unlocked. You can unlock a license if it has been deployed within the last 14 days. This is the default grace period to reallocate a license. After the grace period is passed, the license is locked to the system. If you need to unlock a license after that period, contact Customer Support.
        - Invalid - Indicates that this license is not valid and must be replaced. This status may indicate that your license has been altered without authorization.

    License Appliance Types
        Displays the appliance type that this license is valid for.

    License Expiration Date
        Displays the expiration date of this license.

    Event Rate Limit
        Displays the event rate limit this license allows.

    Flow Rate Limit
        Displays the flow rate limit this license allows.

    Procedure

    Step 1 Click the Admin tab.

    Step 2 On the navigation menu, click System Configuration.

    Step 3 Click the System and Lic