qradar 7.2 admin guide
8/10/2019 QRadar 7.2 Admin Guide
1/347
IBM Security QRadar SIEM Version 7.2.0
Administration Guide
CONTENTS

ABOUT THIS GUIDE
  Intended audience . . . . . 1
  Conventions . . . . . 1
  Technical documentation . . . . . 1
  Contacting customer support . . . . . 1
  Statement of good security practices . . . . . 2

1 OVERVIEW
  Supported web browsers . . . . . 3
  Admin tab overview . . . . . 3
  Deploying changes . . . . . 4
  Updating user details . . . . . 5
  Resetting SIM . . . . . 6
  Monitoring QRadar SIEM systems with SNMP . . . . . 7

2 USER MANAGEMENT
  User management overview . . . . . 9
  Role management . . . . . 9
    Creating a user role . . . . . 9
    Editing a user role . . . . . 10
    Deleting a user role . . . . . 10
  Managing security profiles . . . . . 11
    Permission precedences . . . . . 11
    Creating a security profile . . . . . 12
    Editing a security profile . . . . . 13
    Duplicating a security profile . . . . . 14
    Deleting a security profile . . . . . 14
  User account management . . . . . 15
    Creating a user account . . . . . 15
    Editing a user account . . . . . 16
    Deleting a user account . . . . . 17
  Authentication management . . . . . 17
    Authentication overview . . . . . 17
    Before you begin . . . . . 18
    Configuring system authentication . . . . . 18
    Configuring RADIUS authentication . . . . . 19
    Configuring TACACS authentication . . . . . 19
    Configuring Active Directory authentication . . . . . 20
    Configuring LDAP authentication . . . . . 21
    Configuring Your SSL or TLS certificate . . . . . 22
  User role parameters . . . . . 22
  Security profile parameters . . . . . 25
  User Management window parameters . . . . . 25
  User management window toolbar . . . . . 26
  User Details window parameters . . . . . 26

3 MANAGING THE SYSTEM AND LICENSES
  System and License Management window overview . . . . . 29
  License management . . . . . 34
    Uploading a license key . . . . . 35
    Allocating a system to a license . . . . . 36
    Reverting an allocation . . . . . 37
    Viewing license details . . . . . 37
    Exporting a license . . . . . 38
  System management . . . . . 39
    Viewing system details . . . . . 39
    Allocating a license to a system . . . . . 41
    Restarting a system . . . . . 42
    Shutting down a system . . . . . 42
  Access setting management . . . . . 43
    Configuring firewall access . . . . . 43
    Updating your host setup . . . . . 44
    Configuring interface roles . . . . . 45
    Changing passwords . . . . . 46
  Time server configuration . . . . . 46
    Configuring your time server using RDATE . . . . . 47
    Manually configuring time settings for your system . . . . . 48

4 USER INFORMATION SOURCE CONFIGURATION
  User information source overview . . . . . 51
    User information sources . . . . . 51
    Reference data collections for user information . . . . . 52
    Integration workflow example . . . . . 53
    User information source configuration and management task overview . . . . . 54
  Configuring the Tivoli Directory Integrator server . . . . . 54
  Creating and managing user information source . . . . . 57
    Creating a user information source . . . . . 57
    Retrieving user information sources . . . . . 58
    Editing a user information source . . . . . 59
    Deleting a user information source . . . . . 59
  Collecting user information . . . . . 60
    Deleting reference sets . . . . . 106
    Viewing the contents of a reference set . . . . . 106
    Adding a new element to a reference set . . . . . 108
    Deleting elements from a reference set . . . . . 109
    Importing elements into a reference set . . . . . 109
    Exporting elements from a reference set . . . . . 109

7 MANAGING AUTHORIZED SERVICES
  Authorized services overview . . . . . 111
  Viewing authorized services . . . . . 111
  Adding an authorized service . . . . . 112
  Revoking authorized services . . . . . 112
  Customer support authenticated service . . . . . 113
    Dismissing an offense . . . . . 113
    Closing an offense . . . . . 113
    Adding notes to an offense . . . . . 114

8 MANAGING BACKUP AND RECOVERY
  Backup and Recovery Overview . . . . . 115
  Backup archive management . . . . . 116
    Viewing backup archives . . . . . 116
    Importing a backup archive . . . . . 117
    Deleting a backup archive . . . . . 118
  Backup archive creation . . . . . 118
    Configuring your scheduled nightly backup . . . . . 118
    Creating an on-demand configuration backup archive . . . . . 121
  Backup archive restoration . . . . . 122
    Restoring a backup archive . . . . . 122
    Restoring a backup archive created on a different QRadar SIEM system . . . . . 125

9 USING THE DEPLOYMENT EDITOR
  Deployment editor requirements . . . . . 129
  About the deployment editor user interface . . . . . 129
    Menu options . . . . . 131
    Toolbar functions . . . . . 132
    Configuring deployment editor preferences . . . . . 132
  Building your deployment . . . . . 132
  Event view management . . . . . 133
    QRadar SIEM components . . . . . 133
    Adding components . . . . . 135
    Connecting components . . . . . 136
    Forwarding normalized events and flows . . . . . 138
    Renaming components . . . . . 141
  System view management . . . . . 141
    About the System View page . . . . . 141
    Software version requirements . . . . . 142
    Encryption . . . . . 142
    Adding a managed host . . . . . 143
    Editing a managed host . . . . . 144
    Removing a managed host . . . . . 145
    Configuring a managed host . . . . . 145
    Assigning a component to a host . . . . . 146
    Configuring Host Context . . . . . 146
    Configuring an accumulator . . . . . 148
  NAT management . . . . . 149
    About NAT . . . . . 149
    Adding a NATed Network to QRadar SIEM . . . . . 150
    Editing a NATed network . . . . . 151
    Deleting a NATed network From QRadar SIEM . . . . . 151
    Changing the NAT status for a Managed Host . . . . . 151
  Component configuration . . . . . 152
    Configuring a QFlow Collector . . . . . 152
    Configuring an Event Collector . . . . . 157
    Configuring an Event Processor . . . . . 159
    Configuring the Magistrate . . . . . 160
    Configuring an off-site source . . . . . 161
    Configuring an off-site target . . . . . 161

10 MANAGING FLOW SOURCES
  Flow source overview . . . . . 163
    NetFlow . . . . . 164
    IPFIX . . . . . 165
    sFlow . . . . . 166
    J-Flow . . . . . 166
    Packeteer . . . . . 167
    Flowlog file . . . . . 167
    Napatech interface . . . . . 167
  Flow source management . . . . . 167
    Adding a Flow Source . . . . . 167
    Editing a flow source . . . . . 170
    Enabling and Disabling a Flow Source . . . . . 170
    Deleting a Flow Source . . . . . 170
  Managing flow source aliases . . . . . 171
    About flow source aliases . . . . . 171
    Adding a flow source alias . . . . . 171
    Editing a flow source alias . . . . . 172
    Deleting a flow source alias . . . . . 172

11 CONFIGURING REMOTE NETWORKS AND SERVICES
  Remote networks and services overview . . . . . 173
    Default remote network groups . . . . . 173
    Default remote service groups . . . . . 174
    Best Practices . . . . . 174
  Managing remote networks . . . . . 175
    Adding a remote networks object . . . . . 175
    Editing a remote networks object . . . . . 175
  Managing remote services . . . . . 177
    Adding a remote services object . . . . . 177
    Editing a Remote Services Object . . . . . 177

12 SERVER DISCOVERY
  Server discovery overview . . . . . 179
  Discovering servers . . . . . 179

13 FORWARDING EVENT DATA
  Event forwarding overview . . . . . 181
  Add forwarding destinations . . . . . 182
  Configuring bulk event forwarding . . . . . 183
  Configuring selective event forwarding . . . . . 185
  Forwarding destinations management tasks . . . . . 185
    Viewing forwarding Destinations . . . . . 185
    Enabling and disabling a forwarding destination . . . . . 187
    Resetting the counters . . . . . 187
    Editing a forwarding destination . . . . . 187
    Delete a forwarding destination . . . . . 188
  Managing routing rules . . . . . 188
    Viewing rules . . . . . 188
    Editing a routing rule . . . . . 188
    Enabling or disabling a routing rule . . . . . 190
    Deleting a routing rule . . . . . 190

14 STORING AND FORWARDING EVENTS
  Store and forward overview . . . . . 191
  Viewing the Store and Forward Schedule list . . . . . 191
  Creating a New Store and Forward Schedule . . . . . 196
  Editing a Store and Forward Schedule . . . . . 199
  Deleting a Store and Forward Schedule . . . . . 200

15 DATA OBFUSCATION
  Data obfuscation overview . . . . . 201
  Generating a private/public key pair . . . . . 202
  Configuring data obfuscation . . . . . 204
  Decrypting obfuscated data . . . . . 207

A ENTERPRISE TEMPLATE
  Default rules . . . . . 209
  Default building blocks . . . . . 231
B VIEWING AUDIT LOGS
  Audit log overview . . . . . 267
  Viewing the audit log file . . . . . 267
  Logged actions . . . . . 268

C EVENT CATEGORIES
  High-level event categories . . . . . 273
  Recon . . . . . 274
  DoS . . . . . 275
  Authentication . . . . . 278
  Access . . . . . 283
  Exploit . . . . . 286
  Malware . . . . . 287
  Suspicious Activity . . . . . 288
  System . . . . . 291
  Policy . . . . . 295
  Unknown . . . . . 296
  CRE . . . . . 296
  Potential Exploit . . . . . 297
  User Defined . . . . . 298
  SIM Audit . . . . . 300
  VIS Host Discovery . . . . . 301
  Application . . . . . 301
  Audit . . . . . 323
  Risk . . . . . 324
  Risk Manager Audit . . . . . 325
  Control . . . . . 325
  Asset Profiler . . . . . 327

D NOTICES AND TRADEMARKS
  Notices . . . . . 331
  Trademarks . . . . . 333

INDEX
IBM Security QRadar SIEM Administration Guide
ABOUT THIS GUIDE
Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
1 OVERVIEW
This overview includes general information on how to access and use the QRadar SIEM user interface and the Admin tab.
Supported web browsers

You can access the Console from a standard web browser. When you access the system, a prompt is displayed asking for a user name and a password, which must be configured in advance by the QRadar SIEM administrator.

Table 1-1 Supported web browsers

Web browser                           Supported versions
Mozilla Firefox                       10.0 ESR, 17.0 ESR
                                      Due to Mozilla's short release cycle, we cannot commit to testing on the latest versions of the Mozilla Firefox web browser. However, we are fully committed to investigating any issues that are reported.
Microsoft Windows Internet Explorer   8.0, 9.0
Google Chrome                         Latest version
                                      We are fully committed to investigating any issues that are reported.

Admin tab overview

The Admin tab provides several tab and menu options that allow you to configure QRadar SIEM.

You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab on the QRadar SIEM user interface.

The Admin tab provides access to the following functions:

Manage users. See User management.
Manage your network settings. See Managing the system and licenses.
Manage high availability. See the IBM Security QRadar High Availability Guide.
Manage QRadar SIEM settings. See Setting Up QRadar SIEM.
Manage reference sets. See Managing reference sets.
Manage authorized services. See Managing authorized services.
Back up and recover your data. See Managing backup and recovery.
Manage your deployment views. See Using the deployment editor.
Manage flow sources. See Managing flow sources.
Configure remote networks and remote services. See Configuring remote networks and services.
Discover servers. See Server discovery.
Configure syslog forwarding. See Forwarding event data.
Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.
Configure plug-ins. For more information, see the associated documentation.
Configure the IBM Security QRadar Risk Manager. For more information, see the IBM Security QRadar Risk Manager Users Guide.
Manage log sources. For more information, see the IBM Security QRadar Log Sources Users Guide.
The Admin tab also includes the following menu options:

Table 1-2 Admin tab menu options

Menu option         Description
Deployment Editor   Opens the Deployment Editor window. For more information, see Using the deployment editor.
Deploy Changes      Deploys any configuration changes from the current session to your deployment. For more information, see Deploying changes.
Advanced            The Advanced menu provides the following options:
                    Clean SIM Model - Resets the SIM module. See Resetting SIM.
                    Deploy Full Configuration - Deploys all configuration changes. For more information, see Deploying changes.

Deploying changes

When you update your configuration settings using the Admin tab, your changes are saved to a staging area where they are stored until you manually deploy the changes.

About this task

Each time you access the Admin tab and each time you close a window on the Admin tab, a banner at the top of the Admin tab displays the following message: Checking for undeployed changes. If undeployed changes are found, the banner updates to provide information about the undeployed changes.
If the list of undeployed changes is lengthy, a scroll bar is provided to allow you to scroll through the list.

The banner message also recommends which type of deployment change to make. The two options are:

Deploy Changes - Click the Deploy Changes icon on the Admin tab toolbar to deploy any configuration changes from the current session to your deployment.
Deploy Full Configuration - Select Advanced > Deploy Full Configuration from the Admin tab menu to deploy all configuration settings to your deployment. All deployed changes are then applied throughout your deployment.

CAUTION: When you click Deploy Full Configuration, QRadar SIEM restarts all services, which results in a gap in data collection for events and flows until deployment completes.

After you deploy your changes, the banner clears the list of undeployed changes and checks the staging area again for any new undeployed changes. If none are present, the following message is displayed: There are no changes to deploy.
Procedure

Step 1 Click View Details.
The details are displayed in groups.
Step 2 Choose one of the following options:
To expand a group to display all items, click the plus sign (+) beside the text. When done, you can click the minus sign (-).
To expand all groups, click Expand All. When done, you can click Collapse All.
Click Hide Details to hide the details from view again.
Step 3 Perform the recommended task. Recommendations might include:
From the Admin tab menu, click Deploy Changes.
From the Admin tab menu, click Advanced > Deploy Full Configuration.
Updating user details

You can access your administrative user details through the main QRadar SIEM interface.

Procedure

Step 1 Click Preferences.
Step 2 Optional. Update the configurable user details:

Parameter   Description
Email       Type a new email address.
Password    Type a new password.
Step 7 When the SIM reset process is complete, click Close.
Step 8 When the SIM reset process is complete, reset your browser.
Monitoring QRadar SIEM systems with SNMP
QRadar SIEM supports the monitoring of our appliances through SNMP polling. QRadar SIEM uses the Net-SNMP agent, which supports a variety of system resource monitoring MIBs that can be polled by Network Management solutions for the monitoring and alerting of system resources. For more information on Net-SNMP, refer to the Net-SNMP documentation.
2 USER MANAGEMENT
When you initially configure IBM Security QRadar SIEM, you must create user accounts for all users that require access to QRadar SIEM. After initial configuration, you can edit user accounts to ensure that user information is current. You can also add and delete user accounts as required.
User management overview
A user account defines the user name, default password, and email address for a user. For each new user account you create, you must assign the following items:
User role - Determines the privileges the user is granted to access functionality and information in QRadar SIEM. QRadar SIEM includes two default user roles: Admin and All. Before you add user accounts, you must create additional user roles to meet the specific permission requirements of your users.
Security profile - Determines the networks and log sources the user is granted access to. QRadar SIEM includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources. Before you add user accounts, you must create additional security profiles to meet the specific access requirements of your users.
Role management
Using the User Roles window, you can create and manage user roles.
Creating a user role
Before you can create user accounts, you must create the user roles required for your deployment. By default, QRadar SIEM provides a default administrative user role, which provides access to all areas of QRadar SIEM.
Before you begin
Users who are assigned an administrative user role cannot edit their own account. This restriction applies to the default Admin user role. Another administrative user must make any account changes.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the User Roles icon.
Step 4 On the toolbar, click New.
Step 5 Configure the following parameters:
a In the User Role Name field, type a unique name for this user role.
b Select the permissions you want to assign to this user role. See Table 2-1.
Step 6 Click Save.
Step 7 Close the User Role Management window.
Step 8 On the Admin tab menu, click Deploy Changes.
Editing a user role
You can edit an existing role to change the permissions assigned to the role.
About this task
To quickly locate the user role you want to edit on the User Role Management window, you can type a role name in the Type to filter text box, which is located above the left pane.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the User Roles icon.
Step 4 In the left pane of the User Role Management window, select the user role you want to edit.
Step 5 On the right pane, update the permissions, as necessary. See Table 2-1.
Step 6 Click Save.
Step 7 Close the User Role Management window.
Step 8 On the Admin tab menu, click Deploy Changes.
Deleting a user role
If a user role is no longer required, you can delete the user role.
About this task
If user accounts are assigned to the user role you want to delete, you must reassign the user accounts to another user role. QRadar SIEM automatically detects this condition and prompts you to update the user accounts.
To quickly locate the user role you want to delete on the User Role Management window, you can type a role name in the Type to filter text box, which is located above the left pane.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the User Roles icon.
Step 4 In the left pane of the User Role Management window, select the role you want to delete.
Step 5 On the toolbar, click Delete.
Step 6 Click OK.
If user accounts are assigned to this user role, the Users are Assigned to this User Role window opens. Go to Step 7.
If no user accounts are assigned to this role, the user role is successfully deleted. Go to Step 8.
Step 7 Reassign the listed user accounts to another user role:
a From the User Role to assign list box, select a user role.
b Click Confirm.
Step 8 Close the User Role Management window.
Step 9 On the Admin tab menu, click Deploy Changes.
Managing security profiles
Security profiles define which networks and log sources a user can access and the permission precedence. Using the Security Profile Management window, you can view, create, update, and delete security profiles.
Permission precedences
Permission precedence determines which Security Profile components to consider when the system displays events in the Log Activity tab and flows in the Network Activity tab.
Permission precedence options include:
No Restrictions - This option does not place restrictions on which events are displayed in the Log Activity tab and which flows are displayed in the Network Activity tab.
Network Only - This option restricts the user to only view events and flows associated with the networks specified in this security profile.
Log Sources Only - This option restricts the user to only view events associated with the log sources specified in this security profile.
Networks AND Log Sources - This option allows the user to only view events and flows associated with the log sources and networks specified in this security profile.
For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is not displayed in the Log Activity tab. The event must match both requirements.
Networks OR Log Sources - This option allows the user to only view events and flows associated with the log sources or networks specified in this security profile.
For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is displayed in the Log Activity tab. The event only needs to match one requirement.
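The precedence rules above, as an added example that is not part of the guide or of IBM's code: a small Python model of the five Permission Precedence options deciding whether a user sees an event or flow. The Record and SecurityProfile classes, the sample log source and network names, and the rule that every network a record touches must be assigned to the profile (which reproduces the guide's restricted-destination case) are assumptions made for this example.

```python
"""Model of QRadar SIEM security-profile permission precedence.

Added example, not IBM's code. It models the five Permission Precedence
options from the Administration Guide to decide whether a user sees a
record in the Log Activity or Network Activity tab.

Modelling assumptions (constructed here, not stated by the guide):
- a record carries the log source it arrived from (None for flows, which
  have no log source) and the set of networks its source and destination
  addresses belong to;
- the network requirement is met only when every network the record touches
  is assigned to the profile, which reproduces the guide's example where a
  restricted destination network hides an otherwise permitted event;
- a flow can never meet the log source requirement.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

NO_RESTRICTIONS = "No Restrictions"
NETWORK_ONLY = "Network Only"
LOG_SOURCES_ONLY = "Log Sources Only"
NETWORKS_AND_LOG_SOURCES = "Networks AND Log Sources"
NETWORKS_OR_LOG_SOURCES = "Networks OR Log Sources"


@dataclass(frozen=True)
class Record:
    kind: str                   # "event" or "flow"
    log_source: Optional[str]   # None for flows, which have no log source
    networks: FrozenSet[str]    # networks of the source and destination addresses


@dataclass(frozen=True)
class SecurityProfile:
    precedence: str                              # one of the five options above
    networks: FrozenSet[str] = frozenset()       # Assigned Networks
    log_sources: FrozenSet[str] = frozenset()    # Assigned Log Sources


def network_requirement_met(profile: SecurityProfile, rec: Record) -> bool:
    """Every network the record touches must be assigned to the profile."""
    return bool(rec.networks) and rec.networks <= profile.networks


def log_source_requirement_met(profile: SecurityProfile, rec: Record) -> bool:
    """The record's log source must be assigned to the profile; flows have none."""
    return rec.log_source is not None and rec.log_source in profile.log_sources


def is_visible(profile: SecurityProfile, rec: Record) -> bool:
    """Apply the profile's permission precedence to one event or flow."""
    net_ok = network_requirement_met(profile, rec)
    src_ok = log_source_requirement_met(profile, rec)
    if profile.precedence == NO_RESTRICTIONS:
        return True
    if profile.precedence == NETWORK_ONLY:
        return net_ok
    if profile.precedence == LOG_SOURCES_ONLY:
        return src_ok
    if profile.precedence == NETWORKS_AND_LOG_SOURCES:
        return net_ok and src_ok        # both requirements must match
    if profile.precedence == NETWORKS_OR_LOG_SOURCES:
        return net_ok or src_ok         # one requirement is enough
    raise ValueError(f"unknown permission precedence: {profile.precedence!r}")


def visible_records(profile: SecurityProfile, records: Iterable[Record]) -> List[Record]:
    """Filter a batch of records the way the tab would for this profile."""
    return [r for r in records if is_visible(profile, r)]


# Constructed sample data: a firewall event whose destination lies in a
# restricted network, and a flow that has no log source.
FIREWALL_EVENT = Record("event", "fw-edge-01", frozenset({"DMZ", "Finance"}))
DMZ_FLOW = Record("flow", None, frozenset({"DMZ"}))

ALLOWED_NETWORKS = frozenset({"DMZ"})            # "Finance" is not assigned
ALLOWED_LOG_SOURCES = frozenset({"fw-edge-01"})

AND_PROFILE = SecurityProfile(NETWORKS_AND_LOG_SOURCES, ALLOWED_NETWORKS, ALLOWED_LOG_SOURCES)
OR_PROFILE = SecurityProfile(NETWORKS_OR_LOG_SOURCES, ALLOWED_NETWORKS, ALLOWED_LOG_SOURCES)


if __name__ == "__main__":
    for profile in (AND_PROFILE, OR_PROFILE):
        shown = [r.kind for r in visible_records(profile, [FIREWALL_EVENT, DMZ_FLOW])]
        print(f"{profile.precedence}: {shown}")
```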
Creating a security profile
Before you add user accounts, you must create security profiles to meet the specific access requirements of your users.
About this task
QRadar SIEM includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources.
To select multiple items on the Security Profile Management window, hold the Control key while you select each network or network group you want to add.
If, after you add log sources or networks, you want to remove one or more before you save the configuration, you can select the item and click the Remove (
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Security Profiles icon.
Step 4 On the Security Profile Management window toolbar, click New.
Step 5 Configure the following parameters:
a In the Security Profile Name field, type a unique name for the security profile. The security profile name must meet the following requirements:
- Minimum of three characters
- Maximum of 30 characters
b Optional. Type a description of the security profile. The maximum number of characters is 255.
Step 6 Click the Permission Precedence tab.
Step 7 In the Permission Precedence Setting pane, select a permission precedence option. See Permission precedences.
Step 8 Configure the networks you want to assign to the security profile:
a Click the Networks tab.
b From the navigation tree in the left pane of the Networks tab, select the network you want this security profile to have access to. Choose one of the following options:
- From the All Networks list box, select a network group or network.
- Select the network group or network in the navigation tree.
c Click the Add (>) icon to add the network to the Assigned Networks pane.
d Repeat for each network you want to add.
Step 9 Configure the log sources you want to assign to the security profile:
a Click the Log Sources tab.
b From the navigation tree in the left pane, select the log source group or log source you want this security profile to have access to. Choose one of the following options:
- From the Log Sources list box, select a log source group or log source.
- Double-click the folder icons in the navigation tree to navigate to a specific log source group or log source.
c Click the Add (>) icon to add the log source to the Assigned Log Sources pane.
d Repeat for each log source you want to add.
Step 10 Click Save.
Step 11 Close the Security Profile Management window.
Step 12 On the Admin tab menu, click Deploy Changes.
Editing a security profile
You can edit an existing security profile to update which networks and log sources a user can access and the permission precedence.
About this task
To quickly locate the security profile you want to edit on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Security Profiles icon.
Step 4 In the left pane, select the security profile you want to edit.
Step 5 On the toolbar, click Edit.
Step 6 Update the parameters as required.
Step 7 Click Save.
Step 8 If the Security Profile Has Time Series Data window opens, select one of the following options:
Option Description
Keep Old Data and Save - Select this option to keep previously accumulated time series data. If you choose this option, issues might occur when users associated with this security profile view time series charts.
Hide Old Data and Save - Select this option to hide the time series data. If you choose this option, time series data accumulation restarts after you deploy your configuration changes.
Step 9 Close the Security Profile Management window.
Step 10 On the Admin tab menu, click Deploy Changes.
Duplicating a security profile
If you want to create a new security profile that closely matches an existing security profile, you can duplicate the existing security profile and then modify the parameters.
About this task
To quickly locate the security profile you want to duplicate on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Security Profiles icon.
Step 4 In the left pane, select the security profile you want to duplicate.
Step 5 On the toolbar, click Duplicate.
Step 6 In the confirmation window, type a unique name for the duplicated security profile.
Step 7 Click OK.
Step 8 Update the parameters as required.
Step 9 Close the Security Profile Management window.
Step 10 On the Admin tab menu, click Deploy Changes.
Deleting a security profile
If a security profile is no longer required, you can delete the security profile.
About this task
If user accounts are assigned to the security profile you want to delete, you must reassign the user accounts to another security profile. QRadar SIEM automatically detects this condition and prompts you to update the user accounts.
To quickly locate the security profile you want to delete on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Security Profiles icon.
Step 4 In the left pane, select the security profile you want to delete.
Step 5 On the toolbar, click Delete.
Step 6 Click OK.
If user accounts are assigned to this security profile, the Users are Assigned to this Security Profile window opens. Go to Step 7.
If no user accounts are assigned to this security profile, the security profile is successfully deleted. Go to Step 8.
Step 7 Reassign the listed user accounts to another security profile:
a From the User Security Profile to assign list box, select a security profile.
b Click Confirm.
Step 8 Close the Security Profile Management window.
Step 9 On the Admin tab menu, click Deploy Changes.
User account management
When you initially configure QRadar SIEM, you must create user accounts for each of your users. After initial configuration, you might be required to create additional user accounts or edit existing user accounts.
Creating a user account
You can create new user accounts.
Before you begin
Before you can create a user account, you must ensure that the required user role and security profile are created.
About this task
When you create a new user account, you must assign access credentials, a user role, and a security profile to the user. User Roles define what actions the user has permission to perform. Security Profiles define what data the user has permission to access.
You can create multiple user accounts that include administrative privileges; however, only Administrator Manager user accounts can create other administrative user accounts.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Users icon.
Step 4 On the User Management toolbar, click New.
Step 5 Enter values for the following parameters:
a In the Username field, type a unique user name for the new user. The user name must contain a maximum of 30 characters.
b In the E-mail field, type the user's email address.
The email address must meet the following requirements:
- Must be a valid email address
- Minimum of 10 characters
- Maximum of 255 characters
c In the Password field, type a password for the user to gain access. The password must meet the following criteria:
- Minimum of five characters
- Maximum of 255 characters
d In the Confirm Password field, type the password again for confirmation.
e Optional. Type a description for the user account. The maximum number of characters is 2,048.
f From the User Role list box, select the user role you want to assign to this user.
g From the Security Profile list box, select the security profile you want to assign to this user.
Step 6 Click Save.
Step 7 Close the User Details window.
Step 8 Close the User Management window.
Step 9 On the Admin tab menu, click Deploy Changes.
Editing a user account
You can edit an existing user account.
About this task
To quickly locate the user account you want to edit on the User Management window, you can type the user name in the Search User text box, which is located on the toolbar.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Users icon.
Step 4 On the User Management window, select the user account you want to edit.
Step 5 On the toolbar, click Edit.
Step 6 Update parameters, as necessary. See Table 2-3.
Step 7 Click Save.
Step 8 Close the User Details window.
Step 9 Close the User Management window.
Step 10 On the Admin tab menu, click Deploy Changes.
Deleting a user account
If a user account is no longer required, you can delete the user account.
About this task
After you delete a user, the user no longer has access to the QRadar SIEM user interface. If the user attempts to log in to QRadar SIEM, a message is displayed to inform the user that the user name and password are no longer valid. Items that a deleted user created, such as saved searches, reports, and assigned offenses, remain associated with the deleted user.
To quickly locate the user account you want to delete on the User Management window, you can type the user name in the Search User text box, which is located on the toolbar.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Users icon.
Step 4 Select the user you want to delete.
Step 5 On the toolbar, click Delete.
Step 6 Click OK.
Step 7 Close the User Management window.
Authentication management
You can configure authentication to validate QRadar SIEM users and passwords. QRadar SIEM supports various authentication types. This topic provides information and instructions for how to configure authentication.
Authentication overview
When authentication is configured and a user enters an invalid user name and password combination, a message is displayed to indicate that the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before another attempt to access the system. You can configure Console settings to determine the maximum number of failed logins, and other related settings. For more information on how to configure Console settings for authentication, see Setting Up QRadar SIEM - Configuring the Console settings.
An administrative user can access QRadar SIEM through a vendor authentication module or by using the local QRadar SIEM Admin password. The QRadar SIEM Admin password functions if you have set up and activated a vendor authentication module; however, you cannot change the QRadar SIEM Admin password while the authentication module is active. To change the QRadar SIEM admin password, you must temporarily disable the vendor authentication module, reset the password, and then reconfigure the vendor authentication module.
QRadar SIEM supports the following user authentication types:
System authentication - Users are authenticated locally by QRadar SIEM. This is the default authentication type.
RADIUS authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar SIEM encrypts the password only, and forwards the user name and password to the RADIUS server for authentication.
TACACS authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, QRadar SIEM encrypts the user name and password, and forwards this information to the TACACS server for authentication. TACACS Authentication uses Cisco Secure ACS Express as a TACACS server. QRadar SIEM supports up to Cisco Secure ACS Express 4.3.
Active directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.
LDAP - Users are authenticated by a Native LDAP server.
Before you begin
Before you can configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must perform the following tasks:
Configure the authentication server before you configure authentication in QRadar SIEM. See your server documentation for more information.
Ensure the server has the appropriate user accounts and privilege levels to communicate with QRadar SIEM. See your server documentation for more information.
Ensure the time of the authentication server is synchronized with the time of the QRadar SIEM server. For more information on how to set QRadar SIEM time, see Setting Up QRadar SIEM.
Ensure all users have appropriate user accounts and roles in QRadar SIEM to allow authentication with the vendor servers.
Configuring system authentication
You can configure local authentication on your QRadar SIEM system.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Authentication icon.
Step 4 From the Authentication Module list box, select System Authentication.
Step 5 Click Save.
Configuring RADIUS authentication
You can configure RADIUS authentication on your QRadar SIEM system.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Authentication icon.
Step 4 From the Authentication Module list box, select RADIUS Authentication.
Step 5 Configure the parameters:
a In the RADIUS Server field, type the host name or IP address of the RADIUS server.
b In the RADIUS Port field, type the port of the RADIUS server.
c From the Authentication Type list box, select the type of authentication you want to perform. The options are:
Option Description
CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.
ARAP - Apple Remote Access Protocol (ARAP) establishes authentication for AppleTalk network traffic.
PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server.
d In the Shared Secret field, type the shared secret that QRadar SIEM uses to encrypt RADIUS passwords for transmission to the RADIUS server.
Step 6 Click Save.
Configuring TACACS authentication
You can configure TACACS authentication on your QRadar SIEM system.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Authentication icon.
Step 4 From the Authentication Module list box, select TACACS Authentication.
Step 5 Configure the parameters:
a In the TACACS Server field, type the host name or IP address of the TACACS server.
b In the TACACS Port field, type the port of the TACACS server.
c From the Authentication Type list box, select the type of authentication you want to perform. The options are:
Option Description
ASCII - American Standard Code for Information Interchange (ASCII) sends the user name and password in clear, unencrypted text.
PAP - Password Authentication Protocol (PAP) sends clear text between the user and the server. This is the default authentication type.
CHAP - Challenge Handshake Authentication Protocol (CHAP) establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
MSCHAP - Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authenticates remote Windows workstations.
MSCHAP2 - Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP2) authenticates remote Windows workstations using mutual authentication.
EAPMD5 - Extensible Authentication Protocol using MD5 Protocol (EAPMD5) uses MD5 to establish a PPP connection.
d In the Shared Secret field, type the shared secret that QRadar SIEM uses to encrypt TACACS passwords for transmission to the TACACS server.
Step 6 Click Save.
Configuring Active Directory authentication
You can configure Active Directory authentication on your QRadar SIEM system.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Authentication icon.
Step 4 From the Authentication Module list box, select Active Directory.
Step 5 Configure the following parameters:
Parameter Description
Server URL - Type the URL used to connect to the LDAP server. For example, ldaps://<host>:<port>. You can use a space-separated list to specify multiple LDAP servers.
LDAP Context - Type the LDAP context you want to use, for example, DC=QRADAR,DC=INC.
LDAP Domain - Type the domain you want to use, for example qradar.inc.
Step 6 Click Save.
Configuring LDAP authentication
You can configure LDAP authentication on your QRadar SIEM system.
Before you begin
If you plan to enable the SSL or TLS connection to your LDAP server, you must import the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your QRadar SIEM Console system. For more information on how to configure the SSL certificate, see Configuring Your SSL or TLS certificate.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the Authentication icon.
Step 4 From the Authentication Module list box, select LDAP.
Step 5 Configure the following parameters:
Parameter Description
Server URL - Type the URL used to connect to the LDAP server. For example, ldaps://<host>:<port>. You can use a space-separated list to specify multiple LDAP servers.
SSL Connection - Select True to use Secure Socket Layer (SSL) encryption to connect to the LDAP server. If SSL encryption is enabled, the value in the Server URL field must specify a secure connection. For example, ldaps://secureldap.mydomain.com:636.
TLS Authentication - From the list box, select True to start Transport Layer Security (TLS) encryption to connect to the LDAP server. The default is True. TLS is negotiated as part of the normal LDAP protocol and does not require a special protocol designation or port in the Server URL field.
Search Entire Base - Select one of the following options:
- True - Enables you to search all subdirectories of the specified Directory Name (DN).
- False - Enables you to search the immediate contents of the Base DN. The subdirectories are not searched.
LDAP User Field - Type the user field identifier you want to search on, for example, uid. You can use a comma-separated list to search for multiple user identifiers.
Base DN - Type the base DN required to perform searches, for example, DC=IBM,DC=INC.
Step 6 Click Save.
Configuring Your SSL or TLS certificate
If you use LDAP for user authentication and you want to enable SSL or TLS, you must configure your SSL or TLS certificate.
Procedure
Step 1 Using SSH, log in to your system as the root user.
User Name: root
Password:
Step 2 Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:
mkdir -p /opt/qradar/conf/trusted_certificates
Step 3 Copy the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your QRadar SIEM system.
Step 4 Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted. QRadar SIEM only loads .cert files.
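The LDAP parameter constraints and the trusted-certificate procedure above, as an added example that is not part of the guide or of IBM's code: a Python pre-flight check that validates the Server URL list against the SSL Connection setting and confirms that a PEM certificate with a .cert extension is present in the trusted directory, plus a helper that installs a certificate under that name. The helper names, the settings dictionary and the placeholder certificate are constructed for this example; the demo writes to a temporary directory rather than to /opt/qradar/conf/trusted_certificates.

```python
"""Pre-flight check for the QRadar SIEM LDAP authentication parameters.

Added example, not IBM's code. It checks the constraints stated in the
Administration Guide: Server URL is a space-separated list of LDAP URLs, an
enabled SSL Connection requires ldaps:// URLs, TLS needs no special scheme
or port, and the LDAP server certificate must sit in
/opt/qradar/conf/trusted_certificates as a PEM file with a .cert extension,
because QRadar SIEM loads .cert files only. The settings dictionary, the
placeholder certificate and the helper names are constructed here.
"""
import base64
import ssl
import tempfile
from pathlib import Path
from typing import Dict, List, Union
from urllib.parse import urlsplit

PathLike = Union[str, Path]
TRUSTED_DIR = Path("/opt/qradar/conf/trusted_certificates")  # directory named in the guide

# Constructed placeholder: PEM framing around arbitrary bytes, NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"placeholder certificate body for this example").decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def parse_server_urls(server_url: str) -> List[str]:
    """Split the space-separated Server URL field and reject non-LDAP URLs."""
    urls = server_url.split()
    if not urls:
        raise ValueError("Server URL is empty")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError(f"not an LDAP URL: {url!r}")
    return urls


def install_certificate(pem_text: str, file_name: str, trusted_dir: PathLike = TRUSTED_DIR) -> Path:
    """Store a PEM certificate under trusted_dir with the .cert extension QRadar loads."""
    ssl.PEM_cert_to_DER_cert(pem_text)              # raises ValueError on bad PEM framing
    trusted_dir = Path(trusted_dir)
    trusted_dir.mkdir(parents=True, exist_ok=True)  # equivalent of the guide's mkdir -p
    target = trusted_dir / (Path(file_name).stem + ".cert")
    target.write_text(pem_text)
    return target


def check_ldap_settings(settings: Dict[str, str], trusted_dir: PathLike = TRUSTED_DIR) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    trusted_dir = Path(trusted_dir)
    problems: List[str] = []
    try:
        urls = parse_server_urls(settings.get("Server URL", ""))
    except ValueError as exc:
        return [str(exc)]
    ssl_on = settings.get("SSL Connection", "False") == "True"
    tls_on = settings.get("TLS Authentication", "True") == "True"  # guide default is True
    if ssl_on:
        for url in urls:                                 # SSL needs a secure (ldaps) URL
            if urlsplit(url).scheme != "ldaps":
                problems.append(f"SSL Connection is True but {url!r} is not an ldaps:// URL")
    if ssl_on or tls_on:                                 # either mode needs the server cert
        certs = sorted(trusted_dir.glob("*.cert")) if trusted_dir.is_dir() else []
        if not certs:
            problems.append(f"no .cert file in {trusted_dir}; QRadar SIEM loads .cert files only")
        for cert in certs:
            try:
                ssl.PEM_cert_to_DER_cert(cert.read_text())
            except ValueError:
                problems.append(f"{cert.name} is not a PEM certificate")
    for field in ("LDAP User Field", "Base DN"):
        if not settings.get(field):
            problems.append(f"{field} is empty")
    return problems


def demo_in_temp_dir() -> Dict[str, List[str]]:
    """Check a sample configuration before and after the certificate is installed."""
    settings = {
        "Server URL": "ldaps://secureldap.mydomain.com:636",
        "SSL Connection": "True",
        "TLS Authentication": "True",
        "LDAP User Field": "uid",
        "Base DN": "DC=IBM,DC=INC",
    }
    with tempfile.TemporaryDirectory() as tmp:
        work_dir = Path(tmp) / "trusted_certificates"
        before = check_ldap_settings(settings, work_dir)
        install_certificate(SAMPLE_PEM, "ldap-server.crt", work_dir)  # .crt is stored as .cert
        after = check_ldap_settings(settings, work_dir)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, problems in demo_in_temp_dir().items():
        print(stage, problems or "OK")
```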
User role parameters
The following table provides descriptions for the User Role Management window parameters:
Table 2-1 User Role Management window parameters
Parameter Description
User Role Name - Type a unique name for the role. The user role name must meet the following requirements:
- Minimum of three characters
- Maximum of 30 characters
Admin - Select this check box to grant the user administrative access to the QRadar SIEM user interface. After you select the Admin check box, all permissions check boxes are selected by default. Within the Admin role, you can grant individual access to the following Admin permissions:
- Administrator Manager - Select this check box to allow users to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
- Remote Networks and Services Configuration - Select this check box to allow users to configure remote networks and services on the Admin tab.
- System Administrator - Select this check box to allow users to access all areas of QRadar SIEM. Users with this access are not able to edit other administrator accounts.
Offenses - Select this check box to grant the user access to all Offenses tab functionality. Within the Offenses role, you can grant individual access to the following permissions:
- Assign Offenses to Users - Select this check box to allow users to assign offenses to other users.
- Maintain Custom Rules - Select this check box to allow users to create and edit custom rules. If you select this check box, the View Custom Rules check box is automatically selected.
- Manage Offense Closing Reasons - Select this check box to allow users to manage offense closing reasons.
- View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rule details. The user role is not able to create or edit custom rules.
For more information on the Offenses tab, see the IBM Security QRadar SIEM Users Guide.
Log Activity - Select this check box to grant the user access to all Log Activity tab functionality. Within the Log Activity role, you can also grant users individual access to the following permissions:
- Maintain Custom Rules - Select this check box to allow users to create or edit rules using the Log Activity tab.
- Manage Time Series - Select this check box to allow users to configure and view time series data charts.
- User Defined Event Properties - Select this check box to allow users to create custom event properties. For more information on custom event properties, see the IBM Security QRadar SIEM Users Guide.
- View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rule details. The user role is not able to create or edit custom rules.
For more information on the Log Activity tab, see the IBM Security QRadar SIEM Users Guide.
Assets Select this check box to grant the user access to all Assets tab functionality. Within the Assets role, you can grant individual access to the following permissions:
  Perform VA Scans - Select this check box to allow users to perform vulnerability assessment scans. For more information on vulnerability assessment, see the Managing Vulnerability Assessment guide.
  Remove Vulnerabilities - Select this check box to allow users to remove vulnerabilities from assets.
  Server Discovery - Select this check box to allow users to discover servers.
  View VA Data - Select this check box to allow users access to vulnerability assessment data. For more information on vulnerability assessment, see the Managing Vulnerability Assessment guide.
Network Activity Select this check box to grant the user access to all Network Activity tab functionality. Within the Network Activity role, you can grant individual access to the following permissions:
  Maintain Custom Rules - Select this check box to allow users to create or edit rules using the Network Activity tab.
  Manage Time Series - Select this check box to allow users to configure and view time series data charts.
  User Defined Flow Properties - Select this check box to allow users to create custom flow properties.
  View Custom Rules - Select this check box to allow this user role to view custom rules. This permission, when granted to a user role that does not also have the Maintain Custom Rules permission, allows the user role to view custom rule details. The user role is not able to create or edit custom rules.
  View Flow Content - Select this check box to allow users access to flow data. For more information on flows, see the IBM Security QRadar SIEM Users Guide.
For more information on the Network Activity tab, see the IBM Security QRadar SIEM Users Guide.
Reports Select this check box to grant the user access to all Reports tab functionality. Within the Reports role, you can grant users individual access to the following permissions:
  Distribute Reports via Email - Select this check box to allow users to distribute reports through email.
  Maintain Templates - Select this check box to allow users to edit report templates.
For more information, see the IBM Security QRadar SIEM Users Guide.
Vulnerability Manager This option is only available if IBM Security QRadar Vulnerability Manager is activated. Select this check box to grant users access to QRadar Vulnerability Manager functionality. For more information, see the IBM Security QRadar Vulnerability Manager Users Guide.
IP Right Click Menu Extensions Select this check box to grant the user access to options added to the right-click menu.
Risks This option is only available if IBM Security QRadar Risk Manager is activated. Select this check box to grant users access to QRadar Risk Manager functionality. For more information, see the IBM Security QRadar Risk Manager Users Guide.
Security profile parameters
The following table provides descriptions of the Security Profile Management window parameters:
Table 2-2 Security Profile Management window parameters
Parameter Description
Security Profile Name Type a unique name for the security profile. The security profile name must meet the following requirements:
  Minimum of three characters
  Maximum of 30 characters
Description Optional. Type a description of the security profile. The maximum number of characters is 255.
User Management window parameters
The following table provides descriptions of User Management window parameters:
Table 2-3 User Management window parameters
Parameter Description
Username Displays the user name of this user account.
Description Displays the description of the user account.
E-mail Displays the email address of this user account.
User Role Displays the user role assigned to this user account. User Roles define what actions the user has permission to perform.
Security Profile Displays the security profile assigned to this user account. Security Profiles define what data the user has permission to access.
User management window toolbar
The following table provides descriptions of the User Management window toolbar functions:
Table 2-4 User Management window toolbar functions
Function Description
New Click this icon to create a user account. For more information on how to create a user account, see Creating a user account.
Edit Click this icon to edit the selected user account. For more information on how to edit a user account, see Editing a user account.
Delete Click this icon to delete the selected user account. For more information on how to delete a user account, see Deleting a user account.
Search Users In this text box, you can type a keyword and then press Enter to locate a specific user account.
User Details window parameters
The following table provides descriptions of the User Details window parameters:
Table 2-5 User Details window parameters
Parameter Description
Username Type a unique user name for the new user. The user name must contain a maximum of 30 characters.
E-mail Type the user's email address. The email address must meet the following requirements:
  Must be a valid email address
  Minimum of 10 characters
  Maximum of 255 characters
Password Type a password for the user to gain access. The password must meet the following criteria:
  Minimum of five characters
  Maximum of 255 characters
Confirm Password Type the password again for confirmation.
Description Optional. Type a description for the user account. The maximum number of characters is 2,048.
User Role From the list box, select the user role you want to assign to this user. To add, edit, or delete user roles, you can click the Manage User Roles link. For information on user roles, see Role management.
Security Profile From the list box, select the security profile you want to assign to this user. To add, edit, or delete security profiles, you can click the Manage Security Profiles link. For information on security profiles, see Managing security profiles.
3 MANAGING THE SYSTEM AND LICENSES
The System and License Management window provides information about each system and license in your deployment. The System and License Management window also provides options that you can use to manage your licenses, systems, and HA deployments.
System and License Management window overview
You can use the System and License Management window to manage your license keys, restart or shut down your system, and configure access settings.
The toolbar on the System and License Management window provides the following functions:
Table 3-1 System and License Management toolbar functions
Function Description
Allocate License to System Use this function to allocate a license to a system. When you select the License option from the Display list box, the label on this function changes to Allocate System to License. For more information, see Allocating a system to a license or Allocating a license to a system.
Upload License Use this function to upload a license to your Console. For more information, see Uploading a license key.
Actions (License) If you select Licenses from the Display list box in the Deployment Details pane, the following functions are available on the Actions menu:
  Revert Allocation - Select this option to undo license changes. The action reverts the license to the previous state. If you select Revert Allocation on a deployed license within the allocation grace period, which is 14 days after deployment, the license state changes to Unlocked so that you can re-allocate the license to another system.
  Delete License - Select a license from the list, and then select this option to delete the license from your system. This option is not available for undeployed licenses.
  View License - Select a license from the list, and then select this option to view the Current License Details window. For more information, see Viewing license details.
  Export Licenses - Select this option to export the listed licenses to an external file that you can store on your desktop system. For more information, see Exporting a license.
Actions (System) If you select Systems from the Display list box in the Deployment Details pane, the following functions are available on the Actions menu:
  View System - Select a system, and then select this option to view the System Details window. For more information, see Viewing system details.
  Add HA Host - Select a system, and then select this option to add an HA host to the system to form an HA cluster. For more information about HA, see the IBM Security QRadar High Availability Guide.
  Revert Allocation - Select this option to undo staged license changes. The configuration reverts to the last deployed license allocation. If you select Revert Allocation on a deployed license within the allocation grace period, which is 14 days after deployment, the license state changes to Unlocked so that you can re-allocate the license to another system.
  Manage System - Select a system, and then select this option to open the System Setup window, which you can use to configure firewall rules, interface roles, passwords, and system time. For more information, see Access setting management.
  Restart Web Server - Select this option to restart the user interface, when required. For example, you might be required to restart your user interface after you install a new protocol that introduces new user interface components.
  Shutdown System - Select a system, and then select this option to shut down the system. For more information, see Shutting down a system.
  Restart System - Select a system, and then select this option to restart the system. For more information, see Restarting a system.
The Deployment Details pane provides information about your deployment. You can expand or collapse the Deployment Details pane.
Table 3-2 Deployment Details pane
Parameter Description
Display From this list box, select one of the following options:
  Licenses - Displays a list of the allocated and unallocated licenses in your deployment. From this view, you can manage your licenses.
  Systems - Displays a list of the host systems in your deployment. From this view, you can manage your systems.
Log Source Count Displays the number of log sources that are configured for your deployment.
Users Displays the number of users that are configured for your deployment.
Event Limit Displays the total event rate limit your licenses allow for your deployment.
Flow Limit Displays the total flow rate limit your licenses allow for your deployment.
When you select Systems from the Display list box in the Deployment Details pane, the System and License Management window displays the following information:
Table 3-3 System and License Management window parameters - Systems view
Parameter Description
Host Name Displays the host name of this system.
Host IP Displays the IP address of this system.
License Appliance Type Displays the appliance type of this system.
Version Displays the version number of the QRadar software that this system uses.
Serial Number Displays the serial number of this system, if available.
Host Status Displays the status of this system, if available.
License Expiration Date Displays the expiration date of the license that is allocated to this system.
License Status Displays the status of the license that is allocated to this system. Statuses include:
  Unallocated - Indicates that this license is not allocated to a system.
  Undeployed - Indicates that this license is allocated to a system, but you have not deployed the allocation change. This means that the license is not active in your deployment yet.
  Deployed - Indicates that this license is allocated and active in your deployment.
  Unlocked - Indicates that this license has been unlocked. You can unlock a license if it has been deployed within the last 14 days. This is the default grace period to reallocate a license. After the grace period has passed, the license is locked to the system. If you need to unlock a license after that period, contact Customer Support.
  Invalid - Indicates that this license is not valid and must be replaced. This status may indicate that your license has been altered without authorization.
Event Rate Limit Displays the event rate limit your license allows for this system.
Flow Rate Limit Displays the flow rate limit your license allows for this system.
When you select Licenses from the Display list box in the Deployment Details pane, the System and License Management window displays the following information:
Table 3-4 System and License Management window parameters - Licenses view
Parameter Description
Host Name Displays the host name of the system that is allocated to this license.
Host IP Displays the IP address of the system that is allocated to this license.
Appliance Type Displays the appliance type of the system that is allocated to this license.
License Identity Displays the name of the QRadar product this license provides.
License Status Displays the status of the license that is allocated to this system. Statuses include:
  Unallocated - Indicates that this license is not allocated to a system.
  Undeployed - Indicates that this license is allocated to a system, but you have not deployed the allocation change. This means that the license is not active in your deployment yet.
  Deployed - Indicates that this license is allocated and active in your deployment.
  Unlocked - Indicates that this license has been unlocked. You can unlock a license if it has been deployed within the last 14 days. This is the default grace period to reallocate a license. After the grace period has passed, the license is locked to the system. If you need to unlock a license after that period, contact Customer Support.
  Invalid - Indicates that this license is not valid and must be replaced. This status may indicate that your license has been altered without authorization.
License Expiration Date Displays the expiration date of this license.
Event Rate Limit Displays the event rate limit your license allows.
Flow Rate Limit Displays the flow rate limit your license allows.
License management
You use the options available on the System and License Management window to manage your license keys.
For your QRadar SIEM system, a default license key provides you with access to the QRadar SIEM user interface for five weeks. You must allocate a license key to your system.
When you initially set up a system, you must complete the following tasks:
1 Obtain a license key. Choose one of the following options for assistance with your license key:
  For a new or updated license key, contact your local sales representative.
  For all other technical issues, contact Customer Support.
2 Upload your license key. When you upload a license key, it is listed in the System and License Management window, but remains unallocated. For more information, see Uploading a license key.
3 Allocate your license. Choose one of the following options:
  Allocating a system to a license
  Allocating a license to a system
4 Deploy your changes. From the Admin tab menu, click Advanced > Deploy Full Configuration.
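The allocation lifecycle described in this chapter (upload, allocate, deploy, Revert Allocation within the 14-day grace period, Delete License not offered for undeployed licenses) as a small state model in Python. This is an added example, not code from the guide or from QRadar; the class, the method names and the integer day counter are assumptions for illustration, and the Invalid status is left out.

```python
from dataclasses import dataclass
from typing import Optional

# License statuses as listed in the Licenses view of the guide.
UNALLOCATED, UNDEPLOYED, DEPLOYED, UNLOCKED = (
    "Unallocated", "Undeployed", "Deployed", "Unlocked")
# Allocation grace period stated in the guide: 14 days after deployment.
GRACE_PERIOD_DAYS = 14


class LicenseLockedError(Exception):
    """Grace period has passed: the license is locked to its system."""


@dataclass
class License:
    """Hypothetical model of one uploaded license key (not a QRadar API)."""
    identity: str                        # product name, e.g. "QRadar SIEM"
    status: str = UNALLOCATED
    prev_status: str = UNALLOCATED       # status before the staged change
    host: Optional[str] = None           # system in the staged allocation
    deployed_host: Optional[str] = None  # system in the last deployed allocation
    deployed_day: Optional[int] = None   # deployment day on a constructed day counter

    def allocate(self, host: str) -> str:
        """Stage an allocation; it is inactive until Deploy Full Configuration."""
        if self.status not in (UNALLOCATED, UNLOCKED):
            raise ValueError(f"cannot allocate a license that is {self.status}")
        self.prev_status, self.host, self.status = self.status, host, UNDEPLOYED
        return self.status

    def deploy(self, today: int) -> str:
        """Deploy the staged allocation; this starts the grace period."""
        if self.status != UNDEPLOYED:
            raise ValueError("no staged allocation to deploy")
        self.deployed_host, self.deployed_day = self.host, today
        self.status = DEPLOYED
        return self.status

    def revert_allocation(self, today: int) -> str:
        """Revert Allocation as described for the Actions menu."""
        if self.status == UNDEPLOYED:
            # Undo the staged change: previous state, last deployed allocation.
            self.host, self.status = self.deployed_host, self.prev_status
            return self.status
        if self.status == DEPLOYED:
            if today - self.deployed_day <= GRACE_PERIOD_DAYS:
                self.status = UNLOCKED   # may now be re-allocated to another system
                return self.status
            raise LicenseLockedError(
                f"{self.identity} was deployed on day {self.deployed_day}; "
                "the grace period has passed, contact Customer Support")
        raise ValueError(f"nothing to revert for a {self.status} license")

    def can_delete(self) -> bool:
        """Delete License is not offered for undeployed licenses."""
        return self.status != UNDEPLOYED
```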
Uploading a license key
You must upload a license key to the Console when you install a new QRadar system, update an expired license, or add a QRadar product, such as QRadar Risk Manager or QRadar Vulnerability Manager, to your deployment.
Before you begin
Choose one of the following options for assistance with your license key:
  For a new or updated license key, contact your local sales representative.
  For all other technical issues, contact Customer Support.
About this task
If you log in to QRadar SIEM and your Console license key has expired, you are automatically directed to the System and License Management window. You must upload a license key before you can continue. If one of your non-Console systems includes an expired license key, a message is displayed when you log in indicating a system requires a new license key. You must access the System and License Management window to update that license key.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the System and License Management icon.
Step 4 On the toolbar, click Upload License.
Step 5 In the dialog box, click Select File.
Step 6 On the File Upload window, locate and select the license key.
Step 7 Click Open.
Step 8 Click Upload.
Result
The license is uploaded to your Console and is displayed in the System and License Management window. By default, the license is not allocated.
What to do next
Allocating a system to a license
Allocating a system to a license
Each system in your deployment must be allocated a license. After you obtain and upload a license, use the options in the System and License Management window to allocate a license.
Before you begin
Before you begin, you must obtain and upload a license to your Console. See Uploading a license key.
About this task
You can allocate multiple licenses to a system. For example, in addition to the QRadar SIEM software license, you can allocate QRadar Risk Manager and QRadar Vulnerability Manager to your Console system.
The Upload License window provides the following license details:
Table 3-5 Upload Licenses window parameters
Parameter Description
License Identity Displays the name of the QRadar product this license provides.
License Status Displays the status of the license that is allocated to this system. Statuses include:
  Unallocated - Indicates that this license is not allocated to a system.
  Undeployed - Indicates that this license is allocated to a system, but you have not deployed the allocation change. This means that the license is not active in your deployment yet.
  Deployed - Indicates that this license is allocated and active in your deployment.
  Unlocked - Indicates that this license has been unlocked. You can unlock a license if it has been deployed within the last 14 days. This is the default grace period to reallocate a license. After the grace period has passed, the license is locked to the system. If you need to unlock a license after that period, contact Customer Support.
  Invalid - Indicates that this license is not valid and must be replaced. This status may indicate that your license has been altered without authorization.
License Appliance Types Displays the appliance type that this license is valid for.
License Expiration Date Displays the expiration date of this license.
Event Rate Limit Displays the event rate limit this license allows.
Flow Rate Limit Displays the flow rate limit this license allows.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the System and Lic