Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Building a Next-Gen SOC with IBM QRadar
Building a Next-Gen SOC with IBM QRadar

Building a Next-Gen SOC with IBM QRadar: Accelerate your security operations and detect cyber threats effectively

Arrow left icon
Profile Icon Ashish Kothekar Profile Icon Ashish M Kothekar
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8 (12 Ratings)
Paperback Jun 2023 198 pages 1st Edition
eBook
€17.99 €26.99
Paperback
€33.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon Ashish Kothekar Profile Icon Ashish M Kothekar
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8 (12 Ratings)
Paperback Jun 2023 198 pages 1st Edition
eBook
€17.99 €26.99
Paperback
€33.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€17.99 €26.99
Paperback
€33.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Building a Next-Gen SOC with IBM QRadar

QRadar Components

We live in a digital age in which the paradigms of security have changed. In the past, wars were fought on battlefields. Now, digital space is where the security of a nation-state, an enterprise, or an individual is threatened. Gartner predicts that by 2025, cyber attackers will use weaponized technology to harm or kill humans. Earlier, cyberattacks were restricted to things such as denial of services, information theft, and ransomware.

These cyberattacks have a heavy financial toll (billions of dollars), cause disruption in production, cause intellectual property to be stolen, and eventually, the brand reputation is tarnished. This is a never-ending battle in this digital age. Security vendors have come up with hundreds of security products and solutions to counter these cyberattacks. IBM has been at the forefront and is leading the security space with top-of-the-line products and solutions.

To understand the impact of a cyberattack, we just have to look a few years back at what happened with Ashley Madison. Ashley Madison was a dating app for those who were married, and the slogan they used to advertise then was “Life is short. Have an affair.” Not surprisingly, the service had 37 million subscribers.

And then the unthinkable happened for the subscribers of the site. Ashley Madison used the weakest password encryption algorithm, and it was easily hacked. A hacker group called the Impact Group gave Ashley Madison 30 days to pay a ransom. As Ashley Madison did not pay, on the 30th day, they released about 60 GB of data with the names, email addresses, credit card numbers, and other details of the subscribers on the dark net. Soon, the media and the crooks started looking for famous personalities to hold them for ransom. The hack soon became public knowledge, leading to a large number of breakups, divorces, and even suicides. The financial implications of such breaches are unaccountable. The site and the brand of Ashley Madison were damaged permanently.

The point that needs to be understood from this scenario is that security breaches can cost lives, and hence any organization (whether it be a dating website, a bank, or a telecom company) needs to be on top of its game when it comes to security.

IBM QRadar is a solution suite that provides enhanced threat intelligence and insights into cyberattacks. These insights help organizations automate responses to threats and also help in devising new strategies to counter cyberattacks. An organization uses hundreds of enterprise solutions and security products from different vendors, such as firewalls, Endpoint Detection Response (EDR), Intrusion Prevention System (IPS), Data Loss Prevention (DLP), and so on. IBM QRadar seamlessly integrates with all these products, consumes all the security data from them, and provides security alerts or insights that are actionable.

In this book, we will learn more about how to build your next-generation Security Operations Center (SOC) using the IBM QRadar solution suite. To understand IBM QRadar and how it functions, it is important to understand the different components. We call all these different QRadar components managed hosts (apart from the Console).

In this chapter, we will discuss various QRadar services for each component, which should be a good starting point to design the architecture for your SOC. As per different requirements, different components can be used in the deployment. Various aspects such as deployment types, scaling, upgrades, and licensing are discussed in corresponding chapters. In this chapter, however, we’re going to cover the following main topics:

  • Understanding the QRadar Console
  • Exploring event data
  • Exploring flow data
  • Getting to know the Data Node
  • Investigating QRadar components

Understanding the QRadar Console

The Console is the brain of QRadar and is the single indispensable component of QRadar. It can collect and process data and throw alerts based on the rules. This is the primary job of the Console. Other components (described later) are mostly used to scale these functionalities in one form or another. Now, let us look at the three major services running on the Console and understand them.

Tomcat

The primary utility of this service is for displaying the User Interface (UI) of QRadar. The QRadar UI can be accessed by typing the IP address or the hostname (if it can be resolved) in the browser.

If the tomcat service is down on QRadar, you will not be able to load the QRadar UI. It maintains the user sessions, active sessions, and current users – all those who have logged in to QRadar UI. It also plays a part in authenticating users, whether it is local authentication, Lightweight Directory Access Protocol (LDAP) authentication, or any other type of authentication. It is a multithreaded service that also deals with the export of data from the QRadar UI. The status of the tomcat service can be checked using a simple command:

 systemctl status tomcat

We will cover troubleshooting tricks and tips for tomcat in the final chapter.

Important note

The Tomcat service is only available on the QRadar Console.

Hostcontext

When the hostcontext service is started, it triggers many other services with it. All the functionalities of QRadar are dependent on the hostcontext service. This service is part of all the QRadar managed hosts, unlike the tomcat service. The hostcontext service is responsible for replicating the deployment changes from the Console to other managed hosts.

The following is the list of services triggered because of hostcontext:

  • ecs-ec-ingress: The specialty of this service from the following services is that even if the hostcontext service is stopped from the command line or if the hostcontext service crashes, ecs-ec-ingress keeps running and collecting events from Log Sources. If the ecs-ec-ingress service is stopped, there are two ways of starting:
    1. Restarting the hostcontext service
    2. Starting the ecs-ec-ingress service separately
  • ecs-ec: The primary function of this service is to parse (map) the incoming events/flows. This service converts the events into a form that QRadar understands. The event is mapped to its event name by this service. For example, Linux OS has sent an authentication event to QRadar that there is an invalid user named testdev trying to log in via SSH.

The payload of such an event would look like this:

"Apr  10 18:26:40 servername sshd[26388]: input_userauth_request: invalid user testdev
"

QRadar needs to make sense of this payload. This is called parsing. Then, QRadar needs to map this event to an appropriate event name, which is called event mapping. The event will be parsed as follows:

  • Time: 6:26:40 p.m.
  • Date: 10th April
  • Event Name: Authentication Failure
  • Server Details: servername

So, the two important functions of ecs-ec are as follows:

  • Event parsing
  • Event mapping
  • ecs-ep: Once the events are parsed and mapped, they need to be processed. Rules are provided as a part of the initial installation. These rules can further be customized as per the security use cases of the organization. ecs-ep is responsible for matching each incoming event against all the enabled rules. If the rule conditions are fulfilled based on the incoming event/events, offenses (security alerts) can be triggered based on the rule action and rule response (defined).

For example, we could have a rule to trigger an offense if we receive an event called Authentication Failure from Linux OS after 6 p.m. In such a case, looking at the previous event in the example, an offense will be generated.

ecs-ep is also responsible for offense management in terms of the following:

  • Offense creation
  • Renaming offenses
  • Attaching events to triggered offenses
  • Offenses in a dormant condition
  • Offense closure
  • Offense deletion
  • QFlow: This service is responsible for collecting flows in QRadar. Flows are network packet information collected in a specific format over a period of time.
  • Accumulator: This service is responsible for creating global views in QRadar, which can be used for dashboards, reports, and so on.
  • Ariel proxy: This service is responsible for relaying the search queries to the appropriate managed hosts.
  • Ariel query: This service queries ariel databases across all managed hosts based on the query run on the Console.

There are many other services, and we will discuss them in detail when introducing the concepts related to them.

Hostservices

This service is also part of the Console and other managed hosts. Typically, QRadar has two types of databases:

  • Ariel, which is not managed by hostservices (it stores event/flow data)
  • Postgres, which is managed by hostservices (it stores configuration)

An ariel database has security data that is collected, and processed by hostcontext. Postgres has the configuration details of QRadar. This is managed by the hostservices service. Postgres is a relational database management system (RDBMS) that has multiple tables containing information on QRadar deployment, configuration, and settings. The Postgres database is replicated on different managed hosts using the hostcontext service. The Postgres database can be queried, if required, using the psql command line. We will discuss this in detail when we talk about optimization and tuning QRadar.

The brain behind QRadar is the Console, and the other components act as auxiliary parts of the system helping the Console perform the functions in a better way. Before jumping on to other QRadar components, let's first discuss and understand event data and flow data.

Exploring event data

Every organization that plans on building a SOC has hundreds and thousands of applications, servers, and endpoints that it would like to monitor. Each of these applications or servers has security and audit logs. These security and audit logs are what we call event data. QRadar supports multiple protocols such as Syslog, JDBC, and UDP multiline. It also supports product-specific protocols such as the Akamai Kona REST API protocol and the CISCO NSEL protocol. Using these protocols, QRadar can either pull data from Log Sources or we can configure Log Sources to send data to QRadar.

The data sent is in the form of events that are parsed and mapped to certain event names. The events can be viewed from the QRadar UI from the Log Activity tab. There are multiple query options that can be used.

The following figure shows a screenshot of the Log Activity tab with filters applied:

Figure 1.1 – Log Activity tab

Figure 1.1 – Log Activity tab

Here, we refer to Data Source as Log Source, and they can be used interchangeably.

Event Processor

We previously learned that the Console is the brain of QRadar. However, there is a limit to the amount of data that can be collected and processed by the Console. This is where the Event Processor comes into the picture. The Console can delegate the work of collecting and processing event data to the Event Processor.

The main services running on the Event Processor are as follows:

  • hostcontext: There are multiple services that are triggered when the hostcontext service is started. On each managed host (Event Processor), there is a configuration file named /opt/qradar/conf/nva.hostcontext.conf. It has a parameter called 'COMPONENT_PROCESSES'. Based on the values, the services are started when hostcontext is started. The main services that are part of the hostcontext service on the Event Processor are as follows:
    • ecs-ec-ingress
    • ecs-ec
    • ecs-ep
    • Ariel query server
  • hostservices: This is like what we have seen on the Console.

You will see that there is no ariel proxy service on the Event Processor. This is because the ariel proxy service is only on the Console. When we search for data on the Console, the ariel proxy service sends the query request to the Event Processor. This request is accepted and worked on by the ariel query server service.

The ariel query server queries the ariel database, which is on the Event Processor, and sends the resultant data back to the Console, where it is shown in Log Activity.

Important note

We will be using the term managed host for any QRadar component that can be managed from the Console – for example, Event Processor, Flow Processor, Event Collector, and so on. There are very few QRadar components that are not managed by the Console. We will discuss them later.

An Event Processor can collect data using ecs-ec-ingress, parse the data using ecs-ec, and process the data using ecs-ep. You will notice that there is an ariel database in each Event Processor, which means that the event data is stored locally. Only when the data is searched is the resultant data sent to the Console for display. Over a period, the resultant data on the Console is removed as per configured policies

As the collection, parsing, and processing of data are done separately, whenever we add an Event Processor to the Console, we say that is a distributed environment.

Along with the Event Processor, the Event Collector also plays an important role in QRadar deployments. Let's discuss this further.

Event Collector

The Event Collector is the component that collects the event data and then either sends it to the Event Processor (if there is one) or to the Console for storage.

In some deployments, the Log Sources (which are configured to send data to QRadar) are in different time zones or different networks, and it is not feasible to send data directly to the Event Processor or Console. In such scenarios, the Event Collector can be used to collect local (to the network) event data, parse it using DSM, and send it to the Event Processor or Console for correlation and storage.

If the connection between the Event Collector and Event Processor is lost, event data is stored locally on the Event Collector, and when the connection is restored, the data is sent to the configured Event Processor.

Important services running on the Event Collector are as follows:

  • hostcontext: These are the subservices of the hostcontext service:
    • ecs-ec-ingress – To collect event data
    • ecs-ec – To parse collected event data
  • hostservices: Same as in the Console

We have discussed in detail the log data from the applications, servers, and endpoints. The other most striking feature of QRadar is its ability to process flow data. Let's discuss that in the next section.

Exploring flow data

Flows are different from events. Flow data is the information of the session between two hosts. For example, if an employee logs in at 9 a.m. and starts using social media, QRadar can capture these session details between the employee’s machine and the social media site. This is done by capturing the network traffic from the span port of a switch. There are different types of flows, which we will discuss in detail later in Chapter 4. Flow data can be viewed in the Network Activity tab on the QRadar UI, as shown in the following screenshot:

Figure 1.2 – Network Activity tab

Figure 1.2 – Network Activity tab

Similar to an Event Processor, we have a Flow Processor and Flow Collector for flow data. Let’s discuss them in detail next.

Flow Processor

Like the Event Processor, the Flow Processor is another managed host that collects and processes flow data. It has an ariel database where the flow data is stored, and it can be queried using the same mechanism as discussed for the Event Processor.

For the Event Processor, we had ecs-ec-ingress, which collected event data. But for the Flow Processor, we have the qflow service, which collects flows and then sends them to ecs-ec and ecs-ep for further processing and storage.

Important services running on the Flow Processor are as follows:

  • hostcontext: For the Flow Processor, the 'COMPONENT_PROCESSES' parameter in the /opt/qradar/conf/nva_hostcontext.conf file has different values than in the Event Processor.
  • qflow: This service is responsible for collecting the flows. The Flow Processor does NOT have the ecs-ec-ingress service
  • hostservices: Same as in the Console.

Important note

A single managed host can act as both an Event Processor and Flow Processor. For this to happen, you need to choose the correct option while installing. Usually, on enterprise-level deployments, Event Processors and Flow Processors are kept separate.

Flow Collector

Like an Event Collector, a Flow Collector is used to collect flow data, analyze it, and send it to the Flow Processor or Console for processing.

The Flow Collector has a special service like Flow Processor called qflow, which collects flows. Flow sources are defined on the QRadar Console UI and then the configuration is pushed to managed hosts, thus the Flow Collector understands which flows need to be collected.

Important services running on the Flow Collector are as follows:

  • hostcontext: The subservices of the hostcontext service are as follows:
    • qflow – This service is responsible for collecting flows
    • ecs-ec – This service is responsible for aggregating and analyzing flows
  • hostservices: Same as in the Console

Another important component usually used in huge deployments is the Data Node. Let's see why in the next section.

Getting to know the Data Node

Event and flow data are required for security purposes as well as for compliance. The amount of storage available on the Console and processors might not be enough for compliance.

For example, it may be mandated by Central Banks to keep event and flow data for 2 years. The available storage on processors can store data only for 6 months. In such a scenario, multiple Data Nodes can be added to a processor so that the processed data can be stored.

Adding a Data Node to deployment has two advantages:

  • Increases the storage space for event and flow data
  • Searches are more efficient when Data Nodes are used

Multiple Data Nodes can be attached to a single processor. One Data Node cannot be attached to multiple processors. What this means is that one Data Node will share data with just one processor.

When Data Nodes are added to the deployment, there is a process called data rebalancing that happens. The incoming data in the processor is distributed amongst the Data Nodes that are attached.

If a Data Node goes down (or crashes), the incoming data is not written to the Data Node. Once the Data Node is up, data is again rebalanced between the processor and Data Node. We will touch more on Data Nodes while discussing searches in Chapter 6.

Other QRadar components

Along with the collectors, processors, and Console, we have a few more feature-rich components that we will look at next. Some of the components that we will discuss are managed hosts, while the QRadar Packet Capture component is an unmanaged host.

Let’s get started and discuss each component in detail.

QRadar Network Insights

QRadar Network Insights (QNI) is another QRadar component that is used for capturing flow data. Now, it might be interesting to know why we have QNI when we already had a Flow Collector and Flow Processor, which were also meant to capture flow data.

The Flow Collector and Flow Processor have a service called qflow, which is responsible for collecting flow data. qflow captures the first 64 bytes of the packet and not the complete payload. This is done to extract important information from packet data. If complete packet data is saved on the Flow Processor, the amount of network packet data would be so huge that it would fill up the Flow Processor in days, if not hours. So, it is practical to capture the first 64 bytes of packet information and store it.

QNI as an appliance (we will learn what an appliance is and how it is different from software installs in Chapter 2,) has special hardware to capture huge chunks of data, process that data, extract metadata, and send it to the processor for storage. So, if the same packet capture is sent to QNI, it can capture more data than qflow will capture with the first 64 bytes of information. For example, if the payload contains information that a user tried to access Facebook or tried to upload a file on Dropbox, QNI be able to capture the hash of the file that is uploaded (if available in the payload). This hash value can then be used by QRadar to determine whether it is a known threat by comparing the hash value of the file to the threat intelligence feeds it has.

In short, QNI provides us with more detailed information about the same packet capture compared to the information if Flow Collector/Processor is used using qflow.

In a single deployment, there can be multiple QNIs installed. QNI captures the packets and sends the information/insights to the processor/Console in IPFIX format. As the insights from QNI are more detailed, granular rules can be created, providing better security coverage.

QRadar Incident Forensics

Till now, we have talked about managed hosts, which are deployed in the QRadar environment for collecting and processing data in terms of events and flows. When it comes to forensics and deep diving into a security incident, QRadar Incident Forensics (QRIF) comes into the picture.

A security incident, such as financial fraud, would require an in-depth investigation of all activities that took place over a period of time. QRIF helps in reconstructing network sessions from the packet capture available.

For example, last Friday night, someone in a bank environment downloaded a script on the server and ran it. After a while, some of the accounts were compromised and a transfer of funds took place. From events and flows, a preliminary analysis can be done. But if there was complete packet capture available from the span port on the switch where the server was connected, QRIF could recover and reconstruct the complete session based on the source and destination IP address (or any other query), and a web session showing the exact actions of the threat actor can be seen.

QRadar Packet Capture

If QRIF can reconstruct the complete sessions, it will require complete packet captures to be stored from the time of the incident. This is where QRadar Packet Capture (QPCAP) comes into the picture. QPCAP is not a managed host. This can be placed in the network where the capture port of QPCAP can collect the network packets and store them. Network packets can fill up QPCAP very quickly. So, it has large storage space and special hardware for direct I/O disk access.

Typically, QPCAP is configured to capture and store network packet data for 7 days. If needed, multiple packet captures can be used as per the requirement.

QRadar Vulnerability Manager

Along with event data and flow data, another important aspect of information from the point of view of security is the vulnerability data of the assets in the environment. Administrators should have information on the assets available and how vulnerable these assets are. QRadar Vulnerability Manager (QVM) performs active and passive scans on the assets in the network.

For example, a QVM scan can be run periodically to understand whether the patching of all Microsoft servers is completed. It helps in determining the security posture of an organization.

QVM is a complete asset management tool right from discovering assets to running remediation reports for those assets. For this, QVM seamlessly integrates with other products such as BigFix and IBM SiteProtector.

Figure 1.3 – Assets tab

Figure 1.3 – Assets tab

In the preceding figure, the assets database can be seen. Each asset will have a unique ID, domain information, and vulnerability information associated with it.

Figure 1.4 – Vulnerabilities tab

Figure 1.4 – Vulnerabilities tab

In the preceding figure, a scan is run twice over a period. There are eight assets that were scanned both times, but the number of vulnerabilities is different. This indicates that over a period of time, new vulnerabilities were found for the same assets.

QRadar Risk Manager

QRadar Risk Manager (QRM) is a managed host that collects configuration information from the network devices in the environment. This information is then pictorially depicted in the form of network topology.

For example, in a typical data center, there are multiple network devices such as routers, firewalls, intrusion prevention devices, and so on. QRM pulls the configuration details from all the network devices and creates network topology graphs. It can also simulate any changes in the policies by calculating the risk to the environment.

Figure 1.5 – Risks tab

Figure 1.5 – Risks tab

QRM can integrate with QVM. Risk policies can be defined on QRM. To give an example of a risk policy in QRM, a policy can be defined to find out whenever there is web traffic, but it is not HTTPS traffic. That means, whenever there is web traffic on HTTP, the policy triggers, and the information related is collected by QRM. This information is useful to change the vulnerability risk scores of the assets involved. Whenever risk scores are changed in QVM, alerts can be generated via email or dashboard alerts to get higher visibility on the high-risk assets.

The Risk Manager tab shows information about the network devices in the environment. In the upcoming versions of QRadar, QRM and QVM will be part of a single appliance and will be sold as a single solution. But the fundamentals of both QRM and QVM remain the same, as discussed in this chapter.

QRadar App Host

On QRadar, just like on our Android or Apple phones, there are applications, or apps, that can be installed. These applications enhance the usability of QRadar and also provide additional features. All the QRadar apps are publicly available on the QRadar App Exchange portal. Here is the link to the portal: https://exchange.xforce.ibmcloud.com/hub.

In the Understanding the Console section, we covered so many services and tasks that are running on the Console. Installing multiple apps on the Console will add computational overhead in terms of CPU cycles, memory utilization, and the disk space required by the apps. For this reason, we have a component called App Host, where the Console offloads all the apps.

In the following figure, we can see how different components fit together. The QRadar Console is the most important component to which other components are connected for command and control (except QPCAP).

Figure 1.6 – Sample QRadar deployment showing multiple components

Figure 1.6 – Sample QRadar deployment showing multiple components

From Chapter 8 onward, we will discuss at length all the important QRadar apps that can be installed on QRadar.

Summary

This first chapter was all about understanding the different IBM QRadar components. Being a highly scalable product, it is imperative that we know which components are to be used to scale the solution. We also understood how the event and flow data is handled in QRadar by different QRadar components. With that, you now have an idea of the basic architecture of QRadar components and how they fit together.

In the next chapter, we will learn how these components work together.

Left arrow icon Right arrow icon

Key benefits

  • Get to grips with QRadar architecture, components, features, and deployments
  • Utilize IBM QRadar SIEM to respond to network threats in real time
  • Learn how to integrate AI into threat management by using QRadar with Watson

Description

This comprehensive guide to QRadar will help you build an efficient security operations center (SOC) for threat hunting and need-to-know software updates, as well as understand compliance and reporting and how IBM QRadar stores network data in real time. The book begins with a quick introduction to QRadar components and architecture, teaching you the different ways of deploying QRadar. You’ll grasp the importance of being aware of the major and minor upgrades in software and learn how to scale, upgrade, and maintain QRadar. Once you gain a detailed understanding of QRadar and how its environment is built, the chapters will take you through the features and how they can be tailored to meet specifi c business requirements. You’ll also explore events, flows, and searches with the help of examples. As you advance, you’ll familiarize yourself with predefined QRadar applications and extensions that successfully mine data and find out how to integrate AI in threat management with confidence. Toward the end of this book, you’ll create different types of apps in QRadar, troubleshoot and maintain them, and recognize the current security challenges and address them through QRadar XDR. By the end of this book, you’ll be able to apply IBM QRadar SOC’s prescriptive practices and leverage its capabilities to build a very efficient SOC in your enterprise.

Who is this book for?

This book is for security professionals, SOC analysts, security engineers, and any cybersecurity individual looking at enhancing their SOC and SIEM skills and interested in using IBM QRadar to investigate incidents in their environment to provide necessary security analytics to responsible teams. Basic experience with networking tools and knowledge about cybersecurity threats is necessary to grasp the concepts present in this book.

What you will learn

  • Discover how to effectively use QRadar for threat management
  • Understand the functionality of different QRadar components
  • Find out how QRadar is deployed on bare metal, cloud solutions, and VMs
  • Proactively keep up with software upgrades for QRadar
  • Understand how to ingest and analyze data and then correlate it in QRadar
  • Explore various searches, and learn how to tune and optimize them
  • See how to maintain and troubleshoot the QRadar environment with ease

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jun 28, 2023
Length: 198 pages
Edition : 1st
Language : English
ISBN-13 : 9781801076029
Category :
Concepts :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Jun 28, 2023
Length: 198 pages
Edition : 1st
Language : English
ISBN-13 : 9781801076029
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 93.97 120.97 27.00 saved
Effective Threat Investigation for SOC Analysts
€28.99 €41.99
Practical Threat Detection Engineering
€30.99 €44.99
Building a Next-Gen SOC with IBM QRadar
€33.99
Total 93.97 120.97 27.00 saved Stars icon
Banner background image

Table of Contents

17 Chapters
Part 1: Understanding Different QRadar Components and Architecture Chevron down icon Chevron up icon
Chapter 1: QRadar Components Chevron down icon Chevron up icon
Chapter 2: How QRadar Components Fit Together Chevron down icon Chevron up icon
Chapter 3: Managing QRadar Deployments Chevron down icon Chevron up icon
Part 2: QRadar Features and Deployment Chevron down icon Chevron up icon
Chapter 4: Integrating Logs and Flows in QRadar Chevron down icon Chevron up icon
Chapter 5: Leaving No Data Behind Chevron down icon Chevron up icon
Chapter 6: QRadar Searches Chevron down icon Chevron up icon
Chapter 7: QRadar Rules and Offenses Chevron down icon Chevron up icon
Part 3: Understanding QRadar Apps, Extensions, and Their Deployment Chevron down icon Chevron up icon
Chapter 8: The Insider Threat – Detection and Mitigation Chevron down icon Chevron up icon
Chapter 9: Integrating AI into Threat Management Chevron down icon Chevron up icon
Chapter 10: Re-Designing User Experience Chevron down icon Chevron up icon
Chapter 11: WinCollect – the Agent for Windows Chevron down icon Chevron up icon
Chapter 12: Troubleshooting QRadar Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(12 Ratings)
5 star 83.3%
4 star 16.7%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




GUNDERSTONE Jul 20, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
IBM QRadar acts as an aggregator, integrating data from various security products, correlating it, and using artificial intelligence and machine learning to generate valuable insights, alerts, and reports for various stakeholders. These stakeholders range from analysts and security administrators to government agencies, law enforcement, and executive management.As a professional in the training and security industry who is new to this software, the author provides clear and concise guidance on its features. By the end of the book, you'll have a solid understanding of how to make the most of this tool.This book is a perfect guide to the capabilities of QRadar. It breaks down the features and processes for the proper deployment of QRadar and how to leverage it to get the best results. It delves into the fundamental principles upon which QRadar is constructed, elucidating its architecture, services, and diverse components. It provides a comprehensive understanding of how different stakeholders can leverage QRadar, including its custom-built solutions known as QRadar apps, developed by IBM for various security products.The book concludes with the author's personal experience with QRadar, offering valuable tips for maximizing QRadar's potential within your organization's security framework.Overall, this book presents a complete perspective on QRadar, shedding light on its use in securing your organization.
Amazon Verified review Amazon
Dwayne Natwick Jun 29, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Are you wondering where to start when creating a security operations center with IBM QRadar? Packt Publishing's Building a Next-Gen SOC with IBM QRadar by Ashish Kothekar provides end to end guidance on setup and use of QRadar. All of the tools and components are provided with easy to follow explanations and processes. This is the book for anyone that is using QRadar. And if you want to try QRadar, Ashish explains how to obtain the free community version.
Amazon Verified review Amazon
Austin Gettel Sep 14, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book claims that it is for Security Analysts, System Admins, Security Architects, and executives alike, and it absolutely is. This resource needs to be read by everyone in Cybersecurity that works with QRadar or wants to learn more about the tool. The executive will learn all about the licensing structure and the requirements to scale to fit their enterprise's needs. All while giving the details needed for the Security Architect and System Admin to implement. But this book should not be over looked by analysts either, as they can get amazing understanding of the different components. Analysts and Executives will both gain invaluable insight in the different apps that can be implemented to increase the security of the enterprise, and make the life of the Security Analyst's so much better!I've worked with QRadar for over a year now, and I always would come away with more questions than answers after talking to the Security Engineer. They had so much knowledge of QRadar I thought I would never be able to get to their level. After reading this book and learning about the components of QRadar, I shocked my engineer coworkers at our last meeting with how much I learned. I was talking to them on a whole new level, even making suggestions for improvements.I really have to recommend this book for students and anyone transitioning into Cybersecurity, Just what you'll learn about one of the most used SIEM's in the industry would make it worth the price tag. What really makes this invaluable is the step by step instructions to download and install QRadar in your own homelab. This experience will get you so much further than in interviews with a hiring manager than any college degree or certification will ever do!
Amazon Verified review Amazon
esgar jimenez Jul 03, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is a perfect guide to the capabilities of QRadar. It breaks down the features and processes for thebproper deployment of QRadar and how to leverage it to get the best results. As a cybersecurity professional the importance of threat hunting is immeasurable. If you want to enhance yoyr understanding of QRadar and better your companies security posture this book is the way to go to improve your SOC.
Amazon Verified review Amazon
Brandon Lachterman Jul 05, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
As a security professional that had never gotten to touch this software before, the author truly takes you through what you need to know in a simple but effective manor, and youre left with a good understanding of how you can utilize this amazing software.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.