What this book covers
Chapter 1, QRadar Components, explains all the QRadar components, what the different QRadar services are, and which services run on which components. This chapter will help you understand how QRadar is designed and how different components provide different functionalities.
Chapter 2, How QRadar Components Fit Together, looks at the QRadar console, which is the central component around which other components fit together; depending on the requirement, other QRadar components can be added to the console. Also, we will explain in detail what different types of deployments exist – namely, all-in-one deployment and distributed deployment.
Chapter 3, Managing QRadar Deployments, deals with installing, upgrading, and scaling QRadar as and when required. We also discuss licensing requirements in QRadar.
Chapter 4, Integrating Logs and Flows in QRadar, discusses the practical aspects of ingesting data in QRadar. There are various ways in which different types of events and flow data are ingested, which are described in detail in this chapter.
Chapter 5, Leaving No Data Behind, explores how data is handled by QRadar. The majority of the shortcomings when working with QRadar occur while ingesting data. We will also discuss the DSM Editor, a tool to ingest data that is not supported out of the box.
Chapter 6, QRadar Searches, discusses how searches work and how they can be tuned in QRadar. A SIEM is only as efficient as the searches performed on it. We will also discuss the different types of searches in QRadar and how data accumulation works in it.
Chapter 7, QRadar Rules and Offenses, delves into one of the most fundamental aspects of QRadar, which is rules and offenses. We will discuss the different types of rules, how to run rules for historical data called historical correlation, how offenses are generated, and finally, how to fine-tune and manage rules and offenses.
Chapter 8, The Insider Threat – Detection and Mitigation, examines how UBA can be used to detect an insider threat in your organization. IBM has a public portal where apps are published, which can be downloaded and installed on QRadar. Some of these apps are created by IBM, while other vendors have come up with apps for their own applications. IBM UBA is one such app developed by IBM for insider threat management.
Chapter 9, Integrating AI into Threat Management, discusses three QRadar apps – the QRadar Assistant app, QRadar Advisor for Watson, and QRadar Use Case Manager. We will also discuss the practical use of these apps.
Chapter 10, Re-Designing User Experience, explores how to use apps to improve the user experience. IBM QRadar needed an overhaul when it came to user experience. Hence, IBM devised apps such as IBM QRadar Pulse and IBM Analyst Workflow to change the way QRadar can be managed, which we will look at in this chapter.
Chapter 11, WinCollect – the Agent for Windows, focuses on how to install, manage, upgrade, and fine-tune WinCollect agents, one of many built-in features of IBM QRadar. WinCollect is an agent for the Windows operating system and collects events from Windows machines. It can also poll events from other Windows machines where it is not installed and send them to QRadar.
Chapter 12, Troubleshooting QRadar, examines the pain points and solutions to many of the issues in QRadar, based on years of experience working with it. There are tips and tricks as well as a list of frequently asked questions about QRadar. This chapter should help you become a pro user of QRadar.