Lab2-Using the QRadar SIEM Dashboard PDF

Title Lab2-Using the QRadar SIEM Dashboard
Author HUSSAIN MUHAMMAD ZUN / UPM
Course Computer and Network Security
Institution Universiti Putra Malaysia



Description

CSF-4613

Security Intelligence

Lab 2

LAB 2: CSF-4613 Security Intelligence: Using the QRadar SIEM Dashboard.

Student Name: Click or tap here to enter text.

Student ID: Click or tap here to enter text.

Lab Objectives: Create a new dashboard and add items to the dashboard.

Lab Requirements: QRadar VM & Windows Server 2003 VM.

Introduction: The Dashboard is the default view when you log in to QRadar SIEM. It provides a workspace environment that supports multiple dashboards to display views of network security, activity, or data that QRadar SIEM collects. The Dashboard tab provides five default dashboards focused on threat and security, network activity, application activity, system monitoring, and compliance. Each dashboard shows a default set of items. The dashboard items act as launch points to navigate to more detailed data. Create a custom dashboard to focus on your network security responsibilities.

Creating a new dashboard: To create a new dashboard and add items to the dashboard, perform the following steps:

1. Power ON both virtual machines (QR & Win).

Note: Start the VMs ahead of time, because QRadar takes about 7 – 10 minutes to boot and become ready to use.

2. Log in to the Windows server (username: administrator, password: object00).

3. Open a PuTTY session on the QRadar SIEM server. Use the procedure “Logging in to the QRadar SIEM server VM” from Lab 1.

4. Generate events using the PuTTY command line. Type the following command:

Instructor/ Student Lab Manual

Ayman Ahmed


5. Log in to the QRadar SIEM console: open the Firefox browser, then click the “Login To QRadar” button.

6. Click the New Dashboard icon.

7. In the Name field, type your name – Student ID. E.g. Ayman-H00111222. In the description field, type My Dashboard. Then click OK.

Note: A new custom dashboard is empty by default. Therefore, you must add items to the dashboard.


8. To add items to the new dashboard, from the Add Item list, select the following items:

I. Network activity > Flow Searches > Top Application
II. Offenses > Offenses > Most Recent Offense
III. Log Activity > Event Searches > Event Rate (EPS)

You should have the same items on your new dashboard as shown below:

9. You can arrange the dashboard items by dragging each to the appropriate location on the dashboard.

10. Arrange your dashboard items as shown below.


11. Take a screenshot of your new dashboard after arranging it as shown above, and paste it below:

Note: If a dashboard item disappears while you are moving it, press F5 on the keyboard to refresh the whole page and show the item again.

End of the lab 

Review Questions: The following questions are based on this lab activity and the week 5 PowerPoint.

Q1. List below the six default dashboards that are available in IBM Security QRadar. (You may answer this question from the QRadar interface.) Click or tap here to enter text.

Q2. Why do you create custom dashboards rather than using the default dashboard? Click or tap here to enter text.

Q3. Which of the following IBM QRadar tabs queries and displays events?

A. ☐ Network Activity
B. ☐ Log Activity
C. ☐ Offenses
D. ☐ Assets


Q4. In IBM QRadar, the displayed dashboard, events and flows refresh every _____ unless you click Pause.

A. ☐ One hour
B. ☐ One minute
C. ☐ One second
D. ☐ One day
