
IBM Security QRadar Version 7.2.3

Hardware Guide

SC27-6534-00


Note: Before you use this information and the product that it supports, read the information in “Notices” on page 27.

© Copyright IBM Corporation 2014, 2014. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this guide ... v

Chapter 1. Safety Instructions ... 1

Chapter 2. QRadar appliance overview ... 3
    QRadar QFlow Collector 1201 ... 3
    QRadar QFlow Collector 1202 ... 3
    QRadar QFlow Collector 1301 ... 4
    QRadar QFlow Collector 1310 ... 5
    QRadar 1400 Data Node ... 5
    QRadar Event Collector 1501 ... 6
    QRadar Event Processor 1605 ... 7
    QRadar Event Processor 1628 ... 8
    QRadar Flow Processor 1705 ... 8
    QRadar Flow Processor 1728 ... 9
    QRadar 1805 ... 10
    QRadar Flow Processor 1828 ... 10
    QRadar 2100 ... 11
    QRadar 3105 (All-in-One) ... 12
    QRadar 3105 (Console) ... 13
    QRadar 3128 (All-in-One) ... 13
    QRadar 3128 (Console) ... 14
    QRadar Log Manager 1605 ... 14
    QRadar Log Manager 1628 ... 15
    QRadar Log Manager 2100 ... 16
    QRadar Log Manager 3105 (All-in-One) ... 16
    QRadar Log Manager 3105 Console ... 17
    QRadar Log Manager 3128 (All-in-One) ... 17
    QRadar Log Manager 3128 (Console) ... 18
    QRadar Vulnerability Manager ... 19
    QRadar Risk Manager ... 20

Chapter 3. Appliance Diagrams ... 21
    Integrated Management Module ... 21
    QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances ... 21
        Front panel indicators and features ... 21
        Back panel indicators and features ... 22
    QRadar Appliances ... 24
        Front panel indicators and features ... 24
        Back Panel Indicators and Features ... 25

Notices ... 27
    Trademarks ... 28
    Privacy policy considerations ... 29

Glossary ... 31
    A ... 31
    B ... 31
    C ... 31
    D ... 32
    E ... 32
    F ... 32
    G ... 33
    H ... 33
    I ... 33
    K ... 33
    L ... 33
    M ... 34
    N ... 34
    O ... 34
    P ... 35
    Q ... 35
    R ... 35
    S ... 36
    T ... 36
    V ... 36
    W ... 37

Index ... 39

© Copyright IBM Corp. 2014, 2014 iii

iv QRadar Hardware Guide


About this guide

The IBM Security QRadar SIEM Users Guide provides information on managing IBM Security QRadar SIEM, including the Dashboard, Offenses, Log Activity, Network Activity, Assets, and Reports tabs.

Intended audience

This guide is intended for all QRadar SIEM users responsible for investigating and managing network security. This guide assumes that you have QRadar SIEM access and a knowledge of your corporate network and networking technologies.

Technical documentation

For information about how to access more technical documentation, technical notes, and release notes, see Accessing IBM® Security Documentation Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Contacting customer support

For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Safety Instructions

Review safety guidelines to help ensure your own personal safety and protect your system and working environment from potential damage.

This section includes safety guidelines to help ensure your own personal safety and protect your system and working environment from potential damage.

Systems are considered to be components in a rack. Thus, the term component refers to any system, various peripherals, or supporting hardware.

Observe the following precautions for rack stability and safety:

• System rack kits are intended to be installed in a rack by trained service technicians. Before working on the rack, make sure that the stabilizers are secured to the rack, extended to the floor, and the full weight of the rack rests on the floor. Install front and side stabilizers on a single rack or front stabilizers for joined multiple racks before working on the rack.

• Installing systems in a rack without the front and side stabilizers installed could cause the rack to tip over, potentially resulting in bodily injury under certain circumstances. Therefore, always install the stabilizers before installing components in the rack. After installing system/components in a rack, never pull more than one component out of the rack on the slide assemblies at one time. The weight of more than one extended component could cause the rack to tip over and may result in serious injury.

• Your system is safety-certified as a free-standing unit and as a component for use in a rack cabinet using the customer rack kit. The installation of your system and rack kit in any other rack cabinet has not been approved by any safety agency. It is your responsibility to ensure that the final combination of system and rack complies with all applicable safety standards and local electric code requirements. IBM disclaims all liability and warranties in connection with such combinations.

• Do not move racks by yourself. Due to the height and weight of the rack, a minimum of two people should accomplish this task.

• Always load the rack from the bottom up and load the heaviest item in the rack first.

• Make sure that the rack is level and stable before extending a component from the rack.

• Use caution when pressing the component rail release latches and sliding a component into or out of a rack; the rails can pinch your fingers.

• Do not overload the AC supply branch circuit that provides power to the rack. The total rack load should not exceed 80 percent of the branch circuit rating.

• Ensure that proper airflow is provided to components in the rack.

• Do not step on or stand on any component when servicing other components in a rack.


Chapter 2. QRadar appliance overview

Review information about IBM Security QRadar® to understand hardware and license requirements.

Review this overview of QRadar appliances, including capabilities and license limitations.

QRadar QFlow Collector 1201

The QRadar QFlow Collector 1201 appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1201 also supports external flow-based data sources.

View hardware information and requirements for the IBM Security QRadar QFlow Collector 1201 in the following table:

Table 1. QRadar QFlow Collector 1201

Description           Value
Network traffic       1 Gbps
Interfaces            Five 10/100/1000 Base-T network monitoring interfaces
                      Two 10 Gbps SFP+ ports
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
Memory                16 GB, 4 x 4 GB 1600 MHz RDIMM
Storage               2 x 2.5 inch 600 GB 10 K rpm SAS, 600 MB total (Raid 1)
Power supply          Dual Redundant 550 W AC
Dimensions            28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components   QRadar QFlow Collector

For diagrams and information about the front and back panel of this appliance, see “QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances” on page 21.

QRadar QFlow Collector 1202

The QRadar QFlow Collector 1202 appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The IBM Security QRadar QFlow Collector 1202 also supports external flow-based data sources.

View hardware information and requirements for the IBM Security QRadar QFlow Collector 1202 in the following table:

Table 2. QRadar QFlow Collector 1202

Description           Value
Network traffic       3 Gbps
Interfaces            Napatech Network Adapter, providing four 1 Gbps 10/100/1000 Base-T network interfaces
                      Two 10 Gbps SFP+ ports
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
Memory                16 GB, 4 x 4 GB 1600 MHz RDIMM
Storage               2 x 2.5 inch 600 GB 10 K rpm SAS, 600 MB total (Raid 1)
Power supply          Dual Redundant 550 W AC
Dimensions            28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components   QRadar QFlow Collector
                      Napatech Network Adaptor

For diagrams and information about the front and back panel of this appliance, see “QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances” on page 21.

QRadar QFlow Collector 1301

The QRadar QFlow Collector 1301 appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1301 also supports external flow-based data sources.

View hardware information and requirements for the IBM Security QRadar QFlow Collector 1301 in the following table:

Table 3. QRadar QFlow Collector 1301

Description           Value
Network traffic       3 Gbps
Interfaces            Napatech Network Adapter, providing four 1 Gbps 1000 Base SX Multi-Mode Fiber network monitoring interfaces
                      Two 10 Gbps SFP+ ports
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
Memory                16 GB, 4 x 4 GB 1600 MHz RDIMM
Storage               2 x 2.5 inch 600 GB 10 K rpm SAS, 600 MB total (Raid 1)
Power supply          Dual Redundant 550 W AC
Dimensions            28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components   QRadar QFlow Collector
                      Napatech Network Adaptor


For diagrams and information about the front and back panel of this appliance, see “QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances” on page 21.

QRadar QFlow Collector 1310

The QRadar QFlow Collector 1310 appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1310 also supports external flow-based data sources.

View hardware information and requirements for the IBM Security QRadar QFlow Collector 1310 in the following table:

Table 4. QRadar QFlow Collector 1310

Description           Value
Network traffic       3 Gbps
Interfaces            Napatech Network Adapter for fiber, providing two 10 Gbps SFP+ network monitoring interfaces
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
Memory                16 GB, 4 x 4 GB 1600 MHz RDIMM
Storage               2 x 2.5 inch 600 GB 10 K rpm SAS, 600 MB total (Raid 1)
Power supply          Dual Redundant 550 W AC
Dimensions            28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components   QRadar QFlow Collector
                      Napatech Network Adaptor

For diagrams and information about the front and back panel of this appliance, see “QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances” on page 21.

QRadar 1400 Data Node

The IBM Security QRadar Data Node 1400 appliance provides a scalable data storage solution for QRadar deployments. The QRadar Data Node enhances the data retention capabilities of a deployment and augments overall query performance. The QRadar

View hardware information and requirements for the QRadar Data Node 1805 in the following tables:

Table 5. QRadar Data Node when used with XX05 appliances

Description           Value
Interfaces            Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage               9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable (Raid 5)
Power supply          Dual Redundant 750 W AC
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   QRadar Data Node appliance

Chapter 2. QRadar appliance overview 5

Table 6. QRadar Data Node when used with XX28 appliances

Description           Value
Interfaces            One 2-port Emulex 8Gb FC
                      Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                128 GB, 8 x 16 GB 1866 MHz RDIMM8
Storage               40 TB or larger dedicated event storage: 12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 40 TB usable (Raid 6)
Power supply          Dual Redundant 900 W AC
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   QRadar

QRadar Event Collector 1501

The IBM Security QRadar Event Collector 1501 appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule. A dedicated event collector does not process events and it does not include an on-board event processor.

View hardware information and requirements for the QRadar 1501 in the following table:

Table 7. QRadar 1501

Description           Value
Basic license         15,000 EPS
Network traffic       1 Gbps
Interfaces            Five 10/100/1000 Base-T network monitoring interfaces
                      Two 10 Gbps SFP+ ports
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
Memory                16 GB, 4 x 4 GB 1600 MHz RDIMM
Storage               2 x 2.5 inch 600 GB 10 K rpm SAS, 600 MB total (Raid 1)
Power supply          Dual Redundant 550 W AC
Dimensions            28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components   Event Collector

For diagrams and information about the front and back panel of this appliance, see “QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances” on page 21.

QRadar Event Processor 1605

The QRadar Event Processor 1605 appliance is a dedicated event processor that you can use to scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for events.

The IBM Security QRadar Event Processor 1605 is a distributed event processor appliance and requires a connection to an IBM Security QRadar 3105 or QRadar 3128 appliance.

View hardware information and requirements for the QRadar Event Processor 1605 in the following table:

Table 8. QRadar Event Processor 1605

Description           Value
Basic license         2,500 EPS
Upgraded license      20,000 EPS
Interfaces            Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage               9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable (Raid 5)
Power supply          Dual Redundant 750 W AC
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   Event Collector
                      Event Processor

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.


QRadar Event Processor 1628

The IBM Security QRadar 1628 appliance is a dedicated event processor that you can use to scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1628 appliance includes an on-board event collector, event processor, and internal storage for events.

The QRadar Event Processor 1628 is a distributed event processor appliance and requires a connection to an IBM Security QRadar 3128 Console appliance.

View hardware information and requirements for the QRadar 1628 in the following table:

Table 9. QRadar 1628 Event Processor overview

Description           Value
Basic license         2,500 EPS
Upgraded license      40,000 EPS
Interfaces            One 2-port Emulex 8Gb FC
                      Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T IBM Security QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                128 GB, 8 x 16 GB 1866 MHz RDIMM8
Storage               12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 40 TB usable (Raid 6)
Power supply          Dual Redundant 900 W AC Power Supply
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   Event Collector
                      Event Processor

For diagrams and information on the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Flow Processor 1705

The QRadar Flow Processor 1705 appliance is a flow processor that you can deploy with the QRadar 3105 appliance to increase storage. The QRadar Flow Processor 1705 includes an on-board event processor, and internal storage.

View hardware information and requirements for the QRadar Flow Processor 1705 in the following table:

Table 10. QRadar Flow Processor 1705

Description           Value
Basic license         100,000 FPM
Upgraded license      600,000 FPM, depending on traffic types
Network objects       1,000
Interfaces            Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage               9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable (Raid 5)
Power supply          Dual Redundant 750 W AC
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   Flow processor

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Flow Processor 1728

The IBM Security QRadar 1728 appliance is a flow processor that you can deploy with the QRadar 3128 appliance to increase storage. The QRadar Flow Processor 1728 includes an on-board event processor, and internal storage.

View hardware information and requirements for the QRadar 1728 Flow processor in the following table:

Table 11. QRadar 1728 Flow Processor overview

Description           Value
Basic license         100,000 FPM
Upgraded license      1,200,000 FPM
Network objects       1,000
Interfaces            One 2-port Emulex 8Gb FC
                      Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T IBM Security QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                128 GB, 8 x 16 GB 1866 MHz RDIMM8
Storage               12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 40 TB usable (Raid 6)
Power supply          Dual Redundant 900 W AC Power Supply
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   Flow Processor

For diagrams and information on the front and back panel of this appliance, see “QRadar Appliances” on page 24.


QRadar 1805

The IBM Security QRadar 1805 appliance is a combined Event Processor and Flow Processor that you can use to scale your QRadar deployment to manage more events and flows. The QRadar 1805 includes an on-board Event Processor, and internal storage.

View hardware information and requirements for the IBM Security QRadar 1805 in the following table:

Table 12. IBM Security QRadar 1805 overview

Description           Value
Basic license         25,000 FPM
                      1,000 EPS
Upgraded license      200,000 FPM
                      5,000 EPS
Network objects       1,000
Log sources           750
Interfaces            Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T IBM Security QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage               9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable (Raid 5)
Power supply          Dual Redundant 750 W AC
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   Event processor
                      Flow processor

For diagrams and information on the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Flow Processor 1828

The IBM Security QRadar 1828 appliance is a flow processor that you can deploy with the IBM Security QRadar 3128 appliance to increase storage. The IBM Security QRadar Flow Processor 1828 includes an on-board event processor, and internal storage.

View hardware information and requirements for the QRadar 1828 Flow processor in the following table:

Table 13. QRadar 1828 Flow Processor overview

Description           Value
Basic license         25,000 FPM
                      1000 EPS
Upgraded license      300,000 FPM
                      15,000 EPS
Network objects       1,000
Log Sources           750
Interfaces            One 2-port Emulex 8Gb FC
                      Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T IBM Security QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                128 GB, 8 x 16 GB 1866 MHz RDIMM8
Storage               12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 40 TB usable (Raid 6)
Power supply          Dual Redundant 900 W AC Power Supply
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   Flow Processor

For diagrams and information on the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar 2100

The IBM Security QRadar 2100 appliance is an all-in-one system that combines Network Behavioral Anomaly Detection (NBAD) and Security Information and Event Management (SIEM) to accurately identify and appropriately prioritize threats that occur on your network.

View hardware information and requirements for the IBM Security QRadar 2100 in the following table:

Table 14. IBM Security QRadar 2100 overview

Description           Value
Basic license         25,000 FPM
                      1000 EPS
Upgraded license      50,000 FPM
Network objects       1000
Log sources           750
Interfaces            Five 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T IBM Security QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                32 GB, 4 x 8 GB 1600 MHz RDIMM
Storage               6 x 2.5 inch 500 GB 7.2 K rpm SATA, 3 TB total, 1.5 TB usable (Raid 10)
Power supply          Dual Redundant 750 W AC
Dimensions            28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components   Event Collector
                      Event Processor
                      Single QRadar QFlow Collector

Additional QRadar QFlow Collectors are sold separately.

For diagrams and information about the front and back panel of this appliance, see “QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances” on page 21.

QRadar 3105 (All-in-One)

The IBM Security QRadar 3105 (All-in-One) appliance is an all-in-one QRadar system that can profile network behavior and identify network security threats.

View hardware information and requirements for the QRadar 3105 in the following table:

Table 15. QRadar 3105 overview

Description           Value
Basic license         25,000 FPM
                      1000 EPS
Upgraded license      200,000 FPM
                      5,000 EPS
Network objects       1000
Log sources           750
Interfaces            Two 10/100/1000 Base-T network monitoring interfaces
                      One 10/100/100 Base-T QRadar management interface
                      One 10/100 Base-T integrated management module interface
                      Two 10 Gbps SFP+ ports
Memory                64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage               9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.2 TB usable (Raid 5)
Power supply          Dual Redundant 750 W AC Power Supply
Dimensions            29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components   Event Collector
                      Event Processor for processing events and flows
                      Internal storage for events and flows


The QRadar 3105 (All-in-One) appliance requires external QRadar QFlow Collectors for layer 7 network activity monitoring.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar 3105 (Console)

Understand and expand the capacity of the IBM Security QRadar 3105 (All-in-One).

You can expand the capacity of the QRadar 3105 (All-in-One) beyond license-based upgrade options by upgrading to the QRadar 3105 (Console) appliance and adding one or more of the following appliances:
• “QRadar Event Processor 1605” on page 7
• “QRadar Flow Processor 1705” on page 8
• “QRadar 1805” on page 10

You can use the QRadar 3105 (Console) appliance to manage a distributed deployment of Event Processors and Flow Processors to profile network behavior and identify network security threats.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar 3128 (All-in-One)

The IBM Security QRadar 3128 (All-in-One) appliance is an all-in-one QRadar system that can profile network behavior and identify network security threats.

View hardware information and requirements for the QRadar 3128 (All-in-One) in the following table:

Table 16. QRadar 3128 (All-in-One)

Description          Value
Basic license        25,000 FPM
                     1000 EPS
Upgraded license     300,000 FPM
                     15,000 EPS
Network objects      Up to 1,000, depending on the license
Log sources          750 (add more devices with a licensing option)
Interfaces           One 2-port Emulex 8Gb FC
                     Two 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               128 GB, 8 x 16 GB 1866 MHz RDIMM
Storage              12 x 3.5 inch 4 TB SAS 7.2K rpm, 48 TB total, 40 TB usable (RAID 6)
Power supply         Dual Redundant 900 W AC
Dimensions           29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components  Event Collector
                     Event Processor for processing events and flows
                     Internal storage for events and flows

The QRadar 3128 (All-in-One) appliance requires external QRadar QFlow Collectors for layer 7 network activity monitoring.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar 3128 (Console)

Understand expansion options for the IBM Security QRadar

You can expand the capacity of the QRadar 3128 (All-in-One) appliance beyond license-based upgrade options by upgrading to the QRadar 3128 (Console) appliance and adding one or more of the following appliances:
• “QRadar Log Manager 1628” on page 15
• “QRadar Flow Processor 1728” on page 9
• “QRadar Flow Processor 1828” on page 10

You can use the QRadar 3128 (Console) appliance to manage a distributed deployment of Event Processors and Flow Processors to profile network behavior and identify network security threats.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Log Manager 1605

The IBM Security QRadar Log Manager 1605 appliance is a dedicated Event Processor that you can use to scale your QRadar deployment to manage higher EPS rates. The QRadar 1605 appliance includes an on-board Event Collector, Event Processor, and internal storage for events.

The QRadar Log Manager 1605 is a distributed Event Processor appliance and requires a connection to a QRadar Log Manager 3105 appliance.

View hardware information and requirements for the QRadar Log Manager 1605 in the following table:

Table 17. QRadar Log Manager 1605

Description          Value
Basic license        2,500 EPS
Upgraded license     20,000 EPS
Interfaces           Two 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage              9 x 3.5 inch 1 TB 7.2K rpm NL SAS, 9 TB total, 6.2 TB usable (RAID 5)
Power supply         Dual Redundant 750 W AC
Dimensions           29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components  Event Collector
                     Event Processor

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Log Manager 1628

The IBM Security QRadar Log Manager 1628 appliance is a dedicated Event Processor that you can use to scale your QRadar Log Manager deployment to manage higher events per second (EPS) rates. The QRadar Log Manager 1628 appliance includes an on-board Event Collector, Event Processor, and internal storage for events.

The QRadar Log Manager 1628 is a distributed Event Processor appliance and requires a connection to a QRadar Log Manager 3105 appliance.

View hardware information and requirements for the QRadar Log Manager 1628 in the following table:

Table 18. QRadar Log Manager 1628

Description          Value
Basic license        20,000 EPS
Upgraded license     40,000 EPS
Interfaces           One 2-port Emulex 8Gb FC
                     Two 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               128 GB, 8 x 16 GB 1866 MHz RDIMM
Storage              12 x 3.5 inch 4 TB SAS 7.2K rpm, 48 TB total, 40 TB usable (RAID 6)
Power supply         Dual Redundant 900 W AC
Dimensions           29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components  Event Collector
                     Event Processor

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Log Manager 2100

The IBM Security QRadar Log Manager 2100 appliance is an all-in-one system that provides Security Information and Event Management (SIEM) to accurately identify and appropriately prioritize threats that occur on your network.

View hardware information and requirements for the IBM Security QRadar Log Manager 2100 in the following table:

Table 19. IBM Security QRadar Log Manager 2100 overview

Description          Value
Basic license        1000 EPS
Log sources          750
Interfaces           Five 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T IBM Security QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               32 GB, 4 x 8 GB 1600 MHz RDIMM
Storage              6 x 2.5 inch 500 GB 7.2K rpm SATA, 3 TB total, 1.5 TB usable (RAID 10)
Power supply         Dual Redundant 750 W AC
Dimensions           28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components  Event Collector
                     Event Processor
                     IBM Security QRadar Log Manager 2100 includes external flow collection.
                     Additional QRadar QFlow Collectors are sold separately.

For diagrams and information about the front and back panel of this appliance, see “QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances” on page 21.

QRadar Log Manager 3105 (All-in-One)

The IBM Security QRadar Log Manager 3105 (All-in-One) appliance is an all-in-one system that you can use to manage and store events from various network devices.

View hardware information and requirements for the QRadar Log Manager 3105 in the following table:

Table 20. QRadar Log Manager 3105 overview

Description          Value
Basic license        25,000 FPM
                     1000 EPS
Upgraded license     200,000 FPM
                     5,000 EPS
Network objects      1000
Log sources          750
Interfaces           Two 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage              9 x 3.5 inch 1 TB 7.2K rpm NL SAS, 9 TB total, 6.2 TB usable (RAID 5)
Power supply         Dual Redundant 750 W AC Power Supply
Dimensions           29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components  Event Collector
                     Event Processor for processing events and flows
                     Internal storage for events and flows

You can upgrade your license to migrate your QRadar Log Manager 3105 (Base) to QRadar 3105 (Base). For more information about migrating QRadar Log Manager to QRadar, see the Migrating QRadar Log Manager to QRadar SIEM Technical Note.

The QRadar 3105 (All-in-One) appliance requires external QRadar QFlow Collectors for layer 7 network activity monitoring.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Log Manager 3105 Console

You can expand the capacity of the QRadar Log Manager (Base) appliance beyond license-based upgrade options by upgrading to the QRadar Log Manager 3128 (Console) appliance. You must also add one or more QRadar Log Manager 1605 or QRadar Log Manager 1628 appliances.

The QRadar Log Manager 3105 (Console) appliance manages a distributed deployment of Event Processors to collect and process events. You can upgrade your license from QRadar Log Manager 3105 to QRadar 3105.

QRadar Log Manager 3128 (All-in-One)

The IBM Security QRadar Log Manager 3128 (All-in-One) appliance is an all-in-one system that you can use to manage and store events from various network devices.

View hardware information and requirements for the QRadar Log Manager 3128 (All-in-One) in the following table:

Table 21. QRadar Log Manager 3128 (All-in-One)

Description          Value
Basic license        15,000 EPS
Network objects      Up to 1,000, depending on the license
Log sources          750 (add more devices with a licensing option)
Interfaces           One 2-port Emulex 8Gb FC
                     Two 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               128 GB, 8 x 16 GB 1866 MHz RDIMM
Storage              12 x 3.5 inch 4 TB SAS 7.2K rpm, 48 TB total, 40 TB usable (RAID 6)
Power supply         Dual Redundant 900 W AC
Dimensions           29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components  Event Collector
                     Event Processor
                     Internal storage for events

You can upgrade your license to migrate your QRadar Log Manager 3128 (Base) appliance to QRadar 3128 (Base). For more information about migrating QRadar Log Manager to QRadar SIEM, see the Migrating QRadar Log Manager to QRadar SIEM Technical Note.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Log Manager 3128 (Console)

Expand and upgrade the IBM Security QRadar Log Manager 3128 (Console).

You can expand the capacity of the QRadar Log Manager 3128 (Base) appliance beyond license-based upgrade options by upgrading to the QRadar Log Manager 3128 (Console) appliance and adding one or more of the following appliances:
• “QRadar Log Manager 1605” on page 14
• “QRadar Event Processor 1628” on page 8

You can upgrade your license to migrate your QRadar Log Manager 3128 (Console) appliance to QRadar Log Manager 3128 (Console). For more information about migrating QRadar Log Manager to QRadar Log Manager, see the Migrating QRadar Log Manager to QRadar SIEM Technical Note.

The QRadar Log Manager 3128 (Console) appliance manages a distributed deployment of Event Processors to collect and process events.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Vulnerability Manager

The IBM Security QRadar Vulnerability Manager appliance scans and reports on network vulnerabilities. QRadar Vulnerability Manager provides a vulnerability management workflow that is fully integrated with QRadar SIEM and is available as a software option, appliance, and virtual appliance.

QRadar Vulnerability Manager provides the following capabilities:
• Scans inside and outside your network, network infrastructure, servers, and end points for bad configurations, weak settings, unpatched products, and other key weaknesses.
• Uses network usage, threat environment, security configuration information, virtual patch, and patch availability to bring real context to vulnerability management, which drives efficient remediation processes.
• Integrates all vulnerability information from external systems to provide a single view.
• Full integration with the QRadar asset profile database to provide intelligent event-driven scans.
• Unlimited QRadar Vulnerability Manager discovery scans.
• Use of hosted scanner for DMZ scanning.

The QRadar Vulnerability Manager appliance supports:

Table 22. QRadar Vulnerability Manager overview

Description          Value
Basic license        255 assets
Upgraded license     32,768
Interfaces           Two 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage              9 x 3.5 inch 1 TB 7.2K rpm NL SAS, 9 TB total, 6.2 TB usable (RAID 5)
Power supply         Dual Redundant 750 W AC Power Supply
Dimensions           29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components  QRadar Vulnerability Manager

QRadar Vulnerability Manager requires external QRadar QFlow Collectors for layer 7 network activity monitoring.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

QRadar Risk Manager

The IBM Security QRadar Risk Manager appliance delivers a fully integrated risk management, vulnerability prioritization, and automated configuration solution that is integrated into the QRadar platform. QRadar Risk Manager enables tightly integrated features in QRadar SIEM that enhance incident management, log and network activity searches, threat visualization, and reports.

QRadar Risk Manager provides the following capabilities:

The QRadar Risk Manager appliance supports:

Table 23. QRadar Risk Manager overview

Description          Value
Network objects      Maximum of 50 with the basic license
Interfaces           Two 10/100/1000 Base-T network monitoring interfaces
                     One 10/100/100 Base-T QRadar management interface
                     One 10/100 Base-T integrated management module interface
                     Two 10 Gbps SFP+ ports
Memory               64 GB, 8 x 8 GB 1600 MHz RDIMM
Storage              9 x 3.5 inch 1 TB 7.2K rpm NL SAS, 9 TB total, 6.2 TB usable (RAID 5)
Power supply         Dual Redundant 750 W AC Power Supply
Dimensions           29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components  QRadar Vulnerability Manager

QRadar Risk Manager requires external QRadar QFlow Collectors for layer 7 network activity monitoring.

For diagrams and information about the front and back panel of this appliance, see “QRadar Appliances” on page 24.

Chapter 3. Appliance Diagrams

View the diagrams and descriptions for the back and front panels of your appliance. These diagrams are representations of an IBM Security QRadar appliance. Your system might vary, depending on the version of appliance you purchased.

Integrated Management Module

On the back panel of each appliance type, the serial connector and ethernet connectors can be managed using the Integrated Management Module (IMM). You can configure the IMM to share an ethernet port with the IBM Security QRadar management interface; however, you can configure the IMM in dedicated mode to reduce the risk of losing the IMM connection when the appliance is restarted. To configure the IMM, you must access the System BIOS settings by pressing the F1 key when the IBM splash screen is displayed. For further instructions on how to configure the IMM, see the Integrated Management Module User's Guide that is located on the CD that was shipped with your appliance.

QRadar 2100, QRadar Event Collector 1501, and all QRadar Flow Processor Appliances

Review the information about the front and back panel features for appliances to confirm proper connectivity and functionality.
• “QRadar 2100” on page 11
• “QRadar 3105 (All-in-One)” on page 12
• “QRadar QFlow Collector 1202” on page 3
• “QRadar QFlow Collector 1301” on page 4
• “QRadar QFlow Collector 1310” on page 5
• “QRadar Event Collector 1501” on page 6
• “QRadar Log Manager 2100” on page 16

Front panel indicators and features

Review IBM Security QRadar appliance front panel indicators and features to confirm that your appliances are functioning properly.

The following figure shows the front panel indicators and features of the QRadar Core Appliances 4380.

Figure 1. Front panel indicators and features of the QRadar Core Appliances 4380

The following table describes the front panel features.

Table 24. Front Panel Features of QRadar Core Appliances 4380

Features                      Description
Hard Disk Drive Activity LED  Indicates when the hard disk drive is active. This light is green. When this LED flashes, the hard disk is in use.
Hard Disk Drive Status LEDs   Indicates the status of the drive. This light is amber, and indicates the following statuses:
Video connector               Connect a VGA monitor to this connector. The video connectors on the front and rear of the server can be used simultaneously.
Drive Bays                    Hard disk bays are numbered 0 through 7 starting at the upper left drive bay.

Back panel indicators and features

Review the IBM Security QRadar back panel indicators and features to confirm that your appliances are functioning properly.

The following figure shows the back panel features of the QRadar Core Appliances 4380.

Figure 2. Back panel features of the QRadar Core Appliances 4380

The following table describes the back panel features.

Table 25. QRadar Core Appliances 4380 back panel indicators and features

Features                              Description
Slot 1, PCI Express or PCI-X          Insert a low-profile PCI Express or PCI-X adapter into this slot. You can purchase an optional PCI Express or PCI-X riser card assembly with bracket if you want to install a PCI adapter in this slot.
Slot 2, PCI Express or PCI-X          Insert a half-length, full-height PCI Express or PCI-X adapter into this slot. Standard models of the server come with one PCI Express riser-card assembly that is installed in this slot. You can purchase an optional PCI-X riser-card assembly with bracket if you want to install a PCI-X adapter in this slot.
                                      If your appliance is shipped with an uninstalled Napatech Network Adapter, you can install the adapter in Slot 2. For more information about how to install a Napatech Network Adapter, see the Installing a Napatech Network Adapter Technical Note.
USB Connectors                        Connect a USB device, such as a USB mouse and keyboard, to any of these connectors. Two more USB connectors are available on the front panel.
Power Supplies                        Supports two power supplies.
Power Cord Connectors                 Connect the power cord to this connector.
Serial connector                      Connect a 9-pin serial device to this connector. The serial port is shared with the integrated management module (IMM). The IMM can take control of the shared serial port to perform text console redirection and to redirect serial traffic, using Serial over LAN (SOL).
Ethernet Connectors                   Use either of these connectors to connect the server to a network. When you use the Ethernet 1 connector, the network can be shared with the IMM through a single network cable.
System Management Ethernet Connector  Use this connector to connect your management interface.
NMI button                            Use the NMI button to troubleshoot software and device driver errors when you use certain operating systems.
                                      • Use this button only if directed to do so by qualified support personnel.
                                      Press this button to force a Non-Maskable Interrupt (NMI) to the microprocessor. Use a pen or the end of a straightened paper clip to press the button.

QRadar Appliances

Review the information about the front and back panel features for appliances to confirm proper connectivity and functionality.
• “QRadar 1400 Data Node” on page 5
• “QRadar Event Processor 1605” on page 7
• “QRadar Flow Processor 1705” on page 8
• “QRadar Flow Processor 1728” on page 9
• “QRadar 2100” on page 11
• “QRadar 3105 (All-in-One)” on page 12
• “QRadar 3105 (Console)” on page 13
• “QRadar 3128 (All-in-One)” on page 13
• “QRadar 3128 (Console)” on page 14
• “QRadar Log Manager 1605” on page 14
• “QRadar Log Manager 1628” on page 15
• “QRadar Log Manager 3105 (All-in-One)” on page 16
• “QRadar Log Manager 3105 Console” on page 17
• “QRadar Log Manager 3128 (All-in-One)” on page 17
• “QRadar Log Manager 3128 (Console)” on page 18
• “QRadar Vulnerability Manager” on page 19
• QRadar Risk Manager

Front panel indicators and features

The front panel contains indicators and features.

The following figure shows the front panel indicators and features of QRadar and all IBM Security QRadar Core Appliances 4379.

Figure 3. Front panel indicators and features

The following table describes the front panel features.

Table 26. Front Panel Features of IBM Security QRadar Core Appliances 4379

Features                      Description
Hard Disk Drive Activity LED  Indicates when the hard disk drive is active. This light is green. When this LED is flashing, the hard disk is in use.
Hard Disk Drive Status LEDs   Indicates the status of the drive. This light is amber, and indicates the following statuses:
Drive Bays                    Hard disk bays are numbered 0 through 7 starting at the upper left drive bay.
Video connector               Connect a monitor to this connector. The video connectors on the front and rear of the server can be used simultaneously.
USB Connectors                Connect a USB device, such as a USB mouse and keyboard, to any of these connectors. Two more USB connectors are available on the back panel.
Power Control Button          Press this button to manually turn on and off the server, or to wake the server from a reduced-power state.
Power Supply LED              Indicates the status of the power supply. This light is green and indicates the following statuses:
Locator LED                   Use this blue LED to visually locate the server among other servers in the rack. You can use the IBM Systems Director to light this LED remotely. This LED is controlled by the IMM.
System Error LED              When this amber LED is lit, a system error occurred. This LED is controlled by the IMM.

Back Panel Indicators and Features

Back panel diagrams for IBM Security QRadar appliances.

The following figure shows the back panel features of the QRadar Core Appliances 4379.

Figure 4. Back panel features of the QRadar Core Appliances 4379

The following table describes the back panel features.

Table 27. Back Panel Features of the QRadar Core Appliances 4379

Features                              Description
Power Supplies                        Supports two power supplies.
Power Cord Connectors                 Connect the power cord to this connector.
USB Connectors                        Connect a USB device, such as a USB mouse or keyboard, to either of these connectors.
Ethernet Connectors                   Use any of these connectors to connect the server to a network. When you use the Ethernet 1 connector, the network can be shared with the IMM through a single network cable.
Serial connector                      Connect a 9-pin serial device to this connector. The serial port is shared with the integrated management module (IMM). The IMM can take control of the shared serial port to perform text console redirection and to redirect serial traffic, using Serial over LAN (SOL).
NMI button                            Use the NMI button to troubleshoot software and device driver errors when you use certain operating systems.
                                      • Use this button only if directed to do so by qualified support personnel.
                                      Press this button to force a Non-Maskable Interrupt (NMI) to the microprocessor. Use a pen or the end of a straightened paper clip to press the button.
System Management Ethernet Connector  Use this connector to connect your management interface.
Video connector                       Connect a VGA monitor to this connector. The video connectors on the front and rear of the server can be used simultaneously.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

Privacy policy considerations

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user’s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details, the section entitled “Cookies, Web Beacons and Other Technologies”, and the “IBM Software Products and Software-as-a-Service Privacy Statement” at http://www.ibm.com/software/info/product-privacy.


Glossary

This glossary provides terms and definitions for the IBM Security QRadar SIEM software and products.

The following cross-references are used in this glossary:

• See refers you from a nonpreferred term to the preferred term or from an abbreviation to the spelled-out form.

• See also refers you to a related or contrasting term.

For other terms and definitions, see the IBM Terminology website.


A

accumulator
    A register in which one operand of an operation can be stored and subsequently replaced by the result of that operation.

active system
    In a high-availability (HA) cluster, the system that has all of its services running.

Address Resolution Protocol (ARP)
    A protocol that dynamically maps an IP address to a network adapter address in a local area network.

administrative share
    A network resource that is hidden from users without administrative privileges. Administrative shares provide administrators with access to all resources on a network system.

anomaly
    A deviation from the expected behavior of the network.

application signature
    A unique set of characteristics that are derived by the examination of packet payload and then used to identify a specific application.

ARP
    See Address Resolution Protocol.

ARP Redirect
    An ARP method for notifying the host if a problem exists on a network.

ASN
    See autonomous system number.

asset
    A manageable object that is either deployed or intended to be deployed in an operational environment.

autonomous system number (ASN)
    In TCP/IP, a number that is assigned to an autonomous system by the same central authority that assigns IP addresses. The autonomous system number makes it possible for automated routing algorithms to distinguish autonomous systems.

B

behavior
    The observable effects of an operation or event, including its results.

C

CIDR
    See Classless Inter-Domain Routing.

Classless Inter-Domain Routing (CIDR)
    A method for adding class C Internet Protocol (IP) addresses. The addresses are given to Internet Service Providers (ISPs) for use by their customers. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.

client
    A software program or computer that requests services from a server.

cluster virtual IP address
    An IP address that is shared between the primary or secondary host and the HA cluster.

coalescing interval
    The interval at which events are bundled. Event bundling occurs in 10 second intervals and begins with the first event that does not match any currently coalescing events. Within the coalescing interval, the first three matching events are bundled and sent to the event processor.

Common Vulnerability Scoring System (CVSS)
    A scoring system by which the severity of a vulnerability is measured.

console
    A display station from which an operator can control and observe the system operation.

content capture
    A process that captures a configurable amount of payload and then stores the data in a flow log.

credential
    A set of information that grants a user or process certain access rights.

credibility
    A numeric rating between 0-10 that is used to determine the integrity of an event or an offense. Credibility increases as multiple sources report the same event or offense.

CVSS
    See Common Vulnerability Scoring System.

D

database leaf object
    A terminal object or node in a database hierarchy.

datapoint
    A calculated value of a metric at a point in time.

Device Support Module (DSM)
    A configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as output.

DHCP
    See Dynamic Host Configuration Protocol.

DNS
    See Domain Name System.

Domain Name System (DNS)
    The distributed database system that maps domain names to IP addresses.

DSM
    See Device Support Module.

duplicate flow
    Multiple instances of the same data transmission received from different flow sources.

Dynamic Host Configuration Protocol (DHCP)
    A communications protocol that is used to centrally manage configuration information. For example, DHCP automatically assigns IP addresses to computers in a network.

E

encryption
    In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

endpoint
    The address of an API or service in an environment. An API exposes an endpoint and at the same time invokes the endpoints of other services.

external scanning appliance
    A machine that is connected to the network to gather vulnerability information about assets in the network.

F

false positive
    A test result classed as positive (indicating that the site is vulnerable to attack), that the user decides is in fact negative (not a vulnerability).

flow
    A single transmission of data passing over a link during a conversation.

flow log
    A collection of flow records.

flow sources
    The origin from which flow is captured. A flow source is classified as internal when flow comes from hardware installed on a managed host or it is classified as external when the flow is sent to a flow collector.

forwarding destination
    One or more vendor systems that receive raw and normalized data from log sources and flow sources.


FQDN
    See fully qualified domain name.

FQNN
    See fully qualified network name.

fully qualified domain name (FQDN)
    In Internet communications, the name of a host system that includes all of the subnames of the domain name. An example of a fully qualified domain name is rchland.vnet.ibm.com.

fully qualified network name (FQNN)
    In a network hierarchy, the name of an object that includes all of the departments. An example of a fully qualified network name is CompanyA.Department.Marketing.

G

gateway
    A device or program used to connect networks or systems with different network architectures.

H

HA
    See high availability.

HA cluster
    A high-availability configuration consisting of a primary server and one secondary server.

Hash-Based Message Authentication Code (HMAC)
    A cryptographic code that uses a cryptographic hash function and a secret key.

high availability (HA)
    Pertaining to a clustered system that is reconfigured when node or daemon failures occur so that workloads can be redistributed to the remaining nodes in the cluster.

HMAC
    See Hash-Based Message Authentication Code.

host context
    A service that monitors components to ensure that each component is operating as expected.

I

ICMP
    See Internet Control Message Protocol.

identity
    A collection of attributes from a data source that represent a person, organization, place, or item.

IDS
    See intrusion detection system.

Internet Control Message Protocol (ICMP)
    An Internet protocol that is used by a gateway to communicate with a source host, for example, to report an error in a datagram.

Internet Protocol (IP)
    A protocol that routes data through a network or interconnected networks. This protocol acts as an intermediary between the higher protocol layers and the physical network. See also Transmission Control Protocol.

Internet service provider (ISP)
    An organization that provides access to the Internet.

intrusion detection system (IDS)
    Software that detects attempts or successful attacks on monitored resources that are part of a network or host system.

intrusion prevention system (IPS)
    A system that attempts to deny potentially malicious activity. The denial mechanisms could involve filtering, tracking, or setting rate limits.

IP
    See Internet Protocol.

IP multicast
    Transmission of an Internet Protocol (IP) datagram to a set of systems that form a single multicast group.

IPS
    See intrusion prevention system.

ISP
    See Internet service provider.

K

key file
    In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L

L2L
    See Local To Local.

L2R
    See Local To Remote.

LAN
    See local area network.

LDAP
    See Lightweight Directory Access Protocol.

leaf
    In a tree, an entry or node that has no children.

Lightweight Directory Access Protocol (LDAP)
    An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

live scan
    A vulnerability scan that generates report data from the scan results based on the session name.

local area network (LAN)
    A network that connects several devices in a limited area (such as a single building or campus) and that can be connected to a larger network.

Local To Local (L2L)
    Pertaining to the internal traffic from one local network to another local network.

Local To Remote (L2R)
    Pertaining to the internal traffic from one local network to another remote network.

log source
    Either the security equipment or the network equipment from which an event log originates.

log source extension
    An XML file that includes all of the regular expression patterns required to identify and categorize events from the event payload.

M

magistrate
    An internal component that analyzes network traffic and security events against defined custom rules.

magnitude
    A measure of the relative importance of a particular offense. Magnitude is a weighted value calculated from relevance, severity, and credibility.

N

NAT
    See Network Address Translation.

NetFlow
    A Cisco network protocol that monitors network traffic flow data. NetFlow data includes the client and server information, which ports are used, and the number of bytes and packets that flow through the switches and routers connected to a network. The data is sent to NetFlow collectors where data analysis takes place.

Network Address Translation (NAT)
    In a firewall, the conversion of secure Internet Protocol (IP) addresses to external registered addresses. This enables communications with external networks but masks the IP addresses that are used inside the firewall.

network hierarchy
    A type of container that is a hierarchical collection of network objects.

network layer
    In OSI architecture, the layer that provides services to establish a path between open systems with a predictable quality of service.

network object
    A component of a network hierarchy.

network weight
    The numeric value applied to each network that signifies the importance of the network. The network weight is defined by the user.

O

offense
    A message sent or an event generated in response to a monitored condition. For example, an offense will provide information on whether a policy has been breached or the network is under attack.

offsite source
    A device that is away from the primary site that forwards normalized data to an event collector.

offsite target
    A device that is away from the primary site that receives event or data flow from an event collector.

Open Source Vulnerability Database (OSVDB)
    Created by the network security community for the network security community, an open source database that provides technical information on network security vulnerabilities.

open systems interconnection (OSI)
    The interconnection of open systems in accordance with standards of the International Organization for Standardization (ISO) for the exchange of information.

OSI
    See open systems interconnection.

OSVDB
    See Open Source Vulnerability Database.

P

parsing order
    A log source definition in which the user can define the order of importance for log sources that share a common IP address or host name.

payload data
    Application data contained in an IP flow, excluding header and administrative information.

primary HA host
    The main computer that is connected to the HA cluster.

protocol
    A set of rules controlling the communication and transfer of data between two or more devices or systems in a communication network.

Q

QID Map
    A taxonomy that identifies each unique event and maps the events to low-level and high-level categories to determine how an event should be correlated and organized.

R

R2L
    See Remote To Local.

R2R
    See Remote To Remote.

recon
    See reconnaissance.

reconnaissance (recon)
    A method by which information pertaining to the identity of network resources is gathered. Network scanning and other techniques are used to compile a list of network resource events which are then assigned a severity level.

reference map
    A data record of direct mapping of a key to a value, for example, a user name to a global ID.

reference map of maps
    A data record of two keys mapped to many values. For example, the mapping of the total bytes of an application to a source IP.

reference map of sets
    A data record of a key mapped to many values. For example, the mapping of a list of privileged users to a host.

reference set
    A list of single elements that are derived from events or flows on a network. For example, a list of IP addresses or a list of user names.

reference table
    A table where the data record maps keys that have an assigned type to other keys, which are then mapped to a single value.

refresh timer
    An internal device that is triggered manually or automatically at timed intervals that updates the current network activity data.

relevance
    A measure of relative impact of an event, category, or offense on the network.

Remote To Local (R2L)
    The external traffic from a remote network to a local network.

Remote To Remote (R2R)
    The external traffic from a remote network to another remote network.

report
    In query management, the formatted data that results from running a query and applying a form to it.


report interval
    A configurable time interval at the end of which the event processor must send all captured event and flow data to the console.

routing rule
    A condition that when its criteria are satisfied by event data, a collection of conditions and consequent routing are performed.

rule
    A set of conditional statements that enable computer systems to identify relationships and run automated responses accordingly.

S

scanner
    An automated security program that searches for software vulnerabilities within web applications.

secondary HA host
    The standby computer that is connected to the HA cluster. The secondary HA host assumes responsibility of the primary HA host if the primary HA host fails.

severity
    A measure of the relative threat that a source poses on a destination.

Simple Network Management Protocol (SNMP)
    A set of protocols for monitoring systems and devices in complex networks. Information about managed devices is defined and stored in a Management Information Base (MIB).

SNMP
    See Simple Network Management Protocol.

SOAP
    A lightweight, XML-based protocol for exchanging information in a decentralized, distributed environment. SOAP can be used to query and return information and invoke services across the Internet.

standby system
    A system that automatically becomes active when the active system fails. If disk replication is enabled, replicates data from the active system.

subnet
    See subnetwork.

subnet mask
    For internet subnetworking, a 32-bit mask used to identify the subnetwork address bits in the host portion of an IP address.

subnetwork (subnet)
    A network that is divided into smaller independent subgroups, which still are interconnected.

sub-search
    A function that allows a search query to be performed within a set of completed search results.

superflow
    A single flow that is comprised of multiple flows with similar properties in order to increase processing capacity by reducing storage constraints.

system view
    A visual representation of both primary and managed hosts that compose a system.

T

TCP
    See Transmission Control Protocol.

Transmission Control Protocol (TCP)
    A communication protocol used in the Internet and in any network that follows the Internet Engineering Task Force (IETF) standards for internetwork protocol. TCP provides a reliable host-to-host protocol in packet-switched communication networks and in interconnected systems of such networks. See also Internet Protocol.

truststore file
    A key database file that contains the public keys for a trusted entity.

V

violation
    An act that bypasses or contravenes corporate policy.

vulnerability
    A security exposure in an operating system, system software, or application software component.


W

whois server
    A server that is used to retrieve information about registered Internet resources, such as domain names and IP address allocations.


Index

A
    appliance descriptions 3
    appliance diagrams 21

D
    description
        QRadar Vulnerability Manager 20
    descriptions
        Integrated Management Module 21
        QFlow 1201 3
        QFlow 1202 3
        QFlow 1301 4
        QFlow 1310 5
        QRadar 1400 Data node 5
        QRadar 1501 6
        QRadar 1605 7
        QRadar 1628 8
        QRadar 1705 8
        QRadar 1728 9
        QRadar 1805 10
        QRadar 1828 10
        QRadar 2100 11
        QRadar 2100 Light 12
        QRadar 3105 (Base) 12
        QRadar 3105 (Console) 13
        QRadar 3124 (Base) 13, 18
        QRadar 3124 (Console) 14
        QRadar Log Manager 1605 14
        QRadar Log Manager 1628 15
        QRadar Log Manager 2100 16
        QRadar Log Manager 2100 Light 16
        QRadar Log Manager 3105 (Base) 16
        QRadar Log Manager 3124 (Console) 18
        QRadar Vulnerability Manager 19
    diagrams
        QFlow appliance back panel 22
        QFlow appliance front panel 21
        QRadar 2100 back panel 22
        QRadar 2100 front panel 21
        QRadar appliance back panel 25
        QRadar appliance front panel 24

G
    glossary 31

I
    introduction v

N
    network administrator v

P
    panel features and indicators 21

S
    safety instructions 1