IBM QRadar Version 7.3.3

Tuning Guide

IBM

Note

    Before you use this information and the product that it supports, read the information in “Notices” on page 27.

    Product information

    This document applies to IBM® QRadar® Security Intelligence Platform V7.3.3 and subsequent releases unless superseded by an updated version of this document. © Copyright International Business Machines Corporation 2012, 2018. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Introduction to QRadar tuning ........ v
Chapter 1. Deployment and application tuning overview ........ 1
Chapter 2. QRadar tuning FAQ ........ 3
Chapter 3. Deployment tuning phase ........ 5
  Network hierarchy ........ 5
  VA scanners ........ 5
  DSM updates ........ 5
    Updating DSMs automatically ........ 6
    Updating DSMs manually ........ 6
  Log source detection ........ 6
    Displaying log sources ........ 7
    Adding log sources manually ........ 7
  Flow sources ........ 8
    QRadar QFlow Collectors and packet-based sources ........ 8
    NetFlow flow collectors and external sources ........ 9
    Verifying QRadar QFlow Collector data collection ........ 9
    Configuring QRadar QFlow Collector devices ........ 10
    Verifying NetFlow data collection ........ 10
    Disabling NetFlow log messages ........ 10
  Asset profile configuration ........ 11
    Asset profile data in CSV format ........ 11
Chapter 4. Application tuning phase ........ 13
  Server discovery ........ 13
    Discovering servers ........ 14
  QRadar rules and offenses ........ 14
    Viewing rules that are deployed ........ 15
    Investigating offenses ........ 15
  IBM QRadar building blocks ........ 15
    Tuning building blocks ........ 16
  Guidelines for tuning system performance ........ 19
    Tuning false positives ........ 20
    False positives configuration ........ 21
    Custom rule testing order ........ 21
  Creating an OR condition within the CRE ........ 22
  Adding filters to improve search performance ........ 23
    Enabling quick filtering ........ 24
  Custom properties ........ 24
  Cleaning the SIM model ........ 24
  Identify network assets ........ 25
Notices ........ 27
  Trademarks ........ 28
  Terms and conditions for product documentation ........ 28
  IBM Online Privacy Statement ........ 29
  General Data Protection Regulation ........ 29
  Privacy policy considerations ........ 30
Glossary ........ 31
  A ........ 31
  B ........ 31
  C ........ 32
  D ........ 32
  E ........ 33
  F ........ 33
  G ........ 33
  H ........ 34
  I ........ 34
  K ........ 35
  L ........ 35
  M ........ 35
  N ........ 36
  O ........ 36
  P ........ 36
  Q ........ 37
  R ........