Visão Geral

QRadar SIEM oferece uma visão profunda da atividade da rede, do utilizador e da aplicação. Fornece recolha, normalização, correlação e armazenamento seguro de eventos, fluxos, ativos e vulnerabilidades. As suspeitas de alegados ataques e violações de políticas são destacadas como ofensas. Neste curso, aprende-se a atravessar a interface do utilizador e investigar as infracções. Os participantes são treinados para procurar e analisar a informação a partir da qual o QRadar SIEM conclui uma atividade suspeita. Os exercícios práticos reforçam as competências aprendidas.

Objetivo

Após concluir o Curso Security Incidents and Event Management with QRadar, você será capaz de:

• Descrever como o QRadar SIEM recolhe dados para detectar actividades suspeitas
• Navegar e personalizar o painel de bordo do QRadar SIEM
• Investigar suspeitas de ataques e violações de políticas
• Pesquisar, filtrar, agrupar e analisar dados de segurança
• Investigar as vulnerabilidades e serviços dos bens
• Localizar regras personalizadas e inspeccionar acções e respostas de regras
• Use o QRadar SIEM para criar relatórios
• Utilize gráficos e aplique filtros avançados para examinar actividades específicas no seu ambiente

Publico Alvo

• Analistas de Segurança
• Arquitectos Técnicos de Segurança
• Gestores de ofensas
• Administradores de rede
• Administradores de sistema

Pre-Requisitos

• Conhecimentos básicos de Netwrok e administração de servidores.
  

Informações Gerais

Carga Horária: 16h

• Se noturno este curso é ministrado de Terça-feira à sexta-feira, das 19h às 23h
• Se aos sábados este curso é ministrado das 9h às 18h
• Se in-company por favor fazer contato para mais detalhes.

Formato de entrega:

• 100% on-line ao vivo, via Microsoft Teams na presença de um instrutor/consultor ativo no mercado.
• Nota: não é curso gravado.

Lab:

• Laboratório + Exercícios práticos  

Materiais

Conteúdo Programatico

Introduction to IBM Security QRadar SIEM

1. Purposes of QRadar SIEM
2. QRadar SIEM and the IBM Security Framework
3. Identifying suspected attacks and policy breaches
4. Providing context
5. Key QRadar SIEM capabilities
6. QRadar SIEM Console

How QRadar SIEM collects security data

1. Normalizing log messages to events
2. Event collection and processing
3. Flow collection and processing
4. Reporting
5. Asset profiles
6. Active scanners
7. QRadar Vulnerability Manager scanner
8. Gathering asset information

Using the QRadar SIEM dashboard

1. Navigating the Dashboard tab
2. Dashboard overview
3. Default dashboard
4. QRadar SIEM tabs
5. Other menu options
6. Context-sensitive help
7. Dashboard refresh
8. Dashboard variety
9. Creating a custom dashboard
10. Managing dashboard items

 Investigating an offense that is triggered by events

1. Introduction to offenses
2. Creating and rating offenses
3. Instructor demonstration of offense parameters
4. Selecting an offense to investigate
5. Offense Summary window
6. Offense parameters
7. Top 5 Source IPs
8. Top 5 Destination IPs
9. Top 5 Log Sources
10. Top 5 Users
11. Top 5 Categories
12. Last 10 Events
13. Last 10 Flows
14. Annotations
15. Offense Summary toolbar
16. Lesson 4 Acting on an offense
17. Offense actions
18. Offense status and flags

Investigating the events of an offense

1. Navigating to the events
2. List of events
3. Event details: Base information
4. Event details: Reviewing the raw event
5. Event details: Additional details
6. Returning to the list of events
7. Filtering events
8. Applying a Quick Filter to the payload
9. Using another filter option
10. Grouping events
11. Grouping events by low-level category
12. Removing grouping criteria
13. Viewing a range of events
14. Monitoring the scanning host
15. Saving search criteria
16. Event list using the saved search
17. About Quick Searches
18. Using alternative methods to create and edit searches
19. Finding and loading a saved search
20. Search actions
21. Adding a saved search as a dashboard item
22. Saving a search as a dashboard item
23. Enabling time-series data
24. Selecting the time range
25. Displaying 24 hours in a dashboard item
26. Modifying items in the chart type table

Using asset profiles to investigate offenses

1. About asset profiles
2. Creating asset profiles
3. Navigating from an offense to an asset
4. Assets tab
5. Asset summary
6. Vulnerabilities

Investigating an offense that is triggered by flows

1. About flows
2. Network Activity tab
3. Grouping flows
4. Finding an offense
5. Offense parameters
6. Top 5 Source and Destination IPs
7. Top 5 Log Sources
8. Top 5 Categories
9. Last 10 Events
10. Last 10 Flows
11. Annotations
12. Base information
13. Source and destination information
14. Layer 7 payload
15. Additional information
16. Creating a false positive flow or event
17. Tuning a false positive flow or event

Using rules and building blocks

1. About rules and building blocks
2. About rules
3. About building blocks and functions
4. Navigating to rules
5. Finding the rules that fired for an event or flow
6. Finding the rules that triggered an offense
7. Rule Wizard demonstration
8. Rule Wizard
9. Rule actions
10. Rule response

Creating QRadar SIEM reports

• Reporting introduction
• Reporting demonstration
• Reports tab
• Finding a report
• Running a report
• Selecting the generated report
• Viewing a report
• Reporting demonstration
• Creating a new report template
• Choosing a schedule
• Choosing a layout
• Defining report contents
• Configuring the upper chart
• Configuring the lower chart
• Verifying the layout preview
• Choosing a format
• Distributing the report
• Adding a description and assigning the group
• Verifying the report summary
• Viewing the generated report
• Best practices when creating reports

Performing advanced filtering

1. Filtering demonstration
2. Flows to external destinations
3. Remote to Remote flows
4. Scanning activity
5. Applications not running on the correct port
6. Data loss
7. Flows to suspect Internet addresses
8. Filtering on custom rules and building blocks
9. Grouping by custom rules
10. Charts on Log and Network Activity tabs: Grouping
11. Charts on Log and Network Activity tabs: Time range
12. Capturing time-series data
13. Viewing time series charts: Zooming to focus