
IBM Security QRadar Version 7.3.2 User Guide

IBM

Note
Before you use this information and the product that it supports, read the information in "Notices" on page 199.

Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2012, 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Introduction ... ix

Chapter 1. What's new for QRadar users ... 1
  New features and enhancements in QRadar V7.3.2 ... 1
  New features and enhancements in QRadar V7.3.1 ... 2
  New features and enhancements in QRadar V7.3.0 ... 3

Chapter 2. Capabilities in your IBM QRadar product ... 5
  Supported web browsers ... 6
  Enabling document mode and browser mode in Internet Explorer ... 7
  IBM QRadar login ... 7
  RESTful API ... 7
  User interface tabs ... 7
    Dashboard tab ... 8
    Viewing offenses that occur on your network from the Offenses tab ... 8
    Log activity tab ... 9
    Using the Network Activity tab to investigate flows ... 10
    Assets tab ... 11
    Reports tab ... 12
    Using the QRadar Risk Manager appliance ... 13
  QRadar common procedures ... 13
    Viewing notifications ... 13
    Refreshing and pausing QRadar ... 14
    Investigating IP addresses ... 15
    System time ... 17
    Updating user preferences ... 17

Chapter 3. Dashboard management ... 19
  Default dashboards ... 19
  Custom dashboards ... 21
    Flow search items ... 21
    Adding offense-related items to your dashboard ... 22
    Log activity ... 22
    System summary ... 23
    Risk Monitoring Dashboard ... 24
    Monitoring policy compliance ... 24
    Monitoring risk change ... 25
    Vulnerability Management items ... 26
    System notification ... 27
    Internet threat information center ... 27
  Creating a custom dashboard ... 28
  Investigating log or network activity ... 28
  Configuring dashboard chart types ... 29
  Removing dashboard items ... 29
  Detaching a dashboard item ... 30
  Renaming a dashboard ... 30
  Deleting a dashboard ... 30
  Managing system notifications ... 31
  Adding search-based dashboard items to the Add Items list ... 31

Chapter 4. Offense management ... 33
  Offense prioritization ... 33
  Offense chaining ... 33
  Offense indexing ... 34
    Offense indexing considerations ... 34
    Example: Detecting malware outbreaks based on the MD5 signature ... 35
  Offense retention ... 35
    Protecting offenses ... 36
    Unprotecting offenses ... 36
  Offense investigations ... 36
    Selecting an offense to investigate ... 37
    Investigating an offense by using the summary information ... 39
    Investigating events ... 43
    Investigating flows ... 43
  Offense actions ... 44
    Adding notes ... 44
    Hiding offenses ... 45
    Showing hidden offenses ...