IBM Security

Professional Certification Program

Exam Study Guide

C1000-163: IBM Security QRadar SIEM V7.5

Deployment
Contents
Role Definition .......................................................................................................................................... 4
Key Areas of Competency ......................................................................................................................... 4
Prerequisite Knowledge ............................................................................................................................ 4
Purpose of Exam Objectives .................................................................................................................... 5
Section 1: Deployment Objectives and Use Cases .................................................................................... 6
1.1 Review business needs................................................................................................................... 6
1.2 Determine useful QRadar Apps and Extension Packs ................................................................... 6
1.3 Define QRadar value reporting ...................................................................................................... 7
Section 2: Architecture and Sizing ............................................................................................................ 8
2.1 Determine scope and size requirements for deployment ............................................................ 8
2.2 Plan for placement of appliances .................................................................................................. 9
2.3 Determine requirements for data retention ............................................................................... 10
2.4 Determine QRadar deployment components ............................................................................. 10
2.5 Identify the need for HA and DR.................................................................................................. 11
2.6 Determine licensing requirements .............................................................................................. 12
2.7 Windows collection architecture ................................................................................................. 12
Section 3: Installation and Configuration ............................................................................................... 14
3.1 Install QRadar SIEM ...................................................................................................................... 14
3.2 Apply and update licensing .......................................................................................................... 15
3.3 Apply QRadar system Certificates ............................................................................................... 16
3.4 Backup, recovery, and data retention ......................................................................................... 17
3.5 Conduct initial configuration ....................................................................................................... 18
3.6 Configure authentication and access control .............................................................................. 19
Section 4: Event and Flow Integration .................................................................................................... 21
4.1 Define log sources ........................................................................................................................ 21
4.2 Define and configure flow sources .............................................................................................. 22
4.3 Define custom properties ............................................................................................................ 23
4.4 Install content extensions based on requirements..................................................................... 24
4.5 Identify event parsing requirements ........................................................................................... 24
Section 5: Environment and X-Force Integration.................................................................................... 26
5.1 Configure Assistant App and use it to manage the apps ............................................................ 26
pg. 2
 5.2 Establish X-Force intelligence data integration levels ................................................................ 26
5.3 Configure Use Case Manager ....................................................................................................... 27
5.4 Populate and use the Asset database ......................................................................................... 28
Section 6: System Performance and Troubleshooting............................................................................ 29
6.1 Look for R2R events...................................................................................................................... 29
6.2 Monitor system performance ...................................................................................................... 29
6.3 Check QRadar audit and self-monitoring events ........................................................................ 30
6.4 Check and restart Apps as necessary........................................................................................... 31
6.5 Identify event drops, events going to storage and unknown events ......................................... 31
Section 7: Initial Offense Tuning ............................................................................................................. 33
7.1 Tune noisy rules and CRE events ................................................................................................. 33
7.2 Identify expensive rules and properties ...................................................................................... 33
7.3 Utilize Server Discovery ............................................................................................................... 34
7.4 Update building blocks................................................................................................................. 35
7.5 Manage and use reference data .................................................................................................. 35
Section 8: Migration and Upgrades ........................................................................................................ 37
8.1 Migrate Data................................................................................................................................. 37
8.2 Review upgrade prerequisites ..................................................................................................... 38
8.3 Determine content migration strategy........................................................................................ 38
8.4 Review App Framework considerations (UBI)............................................................................. 39
8.5 Restoring a backup ....................................................................................................................... 40
8.6 Performing QRadar SIEM hardware migration ........................................................................... 41
Section 9: Multi-Tenancy Considerations ............................................................................................... 42
9.1 Define domains and tenants requirements ................................................................................ 42
9.2 Configure items which involve Multi-tenancy ............................................................................ 42

pg. 3
Role Definition
This intermediate level certification is intended for professionals who wish to validate their
comprehensive knowledge of the planning, installation, configuration, performance optimization,
tuning, troubleshooting, and initial system administration tasks for IBM Security QRadar SIEM V7.5. This
includes the apps installed with the product: Use Case Manager, QRadar Assistant, Log Source
Management, and Pulse. This does not include the SaaS offering of QRadar on Cloud (QRoC). Questions
for this exam were developed based upon IBM Security QRadar SIEM V7.5.0 Update Package 5.

Note: The usage of specific apps, apart from those bundled with the product, is out of scope, but the
concept of extending the capability of using apps is in scope. A knowledge of the basic functions of these
key IBM-supported apps should be understood: User Behavior Analytics, QRadar Deployment
Intelligence, Reference Data Management, Threat Intelligence, and QRadar Advisor with Watson,
Network Threat Analytics.

Key Areas of Competency

• Ability to deploy IBM Security QRadar SIEM
• Knowledge of database and directory configuration
• Ability to configure IBM Security QRadar SIEM interfaces and networking for connectivity
• Understanding of QRadar component architecture

Prerequisite Knowledge
Knowledge and foundational skills one must possess before acquiring skills measured on the
certification test. These foundational skills are NOT measured on the test.
• TCP/IP networking
• Unix command line knowledge
• Basic security technologies (including PKI concepts)
• Regular Expression (RegEx)
• Enterprise logging
• Network monitoring using flows
• Working knowledge of cloud environments

pg. 4
Purpose of Exam Objectives

When a certification exam is being developed, a team of Subject Matter Experts work
together to define the job role the certified individual will fill. They define all the tasks
and knowledge that an individual would need to have in order to successfully perform
that role. This creates the foundation for the objectives and measurement criteria,
the foundation of the certification exam. The Certification item writers used these
objectives write questions that appear on the exam.

It is recommended that you review these objectives carefully. Do you know how to
complete the tasks in the objective? Do you know why that task needs to be done? Do
you know what will happen if you do it incorrectly? If you are not familiar with a task,
then work through the objective and perform that task in your own environment. Read
more information about the task. If there is an objective on a task, it is almost certain
that you WILL see questions about it on the actual exam.

After you have reviewed the objectives and completed your own research, don’t
forget to review the free sample questions for this exam on the IBM Certification
website. These sample question come complete with an answer key and will give you
a feel for the type and style of question on the actual exam.

After that, take the assessment exam. The questions on the assessment exam were
developed at the same time and by the same people who wrote the question on the
actual exam. The assessment exam is weighted to be equally difficult to the actual
test so your results should be predictive of your expected results on the actual test.
While the assessment exam will not tell which questions are answered incorrectly, it
will tell you how you did on a section-by-section basis so you will know where to
focus your further studies.

pg. 5
Section 1: Deployment Objectives and Use Cases
In this initial task, the QRadar deployment specialist, together with the client, analyze and
document the business drivers and use cases that the deployment should address. Based on
detailed use cases, the deployment specialist can develop the appropriate deployment
architecture.
This section accounts for approximately 10% of the exam.
1.1 Review business needs
SUBTASKS:

1.1.1 Ensure business Use Cases are clearly documented

1.1.2 Demonstrate how Use Cases are encoded into Rules and other Security configurations
1.1.3 Determine MITRE tactics and techniques this deployment should address

REFERENCES:
App Host https://www.ibm.com/docs/en/qsip/7.5?topic=deployment-app-host

Backup strategies https://www.ibm.com/docs/en/qsip/7.5?topic=deployment-backup-strategies

Data Nodes and data storage https://www.ibm.com/docs/en/qsip/7.5?topic=deployment-data-nodes-data-storage

Reference data in QRadar https://www.ibm.com/docs/en/qsip/7.5?topic=administration-reference-data-in-qradar

Geographically distributed deployments https://www.ibm.com/docs/en/qsip/7.5?topic=overview-geographically-distributed-deployments

QRadar Network Insights Content Extension https://www.ibm.com/docs/en/qsip/7.5?topic=extensions-qradar-network-insights-content-extension

1.2 Determine useful QRadar Apps and Extension Packs

SUBTASKS:

1.2.1 Discuss Apps needed for compliance and objectives

1.2.2 Identify QRadar components and apps required, for example
1.2.3 Determine the need for an app host based on apps to be installed (UBA/Machine
Learning, QRadar Advisor with Watson)
1.2.4 Identify if event data is to be stored but not correlated and therefore requires a Data
Store license

REFERENCES:
App Hosts https://www.ibm.com/docs/en/qsip/7.5?topic=tasks-app-hosts

pg. 6
 QRadar Assistant app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-assistant-app

QRadar Threat Intelligence app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-threat-intelligence-app

QRadar Deployment Intelligence app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-deployment-intelligence-app

QRadar Network Threat Analytics app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-network-threat-analytics-app

Apps that are installed by default with QRadar https://www.ibm.com/docs/en/qsip/7.5?topic=overview-apps-that-are-installed-by-default-qradar

Configuring routing rules to use the QRadar https://www.ibm.com/docs/en/qsip/7.5?topic=systems-configuring-routing-rules-use-qradar-data-store

Data Store

1.3 Define QRadar value reporting

SUBTASKS:

1.3.1 Define outputs and reporting to support to demonstrate the ongoing value of the
deployment

REFERENCES:
Cryptomining https://www.ibm.com/docs/en/qsip/7.5?topic=extensions-cryptomining

Endpoint https://www.ibm.com/docs/en/qradar-common?topic=extensions-endpoint

QRadar Pulse app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-pulse-app

Importing Yara rules https://www.ibm.com/docs/en/qsip/7.5?topic=content-importing-yara-rules

Flow inspection levels https://www.ibm.com/docs/en/qsip/7.5?topic=configuration-flow-inspection-levels

MITRE ATT&CK mapping and visualization https://www.ibm.com/docs/en/qsip/7.5?topic=app-mitre-attck-mapping-visualization

QRadar User Behavior Analytics https://www.ibm.com/docs/en/qradar-common?topic=app-qradar-user-behavior-analytics

QRadar Deployment Intelligence app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-deployment-intelligence-app

pg. 7
Section 2: Architecture and Sizing
Defining and documenting the deployment architecture creates the underlying basis for
successfully installing QRadar. The architecture defines a clear scope of the project based on
the use cases. Here, the deployment specialist designs the solution and required components,
such as the individual QRadar appliances (physical or virtual). The architecture also addresses
topics such as high availability and disaster recovery, data retention, and licensing.
This section accounts for approximately 16% of the exam.

2.1 Determine scope and size requirements for deployment

SUBTASKS:

2.1.1 Determine QRadar deployment size properly to avoid issues

• Performance Problems
• Inability to satisfy compliance requirements
• Limited security posture and limited threat detection
• Failure to capture critical security data

2.1.2 Define vulnerability information sources

• 3rd party scanners (Nessus, Qualys, etc.)

2.1.3 Determine important deployment factors

• Appliance Disk Types: Mixing HDD and SDD Processors and Data Nodes causes
performance issues
• High Availability: Useful for Event Processors and Console. HA Data Nodes are useful if
expensive compared to a good backup solution
• Disaster Recovery: Requires additional hardware. QRadar configurations replicated
between Console environments
• Other deployment patterns to satisfy specific custom requirements

2.1.4 Weigh advantages, limitations, and differences of installation options

• Hardware appliances
• Virtual Machine
• Cloud platforms

pg. 8
REFERENCES:
QRadar components https://www.ibm.com/docs/en/qsip/7.5?topic=overview-qradar-components

QRadar SEciont05 M7 appliance https://www.ibm.com/docs/en/qsip/7.5?topic=overview-qradar-xx05-m7-appliance

QRadar xx29 M7 appliance https://www.ibm.com/docs/en/qsip/7.5?topic=overview-qradar-xx29-m7-appliance

QRadar xx48 M7 appliance https://www.ibm.com/docs/en/qsip/7.5?topic=overview-qradar-xx48-m7-appliance

Data Nodes and data storage https://www.ibm.com/docs/en/qsip/7.5?topic=deployment-data-nodes-data-storage

Recovery solution for QRadar deployments https://www.ibm.com/docs/en/qsip/7.5?topic=deployments-recovery-solution-qradar

Adding processing capacity to an All-in-One https://www.ibm.com/docs/en/qsip/7.5?topic=capacity-adding-processing-all-in-one-deployment

deployment

Business scenarios for using Disconnected Log https://www.ibm.com/docs/en/qradar-common?topic=overview-business-scenarios-using-disconnected-log-

Collector collector

2.2 Plan for placement of appliances

SUBTASKS:

2.2.1 Identify inter-component communications and how that is affected by network security
zoning restrictions
2.2.2 Ensure intercomponent communications requirements can be satisfied by the
deployment architecture

• Bandwidth
• Latency

2.2.3 Locate appliances to ensure information is flowing in the best manner

• Local collection
• Store and forward

2.2.4 Understand how to architect for Public Cloud environments

• Amazon Web Services

• Microsoft Azure
• IBM Cloud
• IBM Cloud VPC
• Google Cloud Platform

2.2.5 Identify onward routing requirements for connecting event and flow data to 3rd party
systems. (Routing Rules)
pg. 9
REFERENCES:
IBM QRadar Installation Guide (Page 29) https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_siem_inst.pdf

IBM QRadar Installation Guide (Page 3) https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_siem_inst.pdf

IBM QRadar Architecture and Deployment https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_siem_deployment.pdf

Guide (Page 16)

IBM QRadar Architecture and Deployment https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_siem_deployment.pdf

Guide (Page 19)

IBM QRadar Architecture and Deployment https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_siem_deployment.pdf

Guide (Page 43)

Event store and forward https://www.ibm.com/docs/en/qsip/7.5?topic=administration-event-store-forward

2.3 Determine requirements for data retention

SUBTASKS:

2.3.1 Determine Data Node storage requirements

• Data Node
• Event processor
• Flow processor

2.3.2 Document Data retention policies

REFERENCES:
Offboard storage overview https://www.ibm.com/docs/en/qsip/7.5?topic=storage-overview

Data retention https://www.ibm.com/docs/en/qsip/7.5?topic=tasks-data-retention

Data Nodes and data storage https://www.ibm.com/docs/en/qsip/7.5?topic=deployment-data-nodes-data-storage

2.4 Determine QRadar deployment components

SUBTASKS:

2.4.1 Understand the QRadar components that can be used in deployment

• QRadar Console
• QRadar Event Collector
• QRadar Event Processor
• QRadar QFlow Collector
• QRadar Flow Processor
• QRadar Data Node
• QRadar App Host

pg. 10
2.4.2 Define the tasks performed by QRadar All-in-One appliance

• Collects event and network flow data, and then normalizes the data into a data format
that QRadar can use
• Analyzes and stores the data, and identifies security threats to the company
• Provides access to the QRadar web application.

2.4.3 Architect for specific issues

• High EPS
• Long retention
• Fast search
• Processing only EP
• Archive Only DN

2.4.4 Determine environment for app hosts

• Small
• Medium
• Large

REFERENCES:
QRadar components https://www.ibm.com/docs/en/qsip/7.5?topic=overview-qradar-components

What's new in QRadar Network Insights 7.5.0 https://www.ibm.com/docs/en/qsip/7.5?topic=new-qradar-network-insights

Security investigations https://www.ibm.com/docs/en/qsip/7.5?topic=forensics-security-investigations

2.5 Identify the need for HA and DR

SUBTASKS:

2.5.1 Document the system non-functional requirements for availability and ensure the
deployment can fulfill them
2.5.2 Document the system non-functional requirements for deployment using the IBM Data
Sync app and ensure the deployment can fulfill them

2.5.3 Ensure inter-component communications paths support the needs for HA and DR

pg. 11
REFERENCES:
Appliance requirements https://www.ibm.com/docs/en/qsip/7.5?topic=planning-appliance-requirements

Real-time data synchronization https://www.ibm.com/docs/en/qsip/7.5?topic=ha-real-time-data-synchronization

High-availability clusters https://www.ibm.com/docs/en/qsip/7.5?topic=overview-high-availability-clusters

QRadar: High Availability appliances and https://www.ibm.com/support/pages/qradar-high-availability-appliances-and-rsync

Rsync

Installing a QRadar appliance https://www.ibm.com/docs/en/qsip/7.5?topic=installations-installing-qradar-appliance

QRadar console-only disaster failover https://www.ibm.com/docs/en/qsip/7.5?topic=migrating-qradar-console-only-disaster-failover

2.6 Determine licensing requirements

SUBTASKS:

2.6.1 Understand the consequences of, and recovery from, periods of high event or flow traffic.

2.6.2 Determine how License Sizing needs to deal with periods of high event or flow traffic.

REFERENCES:
QRadar: How to view the number of events https://www.ibm.com/support/pages/node/286583
exceeding the Event Processor System (EPS)
licensed limit

License keys https://www.ibm.com/docs/en/qsip/7.5?topic=overview-license-keys

QRadar: Event and flow burst handling https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

(buffer)

2.7 Windows collection architecture

SUBTASKS:

2.7.1 Determine managed or standalone WinCollect based on customer needs.

2.7.2 Understand pros and cons of capabilities of managed WinCollect vs standalone WinCollect

2.7.3 Understand the different methods to install WinCollect

2.7.4 Understand the hardware and software requirements for the WinCollect host
pg. 12
 • Profiles
• RAM
• Cores
• Avg EPS

2.7.5 Understand what type of log sources can be configured for WinCollect agents

2.7.6 Compare Windows collection approaches

• WinCollect vs MSRPC vs WEF vs syslog
• WinCollect on each machine vs set of WinCollect devices using remote polling

REFERENCES:
WinCollect User Guide V7.3.1 https://www.ibm.com/docs/en/SS42VS_SHR/pdf/b_wincollect.pdf

MSEVEN6 protocol https://www.ibm.com/docs/en/qsip/7.5?topic=overview-mseven6-protocol

Hardware and software requirements for the https://www.ibm.com/docs/en/qsip/7.5?topic=wincollect-hardware-software-requirements-host

WinCollect host

QRadar: Agentless Windows Events Collection https://www.ibm.com/support/pages/qradar-agentless-windows-events-collection-using-msrpc-protocol-

using the MSRPC Protocol (MSRPC FAQ) msrpc-faq

pg. 13
Section 3: Installation and Configuration
Based on the architecture documentation and scope, the deployment specialist installs and
configures the QRadar components.
This section accounts for approximately 16% of the exam.

3.1 Install QRadar SIEM

SUBTASKS:

3.1.1 Prepare before beginning installation

1. Mount and cable appliance

2. Collect networking information
3. Acquire RHEL v7.9 64-bit for a software installation
4. Have required license key for your appliance (console only)

3.1.2 Setup XCC on appliances

1. Connect ethernet cable to the XCC dedicated port on the back panel
2. Access the system BIOS settings by pressing F1 when the splash screen is displayed

3.1.3 Select Installation Type

• Appliance installation
• Software installation

3.1.4 Perform appliance installation

1. Enter 'root' for username and accept EULA

2. Select Appliance type
3. Select the appliance assignment
4. Configure Network interface
5. Enter network information
6. Select root password

3.1.5 Perform software installation

1. Install RHEL OS
2. Configure partitions
3. Select the appliance type
4. Enter network information
pg. 14
REFERENCES:
QRadar installations https://www.ibm.com/docs/en/qsip/7.5?topic=installations-qradar

Creating your virtual machine https://www.ibm.com/docs/en/qsip/7.5?topic=installations-creating

System requirements for virtual appliances https://www.ibm.com/docs/en/qsip/7.5?topic=installations-requirements

IP addressing and subnets https://www.ibm.com/docs/en/qsip/7.5?topic=planning-ip-addressing-subnets

Creating a bootable USB drive with Red Hat https://www.ibm.com/docs/en/qsip/7.5?topic=installations-red-hat-enterprise-linux

Linux

Installing a QRadar appliance https://www.ibm.com/docs/en/qsip/7.5?topic=installations-installing-qradar-appliance

Overview of supported virtual appliances https://www.ibm.com/docs/en/qsip/7.5?topic=installations-overview-supported-virtual-appliances

Linux operating system partition properties https://www.ibm.com/docs/en/qsip/7.5?topic=irys-linux-operating-system-partition-properties-qradar-

for QRadar installations on your own system installations-your-own-system

3.2 Apply and update licensing

SUBTASKS:

3.2.1 Log in to QRadar

1. Use url: https://<IP address or hostname>

2. Login as the admin user
3. Click Login

3.2.2 Go to Licensing Configuration

1. Navigate to the Admin tab

2. Under System Configuration, click the System and License Management icon
3. To access licensing, select Licenses in the Display list box

3.2.3 Apply License

1. Upload the license key file
2. Select the license, then click Allocate System to License
3. Select the Console system and click Allocate System to License

3.2.4 Show how Licenses are spread

• Across multiple appliances

• Can be re-assigned dynamically (License Pools)

pg. 15
REFERENCES:
License management https://www.ibm.com/docs/en/qsip/7.5?topic=administration-license-management

Viewing license details https://www.ibm.com/docs/en/qsip/7.5?topic=management-viewing-license-details

Exporting license information https://www.ibm.com/docs/en/qsip/7.5?topic=management-exporting-license-information

Distributing event and flow capacity https://www.ibm.com/docs/en/qsip/7.5?topic=management-distributing-event-flow-capacity

3.3 Apply QRadar system Certificates

SUBTASKS:

3.3.1 Understand Certificate Types

• Self-signed certificates
• Internal CA signed certificates
• Public CA / Intermediate CA signed

3.3.2 Understand SSL connections between QRadar components

• (Validate these bullets given QRadar CA in 7.5.0 UP4)

• QRadar uses the web server certificate preinstalled on the Console to establish SSL
connections between components.
• Trusted certificates for QRadar have certain requirements

3.3.3 Understand Certificate requirements

• (Validate these bullets given QRadar CA in 7.5.0 UP4)

• Certificates must be an X.509 certificate using PEM base64 encoding
• Certificates require one of the following extensions: .cert, .cart, .pem, or .der
• Keystore files containing certificates must have the .truststore file extension
• Certificate files are located in /opt/qradar/conf/trusted_certificates

3.3.4 Understand certificates that are signed by an internal certificate authority

1. (Validate these bullets given QRadar CA in 7.5.0 UP4)
2. Submit a certificate signing request (CSR) to your internal CA
3. Copy the CA's root certificate to /etc/pki/ca-trust/source/anchors/ on the QRadar
console.
4. Run the following commands at the SSH command line on the console:

• /opt/qradar/support/all_servers.sh -p /etc/pki/ca-trust/source/anchors/ -r
/etc/pki/ca-trust/source/anchors
• /opt/qradar/support/all_servers.sh -C update-ca-trust
pg. 16
3.3.5 Install a new SSL Certificate

1. The newly signed SSLCertificateFile from either an internal CA, or a public one.
2. The qradar.key private key to generate the Certificate Signing Request (CSR) file.
3. An intermediate certificate, if used by your certificate provider.

3.3.6 Understand Certificate Installation Procedure

1. Login to the Console via SSH

2. Run the command: /opt/qradar/bin/install-ssl-cert.sh
3. When prompted, add the following:

• SSLCertificateFile
• SSLIntermediateCertificateFile (if using an intermediate certificate)
• SSLCertificateKeyFile

REFERENCES:
Installing a new SSL certificate https://www.ibm.com/docs/en/qsip/7.5?topic=certificates-installing-new-ssl-certificate

Creating a multi-domain (SAN) SSL certificate https://www.ibm.com/docs/en/qsip/7.5?topic=sc-creating-multi-domain-san-ssl-certificate-signing-request

signing request

3.4 Backup, recovery, and data retention

SUBTASKS:

3.4.1 Understand Backup Tasks

• By default, QRadar backs up the previous day's configuration and event/flow data

3.4.2 Schedule Nightly Backups

Parameters:
• Backup Repository Path
• Backup Retention Period (days)
• Nightly Backup Schedule
• Managed Hosts (data only)
• Backup Time Limit (min)
• Backup Priority

3.4.3 Perform On-Demand Backups

• For configurations only, an on-demand backup can be run outside the scheduled backup
pg. 17
 • Navigate to System Configuration -> Backup and Recovery
• Click On Demand Backup
• Enter Name and Description (optional) and click Run Backup.
• The progress can be monitored in the Backup Archives section

3.4.4 Set up Data Retention

• Configuring retention buckets

• Managing retention bucket sequence
• Enabling and disabling a retention bucket
• Deleting a Retention Bucket

3.4.5 Restore
REFERENCES:
Restoring data https://www.ibm.com/docs/en/qsip/7.5?topic=data-restoring

Data retention https://www.ibm.com/docs/en/qsip/7.5?topic=tasks-data-retention

Backup strategies https://www.ibm.com/docs/en/qsip/7.5?topic=deployment-backup-strategies

Scheduling nightly backup https://www.ibm.com/docs/en/qsip/7.5?topic=data-scheduling-nightly-backup

Restore QRadar configurations and data https://www.ibm.com/docs/en/qsip/7.5?topic=recovery-restore-qradar-configurations-data

Creating an email notification for a failed https://www.ibm.com/docs/en/qsip/7.5?topic=data-creating-email-notification-failed-backup

backup

Backup and Restore the QRadar Analyst https://www.ibm.com/docs/en/qsip/7.5?topic=recovery-backup-restore-qradar-analyst-workflow

Workflow

Creating an on-demand configuration backup https://www.ibm.com/docs/en/qsip/7.5?topic=data-creating-demand-configuration-backup-archive

archive

3.5 Conduct initial configuration

SUBTASKS:

3.5.1 Categorize hosts using Network Hierarchy

The following objects must be defined:

• Internet facing IP address for a DMZ

• IP addresses used for remote access in Virtual Private Network (VPN) systems.
• Data centers and server networks
• Network devices and network management devices.

3.5.2 Configure VA Scanners

pg. 18
 • Vulnerability Assessment data helps determine threat levels and remove false positives,
by correlating event data, network activity, and behavioral changes
• Depending on the scanner, QRadar imports scan data or initiates a remote scan.
• Scan results provide system version, open ports, and vulnerabilities on scanned systems.

3.5.3 Update DSMs and protocols

• Download DSM and protocols from Fix Central and apply using YUM

3.5.4 Determine the services responsible for the application framework functionality and check
their status
3.5.5 Create Service tokens for use with REST-API and default apps including the Assistant apps

REFERENCES:
QRadar installations https://www.ibm.com/docs/en/qsip/7.5?topic=installations-qradar

Routing options for rules https://www.ibm.com/docs/en/qsip/7.5?topic=data-routing-options-rules

Shared license pool https://www.ibm.com/docs/en/qsip/7.5?topic=capacity-shared-license-pool

Backup strategies https://www.ibm.com/docs/en/qsip/7.5?topic=deployment-backup-strategies

User authentication https://www.ibm.com/docs/en/qsip/7.5?topic=management-user-authentication

Integrated Management Module https://www.ibm.com/docs/en/qsip/7.5?topic=overview-integrated-management-module

Network settings management https://www.ibm.com/docs/en/qsip/7.5?topic=installations-network-settings-management

3.6 Configure authentication and access control

SUBTASKS:

3.6.1 Understand how to choose authentication integration

• LDAP
• SAML
• System authentication
• RADIUS authentication
• TACACS

3.6.2 Define User Roles

pg. 19
3.6.3 Separate access to functions based on User Roles

• Admin
• Delegated Administration
• Offenses
• Log Activity
• Network Activity
• Assets
• Reports
• Risk Manager/Vulnerability Manager/Forensics
• IP Right Click Menu Extensions
• Platform Configuration
• QRadar Log Source Management
• Default Apps (Pulse, QRadar Assistant, QRadar Use Case Manager)

3.6.4 Define Security Profiles

3.6.5 Create a User Account
The following parameters are required:
• User Name
• User Description
• Email
• New Password
• Confirm New Password
• User Role
• Security Profile
• Override System Inactivity Timeout
• Tenant
• Local-only account

REFERENCES:
User authentication https://www.ibm.com/docs/en/qsip/7.5?topic=management-user-authentication

Configuring LDAP authentication https://www.ibm.com/docs/en/qsip/7.5?topic=authentication-configuring-ldap

SAML single sign-on authentication https://www.ibm.com/docs/en/qsip/7.5?topic=authentication-saml-single-sign

Configuring RADIUS authentication https://www.ibm.com/docs/en/qsip/7.5?topic=authentication-configuring-radius

Multiple LDAP repositories https://www.ibm.com/docs/en/qsip/7.5?topic=authentication-multiple-ldap-repositories

pg. 20
Section 4: Event and Flow Integration
After all QRadar components have been successfully deployed, it is time to add and configure
the organization’s log and flow sources. This includes automatically discovered and manually
configured log sources as well as any custom properties or content extensions to satisfy the
client’s use cases.
This section accounts for approximately 13% of the exam.

4.1 Define log sources

SUBTASKS:

4.1.1 Choose an appropriate protocol for a given log source type

4.1.2 Integrate LogSources with Syslog Protocols

• Integrate a log source using syslog

• Show Basic parsing of a syslog header

4.1.3 Describe how parsing order affects log understanding

4.1.4 Choose appropriate protocols for log sources integration

• Difference between pull and push log sources

4.1.5 Describe DSM updating

• AutoUpdate
• FixCentral
• yum

4.1.6 Understand log source autodetection

4.1.7 Configure manual log sources

REFERENCES:
IBM QRadar Administration Guide https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_qradar_admin_guide.pdf

pg. 21
 DSM Editor overview https://www.ibm.com/docs/en/qsip/7.4?topic=qradar-dsm-editor-overview

DSM Editor overview https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-dsm-editor-overview

Property configuration in the DSM Editor https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-property-configuration-in-dsm-editor

Configuring Log Source Autodetection for Log https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-configuring-log-source-autodetection-log-source-

Source types types

4.2 Define and configure flow sources

SUBTASKS:

4.2.1 Show difference between various Flow sources

• NetFlow
• J-Flow
• sFlow
• QFlow
• Packeteer
• IPFIX
• Napatech Interface
• Network Interface

4.2.2 Connect flow sources to SPAN/Mirror ports on a switch

4.2.3 Describe QRadar flows in Cloud environments

4.2.4 Describe flow concepts

• What a flow represents

• Direction
• Superflows
• Aggregation

4.2.5 Describe flow pipeline

pg. 22
REFERENCES:
sFlow https://www.ibm.com/docs/en/qsip/7.5?topic=sources-sflow

Flow capacity limits https://www.ibm.com/docs/en/qsip/7.5?topic=aggregation-flow-capacity-limits

Verifying NetFlow data collection https://www.ibm.com/docs/en/qsip/7.5?topic=sources-verifying-netflow-data-collection

4.3 Define custom properties

SUBTASKS:

4.3.1 Identify custom properties imported from extension packs

4.3.2 Tune performance of property extraction, including optimization and indexing

4.3.3 Understand different property types

• AQL
• Calculated
• Extracted

4.3.4 Understand extraction mechanisms

• CEF
• LEEF
• Name Value Pair
• JSON
• Regular Expression (RegEx)
• XML
• Generic list

4.3.5 Understand usage of Custom Properties in Rules and Searches

4.3.6 Describe when Property autodetection can be used

4.3.7 Configure obfuscation for sensitive data

pg. 23
REFERENCES:
Uninstalling a content extension https://www.ibm.com/docs/en/qsip/7.5?topic=content-uninstalling-extension

Methods of importing and exporting content https://www.ibm.com/docs/en/qsip/7.5?topic=content-methods-importing-exporting

Defining custom properties by using custom https://www.ibm.com/docs/en/qsip/7.5?topic=cefp-defining-custom-properties-by-using-custom-property-

property expressions expressions

4.4 Install content extensions based on requirements

SUBTASKS:

4.4.1 Determine the necessary logs and flows to collect to support the required apps

4.4.2 Understand which security content can be in extension packs

• Content types
o Apps
o Rules
o Properties
o Ref data
o Dashboards
o etc.

4.4.3 Understand methods for installing content

• Assistant app
• Extension Management interface
• REST-API
• CLI

REFERENCES:
QRadar content extensions https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-content-extensions

Installing extensions by using Extensions https://www.ibm.com/docs/en/qsip/7.5?topic=extensions-installing-by-using-management

Management

4.5 Identify event parsing requirements

SUBTASKS:

pg. 24
4.5.1 Identify supported and unsupported log source types

4.5.2 Understand the DSM editor capability (not usage)

• mapping new log source types

• overriding or enhancing existing log source types

4.5.3 Understand custom log source types

4.5.4 Identifying log source events that are not parsing and need to be custom

• stored
• unknown

4.5.5 Define DSM/event mappings log source types, event ID, event category to QID

4.5.6 Describe QID low-level category, high-level category, and severity

REFERENCES:
DSM Editor overview https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-dsm-editor-overview

Properties in the DSM Editor https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-properties-in-dsm-editor

Creating an event map and categorization https://www.ibm.com/docs/en/qsip/7.5?topic=mapping-creating-event-map-categorization

Configuring property autodetection for log https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-configuring-property-autodetection-log-source-types

source types

pg. 25
Section 5: Environment and X-Force Integration
The deployment specialist configures the included QRadar apps to function properly within the
organization’s environment as well as setting up the IBM X-Force Threat Intelligence Feeds. The
deployment specialist also leads the client to properly populate and use the asset database (to
the extent that has been identified in the use cases and scope of the project).
This section accounts for approximately 6% of the exam.

5.1 Configure Assistant App and use it to manage the apps

SUBTASKS:

5.1.1 Obtain an X-Force Exchange API token (including knowing when to do this)

5.1.2 Demonstrate the capabilities of the Assistant app

• App installation
• Installing extensions using an admin level authorized service token

REFERENCES:
QRadar Assistant app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-assistant-app

Configuring the QRadar Assistant app https://www.ibm.com/docs/en/qradar-common?topic=app-configuring-qradar-assistant

Running the Assistant app in offline mode https://www.ibm.com/docs/en/qradar-common?topic=app-running-assistant-in-offline-mode

5.2 Establish X-Force intelligence data integration levels

SUBTASKS:

5.2.1 Troubleshoot the X-Force reputation feeds

• Internet access:
• URLS
• IP
• Ports to support X-Force integration

5.2.2 Configuring X-Force feeds through a proxy

5.2.3 Compare different levels of integration

pg. 26
 • SDK
• TI app
• ATPF

5.2.4 Distinguish different types of threat content that leverage X-Force

• Ransomware
• Cryptomining
• Data Exfiltration
• Endpoint protection

5.2.5 Understand the feature Am I Affected

5.2.6 Leverage Right Click integration with X-Force Exchange

REFERENCES:
QRadar: X-Force IP category shows blank for https://www.ibm.com/support/pages/node/6955775
rule condition

QRadar: X-Force Frequently Asked Questions https://www.ibm.com/support/pages/qradar-x-force-frequently-asked-questions-faq

(FAQ)

Exploring the X-Force Exchange Am I Affected https://www.ibm.com/support/pages/exploring-x-force-exchange-am-i-affected-feature

feature

5.3 Configure Use Case Manager

SUBTASKS:

5.3.1 Visualize threat coverage across the MITRE ATT&CK framework

5.3.2 Configure the Use Case Explorer in QRadar Use Case Manager

5.3.3 Analyze Predefined report content templates

5.3.4 Describe MITRE ATT&CK tactics

pg. 27
REFERENCES:
Configuring QRadar Use Case Manager https://www.ibm.com/docs/en/qsip/7.5?topic=manager-configuring-qradar-use-case

Assigning user permissions for QRadar Use https://www.ibm.com/docs/en/qsip/7.5?topic=manager-assigning-user-permissions-qradar-use-case

Case Manager

5.4 Populate and use the Asset database

SUBTASKS:

5.4.1 Import vulnerability assessment information into QRadar

5.4.2 Use the Assets tab to run scans on selected assets

5.4.3 Configure and import Vulnerability Scan results

5.4.4 Import CMDB data using a CSV file import

REFERENCES:
Asset profiles https://www.ibm.com/docs/en/qsip/7.5?topic=management-asset-profiles

Creating identity exclusion searches https://www.ibm.com/docs/en/qsip/7.5?topic=searches-creating-identity-exclusion

Vulnerability assessment scanner overview https://www.ibm.com/docs/en/dsm?topic=guide-vulnerability-assessment-scanner-overview

pg. 28
Section 6: System Performance and Troubleshooting
The deployment specialist performs initial system performance and troubleshooting,
demonstrating the use of appropriate tools to perform these tasks. This does not entail ongoing
support but is focused on the scope defined in the project objectives and architecture.
This section accounts for approximately 13% of the exam.

6.1 Look for R2R events

SUBTASKS:

6.1.1 Understand Network Hierarchy configuration

6.1.2 Utilize UCM app to discover and analyze R2R traffic

6.1.3 Create AQL searches related to R2R traffic

REFERENCES:
Reviewing your network hierarchy https://www.ibm.com/docs/en/qradar-common?topic=tuning-reviewing-your-network-hierarchy

Reviewing your network hierarchy https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.tuningapp.doc/t_Qapps_Tuning_review_network_hierarchy.html

6.2 Monitor system performance

SUBTASKS:

6.2.1 Understand system performance monitoring tools

6.2.2 Describe how to interpret QRadar system notifications

6.2.3 Monitor system load averages

REFERENCES:
Disk usage system notifications https://www.ibm.com/docs/en/qsip/7.5?topic=notifications-disk-usage-system

pg. 29
 QRadar: Apps and memory resource https://www.ibm.com/support/pages/qradar-apps-and-memory-resource-limitation
limitation

System health information https://www.ibm.com/docs/en/qsip/7.5?topic=management-system-health-information

QRadar: Troubleshooting disk space usage https://www.ibm.com/support/pages/qradar-troubleshooting-disk-space-usage-problems

problems

Accumulator is falling behind https://www.ibm.com/docs/en/qsip/7.5?topic=appliances-accumulator-is-falling-behind

QRadar: How to monitor and check if the CPU https://www.ibm.com/support/pages/qradar-how-monitor-and-check-if-cpu-bound-or-overloaded

is bound or overloaded

6.3 Check QRadar audit and self-monitoring events

SUBTASKS:

6.3.1 Understand audit logs

• QRadar SIEM User's interaction

• SIM Audit-2 Log source
• Actions recorded
• Audit log file and archiving

6.3.2 Check login attempts to the console

• /var/log/audit
• /var/log/qradar.log
• /var/log/qradar.error
• /var/log/qradar-sql.log

6.3.3 Check audit and logs are free from indications of common deployment issues.

• Fail/Complete back up
• System Notifications
• Unknown events
• SIM Audit-2 Events
• General Information events

REFERENCES:
Audit logs https://www.ibm.com/docs/en/qsip/7.5?topic=files-audit-logs

Log files https://www.ibm.com/docs/en/qsip/7.5?topic=administration-log-files

Viewing the audit log file https://www.ibm.com/docs/en/qsip/7.5?topic=logs-viewing-audit-log-file

Collecting log files https://www.ibm.com/docs/en/qsip/7.5?topic=management-collecting-log-files

pg. 30
 Getting Help: What information should be https://www.ibm.com/support/pages/getting-help-what-information-should-be-submitted-qradar-service-
submitted with a QRadar service request? request

QRadar: How to use the defect inspector to https://www.ibm.com/support/pages/qradar-how-use-defect-inspector-identify-reported-

identify reported issues? issues#:~:text=The%20Defect%20Inspector%20is%20a,experiencing%20a%20previously%20reported%20issue.

6.4 Check and restart Apps as necessary

SUBTASKS:

6.4.1 Identify where apps are running

6.4.2 Check the status of an app

• qappmanager
• recon
• Interactive API for developer

6.4.3 Restart an app

• Interactive API for developers

• Restart apphost
• qappmanager

REFERENCES:
QRadar: App troubleshooting before opening https://www.ibm.com/support/pages/node/716891
a support case

QRadar apps overview https://www.ibm.com/docs/en/qsip/7.5?topic=apps-qradar-overview

QRadar apps troubleshooting https://www.ibm.com/docs/en/qradar-common?topic=overview-qradar-apps-troubleshooting

QRadar: How to use Recon to troubleshoot https://www.ibm.com/support/pages/qradar-how-use-recon-troubleshoot-qradar-applications

QRadar applications

FAQs about apps https://www.ibm.com/docs/en/qradar-common?topic=overview-faqs-about-

apps#qradarapps__dl_qfp_yxq_l4b

6.5 Identify event drops, events going to storage and unknown events
SUBTASKS:

6.5.1 Identify Unknown events

• Are log source autodiscovered

• Are log sources supported

pg. 31
6.5.2 Describe the limitations of the autodetect process

• Misidentification
• Failure to identify
• Not all log source types are supported for autodetection

6.5.3 Determine causes of dropped events in the pipeline

6.5.4 Determine why some events are being routed directly to storage

REFERENCES:
Troubleshooting DSMs https://www.ibm.com/docs/en/qsip/7.5?topic=problems-troubleshooting-dsms

Troubleshooting DSMs https://www.ibm.com/docs/en/qsip/7.5?topic=management-troubleshooting-dsms

Unable to determine associated log source https://www.ibm.com/docs/en/qsip/7.5?topic=appliances-unable-determine-associated-log-source

QRadar: How to view the number of events https://www.ibm.com/support/pages/qradar-how-view-number-events-exceeding-event-processor-system-

exceeding the Event Processor System (EPS) eps-licensed-limit
licensed limit

pg. 32
Section 7: Initial Offense Tuning
As defined in the scope, project objectives and architecture, the deployment specialist
performs initial tuning of offenses and guides the client on how to best approach this task going
forward.
This section accounts for approximately 10% of the exam.

7.1 Tune noisy rules and CRE events

SUBTASKS:

7.1.1 Create searches to identify rules which trigger frequently

7.1.2 Understand the Offense index and use that to minimize relevant Offenses

7.1.3 Demonstrate how to implement an AllowList or a DenyList

7.1.4 Suppress rules with the Response Limiter

REFERENCES:
Reviewing building blocks https://www.ibm.com/docs/en/qradar-common?topic=tuning-reviewing-building-blocks

Reviewing your network hierarchy https://www.ibm.com/docs/en/qradar-common?topic=tuning-reviewing-your-network-hierarchy

Tuning the active rules that generate offenses https://www.ibm.com/docs/en/qradar-common?topic=tuning-active-rules-that-generate-offenses

7.2 Identify expensive rules and properties

SUBTASKS:

7.2.1 Check the rule performance visualization in the Rules display

7.2.2 Show when the rule measurements are taken

7.2.3 Understand the Support tooling

• /opt/qradar/support/findExpensiveCustomRules.sh
• /opt/qradar/support/findExpensiveCustomProperties.sh

pg. 33
7.2.4 Identify poorly written RegEx

7.2.5 Demonstrate the importance of Rule Filter ordering

7.2.6 Show when Global correlation is required and the drawbacks when in use

REFERENCES:
Rule performance visualization https://www.ibm.com/docs/en/qsip/7.5?topic=rules-rule-performance-visualization

QRadar Use Case Manager app https://www.ibm.com/docs/en/qradar-common?topic=apps-qradar-use-case-manager-app

Reviewing building blocks https://www.ibm.com/docs/en/qradar-common?topic=tuning-reviewing-building-blocks

Reviewing your network hierarchy https://www.ibm.com/docs/en/qradar-common?topic=tuning-reviewing-your-network-hierarchy

Tuning the active rules that generate offenses https://www.ibm.com/docs/en/qradar-common?topic=tuning-active-rules-that-generate-offenses

7.3 Utilize Server Discovery

SUBTASKS:

7.3.1 Describe when to use Server Discovery

• Flows required
• or VA Scanner data

7.3.2 Show how Server discovery updates the default Building Blocks from the contents of the
Asset Database
7.3.3 Demonstrate how to execute Server Discovery

7.3.4 Understand when Server Discovery should be repeated

REFERENCES:
Server discovery https://www.ibm.com/docs/en/qsip/7.5?topic=phase-server-discovery

IBM QRadar Administration Guide https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_qradar_admin_guide.pdf

Discovering servers https://www.ibm.com/docs/en/qsip/7.5?topic=sd-discovering-

servers#t_tuning_guide_tuning_discovering_servers

pg. 34
7.4 Update building blocks
SUBTASKS:

7.4.1 Show how building blocks are combined to provide 'OR'

7.4.2 Design building blocks filter order to optimize evaluation

7.4.3 Describe the evaluation order of Rules and building blocks

7.4.4 Identify and describe the special "False Positive" building block

7.4.5 Combine common filters into building blocks, where appropriate.

REFERENCES:
Tuning building blocks https://www.ibm.com/docs/en/qsip/7.5?topic=blocks-tuning-building

IBM QRadar building blocks https://www.ibm.com/docs/en/qsip/7.5?topic=phase-qradar-building-blocks

7.5 Manage and use reference data

SUBTASKS:

7.5.1 Choose reference data type to use

• What data to be stored

• How the data is to be used

7.5.2 Use reference data for filtering

• Custom Rules
• Searches
• AQL queries

7.5.3 Use reference data for augmentation.

pg. 35
 • Custom Rules
• Searches
• AQL queries

7.5.4 Manage reference data and contents

• Rule Responses
• REST-API
• Reference Data Management app
• GUI

REFERENCES:
Reference data in QRadar https://www.ibm.com/docs/en/qsip/7.5?topic=administration-reference-data-in-qradar

Types of reference data collections https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-types-reference-data-collections

Exporting elements from a reference set https://www.ibm.com/docs/en/qsip/7.5?topic=overview-exporting-elements-from-reference-set

Creating reference data collections by using https://www.ibm.com/docs/en/qsip/7.5?topic=rdiq-creating-reference-data-collections-by-using-command-

the command line line

pg. 36
Section 8: Migration and Upgrades
In case the project objectives and scope contain QRadar migration and/or upgrades, the
deployment specialist has to investigate several migrations or upgrade related topics, such as
data and content migration, app framework use cases, and other upgrade prerequisites.
This section accounts for approximately 10% of the exam.

8.1 Migrate Data

SUBTASKS:

8.1.1 Transfer Event and flow data to new appliance

• Using sycnAriel.sh
• Manually using rsync or scp

8.1.2 Ensure that the destination appliance has enough space to move the data located under
/store/ariel

• df -h /store/ariel

8.1.3 Set up RSA keys

• add source appliance .ssh/id_rsa.pub to destination appliance .ssh/authorized_keys

8.1.4 Modify IP tables

8.1.5 Run syncAriel.sh

• sh syncAriel.sh -i IP address

8.1.6 Plan Ariel data migration strategy

8.1.7 Describe the optional Configuration for data migration

pg. 37
 • Appliances can use cross-over cables if the appliances are located in the same data
center to expedite the transfer of events and flows information.
• Appliances on a slower network connection can expand on the rsync examples to limit
the transfer rate between appliances.

REFERENCES:
QRadar: Replacing a QRadar Managed Host https://www.ibm.com/support/pages/node/279273
(16xx, 17xx, 18xx appliance) in your
deployment

QRadar: Replacing a Console appliance in a https://www.ibm.com/support/pages/node/280727

deployment using a new IP address or
hostname

Script to sync /store/ariel from one system to https://www.ibm.com/support/pages/system/files/inline-files/syncAriel_2.sh

another

8.2 Review upgrade prerequisites

SUBTASKS:

8.2.1 Understand how to verify interim fix and patch levels for all systems in a deployment

8.2.2 Verify you have enough space in the QRadar Console

8.2.3 Check installation prerequisites

• Product documentation
• Release Notes

REFERENCES:
Release of QRadar 7.5.0 SFS (7.5.0-QRADAR- https://www.ibm.com/support/pages/node/6524688
QRSIEM-20211220195207)

IBM Qradar Upgrade Guide https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_qradar_upgrade.pdf

Upgrading QRadar SIEM https://www.ibm.com/docs/en/qsip/7.5?topic=upgrading-qradar-siem

Preparation checklist for QRadar upgrades https://www.ibm.com/docs/en/qsip/7.5?topic=upgrading-preparation-checklist-qradar-upgrades

QRadar: Viewing interim fix and patch levels https://www.ibm.com/support/pages/qradar-viewing-interim-fix-and-patch-levels-all-systems-deployment

for all systems in a deployment

8.3 Determine content migration strategy

SUBTASKS:
pg. 38
8.3.1 Ensure TLS certificates are transferred to target system and installed correctly.

8.3.2 Determine content migration strategy

• Config backup/restore
• Content Management Tool (CMT)

8.3.3 Describe how to transfer data for pull (active) protocols

• Encrypted authentication information

• Event collector identification in the new environment

REFERENCES:
Searching for specific content items to export https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_qradar_admin_guide.pdf

Archiving Data Node content https://www.ibm.com/docs/en/qsip/7.5?topic=nodes-archiving-data-node-content

Methods of importing and exporting content https://www.ibm.com/docs/en/qsip/7.5?topic=content-methods-importing-exporting

Restore QRadar configurations and data https://www.ibm.com/docs/en/qsip/7.5?topic=recovery-restore-qradar-configurations-data

8.4 Review App Framework considerations (UBI)

SUBTASKS:

8.4.1 Describe how to stop the apps

8.4.2 Ensure there is enough disk space on the console's /store partition for the App Host’s app
data.

8.4.3 Migrate App Host to new appliance

8.4.4 After app migration, check certificates

8.4.5 Understand how to update Root CA and intermediate files for apps

pg. 39
REFERENCES:
QRadar: Migrating an App Host from one https://www.ibm.com/support/pages/node/6414807
deployment to another

Multitenancy in UBA https://www.ibm.com/docs/en/qradar-common?topic=app-multitenancy-in-uba

QRadar: Starting and stopping an application https://www.ibm.com/support/pages/qradar-starting-and-stopping-application-api

from the API

Managing installed extensions https://www.ibm.com/docs/en/qradar-common?topic=app-managing-installed-extensions

8.5 Restoring a backup

SUBTASKS:

8.5.1 Take an On Demand backup

8.5.2 Transfer backup file to the target system

8.5.3 Restore the config backup from the old appliance to the new appliance when performing
Console Migration

8.5.4 Stop QRadar services on old appliance after restoring a config backup on a new console

8.5.5 Restart hostcontext service on all managed hosts after restoring a config backup on a new
console

8.5.6 Perform full deploy

REFERENCES:
Scheduling nightly backup https://www.ibm.com/docs/da/qsip/7.5?topic=data-scheduling-nightly-backup

Backup and recovery https://www.ibm.com/docs/sr/qsip/7.5?topic=administration-backup-recovery

Backup and recovery https://www.ibm.com/docs/sr/qsip/7.5?topic=administration-backup-recovery

Restore QRadar configurations and data https://www.ibm.com/docs/en/qsip/7.5?topic=recovery-restore-qradar-configurations-data

Creating an on-demand configuration backup https://www.ibm.com/docs/en/qsip/7.5?topic=data-creating-demand-configuration-backup-archive

archive

QRadar: Replacing a Console appliance in a https://www.ibm.com/support/pages/qradar-replacing-console-appliance-deployment-using-new-ip-

deployment using a new IP address or address-or-hostname
hostname

pg. 40
8.6 Performing QRadar SIEM hardware migration
SUBTASKS:

8.6.1 Check appliance version compatibility

8.6.2 Describe how to reinstall QRadar version

REFERENCES:
Restoring a backup archive https://www.ibm.com/docs/en/qsip/7.5?topic=data-restoring-backup-archive

Replacing a QRadar managed host https://www.ibm.com/docs/en/qsip/7.5?topic=scenarios-replacing-qradar-managed-host

Applying and allocating a QRadar SIEM license https://www.ibm.com/docs/en/qsip/7.5?topic=migration-applying-allocating-qradar-siem-license-key

key

Restoring a backup archive created on a https://www.ibm.com/docs/en/qsip/7.5?topic=data-restoring-backup-archive-created-different-qradar-

different QRadar system system

Replacing a QRadar Console with an appliance https://www.ibm.com/docs/en/qsip/7.5?topic=qshms-replacing-qradar-console-appliance-that-uses-new-

that uses a new IP address ip-address

pg. 41
Section 9: Multi-Tenancy Considerations
The deployment specialist needs to be skilled to support an organization that needs to
implement a QRadar multi-tenant deployment.
This section accounts for approximately 6% of the exam.

9.1 Define domains and tenants requirements

SUBTASKS:

9.1.1 Assess the need for multitenancy

9.1.2 Address the issues with overlapping IP address ranges

9.1.3 Design/show data separation capabilities between tenants

9.1.4 Describe domain segmentation options

• Event and flow collectors

• Flow sources
• Log sources and log source groups
• Custom properties
• Scanners

REFERENCES:
Domains and log sources in multitenant https://www.ibm.com/docs/en/qsip/7.5?topic=management-domains-log-sources
environments

Provisioning a new tenant https://www.ibm.com/docs/en/qsip/7.5?topic=management-provisioning-new-tenant

Monitoring license usage in multitenant https://www.ibm.com/docs/en/qsip/7.5?topic=management-monitoring-license-usage

deployments

Multitenant management https://www.ibm.com/docs/en/qsip/7.5?topic=administration-multitenant-management

Overlapping IP addresses https://www.ibm.com/docs/en/qsip/7.5?topic=segmentation-overlapping-ip-addresses

Guidelines for defining your network https://www.ibm.com/docs/en/qsip/7.5?topic=hierarchy-guidelines-defining-your-network

hierarchy

9.2 Configure items which involve Multi-tenancy

SUBTASKS:
pg. 42
9.2.1 Show how multitenancy Data Retention operates

9.2.2 Use per-tenant throttles to manage EPS spikes in MSS environments

9.2.3 Describe managing multitenant apps using Assistant app

9.2.4 Describe how Network Hierarchy configuration works with domains

9.2.5 Define Security Profiles using domains for multitenancy

REFERENCES:
User roles in a multitenant environment https://www.ibm.com/docs/en/qsip/7.5?topic=mm-user-roles

Domains and log sources in multitenant https://www.ibm.com/docs/en/qsip/7.5?topic=management-domains-log-sources

environments

Monitoring license usage in multitenant https://www.ibm.com/docs/en/qsip/7.5?topic=management-monitoring-license-usage

deployments

Retention policies for tenants https://www.ibm.com/docs/en/qsip/7.5?topic=management-retention-policies-tenants

Domain definition and tagging https://www.ibm.com/docs/en/qsip/7.5?topic=segmentation-domain-definition-tagging

pg. 43