Admin Tasks

Uploaded by madhu.guda99

Cyberproof: Business Sensitive Information

Admin Interview Questions:

1. What is the architecture of the SIEM (QRadar/Splunk/Azure Sentinel/LogRhythm)?
2. What is the latest version of the tool you are working on (Splunk, CrowdStrike, Qualys, etc.)?
3. What is the EPS value of your customer?
4. How do you integrate Windows/Linux/AWS/Azure log sources?
5. What are the event retention and data retention periods at your client?
6. How many types of backups do we have in a SIEM tool (raw data, configuration data)?
7. What is the purpose of indexing in a SIEM?
8. How does the SIEM tool differentiate whether an IP address is local or outside the
organization? (QRadar)
9. What is a reference set in a SIEM tool, or what is the purpose of a reference set in rule logic?
10. What is the difference among normalization (parsing), aggregation (coalescing) and correlation?
11. Port numbers: Syslog 514, Syslog-ng 1514, WinCollect agent port 8413.

Splunk port numbers:


Admin tasks:
1. Understanding SIEM architecture or the event lifecycle.
2. Log source integration/troubleshooting.
3. Daily system health check.
4. Use case writing and fine-tuning use cases, integration with the client.
5. Mapping events, writing custom parsers for unsupported log sources.
6. Report creation (weekly: 52, monthly: 12, quarterly: 4).
7. Dashboard creation, monitoring.
8. Review L1 work and help in the next level of investigation steps.

Admin Guide:

Fundamentals of cyber security CIA:

Purpose of SIEM:

1. Real-time monitoring/correlation of logs.

2. Compliance (ISO 27001).

Types of Projects in SOC:

A. MSSP:

1. Multiple clients

2. Working for a dedicated client (remotely/at client location)

B. Inhouse Project (captive SOC)

Purpose of SIEM: Real time correlation.

Event: Action/Activity on a device.

Log: Complete information of event occurred.

Alert/offense/Incident/Alarm: If all the rule conditions matched against real time traffic then we
get alert/offense.

SLA:

SOP:

SPOC:

KPI:
MTD:

MTR:

OEM: Original Equipment Manufacturer

Skills Required:

SOC tools: SIEM, EDR, Email gateway, Proxy,DLP, VA

OS: Windows, Linux

Networking:

Cyber Attacks & Frameworks:

Cloud: AWS/Azure/GCP

SOAR: Python/shell/bash

SOC Roles By experience:

L1: 1 to 3 yrs

L2: 3 to 6 yrs

L3/SME: 6 to 10 or 12 yrs

Team Lead: 12 to 15 yrs

Manager: 15 to 20 yrs

CISO: 20 to 25+ yrs

VP: 25 Yrs+

SVP: 30+

Security Director: 35+ yrs experience

Daily Health Check:


• Health check on a daily basis, storage check (ensure that all the backups within the retention
period exist)

Use case/rule creation.

• Parsing and mapping events. Writing regular expressions.

• Ensure that QMLA / System Availability Groups are allocated to all the relevant log sources.

• Check for any system errors / messages and fix them.


• Log sources that are in an error condition need to be sent to the client and fixed.

Log source integration/troubleshooting.

• Participate in client meetings on a weekly basis – If there isn’t any – please speak with the
customer or TAM and schedule.

• Application updates if needed.

• Send recommendations to the customers.

Use case/rule creation

Performing upgrade activities.

Command to get the list of users from the CLI:

psql -U qradar -c "SELECT U.id, U.username, US.email, UR.name FROM users U LEFT JOIN user_settings US ON U.id = US.id LEFT JOIN userrole UR ON U.role_id = UR.id ORDER BY UR.name, U.username ASC;"


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

SIEM Products Comparison:

Qradar Console:


Splunk (CISCO) Search Head:

ArcSight (Microfocus) ESM (Enterprise Security Manager) :


EXABEAM AA (Advanced Analytics):

LogRhythm Console:

Azure Sentinel Console :

Linux OS Hierarchy:


In a typical Linux file system, various folders serve specific purposes and
organize different types of files and data. Here's an overview of the
purpose of each folder under the root hierarchy:

1. /bin: Contains essential binary files and commands required for
basic system operations. These are fundamental utilities that are
necessary for the system to function, even during recovery or when
other file systems might not be accessible.
2. /boot: Contains boot-related files, including the Linux kernel, initial
ramdisk (initrd/initramfs) files, and boot loader configuration (e.g.,
GRUB).
3. /dev: Contains device files that represent hardware devices and
interfaces, allowing interaction with them through file-like
interfaces.
4. /etc: Stores system-wide configuration files and startup scripts.
Various applications and services store their configuration files here.
5. /home: Home directories for user accounts. Each user typically has a
subfolder within this directory where their personal files and
configurations are stored.
6. /lib and /lib64: Libraries required by binaries in /bin and /sbin. /lib
contains libraries for 32-bit systems, and /lib64 for 64-bit systems.
7. /media: Historically used to mount removable media devices such as
USB drives and CDs/DVDs. However, modern systems often use
/mnt for temporary mounts and /media for automatic media
mounting.
8. /mnt: Used for temporarily mounting file systems or devices, such as
external drives or network shares.
9. /opt: Optionally installed software packages can be placed here.
These are usually third-party applications that are not part of the
default system installation.

10. /proc: A virtual file system that provides information about
running processes and system configuration as files and directories.
11. /root: Home directory for the root user, the system
administrator. It is not the same as the root directory (/).
12. /run: A temporary file system that stores runtime data that
should be available to processes during the system's runtime. Used
to replace the /var/run directory in modern systems.
13. /sbin: Contains essential system binaries and commands used
for system administration tasks. Typically requires superuser (root)
privileges to execute.
14. /srv: Used to store data for services provided by the system.
For example, web servers might store their website data in
subdirectories under /srv.
15. /sys: A virtual file system that provides information and
configuration options for the Linux kernel and devices.
16. /tmp: A temporary directory where applications and users can
store temporary files. Files here are generally cleared on reboot.
17. /usr: Contains user-related binaries, libraries, and data. It's
one of the largest directories in the file system and contains the
majority of user-level programs and tools.
18. /var: Contains variable data files, including logs, spool files,
and temporary data generated by various applications and services

Free online Linux Terminal (CLI):

https://www.tutorialspoint.com/linux_terminal_online.php

DSM: Device support module

Logging levels in a device:

Logging levels, also known as log severity levels or log levels, are used to
categorize and prioritize the importance of log messages generated by
devices, applications, and systems. These levels help system
administrators and developers better understand and respond to events,
errors, and activities happening within a system. Different devices and
software use various log level naming conventions, but the basic
principles are often consistent. Here are the typical logging levels, ranked
from lowest to highest severity:

1. Debug: These logs provide detailed information that is primarily
useful for developers when diagnosing and troubleshooting issues.
Debug logs may include verbose or technical details about the inner
workings of a system.
2. Info (Informational): These logs provide general operational
information about the system, such as start-up messages,

successful operations, or system status updates. They are often
used for routine monitoring and auditing.
3. Notice: This level indicates noteworthy events that might require
attention but are not critical. Notices typically inform administrators
about events that could impact system behavior or performance.
4. Warning (Warn): Warnings indicate potential issues or situations
that might lead to errors or unexpected behavior in the future.
Administrators should investigate and address warnings to prevent
further problems.
5. Error (Err): Errors signify specific issues or failures that have
occurred but may not critically impact the overall system. Errors
require attention and resolution to ensure proper system
functioning.
6. Critical (Crit): Critical logs indicate severe issues that need
immediate attention, as they may lead to system instability or data
loss. These events demand rapid intervention.
7. Alert: Alerts denote critical conditions that require immediate
action. These events typically require manual intervention or
prompt notification to system administrators.
8. Emergency (Emerg): Emergencies are the highest level of
severity. They indicate catastrophic failures or situations where the
system is unusable or severely compromised. Immediate attention
is crucial to address these events.

Backup and Data:

How many types of data we have in SIEM (Qradar)

Configuration data backup: Postgres database (What ever changes we do on console) - Console

Raw data (Event/Flow) Backup: Ariel Data base (This is called log sources data) – Event Processor

Event/Log/Flow/Offense

Backing up data protects the 3rd principle of the CIA triad, i.e. Availability.

3-2-1 backup rule

3 copies of data

2 copies will be online (both copies will be at different places)

1 copy will be completely offline (no internet connection).

Event Retention: 30 days (Online Data)

Backup Retention Period: example 365 days (this is offline data).

Indexing: Fetching important parameters from database tables and showing them in Log Activity is called
indexing.

Coalescing/Aggregation: Source IP, destination IP, destination port, username, QID.

Network Hierarchy: The option in QRadar by which local and remote IPs are differentiated.

Command to take a manual backup of data:

/opt/qradar/support/manual_data_backup.sh -b 20231220 (manual backup)

DSM (Device Support Module) Guide:

OEM: (Original Equipment Manufacturer)

Log Source integration:

Windows:

Linux:

N/w Devices

Firewalls: Palo Alto PA series,

Routers: Cisco Aironet, Cisco IOS (Internetwork Operating System)

Switches:

Load Balancer: F5 BIG-IP LTM

Servers:

Databases:

Cloud:

AV:

EDR: Cisco Stealthwatch

Email Gateway: Cisco IronPort

IDPS :

Proxy :

WAF :

DLP : Forcepoint V series,

VPN : Perimeter 81, Cisco VPN,

MFA or 2FA: F5 BIG-IP Access Policy Manager,

Purpose of MFA: To avoid unauthorized access.

Windows Machines integration:

1. WinCollect

2. MSRPC (Microsoft Remote Procedure Call): maximum we can collect is 100 EPS

3. Syslog

QRadar Physical Device Series:
1. QRadar Console (C) Series:
• These are the management interfaces of the QRadar deployment.
• Responsible for user interface, administration, and configuration.
• Example: QRadar 3105, 3124, 3148 (numbers are examples and may not be accurate for current models).
2. Event Processor (EP) Series:
• Responsible for processing incoming event data, parsing it, and storing it in the database.
• Handles event correlation and analysis.
• Example: QRadar 1501, 1605, 1707 (numbers are examples and may not be accurate for current models).
3. Flow Processor (FP) Series:
• Handles flow data (network traffic) analysis and processing.
• Important for network visibility and monitoring.
• Example: QRadar 1724, 1732, 1823 (numbers are examples and may not be accurate for current models).
4. Data Node (DN) Series:
• These are storage appliances responsible for storing event and flow data.
• Enable QRadar to retain historical data for compliance and investigation purposes.
• Example: QRadar 2100, 2214, 2222 (numbers are examples and may not be accurate for current models).
5. Flow Collector (FC) Series:
• Responsible for collecting flow data from network devices and sending it to Flow Processors.
• Can be used to increase flow processing capacity in larger deployments.
• Example: QRadar 1724-FC, 1823-FC (numbers are examples and may not be accurate for current models).
6. All-in-One (AIO) Series:
• Combines multiple QRadar components (Event Processor, Flow Processor, and Console) into a single appliance.
• Suitable for smaller deployments or remote sites.
• Example: QRadar 3105-AIO, 3124-AIO (numbers are examples and may not be accurate for current models).

>>>>>>>>>>>>>>>>>>>>>>>>

Qradar Architecture:
In the same way, learn the architectures of Splunk, Azure Sentinel, ArcSight and LogRhythm.

Event Collector (parsing/normalization, aggregation/coalescing)

Coalescing Parameters:

QRadar Identifier (QID)

Source IP

Destination IP

Destination port

Username

Event Processor (Correlation)-CRE(Custom Rule Engine)

Use case (Rule)

Name: Ariel Data Base

Console (Magistrate)-Offense Creation

1, 0 = bits

1 byte = 8 bits

1 KB = 1024 bytes

1 MB = 1024 KB

1 GB = 1024 MB

1 TB = 1024 GB

1 PB = 1024 TB

Event Retention: Online Data


Backup and Recovery: Offline Data

https://www.ibm.com/docs/en/SS42VS_7.4/pdf/b_qradar_aql.pdf

Parsing/Normalization: DSM (EC)

Coalescing/Aggregation:

Reducing the duplicates based on 5 parameters:

Source ip

Destination IP

Destination port

Username

QID
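To make the five-parameter coalescing concrete, here is an added Python example (not code from these notes or from QRadar): events that share QID, source IP, destination IP, destination port and username within a window collapse into one record carrying a count, and the page's EPS formula is applied to the resulting counts. The sample events and the 10-second window are constructed assumptions for illustration, not documented QRadar settings.

```python
# The five keys the notes list for coalescing/aggregation.
COALESCE_KEYS = ("qid", "srcip", "dstip", "dstport", "username")

# Constructed sample events (not from the notes): "ts" is seconds since start.
SAMPLE_EVENTS = [
    {"ts": 0,  "qid": 5000001, "srcip": "10.0.0.5", "dstip": "10.0.0.9", "dstport": 22, "username": "bob"},
    {"ts": 1,  "qid": 5000001, "srcip": "10.0.0.5", "dstip": "10.0.0.9", "dstport": 22, "username": "bob"},
    {"ts": 2,  "qid": 5000001, "srcip": "10.0.0.5", "dstip": "10.0.0.9", "dstport": 22, "username": "bob"},
    {"ts": 3,  "qid": 5000001, "srcip": "10.0.0.6", "dstip": "10.0.0.9", "dstport": 22, "username": "bob"},
    {"ts": 4,  "qid": 5000002, "srcip": "10.0.0.5", "dstip": "10.0.0.9", "dstport": 22, "username": "bob"},
    {"ts": 15, "qid": 5000001, "srcip": "10.0.0.5", "dstip": "10.0.0.9", "dstport": 22, "username": "bob"},
]


def coalesce(events, window_seconds=10):
    """Collapse events sharing all five keys, arriving within window_seconds of
    the first one, into a single record with a count.  The 10-second window is
    an assumed value for this example, not a documented QRadar setting."""
    open_records = {}   # key -> the record currently accepting duplicates
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[k] for k in COALESCE_KEYS)
        rec = open_records.get(key)
        if rec is not None and ev["ts"] - rec["first_ts"] < window_seconds:
            rec["count"] += 1
            rec["last_ts"] = ev["ts"]
        else:
            # Either a new key or the window for this key has expired: open a
            # fresh record (a later duplicate therefore starts a new count).
            rec = dict(ev, first_ts=ev["ts"], last_ts=ev["ts"], count=1)
            open_records[key] = rec
            out.append(rec)
    return out


def eps(event_count, seconds=86400):
    """EPS = number of logs received in 24 hours / 86400 (the formula in the notes)."""
    return event_count / seconds


def coalescing_ratio(events, window_seconds=10):
    """Fraction of events that survive coalescing (1.0 means nothing was merged)."""
    return len(coalesce(events, window_seconds)) / len(events)


if __name__ == "__main__":
    for rec in coalesce(SAMPLE_EVENTS):
        print(rec["qid"], rec["srcip"], "count =", rec["count"])
    print("raw EPS for 172800 logs/day:", eps(172800))
    print("kept after coalescing:", coalescing_ratio(SAMPLE_EVENTS))
```

The three identical SSH events at t=0..2 become one record with count 3, the events that differ in source IP or QID stay separate, and the duplicate at t=15 opens a new record because the window has expired; widening the window merges it too.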
Event Processor:

Correlation (EP)

Storage (Ariel Data Base)- AQL

Command to take a manual backup of data:

/opt/qradar/support/manual_data_backup.sh -b 20240102 (date & time; manual backup)

Console:

Offense Creation (Magistrate)

Types of data in SIEM:

Config data:

Raw data:

Offense Retention: How many days we need to keep offenses data visible in tool.

Event Retention: How many days we need to keep logs online (in log activity)

Backup Retention Period: How many days we keep logs /Ariel data backup offline.

Core services under SIEM IBM Qradar

https://www.ibm.com/support/pages/qradar-core-services-and-impact-restarting-services

Check whether all these services are active or not

systemctl status tomcat

systemctl status httpd

systemctl status hostcontext

systemctl status hostservices

systemctl status ecs-ec

systemctl restart ecs-ec-ingress

systemctl status ecs-ep

Console:

Magistrate component

AQL: Ariel Query Language (QRadar) / ArcSight Query Language (ArcSight) / Advanced Query
Language (LogRhythm)

KQL: Kusto Query Language

SPL: Splunk Processing Language

EQL: Exabeam

>>>>>>>>>>>>>>>>>>

Index Management:

System and License Management:

High Availability: Primary and secondary

Purpose of High Availability: Because Availability is third principle of CIA. To make sure our services
are available to customers/clients at any point of time without any obstacles.

Primary device and secondary device will have a heartbeat connection.

Heartbeat port number is 6065

HA failover Ideal timing: 3 seconds

How does data synchronization happen between primary and secondary in real time?

Through the DRBD service (Distributed Replicated Block Device).

Port number:7788

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Log Source Integration:

On premises

Cloud

Types of Log sources

Windows Servers

Linux Servers

Firewalls (Palo Alto, Cisco, Juniper, Fortinet, Checkpoint ,. )

Cloud (Azure, AWS, GCP, IBM Cloud ,… )

Switches, Routers (cisco, Juniper…)

Security Devices (WAF, IDS, IPS, Email Gateways, EDR, Proxy, DLP, VPN, ..)

AD, DC, DHCP, Email Servers, Web servers, Application Servers, Exchange server.

MSSP – Multiple clients

Dedicated Client

Inhouse/Captive SOC

What kind of project do we have, MSSP or in-house?

Log Source Troubleshooting Steps:

1. ping <dstip> (reachability test)

2. telnet <dstip> 514 (syslog), e.g. telnet 192.168.134.79 514

3. traceroute <dstip>

4. tcpdump

Command syntax:

tcpdump -i eth0 host 192.168.1.100 and port 80 -w capture.pcap

tcpdump -i ens192 host 192.168.134.79 and host <EC_IP> and port 514 -w capture.pcap

tcpdump -i eth0 host 192.168.1.100 and host 192.168.134.85 and port 514 (192.168.1.100 = device, 192.168.134.85 = EC)

If we are not receiving logs from multiple devices on our event collector, then this service needs to be
restarted:

systemctl restart ecs-ec-ingress

Need to check with the customer:

1. Whether the device is decommissioned or not.
2. Whether any cable was removed from the device / any maintenance activity in the data center.
3. Restart the machine or services.

Syslog restart:

Windows:

Run → services.msc → WinCollect → restart the service

Linux:

systemctl restart rsyslog

Inform server to restart syslog services

net stop KiwiSyslogService

net start KiwiSyslogService

DSM Guide:

EPS calculation = number of logs received in 24 hours / 86400

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Dashboard Creation, Reports:

Table 1. Default dashboards

Application Overview: the Application Overview dashboard includes the following default items:

• Inbound Traffic by Country (Total Bytes)
• Outbound Traffic by Country (Total Bytes)
• Top Applications (Total Bytes)
• Top Applications Inbound from Internet (Total Bytes)
• Top Applications Outbound to the Internet (Total Bytes)
• Top Services Denied through Firewalls (Event Count)
• DSCP - Precedence (Total Bytes)

Compliance Overview: the Compliance Overview dashboard includes the following default items:

• Top Authentications by User (Time Series)
• Top Authentication Failures by User (Event Count)
• Login Failures by User (real-time)
• Compliance: Username Involved in Compliance Rules (time series)
• Compliance: Source IPs Involved in Compliance Rules (time series)
• Most Recent Reports

Network Overview: the Network Overview dashboard includes the following default items:

• Top Talkers (real time)
• ICMP Type/Code (Total Packets)
• Top Networks by Traffic Volume (Total Bytes)
• Firewall Deny by DST Port (Event Count)
• Firewall Deny by DST IP (Event Count)
• Firewall Deny by SRC IP (Event Count)
• Top Applications (Total Bytes)
• Link Utilization (real-time)
• DSCP - Precedence (Total Bytes)

System Monitoring: the System Monitoring dashboard includes the following default items:

• Top Log Sources (Event Count)
• Link Utilization (real-time)
• System Notifications
• Event Processor Distribution (Event Count)
• Event Rate (Events per Second Coalesced - Average 1 Min)
• Flow Rate (Flows per Second - Peak 1 Min)

Threat and Security Monitoring: the Threat and Security Monitoring dashboard includes the following default items:

• Default-IDS/IPS-All: Top Alarm Signatures (real-time)
• Top Systems Attacked (Event Count)
• Top Systems Sourcing Attacks (Event Count)
• My Offenses
• Most Severe Offenses
• Most Recent Offenses
• Top Services Denied through Firewalls (Event Count)
• Internet Threat Information Center
• Flow Bias (Total Bytes)
• Top Category Types
• Top Sources
• Top Local Destinations

https://www.ibm.com/docs/en/qradar-on-cloud?topic=management-default-dashboards

How To calculate EPS count per day:


Logs in Windows OS:

What are the standard log levels in any device?

1. Emergency (numerical value 0)

2. Alert

3. Critical

4. Error

5. Warning

6. Notice

7. Informational

8. Debug

We will inform the device owner (firewall/server/DB) to select the first 3 logging levels, because up to
the Error level the device functions normally; only from Critical and above does the device stop functioning.
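The severity list above and the "first 3 levels" policy can be checked mechanically on the wire: every syslog line starts with a `<PRI>` value that encodes facility and severity. The following is an added Python example, not code from these notes or from any vendor; it decodes the PRI prefix (also visible as `<190>` on the FortiGate payload quoted later in these notes), names the severity in the order the notes list, and applies the device-side policy of keeping only Emergency, Alert and Critical. The sample lines are constructed.

```python
import re

# Syslog severities 0..7 in the order the notes list them (Emergency is 0).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Split the syslog <PRI> prefix into (facility, severity).

    PRI = facility * 8 + severity (RFC 3164 / RFC 5424).  Returns None when the
    line has no PRI or the value is out of range (max 23*8 + 7 = 191)."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def severity_name(line):
    """Name of the severity carried in the line's PRI, or None."""
    d = decode_pri(line)
    return None if d is None else SEVERITIES[d[1]]


def should_forward(line, max_severity=2):
    """The device-side policy from the notes: forward only the first three
    levels (Emergency, Alert, Critical), i.e. severity number <= 2.

    Lines without a decodable PRI are kept rather than dropped, so a
    misconfigured sender is noticed instead of silently disappearing."""
    d = decode_pri(line)
    if d is None:
        return True
    return d[1] <= max_severity


def filter_lines(lines, max_severity=2):
    """Apply should_forward() to a batch of lines."""
    return [ln for ln in lines if should_forward(ln, max_severity)]


# Constructed sample lines; the first is modelled on the FortiGate format.
SAMPLE_LINES = [
    '<190>date=2023-08-31 time=06:00:23 devname="fw01" level="information" msg="app allowed"',  # local7.info
    '<26>Aug 31 06:00:24 fw01 kernel: disk failure on /dev/sda',   # daemon.crit
    '<27>Aug 31 06:00:25 fw01 sshd: could not load host key',      # daemon.err
    'Aug 31 06:00:26 fw01 no PRI on this line',                    # malformed
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(decode_pri(ln), severity_name(ln), "forward" if should_forward(ln) else "drop")
```

With the default policy the Informational FortiGate line and the Error line are dropped while the Critical line is kept; raising `max_severity` to 3 lets Error through as well, which is the trade-off the paragraph above describes.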

Inactive offenses:

An offense becomes inactive after 5 days in a dormant state. In the inactive state, new events that
trigger the offense rule test do not contribute to the inactive offense. They are added to a new
offense.

Inactive offenses are removed after the offense retention period elapses.

Error State in Logsource:

If we don't receive events from a log source in the SIEM tool for more than 720 minutes (12 hours).

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Purged means after retention period is over the data will be removed from disk.

Reference set: Collection of the same kind of data (like IPs, domains, file hashes, URLs, usernames,
hostnames, etc.).

Local System Rule: This rule applies to traffic which is specific to that managed host
(EC/EP/FC/FP/Console).

Global System Rule: This rule applies to traffic on all managed hosts (EC/EP/FC/FP/Console).

Rule (set of conditions/logic): has the ability to create alert/offense/Incident

Building Block (set of conditions/logic): It can't create an alert/offense; we use building blocks in our
rule conditions.

Command to see data storage on managed hosts (like EC,EP, console)

Rule creation:

System rules: These rules are already in the tool when we purchase the product.

Modified rules: These are also part of the tool when we purchase the license; afterwards we modify
those rules according to our client's traffic/requirements.

User rules: These rules are created by admins/use case engineers.

ADMIN Tab:

Extension Management:

Reference set management:

Index management:

Tenant Management:

System and License Management:

Domain Management:

Data Obfuscation Management:

Malicious IOC’s Block:

IP address: On Firewall

Domains: IPS or WAF

URL: Proxy

File Hash Values: EDR/WAF/IPS

Authentication:

Security Profile:

Domain Management: if two companies, e.g. ust.com and sbimf.com, are sending logs to the same console (IP),
we use domain management to differentiate the two companies' logs.

MSSP Environment:

Tenant Management:

Use Case Creation & Fine Tuning:
Types of rules:

>DSM

>UDSM

>What to do for devices which are not supported by SIEM

>Log source addition (Windows, Linux, router, switch, firewall, database, server, WAF, IPS, EDR, proxy, VPN…)

>DSM Editor.

>Analysis of different offenses

>Upgrade activity (precheck, post check)

https://www.ibm.com/docs/en/qsip/7.4?topic=upgrading-preparation-checklist-qradar-upgrades

Use case: suspicious/abnormal situations in a device/code/network.

Rule: nothing but a set of conditions written to identify the suspicious behavior in a
device/code/network.

To check the latest QRadar version:

https://www.ibm.com/community/qradar/home/software/

Data Received from Log sources:

Parsed: DSM

Unknown:

Stored:

Parsed events:

QRadar collects, parses, and categorizes the event to the proper log source.

Unknown events:

The event is collected and parsed, but cannot be mapped or categorized to a specific log source. The
Event Name and the Low-Level Category are set as Unknown. Log sources that aren't automatically
discovered are typically identified as Unknown Event Log until a log source is manually created in the
system. When an event cannot be associated to a log source, the event is assigned to a generic log
source. You can identify these events by searching for events that are associated with the SIM
Generic log source or by using the Event is Unparsed filter.

Stored events:

The event cannot be understood or parsed by QRadar. When QRadar cannot parse an event, it writes
the event to disk and categorizes the event as Stored in the Ariel database.

How do we use the DSM Editor to normalize data?

How to write regex (rubular)

Regex (REGular EXpression) for extracting the hostname from the payload below:

<190>date=2023-08-31 time=06:00:23 devname="N4-MB-DC4-4403-FG401E-GHIF01"
devid="FG4H1ETB20902424" eventtime=1693458023541415265 tz="+0100" logid="1059028704"
type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=53340
srcip=10.11.5.10 srccountry="Reserved" dstip=13.107.42.20 dstcountry="United States"
srcport=51065 dstport=443 srcintf="MB-AZURE-DEV" srcintfrole="lan" dstintf="N4-TRANSIT"
dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=433
poluuid="ff99e2d2-3d67-51ec-bc38-893f032d70ae" policytype="policy" sessionid=2176834452
applist="g-default" action="pass" appcat="Cloud.IT" app="Microsoft.Azure.DevOps.Services"
hostname="dev.azure.com" incidentserialno=226666751 url="/"
msg="Cloud.IT: Microsoft.Azure.DevOps.Services" apprisk="medium" scertcname="dev.azure.com"
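The regex extraction asked for above, as an added Python example (not code from these notes, from IBM or from Fortinet): the FortiGate payload quoted above is embedded as one string, a key=value parser pulls every field out of it, and a single-property regex of the kind one would test in rubular and then paste into the DSM Editor captures just the hostname. `extract_property` goes one step beyond the text and builds the same style of regex for any key; the quoted-vs-bare alternation is what keeps `msg="Cloud.IT: ..."`, which contains a space and a colon, in one piece.

```python
import re

# The FortiGate app-ctrl payload quoted in the notes, as one string.
PAYLOAD = (
    '<190>date=2023-08-31 time=06:00:23 devname="N4-MB-DC4-4403-FG401E-GHIF01" '
    'devid="FG4H1ETB20902424" eventtime=1693458023541415265 tz="+0100" logid="1059028704" '
    'type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=53340 '
    'srcip=10.11.5.10 srccountry="Reserved" dstip=13.107.42.20 dstcountry="United States" '
    'srcport=51065 dstport=443 srcintf="MB-AZURE-DEV" srcintfrole="lan" dstintf="N4-TRANSIT" '
    'dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=433 '
    'poluuid="ff99e2d2-3d67-51ec-bc38-893f032d70ae" policytype="policy" sessionid=2176834452 '
    'applist="g-default" action="pass" appcat="Cloud.IT" app="Microsoft.Azure.DevOps.Services" '
    'hostname="dev.azure.com" incidentserialno=226666751 url="/" '
    'msg="Cloud.IT: Microsoft.Azure.DevOps.Services" apprisk="medium" scertcname="dev.azure.com"'
)

# One key=value pair: a quoted value may contain spaces and colons; a bare
# value runs to the next whitespace.  Group 1 is the key, group 2 or 3 the value.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(payload):
    """Return every key=value pair in the payload as a dict (values stay strings)."""
    fields = {}
    for m in _KV_RE.finditer(payload):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


# The single-property regex one would paste into the DSM Editor (capture group 1).
# The leading \b stops it matching inside a longer key such as "srchostname".
HOSTNAME_RE = r'\bhostname="([^"]*)"'


def extract_hostname(payload):
    """Capture group 1 of HOSTNAME_RE, or None when the field is absent."""
    m = re.search(HOSTNAME_RE, payload)
    return m.group(1) if m else None


def extract_property(payload, key):
    """Generalisation: build the same style of regex for any key, so the
    expression can be tested in rubular before entering it in the DSM Editor."""
    m = re.search(r'\b' + re.escape(key) + r'=(?:"([^"]*)"|(\S+))', payload)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


if __name__ == "__main__":
    print("hostname:", extract_hostname(PAYLOAD))
    for k in ("srcip", "dstip", "dstport", "action", "msg"):
        print(k, "=", extract_property(PAYLOAD, k))
```

Everything stays a string on purpose: type conversion (port numbers, the epoch `eventtime`) is a separate normalization step, and keeping it out of the regex makes the expression portable between rubular and the DSM Editor.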
Jose Bravo: (DSM Editor videos)

For assigning high- and low-level categories we need to check the payload for the keywords below and
assign them manually.

Click on Extract Property and a popup will appear:

Normalization/Parsing (converting unstructured data to structured data): EC (DSM, Device Support
Module)

Upgrade Process:

1. Prechecks

2. Upgrade

3. Post checks

What is the latest version of the SIEM/EDR/email gateway/AV/DLP/proxy you are using right now?

SFS: minor upgrade (7.5.0 update 5 to 7.5.0 update pack 7)

ISO: major upgrade/version upgrade (7.4.0 to 7.5.0 update 7)

What is the latest version of the tool you have mentioned in your CV? Always get to know it.

1. Make sure all error messages are fixed.

2. Real-time events are coming in without any error.

3. The same needs to be checked for flows (Network Activity).

4. Make sure there are no pending deploy changes in the console.

5. Auto Update: check whether updates are happening or not.

6. Look at data backup and config backup, whether they are working or not.

7. System and License Management: make sure all primary devices in HA are "Active" and
secondary devices are in "Standby".

In case the secondary is active and the primary device is in standby mode, we should fix this issue
before going for the upgrade.
Steps for switching a primary HA host to active:
https://www.ibm.com/docs/en/qsip/7.4?topic=management-switching-primary-ha-host-active

8. We need to take screenshots of all users before the upgrade and compare the data after the upgrade,
to check whether both are the same or not.


9. We should take an on-demand backup of the config data before the upgrade, so that if any failure
happens we do not lose the configuration changes made on the console.

10. Take a screenshot of the log source count.

11. Take a screenshot of the EPS count.


12. Send an email to the analyst team and the client about the upgrade date and time, and mention in the
email not to log in to the console until we send a confirmation email.

Check whether all these services are active or not

systemctl status tomcat

systemctl status httpd

systemctl status hostcontext

systemctl status hostservices

systemctl status ecs-ec

systemctl status ecs-ep

systemctl status ariel_proxy_server (on console)

systemctl status ariel_query_server (event processor/collector)

Qradar file path to get error logs for different services

/var/log/qradar.error

Check for diskspace on each device by running this command

/opt/qradar/support/all_servers.sh -C "df -h"


Make sure the usage is below 90%.

13. Make sure all managed hosts are on the same version. Run this command to check the version
details: /opt/qradar/support/all_servers.sh -C -k

Process to upgrade:

https://www.ibm.com/docs/en/qsip/7.4?topic=upgrading-qradar-siem


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

[root@localhost log]# df -h

Filesystem Size Used Avail Use% Mounted on

devtmpfs 2.9G 0 2.9G 0% /dev

tmpfs 2.9G 12K 2.9G 1% /dev/shm

tmpfs 2.9G 8.9M 2.9G 1% /run

tmpfs 2.9G 0 2.9G 0% /sys/fs/cgroup

/dev/mapper/centos-root 243G 22G 222G 10% /

/dev/sda1 1014M 189M 826M 19% /boot

tmpfs 581M 0 581M 0% /run/user/
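The disk-space precheck above ("make sure the usage is below 90%") is easy to do by eye for one host but not across every managed host returned by `all_servers.sh`. Here is an added Python example (not code from these notes or from IBM) that parses the `df -h` output quoted above and flags any filesystem at or above the threshold. The second, nearly full output is constructed to show a failing host; the parser handles one host's `df` block at a time.

```python
# The df -h output quoted in the notes, embedded verbatim.
DF_OUTPUT = """\
Filesystem Size Used Avail Use% Mounted on
devtmpfs 2.9G 0 2.9G 0% /dev
tmpfs 2.9G 12K 2.9G 1% /dev/shm
tmpfs 2.9G 8.9M 2.9G 1% /run
tmpfs 2.9G 0 2.9G 0% /sys/fs/cgroup
/dev/mapper/centos-root 243G 22G 222G 10% /
/dev/sda1 1014M 189M 826M 19% /boot
tmpfs 581M 0 581M 0% /run/user/
"""

# Constructed output of a host that would fail the precheck (not from the notes).
DF_OUTPUT_FULL = """\
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 243G 230G 13G 95% /
/dev/mapper/centos-store 2.0T 1.4T 600G 71% /store
"""


def parse_df(text):
    """Parse one host's `df -h` output into a list of row dicts.

    Splits on whitespace, takes the first five columns as fixed, and joins the
    remainder back together so a mount point containing spaces still works."""
    rows = []
    for line in text.strip().splitlines()[1:]:   # first line is the header
        parts = line.split()
        if len(parts) < 6:
            continue                              # blank or truncated line
        fs, size, used, avail, pct = parts[:5]
        mount = " ".join(parts[5:])
        try:
            use_pct = int(pct.rstrip("%"))
        except ValueError:
            continue                              # e.g. "-" for pseudo filesystems
        rows.append({"filesystem": fs, "size": size, "used": used,
                     "avail": avail, "use_pct": use_pct, "mount": mount})
    return rows


def over_threshold(rows, threshold=90):
    """Rows whose usage is not below the threshold (the notes require < 90%)."""
    return [r for r in rows if r["use_pct"] >= threshold]


def precheck_disk(text, threshold=90):
    """(passed, offenders): True when every filesystem is below the threshold."""
    bad = over_threshold(parse_df(text), threshold)
    return (len(bad) == 0, [f"{r['mount']} at {r['use_pct']}%" for r in bad])


if __name__ == "__main__":
    for name, out in (("notes host", DF_OUTPUT), ("constructed host", DF_OUTPUT_FULL)):
        ok, bad = precheck_disk(out)
        print(name, "PASS" if ok else "FAIL", bad)
```

The threshold is a parameter so the same check can be tightened for `/store` or `/var/log` partitions, where the retention data lives, without touching the parser.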

Linux folder color meanings:

Blue: Directory or folders

Green: Executable or recognized data file

Cyan or Sky Blue: Symbolic link file

Yellow with black background: Device

Magenta or Pink: Graphic image file

Red: Archive file

Red with black background: Broken link

https://www.ibm.com/support/pages/qradar-troubleshooting-disk-space-usage-problems

To check QRadar Version:

What is the latest version currently available:

https://www.ibm.com/community/qradar/home/software/
Services which run in the backend for QRadar SIEM to run properly:

https://www.ibm.com/support/pages/qradar-core-services-and-impact-restarting-services

nmap -sV 192.168.56.101

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-22 10:13 EDT

Nmap scan report for 192.168.56.101

Host is up (0.0047s latency).

Not shown: 997 filtered tcp ports (no-response)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4 (protocol 2.0)

443/tcp open ssl/http Apache httpd

514/tcp open shell?

Index management:

Index management allows you to control database indexing, which can optimize search performance
for frequently used criteria. The system supports multiple indexed properties. Properties that can be
indexed in the system are listed below.

Network Hierarchy:

Using this option in QRadar, local and remote IPs are differentiated.
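The local/remote decision that the Network Hierarchy makes can be shown in a few lines. The following is an added Python example, not code from these notes or from QRadar: a constructed hierarchy (object name to CIDR blocks) is flattened with the most specific prefix first, any IP is classified as local or remote, and a source/destination pair gets a direction label in the L2L/L2R/R2L/R2R style QRadar uses. The IPs used in the checks come from the FortiGate payload earlier in these notes; the hierarchy, including the more specific Servers.DC block that demonstrates longest-prefix matching, is an assumption for illustration.

```python
import ipaddress

# Constructed network hierarchy (not from the notes): object name -> CIDRs.
# The three RFC 1918 blocks, a documentation range (203.0.113.0/24) standing in
# for a public DMZ, and one more specific /24 to show longest-prefix matching.
NETWORK_HIERARCHY = {
    "Net-10-172-192.Net_10_0_0_0": ["10.0.0.0/8"],
    "Net-10-172-192.Net_172_16_0_0": ["172.16.0.0/12"],
    "Net-10-172-192.Net_192_168_0_0": ["192.168.0.0/16"],
    "Servers.DC": ["10.0.5.0/24"],
    "DMZ.Web": ["203.0.113.0/24"],
}


def build_hierarchy(definition):
    """Flatten to (name, network) pairs, most specific prefix first, so the
    first match is the right one when objects overlap."""
    nets = [(name, ipaddress.ip_network(c))
            for name, cidrs in definition.items() for c in cidrs]
    nets.sort(key=lambda t: t[1].prefixlen, reverse=True)
    return nets


HIERARCHY = build_hierarchy(NETWORK_HIERARCHY)


def classify(ip, hierarchy=HIERARCHY):
    """('local', object_name) when ip falls inside the hierarchy, else ('remote', None)."""
    addr = ipaddress.ip_address(ip)
    for name, net in hierarchy:
        if addr.version == net.version and addr in net:
            return ("local", name)
    return ("remote", None)


def direction(srcip, dstip, hierarchy=HIERARCHY):
    """Direction label in the L2L / L2R / R2L / R2R style QRadar uses."""
    src_local = classify(srcip, hierarchy)[0] == "local"
    dst_local = classify(dstip, hierarchy)[0] == "local"
    return {(True, True): "L2L", (True, False): "L2R",
            (False, True): "R2L", (False, False): "R2R"}[(src_local, dst_local)]


if __name__ == "__main__":
    # Source and destination from the FortiGate payload in the notes.
    print(classify("10.11.5.10"), classify("13.107.42.20"))
    print("direction:", direction("10.11.5.10", "13.107.42.20"))
```

The practical point of the sort step: an address such as 10.0.5.7 belongs to both the /8 and the /24, and reports and rules that key on the network object name only make sense if the more specific object wins consistently.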

20/06/23

Windows:

Win collect Agent

Snare Agent

MSRPC (when we don't want to use any kind of agent to collect logs)

Linux:

Configuring Linux® OS to forward events by using the syslog protocol.

Procedure

Log in to your Linux OS device, as a root user.

Open the /etc/syslog.conf file and add the following facility information:

authpriv.* @<ip_address>

where:

<ip_address> is the IP address of IBM QRadar.
Save the file.

Restart syslog by typing the following command:

service syslog restart

Log in to the QRadar Console.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Use case: scenario (abnormal situation/activity in a

Rule: the logic we write to monitor those suspicious activities

Event and flow:

Event: any action on a single device

Flow: which involves 2 or more devices

Rule (set of conditions/logic): has the ability to create alert/offense/Incident

Building Block (set of conditions/logic): It can’t create alert/offense

Firewall Deny & Drop:

Deny: the sender will get an acknowledgement

Drop: you don't receive any acknowledgement

Log retention:


Magnitude:

Severity

Credibility

Relevance

https://www.ibm.com/docs/en/qradar-on-cloud?topic=management-offense-prioritization

Reference set:

Rule Wizard:


>>>>>>>>>>>>>>>>

19/06/23

Agenda:

Upgrade Process

Issues we get while doing an upgrade

Log source integration:

DSM-supported device: we can follow the steps from the DSM guide

Non-supported device: then we need to write regex for the device to fetch the properties from the log.

Log source health check, report creation

Evaluate L1 Analyst analysis as well.

What is the difference between an unknown event and a stored event?

Parsed Logs:

When events aren’t parsed correctly, they appear on the Log Activity tab as one of the following
event types:

Unknown events

The event is collected and parsed, but cannot be mapped or categorized to a specific log source. Log
sources that aren't automatically discovered are typically identified as an unknown event log until a
log source is manually created in the system. When an event cannot be associated to a log source,
the event is assigned to a generic log source. You can identify these events by searching for events
that are associated with the SIM Generic log source or by using the Event is Unparsed filter.

Stored events

The event cannot be understood or parsed by QRadar. When QRadar cannot parse an event, it writes
the event to disk and categorizes the event as stored.

Whatever events fall into the stored category, for these we need to write regex (regular
expressions).

https://rubular.com/
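The notes say stored events need regex before their properties can be extracted. As an added example (not code from these notes and not QRadar's own parser), the Python below uses one regex per property, each with a single capture group, which is the shape QRadar's custom event property editor expects, and runs them over constructed log lines from a hypothetical unsupported firewall called "acmefw". Lines that lack the required fields are set aside as "stored", mirroring the behaviour described above. The log format, device name and the action-to-category mapping are all assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample events from a hypothetical unsupported firewall ("acmefw");
# the format is invented for this example, not taken from a real product.
SAMPLE_EVENTS = [
    "<134>Jun 22 10:13:05 fw01 acmefw: action=deny src=10.1.2.3 dst=192.168.56.101 spt=51234 dpt=514 proto=tcp rule=17",
    "<134>Jun 22 10:13:06 fw01 acmefw: action=permit src=10.1.2.9 dst=10.1.5.20 spt=40211 dpt=443 proto=tcp rule=3",
    "<134>Jun 22 10:13:07 fw01 acmefw: action=drop src=172.16.8.4 dst=10.1.5.20 spt=6000 dpt=23 proto=tcp rule=99",
    "<134>Jun 22 10:13:08 fw01 acmefw: heartbeat ok uptime=864000",
]

# One regex per property with exactly one capture group: the group is the
# value that gets extracted, as in a QRadar custom event property.
PROPERTY_REGEX = {
    "action":   re.compile(r"\baction=(\w+)"),
    "src_ip":   re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})"),
    "dst_ip":   re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})"),
    "src_port": re.compile(r"\bspt=(\d{1,5})"),
    "dst_port": re.compile(r"\bdpt=(\d{1,5})"),
    "protocol": re.compile(r"\bproto=(\w+)"),
    "rule_id":  re.compile(r"\brule=(\d+)"),
}

# Illustrative mapping (this example's assumption) from the vendor's action
# keyword to a QRadar-style firewall category; deny and drop both map to Deny.
ACTION_CATEGORY = {
    "permit": "Firewall Permit",
    "deny": "Firewall Deny",
    "drop": "Firewall Deny",
}

# Without these three properties the event cannot be categorized at all.
REQUIRED = ("action", "src_ip", "dst_ip")


def parse_event(raw: str) -> Optional[dict]:
    """Extract properties from one raw event.

    Returns None when a required property is missing, which is the local
    equivalent of QRadar writing the event to disk as a 'stored' event.
    """
    props = {}
    for name, regex in PROPERTY_REGEX.items():
        match = regex.search(raw)
        if match:
            props[name] = match.group(1)
    if not all(key in props for key in REQUIRED):
        return None
    for key in ("src_port", "dst_port", "rule_id"):
        if key in props:
            props[key] = int(props[key])
    props["category"] = ACTION_CATEGORY.get(props["action"].lower(), "Unknown")
    return props


def classify(events):
    """Split raw events into parsed property dicts and stored raw strings."""
    parsed, stored = [], []
    for raw in events:
        props = parse_event(raw)
        if props is None:
            stored.append(raw)
        else:
            parsed.append(props)
    return parsed, stored


if __name__ == "__main__":
    parsed, stored = classify(SAMPLE_EVENTS)
    for p in parsed:
        print(p)
    print(f"parsed={len(parsed)} stored={len(stored)}")
```

Testing each regex against a few real raw payloads from the Log Activity tab (or on the Rubular site linked above) before saving it as a custom property avoids the common failure where a pattern matches the sample but not the field order or spacing the device actually emits.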

What are the services under QRadar:

systemctl status tomcat

systemctl status httpd

systemctl status hostcontext

systemctl status hostservices
systemctl status ecs-ec

systemctl status ecs-ep
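As an added example (not code from these notes or from IBM), the Python below turns the service list above into a daily health check: it asks `systemctl is-active` for each core service and summarizes anything that is not active. The service names are the ones listed in the notes, plus ecs-ec-ingress since it runs independently of hostcontext; SAMPLE_STATES is constructed for an offline run and is not output captured from a real appliance.

```python
import subprocess
from typing import Callable, Dict, Iterable, List

# Core QRadar services to check. ecs-ec-ingress is included because it runs
# independently of hostcontext (QRadar 7.3.1+) and is easy to overlook.
QRADAR_SERVICES = [
    "tomcat", "httpd", "hostcontext", "hostservices",
    "ecs-ec-ingress", "ecs-ec", "ecs-ep",
]


def systemctl_is_active(service: str) -> str:
    """Return the unit state reported by 'systemctl is-active'
    (active, inactive, failed, activating, ...).

    The command exits non-zero for anything but 'active', so the state is
    read from stdout instead of relying on check=True.
    """
    result = subprocess.run(
        ["systemctl", "is-active", service],
        capture_output=True, text=True, check=False,
    )
    return result.stdout.strip() or "unknown"


def collect_states(services: Iterable[str],
                   query: Callable[[str], str] = systemctl_is_active) -> Dict[str, str]:
    """Query each service's state. 'query' is injectable so the reporting
    logic can be exercised offline with recorded states."""
    return {svc: query(svc) for svc in services}


def unhealthy(states: Dict[str, str]) -> List[str]:
    """Services that are not 'active', in check order, for escalation."""
    return [svc for svc, state in states.items() if state != "active"]


def report(states: Dict[str, str]) -> str:
    """Plain-text summary suitable for pasting into a daily health-check ticket."""
    width = max(len(svc) for svc in states)
    lines = [f"{svc.ljust(width)}  {state}" for svc, state in states.items()]
    bad = unhealthy(states)
    if bad:
        lines.append(f"RESULT: {len(bad)} service(s) need attention: {', '.join(bad)}")
    else:
        lines.append("RESULT: all core services active")
    return "\n".join(lines)


# Constructed states standing in for a host whose event pipeline is down;
# not captured from a real QRadar appliance.
SAMPLE_STATES = {
    "tomcat": "active", "httpd": "active", "hostcontext": "active",
    "hostservices": "active", "ecs-ec-ingress": "active",
    "ecs-ec": "failed", "ecs-ep": "inactive",
}

if __name__ == "__main__":
    # On a QRadar host this queries systemd; elsewhere it reports 'unknown'.
    print(report(collect_states(QRADAR_SERVICES)))
```

Run it as root on the Console and each managed host. Because ecs-ec-ingress is checked separately from ecs-ec, the report distinguishes "events are still being collected but not processed" from a full collection outage, which changes how urgently the L1 team needs to be told about a gap in Log Activity.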

Services under hostcontext:

The hostcontext is the primary service that runs on each managed host and controls core QRadar
processes. To verify the status of the hostcontext service, type:

systemctl status hostcontext

What is hostcontext:

Hostcontext is responsible for listening for deployment requests from the QRadar Console, reporting
deployed status, downloading configurations, replication processes (every 60 seconds), reporting host
status, and High Availability (HA) host status. Administrators should be aware that hostcontext is the
manager of other core QRadar services. A restart of hostcontext stops and starts the following
services:

Accumulator

Ariel_query_server (Managed hosts)

ECS (event pipeline for event and flow data)

ECS-EC (Protocols, license Throttling, Routing, DSM Parsing, Traffic analysis, Coalescing, Forwarding)

ECS-EP (Event Throttling, CRE, Magistrate, Event Storage, Offense Analyzer, Host Profiler, Event
Streaming)

Note: QRadar 7.3.1 added the service ecs-ec-ingress to QRadar to allow event collection outside
of service restarts.

Historical Correlation server

Ha_manager

Offline Forwarder

Scaserver (X-Force URL and IP reputation updates)

QFlow (Flows / Network Activity data)

VIS (scanners)

Reporting executor (Console)

Asset Profiler (Console)

Tunnel Services (Console)

Ariel_proxy_server (Console)

Restarting hostcontext

Hostcontext does NOT restart ecs-ec-ingress. When required, the ecs-ec-ingress service can be
restarted independently of hostcontext. Because of this, administrators can restart hostcontext
without impacting event collection. Performing a Deploy Change restarts hostcontext, which can
affect the services that are running on appliances. Restarting hostcontext might cause an
interruption in the services listed here:

Accumulator

Ariel_query_server (Managed hosts)

Historical Correlation server

Offline Forwarder

Scaserver (X-Force URL and IP reputation updates)

QFlow (Flows / Network Activity data)

VIS (scanners)

Reporting executor (Console)

Asset Profiler (Console)

Tunnel Services (Console)

Ariel_proxy_server (Console)

Ariel query to fetch the EPS count (24 hours):

SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / 86400 AS "EPS in Interval" FROM events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 1 DAYS

The divisor must equal the interval length in seconds: 86400 for LAST 1 DAYS. The 5-minute form of this query uses LAST 5 MINUTES and divides by 300.


Second method: in Log Activity, select the last 24 hours filter and take the total event count.

EPS= Total events count in last 24 hours/86400
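As an added example (not from these notes), the Python below applies the 24-hour formula per log source and also computes the peak EPS over fixed one-minute buckets, which the daily average hides. The records (log source name, UTC timestamp, eventcount) are constructed; eventcount greater than 1 stands in for coalesced events, so the code sums eventcount rather than counting rows, exactly as the AQL above does.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY_SECONDS = 86400  # divisor for a 24-hour window: EPS = count / 86400

# Constructed sample records: (log source name, event time in UTC, eventcount).
# eventcount > 1 mirrors QRadar coalescing identical events into one record.
T0 = datetime(2023, 6, 22, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("fw01", T0.replace(hour=0, minute=0, second=5), 6000),
    ("fw01", T0.replace(hour=0, minute=0, second=35), 3000),
    ("fw01", T0.replace(hour=1, minute=0, second=0), 77400),
    ("dc01", T0.replace(hour=0, minute=2, second=0), 4320),
]


def totals_per_source(records):
    """Sum eventcount per log source (the AQL SUM(eventcount) GROUP BY)."""
    totals = defaultdict(int)
    for source, _ts, count in records:
        totals[source] += count
    return dict(totals)


def average_eps(records, window_seconds=DAY_SECONDS):
    """Average EPS per log source over the window.

    This is SUM(eventcount) / <interval>, so the divisor has to match the
    LAST clause of the query: 300 for 5 minutes, 86400 for 1 day.
    """
    return {src: n / window_seconds for src, n in totals_per_source(records).items()}


def peak_eps(records, bucket_seconds=60):
    """Peak EPS per log source: group events into fixed buckets and report the
    busiest bucket's rate. Licensing is enforced against the arrival rate,
    so a daily average can hide bursts well above the licensed EPS."""
    buckets = defaultdict(int)
    for source, ts, count in records:
        bucket = int(ts.timestamp()) // bucket_seconds
        buckets[(source, bucket)] += count
    peaks = {}
    for (source, _bucket), n in buckets.items():
        peaks[source] = max(peaks.get(source, 0.0), n / bucket_seconds)
    return peaks


def total_average_eps(records, window_seconds=DAY_SECONDS):
    """Deployment-wide average EPS: total events in window / window length."""
    return sum(totals_per_source(records).values()) / window_seconds


if __name__ == "__main__":
    print("24h average per source:", average_eps(SAMPLE_RECORDS))
    print("peak per source (1-min buckets):", peak_eps(SAMPLE_RECORDS))
    print("deployment average:", total_average_eps(SAMPLE_RECORDS))
```

In the sample, fw01 averages 1 EPS over the day yet peaks at 1290 EPS in a single minute; comparing the peak column, not just the 24-hour average, against the licensed EPS is what tells you whether the burst buffer and license throttling are being hit.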

>We call.

Event Collector / Flow Collector

Event Processor / Flow Processor

Console

All of the above devices are called managed hosts.

>Push, Pull mechanism.

Push mechanism (except Windows, all devices follow the push mechanism)

Pull mechanism (all Windows devices follow the pull mechanism: QRadar itself requests the logs from the
Windows machine)
