All Fundamental Series Microsoft Cisco Security VMware Oracle RedHat Project Management EC-Council AWS

Koenig/Security Incidents and event management with qradar (Advanced)

Overview Schedule & Fees Course Benefits Student Feedback FAQ Course Modules

Security Incidents and event management with qradar (Advanced) Certification Training Course Overview

Security Information and Event Management with QRadar provides deep visibility into network, user, and application activity. It provides collection, normalization, correlation, and secure storage of events, flows, assets, and vulnerabilities. Suspected attacks and policy breaches are highlighted as offenses. In this class, you learn to navigate the user interface and how to investigate crimes. You hunt and examine the data from which QRadar SIEM concluded a suspicious activity. Hands-on exercises reinforce the skills learned.

Audience: This basic class is suited for security analysts, security technical architects, offense managers, network administrators, and system administrators.

Security Incidents and event management with qradar (Advanced) (16 Hours) Download Course Contents

Live Online Training Fee On Request

Group Training Date On Request	1-on-1 Training (GTR) 4 Hours 8 Hours Week Days Weekend Start Time : At any time 12 AM 12 PM Training Schedule: GTR=Guaranteed to Run

Customers who bought this course also bought

Advance Database Security Testing Training Course

Android Application Testing Training Course

JavaScript Bootcamp Course

Search Engine Optimization (SEO) Training Course

Unit Testing Courses

Veritas NetBackup 7.7: Advanced Administration/DP0134 Course

Course Modules

Module 1: Using administration tools

QRadar SIEM reminder
Admin tab
Advanced list options
About the deployment editor
Host Context overview
Configuring Host Context
Adding a managed host
Deployment Editor: Configuring collectors
Auto update overview
Configuration auto updates: Basic tab
Configuring auto updates: Advanced tab
System and license management
Uploading and allocating a license
Reverting an allocation unlocks a license
Replacing a license by allocating a new one
Activating a license
Exporting license key information
Web-based System Administration Interface
QRadar Console Settings
QRadar System Settings
Global System Notifications
Managing custom offense close reasons
Authorized services
Using authorized services
Authorized services URLs

Module 2: Creating the network hierarchy

Network hierarchy overview
QRadar SIEM network hierarchy
Network hierarchy recommendations
Adding a network hierarchy
Building a group node versus leaf node
Remote networks and services overview
Adding a remote networks object
Managing remote services
Adding remote services

Module 3: Updated administration tools

Asset profiles overview
Server discovery overview
Importing and exporting assets
Viewing scanners
Reference Set overview
Reference Set elements
Index management overview
Enabling indexes

Module 4: Managing users

User account overview
Creating user roles
Security profile overview
Security profile: Permission Precedence tab
Security profile: Networks and Log Sources tab
Editing a security profile
Configuring authentication

Module 5: Managing data

Introduction to data backups
Creating an on-demand configuration backup
Creating a backup schedule
Restoring backup archives
Using event and flow retention buckets
Configure an event retention bucket
Configuring flow retention buckets

Module 6: Collecting log and flow records

Collecting data: Data sources
Log sources through traffic analysis
Adding log sources
Adding log source extensions
Log source parsing order
Flow data overview
Adding a flow source
Adding a flow source with asymmetric routing
Flow source aliases
Adding a flow source alias

Module 7: Collecting Windows log records

About Windows log collection agents
WinCollect
Adaptive Log Exporter (ALE)
Snare agent
WMI protocol
Installing WinCollect
Creating an authorized service for the WinCollect agent
Installing the WinCollect agent software
Applying the machine name, Service Token, and console IP
Adding a log source to the WinCollect agent
Installing an Adaptive Log Exporter (ALE) agent
Configuring the ALE agent
Configuring the destination

Module 8: Managing custom log sources

Custom log sources
Required tools
Integrating unsupported Log Sources
Obtaining a sample log
Obtaining a log sample from a remote location
Uploading the LSX_Template.xml file
Creating a universal DSM log source
Testing the universal DSM log source
Mapping the unknown log records
Example of a LEEF log record event category
Creating a regular expression to extract the log source EventID from a LEEF event
Creating an appropriate regular expression
Common regular expressions
Regular expression recommendations
Using capture groups
Inserting regular expression patterns in the LSX
Cleaning the LSX template
Testing modifications to the LSX document
About QRadar Identifiers (QIDS)
Creating a new QID entry with qidmap_cli.sh
Mapping the Log Source ID to custom QIDs
Mapping Log Source Event IDs to existing QIDs
Testing the mapping
Points to remember about mapping

Module 9: Using rules

About QRadar SIEM rules
About QRadar SIEM Building Blocks
Using Building Blocks
Combining Building Blocks to capture specific events or flows
Linking tests
Linking tests in the correct order
The custom rule engine (CRE)
Attack scenario example
Detecting the attack with a rule

Module 10: Creating rules

Creating rules overview
Rule that captures account creation
Rule that captures access to sensitive data
Rule that captures account deletion
Combining rules to capture a sequence of events
Using time-series and anomaly rules
Conficker example
Creating a search to accumulate data
Creating a time series for the search
Creating an anomaly rule
A CRE event is the default response
Creating a custom rule to catch the pattern
Custom rule response and action

Module 11: Managing false positives

False positive overview
Example 1: Suspicious access to sensitive data
Example 2a: Botnet access: Determining the rule
Example 2b: Searching for contributing events
Example 2c: False positive wizard.
Example 3a: Capturing events first, deciding later
Example 3b: Finding rules with high offense counts
Example 3c: Using the rule to capture events in a report
Example 3d: Analyzing the report
Example 4a: Analyzing offenses by category
Example 4b: Listing the offenses by category § Example 4c: Finding the first rule that triggered
Example 4c: Finding the first rule that triggered
Example 4d: Determining a strategy to eliminate the false positive
Example 4e: Modifying the appropriate Building Blocks
Example 4f: Fine tune the rule that triggered the offense
Tuning guidelines
Commonly edited Building Blocks
Tuning by changing rules
Adjusting and enabling additional rules

Module 12: Using Reference Maps in rules

Reference Maps overview
Reference Maps use cases
Using Reference Maps on the command line
Using ReferenceDataUtil.sh
Using Reference Maps in the user interface
Using Reference Maps in searches
Sample use case of Reference Map of Sets
Creating a Reference Map of Sets
Creating a CRE rule
Creating a group by search
Alternative to a CRE rule
Creating an ADE rule
Managing the Reference Map of Sets
Using the CRE response
Deleting records from the command line

Download Course Contents

Request More Information

Request a call back?

Course Prerequisites

Qradar Foundation

Upon Completion of this Course, you will accomplish following:-

Identify the role and capabilities of the QRadar SIEM licensed program.
Describe how QRadar SIEM collects data and performs vulnerability assessment.
Find out how to navigate and customize the dashboard tab.
Determine how to investigate the data incorporated in an offense and react to an offense.
Discover how to detect, filter, and group events in society to gain vital insights about the crime.
Discover how to make and edit a search that monitors the events of suspicious hosts.
Learn how asset profiles are created and updated, and how to apply them every bit part of an offense investigation.
Determine how to investigate the flows that give to an offense, create and tune false positives, and investigate superfluous.
Discover how to find custom rules in the QRadar SIEM console, assign actions and responses to the rule, and how to configure rules.
Determine how to utilize charts and use advanced filters to analyze specific activities in your surroundings.

Give an edge to your career with Other Technologies certification training courses. Students can join the classes for Security Information and Event Management with QRadar (Administration) at Koenig Campus located at New Delhi, Bengaluru, Shimla, Goa, Dehradun, Dubai & Instructor-Led Online.

Top Trending Technologies

IT Security and Cybersecurity Certification Courses

System Administration Training and Certification Courses

Security Testing Training & Certification Courses

DevOps Certification and Training Courses

Database Management Certification Training Courses

Server Administration Training & Certification Courses

Linux Certification Training Courses

Web Development Courses & Certification Training

Microsoft .Net Course and Certification Training

Compliance Certification Training Courses

FAQ's

Yes, fee excludes local taxes.

We offer below courses: Certified Ethical Hacker V11 -CEH-v11 - CompTIA-SY0-601-Security+ - CompTIA Cybersecurity Analyst (CySA+) - CND V2 - Certified Threat Intelligence Analyst (CTIA) - EC-Council Certified Incident Handler (ECIH V2) - ISTQB-Performance Test Foundation Level - Certified Penetration Testing Professional - CPENT - EC-Council Disaster Recovery Professional v3 - Security Incident and Event Management -