Tuning Guide: IBM Security QRadar


IBM Security QRadar

Version 7.2.4

Tuning Guide


Note: Before using this information and the product that it supports, read the information in Notices and
Trademarks on page 35.

© Copyright IBM Corp. 2012, 2013 All Rights Reserved US Government Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
CONTENTS

INTRODUCTION TO IBM SECURITY QRADAR TUNING


Intended audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Technical documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Contacting customer support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Statement of good security practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1 OVERVIEW

2 THE DEPLOYMENT PHASE


VA scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
DSM updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Updating DSMs automatically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Updating DSMs manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Log source detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Displaying log sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Adding log sources manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Establish and configure flow sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
QFlow Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
NetFlow data collection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Verifying QFlow Collector data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Configuring QFlow Collector devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Verifying NetFlow data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Disabling NetFlow log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Asset profile configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Import assets in CSV format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3 THE TUNING PHASE


Server discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Discovering servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
QRadar rules and offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
CRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Viewing the current CRE configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Investigating offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
QRadar building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Commonly edited building blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Building block tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Editing a Building Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Tuning Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Tuning false positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
False positive rule chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Optimize custom rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Creating an OR condition within the CRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Improving search performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Adding Indexed Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Enabling quick filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Custom extracted properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Cleaning the SIM model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

A IDENTIFYING NETWORK ASSETS

B GLOSSARY

C NOTICES AND TRADEMARKS


Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Privacy policy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

INDEX
INTRODUCTION TO IBM SECURITY QRADAR TUNING

This information is intended for use with IBM® Security QRadar® and provides
information on how to tune your QRadar deployment.

Intended audience

System administrators responsible for tuning must have administrative access to IBM Security QRadar and to your network devices and firewalls. The system administrator must have knowledge of your corporate network and networking technologies.

Technical documentation

For information on how to access more technical documentation, technical notes, and release notes, see the Accessing IBM Security QRadar Documentation Technical Note.
(http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861)

Contacting customer support

For information on contacting customer support, see the Support and Download Technical Note.
(http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861)

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

IBM Security QRadar SIEM Tuning Guide


1 OVERVIEW

This document provides an overview of the steps to set up and tune IBM Security QRadar SIEM software.

It assumes that your QRadar SIEM system is installed and functional. For more
information on installing QRadar SIEM, see the IBM Security QRadar SIEM
Installation Guide.

Tuning your QRadar SIEM system is completed in two phases: deployment and tuning. Table 1-1 describes the tasks required to complete each phase.

Table 1-1 Tuning Checklist

Phase        Task                                              Complete
Deployment   Create your network hierarchy.
             Optional. Configure VA scanners.
             Update your Device Support Modules (DSMs).
             Detect log sources.
             Establish and configure flow sources.
             Configure your asset profiles.
             For more information, see The Deployment Phase.
Tuning       Discover and validate servers.
             Understand and use rules and offenses.
             Populate building blocks.
             Tune false positives.
             Optimize custom rules.
             Clean the SIM model.
             For more information, see The Tuning Phase.

For assistance with tuning your QRadar SIEM system, contact Customer Support.



2 THE DEPLOYMENT PHASE

In the deployment phase you configure essential network, scanner, log source,
and asset configurations that are required to effectively tune QRadar SIEM.

The network hierarchy is used to determine which hosts are local or remote and to monitor specific logical groups or services in your network, such as marketing, demilitarized zones (DMZs), or Voice over IP (VoIP).

You must ensure that all internal address spaces, both routable and non-routable,
are defined within your network hierarchy. Failure to do so can result in QRadar
SIEM generating an excessive number of false positives.

Administrators must define the following top-level objects:

• DMZ: Internet-facing IP addresses.
• Virtual Private Network (VPN): IP addresses used for remote access.
• Data centers and server networks.
• Network management and network devices.

You must configure a weight value of 1 - 100 for each network object. The weight enables QRadar SIEM to rate the same event differently depending on which host it involves, so that an event against a high-weight host is treated as more severe.
Note: Assign higher weight values to servers that contain critical information.
For more information about creating your network hierarchy, see the IBM Security
QRadar SIEM Administration Guide.
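The coverage rule above (every internal range, routable or not, must be in the hierarchy) can be checked mechanically before tuning starts. The following Python script is an added example and is not part of the IBM guide: it models the hierarchy as named CIDR objects with weights (the object names, ranges and weights are assumptions), classifies addresses as local or remote the way the hierarchy does, and lists the parts of the RFC 1918 private space that no object covers, which is exactly where the false positives the guide warns about come from.

```python
# Added example, not from the IBM guide: model a QRadar network hierarchy as
# named CIDR objects with weights, classify IPs as local or remote the way the
# hierarchy does, and report which RFC 1918 ranges are not covered. Hosts in
# uncovered ranges are treated as remote, which is the false-positive source
# the guide warns about. Object names, CIDRs and weights are assumptions.
import ipaddress

# Constructed hierarchy for illustration (names, CIDRs and weights are assumed).
HIERARCHY = [
    {"name": "DMZ",                "cidr": "203.0.113.0/24", "weight": 60},
    {"name": "VPN",                "cidr": "10.200.0.0/16",  "weight": 40},
    {"name": "DataCenter.Servers", "cidr": "10.10.0.0/16",   "weight": 90},
    {"name": "DataCenter.DBs",     "cidr": "10.10.5.0/24",   "weight": 100},
    {"name": "NetMgmt",            "cidr": "10.250.0.0/24",  "weight": 80},
    {"name": "Corp.Users",         "cidr": "192.168.0.0/16", "weight": 20},
]

# Non-routable space the guide says must be fully defined (RFC 1918).
PRIVATE_SPACE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_hierarchy(objects=HIERARCHY):
    """Parse CIDRs, enforce the 1-100 weight rule, order longest prefix first."""
    parsed = []
    for obj in objects:
        if not 1 <= obj["weight"] <= 100:
            raise ValueError(f"{obj['name']}: weight must be 1-100")
        parsed.append((obj["name"], ipaddress.ip_network(obj["cidr"]), obj["weight"]))
    # Longest prefix first so a nested object (DataCenter.DBs) wins over its parent.
    parsed.sort(key=lambda t: t[1].prefixlen, reverse=True)
    return parsed


def classify(ip, hierarchy=None):
    """Return (object name, weight) for a local address, or ('Remote', 0)."""
    hierarchy = hierarchy or load_hierarchy()
    addr = ipaddress.ip_address(ip)
    for name, net, weight in hierarchy:
        if addr in net:
            return name, weight
    return "Remote", 0


def uncovered_private_space(hierarchy=None):
    """Subtract every hierarchy CIDR from RFC 1918 space; return the gaps as strings."""
    hierarchy = hierarchy or load_hierarchy()
    remaining = list(PRIVATE_SPACE)
    for _, net, _ in hierarchy:
        if net.version != 4:
            continue
        next_remaining = []
        for block in remaining:
            if net.subnet_of(block):
                # address_exclude yields the pieces of block that lie outside net
                next_remaining.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                pass  # block lies entirely inside a hierarchy object: covered
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def is_in_gap(ip, gaps):
    """True if ip falls in an uncovered range (QRadar would treat it as remote)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(g) for g in gaps)


if __name__ == "__main__":
    for ip in ("10.10.5.20", "10.10.7.1", "172.16.3.4", "8.8.8.8"):
        print(ip, classify(ip))
    print("Uncovered private space:", uncovered_private_space())
```

Run as a script it prints the classification of a few addresses and the uncovered ranges. The gap list will always contain private ranges you do not use; the condition to satisfy before tuning is that none of the ranges that actually carry your traffic appear in it.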

VA scanners

QRadar SIEM uses vulnerability assessment (VA) information to determine offense threat levels and remove false positives by correlating event data, network activity, and behavioral changes.

To schedule scans and maintain your VA data, you can integrate QRadar SIEM
with VA tools such as third-party scanners. Depending on the scanner type,
QRadar SIEM imports scan results from the scanner server or remotely initiates a
scan.


Scan results identify the operating system and version of each host in the scanned CIDR ranges, along with the open ports and the vulnerabilities found on each system.

Ensure that you download and apply the latest scanner plug-ins from the following
location: http://www.ibm.com/support

For more information about configuring VA scanners, see the Vulnerability Assessment Configuration Guide.

DSM updates

QRadar SIEM uses Device Support Modules (DSMs) to parse and correlate the data that is collected from external log sources, such as firewalls, switches, or routers. DSMs are updated regularly so that QRadar SIEM can correctly interpret and parse the security event information that external devices provide. DSMs can be updated automatically or manually. For more information, see Updating DSMs automatically and Updating DSMs manually.

Although QRadar SIEM automatically detects most devices, some devices require manual or additional configuration. For a list of supported devices and their specific configuration, see the Configuring DSMs Guide.

Updating DSMs automatically

You can automatically download and install DSM updates to QRadar SIEM.

Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
Step 4 On the navigation menu, click Change Settings.
Step 5 From the Auto Update Schedule pane, select the DSM update frequency:
a Frequency - Select the frequency that you want to receive updates.
b Hour - Select the time of day that you want to receive updates.
c Week Day - Select this option if you select Weekly as the update frequency.
d Day of the Month- Select this option if you select Monthly as the update
frequency.
Step 6 From the Update Types pane, select Auto Install from the DSM, Scanner,
Protocol Updates list box.
Step 7 Click Save.
For more information about configuring DSM updates, see the IBM Security
QRadar SIEM Administration Guide.

Updating DSMs manually

You can manually install DSM updates at any time, irrespective of the automatic update schedule.


Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
Step 4 On the navigation menu, click Check for Updates.
Step 5 From the toolbar, select Install > DSM, Scanner, Protocol Updates.
Step 6 Click OK.

Log source detection

QRadar SIEM attempts to automatically detect log sources that send syslog messages to an Event Collector.

For more information about which devices support automatic detection, see the
DSM Configuration Guide.

Log sources are detected when QRadar SIEM receives a specific number of
identifiable syslog messages. A Traffic Analysis function processes syslog
messages. The Traffic Analysis function identifies the DSMs installed on the
system and assigns the appropriate DSM to the log source. Automatically
discovered log sources are displayed in the Log Sources window. For more
information, see Displaying log sources.

QRadar SIEM might not automatically detect log sources with low activity levels.
These devices must be added manually. For more information, see Adding log
sources manually.

Note: DSMs are used to interpret log source data. To receive log source data, you
must ensure that the correct DSMs are installed in QRadar SIEM. For more
information, see DSM updates.

For more information about automatically detecting log sources, see the DSM
Configuration Guide.

Displaying log sources

You can display the log sources that are automatically discovered.

Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Log Sources icon.

Adding log sources manually

You can manually add log sources that QRadar SIEM does not detect automatically.


Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Log Sources icon.
Step 4 On the toolbar, click Add.
Step 5 Configure the parameters. For more information about the Log Source parameters,
see the DSM Configuration Guide.
Step 6 Click Save.
Step 7 On the Admin tab, click Deploy Changes.

Establish and configure flow sources

Flow information is used to detect threats and activity that would otherwise be missed by relying only on event information.

Flows provide network traffic information and can be sent simultaneously to QRadar SIEM in various formats, including flowlog files, NetFlow, J-Flow, sFlow, and Packeteer.

NetFlow, J-Flow, and sFlow are protocols that collect flow data from network
devices, such as routers, and send this data to QRadar SIEM. NetFlow, J-Flow,
and sFlow are configured in a similar way, but each is deployed according to the
protocol that each network device supports.

Note: If you are collecting NetFlow, J-Flow, or sFlow data, verify that QRadar
SIEM is collecting complete flow sets. Incomplete or missing flows can make it
difficult to analyze network activity.

QFlow Collectors

QRadar SIEM captures traffic from mirror, span, or tap ports within your network by using an IBM Security QRadar QFlow Collector.

The QFlow Collector is enabled by default when the mirror, span, or tap port is connected to a monitoring interface on your QRadar SIEM appliance. Common mirror port locations include core, DMZ, server, and application switches.

The QFlow Collector provides full application detection of network traffic regardless of the port on which the application is operating. For example, if the Internet Relay Chat (IRC) protocol is communicating on port 7500 TCP, the QFlow Collector identifies the traffic as IRC and provides a packet capture of the beginning of the conversation. This differs from NetFlow and J-Flow, which indicate that there is traffic on port 7500 TCP without identifying the protocol.

NetFlow data collection

NetFlow must be configured to send data to the nearest QFlow Collector or Flow Processor appliance.

Configure NetFlow to export data as quickly as possible by setting the active flow cache timeout on the external network device to one minute (on Cisco IOS, for example, ip flow-cache timeout active 1). Ensure that both ingress and egress traffic is forwarded from the router; not all routers can do this. If the router can only provide a sample of the traffic, configure it to use the lowest possible sampling rate that does not increase the load on the device. When sampling is used, whole conversations are not tracked, so use sampling only for initial testing.

To ensure your NetFlow configuration is functioning correctly, you must validate your QRadar SIEM NetFlow data. For more information, see Verifying NetFlow data collection.

Verifying QFlow Collector data collection

You can verify that your QFlow Collector is receiving network flow data.

Procedure
Step 1 Click the Network Activity tab.
Step 2 From the Network Activity toolbar, select Search > New Search.
Step 3 In the Search Parameters pane, add a flow source search filter:
a From the first list box, select Flow Source.
b From the third list box, select your QFlow interface name.
Step 4 Click Add Filter.
Step 5 In the Search Parameters pane, add a protocol search filter.
a From the first list box, select Protocol.
b From the third list box, select TCP.
Step 6 Click Add Filter.
Step 7 Click Filter.

What to do next
If the Source Bytes or Destination Bytes column displays a large volume of
results with zero bytes, your network tap or span port might not be correctly
configured. You must verify your QFlow configuration. For more information, see
Configuring QFlow Collector devices.

Configuring QFlow Collector devices

You can verify that your QFlow Collector is operational.

About this task
If you are running dynamic routing protocols, traffic might follow different paths to
and from a host. If you have more than one traffic path or route at the locations
where you are collecting flow data, check with your network administrator to
ensure that you are collecting flows from all routers that the traffic can traverse.


Procedure
Step 1 Ensure that span or tap ports are configured correctly to process both received and transmitted packets.
Step 2 To ensure visibility into both sides of any asymmetric routes, select the Enable Asymmetric Flows check box on the flow source configuration.

Verifying NetFlow data collection

To ensure your NetFlow configuration is functioning correctly, you must validate your QRadar SIEM NetFlow data. NetFlow should be configured to send data to the nearest QFlow Collector or Flow Processor appliance.

About this task


By default, QRadar SIEM listens on the management interface for NetFlow traffic
on port 2055 UDP. You can assign additional NetFlow ports if necessary.

Procedure
Step 1 Click the Network Activity tab.
Step 2 From the Network Activity toolbar, select Search > New Search.
Step 3 In the Search Parameters pane, add a flow source search filter.
a From the first list box, select Flow Source.
b From the third list box, select your NetFlow router’s name or IP address.
Note: If your NetFlow router is not displayed in the third list box, QRadar SIEM
might not detect traffic from the router. For further assistance, contact Customer
Support.
Step 4 Click Add Filter.
Step 5 In the Search Parameters pane, add a protocol search filter.
a From the first list box, select Protocol.
b From the third list box, select TCP.
Step 6 Click Add Filter.
Step 7 Click Filter.

What to do next
Locate the Source Bytes and Destination Bytes columns. If either column
displays a large volume of results with zero bytes, your NetFlow configuration
might be incomplete. You must verify your NetFlow configuration.
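Both verification procedures (QFlow above and NetFlow here) end with the same judgement call: is the share of zero-byte flows large enough to mean one direction of traffic is missing? The following Python script is an added example, not part of the IBM guide, that applies that check to flow records per flow source and says which direction is missing, so the symptom can be mapped to a one-way span/tap or an ingress-only export. The flow records, flow source names and the 50% threshold are constructed assumptions.

```python
# Added example, not from the IBM guide: run the zero-byte check from the
# QFlow and NetFlow verification procedures over flow records as a script,
# so that a flow source with one-sided visibility is flagged per source
# rather than eyeballed in the Network Activity tab. Flow records and source
# names are constructed; the 50% threshold is an assumption.
from collections import defaultdict

# Constructed TCP flow records: (flow_source, src_ip, dst_ip, src_bytes, dst_bytes)
SAMPLE_FLOWS = [
    ("eth1-span",   "10.10.1.5",    "203.0.113.7",  4200, 18800),
    ("eth1-span",   "10.10.1.6",    "203.0.113.9",   560,  2100),
    ("eth1-span",   "198.51.100.3", "10.10.1.20",    120,     0),  # unanswered SYN, legitimate
    ("eth1-span",   "10.10.1.7",    "203.0.113.7",  9000, 41000),
    ("rtr-edge-01", "10.10.2.5",    "203.0.113.10", 1500,     0),
    ("rtr-edge-01", "10.10.2.6",    "203.0.113.11", 3300,     0),
    ("rtr-edge-01", "10.10.2.7",    "203.0.113.12",  700,     0),
    ("rtr-edge-01", "10.10.2.8",    "203.0.113.13", 2000,  5100),
    ("rtr-edge-02", "10.10.3.5",    "203.0.113.20",  800,  3900),
    ("rtr-edge-02", "10.10.3.6",    "203.0.113.21",  640,  2200),
]


def flow_source_health(flows, threshold=0.5):
    """Per flow source, count flows with zero bytes in either direction and
    return a verdict. A few zero-byte flows are normal (scans, refused
    connections); a majority means half of each conversation never reaches
    QRadar, which is what a one-way span/tap or ingress-only export looks like."""
    stats = defaultdict(lambda: {"flows": 0, "zero_src": 0, "zero_dst": 0, "zero_either": 0})
    for source, _src_ip, _dst_ip, src_bytes, dst_bytes in flows:
        s = stats[source]
        s["flows"] += 1
        if src_bytes == 0:
            s["zero_src"] += 1
        if dst_bytes == 0:
            s["zero_dst"] += 1
        if src_bytes == 0 or dst_bytes == 0:
            s["zero_either"] += 1

    report = {}
    for source, s in stats.items():
        ratio = s["zero_either"] / s["flows"]
        if ratio >= threshold:
            side = ("destination (reply)" if s["zero_dst"] >= s["zero_src"]
                    else "source (request)")
            verdict = (f"SUSPECT: {ratio:.0%} of flows have zero {side} bytes; "
                       "check that the span/tap mirrors both directions and that the "
                       "exporter sends both ingress and egress flows (or enable "
                       "asymmetric flows)")
        else:
            verdict = f"OK: {ratio:.0%} zero-byte flows"
        report[source] = {**s, "zero_ratio": round(ratio, 2), "verdict": verdict}
    return report


if __name__ == "__main__":
    for source, info in flow_source_health(SAMPLE_FLOWS).items():
        print(f"{source}: {info['verdict']}")
```

Feed it the rows exported from the Network Activity search (Flow Source, Source Bytes, Destination Bytes are enough) and read the verdict per source; a source that is SUSPECT on the reply side is the case the QFlow "What to do next" describes.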

Disabling NetFlow log messages

You can disable NetFlow log messages to prevent them from consuming log file space.

About this task


If your NetFlow router is configured to sample flows, the following message can be logged in the QRadar SIEM log file. The message indicates that sequence numbers on the exported packets were missed. If the number of missed flows is consistent with your sampling rate, you can ignore the message.

Nov  3 16:01:03 qflowhost [11519] qflow115: [WARNING] default_Netflow: Missed 30 flows from 10.10.1.1 (2061927611,2061927641)

Procedure
Step 1 Click the Admin tab.
Step 2 On the Admin toolbar, click Deployment Editor.
Step 3 Right-click the component that is specified in the error message and select
Configure.
Step 4 On the toolbar, click Advanced.
Step 5 From the General Settings expansion list, identify the Verify NetFlow Sequence
Numbers field, and select No from the list box.
Step 6 Click Save.
Step 7 Click the Saves recent changes and closes editor icon to close the Deployment
Editor.
Step 8 Click Deploy Changes.
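Before turning sequence verification off for a component, it is worth knowing which exporters the gaps actually come from. The Python script below is an added example and not part of the IBM guide: it parses the "Missed N flows" warnings out of a QRadar log, aggregates them per NetFlow exporter, and separates the gaps from exporters known to sample (which the guide says you can ignore or suppress) from gaps on unsampled exporters, which mean export datagrams are being lost somewhere between router and collector. The log excerpt is constructed from the guide's sample line, the exporter sampling table is an assumption, and the lost-datagram estimate assumes NetFlow v5 (at most 30 records per datagram).

```python
# Added example, not from the IBM guide: parse the qflow "Missed N flows"
# warnings out of a QRadar log, aggregate them per NetFlow exporter, and
# separate the expected gaps from sampled exporters (which the guide says
# you can ignore or suppress) from gaps on unsampled exporters, which mean
# export datagrams are being lost. The log lines are constructed from the
# guide's sample message; the exporter sampling table is an assumption.
import re
from collections import defaultdict

MISSED_RE = re.compile(
    r"(?P<component>qflow\d+): \[WARNING\]\s+(?P<source>\S+): "
    r"Missed (?P<missed>\d+) flows from (?P<exporter>[\d.]+) "
    r"\((?P<seq_from>\d+),(?P<seq_to>\d+)\)"
)

# NetFlow v5 carries at most 30 flow records per UDP datagram, so a gap of 30
# in the sequence space is about one lost export datagram (v5 assumed here).
V5_FLOWS_PER_DATAGRAM = 30

# Assumed exporter configuration: exporter IP -> 1:N packet sampling rate.
SAMPLED_EXPORTERS = {"10.10.1.1": 100}

# Constructed log excerpt based on the guide's sample message.
SAMPLE_LOG = """\
Nov  3 16:01:03 qflowhost [11519] qflow115: [WARNING] default_Netflow: Missed 30 flows from 10.10.1.1 (2061927611,2061927641)
Nov  3 16:01:08 qflowhost [11519] qflow115: [WARNING] default_Netflow: Missed 29 flows from 10.10.1.1 (2061927671,2061927700)
Nov  3 16:01:09 qflowhost [11519] qflow115: [WARNING] default_Netflow: Missed 1200 flows from 10.10.2.1 (88120001,88121201)
Nov  3 16:01:10 qflowhost [11519] qflow115: [INFO] default_Netflow: 512 flows processed
"""


def parse_missed_warnings(log_text):
    """Extract one record per 'Missed N flows' warning; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = MISSED_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "component": d["component"],
            "flow_source": d["source"],
            "exporter": d["exporter"],
            "missed": int(d["missed"]),
            "seq_from": int(d["seq_from"]),
            "seq_to": int(d["seq_to"]),
        })
    return events


def summarize_by_exporter(events, sampled=SAMPLED_EXPORTERS):
    """Aggregate missed flows per exporter and attach a verdict."""
    per = defaultdict(lambda: {"warnings": 0, "missed": 0, "span_mismatch": 0})
    for e in events:
        s = per[e["exporter"]]
        s["warnings"] += 1
        s["missed"] += e["missed"]
        # In the guide's sample the tuple is the skipped sequence range, so its
        # width should equal the missed count; anything else is worth a look.
        if e["seq_to"] - e["seq_from"] != e["missed"]:
            s["span_mismatch"] += 1
    report = {}
    for exporter, s in per.items():
        lost_datagrams = -(-s["missed"] // V5_FLOWS_PER_DATAGRAM)  # ceiling division
        if exporter in sampled:
            verdict = (f"sampled 1:{sampled[exporter]}: sequence gaps are expected; "
                       "ignore, or set Verify NetFlow Sequence Numbers to No")
        else:
            verdict = (f"unsampled: about {lost_datagrams} export datagram(s) lost; "
                       "check exporter load, the UDP path and collector capacity")
        report[exporter] = {**s, "est_lost_datagrams": lost_datagrams, "verdict": verdict}
    return report


if __name__ == "__main__":
    for exporter, info in summarize_by_exporter(parse_missed_warnings(SAMPLE_LOG)).items():
        print(exporter, info)
```

The point of the split is that the procedure above disables sequence checking for the whole component, so an unsampled exporter that is genuinely dropping datagrams would go silent too; run this first and fix those exporters before you turn the check off.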

Asset profile configuration

QRadar SIEM automatically discovers the assets on your network from passive QFlow data and vulnerability data, and builds an asset profile that lists the services running on each asset.

Asset profile data is used for correlation purposes to help reduce false positives.
For example, if an attack attempts to exploit a specific service running on a specific
asset, QRadar SIEM determines if the asset is vulnerable to this attack by
correlating the attack against the asset profile.

Note: Log sources, flow data or VA scanners must be configured for asset profiles
to be displayed in the user interface.

You can define specific IP addresses (servers) as assets by importing existing assets in comma-separated value (CSV) format. For more information, see Import assets in CSV format. Adding an asset profile enables you to identify an IP address by name and to provide a description and weight for the asset.

For more information about managing assets, see the IBM Security QRadar SIEM
Administration Guide.

Import assets in CSV format

You can import asset profile data in CSV format. When you import asset profile data in CSV format, the file must have the following format:


ip,name,weight,description

The following table describes the parameters that you must configure:
Table 2-2 Asset profile import CSV format parameters

Parameter    Description
ip           Any valid IPv4 address in dotted-decimal format, for example 192.168.5.34.
name         The name of the asset, up to 255 characters in length, for example WebServer01. Commas are not valid in this field; a comma invalidates the import process.
weight       A number from 0 to 10 that indicates the importance of the asset on your network. A value of 0 denotes low importance, while 10 denotes very high importance.
description  A textual description of the asset, up to 255 characters in length. This value is optional.

Examples of Acceptable CSV Entries

The following entries can be included in a CSV file:


• 192.168.5.34,WebServer01,5,Main Production Web Server
• 192.168.5.35,MailServ01,0,
The CSV import process merges the imported entries with any asset profile information that is already stored in your QRadar SIEM system.

For more information about configuring assets, see the IBM Security QRadar
SIEM Administration Guide.
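Because a single stray comma invalidates the whole import and the import merges into the existing profiles, it pays to validate the file before uploading it. The following Python script is an added example and not part of the IBM guide: it checks each line against the ip,name,weight,description format and the limits in Table 2-2, and flags duplicate IPs within the file, which the merge would otherwise resolve silently. The sample file is constructed and deliberately contains one of each error.

```python
# Added example, not from the IBM guide: validate an asset import file against
# the ip,name,weight,description format and the limits in Table 2-2 before
# handing it to QRadar, and flag duplicate IPs, which the merge on import
# would otherwise silently resolve. The sample file is constructed.
import ipaddress

FIELDS = ("ip", "name", "weight", "description")
NAME_MAX = DESC_MAX = 255
WEIGHT_MIN, WEIGHT_MAX = 0, 10

# Constructed sample: two good rows, then a comma in a name, a bad address,
# an out-of-range weight and a duplicate IP.
SAMPLE_CSV = """\
192.168.5.34,WebServer01,5,Main Production Web Server
192.168.5.35,MailServ01,0,
192.168.5.36,DB,Server01,9,Primary DB
192.168.5.300,BadIP01,3,
192.168.5.37,Core01,11,Weight out of range
192.168.5.34,WebServer01-dup,5,Duplicate IP
"""


def validate_row(fields):
    """Return an error string for one split CSV row, or None if it is acceptable."""
    if len(fields) != len(FIELDS):
        return f"expected {len(FIELDS)} fields, found {len(fields)} (stray comma in a field?)"
    ip, name, weight, description = fields
    try:
        ipaddress.IPv4Address(ip)  # dotted-decimal IPv4, as Table 2-2 requires
    except ipaddress.AddressValueError:
        return f"invalid IPv4 address {ip!r}"
    if not name or len(name) > NAME_MAX:
        return f"name must be 1-{NAME_MAX} characters"
    if not weight.isdigit() or not WEIGHT_MIN <= int(weight) <= WEIGHT_MAX:
        return f"weight must be an integer {WEIGHT_MIN}-{WEIGHT_MAX}, got {weight!r}"
    if len(description) > DESC_MAX:
        return f"description longer than {DESC_MAX} characters"
    return None


def validate_asset_csv(text):
    """Return (valid_rows, errors). Rows are dicts keyed by FIELDS; errors are
    (line_number, message) tuples. Only the first occurrence of an IP is kept."""
    valid, errors, seen = [], [], {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        error = validate_row(fields)
        if error is None and fields[0] in seen:
            error = f"duplicate IP {fields[0]} (first seen on line {seen[fields[0]]})"
        if error:
            errors.append((line_no, error))
            continue
        seen[fields[0]] = line_no
        row = dict(zip(FIELDS, fields))
        row["weight"] = int(row["weight"])
        valid.append(row)
    return valid, errors


if __name__ == "__main__":
    rows, problems = validate_asset_csv(SAMPLE_CSV)
    print(f"{len(rows)} valid rows")
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
```

Only upload the file once the error list is empty; the duplicate check is there because the guide says the import merges, so two rows for one IP would leave you with whichever one QRadar processed last.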



3 THE TUNING PHASE

In the tuning phase, you discover servers, investigate offenses, modify building
blocks, tune false positives, optimize custom rules, and improve search
performance. Before you tune QRadar SIEM, you must wait 24 hours to enable
QRadar SIEM to detect the servers on the network, store events and flows, and
create offenses based on existing rules.

Server discovery

QRadar SIEM automatically discovers and classifies servers in your network, providing a faster initial deployment and easier tuning when network changes occur.

The Server Discovery function uses the asset profile database to discover many
types of servers on your network. This function lists automatically discovered
servers and enables you to select which servers you want to include in building
blocks. For more information, see QRadar building blocks.

For more information on server discovery, see the IBM Security QRadar SIEM
Administration Guide.

Note: To discover servers, QRadar SIEM must receive vulnerability assessment (VA) scanner data or flow traffic. Server Discovery uses this data to configure port mappings in the asset profile. For more information on VA, see the Vulnerability Assessment Configuration Guide.

QRadar SIEM uses building blocks to tune the system and allow additional
correlation rules to be enabled. This reduces the number of false positives
detected by QRadar SIEM, and helps you to identify business critical assets. For
more information on false positives, see Tuning false positives.

Administrators must determine which servers to discover.

Authorized servers
You can enable the Server Discovery function to add authorized infrastructure
servers to a selected building block. The Server Discovery function selects the
correct building block or rule for discovered servers and enables QRadar SIEM to
monitor these servers while suppressing false positives that are specific to the
server category.


Multiple building blocks

Servers might belong to multiple categories. Enable QRadar SIEM to place these servers in multiple building blocks. For example, Active Directory domain controllers might be identified as both Windows and DNS servers.

Identify authorized servers

After reviewing the server discovery list, you might not recognize every server in it. These servers might be located in another business unit or operate within a testing or staging environment. If you identify these servers as authorized, add them to the building block. For more information, see QRadar building blocks.

Categorize servers
You can enable QRadar SIEM to categorize unauthorized servers or servers
running unauthorized services into a related building block. For more information,
see Table 3-1. If categorizing servers generates an excessive number of offenses,
then use the Server Discovery function to place the servers in a building block.

Discovering servers

The Server Discovery function uses the QRadar SIEM asset profile database to discover different server types based on port definitions.

About this task


Server discovery enables you to select which servers to add to a server type
building block. This feature makes the discovery and tuning process simpler and
faster by providing a fast mechanism to insert servers into building blocks.

Procedure
Step 1 Click the Assets tab.
Step 2 On the navigation menu click Server Discovery.
Step 3 From the Server Type drop-down list box, select the server type you want to
discover. The default is Database Servers.
Step 4 Select the option to determine the servers you want to discover:
• All - Search all servers in your deployment with the currently selected server
type.
• Assigned - Search servers in your deployment that have been previously
assigned to the currently selected server type.
• Unassigned - Search servers in your deployment that have not been
previously assigned.
Step 5 From the Network list box, select the network you want to search.
Step 6 Click Discover Servers.
Step 7 In the Matching Servers table, select the check box or boxes of all the servers you want to assign to the server role.
Step 8 Click Approve Selected Servers.


What to do next
If you want to modify the search criteria, click either Edit Ports or Edit Definition.

For more information on discovering servers, see the IBM Security QRadar SIEM
Administration Guide.
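What the procedure above does in the UI is a port-definition match over the asset profile database with three filters (server type, All/Assigned/Unassigned, network), followed by approval into the server type's building block. The following Python script is an added example and not part of the IBM guide: it reproduces that logic over constructed asset records so the filters can be reasoned about, including the domain controller case from "Multiple building blocks" that matches two server types. The port definitions, asset records and the reading of "Unassigned" as "not yet assigned to the selected type" are assumptions.

```python
# Added example, not from the IBM guide: reproduce the Server Discovery logic
# as a script: match asset-profile open ports against a server type's port
# definition, apply the All/Assigned/Unassigned and Network filters, and
# produce the IP list to approve into the server type building block.
# Port definitions, asset records and the meaning of "Unassigned" (not yet
# assigned to the selected type) are assumptions.
import ipaddress

# Assumed port definitions per server type (the UI lets you change these via Edit Ports).
SERVER_TYPES = {
    "Database Servers": {1433, 1521, 3306, 5432},
    "DNS Servers": {53},
    "Windows Servers": {88, 135, 139, 389, 445},
    "Mail Servers": {25, 110, 143, 465, 587, 993, 995},
}

# Constructed asset profile records: IP, open TCP ports, types already assigned.
ASSETS = [
    {"ip": "10.10.1.10", "ports": {53, 88, 389, 445}, "assigned": {"Windows Servers"}},  # AD domain controller
    {"ip": "10.10.1.20", "ports": {22, 3306},          "assigned": set()},
    {"ip": "10.10.1.21", "ports": {445, 1433},         "assigned": {"Database Servers"}},
    {"ip": "10.20.5.5",  "ports": {5432},              "assigned": set()},
    {"ip": "10.10.1.30", "ports": {80, 443},           "assigned": set()},
]


def discover_servers(server_type, mode="All", network=None,
                     assets=ASSETS, definitions=SERVER_TYPES):
    """Return matches as [{'ip', 'matched_ports', 'assigned'}] for one server type.
    mode is 'All', 'Assigned' or 'Unassigned'; network is an optional CIDR filter."""
    ports = definitions[server_type]
    net = ipaddress.ip_network(network) if network else None
    matches = []
    for asset in assets:
        if net is not None and ipaddress.ip_address(asset["ip"]) not in net:
            continue
        hit = asset["ports"] & ports
        if not hit:
            continue
        assigned = server_type in asset["assigned"]
        if (mode == "Assigned" and not assigned) or (mode == "Unassigned" and assigned):
            continue
        matches.append({"ip": asset["ip"], "matched_ports": sorted(hit), "assigned": assigned})
    return matches


def building_block_members(server_type, approved_ips, assets=ASSETS):
    """IPs that belong in the BB:HostDefinition block for server_type after approval
    (existing members plus the newly approved ones), sorted numerically."""
    members = {a["ip"] for a in assets if server_type in a["assigned"]}
    members.update(approved_ips)
    return sorted(members, key=ipaddress.ip_address)


if __name__ == "__main__":
    found = discover_servers("Database Servers", mode="Unassigned", network="10.10.0.0/16")
    print("Unassigned database servers in 10.10.0.0/16:", found)
    print("BB:HostDefinition: Database Servers ->",
          building_block_members("Database Servers", [m["ip"] for m in found]))
    # A domain controller shows up under both Windows and DNS, as the guide notes.
    print("DNS servers:", discover_servers("DNS Servers"))
```

Running it with the Unassigned filter is the everyday case: it lists only the candidates you have not yet approved, and the building block membership it prints is what the server type's BB:HostDefinition block should contain after approval.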

QRadar rules and offenses

Rules that are defined in the Custom Rules Engine (CRE) are used to generate offenses.

CRE

The CRE displays the rules and building blocks that are used by QRadar SIEM. Rules and building blocks are stored in two separate lists, because they function differently. The CRE provides information about how the rules are grouped, the types of tests the rule performs, and the responses each rule generates. For more information on viewing your CRE configuration, see Viewing the current CRE configuration.

For more information on Rules and Offenses, see the IBM Security QRadar SIEM
Users Guide.

Rules

A rule is a collection of tests that perform an action when certain conditions are met.

Each rule can be configured to capture and respond to a specific event, sequence
of events, flow sequence, or offense. The actions that can be triggered can include
sending an email or generating a syslog message. A rule can reference multiple
building blocks by using the tests found in the function sections of the test groups
within the Rule Editor. For more information on building blocks, see QRadar
building blocks.

Offenses

As event and flow data passes through the CRE, it is correlated against the configured rules, and an offense is generated based on this correlation.

Offenses are displayed using the Offenses tab. For more information on offenses,
see Investigating offenses.

Viewing the current CRE configuration

You can view the rules that are deployed in your QRadar SIEM.
About this task
Double-click any rule to display the Rule Wizard. This displays the tests associated
with each rule and enables you to configure the response to each rule.

Procedure
Step 1 Click the Offenses tab.
Step 2 On the navigation menu click Rules.


For more information on your CRE configuration, see the IBM Security QRadar
SIEM Users Guide.

What to do next
To determine which rules generate the most offenses, on the Rules page click the Offense Count column header to sort by that column. The rules that generate offenses are then listed in descending order.

Investigating offenses

QRadar SIEM generates offenses by testing event and flow conditions. To investigate QRadar SIEM offenses, you must view the rules that created the offense.

Procedure
Step 1 Click the Offenses tab.
Step 2 On the navigation menu click All Offenses.
Step 3 Double-click the offense you are interested in.
Step 4 From the All Offenses Summary toolbar, select Display > Rules.
Step 5 From the List of Rules Contributing to Offense pane, double-click the Rule
Name you are interested in.
Note: The All Offenses Rules pane can display multiple Rule Names, since the
offense generated by QRadar SIEM might have been triggered by a series of
different tests.

For more information on investigating offenses, see the IBM Security QRadar
SIEM Users Guide.

QRadar building blocks

Building blocks group commonly used tests into reusable logic that rules can reference.

Building blocks use the same tests as rules, but have no actions associated with
them and are often configured to test groups of IP addresses, privileged
usernames, or collections of event names. For example, you might create a
building block that includes the IP addresses of all mail servers in your network,
then use that building block in another rule, to exclude those hosts. The building
block defaults are provided as guidelines, which should be reviewed and edited
based on the needs of your network.

You can configure the host definition building blocks (BB:HostDefinition) to enable
QRadar SIEM to discover and classify additional servers on your network. If a
particular server is not automatically detected, you can manually add the server to
its corresponding host definition building block. This ensures that the appropriate
rules are applied to the particular server type. You can also manually add entire
address ranges as opposed to individual devices.


Commonly edited building blocks
You can reduce the number of offenses generated by high volume traffic servers,
such as proxy servers and virus servers. For more information, see Building block
tuning.

To reduce the number of offenses, administrators must edit the following building
blocks:
• BB:HostDefinition: VA Scanner Source IP
• BB:HostDefinition: Network Management Servers
• BB:HostDefinition: Virus Definition and Other Update Servers
• BB:HostDefinition: Proxy Servers
• BB:NetworkDefinition: NAT Address Range
• BB:NetworkDefinition: TrustedNetwork

Building block tuning
You can edit building blocks to reduce the number of false positives generated by
QRadar SIEM. For more information on false positives, see Tuning false
positives.

You can edit building blocks if you have certain server types present on the
networks that you want to monitor. If you do not have these server types on the
networks, then you can choose to skip this step. For more information, see Editing
a Building Block.

To edit building blocks, you must add the IP address or IP addresses of the server
or servers into the appropriate building blocks.

For more information, see the IBM Security QRadar SIEM Administration Guide.
Also, see Identifying Network Assets.

Table 3-1 provides the list of building blocks that you can edit.

Table 3-1 List of recommended building blocks to edit.

Building Block: BB:NetworkDefinition: NAT Address Range
Description: Edit the "and where either the source or destination IP is one of the
following" test to include the IP addresses of the Network Address Translation
(NAT) servers. Only edit this building block if you have detection in the non-NATd
address space. Editing this building block means that offenses are not created for
attacks targeted or sourced from this IP address range.

Building Block: BB:HostDefinition: Network Management Servers
Description: Network management systems create traffic, such as ICMP (Internet
Control Message Protocol) sweeps, to discover hosts. QRadar SIEM might consider
this threatening traffic. To ignore this behavior and define network management
systems, edit the "and when either the source or destination IP is one of the
following" test to include the IP addresses of the following servers:
• Network Management Servers (NMS).
• Other hosts that normally perform network discovery or monitoring.

Building Block: BB:HostDefinition: Proxy Servers
Description: Edit the "and when either the source or destination IP is one of the
following" test to include the IP addresses of the proxy servers. Edit this building
block if you have sufficient detection on the proxy server. Editing this building
block prevents offense creation for attacks targeted or sourced from the proxy
server. This is useful when hundreds of hosts use a single proxy server and that
single IP address of the proxy server may be infected with spyware.

Building Block: BB:HostDefinition: VA Scanner Source IP
Description: Vulnerability assessment products launch attacks that can result in
offense creation. To avoid this behavior and define vulnerability assessment
products or any server that you want to ignore as a source, edit the "and when the
source IP is one of the following" test to include the IP addresses of the following
scanners:
• VA Scanners
• Authorized Scanners

Building Block: BB:HostDefinition: Virus Definition and Other Update Servers
Description: Edit the "and when either the source or destination IP is one of the
following" test to include the IP addresses of virus protection and update function
servers.

Building Block: BB:CategoryDefinition: Countries with no Remote Access
Description: Edit the "and when the source is located in" test to include
geographic locations which should be prevented from accessing your network. This
enables the use of rules, such as anomaly: Remote Access from Foreign Country, to
create an offense when successful logins have been detected from remote
locations.

Building Block: BB:ComplianceDefinition: GLBA Servers
Description: Edit the "and when either the source or destination IP is one of the
following" test to include the IP addresses of servers used for GLBA
(Gramm-Leach-Bliley Act) compliance. By populating this building block you can use
rules such as Compliance: Excessive Failed Logins to Compliance IS, which create
offenses for compliance and regulation based situations.

Building Block: BB:ComplianceDefinition: HIPAA Servers
Description: Edit the "and when either the source or destination IP is one of the
following" test to include the IP addresses of servers used for HIPAA (Health
Insurance Portability and Accountability Act) compliance. By populating this
building block, you can use rules, such as Compliance: Excessive Failed Logins to
Compliance IS, which creates offenses for compliance and regulation based
situations.

Building Block: BB:ComplianceDefinition: SOX Servers
Description: Edit the "and when either the source or destination IP is one of the
following" test to include the IP addresses of servers used for SOX (Sarbanes-Oxley
Act) compliance. By populating this building block, you can use rules, such as
Compliance: Excessive Failed Logins to Compliance IS, which creates offenses for
compliance and regulation based situations.

Building Block: BB:ComplianceDefinition: PCI DSS Servers
Description: Edit the "and when either the source or destination IP is one of the
following" test to include the IP addresses of servers used for PCI DSS (Payment
Card Industry Data Security Standards) compliance. By populating this building
block, you can use rules such as Compliance: Excessive Failed Logins to
Compliance IS, which creates offenses for compliance and regulation based
situations.

Building Block: BB:NetworkDefinition: Broadcast Address Space
Description: Edit the "and when either the source or destination IP is one of the
following" test to include the broadcast addresses of your network. This removes
false positive events that might be caused by the use of broadcast messages.

Building Block: BB:NetworkDefinition: Client Networks
Description: Edit the "and when the local network is" test to include workstation
networks that users are operating.

Building Block: BB:NetworkDefinition: Server Networks
Description: Edit the "when the local network is" test to include any server
networks.

Building Block: BB:NetworkDefinition: Darknet Addresses
Description: Edit the "and when the local network is" test to include the IP
addresses that are considered a Darknet. Any traffic or events directed towards a
Darknet is considered suspicious as no hosts should be on the network.

Building Block: BB:NetworkDefinition: DLP Addresses
Description: Edit the "and when any IP is a part of any of the following" test to
include the remote services that might be used to obtain information from the
network. This can include services, such as webmail hosts or file sharing sites.

Building Block: BB:NetworkDefinition: DMZ Addresses
Description: Edit the "and when the local network" test to include networks that
are considered to be part of the network's DMZ.

Building Block: BB:PortDefinition: Authorized L2R Ports
Description: Edit the "and when the destination port is one of the following" test
to include common ports that are allowed outbound on the network.

Building Block: BB:NetworkDefinition: Watch List Addresses
Description: Edit the "and when the local network is" test to include the remote
networks that are considered to be on a watch list. This enables you to identify
when events occur with hosts of interest.

Building Block: BB:FalsePositive: User Defined Server Type False Positive Category
Description: Edit this building block to include any categories you want to
consider false positives for hosts defined in the BB:HostDefinition: User Defined
Server Type building block.

Building Block: BB:FalsePositive: User Defined Server Type False Positive Events
Description: Edit this building block to include any events you want to consider
false positives for hosts defined in the BB:HostDefinition: User Defined Server
Type building block.

Building Block: BB:HostDefinition: User Defined Server Type
Description: Edit this building block to include the IP address of your custom
server type. After you have added the servers you must add any events or
categories that you want to consider false positives to this server as defined in the
BB:FalsePositives: User Defined Server Type False Positive Category or the
BB:False Positives: User Defined Server Type False Positive Events building
blocks.

Note: You can include a CIDR range or subnet in any of the building blocks instead
of listing the IP addresses. For example: 192.168.1/24 includes addresses
192.168.1.0 to 192.168.1.255. You can also include CIDR ranges in any of the
BB:HostDefinition building blocks.
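As an added example (not part of the IBM guide and not QRadar code), the following Python script shows how the abbreviated CIDR form in the note above resolves to an address range, and how to check which of your building blocks a given host falls into before you rely on that block to suppress offenses. The building block contents are constructed for illustration; only the block names follow the guide's BB:HostDefinition and BB:NetworkDefinition convention.

```python
import ipaddress

# Constructed building-block contents (illustrative, not QRadar defaults). The
# block names follow the BB:HostDefinition / BB:NetworkDefinition convention.
BUILDING_BLOCKS = {
    "BB:HostDefinition: Proxy Servers": ["10.1.1.5", "10.1.1.6"],
    "BB:NetworkDefinition: NAT Address Range": ["192.168.1/24"],   # abbreviated form
    "BB:NetworkDefinition: Darknet Addresses": ["10.99.0.0/16"],
    "BB:NetworkDefinition: Broadcast Address Space": ["10.1.1.255", "192.168.1.255"],
}


def to_network(entry):
    """Convert one building-block entry to an ip_network object.

    Accepts a single address (treated as a /32 or /128), a full CIDR, and the
    abbreviated IPv4 form the guide uses (192.168.1/24), which the ipaddress
    module rejects until the missing trailing octets are padded with zeros.
    """
    if "/" not in entry:
        return ipaddress.ip_network(entry)
    prefix, length = entry.split("/", 1)
    if ":" not in prefix:  # IPv4: pad 192.168.1 -> 192.168.1.0
        octets = prefix.split(".")
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
            raise ValueError(f"malformed IPv4 prefix in entry {entry!r}")
        prefix = ".".join(octets + ["0"] * (4 - len(octets)))
    # strict=False tolerates host bits set inside the prefix (e.g. 10.1.1.5/24)
    return ipaddress.ip_network(f"{prefix}/{length}", strict=False)


def address_range(entry):
    """First and last address covered by an entry, as strings."""
    net = to_network(entry)
    return str(net.network_address), str(net.broadcast_address)


def matching_blocks(ip, blocks=BUILDING_BLOCKS):
    """Names of every building block whose entries cover the given address, in
    definition order. Use it to confirm that a host you expect to be suppressed
    (or not suppressed) really lands in the block you think it does."""
    addr = ipaddress.ip_address(ip)
    return [name for name, entries in blocks.items()
            if any(addr in to_network(e) for e in entries)]


if __name__ == "__main__":
    print(address_range("192.168.1/24"))   # ('192.168.1.0', '192.168.1.255')
    for host in ("10.1.1.5", "192.168.1.77", "192.168.1.255", "8.8.8.8"):
        print(host, "->", matching_blocks(host))
```

A host that appears in more than one block (192.168.1.255 above is both in the NAT range and in the broadcast space) is worth a second look, because every block it sits in will suppress or classify its traffic.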

Editing a Building Block
You can edit a building block.
Procedure
Step 1 Click the Offenses tab.
Step 2 On the navigation menu, click Rules.
Step 3 From the Display drop-down list box, select Building Blocks.
Step 4 Double-click the building block you want to edit. See Table 3-1 for a list of building
blocks that you can populate with your network information.
Step 5 Update the building block as required.
Step 6 Click Finish.

Tuning Methodology
How you tune QRadar SIEM depends on different scenarios and whether you have
one target or many targets within your network.

To ensure reliable system performance, administrators must consider the following
best practice guidelines:
• Disable rules that produce numerous unwanted offenses.
• To tune CRE rules, increase the rule threshold by doubling the numeric
parameters and time interval.
• Consider modifying rules to consider local rather than remote network context.
• When you edit a rule with the "attach events for the next 300 seconds" option
enabled, wait 300 seconds before closing the related offenses.
For more information, see the IBM Security QRadar SIEM Users Guide.

The following table provides information on how to tune false positives according
to these differing scenarios:

Table 3-2 Tuning methodology

Scenario: One attacker, one event
One Target: Use the False Positive Wizard to tune this specific event.
Many Targets: Use the False Positive Wizard to tune the specific event.

Scenario: One attacker, many unique events in the same category
One Target: Use the False Positive Wizard to tune the category.
Many Targets: Use the False Positive Wizard to tune the category.

Scenario: Many attackers, one event
One Target: Use the False Positive Wizard to tune the specific event.
Many Targets: Edit building blocks using the Custom Rules Editor to tune the
specific event.

Scenario: Many attackers, many events in the same category
One Target: Use the False Positive Wizard to tune the category.
Many Targets: Edit building blocks using the Custom Rules Editor to tune the
category.

Scenario: One attacker, many unique events in different categories
One Target: Investigate the offense and determine the nature of the attacker. If
the offense or offenses can be tuned out, edit building blocks using the Custom
Rules Editor to tune categories for the host IP.
Many Targets: Investigate the offense and determine the nature of the attacker. If
the offense or offenses can be tuned out, edit building blocks using the Custom
Rules Editor to tune categories for the host IP.

Scenario: Many attackers, many unique events in different categories
One Target: Edit building blocks using the Custom Rules Editor to tune the
categories.
Many Targets: Edit building blocks using the Custom Rules Editor to tune the
categories.

Tuning false positives
You can tune false positive events and flows to prevent them from creating
offenses.

About this task
You must have appropriate permissions for creating customized rules to tune false
positives. For more information on roles and permissions, see the IBM Security
QRadar SIEM Administration Guide.

Procedure
Step 1 Click the Log Activity tab, or alternatively click the Network Activity tab.
Step 2 Select the event or flow you want to tune.
Step 3 Click False Positive.
Note: If you are viewing events or flows in streaming mode, you must pause
streaming before you click False Positive.


Step 4 Select one of the following Event or Flow Property options:
• Event/Flow(s) with a specific QID of <Event>
• Any Event/Flow(s) with a low-level category of <Event>
• Any Event/Flow(s) with a high-level category of <Event>
Step 5 Select one of the Traffic Direction options:
• <Source IP Address> to <Destination IP Address>
• <Source IP Address> to Any Destination
• Any Source to <Destination IP Address>
• Any Source to any Destination
Step 6 Click Tune.
Note: QRadar SIEM prevents you from selecting Any Events/Flow(s) together with
Any Source To Any Destination. Clicking Tune creates a custom rule that prevents
QRadar SIEM from creating offenses for the selected property and traffic direction.
For more information on tuning false positives, see the IBM Security QRadar SIEM
Users Guide.

False positive rule chains
The rule FalsePositive: False Positive Rules and Building Blocks is the first
rule to execute in the CRE. When it loads, all of its dependencies are loaded and
tested.

If the rule is successfully matched in QRadar SIEM, the rule drops the detected
event or flow. This stops the event or flow from progressing through the CRE and
prevents the flow or event from creating an offense.

When creating false positive building blocks within QRadar SIEM, administrators
must review the following information.

Naming conventions
Use a methodology similar to the default rule set, by creating new building blocks
with the following naming convention:

<CustomerName>-BB:False Positive: All False Positive Building Blocks.

Where: <CustomerName> is a name that you assign to the false positive building
block.

False positive building blocks
Building blocks must contain the test "and when a flow or an event matches any
of the following rules". This test is a collection point for false positive building
blocks and enables you to quickly find and identify customizations.

When the <CustomerName>-BB:False Positive: All False Positive Building
Block is created, add it to the test in the rule FalsePositive: False Positive Rules
and Building Blocks.

When the new false positive building block is created, you can create new building
blocks to match the traffic that you want to prevent from creating offenses. Add
these building blocks to the <CustomerName>-BB:False Positive: All False
Positive Building block.

Note: To prevent events from creating offenses, you must create a new building
block that matches the traffic that you are interested in. Save this as a building
block <CustomerName>-BB:False Positive: <name of rule>, then edit
<CustomerName>-BB:False Positive: All False Positive building blocks, to
include the rule that you created.
CAUTION: If you add a rule or building block that includes a rule to the
FalsePositive: False Positive Rules and Building Blocks rule, the rule you have
added will execute before the event is dropped by the CRE and could create
offenses by overriding the false positive test.

Optimize custom rules
When building custom rules, you must optimize the order of the testing to ensure
that the rules do not impact CRE performance.

The tests in a rule are executed in the order in which they are displayed in the user
interface. The most memory intensive tests for the CRE are the payload and
regular expression searches. To ensure that these tests run against a smaller
subset of data and execute faster, you must first include one of the following tests:

• when the event(s) were detected by one or more of these log source types
• when the event QID is one of the following QIDs
• when the source IP is one of the following IP addresses
• when the destination IP is one of the following IP addresses
• when the local IP is one of the following IP addresses
• when the remote IP is one of the following IP addresses
• when either the source or destination IP is one of the following IP
addresses
• when the event(s) were detected by one or more of these log sources
Note: You can further optimize QRadar SIEM by exporting common tests to
building blocks. Building Blocks execute per event as opposed to multiple times if
tests are individually included in a rule.

For more information on optimizing custom rules, see the IBM Security QRadar
SIEM Users Guide.


Creating an OR condition within the CRE
You can create a conditional OR test within the CRE.

About this task
As you add more tests to a rule, each test can only be an AND or AND NOT
conditional test. To create an OR condition within the CRE you must place each
separate set of conditions into a building block and then create a new rule or
building block that utilizes the And When An Event Matches Any Of The
Following Rules rule. This ensures that both Building Blocks are loaded when the
test is applied.

Procedure
Step 1 Click the Offenses tab.
Step 2 On the navigation menu, click Rules.
Step 3 From the Actions list box, select one of the following options:
• New Event Rule - Select this option to configure a rule for events.
• New Flow Rule - Select this option to configure a rule for flows.
• New Common Rule - Select this option to configure a rule for events and flows.
• New Offense Rule - Select this option to configure a rule for offenses.
Step 4 Read the introductory text. Click Next.
You are prompted to choose the source from which you want this rule to apply. The
default is the rule type you selected on the Offenses tab.
Step 5 If required, select the rule type you want to apply to the rule. Click Next.
Step 6 Locate the when an event matches any/all of the following rules test and click
the + icon beside the test.
Step 7 On the and when an event matches any of the following rules test, click rules.
Step 8 From the Select the rule(s) to match and click ‘Add’ field, select multiple
building blocks by holding down the Ctrl key and click Add +.
Step 9 Click Submit.
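The following Python model is added here as an illustration; it is not QRadar's code and not an example from the IBM guide. It shows three behaviours described in this chapter: tests in a rule run in listed order and stop at the first failure, so a cheap log source test placed before a payload regex cuts the number of regex evaluations (Optimize custom rules); an OR is built by putting each condition set in its own building block and matching any of them (this section); and the false positive rule executes first and drops a matching event before any offense-creating rule sees it (False positive rule chains). The events, QIDs, log source type names, addresses, patterns and rule names are all constructed.

```python
import re
from collections import Counter

# Constructed sample events (made-up payloads, QIDs and addresses, not real device output).
EVENTS = [
    {"qid": 5000010, "log_source_type": "Cisco ASA", "source_ip": "203.0.113.9",
     "payload": "Deny tcp src outside:203.0.113.9 dst inside:10.1.1.5"},
    {"qid": 5000010, "log_source_type": "Cisco ASA", "source_ip": "10.2.2.20",
     "payload": "Deny tcp src inside:10.2.2.20 dst dmz:10.1.1.5"},
    {"qid": 4000020, "log_source_type": "Linux OS", "source_ip": "10.3.3.30",
     "payload": "sshd: Failed password for root from 10.3.3.30"},
    {"qid": 4000020, "log_source_type": "Linux OS", "source_ip": "10.9.9.1",
     "payload": "sshd: Failed password for admin from 10.9.9.1"},
]

COUNTS = Counter()  # number of times each test actually executed


def make_test(name, predicate):
    """A CRE-style test: records every execution under `name`, then applies the predicate."""
    def run(event):
        COUNTS[name] += 1
        return predicate(event)
    return run


def log_source_type_in(types):
    return make_test("log source type", lambda e: e["log_source_type"] in types)


def source_ip_in(ips):
    return make_test("source IP", lambda e: e["source_ip"] in ips)


def payload_matches(pattern):
    """The expensive test: a regular expression over the raw payload."""
    rx = re.compile(pattern)
    return make_test(f"payload regex {pattern!r}", lambda e: rx.search(e["payload"]) is not None)


def rule(tests):
    """Rule semantics: tests are ANDed in the listed order; all() stops at the first
    False, so tests after a failing one never execute for that event."""
    return lambda e: all(t(e) for t in tests)


def matches_any(building_blocks):
    """The 'and when an event matches any of the following rules' test: an OR across
    building blocks, each of which is itself an AND-only rule."""
    return make_test("matches any of", lambda e: any(bb(e) for bb in building_blocks))


def regex_evaluations(tests, events):
    """Apply a rule built from `tests` to every event; return the matching source IPs
    and how many times the payload regex had to run."""
    COUNTS.clear()
    r = rule(tests)
    matched = [e["source_ip"] for e in events if r(e)]
    regex_runs = sum(n for name, n in COUNTS.items() if name.startswith("payload regex"))
    return matched, regex_runs


def ordering_demo():
    """Same rule, two orderings: regex first, then the cheap log source test first."""
    root_failure = payload_matches(r"Failed password for root")
    linux = log_source_type_in({"Linux OS"})
    regex_first = regex_evaluations([root_failure, linux], EVENTS)  # regex runs on all 4 events
    cheap_first = regex_evaluations([linux, root_failure], EVENTS)  # regex runs on the 2 Linux events
    return regex_first, cheap_first


def run_cre(events, false_positive_rule, rules):
    """Model of CRE ordering: the false positive rule executes first; an event it
    matches is dropped and never reaches the offense-creating rules."""
    offenses, dropped = [], 0
    for e in events:
        if false_positive_rule(e):
            dropped += 1
            continue
        offenses.extend((name, e["source_ip"]) for name, r in rules if r(e))
    return offenses, dropped


def chain_demo():
    """OR via building blocks, plus a false positive block for an authorized scanner."""
    bb_asa_deny = rule([log_source_type_in({"Cisco ASA"}), payload_matches(r"^Deny ")])
    bb_ssh_fail = rule([log_source_type_in({"Linux OS"}), payload_matches(r"Failed password")])
    either = rule([matches_any([bb_asa_deny, bb_ssh_fail])])  # bb_asa_deny OR bb_ssh_fail
    fp_block = rule([source_ip_in({"10.9.9.1"})])             # hypothetical scanner source IP
    return run_cre(EVENTS, fp_block, [("Deny or SSH failure", either)])


if __name__ == "__main__":
    print(ordering_demo())
    print(chain_demo())
```

Both orderings in ordering_demo produce the same match; only the number of regex evaluations differs, which is the whole point of listing cheap tests first. In chain_demo the event from 10.9.9.1 is dropped by the false positive block and never counted, which is also why a rule placed inside that chain would run before the drop and could still create an offense, as the CAUTION above warns.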


Improving search performance
When you are searching Event or Flow information, you can improve performance
by adding filters to search indexed fields.

About this task
Table 3-3 provides information about the fields that are indexed:

Table 3-3 Log Viewer and Flow Viewer Indexed Fields

Log Activity tab (Events), indexed filters:
• Username
• Source or Destination IP
• Destination Port
• Has Identity
• Device Type
• Device ID
• Category
• Matches Custom Rule

Network Activity tab (Flows), indexed filters:
• Application
• Source or Destination IP
• Destination Port
Note: You can monitor the performance of your search by expanding the Current
Statistics option on the Search page. This displays the volume of data loading
from data files and indexes. If your search does not display a count in the index file
count then add an indexed filter to the search. For more information, see Adding
Indexed Filters.

Adding Indexed Filters
Indexed filters can be added to both log activity and network activity data.
Procedure
Step 1 Click the Log Activity tab, or alternatively click the Network Activity tab.
Step 2 On the toolbar, click Add Filter.
Step 3 From the first list box, select an index filter. See Table 3-3.
Step 4 From the second list box, select the modifier that you want to use.
Step 5 Type or select the information for your filter. The controls that are displayed
depend on the index filter you selected in Step 3.
Step 6 Click Add Filter.


Enabling quick filtering
You can enable the Quick Filter property to optimize event and flow search times.
About this task

For QRadar SIEM 7.0 MR3 installations and above, you can enable Quick Filters.
This option must be enabled in the System Settings page. You can use the Quick
Filter option to search event and flow payloads by typing your exact free text
search criteria.

Procedure
Step 1 Log in to QRadar.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click System Configuration.
Step 4 Click the Index Management icon.
Step 5 In the Quick Search field, type Quick Filter.
Step 6 Select the Quick Filter property you want to index.
You can identify the event and flow Quick Filter properties using the value in the
Database column.
Step 7 On the toolbar, click Enable Index.
A green dot indicates that the payload index is enabled.
Step 8 Click Save.
Step 9 Click OK.

Results
The selected Quick Filter properties are indexed. If a list includes event or flow
properties, indexed property names are appended with the following text:
[Indexed].

Custom extracted properties
The Custom Extracted Properties function in QRadar SIEM is used to expand
normalized fields by adding numerous custom fields for reports, searches, and the
CRE, for example, to extract proxy URLs, virus names, or secondary usernames.

Administrators must review the following information:
• You must restrict your custom extracted properties to a particular log source
type or individual log source.
• If your extracted property is only applicable to certain events, you can reduce
the workload on QRadar SIEM by limiting the extracted property to that event
type.
• By using the extracted properties function to optimize rules, reports and
searches, the custom property can be used by the custom rules engine. This
moves the processing of the extracted property to the time when the event is
collected, as opposed to when it is searched. By default, custom extracted
properties are processed when they are searched or displayed. Enabling the
optimize feature for an extracted property minimizes the search time against
the property.
• The extracted property field is not indexed, but if an event matches the
property, it stores an index to the offset and length of the property which reduces
the amount of data that must be searched.
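The following Python model is added as an illustration of the two recommendations above; it is not QRadar's implementation and not code from the IBM guide. It restricts a custom extracted property to one log source type, and contrasts the default (regex evaluated at search time) with the optimize behaviour (regex evaluated once at collection, with only the match offset and length stored). The log source type name, the property definition, its regex and the proxy log lines are all constructed.

```python
import re

# Constructed sample events (made-up payloads, not real device output).
EVENTS = [
    {"log_source_type": "Blue Coat SG",
     "payload": '10.1.1.20 - user1 GET "http://updates.example.test/patch.bin" 200'},
    {"log_source_type": "Blue Coat SG",
     "payload": '10.1.1.21 - user2 CONNECT "https://mail.example.test:443" 200'},
    {"log_source_type": "Blue Coat SG",
     "payload": "10.1.1.23 - user4 health-check 200"},
    {"log_source_type": "Linux OS",
     "payload": "sshd: Accepted password for user3 from 10.1.1.22"},
]

# A hypothetical custom extracted property, restricted to one log source type.
PROXY_URL = {
    "name": "Proxy URL",
    "log_source_type": "Blue Coat SG",
    "regex": re.compile(r'"(https?://[^"\s]+)"'),
    "capture_group": 1,
}

REGEX_RUNS = {"count": 0}  # how many times the property regex has executed


def _match(prop, event):
    """Run the property regex only for the log source type it was written for;
    events from any other log source type are skipped without a regex run."""
    if event["log_source_type"] != prop["log_source_type"]:
        return None
    REGEX_RUNS["count"] += 1
    return prop["regex"].search(event["payload"])


def collect(events, prop, optimize):
    """Model of event collection. With optimize=True the regex runs once per event
    and only the offset and length of the match are stored with the event; events
    that did not match carry no stored index."""
    stored = []
    for e in events:
        e = dict(e)
        if optimize:
            m = _match(prop, e)
            if m:
                start, end = m.span(prop["capture_group"])
                e[prop["name"]] = (start, end - start)
        stored.append(e)
    return stored


def value_of(event, prop):
    """Read the property at search time: slice the payload when an offset/length was
    stored at collection, otherwise evaluate the regex now."""
    idx = event.get(prop["name"])
    if idx is not None:
        offset, length = idx
        return event["payload"][offset:offset + length]
    m = _match(prop, event)
    return m.group(prop["capture_group"]) if m else None


def search(events, prop, wanted):
    """Return payloads whose property equals `wanted`, plus the number of regex
    evaluations the search itself needed."""
    before = REGEX_RUNS["count"]
    hits = [e["payload"] for e in events if value_of(e, prop) == wanted]
    return hits, REGEX_RUNS["count"] - before


def compare():
    """Run the same search over unoptimized and optimized collections."""
    target = "https://mail.example.test:443"
    unoptimized = search(collect(EVENTS, PROXY_URL, optimize=False), PROXY_URL, target)
    optimized = search(collect(EVENTS, PROXY_URL, optimize=True), PROXY_URL, target)
    return unoptimized, optimized


if __name__ == "__main__":
    print(compare())
```

The unoptimized search runs the regex for every Blue Coat SG event; the optimized one only does so for the event that had no stored match, and never touches the Linux OS event at all because the property is bound to a single log source type.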

Cleaning the SIM model
When the tuning process is complete, clean the SIM model to ensure that
QRadar SIEM only displays recent offenses.

About this task
Cleaning the SIM model ensures that offenses are based on the most current
rules, discovered servers, and network hierarchy. When you clean the SIM model,
all existing offenses are closed. This does not affect existing events and flows.
Note: False positive offenses might have occurred before you performed the
tuning tasks. Clean the SIM model to ensure each host on the network creates
new offenses based on the current configuration.

Procedure
Step 1 Click the Admin tab.
Step 2 From the Admin toolbar, select Advanced > Clean SIM Model.
Step 3 Select the Hard Clean option.
Step 4 Select the Are you sure you want to reset the data model? check box.
Step 5 Click Proceed.
Note: This process may take several minutes, depending on the volume of data in
your system.
Step 6 When the SIM reset process is complete, refresh your browser.
Note: If you attempt to navigate to other areas of the user interface during the SIM
reset process, an error message is displayed.

A IDENTIFYING NETWORK ASSETS

Use this reference to identify network assets that you might want to include in
building blocks.

Table 5-4 Identifying Network Assets

Category: NAT Address
How to identify and examples: IP addresses and/or CIDR blocks used for Network
Address Translation (NAT). These are commonly configured on firewalls and
routers.
Building block: BB-NetworkDefinition: NAT Address Range.

Category: Network and Desktop Management Servers
How to identify and examples: Altiris, BindView, CA Unicenter, CiscoWorks, Dell
OpenManage, HP OpenView, IBM Director, Marimba, McAfee ePolicy Orchestrator,
Norton Antivirus server, Tivoli, Sitescope, Sophos server, SMS, What's Up Gold
Building block: BB-HostDefinition:Network Management Servers.

Category: Proxy Servers
How to identify and examples: In-Line PaloAlto firewalls, Sidewinder, ISA,
Bluecoat, Microsoft Proxy Server, Squid, Websense, Wingate
Building block: BB-HostDefinition: Proxy Servers.

Category: Server Networks
How to identify and examples: CIDRs used by data centers or server populations.
Building block: BB-HostDefinition: Server Networks.

Category: Vulnerability/Security Scanners
How to identify and examples: Acunetix, CyberCop Scanner, Foundstone,
HackerShield, ISS Internet Scanner, Nessus, Retina, nCircle, Nmap.
Building block: BB-HostDefinition: VA Scanner Source ID.

C NOTICES AND TRADEMARKS

What's in this appendix:
• Notices
• Trademarks

This section describes some important notices, trademarks, and compliance
information.

Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information,
contact the IBM Intellectual Property Department in your country or send inquiries,
in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express
or implied warranties in certain transactions, therefore, this statement may not
apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of
enabling: (i) the exchange of information between independently created programs
and other programs (including this one) and (ii) the mutual use of the information
which has been exchanged, should contact:
IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for their specific
environment.

Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM
has not tested those products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those
products.

All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual
business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations
may not appear.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at www.ibm.com/legal/copytrade.shtml.

The following terms are trademarks or registered trademarks of other companies:

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

Privacy policy considerations
IBM Software products, including software as a service solutions, (“Software
Offerings”) may use cookies or other technologies to collect product usage
information, to help improve the end user experience, to tailor interactions with the
end user or for other purposes. In many cases no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings
can help enable you to collect personally identifiable information. If this Software
Offering uses cookies to collect personally identifiable information, specific
information about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use
session cookies that collect each user’s session id for purposes of session
management and authentication. These cookies can be disabled, but disabling
them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.

For more information about the use of various technologies, including cookies, for
these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and
IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details, in the section
entitled “Cookies, Web Beacons and Other Technologies”, and the “IBM Software
Products and Software-as-a-Service Privacy Statement” at
http://www.ibm.com/software/info/product-privacy.

INDEX

A
adding
    indexed filters 25
asset profile
    configuring 11
assets
    identifying 29
    importing in CSV format 11

B
best practices
    tuning 13
building blocks
    commonly edited 17
    editing 20
    tuning 17

C
configuring
    asset profile 11
    flow sources 8
    qflow devices 9
    vulnerability assessment scanners 5
custom event properties 26
custom extracted properties 26
custom flow properties 26
custom rules
    optimizing 23
custom rules engine (CRE)
    creating OR conditions 24
    viewing configuration 15

D
detecting
    log sources 7
device support modules (DSMs) 6
    automatic download 6
    manually installing 6
    updating 6
discovering
    network assets 29
downloading
    DSM updates 6

E
editing
    building blocks 20
establishing
    flow sources 8

F
false positives
    rule chains 22
    tuning 21
flow sources
    configuring 8

G
glossary 31

I
importing
    assets 11
indexed filters
    adding 25
investigating
    offenses 16

L
log messages
    netflow 10
log source
    adding manually 7
    detection 7

M
manually
    adding a log source 7
    installing DSMs 6

N
netflow
    data validation 10
    log messages 10
network assets
    identifying 29

O
offenses
    investigating 16
optimizing
    custom rules 23
    reports 26

Q
qflow
validating data 9
qflow data collection
validating 9
qflow devices
configuring 9

R
report
optimization 26
rule chains
false positives 22

S
scanners
configuring 5
searches
improving performance 25
SIM model
cleaning 27

T
tuning
best practices 13
building blocks 17
false positives 21
methodology 20

U
updating
device support modules (DSMs) 6

V
validating
netflow data 10
qflow data collection 9
viewing
custom rules engine (CRE) configuration 15
vulnerability assessment scanners
configuring 5
