Contenu connexe


Qradar - Reports.pdf

  1. IBM Security QRadar SIEM Foundations
  2. Reports
  3. 3 IBM Security Reporting introduction • A QRadar SIEM report is a means of scheduling and automating one or more saved searches • QRadar SIEM reports perform the following tasks ̶ Present measurements and statistics derived from events, flows, and offenses ̶ Provide users the ability to create custom reports ̶ Can brand reports and distribute them • Predefined report templates serve a multitude of purposes, such as the following examples ̶ Regulatory compliance ̶ Authentication activity ̶ Operational status ̶ Network status ̶ Executive summaries
  4. 4 IBM Security Reports tab You can search and sort report templates in a similar way as events and flows
  5. 5 IBM Security • QRadar SIEM and extensions provide many report templates ̶ Before you create a new template, check the installed templates and the templates provided by extensions available on the IBM App Exchange Finding a report Search: Display report templates whose title, description, group name, or author user name matches the search criteria Reporting Groups: Display report templates of a reporting group Hide Inactive Reports: Disable to display all inactive report templates IBM App Exchange: QRadar SIEM administrators can add more report templates by downloading and installing extensions © COPYRIGHT IBM CORPORATION 2017 5
  6. 6 IBM Security Running a report Toggle scheduling: Toggle the active and inactive state of the selected template Run Report on Raw Data: Generate a report on raw data if QRadar SIEM has not captured the required time- series data Run Report: Generate a report for the selected report template immediately, regardless of its schedule or active/inactive state Delete Generated Content: Delete any generated report for the selected template © COPYRIGHT IBM CORPORATION 2017 6
  7. 7 IBM Security Running a report
  8. 8 IBM Security Selecting the generated report Estimated 34 seconds until the report is generated Select a generated report from the list and click the PDF icon to view it © COPYRIGHT IBM CORPORATION 2017 8
  9. 9 IBM Security Viewing a report
  10. 10 IBM Security Creating a new report template • To watch specific firewall activity in a daily report, create a custom report template
  11. 11 IBM Security Choosing a schedule The schedule determines when the report runs and the default data range to use; for example, when you select Weekly, the previous week's data (Sunday-Saturday) is selected
  12. 12 IBM Security Choosing a layout • QRadar SIEM uses containers to segregate report pages so that different data sets can show on the same report page
  13. 13 IBM Security Defining report contents
  14. 14 IBM Security Configuring the upper chart
  15. 15 IBM Security Configuring the upper chart (continued)
  16. 16 IBM Security Configuring the lower chart
  17. 17 IBM Security Configuring the lower chart (continued)
  18. 18 IBM Security Verifying the layout preview
  19. 19 IBM Security Choosing a format You can select any or all of the available formats for reports
  20. 20 IBM Security Distributing the report
  21. 21 IBM Security Adding a description and assigning the group • You can organize reports by groups much like rules and log sources • You can use reporting groups to sort report templates by purpose, such as a specific regulatory or executive requirement
  22. 22 IBM Security Verifying the report summary
  23. 23 IBM Security Viewing the generated report
  24. 24 IBM Security Best practices when creating reports • For comparison and review, present network traffic charts and event tables together • Consider the purpose of the report and choose the least number of page containers that is necessary to communicate the data • Do not choose a small page division for a graph that might contain a large number of objects • Executive summary reports use one-page or two-page divisions to simplify the report focus
  25. 25 IBM Security Best practice reports for Compliancy purposes • Usage of Service accounts • Usage of privileged user accounts • Account management actions: Creation, deletion, modification • Authorized access to sensitive data • Audit modification actions • Log collection completion • User authentications • Software and machine patch management
  26. 26 IBM Security Best practice reports for Monitoring purposes • Behavioral change in Service account authentication or usage • Unauthorized acces to sensitive data • Behavioral change in access to sensitive data • Change in machine network behaviour • Audit trail clearance • Log collection failures • Virus checker alerts • Endpoint management alerts • Critical resource patch failure
  27. @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU