IBM Security
QRadar SIEM Foundations

Reports

3 IBM Security
Reporting introduction
• A QRadar SIEM report is a means of scheduling and automating one or more
saved searches
• QRadar SIEM reports perform the following tasks
̶ Present measurements and statistics derived from events, flows, and offenses
̶ Provide users the ability to create custom reports
̶ Can brand reports and distribute them
• Predefined report templates serve a multitude of purposes, such as the following
examples
̶ Regulatory compliance
̶ Authentication activity
̶ Operational status
̶ Network status
̶ Executive summaries

4 IBM Security
Reports tab
You can search and sort report templates in a similar way as events and flows

5 IBM Security
• QRadar SIEM and extensions provide many report templates
̶ Before you create a new template, check the installed templates and the templates provided by
extensions available on the IBM App Exchange
Finding a report
Search:
Display report templates whose title,
description, group name, or author
user name matches the search
criteria
Reporting
Groups:
Display report
templates of a
reporting group
Hide Inactive Reports:
Disable to display all
inactive report templates
IBM App Exchange:
QRadar SIEM administrators can add
more report templates by
downloading and installing
extensions
© COPYRIGHT IBM CORPORATION 2017
5

6 IBM Security
Running a report
Toggle scheduling:
Toggle the active and
inactive state of the
selected template
Run Report on Raw Data:
Generate a report on raw
data if QRadar SIEM has not
captured the required time-
series data
Run Report:
Generate a report for the
selected report template
immediately, regardless of its
schedule or active/inactive
state
Delete Generated
Content:
Delete any generated
report for the selected
template
© COPYRIGHT IBM CORPORATION 2017
6

7 IBM Security
Running a report

8 IBM Security
Selecting the generated report
Estimated 34 seconds until
the report is generated
Select a generated report from the
list and click the PDF icon to view it
© COPYRIGHT IBM CORPORATION 2017
8

9 IBM Security
Viewing a report

10 IBM Security
Creating a new report template
• To watch specific firewall activity in a daily report, create a custom report template

11 IBM Security
Choosing a schedule
The schedule determines when the
report runs and the default data range
to use; for example, when you select
Weekly, the previous week's data
(Sunday-Saturday) is selected

12 IBM Security
Choosing a layout
• QRadar SIEM uses containers to segregate report pages so that different data sets
can show on the same report page

13 IBM Security
Defining report contents

14 IBM Security
Configuring the upper chart

15 IBM Security
Configuring the upper chart (continued)

16 IBM Security
Configuring the lower chart

17 IBM Security
Configuring the lower chart (continued)

18 IBM Security
Verifying the layout preview

19 IBM Security
Choosing a format
You can select any or all of the
available formats for reports

20 IBM Security
Distributing the report

21 IBM Security
Adding a description and assigning the group
• You can organize reports by
groups much like rules and log
sources
• You can use reporting groups to
sort report templates by
purpose, such as a specific
regulatory or executive
requirement

22 IBM Security
Verifying the report summary

23 IBM Security
Viewing the generated report

24 IBM Security
Best practices when creating reports
• For comparison and review, present network traffic charts and event tables together
• Consider the purpose of the report and choose the least number of page containers
that is necessary to communicate the data
• Do not choose a small page division for a graph that might contain a large number of
objects
• Executive summary reports use one-page or two-page divisions to simplify the report
focus

25 IBM Security
Best practice reports for Compliancy purposes
• Usage of Service accounts
• Usage of privileged user accounts
• Account management actions: Creation, deletion, modification
• Authorized access to sensitive data
• Audit modification actions
• Log collection completion
• User authentications
• Software and machine patch management

26 IBM Security
Best practice reports for Monitoring purposes
• Behavioral change in Service account authentication or usage
• Unauthorized acces to sensitive data
• Behavioral change in access to sensitive data
• Change in machine network behaviour
• Audit trail clearance
• Log collection failures
• Virus checker alerts
• Endpoint management alerts
• Critical resource patch failure

ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU