IBM QRadar


QRadar Test Environments

By Jens-Uwe Fimmen posted 26 days ago


Expert Labs Security Specialists for IBM QRadar SIEM are often called in when customers face problems or critical situations.

Often, one of the lessons learned is that changes were made directly in the production environment and never tested in a test environment first.

And where a test environment exists, is it managed professionally, so that test and production stay an exact copy of each other rather than drifting apart into a fork?

Besides increasing reliability and uptime of the system, a no-touch production system is very often required to comply with internal and external regulations and risk management mechanisms.

Why is it that in professional IT more or less every server is thoroughly tested and documented, while so many QRadar SIEM environments are not? We often see IT specialists editing live in the production environment.


Here is some information on how to set up a Test -> Production chain, or even a Test -> Staging -> Production chain:

First, when starting a test environment from scratch, QRadar SIEM Community Edition can be used: https://www.ibm.com/community/101/qradar/ce/ . It can be updated to the latest update package (UP) and, if needed, upgraded to a licensed installation, too. True, usage is limited to 100 events per second (EPS) and 5,000 flows per minute (FPM), but it is a free start.
Alternatively, there is the QRadar non-Production Software Install license. It should start at 100 EPS and 15,000 FPM and could be larger. A QRadar Software Node Install license is probably required as well.
Or you may have MVS licensing. For details, please contact your QRadar License Sales or TechSales, or write to mailto:qradar.community@ibm.com 

For sizing guidelines, see: https://www.ibm.com/docs/en/qsip/7.5?topic=planning-system-requirements-virtual-appliances

Second, events and/or log sources and integrations need to be available, so that what needs to be tested can actually be tested. This depends on customer specifics: sometimes the data can be used 'as is', sometimes it needs to be anonymized for the test cases.

Third, changes to the rule set need to be documented appropriately, ideally externally in a file or a repository. Based on customer requirements, Expert Labs can design a solution for you.

Lastly, the transfer of the rule set to production needs to be bulletproof: reliable, semi-automatic, and able to version the content packs. For this, the IBM QRadar Content Transfer App is available.

For a Proof of Concept, IBM Expert Labs provides temporary licenses. More information can be found here: https://community.ibm.com/community/user/blogs/jens-uwe-fimmen/2024/06/06/ibm-security-qradar-premier-apps. To get to a 'no-touch' production environment, one initial complete run through 'staging' is often required; after that, only the deltas (the changes) are transferred.
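To make the "versioned rule set, promote only the deltas" idea concrete, here is a small added example. It is not code from the original post, from IBM or from the Content Transfer App. It assumes that the rule definitions of each console are exported as a JSON list (for instance the output of GET /api/analytics/rules), that every rule carries a stable 'identifier' that is identical on every console while the numeric 'id' is not, and that the per-save fields listed in VOLATILE_FIELDS are the ones to ignore. The sample exports below are constructed for this example and only mirror a subset of the fields such an export contains.

```python
# Added example (not from the original post or from IBM): version a QRadar
# rule export in a repository and compute the delta between the test export
# and the production baseline, so that only real changes are promoted.
# Assumptions: exports are JSON lists, every rule has a stable 'identifier'
# shared by all consoles, and the sample data below is constructed.
import hashlib
import json
from typing import Dict, List

# Fields that legitimately differ between consoles or change on every save.
# They are stripped before comparing, so a rule that was merely re-saved or
# imported on another console does not show up as a change to promote.
VOLATILE_FIELDS = {"id", "creation_date", "modification_date",
                   "capacity_timestamp", "base_host_id", "base_capacity"}

# Constructed sample exports (not real QRadar data). Numeric ids differ per
# console, the 'identifier' stays the same.
PROD_EXPORT: List[dict] = [
    {"id": 100001, "identifier": "rule-a1", "name": "Excessive Firewall Denies",
     "type": "EVENT", "enabled": True, "owner": "admin", "origin": "SYSTEM",
     "modification_date": 1717000000000},
    {"id": 100002, "identifier": "rule-b2", "name": "Local: VPN login outside business hours",
     "type": "EVENT", "enabled": True, "owner": "admin", "origin": "USER",
     "modification_date": 1717000100000},
    {"id": 100003, "identifier": "rule-c3", "name": "Local: Legacy rule to retire",
     "type": "EVENT", "enabled": True, "owner": "admin", "origin": "USER",
     "modification_date": 1717000200000},
]
TEST_EXPORT: List[dict] = [
    # Same rule, only re-saved on the test console: must NOT count as a change.
    {"id": 200001, "identifier": "rule-a1", "name": "Excessive Firewall Denies",
     "type": "EVENT", "enabled": True, "owner": "admin", "origin": "SYSTEM",
     "modification_date": 1718000000000},
    # Disabled in test after a false-positive review: a real change.
    {"id": 200002, "identifier": "rule-b2", "name": "Local: VPN login outside business hours",
     "type": "EVENT", "enabled": False, "owner": "admin", "origin": "USER",
     "modification_date": 1718000100000},
    # New use case developed in test: must be added to production.
    {"id": 200004, "identifier": "rule-d4", "name": "Local: Impossible travel for one user",
     "type": "EVENT", "enabled": True, "owner": "admin", "origin": "USER",
     "modification_date": 1718000200000},
    # rule-c3 is absent: deleted in test, so it is a candidate for removal.
]


def normalize(rule: dict) -> dict:
    """Drop per-console and per-save fields so only real content remains."""
    return {k: v for k, v in rule.items() if k not in VOLATILE_FIELDS}


def index_by_identifier(rules: List[dict]) -> Dict[str, dict]:
    """Key the normalized rules by their stable identifier; refuse duplicates."""
    index: Dict[str, dict] = {}
    for rule in rules:
        ident = rule["identifier"]
        if ident in index:
            raise ValueError(f"duplicate identifier in export: {ident}")
        index[ident] = normalize(rule)
    return index


def repo_files(rules: List[dict]) -> Dict[str, str]:
    """One canonical JSON document per rule, suitable for committing to git.

    Sorted keys and one fixed file name per identifier keep 'git diff' small
    and readable: export order and volatile fields no longer cause noise.
    """
    return {f"rules/{ident}.json": json.dumps(body, sort_keys=True, indent=2) + "\n"
            for ident, body in index_by_identifier(rules).items()}


def content_hash(rules: List[dict]) -> str:
    """Fingerprint of the normalized rule set, independent of export order."""
    canonical = json.dumps(index_by_identifier(rules), sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def delta(prod: List[dict], test: List[dict]) -> Dict[str, List[str]]:
    """Identifiers to add, change or remove when promoting test to production."""
    p, t = index_by_identifier(prod), index_by_identifier(test)
    return {
        "added": sorted(set(t) - set(p)),
        "removed": sorted(set(p) - set(t)),
        "changed": sorted(i for i in set(p) & set(t) if p[i] != t[i]),
    }


if __name__ == "__main__":
    print("production fingerprint:", content_hash(PROD_EXPORT)[:16])
    print("test fingerprint:      ", content_hash(TEST_EXPORT)[:16])
    for kind, idents in delta(PROD_EXPORT, TEST_EXPORT).items():
        print(f"{kind:8}: {', '.join(idents) or '-'}")
    # Commit these files together with the printed delta as the record of
    # exactly what was promoted; here the paths are only listed.
    for path in sorted(repo_files(TEST_EXPORT)):
        print("would write", path)
```

Run with python3. The delta lists which rule identifiers have to be carried to production by whatever transfer mechanism is used (one new rule, one changed rule, one removal candidate in the sample), while the re-saved but unchanged rule is correctly left alone. The per-rule files are what goes into the repository, and the fingerprint is a quick check that test and production still match after a promotion.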

Summing it up: yes, it is work, but it can be done. If you would like to investigate this topic further, contact qradar.community@ibm.com or tels.apps@ibm.com.
