IBM QRadar


QRadar Architecture for Newbies - a Fastpath to Qradar

  • 1.  QRadar Architecture for Newbies - a Fastpath to Qradar

    Posted Sat December 26, 2020 12:19 PM

    Running QRadar bootcamps for about 10 years now, I was quite often asked why it is so complex and whether there is an easy way to speed up the learning curve. Now there is good and bad news for you.
    GOOD news first: there is a way out there for speeding up.
    BAD news second: it's not as easy as you may want it to be.

    If you are new to QRadar, start at QRadar 101 https://www.ibm.com/community/qradar/. Download the free community edition at https://www.ibm.com/community/qradar/ce/ and install it on your PC as a virtual machine. Use another VM as your live log source, e.g. Ubuntu desktop. Find out how easily it can be integrated. Then define your virtual network as a new flow source and monitor your live traffic in and out of your network interface. Search the community for all your FAQs first. Most of them have been answered already. Don't be a fool and ask for something that has been discussed many times before.

    Most of us look at QRadar as a black box, because we will probably never see the code itself. However, there is no need to do so. We just want to get an idea of its components and how they work together. If you have some software development experience, this helps a lot :-)

    QRadar basically consists of two components: the backend CMS called hostcontext, and the frontend web server, which is Tomcat. As all GUI client data is passed from your browser via the frontend web server to the backend CMS and back again, much of what you already know about state-of-the-art web-based applications applies to QRadar as well. However, QRadar is somewhat different and comes with a couple of features that may confuse beginners. Before we get there, let's have a look at the CMS first (picture 1).

    [picture 1]

    This seems to be relatively straightforward. The service is up and running. If we use the -l option we can look at the inner service structure. There is plenty of server-based Java code used by the CMS. The other part of the Java code you can see in your browser context being executed while working with the GUI (picture 2).

    [picture 2]

    The other important code part is apps. Traditionally they did not exist at all. Starting with release 7.2, the REST API was introduced and the new SDK was released to enable you to develop your own apps.

    QRadar runs as many apps as you have memory and power available. Please use an app host. QRadar apps run in dedicated containers of their own and thus are independent from the CMS. When you install an app, it gets a unique ID assigned to it. The state of each app is stored in psql and can be monitored using the psql query shown in picture 3.

    [picture 3]

    Typically apps will ask the CMS via the REST API for data stored in the proprietary ARIEL database. That's where all the data from your >1000 log sources gets securely stored. You can use the REST API for your own scripts to talk to the headless CMS. This allows for communicating with QRadar from outside without any need to use the browser and is ideally suited for any kind of automatic collaboration (picture 4) with third-party apps.

    [picture 4]

    The REST API can easily be tried out using the GUI and comes back with ready-made curl commands for your own SecDevOps processes.

    Earlier I promised to talk about QRadar features. One is that the IP address of the Tomcat host where the GUI resides cannot easily be changed. As it is bound to the backend CMS, you had better install a fresh copy. Now why is that?

    We use this as an example to have a closer look at the inner parts of the application. Of course we use the CLI to do so. Nearly 100% of all config data is stored in the Postgres database. Whenever you make a change in your admin GUI, the application checks your input against what is already stored in the database. If your changes are validated successfully, they will be rolled out by the CMS to all components. This requires admin interaction, asking the user to deploy the changes made. Let's have a look at the database tables in psql (picture 5). The psql command asks for all tables in the database. More than 1000 tables! That's a huge database. Now we ask for the IP address of the managed host (picture 6). Of course this should match your ifconfig output. You are in deep shit if not! Here is the $100 question you can now answer yourself:
    Can the IP address easily be changed in the DB? As you already assumed, it cannot. Not saying it can't be done, just that it's complex. So please take care and contact support if you are uncertain.

    [picture 5]

    [picture 6]

    Next time you click a JavaScript button in the GUI and impatiently watch your 100 config changes being deployed, before blaming it for the time-consuming procedure you had better think twice and just enjoy watching QRadar working for you, without complaints in most cases!

    „The end" who of you still remembers this fantastic Beatles song from the Abbey Road album 1969? The original version can be found at https://www.youtube.com/watch?v=1AN7S7n8VdM



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
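The post describes scripts talking to the headless CMS over the REST API instead of through the browser. The following is an added example, not code from the post or from IBM: it drives the Ariel search endpoints of the QRadar REST API (start an AQL search, poll it until it completes, fetch the rows), which is the exchange an app or integration script performs against the console. The endpoints and the SEC/Version headers are the real API; the console name, the token value, the sample event rows and the FakeConsole transport are constructed so the script runs offline, and the fake also returns 401 for a wrong token so the error path is exercised.

```python
# Added example (not from the original post or from IBM). Real QRadar REST API
# elements used: the SEC token header, the Version header,
# POST /api/ariel/searches?query_expression=..., GET /api/ariel/searches/{id}
# and GET /api/ariel/searches/{id}/results.
# Constructed for this example: the console name, the token, EVENTS, and
# FakeConsole, an in-memory stand-in for the appliance so everything runs offline.
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, body, headers) -> (http_status, response_bytes)
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, body: Optional[bytes],
                     headers: Dict[str, str]) -> Tuple[int, bytes]:
    """HTTPS transport for a real console (not exercised in the offline demo)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # surface non-2xx status and body
        return err.code, err.read()


class ArielClient:
    """Minimal client for the Ariel search endpoints of the QRadar REST API."""

    def __init__(self, console: str, token: str, transport: Transport = urllib_transport,
                 api_version: str = "12.0") -> None:
        self.base = f"https://{console}/api"
        # SEC carries the authorized-service token; Version pins the API version
        self.headers = {"SEC": token, "Version": api_version, "Accept": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str) -> dict:
        status, raw = self.transport(method, self.base + path, None, self.headers)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def start_search(self, aql: str) -> str:
        path = "/ariel/searches?query_expression=" + urllib.parse.quote(aql, safe="")
        return self._call("POST", path)["search_id"]

    def wait_for(self, search_id: str, poll_seconds: float = 2.0, max_polls: int = 150) -> str:
        """Poll until the search reports COMPLETED; fail on ERROR/CANCELED or timeout."""
        for _ in range(max_polls):
            status = self._call("GET", f"/ariel/searches/{search_id}")["status"]
            if status == "COMPLETED":
                return status
            if status in ("ERROR", "CANCELED"):
                raise RuntimeError(f"search {search_id} ended with status {status}")
            time.sleep(poll_seconds)
        raise TimeoutError(f"search {search_id} not complete after {max_polls} polls")

    def results(self, search_id: str) -> List[dict]:
        # the top-level key matches the Ariel table queried (events or flows)
        body = self._call("GET", f"/ariel/searches/{search_id}/results")
        return body.get("events", body.get("flows", []))

    def query(self, aql: str, poll_seconds: float = 2.0) -> List[dict]:
        sid = self.start_search(aql)
        self.wait_for(sid, poll_seconds)
        return self.results(sid)


EVENTS = [  # constructed sample rows, not real QRadar data
    {"sourceip": "10.0.0.5", "destinationip": "10.0.0.9", "eventcount": 3},
    {"sourceip": "10.0.0.7", "destinationip": "10.0.0.9", "eventcount": 1},
]


class FakeConsole:
    """Constructed stand-in for the console: checks the token, and makes a
    search take two polls before it reports COMPLETED."""

    def __init__(self, token: str) -> None:
        self.token = token
        self.polls: Dict[str, int] = {}
        self.calls: List[str] = []  # record of the exchange, for inspection

    def __call__(self, method: str, url: str, body: Optional[bytes],
                 headers: Dict[str, str]) -> Tuple[int, bytes]:
        path = url.split("/api", 1)[1]
        self.calls.append(f"{method} {path}")
        if headers.get("SEC") != self.token:
            return 401, json.dumps({"message": "unauthorized"}).encode()
        if method == "POST" and path.startswith("/ariel/searches?"):
            sid = f"search-{len(self.polls) + 1}"
            self.polls[sid] = 0
            return 201, json.dumps({"search_id": sid, "status": "WAIT"}).encode()
        if method == "GET" and path.endswith("/results"):
            return 200, json.dumps({"events": EVENTS}).encode()
        if method == "GET" and path.startswith("/ariel/searches/"):
            sid = path.rsplit("/", 1)[1]
            self.polls[sid] = self.polls.get(sid, 0) + 1
            state = "EXECUTE" if self.polls[sid] < 2 else "COMPLETED"
            return 200, json.dumps({"search_id": sid, "status": state}).encode()
        return 404, b""


def run_demo() -> Tuple[List[dict], List[str]]:
    """Run one AQL query against the fake console; returns (rows, call log)."""
    fake = FakeConsole(token="constructed-token")
    client = ArielClient("qradar.example.internal", "constructed-token", transport=fake)
    aql = "SELECT sourceip, destinationip, eventcount FROM events LAST 5 MINUTES"
    return client.query(aql, poll_seconds=0), fake.calls


if __name__ == "__main__":
    rows, calls = run_demo()
    print("\n".join(calls))
    print(rows)
```

To use it against a real console, pass the console host name and an authorized-service token and leave `transport` at its default; the call log recorded by `FakeConsole` shows the same POST, poll, results sequence the curl commands from the GUI's API page would produce.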