QRadar XDR

  • 1.  To experts: if you went back in time how would you learn QRadar (you don't have any experience using SIEM products)

    User Group Leader
    Posted Sun September 12, 2021 05:01 PM

    If you went back in time, how would you learn QRadar (you don't have any experience using SIEM products)? Feel free to tell me about articles, courses, blogs and videos you would use to learn.

    (I really want to know your opinion about that @Wendy Batten)



    ------------------------------
    Noureldin Ehab
    Software Engineering Student | Cyber Security Enthusiast | Red Team 🔴 | CTF Addict 👾
    Twitter: https://twitter.com/Nouureldin_Ehab
    LinkedIn: https://www.linkedin.com/in/noureldin-ehab-a57940190/
    ------------------------------


  • 2.  RE: To experts: if you went back in time how would you learn QRadar (you don't have any experience using SIEM products)

    Posted Mon September 13, 2021 10:41 AM

    IBM Security Learning Academy has all you need to know. It has some nice roadmaps with course content designed based on what you want to learn.

    Good luck with your learning.

    ~
    Raj.

    ------------------------------
    raj 5
    ------------------------------



  • 3.  RE: To experts: if you went back in time how would you learn QRadar (you don't have any experience using SIEM products)

    Posted Mon September 13, 2021 10:50 AM
    Going back in time would not be really productive as the tools change so often. Instead, learn what is used and how. The QRadar Use Case Manager app maps a LOT of QRadar content directly to MITRE ATT&CK. First learning the different attacks teaches you how to look for the attack. You also have to have the data coming into QRadar; only then can rule development begin. So if you have an IPS, you can utilize rules that are based on IPS events. If you don't have them, then the content and rules are of no use to you. The same applies to all log source types AND control categories. If you have Access Control (AC) events, for instance, then you can utilize AC rules.

    The other important thing is that the events sent match the content of the rules. For instance, many Windows access denied events occur because someone does not have access to an object. Knowing that Microsoft Windows tries to browse all content available means that you know certain types of access denied messages are just normal background noise versus someone brute forcing or scanning content. Knowing how to interpret the events in the native platform makes it easier to interpret them in QRadar. Seeing the event in the native user interface often has context that you will not find in a raw event. Being able to see both and understand both adds tremendous value to your analytical skills.

    ------------------------------
    Frank Eargle
    ------------------------------
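One way to put Frank's point about background noise versus scanning into code, as an added example that is not part of the thread and is not a QRadar rule: a small Python detector over constructed, simplified access-denied records. The record layout, hostnames, share names, the five-minute window and the five-distinct-objects threshold are all assumptions made for the example. It flags a source only when it is denied on many distinct objects within a short window, so a workstation that keeps bumping into the same two shares it cannot read stays quiet, while a host that sweeps eight different shares in two minutes is raised.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp key=value ..." layout
# (not the native Windows event format). One line per access-denied record.
# WS-01: routine noise, the same two shares denied again and again.
# WS-07: eight distinct shares denied within two minutes (sweep).
# WS-03: six distinct shares, but spread over hours (one every 30 minutes).
SAMPLE_EVENTS = """\
2021-09-13T10:00:05 src=WS-01 user=alice object=FS1/Finance result=denied
2021-09-13T10:00:06 src=WS-01 user=alice object=FS1/HR result=denied
2021-09-13T10:01:05 src=WS-01 user=alice object=FS1/Finance result=denied
2021-09-13T10:01:06 src=WS-01 user=alice object=FS1/HR result=denied
2021-09-13T10:02:05 src=WS-01 user=alice object=FS1/Finance result=denied
2021-09-13T10:10:00 src=WS-07 user=bob object=FS1/Finance result=denied
2021-09-13T10:10:15 src=WS-07 user=bob object=FS1/HR result=denied
2021-09-13T10:10:30 src=WS-07 user=bob object=FS1/Legal result=denied
2021-09-13T10:10:45 src=WS-07 user=bob object=FS1/Payroll result=denied
2021-09-13T10:11:00 src=WS-07 user=bob object=FS1/Board result=denied
2021-09-13T10:11:15 src=WS-07 user=bob object=FS1/IT-Admin result=denied
2021-09-13T10:11:30 src=WS-07 user=bob object=FS1/Backups result=denied
2021-09-13T10:11:45 src=WS-07 user=bob object=FS1/Engineering result=denied
2021-09-13T09:00:00 src=WS-03 user=carol object=FS1/Finance result=denied
2021-09-13T09:30:00 src=WS-03 user=carol object=FS1/HR result=denied
2021-09-13T10:00:00 src=WS-03 user=carol object=FS1/Legal result=denied
2021-09-13T10:30:00 src=WS-03 user=carol object=FS1/Payroll result=denied
2021-09-13T11:00:00 src=WS-03 user=carol object=FS1/Board result=denied
2021-09-13T11:30:00 src=WS-03 user=carol object=FS1/Backups result=denied
"""


def parse_event(line):
    """Turn one record into a dict; the first token is an ISO timestamp."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.fromisoformat(ts_text)
    return fields


def distinct_objects_per_source(lines, window=timedelta(minutes=5), threshold=5):
    """Sliding-window count of distinct denied objects per source host.

    Returns (peak_by_source, flagged_sources): the highest number of distinct
    objects a source was denied on inside any one window, and the sources
    whose peak reached the threshold.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["time"])
    recent = defaultdict(deque)   # src -> deque of (time, object) in window
    peak = defaultdict(int)
    for ev in events:
        if ev.get("result") != "denied":
            continue
        q = recent[ev["src"]]
        q.append((ev["time"], ev["object"]))
        # Drop entries older than the window relative to the newest event.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        distinct = len({obj for _, obj in q})
        peak[ev["src"]] = max(peak[ev["src"]], distinct)
    flagged = sorted(s for s, n in peak.items() if n >= threshold)
    return dict(peak), flagged


if __name__ == "__main__":
    peak, flagged = distinct_objects_per_source(SAMPLE_EVENTS.splitlines())
    for src, n in sorted(peak.items()):
        print(f"{src}: peak distinct denied objects in window = {n}")
    print("flagged:", flagged)
```

The distinct-object count is what separates the two cases: repeated denials on the same object are what Windows browsing produces, while breadth across objects in a short time is the shape of a content sweep. The same logic can be expressed as a rule over the Windows log source once those events are actually arriving, which is Frank's earlier point about needing the data before the rule.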



  • 4.  RE: To experts: if you went back in time how would you learn QRadar (you don't have any experience using SIEM products)

    User Group Leader
    Posted Mon September 13, 2021 12:22 PM
    Well, thank you so much, sir. I want to work in the red team, but I thought it would be helpful if I learned and used SIEM products like QRadar to know how the blue team thinks.

    ------------------------------
    Noureldin Ehab
    Software Engineering Student | Cyber Security Enthusiast | Red Team 🔴 | CTF Addict 👾
    Twitter: https://twitter.com/Nouureldin_Ehab
    LinkedIn: https://www.linkedin.com/in/noureldin-ehab-a57940190/
    ------------------------------



  • 5.  RE: To experts: if you went back in time how would you learn QRadar (you don't have any experience using SIEM products)

    Posted 30 days ago
    Noureldin,
    Many useful comments here. Frank is correct about the fast change of tools, especially in the SIEM world. On the other hand, the principles of IT security infrastructure have not changed at the same pace. Using open source tools is an excellent approach to set up your blue IT world. Start with your own webserver. Set up a firewall in front of the webserver. Run a VA scanner from the internal and external perimeter and watch the difference in results. Check the network traffic using Wireshark. Develop your own penetration scenario, e.g. brute force login, DDoS attack and exploiting a known vulnerability. Test it live and have a deep look at what your firewall log, IPS log and SIEM can see using both net and log monitoring.
    The more sophisticated your attack is, the harder it gets to detect. Going back in time does not help explain recent attacks and countermeasures, but it reduces the complexity of your live learning lab and can help you focus on the basics of your security world before you get lost in rocket science.
    BR, Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------