
Lab guide

QRadar reference data collections and custom rules
Course code LSL0480X
December 2022 edition
NOTICES
This information was developed for products and services offered in the USA.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative
for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not
intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate
and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document
does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing


IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY
10504-1785
United States of America

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the
examples include the names of individuals, companies, brands, and products. All names and references for organizations and other business
institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental. All names and
associated information for people in this deliverable’s scenarios are fictional. Any match with a real person is coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated
in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a worldwide basis.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or
both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware vSphere
are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are trademarks or
registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
© Copyright International Business Machines Corporation 2022.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Reference data collections and custom rules
Exercise 1 Creating reference data collections
Exercise 2 Creating a custom rule
Exercise 3 Testing the rule

© Copyright IBM Corp. 2022



Reference data collections and custom rules


In this virtual lab, you create a reference table that contains data about users, user IDs, and their
badges. This reference table is used in a custom rule, which performs rule tests for events that
were sent by a log source of the type Physical Access. The rule test looks up metadata about
users and checks for expired badges. If the rule fires, a rule response writes the username to a
reference set.

Exercise 1 Creating reference data collections


In this exercise, you use the Reference Data Management app to create a reference table. This
reference table has an outer key (or Parent key), which contains the employee usernames. Two
inner keys contain the user IDs and the status of the badge.
1. Log in to the QRadar Console.
• Login: admin
• Password: P@ssw0rd

2. To access the app, click Reference Data Management.

3. Expand the Reference Table section.

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

4. Click Create New.

5. In the Reference Table Name field, type Employee_badges.

6. Leave the Timeout Type value as the default FIRST_SEEN.


7. Leave the Time to Live field blank.

Note: When you leave the Time to Live field blank, the parameter is set to Forever.

8. In the Key Label field, double-click the text to highlight it, press Backspace to delete it, and type
Emp_name.

9. Unless otherwise stated, keep the Default Key Type as ALN (alphanumeric).

10. Double-click Inner Key 1 and press Backspace.

11. Type Emp_ID.


12. Click Add Inner Key. Double-click text to highlight, press Backspace, then type badge_status.

13. Click Create.

14. Review the data of the created Reference Table.

In the next steps, you add elements to the reference table by using different methods. Press Tab to
move to the next text field for steps 16, 17, 18.

15. To add a single entry, click Add Entry.

16. In the Emp_name field, type Susan Cameron. Press Tab.

17. In the Emp_ID field, type 046. Press Tab.

18. In the badge_status field, type valid. Press Tab.


19. Click Save.

20. Review the data of the element that you added by expanding the Key entry Susan Cameron.

21. Scroll down using the down arrow key or the scroll bar to see the entire entry.

In steps 22–30, you import elements from a .csv file.

22. Navigate to Places and select Documents.


23. Double-click the Import Files folder and then double-click the Emp_badges.csv file.

24. Review the structure of the import file.

Note: The first line contains the header keys. The remaining lines follow the structure: Parent
Key, Inner Key, Value. The values are separated by commas.

25. Close the import file and then close the Documents window.

26. Back in the Reference Data Management app, click Import from File.


The Add Entry window opens.

27. Click Drag and drop file here or click to upload.

28. Double-click the Import_files folder, select the import file that you examined, and click Open.

29. Click Save.


30. Observe the additional entries for Anthony Pease and Eric Williams.

Next, you create a reference set.

31. Expand the Reference Set section and click Create New.

32. For Reference Set Name, type Employee_badge_expired.

33. For Timeout Type, select LAST_SEEN.

34. For Time to Live, click “days.” From the drop-down list, select mons.

35. Enter the value 2 in the text field.

Important: You set the Time to Live value to 2 months since last seen. When the data element
expires, QRadar automatically deletes the value from the reference data collection and triggers
an event to track the expiration.

36. Review your data.


It looks like the following image.

37. Click Create.


Your summary looks like this screen capture.


Exercise 2 Creating a custom rule


In this exercise, you create a custom rule that tests events from log source type Physical Access
by using metadata from the reference table to check whether an employee badge has expired. As
a rule response, the employee name is added to a reference set.

1. Double-click Offenses.

2. Click Rules.

3. From the Actions menu, select New Event Rule.

4. To get to the Rule Test Stack Editor in the Rule wizard, click Next twice.

5. In the Test Group search window, type log.


6. To select the second test group from the top, click the + icon.

7. Click these log source types.

8. Search for Physical Access.

9. Click Add.

10. Click Submit.


11. In the Rule name field, type _Check_expired_badges.

Hint: With this rule test, you ensure that only events that come from the log source type Physical
Access are tested any further. This criterion makes the rule less expensive and saves system
resources.

Now you add a second Rule test to the test stack.

12. In the Test Group search window, double-click the existing text to highlight it, press the Backspace key,
then type ref.

13. To select the last test group that contains “Reference Table”, click the + icon.

14. Click Reference Table Key, select Employee badges -> Emp name from the drop-down list and
click Submit.

15. Click any selected event properties and search for Username. Select it from the list and click the
Add+ button. Then click Submit.

16. Click selected reference table column.

17. Select badge_status from the drop-down list and click Submit.

18. Click operator and then click Submit to choose the default entry of equals.

19. Click selected event property and type expired in the lower text field as a value to compare
against.

20. Click Submit.

21. Confirm that your rule tests look like this image.

22. Click Next.

23. Click the Severity checkbox and set the severity to 8.

24. Click the Ensure the detected event is part of an offense checkbox and from the drop-down list,
scroll down by using the down arrow key or scroll bar to select Username.


Note: This Rule Action sets the severity of the event that matches all rule tests to 8. Then, it
checks whether this event is part of an offense that is indexed on the Username. If no offense
exists yet, a new offense is created. So, the first event that matches the tests fires the rule and
creates the offense. All later matching events are added to that existing offense.

25. Check the Dispatch New Event checkbox and type Badge expired for the Event Name, and
User badge expired for the Event Description.
26. Change the Severity under Event details to 8, and the Credibility and Relevance to 0.
27. Check Ensure the dispatched event is part of an offense and use the drop-down arrow to select
Username. You must scroll down using the down arrow key or scrollbar.
28. Check Add to a Reference Set and from the drop-down list in the first field, choose Username
(you must scroll down) and from the second drop-down list, choose
Employee_badge_expired-Alphanumeric.


Note: The first entry of the Rule Response dispatches a new event for the purpose of
documentation and assigns it to an offense that is indexed on Username. This offense is the one
that is already created in the Rule action. The second entry in the Rule Response adds the
Username to the reference set Employee_badge_expired. When the element expires, an
expiration event is dispatched from the system.

29. Scroll to the bottom to make sure that Enable this rule if you want to begin watching events
right away is selected.

It is selected by default.

30. Click Next.

31. Click Finish.
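As an added illustration (not IBM code and not part of the lab), the following stand-alone Python model follows the reference table built in Exercise 1 and the rule configured in Exercise 2: it parses the CSV import layout, runs the two rule tests against constructed events, adds matching usernames to a reference set, and shows how the LAST_SEEN timeout differs from FIRST_SEEN. The CSV rows, the Emp_ID 047 for Eric Williams, the "Linux OS" event, and reading "2 months" as 60 days are constructed assumptions.

```python
import csv, io

# Constructed sample in the lab's import-file layout: a header line, then "Parent Key, Inner Key, Value" rows.
EMP_BADGES_CSV = """\
Emp_name,inner_key,value
Susan Cameron,Emp_ID,046
Susan Cameron,badge_status,valid
Eric Williams,Emp_ID,047
Eric Williams,badge_status,expired
"""

def load_reference_table(text):
    """Build {outer_key: {inner_key: value}}, the shape of the lab's Employee_badges table."""
    table = {}
    rows = csv.reader(io.StringIO(text))
    next(rows)  # skip the header line
    for parent_key, inner_key, value in rows:
        table.setdefault(parent_key.strip(), {})[inner_key.strip()] = value.strip()
    return table

class ReferenceSet:
    def __init__(self, ttl_days, timeout_type="LAST_SEEN"):
        self.ttl, self.timeout_type, self.elements = ttl_days, timeout_type, {}

    def add(self, value, today):
        # LAST_SEEN restarts the clock on every add; FIRST_SEEN keeps the first timestamp.
        if value not in self.elements or self.timeout_type == "LAST_SEEN":
            self.elements[value] = today

    def purge(self, today):
        # Elements past their TTL are removed (QRadar also dispatches an expiration event).
        expired = sorted(v for v, seen in self.elements.items() if today - seen >= self.ttl)
        self.elements = {v: s for v, s in self.elements.items() if v not in expired}
        return expired

def rule_matches(source_type, username, table):
    """Test 1 filters on log source type first (cheap); test 2 looks up badge_status for the Username."""
    return source_type == "Physical Access" and table.get(username, {}).get("badge_status") == "expired"

def demo():
    """Replay three constructed events on day 0, then age the set past its 2-month TTL."""
    table = load_reference_table(EMP_BADGES_CSV)
    badge_expired = ReferenceSet(ttl_days=60)  # lab TTL: 2 months since last seen, taken as 60 days
    events = [("Physical Access", "Eric Williams"), ("Physical Access", "Susan Cameron"),
              ("Linux OS", "Eric Williams")]  # the third event is dropped by the first rule test
    hits = [user for lst, user in events if rule_matches(lst, user, table)]
    for user in hits:
        badge_expired.add(user, today=0)  # rule response: Add to a Reference Set
    badge_expired.add("Eric Williams", today=30)  # seen again: LAST_SEEN pushes the expiry out
    return hits, badge_expired.purge(today=61), badge_expired.purge(today=90)
```

Calling demo() returns (["Eric Williams"], [], ["Eric Williams"]): only the expired badge fires the rule, the element survives day 61 because it was re-seen on day 30, and it expires on day 90.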


Exercise 3 Testing the rule


In this exercise, you test the rule that you created by replaying events from a Physical Access log
source.
1. On the QRadar Console, double-click the Log Activity tab.
2. Click the Simulate Log Activity button.

3. Observe the events in log activity.


Two events are assigned to an offense, indicated by a red dot.

Hint: Sometimes the red dot does not appear immediately. Click the Pause button or select last
5 min in the View options.

4. To see the offense that was created, double-click Offenses.


5. To check its details, double-click the offense to open it.

Note: Notice that 2 events are assigned to this offense. One comes from the log source of type
Physical Access. The other event comes from the Custom Rule Engine. The Username that is
involved in this offense is Eric Williams.

6. Click Reference Data Management and refresh the Employee_badge_expired Reference Set.

7. Verify that Eric Williams is an element of this reference set.

This concludes the exercises in this lab.

