IBM Security QRadar SIEM
Getting Started Guide
Version 7.2.7

Note: Before you use this information and the product that it supports, read the information in "Notices" at the end of this guide.

This document applies to IBM QRadar Security Intelligence Platform 7.2.7 and subsequent releases unless superseded by an updated version of this document.

© Copyright IBM Corporation 2012, 2016.

Contents
Introduction to getting started with QRadar SIEM

Chapter 1. QRadar SIEM overview
  Log Activity tab
  Network Activity tab
  Assets
  Offenses
  Reports
  Data collection
    Event data collection
    Flow data collection
    Vulnerability assessment (VA) information
  QRadar SIEM rules
  Supported web browsers

Chapter 2. Starting to deploy QRadar SIEM
  Installing the QRadar SIEM appliance
  QRadar SIEM appliance
  Configuring QRadar SIEM
  Network hierarchy
    Reviewing the network hierarchy
  Automatic updates
    Configuring automatic update settings
  Collecting events
  Collecting flows
  Importing vulnerability assessment (VA) information
  QRadar SIEM tuning
    Payload indexing
    Enabling payload indexing
    Servers and building blocks
    Automatically adding servers to building blocks
    Manually adding servers to building blocks
    Configuring rules
    Cleaning the SIM data model

Chapter 3. Getting started with QRadar SIEM
  Searching events
  Saving event search criteria
  Configuring a time series chart
  Searching flows
  Saving flow search criteria
  Creating a dashboard item
  Searching assets
  Offense investigations
    Investigating offenses
  Example: Enabling PCI report templates
  Example: Creating a custom report based on a saved search

Notices
  Trademarks
  Terms and conditions for product documentation
  Privacy policy considerations

Glossary
Introduction to getting started with QRadar SIEM

The IBM® Security QRadar® Getting Started Guide introduces the main concepts, the installation and configuration tasks, and the tuning tasks that you must complete to start using QRadar SIEM in your environment.

Intended audience

This information is intended for security administrators who are responsible for investigating and managing network security. To use this guide, you must have knowledge of your corporate network infrastructure and networking technologies.

Technical documentation

For information about how to access more technical documentation, technical notes, and release notes, see the Accessing IBM Security Documentation Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Contacting customer support

For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated, or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service, or security measure can be completely effective in preventing improper use or access. IBM systems, products, and services are designed to be part of a lawful, comprehensive security approach, which necessarily involves additional operational procedures and might require other systems, products, or services to be most effective. IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Please note

Use of this program might implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. The customer agrees to use this program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations, and policies. The licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.
Chapter 1. QRadar SIEM overview

IBM Security QRadar SIEM is a network security management platform that provides situational awareness and compliance support. QRadar SIEM combines flow-based network knowledge, security event correlation, and asset-based vulnerability assessment.

To get started, configure a basic QRadar SIEM installation, collect event and flow data, and generate reports.

Log Activity tab

In IBM Security QRadar SIEM, you can monitor and investigate events in real time or perform advanced searches.

The Log Activity tab displays event information as records from a log source, such as a firewall or a router. Use the Log Activity tab to do the following tasks:
- Investigate event data.
- Investigate event logs that are sent to QRadar SIEM in real time.
- Search events.
- Monitor log activity by using configurable time series charts.
- Identify false positives to tune QRadar SIEM.

Network Activity tab

In IBM Security QRadar SIEM, you can investigate the communication sessions between two hosts.

If content capture is enabled, the Network Activity tab displays information about how network traffic is communicated and what was communicated. Use the Network Activity tab to do the following tasks:
- Investigate the flows that are sent to QRadar SIEM in real time.
- Search network flows.
- Monitor network activity by using configurable time series charts.

Assets

QRadar SIEM automatically creates asset profiles by using passive flow data and vulnerability data to discover your network servers and hosts.

Asset profiles provide information about each known asset in your network, including the services that are running. Asset profile information is used for correlation, which helps to reduce false positives.

Use the Assets tab to do the following tasks:
- Search assets.
- View all learned assets.
- View identity information for learned assets.
- Tune false positives.

Offenses

In IBM Security QRadar SIEM, you can investigate offenses to determine the root cause of a network issue.

Use the Offenses tab to view all the offenses on your network and to do the following tasks:
- Investigate offenses, source and destination IP addresses, network behaviors, and anomalies on your network.
- Correlate events and flows from multiple networks to the same destination IP address.
- Navigate the pages of the Offenses tab to investigate event and flow details.
- Determine the unique events that caused an offense.

Reports

In IBM Security QRadar SIEM, you can create custom reports or use default reports.

QRadar SIEM provides default report templates that you can customize, rebrand, and distribute to QRadar SIEM users.

Report templates are grouped into report types, such as compliance, device, executive, and network reports. Use the Reports tab to do the following tasks:
- Create, distribute, and manage reports for QRadar SIEM data.
- Create customized reports for operational and executive use.
- Combine security and network information into a single report.
- Use or edit preinstalled report templates.
- Brand your reports with customized logos. Branding is beneficial for distributing reports to different audiences.
- Set a schedule for generating custom and default reports.
- Publish reports in various formats.
Data collection

QRadar SIEM accepts information in various formats and from a wide range of devices, including security events, network traffic, and scan results.

Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.

Event data collection

Events are generated by log sources such as firewalls, routers, servers, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

Most log sources send information to QRadar SIEM by using the syslog protocol. QRadar SIEM also supports the following protocols:
- Simple Network Management Protocol (SNMP)
- Java™ Database Connectivity (JDBC)
- Security Device Event Exchange (SDEE)

By default, QRadar SIEM automatically detects log sources after a specific number of identifiable logs are received within a certain time period. After the log sources are successfully detected, QRadar SIEM adds the appropriate Device Support Module (DSM) to the Log Sources window in the Admin tab.

Although most DSMs include native log sending capability, several DSMs require extra configuration, an agent, or both to send logs. Configuration varies between DSM types. You must ensure that the DSMs are configured to send logs in a format that QRadar SIEM supports. For more information about configuring DSMs, see the DSM Configuration Guide.

Certain log source types, such as routers and switches, do not send enough logs for QRadar SIEM to quickly detect and add them to the Log Sources list. You can add these log sources manually. For more information about adding log sources manually, see the IBM Security QRadar Log Sources User Guide.
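The collection behaviour described above, as an added example that is not part of the original guide and not QRadar's own code: a small syslog receiver that parses RFC 3164 style lines, picks a Device Support Module for each line from the program name or message format, and auto-discovers a log source once a host has sent enough identifiable events. The DSM matching patterns, the discovery threshold, and the sample log lines are constructed assumptions for this example; the real threshold depends on the DSM. The router in the sample sends too few lines to be discovered, which is the situation the guide describes for routers and switches.

```python
"""Syslog event collection with log source auto-discovery (illustrative)."""
import re
from collections import defaultdict

# Assumed threshold: auto-discover a source after this many identifiable
# events. QRadar's real value is DSM specific; this number is an assumption.
AUTO_DISCOVER_THRESHOLD = 3

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(line):
    """Return a dict of header fields, or None when the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # PRI encodes facility * 8 + severity
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    return rec


def identify_dsm(rec):
    """Constructed stand-in for DSM identification; real DSMs use far richer patterns."""
    if rec["prog"] == "sshd":
        return "Linux OS"
    if rec["msg"].startswith("%"):  # Cisco IOS facility-severity-mnemonic prefix
        return "Cisco IOS"
    return None


class LogSourceDiscovery:
    """Counts identifiable events per (host, DSM) and discovers a log source at the threshold."""

    def __init__(self, threshold=AUTO_DISCOVER_THRESHOLD):
        self.threshold = threshold
        self.counts = defaultdict(int)  # (host, dsm) -> identifiable event count
        self.discovered = {}            # host -> dsm
        self.unparsed = []              # lines that did not parse as syslog

    def ingest(self, line):
        rec = parse_syslog(line)
        if rec is None:
            self.unparsed.append(line)
            return None
        dsm = identify_dsm(rec)
        if dsm is not None:
            key = (rec["host"], dsm)
            self.counts[key] += 1
            if self.counts[key] >= self.threshold and rec["host"] not in self.discovered:
                self.discovered[rec["host"]] = dsm
        return rec


# Constructed sample input: three sshd lines from a server, two IOS lines
# from a router (below the threshold), and one line that is not syslog.
SAMPLE_LINES = [
    "<38>Jan 12 10:00:01 web01 sshd[2012]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "<38>Jan 12 10:00:03 web01 sshd[2012]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "<38>Jan 12 10:00:05 web01 sshd[2014]: Accepted publickey for deploy from 192.168.1.20 port 40122 ssh2",
    "<189>Jan 12 10:00:07 rtr01 123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4567) -> 192.168.1.10(23), 1 packet",
    "<189>Jan 12 10:00:09 rtr01 124: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4568) -> 192.168.1.10(23), 1 packet",
    "this line is not syslog",
]


def run_sample():
    collector = LogSourceDiscovery()
    for line in SAMPLE_LINES:
        collector.ingest(line)
    return collector


if __name__ == "__main__":
    c = run_sample()
    print("discovered:", c.discovered)
    print("pending:", dict(c.counts))
    print("unparsed:", len(c.unparsed))
```

The router shows up in `counts` but not in `discovered`, which is the case where you add the log source by hand in the Admin tab.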
Flow data collection

Flows provide information about network traffic and can be sent to QRadar SIEM in various formats, including Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer.

By accepting multiple flow formats at the same time, QRadar SIEM can detect threats and activities that would otherwise be missed by relying strictly on events for information.

QRadar QFlow Collectors provide full application detection of network traffic regardless of the port on which the application is operating. For example, if the Internet Relay Chat (IRC) protocol is communicating on port 7500/TCP, a QRadar QFlow Collector identifies the traffic as IRC and provides a packet capture of the beginning of the conversation. NetFlow and J-Flow notify you only that there is traffic on port 7500/TCP, without providing any context about the protocol that is being used.

Common mirror port locations include core, DMZ, server, and application switches. NetFlow provides supplemental information from border switches and routers.

QRadar QFlow Collectors are enabled by default and require a mirror, SPAN, or tap to be connected to an available interface on the QRadar SIEM appliance. Flow analysis begins automatically when the mirror port is connected to one of the network interfaces on the QRadar SIEM appliance. By default, QRadar SIEM monitors the management interface for NetFlow traffic on port 2055/UDP. You can assign extra NetFlow ports if they are required.
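The difference between port-based and payload-based application detection, as an added example that is not part of the original guide and not QFlow's signature set: a NetFlow style record carries only the 5-tuple and counters, so a port map can at best guess the application, while a QFlow style record carries the first bytes of payload, from which the application is recognised whatever port it uses. The port map, the four payload signatures, and the sample records (including the IRC conversation on 7500/TCP from the text) are constructed for this example.

```python
"""Port-based versus payload-based application detection (illustrative)."""
import re
from dataclasses import dataclass

# Well-known port map, the only information a NetFlow record can be matched against.
PORT_MAP = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "TLS", 6667: "IRC"}

# Constructed payload signatures; each receives the first bytes of the conversation.
def _irc(p):
    return re.match(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|CAP) [^\r\n]*\r\n", p) is not None

def _http(p):
    return re.match(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", p) is not None

def _tls(p):
    # TLS record: content type 0x16 (handshake), version 3.0 to 3.3
    return len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03

def _ssh(p):
    return p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-")

SIGNATURES = [("IRC", _irc), ("HTTP", _http), ("TLS", _tls), ("SSH", _ssh)]


@dataclass
class FlowRecord:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes = b""  # empty for NetFlow/J-Flow; first bytes for a QFlow record


def classify_by_port(rec):
    """What NetFlow or J-Flow lets you say: a guess from the port numbers."""
    return PORT_MAP.get(rec.dport) or PORT_MAP.get(rec.sport) or "Unknown"


def classify_by_payload(rec):
    """What a QFlow style record supports; None when no payload was captured."""
    if not rec.payload:
        return None
    for name, test in SIGNATURES:
        if test(rec.payload):
            return name
    return "Unknown"


def classify(rec):
    """Prefer the payload verdict; fall back to the port map when there is no payload."""
    app = classify_by_payload(rec)
    return app if app is not None else classify_by_port(rec)


# Constructed sample records. The first two describe the same IRC session on
# 7500/TCP: once as NetFlow (no payload) and once as a QFlow record.
SAMPLE_FLOWS = [
    FlowRecord("192.168.1.42", 51822, "203.0.113.9", 7500, "tcp"),
    FlowRecord("192.168.1.42", 51822, "203.0.113.9", 7500, "tcp",
               b"NICK zombie42\r\nUSER zombie42 0 * :bot\r\nJOIN #c2\r\n"),
    FlowRecord("192.168.1.10", 40001, "198.51.100.5", 80, "tcp",
               b"GET /update.bin HTTP/1.1\r\nHost: 198.51.100.5\r\n\r\n"),
    FlowRecord("192.168.1.10", 40002, "198.51.100.5", 443, "tcp",
               b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]


def classify_all(flows):
    """Return (port verdict, final verdict) per flow."""
    return [(classify_by_port(f), classify(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  port={verdict[0]:8} payload={verdict[1]}")
```

The first record is all a NetFlow exporter can give you for that session, which is why the guide recommends a mirror port on the core, DMZ, and server switches in addition to NetFlow from the border.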
Vulnerability assessment (VA) information

QRadar SIEM can import VA information from various third-party scanners.

VA information helps QRadar Risk Manager identify active hosts, open ports, and potential vulnerabilities.

QRadar Risk Manager uses VA information to rank the magnitude of offenses on your network.

Depending on the VA scanner type, QRadar Risk Manager can import scan results from the scanner server or start a remote scan.

QRadar SIEM rules

Rules perform tests on events, flows, or offenses. If all the conditions of a test are met, the rule generates a response.

QRadar SIEM includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. For more information about rules, see the IBM Security QRadar Administration Guide.

The two categories of rules are:
- Custom rules perform tests on events, flows, and offenses to detect unusual activity in your network.
- Anomaly detection rules perform tests on the results of saved flow or event searches to detect when unusual traffic patterns occur in your network.

Important: A user with non-administrative access can create rules for the areas of the network that they can access. You must have the appropriate role permissions to manage rules. For more information about user role permissions, see the IBM Security QRadar Administration Guide.
Supported web browsers

For the features in IBM Security QRadar products to work properly, you must use a supported web browser.

When you access the QRadar system, you are prompted for a user name and a password. The user name and password must be configured in advance by the administrator.

The following table lists the supported web browsers.

Table 1. Supported web browsers for QRadar products

Web browser                                                                      Supported versions
Mozilla Firefox                                                                  38.0 Extended Support Release
32-bit Microsoft Internet Explorer, with document mode and browser mode enabled  11.0
Google Chrome                                                                    The current version
Chapter 2. Starting to deploy QRadar SIEM

You must deploy QRadar SIEM before you can use the main IBM Security QRadar SIEM features.

To deploy QRadar SIEM, you must complete the following tasks:
- Install the QRadar SIEM appliance.
- Configure the QRadar SIEM installation.
- Collect event, flow, and vulnerability assessment (VA) data.
- Tune the QRadar SIEM installation.

Installing the QRadar SIEM appliance

You must install the QRadar SIEM appliance before you can access the user interface.

Before you begin

Before you install the QRadar SIEM appliance, ensure that you have the following items:
- A rack or cabinet with enough space for the appliance.
- Rack mounting rails that are installed and ready for the appliance.
- A laptop, or a USB keyboard and a VGA monitor, to connect to the appliance.

Procedure

1. Connect a network cable from your network to the interface labeled Network 1 on the appliance.
2. Plug the power cord into the power supply on the back of the appliance.
3. If you are not using a laptop, connect a USB keyboard and a VGA monitor to the appliance.
4. If the appliance has a front bezel, press the tabs on either side of the bezel and pull it away from the appliance to remove it.
5. Power on the appliance.

QRadar SIEM appliance

The QRadar SIEM appliance is a 2U rack-mounted server. The appliance does not include rack mounting rails.

The QRadar SIEM appliance includes four network interfaces. For this installation, use the interface labeled Network 1 as the management interface.

You can use the three remaining interfaces to collect flows. QRadar QFlow Collectors provide full network application analysis and can do deep packet inspection from the beginning of each conversation. To monitor flows with the QRadar SIEM appliance, connect a SPAN or mirror port to any interface other than Network 1, and flow analysis begins automatically. You might need to perform extra steps to enable the QRadar QFlow Collector component on QRadar SIEM.

For more information, see the IBM Security QRadar Administration Guide.

Restriction: The flow analysis limit of the QRadar SIEM appliance is 50 Mbps. Ensure that the aggregate flow traffic on the monitoring interfaces does not exceed 50 Mbps.
Configuring QRadar SIEM

By configuring QRadar SIEM, you can review your network hierarchy and customize automatic updates.

Procedure

1. Ensure that Java Runtime Environment (JRE) 1.7, or the IBM 64-bit Runtime Environment for Java 7.0, is installed on the desktop system that you use to access the QRadar product interface.
2. Ensure that you are using a supported web browser. See "Supported web browsers".
3. If you use Internet Explorer, enable document mode and browser mode:
   a. In the Internet Explorer web browser, press F12 to open the Developer Tools window.
   b. Click Browser Mode and select the version of your web browser.
   c. Click Document Mode and select Internet Explorer 7.0 standards.
4. Log in to the QRadar SIEM interface by typing the following URL with the IP address of the QRadar console host:
   https://IP Address

Related concepts:
"Supported web browsers"
For the features in IBM Security QRadar products to work properly, you must use a supported web browser.
Network hierarchy

You can view different areas of your network that are organized by business function and prioritize threat and policy information accordingly.

QRadar SIEM uses the network hierarchy to do the following tasks:
- Understand network traffic and view network activity.
- Monitor specific logical groups or services in your network, such as marketing, DMZ, or VoIP.
- Monitor traffic and profile the behavior of each group and host within the group.
- Determine and identify local and remote hosts.

For tuning purposes, QRadar SIEM includes a default network hierarchy that contains predefined logical groups. Review the network hierarchy for accuracy and completeness. If your network includes network groups that are not included in the predefined network hierarchy, you must add them manually.

The networks that are defined in the network hierarchy do not have to be physically in your environment. All logical network ranges that belong to your infrastructure must be defined as network objects.

Note: If your system does not include a completed network hierarchy, use the Admin tab to create a hierarchy that is specific to your environment. For more information, see the IBM Security QRadar Administration Guide.

Reviewing the network hierarchy

You can review the network hierarchy.

Procedure

1. Click the Admin tab.
2. In the navigation menu, click System Configuration.
3. Click the Network Hierarchy icon.
4. In the Manage Group tree, expand Regulatory_Compliance_Servers.
   If your network hierarchy does not include regulatory compliance servers, you can use the Mail object for this procedure instead.
5. Click the Regulatory_Compliance_Servers object.
6. Click the Edit icon.
7. To add compliance servers, complete the following steps:
   a. In the IP/CIDR(s) field, type the IP address or CIDR range of your compliance servers.
   b. Click the Add (+) icon.
   c. Repeat the previous steps for each compliance server.
   d. Click Save.
   e. Repeat this process for any other network objects that you want to edit.
8. On the Admin tab menu, click Deploy Changes.

You can also import network information directly from a file by using the configuration tools. QRadar SIEM uses the configured network hierarchy to classify all network data flows.
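Why the hierarchy matters for every flow and rule, as an added example that is not part of the original guide and not QRadar's own code: an address is local when it falls inside a network object and remote otherwise, and the flow direction values L2L, L2R, R2L, and R2R used in searches and rules (see the glossary, and the R2L flow search in Chapter 3) are derived from the source and destination classification. The hierarchy below is constructed; apart from Regulatory_Compliance_Servers and Mail, the object names are illustrative. The last sample flow shows what happens when a range is missing from the hierarchy: internal traffic is classified as R2R.

```python
"""Flow direction from the network hierarchy (illustrative)."""
import ipaddress

# Constructed hierarchy: network object name -> CIDR ranges.
NETWORK_HIERARCHY = {
    "Net_10_0_0_0": ["10.0.0.0/8"],
    "Net_172_16_0_0": ["172.16.0.0/12"],
    "Net_192_168_0_0": ["192.168.0.0/16"],
    "Regulatory_Compliance_Servers": ["192.168.50.0/24"],
    "Mail": ["192.168.60.0/27"],
}


class NetworkHierarchy:
    """Longest-prefix lookup over the network objects of a hierarchy."""

    def __init__(self, groups):
        self.objects = []
        for name, cidrs in groups.items():
            for cidr in cidrs:
                self.objects.append((name, ipaddress.ip_network(cidr, strict=False)))
        # Most specific object first, so a /24 compliance group wins over its /16 parent.
        self.objects.sort(key=lambda obj: obj[1].prefixlen, reverse=True)

    def locate(self, ip):
        """Name of the most specific network object that contains ip, or None if remote."""
        addr = ipaddress.ip_address(ip)
        for name, net in self.objects:
            if addr in net:
                return name
        return None

    def is_local(self, ip):
        return self.locate(ip) is not None

    def direction(self, src, dst):
        """L2L, L2R, R2L or R2R, exactly as the Flow Direction property reads."""
        s = "L" if self.is_local(src) else "R"
        d = "L" if self.is_local(dst) else "R"
        return f"{s}2{d}"

    def classify_flows(self, flows):
        return [(self.direction(s, d), self.locate(s), self.locate(d)) for s, d in flows]


# Constructed flows as (source IP, destination IP).
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.50.10"),  # workstation to a compliance server
    ("203.0.113.7", "192.168.50.10"),   # Internet host to a compliance server
    ("192.168.10.5", "198.51.100.25"),  # workstation to the Internet
    ("203.0.113.7", "198.51.100.25"),   # transit traffic seen on a span port
    ("10.20.1.5", "10.20.1.9"),         # local only if 10.0.0.0/8 is defined
]


def run_sample():
    """Classify the sample with the full hierarchy and with 10.0.0.0/8 left out."""
    full = NetworkHierarchy(NETWORK_HIERARCHY)
    incomplete = NetworkHierarchy(
        {name: cidrs for name, cidrs in NETWORK_HIERARCHY.items() if name != "Net_10_0_0_0"}
    )
    return full.classify_flows(SAMPLE_FLOWS), incomplete.classify_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    full, incomplete = run_sample()
    for (src, dst), a, b in zip(SAMPLE_FLOWS, full, incomplete):
        print(f"{src:>14} -> {dst:<14}  full={a[0]}  incomplete={b[0]}")
```

A missing range turns local traffic into remote traffic, so rules that test for R2L or L2R behave differently and local hosts are not profiled, which is why the guide asks you to review the hierarchy before tuning.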
Automatic updates

Using QRadar SIEM, you can either replace your existing configuration files or integrate the updated files with your existing files.

The QRadar SIEM console must be connected to the Internet to receive the updates. If your console is not connected to the Internet, you must configure an internal update server. For more information about setting up an automatic update server, see the IBM Security QRadar User Guide.

Download software updates from IBM Fix Central (www.ibm.com/support/fixcentral/).

Update files can include the following updates:
- Configuration updates, which include configuration file changes, vulnerability, QID map, and security threat information updates.
- DSM updates, which include corrections to parsing issues, scanner changes, and protocol updates.
- Major updates, which include items such as updated JAR files.
- Minor updates, which include items such as extra online help content or updated scripts.

Configuring automatic update settings

You can customize the frequency of QRadar SIEM updates, the update types, the server configuration, and the backup settings.

Procedure

1. Click the Admin tab.
2. In the navigation menu, click System Configuration.
3. Click the Auto Update icon.
4. In the navigation menu, click Change Settings.
5. Select the Basic tab.
6. In the Auto Update Schedule pane, accept the default parameters.
7. In the Update Types pane, configure the following parameters:
   a. From the Configuration Updates list, select Auto Update.
   b. Accept the default values for the following parameters:
      - DSM, Scanner, Protocol Updates
      - Major Updates
      - Minor Updates
8. Clear the Auto Deploy check box.
   By default, the check box is selected. If the check box is not selected, a system notification is displayed on the Dashboard tab that indicates that you must deploy changes after updates are installed.
9. Click the Advanced tab.
10. In the Server Configuration pane, accept the default parameters.
11. In the Other Settings pane, accept the default parameters.
12. Click Save and close the Updates window.
13. On the toolbar, click Deploy Changes.
Collecting events

By collecting events, you can investigate the logs that are sent to QRadar SIEM in real time.

Procedure

1. Click the Admin tab.
2. In the navigation menu, click Data Sources > Events.
3. Click the Log Sources icon.
4. Review the list of log sources and make any necessary changes to the log sources. For more information about configuring log sources, see the IBM Security QRadar Log Sources User Guide.
5. Close the Log Sources window.
6. On the Admin tab menu, click Deploy Changes.

Collecting flows

By collecting flows, you can investigate the network communication sessions between hosts.

Before you begin

This procedure does not apply to IBM Security Intelligence on Cloud. For information about enabling flows on third-party network devices, such as switches and routers, see the vendor documentation for your device.

Procedure

1. Click the Admin tab.
2. In the navigation menu, click Data Sources > Flows.
3. Click the Flow Sources icon.
4. Review the list of flow sources and make any necessary changes to the flow sources. For more information about configuring flow sources, see the IBM Security QRadar Administration Guide.
5. Close the Flow Sources window.
6. On the Admin tab menu, click Deploy Changes.
Importing vulnerability assessment (VA) information

By importing VA information, you can identify active hosts, open ports, and potential vulnerabilities.

Procedure

1. Click the Admin tab.
2. In the navigation menu, click Data Sources > Vulnerability.
3. Click the VA Scanners icon.
4. On the toolbar, click Add.
5. Enter values for the parameters.
   The parameters depend on the scanner type that you want to add. For more information, see the Vulnerability Assessment Configuration Guide.
   Important: The CIDR range specifies which networks QRadar SIEM integrates into the scan results. For example, if you want to perform a scan against the 192.168.0.0/16 network and you specify 192.168.1.0/24 as the CIDR range, only results from the 192.168.1.0/24 range are integrated.
6. Click Save.
7. On the Admin tab menu, click Deploy Changes.
8. Click the Schedule VA Scanners icon.
9. Click Add.
10. Specify the criteria for how often you want the scan to occur.
    Depending on the scan type, the criteria include how frequently QRadar SIEM imports scan results or starts a new scan. You must also specify the ports to include in the scan results.
11. Click Save.
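The CIDR scoping rule from the note in step 5, as an added example that is not part of the original guide and not QRadar's own import code: scan results are kept only when the host falls inside one of the CIDR ranges on the scanner definition, so a scan of 192.168.0.0/16 imported through a scanner configured with 192.168.1.0/24 yields assets for the /24 only. The scan results and vulnerability identifiers are constructed placeholders. The function takes a list of ranges because the field accepts more than one CIDR.

```python
"""Scoping scan results by the VA scanner CIDR range (illustrative)."""
import ipaddress
from collections import defaultdict

# Constructed scan output as (host, open port, vulnerability id).
# The ids are placeholders, not real vulnerability references.
SCAN_RESULTS = [
    ("192.168.1.25", 22, "example-vuln-1"),
    ("192.168.1.25", 443, "example-vuln-2"),
    ("192.168.1.40", 3389, "example-vuln-3"),
    ("192.168.2.10", 445, "example-vuln-4"),
    ("192.168.77.3", 80, "example-vuln-5"),
]


def integrate_results(results, cidrs):
    """Split results into those inside the configured CIDR range(s) and those dropped."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    imported, dropped = [], []
    for host, port, vuln in results:
        addr = ipaddress.ip_address(host)
        target = imported if any(addr in net for net in nets) else dropped
        target.append((host, port, vuln))
    return imported, dropped


def assets_from_results(results):
    """Fold integrated results into per-host asset data: open ports and vulnerabilities."""
    assets = defaultdict(lambda: {"ports": set(), "vulns": set()})
    for host, port, vuln in results:
        assets[host]["ports"].add(port)
        assets[host]["vulns"].add(vuln)
    return {host: {"ports": sorted(a["ports"]), "vulns": sorted(a["vulns"])}
            for host, a in assets.items()}


def run_sample():
    """The guide's example: a /16 scan imported through a /24 scanner definition, then through a /16."""
    narrow, dropped = integrate_results(SCAN_RESULTS, ["192.168.1.0/24"])
    wide, _ = integrate_results(SCAN_RESULTS, ["192.168.0.0/16"])
    return assets_from_results(narrow), assets_from_results(wide), dropped


if __name__ == "__main__":
    narrow, wide, dropped = run_sample()
    print("imported with 192.168.1.0/24:", sorted(narrow))
    print("dropped:", [h for h, _, _ in dropped])
    print("imported with 192.168.0.0/16:", sorted(wide))
```

If hosts that you know were scanned never appear on the Assets tab, the scanner CIDR range is the first thing to check.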
QRadar SIEM tuning

You can tune QRadar SIEM to meet the needs of your environment.

Before you tune QRadar SIEM, wait one day to give QRadar SIEM time to detect servers on your network, store events and flows, and create offenses that are based on the existing rules.

You can perform the following tuning tasks:
- Optimize event and flow payload searches by enabling a payload index on the Quick Filter property of the Log Activity and Network Activity tabs.
- Provide a faster initial deployment and easier tuning by adding servers to building blocks automatically or manually.
- Configure responses to event, flow, and offense conditions by creating or modifying custom rules and anomaly detection rules.
- Ensure that each host in your network creates offenses that are based on the most recent rules, discovered servers, and network hierarchy.

Payload indexing

Use the Quick Filter function on the Log Activity and Network Activity tabs to search event and flow payloads.

To optimize the Quick Filter, you can enable a payload index on the Quick Filter property.

Enabling payload indexing might decrease system performance. Monitor the index statistics after you enable payload indexing on the Quick Filter property.

For more information about index management and statistics, see the IBM Security QRadar Administration Guide.

Enabling payload indexing

You can optimize event and flow payload searches by enabling a payload index on the Quick Filter property of the Log Activity and Network Activity tabs.

Procedure

1. Click the Admin tab.
2. In the navigation menu, click System Configuration.
3. Click the Index Management icon.
4. In the Quick Search field, type the following text:
   Quick Filter
5. Right-click the Quick Filter property that you want to index.
6. Click Enable Index.
7. Click Save.
8. Click OK.
9. Optional: To disable a payload index, choose one of the following options:
   - Click Disable Index.
   - Right-click a property and select Disable Index from the menu.

What to do next

For information about the parameters that are displayed in the Index Management window, see the IBM Security QRadar Administration Guide.
Servers and building blocks

QRadar SIEM automatically discovers and classifies the servers in your network, which provides a faster initial deployment and easier tuning when network changes occur.

To ensure that the appropriate rules are applied to the server type, you can add individual devices or entire address ranges of devices. You can manually enter server types that do not conform to unique protocols into their respective Host Definition Building Block. For example, adding the following server types to building blocks reduces the need for extra false positive tuning:
- Add network management servers to the BB:HostDefinition: Network Management Servers building block.
- Add proxy servers to the BB:HostDefinition: Proxy Servers building block.
- Add virus and Windows update servers to the BB:HostDefinition: Virus Definition and Other Update Servers building block.
- Add vulnerability assessment (VA) scanners to the BB-HostDefinition: VA Scanner Source IP building block.

The Server Discovery function uses the asset profile database to discover several types of servers on your network. The Server Discovery function lists automatically discovered servers, and you can select the servers that you want to include in building blocks.

For more information about discovering servers, see the IBM Security QRadar Administration Guide.

Using building blocks, you can reuse specific rule tests in other rules. You can reduce the number of false positives by using building blocks to tune QRadar SIEM and enable extra correlation rules.

Automatically adding servers to building blocks

You can add servers to building blocks automatically.

Procedure

1. Click the Assets tab.
2. In the navigation menu, click Server Discovery.
3. From the Server Type list, select the server type that you want to discover.
   Leave the remaining parameters as their default values.
4. Click Discover Servers.
5. In the Matching Servers pane, select the check boxes of the servers that you want to assign to the server role.
6. Click Approve Selected Servers.

Note: You can right-click any IP address or host name to display DNS resolution information.

Manually adding servers to building blocks

If a server is not automatically detected, you can manually add the server to its corresponding Host Definition Building Block.

Procedure

1. Click the Offenses tab.
2. In the navigation menu, click Rules.
3. From the Display list, select Building Blocks.
4. From the Group list, select Host Definitions.
   The name of the building block corresponds with the server type. For example, BB:HostDefinition: Proxy Servers applies to all proxy servers in your environment.
5. To manually add a host or network, double-click the corresponding Host Definition Building Block for your environment.
6. In the Building Block field, click the value that is contained in the "when either the source or destination IP is one of the following" test.
7. In the Enter an IP address or CIDR field, type the host names or IP address ranges that you want to assign to the building block.
8. Click Add.
9. Click Submit.
10. Click Finish.
11. Repeat these steps for each server type that you want to add.
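How a host definition building block removes false positives once a server is added to it, either automatically or manually as in the two procedures above, as an added example that is not part of the original guide and not QRadar's rule engine: the building block is a named, reusable test ("either the source or destination IP is one of the following"), two constructed rules reference it instead of carrying their own address lists, and tuning consists of adding a CIDR to the block rather than editing every rule. The building block names are the ones the guide lists; the addresses, events, thresholds, and rule logic are constructed.

```python
"""Host definition building blocks reused by two rules (illustrative)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int


class HostDefinitionBB:
    """A building block: 'when either the source or destination IP is one of the following'."""

    def __init__(self, name, cidrs=()):
        self.name = name
        self.networks = []
        for cidr in cidrs:
            self.add(cidr)

    def add(self, cidr):
        """Step 7 of the manual procedure: assign a host or range to the block."""
        self.networks.append(ipaddress.ip_network(cidr, strict=False))

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def matches(self, event):
        return self.contains(event.src) or self.contains(event.dst)


def default_building_blocks():
    """Constructed starting contents; a real deployment fills these via Server Discovery."""
    return {
        name: HostDefinitionBB(name, cidrs)
        for name, cidrs in {
            "BB:HostDefinition: Proxy Servers": ["192.168.1.5/32"],
            "BB:HostDefinition: Network Management Servers": ["192.168.1.250/32"],
            "BB-HostDefinition: VA Scanner Source IP": ["192.168.1.200/32"],
        }.items()
    }


def rule_excessive_connections(events, bbs, threshold=20):
    """Constructed rule: a source with more than threshold connections, unless it is a
    known proxy or network management server (both legitimately fan out)."""
    exempt = (bbs["BB:HostDefinition: Proxy Servers"],
              bbs["BB:HostDefinition: Network Management Servers"])
    counts = Counter(e.src for e in events)
    return [("Excessive Connections From Single Host", src)
            for src, n in counts.items()
            if n > threshold and not any(bb.contains(src) for bb in exempt)]


def rule_port_scan(events, bbs, threshold=15):
    """Constructed rule: one source touching many ports on one host, unless it is a VA scanner."""
    scanners = bbs["BB-HostDefinition: VA Scanner Source IP"]
    ports = defaultdict(set)
    for e in events:
        ports[(e.src, e.dst)].add(e.dport)
    return [("Port Scan From Single Host", src)
            for (src, dst), seen in ports.items()
            if len(seen) > threshold and not scanners.contains(src)]


def evaluate(events, bbs):
    """Run both rules and return the resulting offenses as sorted (rule, source) pairs."""
    return sorted(set(rule_excessive_connections(events, bbs) + rule_port_scan(events, bbs)))


def make_sample_events():
    """Constructed traffic: a proxy and an unknown host each fanning out, a VA scanner
    and a workstation each sweeping 20 ports on a server."""
    events = []
    for i in range(25):
        events.append(Event("192.168.1.5", f"203.0.113.{i + 1}", 443))
        events.append(Event("192.168.1.77", f"203.0.113.{i + 1}", 443))
    for port in range(1, 21):
        events.append(Event("192.168.1.200", "192.168.1.10", port))
        events.append(Event("192.168.1.88", "192.168.1.10", port))
    return events


if __name__ == "__main__":
    bbs = default_building_blocks()
    events = make_sample_events()
    print("before tuning:", evaluate(events, bbs))
    bbs["BB:HostDefinition: Proxy Servers"].add("192.168.1.77/32")  # newly identified proxy
    print("after tuning: ", evaluate(events, bbs))
```

Before tuning, the unknown host 192.168.1.77 and the workstation 192.168.1.88 both raise offenses; adding 192.168.1.77 to the proxy building block silences the first without touching the rule, while the port sweep from 192.168.1.88 still fires because only the VA scanner is exempt.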
Configuring rules

From the Log Activity, Network Activity, and Offenses tabs, you can configure rules or building blocks.

Procedure

1. Click the Offenses tab.
2. Double-click the offense that you want to investigate.
3. Click Display > Rules.
4. Double-click a rule.
   You can further tune the rules. For more information about tuning rules, see the IBM Security QRadar Administration Guide.
5. Close the Rules wizard.
6. On the Rules page, click Actions.
7. Optional: If you want to prevent the offense from being removed from the database after the offense retention period elapses, select Protect Offense.
8. Optional: If you want to assign the offense to a QRadar SIEM user, select Assign.

Cleaning the SIM data model

Clean the SIM data model to ensure that each host creates offenses that are based on the most recent rules, discovered servers, and network hierarchy.

Procedure

1. Click the Admin tab.
2. On the toolbar, select Advanced > Clean SIM Model.
3. Select an option:
   - Soft Clean sets the offenses to inactive.
   - Soft Clean with the Close Offenses option selected closes all offenses.
   - Hard Clean purges all data.
4. Click the Are you sure you want to reset the data model? check box.
5. Click Proceed.
6. After the SIM reset process completes, refresh your web browser.

Results

When you clean the SIM model, all existing offenses are closed. Cleaning the SIM model does not affect existing events and flows.
Chapter 3. Getting started with QRadar SIEM

To get started with IBM Security QRadar SIEM, learn how to investigate offenses, create reports, and search events, flows, and assets.

For example, you can use the predefined saved searches on the Log Activity and Network Activity tabs to search for information. You can also create and save your own custom searches.

You can perform the following tasks:
- Search event data by using specific criteria and display the events that match the search criteria in a results list. Select, organize, and group the columns of event data.
- Visually monitor and investigate flow data in real time, or perform advanced searches to filter the displayed flows. View flow information to determine how and what network traffic is communicated.
- View all learned assets, or search for specific assets in your environment.
- Investigate offenses, source and destination IP addresses, network behaviors, and anomalies on your network.
- Edit, create, schedule, and distribute default or custom reports.
Searching events

You can search for all authentication events that QRadar SIEM received in the last 6 hours.

Procedure

1. Click the Log Activity tab.
2. On the toolbar, select Search > New Search.
3. In the Time Range pane, define the time range for the event search:
   a. Click Recent.
   b. From the Recent list, select Last 6 Hours.
4. In the Search Parameters pane, define the search parameters:
   a. From the first list, select Category.
   b. From the second list, select Equals.
   c. From the High Level Category list, select Authentication.
   d. From the Low Level Category list, accept the default value of Any.
   e. Click Add Filter.
5. From the Display list in the Column Definition pane, select Event Name.
6. Click Search.

Related tasks:
"Example: Creating a custom report based on a saved search"
You can create a report by importing the search criteria of a saved search.
Saving event search criteria

You can save specified event search criteria for future use.

Procedure

1. Click the Log Activity tab.
2. On the toolbar, click Save Criteria.
3. In the Search Name field, type the following name:
   Example Search 1
4. In the Timespan options pane, click Recent.
5. From the Recent list, select Last 6 Hours.
6. Click Include in my Quick Searches.
7. Click Include in my Dashboard.
   If you do not see Include in my Dashboard, click Search > Edit Search to verify that you selected Event Name in the Column Definition pane.
8. Click OK.

What to do next

Configure a time series chart. For more information, see "Configuring a time series chart".

Related tasks:
"Configuring a time series chart"
You can display interactive time series charts that represent the records that match a specific time range.

Configuring a time series chart

You can display interactive time series charts that represent the records that match a specific time range.

Procedure

1. In the chart title bar, click the Configure icon.
2. From the Value to Graph list, select Destination IP (Unique Count).
3. From the Chart Type list, select Time Series.
4. Click Capture Time Series Data.
5. Click Save.
6. Click Update Details.
7. Filter your search results:
   a. Right-click the event that you want to filter.
   b. Click Filter on Event Name is <Event Name>.
8. To list event details, select the event name from the Display list.
9. Verify that your search is included as an item on the Dashboard tab:
   a. Click the Dashboard tab.
   b. Click the New Dashboard icon.
   c. In the Name field, type the following name:
      Example Custom Dashboard
   d. Click OK.
   e. From the Add Item list, select Log Activity > Event Searches > Example Search 1.

Results

The results of the saved event search are displayed on the Dashboard tab.

Related tasks:
"Saving event search criteria"
You can save specified event search criteria for future use.
Searching flows

You can search, visually monitor, and investigate flow data in real time. You can also perform advanced searches to filter the displayed flows. View flow information to determine how and what network traffic is communicated.

Procedure

1. Click the Network Activity tab.
2. On the toolbar, click Search > New Search.
3. In the Time Range pane, define the time range for the flow search:
   a. Click Recent.
   b. From the Recent list, select Last 30 Minutes.
4. In the Search Parameters pane, define your search criteria:
   a. From the first list, select Flow Direction.
   b. From the second list, select Equals.
   c. From the third list, select R2L.
   d. Click Add Filter.
5. From the Display list in the Column Definition pane, select Application.
6. Click Search.

Results

All flows with a flow direction of Remote to Local (R2L) in the last 30 minutes are displayed, sorted by the Application field.

Saving flow search criteria

You can save specified flow search criteria for future use.

Procedure

1. On the Network Activity tab toolbar, click Save Criteria.
2. In the Search Name field, type the following name:
   Example Search 2
3. From the Recent list, select Last 6 Hours.
4. Click Include in my Dashboard and Include in my Quick Searches.
5. Click OK.

What to do next

Create a dashboard item. For more information, see "Creating a dashboard item".

Related tasks:
"Creating a dashboard item"
You can create a dashboard item by using saved flow search criteria.

Creating a dashboard item

You can create a dashboard item by using saved flow search criteria.

Procedure

1. On the Network Activity tab toolbar, select Quick Searches > Example Search 2.
2. Verify that your search is included on the Dashboard tab:
   a. Click the Dashboard tab.
   b. From the Show Dashboard list, select Example Custom Dashboard.
   c. From the Add Item list, select Flow Searches > Example Search 2.
3. Configure your dashboard chart:
   a. Click the Settings icon.
   b. Using the configuration options, change the chart type, the object that is displayed, the number of objects that are displayed, and the time range that is displayed in the chart.
4. To investigate the flows that are currently displayed in the chart, click View in Network Activity.

Results

The Network Activity tab displays the results that match the parameters of your time series chart. For more information about time series charts, see the IBM Security QRadar User Guide.

Related tasks:
"Saving flow search criteria"
You can save specified flow search criteria for future use.
Searching assets

When you access the Assets tab, the Asset page displays all the assets that were discovered in your network. To refine this list, you can configure search parameters to display only the asset profiles that you want to investigate.

About this task

Use the search function to search host profiles, assets, and identity information. Identity information provides extra detail about log sources on your network, including DNS information, user logins, and MAC addresses.

Procedure

1. Click the Assets tab.
2. In the navigation menu, click Asset Profiles.
3. On the toolbar, click Search > New Search.
4. If you want to load a saved search, complete the following steps:
   a. Optional: From the Group list, select the asset search group that you want to display in the Available Saved Searches list.
   b. Choose one of the following options:
      - In the Type Saved Search or Select from List field, type the name of the search that you want to load.
      - From the Available Saved Searches list, select the saved search that you want to load.
   c. Click Load.
5. In the Search Parameters pane, define your search criteria:
   a. From the first list, select the asset parameter that you want to search for, for example Hostname, Vulnerability Risk Classification, or Technical Owner.
   b. From the second list, select the modifier that you want to use for the search.
   c. In the entry field, type the specific information that is related to the search parameter.
   d. Click Add Filter.
   e. Repeat these steps for each filter that you want to add to the search criteria.
6. Click Search.

Example

You are notified of a new vulnerability in a web service that is identified by the CVE ID CVE-2010-000. To determine whether any hosts in your deployment are vulnerable to this exploit, complete the following steps:

1. From the list of search parameters, select Vulnerability External Reference.
2. Select CVE.
3. To view a list of all hosts that are vulnerable to that specific CVE ID, type the following command:
   2010-000

For more information, see the Open Source Vulnerability Database (http://osvdb.org/) and the National Vulnerability Database (http://nvd.nist.gov/).
Offense investigations

Using the Offenses tab, you can investigate offenses, source and destination IP addresses, network behaviors, and anomalies on your network.

QRadar SIEM can correlate events and flows with destination IP addresses that are located across multiple networks into the same offense, and ultimately the same network incident. You can effectively investigate each offense in your network.

Investigating offenses

You can investigate offenses, source and destination IP addresses, network behaviors, and anomalies on your network.

Procedure

1. Click the Offenses tab.
2. Double-click the offense that you want to investigate.
3. On the toolbar, select Display > Destinations. You can investigate each destination to determine whether the destination is compromised or is exhibiting suspicious behavior.
4. On the toolbar, click Events.

Results

The List of Events window displays all events that are associated with the offense. You can search, sort, and filter these events.
Example: Enabling PCI report templates

Using the Reports tab, you can enable, disable, and edit report templates.

About this task

Enable the Payment Card Industry (PCI) report templates.

Procedure

1. Click the Reports tab.
2. Clear the Hide Inactive Reports check box.
3. From the Group list, select Compliance > PCI.
4. Select all report templates on the list:
   a. Click the first report on the list.
   b. Select all report templates by holding the Shift key while you click the last report on the list.
5. From the Actions list, select Toggle Scheduling.
6. Access the generated reports:
   a. From the list in the Generated Reports column, select the time stamp of the report that you want to view.
   b. In the Format column, click the icon of the report format that you want to view.
Example: Creating a custom report based on a saved search

You can create a report by importing the search criteria of a saved search.

About this task

Create a report that is based on the event and flow searches that you created in "Searching events" and "Searching flows".

Procedure

1. Click the Reports tab.
2. From the Actions list, select Create.
3. Click Next.
4. Configure the report schedule:
   a. Select the Daily option.
   b. Select the Monday, Tuesday, Wednesday, Thursday, and Friday options.
   c. Using the lists, select 8:00 AM.
   d. Ensure that the Yes - Manually generate report option is selected.
   e. Click Next.
5. Configure the report layout:
   a. From the Orientation list, select Landscape.
   b. Select the layout with two chart containers.
   c. Click Next.
6. In the Report Title field, type the following title:
   Example Report
7. Configure the top chart container:
   a. From the Chart Type list, select Events/Logs.
   b. In the Chart Title field, type the following title:
      Example Event Search
   c. From the Limit Events/Logs To Top list, select 10.
   d. From the Graph Type list, select Stacked Bar.
   e. Click All data from the previous 24 hours.
   f. From the Base this event report on list, select Example Search 1.
      The remaining parameters are automatically populated with the settings of the Example Search 1 saved search.
   g. Click Save Container Details.
8. Configure the bottom chart container:
   a. From the Chart Type list, select Flows.
   b. In the Chart Title field, type the following title:
      Example Flow Search
   c. From the Limit Flows To Top list, select 10.
   d. From the Graph Type list, select Stacked Bar.
   e. Click All data from the previous 24 hours.
   f. From the Available Saved Searches list, select Example Search 2.
      The remaining parameters are automatically populated with the settings of the Example Search 2 saved search.
   g. Click Save Container Details.
9. Click Next.
10. Click Next.
11. Choose the report format:
    a. Select the PDF and HTML check boxes.
    b. Click Next.
12. Choose the report distribution channels:
    a. Click Report Console.
    b. Click Email.
    c. In the Enter the report distribution email address(es) field, type your email address.
    d. Click Include Report as attachment.
    e. Click Next.
13. Complete the final Report wizard details:
    a. In the Report Description field, type the following description:
       Example Report
    b. Click Yes - Run this report when the wizard is complete.
    c. Click Finish.
14. From the list in the Generated Reports column, select the time stamp of your report.

Related tasks:
"Searching events"
You can search for all authentication events that QRadar SIEM received in the last 6 hours.
Notices

This information was developed for products and services that are offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product, and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785 US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems, and there is no guarantee that these measurements will be the same on generally available systems.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current, and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious, and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display, or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute, and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute, or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses, or rights are granted, either express or implied, to the publications or any information, data, software, or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export, or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
Privacy policy considerations

IBM Software products, including software as a service solutions ("Software Offerings"), may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user, or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user's session ID for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality that they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see the section entitled "Cookies, Web Beacons and Other Technologies" in IBM's Privacy Policy at http://www.ibm.com/privacy, IBM's Online Privacy Statement at http://www.ibm.com/privacy/details, and the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.
Glossary

This glossary provides terms and definitions for the IBM Security QRadar SIEM software and products.

The following cross-references are used in this glossary:
- "See" refers you from a nonpreferred term to the preferred term or from an abbreviation to the spelled-out form.
- "See also" refers you to a related or contrasting term.

For other terms and definitions, see the IBM Terminology website.

accumulator: A register in which one operand of an operation can be stored and then replaced by the result of that operation.
active system: In a high-availability (HA) cluster, the system that has all of its services running.
Address Resolution Protocol (ARP): A protocol that dynamically maps an IP address to a network adapter address in a local area network.
administrative share: A network resource that is hidden from users without administrative privileges. Administrative shares provide administrators with access to all resources on a network system.
anomaly: A deviation from the expected behavior of the network.
application signature: A unique set of characteristics that are derived by the examination of packet payload and then used to identify a specific application.
ARP: See Address Resolution Protocol.
ARP Redirect: An ARP method for notifying the host if a problem exists on a network.
ASN: See autonomous system number.
asset: A manageable object that is either deployed or intended to be deployed in an operational environment.
autonomous system number (ASN): In TCP/IP, a number that is assigned to an autonomous system by the same central authority that assigns IP addresses. The autonomous system number makes it possible for automated routing algorithms to distinguish autonomous systems.
behavior: The observable effects of an operation or event, including its results.
burst: A sudden sharp increase in the rate of incoming events or flows such that the licensed flow or event rate limit is exceeded.
CIDR: See Classless Inter-Domain Routing.
Classless Inter-Domain Routing (CIDR): A method for adding class C Internet Protocol (IP) addresses. The addresses are given to Internet service providers (ISPs) for use by their customers. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.
client: A software program or computer that requests services from a server.
cluster virtual IP address: An IP address that is shared between the primary or secondary host and the HA cluster.
coalescing interval: The interval at which events are bundled. Event bundling occurs in 10-second intervals and begins with the first event that does not match any currently coalescing events. Within the coalescing interval, the first three matching events are bundled and sent to the event processor.
Common Vulnerability Scoring System (CVSS): A scoring system by which the severity of a vulnerability is measured.
console: A display station from which an operator can control and observe the system operation.
content capture: A process that captures a configurable amount of payload and then stores the data in a flow log.
credential: A set of information that grants a user or process certain access rights.
credibility: A numeric rating between 0 and 10 that is used to determine the integrity of an event or an offense. Credibility increases as multiple sources report the same event or offense.
CVSS: See Common Vulnerability Scoring System.
database leaf object: A terminal object or node in a database hierarchy.
datapoint: A calculated value of a metric at a point in time.
Device Support Module (DSM): A configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as output.
DHCP: See Dynamic Host Configuration Protocol.
DNS: See Domain Name System.
Domain Name System (DNS): The distributed database system that maps domain names to IP addresses.
DSM: See Device Support Module.
duplicate flow: Multiple instances of the same data transmission that are received from different flow sources.
Dynamic Host Configuration Protocol (DHCP): A communications protocol that is used to centrally manage configuration information. For example, DHCP automatically assigns IP addresses to computers in a network.
encryption: In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.
endpoint: The address of an API or service in an environment. An API exposes an endpoint and at the same time invokes the endpoints of other services.
external scanning appliance: A machine that is connected to the network to gather vulnerability information about assets in the network.
false positive: An event or flow that the user can decide should not create an offense, or an offense that the user decides is not a security incident.
flow: A single transmission of data that passes over a link during a conversation.
flow log: A collection of flow records.
flow sources: The origins from which flow is captured. A flow source is classified as internal when flow comes from hardware that is installed on a managed host, or as external when the flow is sent to a flow collector.
forwarding destination: One or more vendor systems that receive raw and normalized data from log sources and flow sources.
FQDN: See fully qualified domain name.
FQNN: See fully qualified network name.
fully qualified domain name (FQDN): In Internet communications, the name of a host system that includes all of the subnames of the domain name. An example of a fully qualified domain name is rchland.vnet.ibm.com.
fully qualified network name (FQNN): In a network hierarchy, the name of an object that includes all of the departments. An example of a fully qualified network name is CompanyA.Department.Marketing.
gateway: A device or program that is used to connect networks or systems with different network architectures.
HA: See high availability.
HA cluster: A high-availability configuration that consists of a primary server and one secondary server.
Hash-Based Message Authentication Code (HMAC): A cryptographic code that uses a cryptographic hash function and a secret key.
high availability (HA): Pertaining to a clustered system that is reconfigured when node or daemon failures occur so that workloads can be redistributed to the remaining nodes in the cluster.
HMAC: See Hash-Based Message Authentication Code.
host context: A service that monitors components to ensure that each component is operating as expected.
ICMP: See Internet Control Message Protocol.
identity: A collection of attributes from a data source that represent a person, organization, place, or item.
IDS: See intrusion detection system.
Internet Control Message Protocol (ICMP): An Internet protocol that is used by a gateway to communicate with a source host, for example, to report an error in a datagram.
Internet Protocol (IP): A protocol that routes data through a network or interconnected networks. This protocol acts as an intermediary between the higher protocol layers and the physical network. See also Transmission Control Protocol.
Internet service provider (ISP): An organization that provides access to the Internet.
intrusion detection system (IDS): Software that detects attempts or successful attacks on monitored resources that are part of a network or host system.
intrusion prevention system (IPS): A system that attempts to deny potentially malicious activity. The denial mechanisms can involve filtering, tracking, or setting rate limits.
IP: See Internet Protocol.
IP multicast: Transmission of an Internet Protocol (IP) datagram to a set of systems that form a single multicast group.
IPS: See intrusion prevention system.
ISP: See Internet service provider.
key file: In computer security, a file that contains public keys, private keys, trusted roots, and certificates.
L2L: See Local To Local.
L2R: See Local To Remote.
LAN: See local area network.
LDAP: See Lightweight Directory Access Protocol.
leaf: In a tree, an entry or node that has no children.
Lightweight Directory Access Protocol (LDAP): An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.
live scan: A vulnerability scan that generates report data from the scan results based on the session name.
local area network (LAN): A network that connects several devices in a limited area (such as a single building or campus) and that can be connected to a larger network.
Local To Local (L2L): Pertaining to the internal traffic from one local network to another local network.
Local To Remote (L2R): Pertaining to the internal traffic from one local network to another remote network.
log source: Either the security equipment or the network equipment from which an event log originates.
log source extension: An XML file that includes all of the regular expression patterns that are required to identify and categorize events from the event payload.
Magistrate: An internal component that analyzes network traffic and security events against defined custom rules.
magnitude: A measure of the relative importance of a particular offense. Magnitude is a weighted value that is calculated from relevance, severity, and credibility.
NAT: See Network Address Translation.
NetFlow: A Cisco network protocol that monitors network traffic flow data. NetFlow data includes the client and server information, which ports are used, and the number of bytes and packets that flow through the switches and routers that are connected to a network. The data is sent to NetFlow collectors, where data analysis takes place.
Network Address Translation (NAT): In a firewall, the conversion of secure Internet Protocol (IP) addresses to external registered addresses. This conversion enables communications with external networks but masks the IP addresses that are used inside the firewall.
network hierarchy: A type of container that is a hierarchical collection of network objects.
network layer: In OSI architecture, the layer that provides services to establish a path between open systems with a predictable quality of service.
network object: A component of a network hierarchy.
offense: A message that is sent or an event that is generated in response to a monitored condition. For example, an offense provides information about whether a policy was breached or the network is under attack.
offsite source: A device that is away from the primary site and that forwards normalized data to an event collector.
offsite target: A device that is away from the primary site and that receives event or data flow from an event collector.
open systems interconnection (OSI): The interconnection of open systems in accordance with standards of the International Organization for Standardization (ISO) for the exchange of information.
Open Source Vulnerability Database (OSVDB): Created by the network security community for the network security community, an open source database that provides technical information on network security vulnerabilities.
OSI: See open systems interconnection.
OSVDB: See Open Source Vulnerability Database.
parsing order: A log source definition in which the user can define the order of importance for log sources that share a common IP address or host name.
payload data: Application data that is contained in an IP flow, excluding header and administrative information.
primary HA host: The main computer that is connected to the HA cluster.
protocol: A set of rules that controls the communication and transfer of data between two or more devices or systems in a communication network.
QID Map: A taxonomy that identifies each unique event and maps the events to low-level and high-level categories to determine how an event is correlated and organized.
R2L: See Remote To Local.
R2R: See Remote To Remote.
recon: See reconnaissance.
reconnaissance (recon): A method by which information that pertains to the identity of network resources is gathered. Network scanning and other techniques are used to compile a list of network resource events, which are then assigned a severity level.
reference map: A data record of a direct mapping of a key to a value, for example, a user name to a global ID.
reference map of maps: A data record of two keys that are mapped to many values, for example, the mapping of the total bytes of an application to a source IP.
reference map of sets: A data record of a key that is mapped to many values, for example, the mapping of a list of privileged users to a host.
reference set: A list of single elements that are derived from events or flows on a network, for example, a list of IP addresses or a list of user names.
reference table: A table in which the data record maps keys that have an assigned type to other keys, which are then mapped to a single value.
refresh timer: An internal device that is triggered manually or automatically at timed intervals and that updates the current network activity data.
relevance: A measure of the relative impact of an event, category, or offense on the network.
Remote To Local (R2L): The external traffic from a remote network to a local network.
Remote To Remote (R2R): The external traffic from a remote network to another remote network.
report: In query management, the formatted data that results from running a query and applying a form to it.
report interval: A configurable time interval at the end of which the event processor must send all captured event and flow data to the console.
routing rule: A condition that, when its criteria are satisfied by event data, causes a collection of conditions and consequent routing to be performed.
rule: A set of conditional statements that enable computer systems to identify relationships and run automated responses accordingly.
scanner: An automated security program that searches for software vulnerabilities within web applications.
secondary HA host: The standby computer that is connected to the HA cluster. The secondary HA host assumes the responsibility of the primary HA host if the primary HA host fails.
severity: A measure of the relative threat that a source poses on a destination.
Simple Network Management Protocol (SNMP): A set of protocols for monitoring systems and devices in complex networks. Information about managed devices is defined and stored in a Management Information Base (MIB).
SNMP: See Simple Network Management Protocol.
SOAP: A lightweight, XML-based protocol for exchanging information in a decentralized, distributed environment. SOAP can be used to query and return information and to invoke services across the Internet.
standby system: A system that automatically becomes active when the active system fails. If disk replication is enabled, the standby system replicates data from the active system.
sub-search: A function that allows a search query to be performed within a set of completed search results.
subnet: See subnetwork.
subnet mask: For Internet subnetworking, a 32-bit mask that is used to identify the subnetwork address bits in the host portion of an IP address.
subnetwork (subnet): A network that is divided into smaller independent subgroups, which are still interconnected.
superflow: A single flow that is composed of multiple flows with similar properties, in order to increase processing capacity by reducing storage constraints.
system view: A visual representation of both the primary and managed hosts that compose a system.
TCP: See Transmission Control Protocol.
Transmission Control Protocol (TCP): A communication protocol that is used in the Internet and in any network that follows the Internet Engineering Task Force (IETF) standards for internetwork protocol. TCP provides a reliable host-to-host protocol in packet-switched communication networks and in interconnected systems of such networks. See also Internet Protocol.
truststore file: A key database file that contains the public keys for a trusted entity.
violation: An act that bypasses or contravenes corporate policy.
vulnerability: A security exposure in an operating system, system software, or application software component.
whois server: A server that is used to retrieve information about registered Internet resources, such as domain names and IP address assignments.
IBM®
Printed in Taiwan