IBM QRadar Certified Administrator/Analyst

Practice exams to obtain the IBM QRadar Certified Administrator/Analyst certification (100 QUESTIONS!)

Platform: Udemy
Language: English
Category: IT Certification
Students: 6
Content: 100 questions
Last update: Feb 2023
Regular price: $19.99

What you will learn

  • Offense and log analysis

  • Understanding reference data

  • Rule and building block understanding

  • Searching and reporting, regular and ad hoc reports

  • Understanding basic QRadar tuning and network hierarchy

  • Basic concepts of multi-domain QRadar instances

Why take this course?

This intermediate-level certification is intended for security analysts who wish to validate their comprehensive knowledge of IBM Security QRadar SIEM V7.4.3+.

These security analysts will understand basic networking, basic IT security, SIEM and QRadar concepts. They will also understand how to log in to the product, navigate within it, and explain its capabilities using the graphical user interface. Additionally, they will be able to identify the causes of offenses, and to access, interpret, and report security information in a QRadar deployment.


Recommended Skills

Prerequisite Knowledge

Knowledge and foundational skills one must possess before acquiring the skills measured on the certification test. These foundational skills are NOT measured on the test.

  • Knowledge of SIEM concepts

  • Knowledge of TCP/IP Networking

  • Knowledge of IT Security concepts

  • General IT skills (browser navigation, etc.)

  • Knowledge of Internet security attack types, including but not limited to the MITRE ATT&CK Framework

  • Knowledge of add-on features that require additional licenses, including but not limited to QRadar Network Insights and QRadar Incident Forensics


Key Areas of Competency

  • Offense and log analysis

  • Understanding reference data

  • Rule and building block understanding

  • Searching and reporting, regular and ad hoc reports

  • Understanding basic QRadar tuning and network hierarchy

  • Basic concepts of multi-domain QRadar instances

Details:

  1. Triage initial offense

  2. Analyze fully matched and partially matched rules

  3. Analyze an offense and associated IP addresses

  4. Recognize MITRE threat groups and actors

  5. Perform offense management

  6. Describe the use of the magnitude of an offense

  7. Identify events not correctly parsed and their source (Stored events)

  8. Outline simple offense naming mechanisms

  9. Create customized searches

  10. Interpret rules that test for regular expressions

  11. Create and manage reference sets and populate them with data

  12. Install QRadar Content Packs using the QRadar Assistant App

  13. Analyze rules that use Event and Flow data

  14. Analyze Building Blocks: Host definition, category definition, Port definition

  15. Review and recommend updates to the network hierarchy

  16. Review and recommend updates to building blocks and rules

  17. Describe the different types of rules, including behavioral, anomaly and threshold rules

  18. Investigate Event and Flow parameters

  19. Perform AQL queries

  20. Search and filter logs by a specific log source type

  21. Configure a search to utilize time series

  22. Analyze potential IoCs

  23. Break down triggered rules to identify the reason for the offense

  24. Recommend changes to tune QRadar SIEM after offense analysis identifies issues

  25. Distinguish potential threats from probable false positives

  26. Add a reference set based filter in log analysis

  27. Investigate the payload for additional details on the offense

  28. Recommend adding new custom properties based on payload data

  29. Perform "right-click Investigations" on offense data

  30. Use the default QRadar dashboard to create, view, and maintain a dashboard based on common searches

  31. Use Pulse to create, view, and maintain a dashboard based on common searches

  32. Perform an advanced search

  33. Explain the different uses for each search type

  34. Filter search results

  35. Build threat reports

  36. Perform a quick search

  37. View the most commonly triggered rules

  38. Report events correlated in the offense

  39. Export search results in CSV or XML

  40. Create reports and advanced reports out of offenses

  41. Share reports with users

  42. Search using indexed and non-indexed properties

  43. Create and generate scheduled and manual reports

Udemy ID: 5136272
Course created date: 2/4/2023
Course indexed date: 4/4/2023
Course submitted by: Bot