Three core components of QRadar:
• Event Collector component
• Event Processor component
• Magistrate component (Console only)
The Event Collector component performs a number of functions:
• Protocol: Receives data off the wire from log source protocols (Syslog, JDBC, OPSEC, Log File, SNMP, etc.).
• Throttle: Monitors the number of incoming events to the system to manage input queues and licensing.
• Parsing: Takes the raw events from the source device and parses the fields into QRadar-friendly events.
• Log source traffic analysis & auto discovery: Applies the parsed (normalized) event data to the possible DSMs that support automatic discovery.
• Coalescing: Events are parsed and then coalesced based on common patterns across events. Once 4 events are seen with the same source IP, destination IP, destination port and username, subsequent messages of the same pattern for up to 10 seconds are coalesced together. This is done to reduce duplicate data being stored.
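The coalescing rule above, worked through on constructed events as an added example (not QRadar's own code). It assumes the 10-second window opens at the 4th matching event and that the pattern count restarts once the window closes; the page does not state either detail.

```python
from collections import defaultdict

# Constructed sample events, not QRadar output:
# (timestamp in seconds, source IP, destination IP, destination port, username)
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "10.0.0.9", 22, "alice"),
    (101, "10.0.0.5", "10.0.0.9", 22, "alice"),
    (102, "10.0.0.5", "10.0.0.9", 22, "alice"),
    (103, "10.0.0.5", "10.0.0.9", 22, "alice"),  # 4th match: window opens here (assumption)
    (104, "10.0.0.5", "10.0.0.9", 22, "alice"),  # inside window: folded into the 4th record
    (105, "10.0.0.7", "10.0.0.9", 22, "bob"),    # different pattern: stored on its own
    (110, "10.0.0.5", "10.0.0.9", 22, "alice"),  # 7 s after window start: still coalesced
    (115, "10.0.0.5", "10.0.0.9", 22, "alice"),  # 12 s after start: window closed, stored anew
]

THRESHOLD = 4        # events of one pattern before coalescing starts (from the page)
WINDOW_SECONDS = 10  # how long subsequent matches are folded together (from the page)


def coalesce(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return the records that would be stored; each carries an event_count."""
    stored = []
    seen = defaultdict(int)  # pattern -> matching events seen since last reset
    open_window = {}         # pattern -> (index of record being folded into, window start)
    for ts, src, dst, port, user in events:
        key = (src, dst, port, user)
        if key in open_window:
            idx, start = open_window[key]
            if ts - start <= window:
                stored[idx]["event_count"] += 1  # duplicate pattern: bump the count only
                continue
            del open_window[key]  # window expired; pattern starts counting again (assumption)
            seen[key] = 0
        seen[key] += 1
        stored.append({"ts": ts, "src": src, "dst": dst, "port": port,
                       "user": user, "event_count": 1})
        if seen[key] == threshold:
            open_window[key] = (len(stored) - 1, ts)
    return stored


if __name__ == "__main__":
    for rec in coalesce(SAMPLE_EVENTS):
        print(rec)
```

Eight raw events become six stored records; the fourth record carries event_count 3, which is the figure a later search or rule would see instead of three separate rows.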
• Event forwarding: Applies routing rules for the system, such as sending data to offsite targets, external Syslog systems, JSON systems, other SIEMs, etc.
The Event Processor component performs a number of functions:
• Custom Rules Engine (CRE): Responsible for processing events received by QRadar and comparing them against defined rules, keeping track of systems involved in incidents over time, generating notifications to users and generating offenses.
• Streaming: Responsible for sending real-time event data to the Console when a user is viewing events from the Log Activity tab with Real time (streaming). Streamed events are not provided from the database.
• Event storage (Ariel): A time series database for events and flows where data is stored on a minute-by-minute basis. Data is stored where the event is processed. Remember that Consoles and 16xx, 17xx and 18xx appliances can all process events.
The Magistrate Processing Core (MPC) is responsible for correlating offenses with event notifications from multiple Event Processor (EP) components. Only the Console has a Magistrate component.
• Offense rules: Monitors and takes actions on offenses, such as generating email notifications.
• Offense management: Updates active offenses, transitions inactive offenses to active and provides access to offense information to the user through the Offenses tab.
• Offense storage: Writes offense data to a Postgres database.