The focus of this Blueprint publication is to highlight the early threat detection capabilities of IBM® QRadar® and to show how to proactively start a cyber-resilience workflow in response to a cyberattack or malicious user actions.
The workflow uses IBM's Copy Services Manager as orchestration software to start IBM Spectrum Virtualize for Public Cloud (SV4PC) Safeguarded Copy functions. The IBM SV4PC Safeguarded Copy function creates an immutable copy of the data in an air-gapped form on the same IBM SV4PC on Azure for isolation and eventual quick recovery.
This document describes the steps that are involved to enable and forward IBM SV4PC audit logs to IBM QRadar. It also describes how to create various rules to determine a threat, and configure and start a suitable response to the detected threat in IBM QRadar. This document also explains how to register a storage system and create a scheduled task by using IBM Copy Services Manager.
Finally, this document also describes deploying IBM QRadar and SV4PC on Azure. A use case for protecting the MS SQL database (DB) volume that was created on IBM SV4PC is included. Upon threat detection on a database volume, Safeguarded Copy is started for IBM SV4PC volume. The Safeguarded Copy creates an immutable copy of the data. The same data volume can be recovered or restored by using IBM's Copy Services Manager.