Fix a section number in security exercise #806

Merged
merged 1 commit into from
May 2, 2020
10 changes: 5 additions & 5 deletions exercises/ansible_security/1.4-qradar/README.md
Expand Up @@ -6,7 +6,7 @@ To showcase how to automate a SIEM in a security environment, this lab contains

The SIEM can be accessed via web UI and via REST API. In this lab the playbooks we write will be interacting with the API in the background. All actions will be verified in the web UI.

## Step 4.1 - Access the web UI
## Step 4.2 - Access the web UI

Have a first look at the SIEM, and verify that it is actualy working. Point your web broswer towards `https://<qradar-IP>`, where `<qradar-IP>` is the IP address for the `qradar` entry in your `siem` section of your inventory. Next you will be faced with a warning that the vertificate is unsecure since it is self-signed. Please accept this and proceed.

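Review bot: the context line directly under the renumbered heading carries several typos that could be fixed while this section is being touched: "actualy" should be "actually", "broswer" should be "browser", and "the vertificate is unsecure" should read "the certificate is not trusted" (the browser cannot verify a self-signed certificate; the connection itself is still TLS). It would also help the reader to state that accepting this warning is expected only for the lab's self-signed QRadar instance.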
Expand Down Expand Up @@ -53,7 +53,7 @@ Click on the one called **"Potential DDoS Against Single Host (TCP)"**, note tha

Now that you had a very first glance at QRadar, it is time to look how it can be automated by Ansible.

## Step 4.2 - QRadar modules and Ansible collections
## Step 4.3 - QRadar modules and Ansible collections

On the most basic level, Ansible automation performs tasks. Those tasks execute modules, which usually work on the corresponding targets, like an API endpoint of a special device or program.

Expand Down Expand Up @@ -113,7 +113,7 @@ With the collection in place, we can now start to write our playbook.
>
> If you want to try this at home: please note that this collection command requires at least Ansible version 2.9!

## Step 4.3 - First example playbook
## Step 4.4 - First example playbook

In our first example to interface with QRadar we are going to enable/disable a rule. It is a rather small but common change and shows how Ansible and QRadar interact. We will do this in two steps: first we find the rule we want to change, afterwards we apply the change.

Expand Down Expand Up @@ -268,7 +268,7 @@ In your VS Code online editor, create a new file, `change_qradar_rule.yml` in th

The playbook is now complete: it queries QRadar for the list of rules, and deactives the one we are looking for.

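Review bot: the visible hunks shift Steps 4.1 to 4.3 up to 4.2 to 4.4, but shift 4.6 and 4.7 down to 4.5 and 4.6, so the new sequence has "Step 4.4" at line 113 and "Step 4.5" at line 268 with roughly 150 unshown lines in between; please confirm that any heading in that range (and a "Step 4.1" above line 6) still yields a gap-free, duplicate-free sequence, since the hunk headers alone cannot show this. The trailing context line also has "deactives", which should be "deactivates".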
## Step 4.6 - Run the playbook
## Step 4.5 - Run the playbook

After we completed the playbook, let's execute it:

Expand All @@ -292,7 +292,7 @@ qradar : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignore

As you can see, the playbook denotes a change: the rule was changed. Run the playbook again - it does not report a change anymore, since the rule is now already disabled.

## Step 4.7 - Verfiy changes in UI
## Step 4.6 - Verfiy changes in UI

To verify that Ansible indeed changed something, we go back to the UI of QRadar. Open the QRadar IP in your web browser. Click on the **Offenses** tab, and from there on the left side click on **Rules**. The long list of rules is displayed. In the search bar on top of this list, enter the following search term: `DDoS`
Hit enter afterwards to filter the list, so that it only shows few rules which are related to DDOS. At the end, note the rule regarding potential DDOS attacks, and check the state in the **Enabled** column: it is set to **False**!
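Review bot: the replacement heading line keeps the typo "Verfiy"; since the line is being rewritten anyway, make it "## Step 4.6 - Verify changes in UI". The context lines below also mix "DDoS" and "DDOS", while the rule name quoted in the second hunk uses "DDoS"; pick one spelling.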