We are pleased to announce that we have just published an upgraded version of the IBM QRadar Advisor with Watson (QRAW) application on the IBM Security App Exchange. Our goal with QRAW is to leverage AI, MITRE ATT&CK and advanced analytics to act as a force multiplier for analysts during SOC investigations. You can download it by clicking here.
We’ve added two great new features in this release of Advisor. The first feature simplifies one of the most important and most easily overlooked stages of the setup process. One of the most valuable features of QRadar Advisor with Watson (QRAW) is that it automatically mines all your security data around the entities involved in an offense, looking for evidence of the potential source and activities of the threat. So even if the offense was triggered by an anti-virus event, QRAW will automatically mine your proxy logs, endpoint logs, firewall logs, flows and any other data for that entity, looking for additional breadcrumbs of evidence that it can use to piece together what happened before and after the offense and to identify the source of the threat. QRAW does this by building custom on-the-fly searches that leverage your Custom Event Properties (CEPs).
However, for this data mining to be fully enabled, the CEPs that you have created in QRadar need to be mapped to a ‘QRAW type’ so that QRAW knows what they contain (e.g. a domain vs. a hash). Mapping CEPs into QRAW is very important: it allows QRAW to retrieve all the relevant data for analysis by Watson for Cyber Security and gives you more value and deeper insights into the investigation. While this mapping process is easy and straightforward, it can be a significant task for a deployment that has a large number of CEPs, and in the rush to get QRAW up and running it is often overlooked.
QRAW version 2.5 will analyse your CEPs and automatically provide suggestions of CEPs that should be mapped into QRAW and what QRAW types they should be mapped to. All you have to do is click a button once to accept them all. If at a later stage you add new CEPs, just rerun the setup procedure and QRAW will suggest mappings for the new ones as well.
This will greatly simplify the setup procedure and ensure that you are getting the maximum value from QRAW. If you are a current QRAW user, once you upgrade to v2.5 you can go back to the configuration screen to see if there are any new CEP mapping suggestions that may have been overlooked. It is definitely worth doing!
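To illustrate the kind of analysis behind suggesting a type for each CEP, here is an added example that is not QRAW’s own code: it classifies sample values of a custom property with simple patterns and only suggests a type when most samples agree. The type names (hash, ipv4, domain), the 80% agreement threshold and the sample values are assumptions of this example.

```python
import re
from collections import Counter

# Heuristic patterns for value types; names and patterns are this example's own
# assumptions, not QRAW's type catalogue. Hash covers MD5, SHA-1 and SHA-256 lengths.
PATTERNS = {
    "hash": re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(
        r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
    ),
}


def classify_value(value):
    """Return the first matching type name for one value, or None if nothing matches."""
    v = value.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(v):
            return kind
    return None


def suggest_type(samples, min_agreement=0.8):
    """Return (type, share): the dominant type and the share of non-empty samples
    it explains. The type is None when no sample matches or agreement is too low,
    so a mixed or free-text property is not silently mapped to the wrong type."""
    kinds = [classify_value(s) for s in samples if s and s.strip()]
    if not kinds:
        return None, 0.0
    counts = Counter(k for k in kinds if k is not None)
    if not counts:
        return None, 0.0
    best, n = counts.most_common(1)[0]
    share = n / len(kinds)
    return (best if share >= min_agreement else None), share


def suggest_mappings(cep_samples, min_agreement=0.8):
    """Suggest a type for every CEP name given a dict of name -> sample values."""
    return {name: suggest_type(vals, min_agreement) for name, vals in cep_samples.items()}


# Constructed sample values for four hypothetical CEPs (the hashes are of the empty string).
CEP_SAMPLES = {
    "FileHash": ["d41d8cd98f00b204e9800998ecf8427e",
                 "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                 "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "DestinationHost": ["example.com", "mail.example.org", "cdn.example.net"],
    "SrcIP": ["10.0.0.5", "192.168.1.10", "10.0.0.7", "not-an-ip"],  # 75% agreement: no suggestion
    "FreeText": ["login failed", "", "user disabled"],
}
```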
Another feature in v2.5 that we are very excited about is the inclusion of local to local (L2L) nodes with associated MITRE ATT&CK tactics in the QRAW knowledge graph and threat analysis. This new feature will allow you to have a more complete picture of a threat’s actions in your environment as it will now detect and show lateral movement after initial persistence in the environment. Within its knowledge graph QRAW will show how the threat has attempted to move from the initial infected nodes to others in your environment and what MITRE tactics and techniques have been utilised in the process.
A good example of this would be a hacker gaining access to your network by landing malware on one endpoint and then looking for and moving laterally to other high-value servers in your environment, for example a domain controller. The initial endpoint would likely have an offense, but the servers involved in the lateral movement attempts may not. Importantly, QRAW leverages the QRadar MITRE ATT&CK mappings of its use cases to reconstruct the attack pattern. So even if you have added your own lateral movement use cases, as long as they are associated with MITRE ATT&CK tactics using Use Case Manager, Advisor will automatically include them in its investigation.
In the example above we can see that the threat has made attempts to move laterally to three other servers in the environment after gaining persistence on the first compromised host.
We are very excited about these two new QRAW features and hope you are too!
Authored by Jason Leger, Offering Manager, QRadar Advisor with Watson.