IBM Cloud Pak for Security

Better visibility with Trend Micro Vision One and QRadar XDR Connect

By RoseAnn Guttierrez posted Wed February 09, 2022 10:45 AM


Hi Security Community! We have some exciting news on a recently added extension on the IBM Security App Exchange. Trend Micro has created a Vision One UDI (Universal Data Insights) connector for QRadar XDR Connect. UDI connectors are based on STIX-shifter, an open-source project under the Open Cybersecurity Alliance (OCA). STIX-shifter uses the STIX 2 standard to express queries as STIX patterns and translates those patterns into the native query language of each data source.

Trend Micro is also one of the first organizations to incorporate the STIX-shifter code into its Vision One product creating an integration with QRadar SIEM.  It’s an excellent example of how open standards can drive collaboration and expand the security ecosystem.

Here is an example scenario where federated search would be helpful.

A user clicks an email link and inadvertently downloads malware onto their machine. The Extended Detection and Response (XDR) tool, part of Trend Micro Vision One, identifies the download as malicious and prevents the malicious file from executing. It also looks for that same email in other users' accounts and quarantines it to stop the impact across the organization.

In a typical Security Operations Center (SOC), a security analyst would have to use multiple tools to determine if other users also clicked on the malicious link or if this was an isolated occurrence. 

Here is a small example of the types of activities that might occur:

  • Reviewing proxy logs for the URL.
  • Researching any additional IOCs associated with the malicious URL.
  • Searching the email server to identify other users that received the email.
  • Using a sandbox to execute the malicious file.

Using IBM QRadar XDR Connect's Data Explorer, a security analyst can take information like the hash of the malicious file, source URL, source IP address, and email subject from this type of event and run a search in one tool instead of many.

QRadar XDR Connect uses UDI connectors to run federated searches across your environment. That translates into one search query that can be understood by multiple data sources (e.g. Trend Micro, Splunk, Azure, AWS) wherever they reside, giving your team the insights they need without having to search through multiple tools.
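To make the "one query, many data sources" idea concrete, here is an added example that is not code from the post, from Trend Micro, or from the STIX-shifter project. It takes the indicators from the scenario above (file hash, source URL, source IP, email subject), builds a single STIX 2 pattern from them, and then translates that pattern into the native field names of three constructed data sources (an EDR, a web proxy and a mail server) before running it over a few constructed records. The field mappings, data sources, records and indicator values are all assumptions made for the illustration; real STIX-shifter connectors ship their own per-module mappings and talk to live APIs rather than in-memory lists.

```python
import re

# Constructed indicators for the scenario in the post (placeholder values, not real IoCs).
SAMPLE_IOCS = {
    "file:hashes.'SHA-256'": "a" * 64,
    "url:value": "http://example.invalid/invoice.zip",
    "ipv4-addr:value": "203.0.113.10",
    "email-message:subject": "Invoice overdue",
}

# Hypothetical STIX-path -> native-field mappings, one per data source. A source that
# has no mapping for a STIX path simply cannot answer that part of the pattern.
FIELD_MAPS = {
    "edr":   {"file:hashes.'SHA-256'": "sha256", "ipv4-addr:value": "src_ip", "url:value": "url"},
    "proxy": {"url:value": "request_url", "ipv4-addr:value": "client_ip"},
    "mail":  {"email-message:subject": "subject"},
}

# Constructed sample records for each source.
EDR_RECORDS = [
    {"host": "ws-01", "sha256": "a" * 64, "src_ip": "203.0.113.10", "url": "http://example.invalid/invoice.zip"},
    {"host": "ws-02", "sha256": "b" * 64, "src_ip": "198.51.100.7", "url": "http://example.invalid/other"},
]
PROXY_RECORDS = [
    {"client_ip": "10.0.0.5", "request_url": "http://example.invalid/invoice.zip"},
    {"client_ip": "10.0.0.6", "request_url": "https://example.com/"},
    {"client_ip": "10.0.0.7", "request_url": "http://example.invalid/invoice.zip"},
]
MAIL_RECORDS = [
    {"rcpt": "alice@example.invalid", "subject": "Invoice overdue"},
    {"rcpt": "bob@example.invalid", "subject": "Lunch"},
    {"rcpt": "carol@example.invalid", "subject": "Invoice overdue"},
]

# Matches one STIX observation expression of the form [object:path = 'value'].
CLAUSE_RE = re.compile(r"\[\s*([\w-]+:[\w.'\-]+)\s*=\s*'([^']*)'\s*\]")


def build_pattern(iocs):
    """Join one equality comparison per indicator into a single OR-ed STIX 2 pattern."""
    return " OR ".join(f"[{path} = '{value}']" for path, value in iocs.items())


def parse_pattern(pattern):
    """Return the (stix_path, value) pairs of a pattern made of OR-joined equality comparisons."""
    clauses = CLAUSE_RE.findall(pattern)
    if not clauses:
        raise ValueError("no comparison expressions found in pattern")
    return clauses


def translate(pattern, field_map):
    """Rewrite the STIX paths into a source's native field names, dropping unmappable paths."""
    return [(field_map[path], value) for path, value in parse_pattern(pattern) if path in field_map]


def to_query_string(clauses):
    """Render native clauses in a simple key="value" OR key="value" search syntax."""
    return " OR ".join(f'{field}="{value}"' for field, value in clauses)


def run_query(clauses, records):
    """Evaluate the translated clauses against in-memory records (stands in for a live API call)."""
    return [rec for rec in records if any(rec.get(field) == value for field, value in clauses)]


def federated_search(pattern, sources):
    """sources: {name: (field_map, records)} -> {name: {"query": str, "hits": [records]}}."""
    results = {}
    for name, (field_map, records) in sources.items():
        clauses = translate(pattern, field_map)
        if not clauses:
            continue  # this source cannot answer any part of the pattern; skip it
        results[name] = {"query": to_query_string(clauses), "hits": run_query(clauses, records)}
    return results


def demo():
    """Run the scenario's indicators as one pattern across all three constructed sources."""
    sources = {
        "edr": (FIELD_MAPS["edr"], EDR_RECORDS),
        "proxy": (FIELD_MAPS["proxy"], PROXY_RECORDS),
        "mail": (FIELD_MAPS["mail"], MAIL_RECORDS),
    }
    return federated_search(build_pattern(SAMPLE_IOCS), sources)


if __name__ == "__main__":
    for source, result in demo().items():
        print(f"{source}: {result['query']} -> {len(result['hits'])} hit(s)")
```

The analyst writes the pattern once; each source sees only the clauses it can answer in its own vocabulary, which is the same division of labour the post describes between Data Explorer and the UDI connectors.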

Learn more:


#IntegrationJunction