
Integrating Threat Intelligence into QRadar

By SHANE LUNDY posted Fri August 02, 2019 11:23 AM


Threat intelligence in QRadar means taking external threat information on known IOCs (indicators of compromise) and pulling those threat intelligence feeds into QRadar for use in rules, searches, dashboards and reporting.

Overview

There are various ways to get threat intelligence into QRadar. The first is the IBM Threat Intelligence App, downloaded from the IBM App Exchange; it can be configured to manage threat intelligence feeds in QRadar by following the configuration guide on the IBM Knowledge Center.

Additionally, our Business Partners have created various apps on the IBM App Exchange. Maybe you pay for "Recorded Future", "Anomali" or "Kaspersky" threat intelligence feeds and want to integrate them into QRadar. Explore these and the many other Business Partner integrations to bring that threat intelligence into QRadar easily.
Finally, there is the always-on QRadar threat feed from IBM X-Force Exchange. Once you have a QRadar license you have access to this threat intelligence free of charge, for use in your rules, searches, reports and dashboards.

In this blog I'm going to highlight the threat integration between X-Force Exchange and QRadar and walk through building a Pulse dashboard that you can easily download, integrate and use to visualize the feed.

If you are looking for OOTB (out-of-the-box) rules to use with the X-Force threat feed, please download and install the IBM Security Threat Content pack.

Getting started

First, the X-Force Threat Intelligence feed must be enabled in QRadar. Navigate to the Admin tab, open "System Settings" under "System Configuration", and set the X-Force Threat Intelligence Feed option to 'Yes'.

Now you can import this dashboard into QRadar Pulse to get you started. Download here: X-Force_-_IP_Categorization.json

For more info on how to import a Pulse dashboard click here.

Visualizing your X-Force data in a Pulse Dashboard

The dashboard screenshot above shows the four widgets I created to display information from the X-Force feed.


  1. Malware, Command & Control DESTINATION IPs Seen in Network Last 24 Hours (top left widget) is a flat globe that plots every local-to-remote connection (source IP inside your network, destination IP outside it) and scores the destination IP against the X-Force threat intelligence feed. For each connection over the last 24 hours the line is colour coded by how severe the X-Force Malware and Botnet Command and Control Server scores are (light red > 80, dark red between 60-80, orange between 35-60, yellow between 15-35, green < 15). I'll go into more detail on this widget a little later.


  2. Top Destination IPs Seen in Network Malware, Command & Control (top right widget) shows the same information as widget #1 in a table format. The destination IPs are ordered by their Malware score, with the most severe connection at the top, and colour coded using the thresholds from widget #1.


  3. Spam, Scanning IPs, Anonymisation Services DESTINATION IPs Seen on Network Last 24 Hours (bottom left widget) extends widget #1 to cover Bots, Scanning IPs, Spam and Anonymisation Services.


  4. Top Destination IPs Seen in Network Spam, Scanning IPs, Bots, Anonymisation Service (bottom right widget) shows the same information as widget #3 in a table format. This widget is ordered by the total event count against Bots, Scanning IPs, Spam and Anonymisation Services, and the table is colour coded with the same thresholds (light red > 80, dark red between 60-80, orange 35-60, yellow 15-35, green < 15).


Analyzing widget #1: Malware, Command & Control DESTINATION IPs Seen in Network Last 24 Hours


We've created the widget using AQL, QRadar's Ariel Query Language, and as of QRadar 7.3.2 you can easily create saved searches through the QRadar UI and convert them to AQL.


Let’s take a look at the AQL for this widget.

  1. We do a geo lookup on the destination IP and source IP so we can plot the coordinates on the map:
     GEO::LOOKUP(destinationip, 'geo_json') as 'Destination_IP', GEO::LOOKUP(sourceip, 'geo_json') as 'Source_IP'
  2. We get the X-Force category for each destination IP known to X-Force:
     XFORCE_IP_CATEGORY(destinationip) as XForceIPCategory
  3. Next we get the X-Force IP confidence for Malware and for Botnet Command and Control Servers for these destination IPs:
     XFORCE_IP_CONFIDENCE('Malware', destinationip) as MalwareConfidence, XFORCE_IP_CONFIDENCE('Botnet Command and Control Server', destinationip) as C2Confidence
  4. We only look at events going from our network to a remote destination:
     WHERE eventdirection = 'L2R'
  5. We order the results by the Malware score known to X-Force:
     ORDER BY MalwareConfidence DESC


Next, we will plot this data set using the Geographic Chart Type and set the thresholds by defining the Threshold Type and Threshold.
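The fragments above are only pieces of the widget's query, and the colour bands are only described in prose. The following Python script is an added example for this post (it is not code from the post's dashboard JSON, from Pulse, or from QRadar): it joins the fragments into one complete AQL statement, applies the widget's confidence thresholds to result rows, and shows how the same query can be submitted outside Pulse through the QRadar Ariel search REST API (POST /api/ariel/searches, poll the search, then fetch /results). The SELECT/FROM skeleton and the LAST 24 HOURS window are my reconstruction of how the fragments fit together, the console URL and token are placeholders, the handling of exact boundary values (e.g. whether 80 is dark red or light red) and of unscored IPs is my choice, and the result rows at the bottom are constructed, not real X-Force data.

```python
"""Assemble the post's X-Force AQL, submit it via the Ariel REST API, and
colour-code the rows with the Pulse widget thresholds.

Added example for this post; not code from QRadar, Pulse or the post's
dashboard JSON. Everything marked 'assumption' is mine."""
import json
import ssl
import time
import urllib.parse
import urllib.request

# Fragments quoted in the post, joined into one query. The SELECT/FROM
# skeleton and the trailing LAST 24 HOURS time clause are my reconstruction
# (assumption); the function calls, WHERE and ORDER BY are the post's own.
AQL_C2_DESTINATIONS = """
SELECT sourceip, destinationip,
       GEO::LOOKUP(destinationip, 'geo_json') AS 'Destination_IP',
       GEO::LOOKUP(sourceip, 'geo_json') AS 'Source_IP',
       XFORCE_IP_CATEGORY(destinationip) AS XForceIPCategory,
       XFORCE_IP_CONFIDENCE('Malware', destinationip) AS MalwareConfidence,
       XFORCE_IP_CONFIDENCE('Botnet Command and Control Server', destinationip) AS C2Confidence
FROM events
WHERE eventdirection = 'L2R'
ORDER BY MalwareConfidence DESC
LAST 24 HOURS
""".strip()


def severity_colour(score):
    """Map an X-Force confidence (0-100) to the widget's colour bands.

    The post gives '> 80', '60-80', '35-60', '15-35', '< 15'. Which band owns
    an exact boundary is not stated; here a boundary goes to the higher band,
    except 80, which is not '> 80' and so stays dark red (assumption).
    A None score (IP not scored by X-Force) is treated as 0 (assumption)."""
    s = 0 if score is None else score
    if s > 80:
        return "light red"
    if s >= 60:
        return "dark red"
    if s >= 35:
        return "orange"
    if s >= 15:
        return "yellow"
    return "green"


def rank_rows(rows):
    """Colour each result row by the worse of its Malware and C2 scores and
    order by that score, most severe first (the table widget's ordering).
    Using the worse of the two scores is my choice (assumption)."""
    ranked = []
    for row in rows:
        worst = max(row.get("MalwareConfidence") or 0,
                    row.get("C2Confidence") or 0)
        ranked.append({**row, "worst": worst, "colour": severity_colour(worst)})
    ranked.sort(key=lambda r: r["worst"], reverse=True)
    return ranked


def run_ariel_search(console, token, aql, cafile=None, timeout=300):
    """Submit AQL through the QRadar Ariel search API and return the rows.

    console: e.g. 'https://qradar.example.internal' (placeholder); token: an
    authorized-service token sent in the SEC header; cafile: the console's
    CA certificate, so TLS verification is kept rather than switched off."""
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {"SEC": token, "Accept": "application/json"}

    def call(path, method="GET"):
        req = urllib.request.Request(console + path, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)

    search = call("/api/ariel/searches?query_expression="
                  + urllib.parse.quote(aql), method="POST")
    search_id = search["search_id"]
    deadline = time.monotonic() + timeout
    while True:
        status = call(f"/api/ariel/searches/{search_id}")["status"]
        if status == "COMPLETED":
            break
        if status in ("CANCELED", "ERROR") or time.monotonic() > deadline:
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(2)
    return call(f"/api/ariel/searches/{search_id}/results")["events"]


# Constructed rows shaped like Ariel results for the query above (the
# geo_json columns are omitted for brevity); not real X-Force data.
SAMPLE_ROWS = [
    {"sourceip": "10.0.0.5", "destinationip": "203.0.113.10",
     "XForceIPCategory": "Malware", "MalwareConfidence": 72, "C2Confidence": 18},
    {"sourceip": "10.0.0.9", "destinationip": "198.51.100.7",
     "XForceIPCategory": "Botnet Command and Control Server",
     "MalwareConfidence": 20, "C2Confidence": 91},
    {"sourceip": "10.0.1.2", "destinationip": "192.0.2.44",
     "XForceIPCategory": None, "MalwareConfidence": None, "C2Confidence": None},
]

if __name__ == "__main__":
    for r in rank_rows(SAMPLE_ROWS):
        print(f'{r["colour"]:>9}  {r["worst"]:3}  {r["sourceip"]} -> {r["destinationip"]}')
```

Running the script offline only ranks the constructed rows; to pull live data, call run_ariel_search(console, token, AQL_C2_DESTINATIONS, cafile=...) and pass the returned rows to rank_rows. Keep the console's CA certificate in cafile rather than disabling certificate checks: the SEC token in the request is a full authorized-service credential, and an unverified TLS session would hand it to anyone on the path to the console.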


Summary

As described above, it's very easy to get threat intelligence into QRadar, and you can use the X-Force IP category and X-Force IP confidence functions to show how it relates to your network. I would highly recommend using Pulse to visualize threat intelligence from X-Force, creating and adjusting the widgets in the Pulse dashboard to suit your needs.

Stay Tuned


I’ll add to this blog and create another dashboard for the XFORCE_URL_CATEGORY.


Thanks for reading….

Comments

Thu August 15, 2019 10:15 AM

Thanks for the quick answer and link. So from what I understand there are certain IOCs which are automatically delivered from X-Force exchange into QRadar, but others that are packaged as Collections and need to be added manually the first time.

Thu August 15, 2019 08:55 AM

@Amir Perlson I don't think this will work this way. Only if you are able to pull this information into an XFE collection and then follow this will you be able to pull this information into QRadar. I've attached a YouTube video which you should watch; this might help you with the Threat Intel App and pulling IOC feeds into QRadar from X-Force. https://www.youtube.com/watch?v=O8S0tvfP1fM&t=0s

Thu August 15, 2019 08:41 AM

Thanks for the helpful blog Shane. I was wondering - if I integrate additional threat feeds to my X-Force account, for example integration of VirusTotal through API - will this additional threat intel also be automatically fed into QRadar with the standard X-Force data?