IBM QRadar

  • 1.  How to exploit Crowdstrike IOC ingested into Qradar

    Posted Thu April 20, 2023 10:44 AM

    I have installed the CrowdStrike app to ingest their IOCs into QRadar.
    I would like to know how to exploit these IOCs with my rule.
    Can someone help me with the steps?
    Thanks



    ------------------------------
    Benjamin Yabre
    ------------------------------


  • 2.  RE: How to exploit Crowdstrike IOC ingested into Qradar

    Posted Fri April 21, 2023 02:48 AM

    Hi Benjamin,
    are you aware of logrun? For a first test it is useful. If you know what the logs should look like, or if you can get them somewhere or find similar logs and change them slightly, e.g. to contain the MD5 for which the rule is designed, it is quite helpful.
    Have a great day!
    Martin



    ------------------------------
    Martin Schmitt
    ------------------------------
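The test-log approach Martin describes, as an added Python example that is not code from this thread, from IBM, or from CrowdStrike: build a LEEF event that carries the MD5 the rule is designed for, then simulate the "property is contained in reference set" rule test offline before replaying the line with logrun. The vendor/product names, the `fileHash` property and every hash value are constructed placeholders.

```python
import re

# Constructed IOC list, standing in for the CrowdStrike hashes loaded into a
# QRadar reference set. One entry is upper-case on purpose: feeds and log
# sources do not always agree on hash case, a common cause of silent misses.
IOC_MD5_LIST = [
    "0cc175b9c0f1b6a831c399e269772661",  # constructed (md5 of "a"), not a real IOC
    "92EB5FFEE6AE2FEC3AD71C777531578F",  # constructed (md5 of "b"), upper-case
]

def normalize_md5(value):
    """Lower-case and validate a hex MD5 so feed/log case differences cannot
    break the match. Returns None for anything that is not a 32-hex digest."""
    v = (value or "").strip().lower()
    return v if re.fullmatch(r"[0-9a-f]{32}", v) else None

# The simulated reference set, normalised the same way the events will be.
REFERENCE_SET = {h for h in (normalize_md5(x) for x in IOC_MD5_LIST) if h}

def build_leef_event(md5, filename="sample.exe", src="10.0.0.5"):
    """Construct a LEEF 1.0 test event (QRadar's key=value format) that carries
    the hash. Replay such lines with logrun to exercise the real rule."""
    attrs = {"devTime": "Apr 24 2023 08:25:00", "src": src,
             "fileName": filename, "fileHash": md5}
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:1.0|TestVendor|TestProduct|1.0|FileEvent|{body}"

def parse_leef(line):
    """Split a LEEF 1.0 line into its tab-separated key=value attributes."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 event")
    return dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)

def rule_matches(line, reference_set=REFERENCE_SET, prop="fileHash"):
    """Simulate the rule test 'when fileHash is contained in the reference set'.
    In QRadar the attrs.get(prop) step is the custom event property, which must
    be enabled for use in rules (the problem Benjamin hit in the thread)."""
    h = normalize_md5(parse_leef(line).get(prop))
    return h is not None and h in reference_set

if __name__ == "__main__":
    for test_hash in IOC_MD5_LIST + ["d41d8cd98f00b204e9800998ecf8427e"]:
        line = build_leef_event(test_hash)
        print(rule_matches(line), line)
```

The first two generated lines should fire the rule once replayed; the third (the MD5 of an empty file, constructed as a benign control) should not, which tells you whether a miss is a property or a reference-set problem.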



  • 3.  RE: How to exploit Crowdstrike IOC ingested into Qradar

    Posted Mon April 24, 2023 08:25 AM

    Hi Martin, I don't know logrun.
    I was able to make it work.
    I had issues with the custom event properties, which were not activated for it.
    Thanks 



    ------------------------------
    Benjamin Yabre
    ------------------------------