There are a few options here:
- Set a time-to-live (TTL) on the reference set so it expires data that is more than 24-48 hours old. Not really an answer here, but I thought I'd mention this as I'm not sure how large the reference data set is.
- You could create a right-click action potentially to look up information. For example, the Recorded Future app for QRadar has a feature like this where you can get extra IOC information from the app's Recorded Future tab. This could be done as a right-click or it could be an app that runs within QRadar that can search, then enhance with extra info (See the screen caps as an example Recorded Future for QRadar).
- Another option might be to use the QRadar Lookups Content Extension. This app has some bundled AQL custom functions that can look at flat files or run searches. I do not think this option would be faster than a reference set when reading files, but you might be able to query remote endpoints for external data this way, instead of using a reference set.
Other users here might have other ideas though.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
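The first option above (a TTL on the reference set) can be checked and applied through the QRadar REST API. The script below is an added example, not code from the thread or from IBM: it audits which reference sets have no TTL and are still large, and builds the documented `POST /api/reference_data/sets` request that creates a set with `time_to_live` and `timeout_type`. The host name, SEC token and set names are placeholders, and the API response it works on is a constructed sample so the audit runs offline.

```python
"""Audit QRadar reference sets for missing TTLs (added example, not from the thread).

Uses two documented QRadar REST endpoints:
  GET  /api/reference_data/sets   - list sets with size, time_to_live, timeout_type
  POST /api/reference_data/sets   - create a set; time_to_live / timeout_type set the TTL
Host, token and set names below are placeholders; SAMPLE_SETS is constructed.
"""
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of what GET /api/reference_data/sets returns, trimmed to the
# fields the audit uses. A real response carries more fields per set.
SAMPLE_SETS = [
    {"name": "ThirdPartyIOC_IPs", "element_type": "IP",
     "number_of_elements": 1_250_000, "time_to_live": None, "timeout_type": "UNKNOWN"},
    {"name": "ThirdPartyIOC_Hashes", "element_type": "ALNIC",
     "number_of_elements": 40_000, "time_to_live": "2 days", "timeout_type": "LAST_SEEN"},
    {"name": "Allowlisted_Servers", "element_type": "IP",
     "number_of_elements": 120, "time_to_live": None, "timeout_type": "UNKNOWN"},
]


def sets_needing_ttl(sets, min_elements=100_000):
    """Names of sets that have no TTL and already hold more than min_elements entries.

    Small sets without a TTL (allowlists, asset lists) are expected; the ones that
    keep growing are the IOC feeds the original poster describes.
    """
    return [s["name"] for s in sets
            if not s.get("time_to_live") and s.get("number_of_elements", 0) > min_elements]


def create_set_request(host, token, name, element_type="IP",
                       time_to_live="2 days", timeout_type="LAST_SEEN"):
    """Build (but do not send) the POST that creates a reference set with a TTL.

    timeout_type LAST_SEEN refreshes the clock each time an IOC is seen again, so
    only entries the feed stops reporting age out after time_to_live.
    """
    params = urllib.parse.urlencode({
        "name": name,
        "element_type": element_type,
        "time_to_live": time_to_live,
        "timeout_type": timeout_type,
    })
    url = f"https://{host}/api/reference_data/sets?{params}"
    return urllib.request.Request(
        url, method="POST",
        headers={"SEC": token, "Accept": "application/json"})


def fetch_sets(host, token):
    """Live call to GET /api/reference_data/sets; needs network and a real SEC token."""
    req = urllib.request.Request(f"https://{host}/api/reference_data/sets",
                                 headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:  # the console cert must be trusted
        return json.load(resp)


if __name__ == "__main__":
    host = os.environ.get("QRADAR_HOST")    # placeholder, e.g. qradar.example.internal
    token = os.environ.get("QRADAR_TOKEN")  # placeholder authorized-service token
    sets = fetch_sets(host, token) if host and token else SAMPLE_SETS
    print("Sets without a TTL that keep growing:", sets_needing_ttl(sets))
    req = create_set_request(host or "qradar.example", token or "<SEC token>",
                             "ThirdPartyIOC_IPs_ttl")
    print("Would send:", req.get_method(), req.full_url)
```

Run it with `QRADAR_HOST` and `QRADAR_TOKEN` set to audit a live console, or with neither to see the logic run over the constructed sample. Changing the TTL on an existing set is a separate API call, so the usual approach is to create the TTL'd set, point the rules at it, and retire the old one.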
Original Message:
Sent: Thu April 27, 2023 09:57 AM
From: Benjamin Yabre
Subject: usage of IOC in Qradar
Hello,
I have ingested a third party IOC into Qradar for usage with some rules.
I have created a reference set table to contain those IOC, but the reference set size keeps increasing in less than a few days.
I would like to know if there is a way for QRadar to not ingest the IOC but to use an API to check correlation with the IOC without ingesting them into a reference set table.
Thanks
------------------------------
Benjamin Yabre
------------------------------