IBM Security QRadar SOAR


New IBM Resilient Extension:  QRadar Functions

By Hugh Pyle posted Wed September 12, 2018 03:24 PM


Recently, IBM Resilient has published a new integration with QRadar: QRadar Functions for Resilient, available now in the IBM Security App Exchange.  This integration brings the power and flexibility of workflow functions that connect to QRadar to automate your incident response plan. This post is part of a series describing the integrations with QRadar.

This fully packaged integration contains functions, workflows, and rules to run the workflows. It also includes a custom data table to add to layouts, providing full visibility within the Resilient platform. All these components can easily be modified and extended for your own purposes in Resilient’s graphical designer.


How QRadar Functions Improve Response

[Image: qr_func_1.png]

When responding to any type of security alert or incident, the QRadar SIEM will very often hold logs with relevant information on user activity, network traffic or other behavior. Many IR analysts keep a notepad of searches that can unlock this information.


Search Automation

By automating these searches, under the right conditions, you can dramatically reduce the time and effort needed to investigate an alert.  Automation can provide the answers within seconds to questions such as: Which other users have downloaded from this suspicious URL?  What else connected to this machine around the time of this event?  And many more.

This integration provides a function for QRadar search, which allows users to manually or automatically run arbitrary QRadar Ariel queries directly from Resilient workflows at any time after an incident is created. Search results can be added to the incident as artifacts, as notes, put directly into a custom data table, or used in any other way.

The search function accepts a wide range of parameters, and can execute a search based on a username, an IP address, or the offense ID generated in QRadar.
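As an added illustration of the three search inputs described above (this is example code, not part of the QRadar Functions package), the helpers below build Ariel (AQL) queries from incident artifacts and flatten the search result into data-table rows. Artifact values are validated before they are placed in the query so that a malformed artifact cannot alter the search; the event field names and the `{"events": [...]}` result shape are assumptions taken from QRadar's normalized event schema and Ariel REST results, and the sample result is constructed here.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Allow-list for usernames: anything outside this set is rejected rather than
# interpolated into the AQL string literal (assumed policy, not the package's).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,128}$")

def _window(event_time: datetime, minutes: int) -> str:
    """AQL START/STOP clause covering +/- `minutes` around the event, in epoch ms."""
    start = event_time - timedelta(minutes=minutes)
    stop = event_time + timedelta(minutes=minutes)
    return f"START {int(start.timestamp() * 1000)} STOP {int(stop.timestamp() * 1000)}"

def aql_for_ip(ip: str, event_time: datetime, minutes: int = 30) -> str:
    """'What else connected to this machine around the time of this event?'"""
    addr = ipaddress.ip_address(ip)  # ValueError for anything that is not an IP literal
    return ("SELECT sourceip, destinationip, username, eventcount FROM events "
            f"WHERE sourceip = '{addr}' OR destinationip = '{addr}' "
            f"{_window(event_time, minutes)}")

def aql_for_user(username: str, event_time: datetime, minutes: int = 30) -> str:
    """Activity of one user around the time of the event."""
    if not _USERNAME_RE.match(username):
        raise ValueError("username contains characters not permitted in a search")
    return ("SELECT sourceip, destinationip, qid, eventcount FROM events "
            f"WHERE username = '{username}' {_window(event_time, minutes)}")

def aql_for_offense(offense_id: int) -> str:
    """All events attached to a QRadar offense, via the INOFFENSE() AQL function."""
    return ("SELECT sourceip, destinationip, username, eventcount FROM events "
            f"WHERE INOFFENSE({int(offense_id)}) LAST 24 HOURS")

def rows_from_results(search_results: dict) -> list:
    """Flatten an Ariel events result into rows for a Resilient data table."""
    return [{"source_ip": e.get("sourceip"), "dest_ip": e.get("destinationip"),
             "username": e.get("username"), "count": e.get("eventcount", 0)}
            for e in search_results.get("events", [])]

# Constructed sample: an event time and a fabricated Ariel result payload.
EVENT_TIME = datetime(2018, 9, 12, 15, 24, tzinfo=timezone.utc)
SAMPLE_RESULT = {"events": [
    {"sourceip": "10.0.0.5", "destinationip": "10.0.0.9", "username": "alice", "eventcount": 3},
    {"sourceip": "10.0.0.7", "destinationip": "10.0.0.9", "username": None, "eventcount": 1},
]}

if __name__ == "__main__":
    print(aql_for_ip("10.0.0.9", EVENT_TIME))
    print(rows_from_results(SAMPLE_RESULT))
```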


Reference Data

Additional functions include managing and connecting QRadar reference data with Resilient. These functions allow workflows to read and write reference set items, and then update Resilient artifacts or tasks appropriately.

QRadar reference sets can then drive the SIEM rule behavior, based on activity within the Resilient response process.

A simple example use case for this integration is a security team that keeps two reference sets, “Suspect IPs” and “Blocked IPs”, to distinguish levels of danger. The newly packaged functions that “add” or “delete” a reference set item can be used in rules to transfer items between these lists. This also creates a paper trail of notes on each incident artifact as the functions are executed.

Below is a screenshot of the Resilient platform with the newly added QRadar functions:

[Screenshot: qr_func_2.png]

Incident Escalation

This package complements the existing Resilient integration with the QRadar platform, which allows incidents to be escalated from QRadar into the Resilient Incident Response Platform (IRP) and generates a detailed, incident-specific response plan. This latest extension is much more flexible and delivers the newest Resilient v30 capabilities and automation for search and reference set functionality.


Enhanced Features of Resilient v30

This new extension has taken full advantage of the new features incorporated in Resilient’s v30 platform.

The new workflow features in v30 allow customers to build dynamic playbooks and automation workflows that call QRadar in a completely flexible and customizable way.

With v30, this automation can search for log data, search reference sets, and update reference sets, such as adding IP addresses to a watch list, at any appropriate stage in the workflow.

Workflows can be called manually or automatically, and the function results can be used in myriad ways to enrich the incident, for example by adding artifacts or data-table rows, or even by using the results for automatic decision-making.


The newly published integration along with its documentation can be found on the IBM Security App Exchange.

Download from App Exchange:
https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4

Watch the introductory video on YouTube:
https://youtu.be/3U8cmMdKCy4

If you have any questions or comments about this new release, please comment here or post a new message under the Discussion tab in the Community.
