After receiving a veritable tidal wave of 2019 year in review emails from other vendors, I figured I'd contribute to the conversation by putting together a list of what I consider to be the essential apps and extensions for QRadar to prepare for 2020. These apps aid the SOC in a variety of ways, whether it be visibility, use case planning, operational improvements or artificial intelligence.
1) QRadar Use Case Manager (formerly Tuning App):
Scaling SIEM use cases and configuring new detection rules can often be challenging and time-consuming. QRadar Use Case Manager takes the guesswork out of enabling and tuning rule sets to ensure QRadar is optimally configured to detect threats throughout the attack chain. Use Case Manager includes a rule explorer for flexible reports related to individual rules and analytics that provide tuning and configuration recommendations unique to your environment. Use Case Manager can map pre-defined rule sets to the MITRE ATT&CK framework, and map custom rules to MITRE ATT&CK tactics and techniques.
Download from the IBM Security App Exchange
2) QRadar User Behavior Analytics (UBA):
Insiders are responsible for more than 50% of data breaches and 90% of organizations feel vulnerable to insider threats. QRadar User Behavior Analytics analyzes user activity to detect malicious insiders and determine if a user’s credentials have been compromised. Security analysts can easily see risky users, view their anomalous activities and drill down into the underlying log and flow data that contributed to a user’s risk score. UBA leverages out of the box behavioral rules and customizable machine learning (ML) models to add user context to network, log, vulnerability and threat data to more quickly and accurately detect attacks.
Learn more about QRadar User Behavior Analytics
3) Threat Intelligence App:
SOCs are managing multiple threat intelligence sources from ISACs and various public and vendor-provided feeds. Make threat intelligence actionable with the Threat Intelligence app, which imports feeds in the open-source STIX/TAXII format and makes the intel available to QRadar for correlation, enrichment, searching and reporting. With the base QRadar license, you gain access to world-class X-Force threat intelligence, which provides insights with data from more than 46B+ categorized URLs and 1B+ malware indicators.
Download the Threat Intelligence App
Sign up for the X-Force Exchange
4) Log Source Manager:
The QRadar Log Source Management app is a new, completely redesigned interface for viewing, creating, editing and deleting log sources. Bulk create and configure log sources and log source groups using an easy to use wizard. The Log Source Manager also enables testing of log source configurations to ensure configuration parameters are correct.
Download from the IBM Security App Exchange
5) QRadar Assistant:
Don't you ever wish you had a helping hand to manage your QRadar app ecosystem? The QRadar Assistant app helps you manage your app and content extension inventory, view app and content extension recommendations and discover new QRadar resources. See if your QRadar environment is 'Watson Ready' and begin a 30-day trial of QRadar Advisor with Watson.
Download from the IBM Security App Exchange
6) QRadar Advisor with Watson:
SOC teams feel the pressures of a lack of cybersecurity talent and job fatigue, and are often unable to manage the enormous volume of insights day-to-day, leaving the business vulnerable to unaddressed security threats. QRadar Advisor with Watson automates routine SOC tasks, finds commonalities across investigations and provides actionable feedback to analysts, freeing them up to focus on more important elements of the investigation and increasing analyst efficiency.
Download and begin a 30-day free trial
7) QRadar Cloud Visibility:
With organizations employing a number of public and private cloud environments, monitoring and securing infrastructure has become more difficult as the perimeter moves outside of the four walls. With QRadar Cloud Visibility, gain instant visibility into a variety of IaaS environments including Amazon Web Services (AWS), Azure and IBM Cloud. QRadar detects potential misconfigurations, such as an open AWS S3 bucket, and quickly alerts analysts to close the vulnerability.
8) QRadar Pulse:
Understanding the performance of your security analytics tools and security posture at a glance is often difficult without the right visualization tools. QRadar Pulse visualizes offenses, network data, threats, malicious user behavior, and cloud environments in geographical maps, a built-in 3D threat globe, and auto-updating charts. Pulse is perfect for a quick overview of your current end-to-end security environment on a single display or on multiple displays in your Security Operations Center.
9) QRadar Content Packs for Compliance:
Compliance-driven use cases are not typically the most attractive when compared to some advancements in threat detection; however, they remain one of the most foundational uses of SIEM technology. QRadar is a trustworthy technology partner with the experience and resources to help address security and regulatory risk, as well as report on compliance adherence. IBM provides out-of-the-box compliance packages for GDPR, FISMA, SOX, HIPAA, ISO 27001, PCI and more.
Browse Compliance Content on the IBM Security App Exchange
10) IBM Resilient / QRadar Integration:
Keeping secure is more than just actioning alerts; how teams respond is a major factor in an organization's security posture. IBM Security Resilient's QRadar integration allows analysts to simplify and streamline the process of escalating and managing incidents. When offenses are escalated from IBM QRadar into Resilient, the SOAR platform generates a detailed, incident-specific response plan that enables team members to respond quickly.
Learn more about IBM Security Resilient
Download from the IBM Security App Exchange
Let me know in the comments if I missed any of your favorite apps!