
Ingesting IBM Cloud Security and Command Center Network Insights into QRadar

By Matthew Dobbs posted Thu April 29, 2021 08:06 AM

IBM Cloud Security and Command Center Network Insights continuously analyzes your Virtual Private Cloud (VPC) network interface flow logs to detect suspicious activity by using learned patterns and threat intelligence. These alerts can be ingested into QRadar for comprehensive visibility into enterprise data across on-premises and cloud-based environments from a single pane of glass.

This post describes how to ingest IBM Cloud Security and Command Center Network Insights alerts into QRadar.

Use Case
As a SOC Analyst using QRadar, I need to be aware when an IBM Cloud Network Insights alert is triggered. When severity and magnitude thresholds are exceeded, an Offense will be generated in QRadar.

Example

When IBM Cloud VPC flow logs contain an IP address that matches a known malicious IP, an alert is generated in IBM Cloud Security Network Insights. QRadar receives this alert with the IP data (IPs, ports, packet count), information about the asset, and the reason the alert was generated. The QRadar event details show the conditions that were met, which result in an Offense being generated.
The threshold for Botnet CNC reliability is met for the offending IP address:
X-Force Exchange Categorization
  • Anonymization Services (43%)
  • Malware (43%)
  • Botnet Command and Control Server (83%)
  • Cryptocurrency Mining (43%)
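The correlation described above, as an added example that is not part of the original post or of any IBM product: constructed VPC flow-log records are matched against a constructed X-Force Exchange-style categorization table, an alert is produced for each hit, and an Offense is raised only when the Botnet Command and Control Server confidence meets an assumed threshold (the post gives no threshold value, so the 75% used here is a placeholder).

```python
from dataclasses import dataclass

# Assumed threshold: the post shows the threshold being met at 83% but never
# states the value, so 75 is a constructed placeholder, not an IBM default.
BOTNET_CNC_THRESHOLD = 75
BOTNET_CNC = "Botnet Command and Control Server"

# Constructed X-Force Exchange-style categorization: IP -> {category: confidence %}.
IP_REPUTATION = {
    "203.0.113.7": {"Anonymization Services": 43, "Malware": 43,
                    BOTNET_CNC: 83, "Cryptocurrency Mining": 43},
    "198.51.100.9": {"Scanning IPs": 20},
}

# Constructed VPC flow-log records (a subset of fields, field names assumed).
FLOW_LOGS = [
    {"initiator_ip": "10.240.0.5", "target_ip": "203.0.113.7",
     "target_port": 443, "packets": 17, "action": "accepted"},
    {"initiator_ip": "10.240.0.5", "target_ip": "198.51.100.9",
     "target_port": 22, "packets": 3, "action": "rejected"},
    {"initiator_ip": "10.240.0.6", "target_ip": "10.240.0.7",
     "target_port": 8080, "packets": 120, "action": "accepted"},
]

@dataclass
class Alert:
    offending_ip: str   # the IP that matched threat intelligence
    asset_ip: str       # the VPC-side asset that talked to it
    port: int
    packets: int
    reason: str         # highest-confidence category, as the alert reason
    botnet_cnc: int     # Botnet CNC confidence, 0 if not categorized

def correlate(flows, reputation):
    """Return one Alert per flow record whose initiator or target IP is known bad."""
    alerts = []
    for flow in flows:
        for side in ("initiator_ip", "target_ip"):
            cats = reputation.get(flow[side])
            if not cats:
                continue
            asset = flow["target_ip" if side == "initiator_ip" else "initiator_ip"]
            worst = max(cats, key=cats.get)
            alerts.append(Alert(flow[side], asset, flow["target_port"], flow["packets"],
                                f"{worst} ({cats[worst]}%)", cats.get(BOTNET_CNC, 0)))
    return alerts

def should_raise_offense(alert, threshold=BOTNET_CNC_THRESHOLD):
    """Mirror the post's rule: an Offense only when Botnet CNC reliability meets the threshold."""
    return alert.botnet_cnc >= threshold
```

Only the 203.0.113.7 flow becomes an Offense; the scanner hit at 198.51.100.9 stays an alert for the analyst to review.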

Response
Existing or new responses can be used as part of your Security Orchestration, Automation and Response (SOAR) policy, such as:

- The data provided by IBM Cloud Network Insights can be correlated as part of a new or existing QRadar Advisor with Watson investigation.
- An automated response to block the offending IP address via an IBM Cloud network access policy.
- Generate a new case in IBM Security Case Management for IBM Cloud Pak

References
IBM Cloud Security and Command Center Network Insights
