IBM Security QRadar

  • 1.  Qradar and Watson integration

    Posted Mon September 30, 2019 07:57 AM
    I installed Watson on QRadar. I found that Watson can help me investigate each offense by using mixed information from the cloud and local sources. Am I correct?

    But what about responses? After offenses are shown, what should I do next? I am trying to find a solution in order to save time. Can Watson help or give me guidelines?

    For example:
    If someone contacts a C&C server, the administrator should block that IP address/URL on the firewall or proxy first, then use antivirus or an endpoint scan on the client device.
    But what happens if the offense is new to me and I don't know how to handle it?

    Please share your ideas with me.
    Thank you in advance

    ------------------------------
    MAC Strater
    ------------------------------


  • 2.  RE: Qradar and Watson integration

    Posted Tue October 01, 2019 05:11 AM
    Hi

    Watson will mine the local IOCs as part of the offense investigation and then send them to the cloud and investigate. This cloud information contains structured and unstructured data which it has ingested/learned over time. Watson will then investigate the local IOCs against this cloud information and come back with the key insights for your analysts to investigate.
    In terms of response, Watson can help; it can lead how you should respond. For example, Watson might say that this is the threat actor and campaign involved, and based on this you will know what to do. For guided incident response you should look into Resilient, which is tightly integrated with QRadar. Here is a quick video Jose Bravo did that is worth looking at - https://www.youtube.com/watch?v=Pop85sl4fWQ

    ------------------------------
    SHANE LUNDY
    ------------------------------



  • 3.  RE: Qradar and Watson integration

    Posted Tue October 01, 2019 09:58 AM
    1) Have you installed the QRadar Assistant application from the App Exchange for your deployment of QRadar? (It is highly recommended, as it can assess whether your deployment is well tuned enough to get full value from QRAW (QRadar Advisor with Watson).)

    2) Once the assistant confirms your deployment is mature enough QRAW can add a lot of value by researching the offenses that come out of QRadar.

    As you know it can align these incidents to the MITRE ATT&CK chain.

    That is best practice, I hope this helps.

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 4.  RE: Qradar and Watson integration

    Posted Wed October 02, 2019 10:54 PM

    I always wanted to use a custom script action to take action when there is a match.
    For example, when there is malicious traffic, I want the script to log in to the source IP and run a command to grab info about the application causing the traffic, plus initiate an AV scan or clear the browser cache. I made some progress but couldn't see success. If anyone is aware of a location we can copy working scripts from, kindly share.

    To your question: sorry, I haven't explored Watson, so I don't know whether it does the same or more.

    ------------------------------
    s 3k
    ------------------------------
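
A defender-side sketch of what a QRadar custom action script can do with the properties a rule passes it, added here as an example and not code from this thread or from IBM. QRadar runs custom action scripts on the console with the rule's selected event properties as command-line arguments; this example assumes the rule passes the source IP and the rule name, in that order. It validates the IP before anything else touches it (the argument is untrusted event text, so it must never reach a shell unvalidated), classifies the address as internal or external, and queues a structured recommendation for the firewall or endpoint team rather than logging in to the endpoint itself. The internal ranges and the queue path are constructed placeholders.

```python
#!/usr/bin/env python3
"""Hypothetical QRadar custom-action script (example only, not IBM's code).

Assumed invocation by the rule:  respond.py <source_ip> <rule_name>
The script validates the source IP, decides whether it is an internal host or
an external address, and appends a JSON record to a local queue file that a
firewall/ticketing workflow can pick up for human review.
"""
import ipaddress
import json
import sys
import time

# Constructed allowlist of internal ranges (assumption; adjust to your site).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed placeholder path for the queue the downstream tooling reads.
QUEUE_PATH = "/tmp/qradar_response_queue.jsonl"


def validate_ip(raw):
    """Return an ip_address object, or None if the argument is not a valid IP.
    Rejecting anything that does not parse is what keeps event-derived text
    out of any later command line or query."""
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None


def classify(ip):
    """'internal' if the address falls in INTERNAL_NETWORKS, else 'external'."""
    return "internal" if any(ip in net for net in INTERNAL_NETWORKS) else "external"


def build_record(raw_ip, rule_name, now=None):
    """Build the response record for one offense match.

    Internal sources (a client talking to a C&C server) are routed to the
    endpoint team for a scan; external sources are routed to the perimeter
    team as a block request. Invalid input produces a 'rejected' record so the
    failure is visible in the queue instead of silently dropped."""
    ip = validate_ip(raw_ip)
    if ip is None:
        return {"status": "rejected", "reason": "invalid_ip", "input": raw_ip}
    scope = classify(ip)
    action = "endpoint_scan" if scope == "internal" else "perimeter_block"
    return {
        "status": "queued",
        "ip": str(ip),
        "scope": scope,
        "recommended_action": action,
        "rule": rule_name,
        "queued_at": now if now is not None else int(time.time()),
    }


def enqueue(record, path=QUEUE_PATH):
    """Append one JSON line to the queue file."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def main(argv):
    if len(argv) != 3:
        print("usage: respond.py <source_ip> <rule_name>", file=sys.stderr)
        return 2
    record = build_record(argv[1], argv[2])
    enqueue(record)
    print(json.dumps(record))
    return 0 if record["status"] == "queued" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The record carries a recommendation, not an executed action: an analyst or the firewall team still confirms the block or scan, which is the step the first post describes doing by hand. Keeping the script to validation plus a queue write also means a malformed or hostile event value can at worst produce a rejected record.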