IBM Security QRadar SOAR

  • 1.  Informational / Non Malicious Artifact Hits

    IBM Champion
    Posted Wed March 10, 2021 11:42 AM

    All,

    I'd like to raise awareness on an RFE that I think would be incredibly helpful for artifacts / threat services within Resilient. I would really like to be able to create non malicious / informational hits for an artifact that wouldn't cause the artifact to be highlighted in red, similar to this RFE.

    Use case 1 - Informational Hits:

    I would like to create a CTS for URLs that returns our proxy appliance's category for the given URL. However, I don't want the artifact to show it has a malicious hit which would highlight the artifact in red.

    Along the same idea, I think it would be nice to return non malicious hits so the analyst knows that the artifact ran through the given threat service. For example, if a URL has a VirusTotal score of 0/83 I would still like to return a 'non malicious hit' that would contain that score and a link to the full report. As an analyst, when I see this I have confirmation that the artifact was run through the CTS and it was found to be non malicious. Then if I look into an artifact and I don't see a VirusTotal hit, I would know the CTS must be working on it, so I should check back in a couple of minutes.

    Use case 2 - CTS errors:

    If you create a CTS you have to consider what should be done when an error occurs (the 3rd party API you're interacting with responds with a 400/500, etc.). If you don't return a hit, the analyst would think the artifact value is not malicious. Currently I think it makes the most sense to return a hit that states ~ 'the CTS encountered an error, please look up yourself'. However, I think it'd be even better if within the CTS response we could flag that an error occurred, and then within Resilient the artifact would be highlighted in a different color, letting the analyst know at a glance that there was a problem and they need to potentially look up the artifact value themselves to determine if it's malicious or not.



    The RFE has been out there for awhile, so I figured I'd generate some buzz and support for it.

    Let me know what you think about it, or any other use cases you can think of!



    ------------------------------
    Liam Mahoney
    ------------------------------
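As an added illustration of the two use cases above (not code from the original post or from IBM), here is a hypothetical CTS scan handler that always returns a hit: an informational one for a 0/83 score, a malicious one for a positive score, and an explicit error hit when the upstream API fails. The `{"props": [{"type", "name", "value"}]}` hit shape, the names `UpstreamError`, `LookupResult`, `scan_artifact` and the sample lookup data are all assumptions constructed for the example.

```python
from dataclasses import dataclass

class UpstreamError(Exception):
    """Hypothetical: the 3rd-party API answered with a 4xx/5xx."""

@dataclass
class LookupResult:
    positives: int    # engines that flagged the value
    total: int        # engines consulted
    report_url: str   # link to the full report

def make_hit(*props):
    # Assumed hit shape: a list of typed name/value props per hit.
    return {"props": [{"type": t, "name": n, "value": v} for t, n, v in props]}

def scan_artifact(value, lookup):
    """Return one hit for every outcome so the analyst can tell
    error, non malicious (informational) and malicious apart."""
    try:
        result = lookup(value)
    except UpstreamError as exc:
        # Use case 2: surface the failure instead of returning no hit at all.
        msg = f"CTS encountered an error ({exc}); please look up {value} yourself"
        return [make_hit(("string", "Status", "error"), ("string", "Detail", msg))]
    verdict = "malicious" if result.positives > 0 else "non malicious"
    # Use case 1: a 0/83 score still produces an informational hit plus the link.
    return [make_hit(("string", "Status", verdict),
                     ("string", "VirusTotal score",
                      f"{result.positives}/{result.total}"),
                     ("uri", "Report", result.report_url))]

# Constructed stand-in for the threat service; no real API is called.
SAMPLE = {
    "clean.example.com": LookupResult(0, 83, "https://example.invalid/r/clean"),
    "bad.example.com": LookupResult(41, 83, "https://example.invalid/r/bad"),
}

def fake_lookup(value):
    # Anything outside the constructed table simulates an HTTP 500 from upstream.
    if value not in SAMPLE:
        raise UpstreamError("HTTP 500")
    return SAMPLE[value]

if __name__ == "__main__":
    for v in ("clean.example.com", "bad.example.com", "down.example.com"):
        print(v, scan_artifact(v, fake_lookup))
```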


  • 2.  RE: Informational / Non Malicious Artifact Hits

    Posted Tue March 16, 2021 05:37 AM

    Would you consider wrapping the URL category as a workflow function, so you can put the enrichment result in the incident artifact description, or the summary field (v39) or tags (v40) from the Org artifact without a hit? Currently the CTS approach will always trigger a hit.

    Regarding non-malicious hits, we can take this into consideration, but I am not sure if this is a common need. Some customers might not want to flood enrichment results with non-malicious ones.

    If we provide the last successful lookup time, would that be helpful? A recent scan without a report could imply it's not malicious. Furthermore, the last scan time might also be useful as a hint for your use case 2? That means you won't get a successful last scan date if the CTS is in a 400/500 status.



    ------------------------------
    Leo Kuo
    ------------------------------



  • 3.  RE: Informational / Non Malicious Artifact Hits

    IBM Champion
    Posted Tue March 16, 2021 10:23 AM

    Leo,

    I see what you're saying about wrapping it in a function; that's definitely a possibility I will explore further.

    That's fair enough, although the designer of the CTS could make the decision of whether the CTS should return non malicious hits or not to solve that problem.

    That's a great idea! I would add that I'd like to see the last successful lookup time per CTS that's turned on. This could get a little tricky with certain CTSes only supporting certain artifact types. I definitely like that idea though; it would solve our issue of signaling whether a given artifact was successfully looked up.

    Thanks for the ideas Leo!


    ------------------------------
    Liam Mahoney
    ------------------------------