IBM Security QRadar SOAR


Suppress Threat Source lookups on certain incident types

  • 1.  Suppress Threat Source lookups on certain incident types

    Posted Wed January 22, 2020 05:58 PM
    Edited by Ryan Terry Wed January 22, 2020 06:00 PM
    Does anyone know of any way to suppress all artifacts from doing Threat Source lookups on incidents with a particular Incident Type? For instance, we may create an incident for a specific malware threat like Emotet, which includes all known IOCs as artifacts from many cyber threat intel sources such as the FBI. We do this to take advantage of the Related Incidents feature to determine if past or future security incidents have any artifacts that correlate with the particular Threat Intel incident. We do not want artifacts from these threat intel incident types to check against VirusTotal, IBM X-Force and other Threat Sources within Resilient.

    I know we could use a different IOC store such as MISP and check all Resilient artifacts against it, but we are trying to keep things more simple where possible.

    ------------------------------
    Ryan Terry
    ------------------------------


  • 2.  RE: Suppress Threat Source lookups on certain incident types

    Posted Thu January 30, 2020 05:30 AM

    Hi Ryan,

    I do not know of any logic to support this use case. I think it would be possible to create a different organization for these special types of incidents and disable threat sources there.

    Hope this helps.

    Regards,



    ------------------------------
    Mark Scherfling
    ------------------------------