IBM QRadar SIEM
The ThreatConnect integration with QRadar enables sending validated and actionable intelligence between the ThreatConnect platform and QRadar through the use of three apps. This integration allows users to identify the most relevant threats, proactively protect their network, and quickly respond to incidents with greater confidence.
With this integration, users can aggregate their logs from QRadar and combine them with their threat intelligence in ThreatConnect. The Platform provides context with the indicators, and enables their security team to better spot abnormal trends and patterns, and to act on them efficiently. Additionally, analysts working in QRadar can view real-time indicator enrichment, add indicators back into ThreatConnect, and record false positives. Users can tie their data to Playbooks, ThreatConnect’s orchestration capability, to automate nearly any cybersecurity task and respond to threats faster – as well as send to other tools in your security stack. With this integration you get:
- Instant Indicator Enrichment
- Hover over an indicator in QRadar to see a real-time summary of what ThreatConnect knows about an indicator
- Actionable Threat Intel
- Lookup and create indicators, or report false positives to ThreatConnect from within QRadar
- Search QRadar Events
- Search QRadar events from matching ThreatConnect indicators using ThreatConnect Playbooks
The following actions are included in the Playbook App:
- Add Indicator(s) to Reference Set – Upload indicators to a specific reference set. The settings in the Advanced Section are only for when a new Reference Set is to be created. If a new Reference Set is to be created these are required fields
- Remove Indicator(s) from Reference Set – Upload indicators to a specific reference set
- Get Offense – Retrieve the details of an offense using its ID
- Update Offense – Update an offense by its ID. Using this action you can update who the offense is signed to, change the closing reason ID, flag to follow up, flag as protected, or update the status
- List Offenses – List all offenses and their details
- Submit Ariel Query – Submit an Ariel search using AQL. Returns a search ID for the executing search
- Retrieve Ariel Query – Retrieve a previously submitted Ariel search by the search ID. The action will fail if the results are not yet ready. If the search completed but there are no results, the value of Fail on No Results will determine if the execution returns an error
- Create Offense Note – Add or update a note on an offense
These apps can be found in the ThreatConnect App Catalog under the names: IBM QRadar (Playbook) IBM QRadar (Custom Trigger), and QRadar Integration (Organization)
