IBM® QRadar® is a SIEM platform that provides situational awareness and compliance support. QRadar uses a combination of flow-based network knowledge, security event correlation, and asset-based vulnerability assessment.
This integration automatically cross-checks all log sources already onboarded into QRadar against Maltiverse Threat Intelligence feeds on IP, hostname, URL and file-hash related fields, and triggers new alerts pointing out possible security incidents. It enables you to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers.
Reference Set Mapping
To configure Maltiverse feeds in the QRadar Threat Intelligence app, each Maltiverse feed must be mapped to a reference set, and a rule must then be created to generate offenses whenever there is a match. The following table lists the most relevant collections, the recommended reference set to map each one to, and the rule logic:
| Collection (Maltiverse Feed) | Observable Type | Reference Set | Rule Logic |
|---|---|---|---|
| Command and Controls | IPv4 Address | Botnet C&C IPs | when any of Destination IP are contained in any of Botnet C&C IPs |
| Command and Controls | Domain Name | Malware Hostnames | when any of Domain are contained in any of Malware Hostnames |
| Malware Distribution | IPv4 Address | Malware IPs | when any of Destination IP are contained in any of Malware IPs |
| Malware Distribution | Domain Name | Malware Hostnames | when any of Domain are contained in any of Malware Hostnames |
| Malware Distribution | URL | Malware URLs | when any of Request URL are contained in any of Malware URLs |
| Malware | File Hash | Malware Hashes SHA | when any of File Hash are contained in any of Malware Hashes SHA |
| Phishing | URL | Phishing URLs | when any of Request URL are contained in any of Phishing URLs |
| Malicious URLs | URL | Malicious URLs | when any of Request URL are contained in any of Malicious URLs |
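The mapping table above can be checked offline before any rule is built in QRadar. The following Python script is an added example (not code from Maltiverse or from the QRadar Threat Intelligence app): it loads constructed Maltiverse-style feed entries into in-memory reference sets following the table, then evaluates constructed QRadar-style events with the same "field is contained in reference set" test the rule logic column describes. The feed entry layout (`collection`, `type`, `value`) and the event field names are assumptions made for the example. Because reference-set membership is an exact string match, the script also shows the normalization step (lowercasing hostnames and hashes, dropping trailing dots) that has to be applied on both the feed side and the event side, or matches are silently lost.

```python
"""Offline check of the Maltiverse-to-QRadar reference-set mapping.

Added example, not part of Maltiverse or the QRadar Threat Intelligence app.
Feed entry layout and event field names are assumptions for this example.
"""
from typing import Dict, List, Set, Tuple

# Table rows: (collection, observable type) -> reference set to load into
FEED_TO_REFERENCE_SET: Dict[Tuple[str, str], str] = {
    ("Command and Controls", "IPv4 Address"): "Botnet C&C IPs",
    ("Command and Controls", "Domain Name"): "Malware Hostnames",
    ("Malware Distribution", "IPv4 Address"): "Malware IPs",
    ("Malware Distribution", "Domain Name"): "Malware Hostnames",
    ("Malware Distribution", "URL"): "Malware URLs",
    ("Malware", "File Hash"): "Malware Hashes SHA",
    ("Phishing", "URL"): "Phishing URLs",
    ("Malicious URLs", "URL"): "Malicious URLs",
}

# Rule Logic column: (event field tested, reference set it is tested against)
RULES: List[Tuple[str, str]] = [
    ("Destination IP", "Botnet C&C IPs"),
    ("Domain", "Malware Hostnames"),
    ("Destination IP", "Malware IPs"),
    ("Request URL", "Malware URLs"),
    ("File Hash", "Malware Hashes SHA"),
    ("Request URL", "Phishing URLs"),
    ("Request URL", "Malicious URLs"),
]

# Event fields carry the same observable kinds as the feed types (assumed names)
FIELD_TO_TYPE: Dict[str, str] = {
    "Destination IP": "IPv4 Address",
    "Domain": "Domain Name",
    "Request URL": "URL",
    "File Hash": "File Hash",
}


def normalize(observable_type: str, value: str) -> str:
    """Reference-set membership is an exact string match, so feed and event
    values must be normalized identically. Hostnames: lowercase, no trailing
    dot. Hashes: lowercase. IPs and URLs: surrounding whitespace only."""
    value = value.strip()
    if observable_type == "Domain Name":
        return value.lower().rstrip(".")
    if observable_type == "File Hash":
        return value.lower()
    return value


def build_reference_sets(feed_entries: List[dict]) -> Dict[str, Set[str]]:
    """Load feed entries into the reference sets named in the mapping table.
    Entries whose (collection, type) pair is not in the table are skipped."""
    ref_sets: Dict[str, Set[str]] = {
        name: set() for name in set(FEED_TO_REFERENCE_SET.values())
    }
    for entry in feed_entries:
        ref_set = FEED_TO_REFERENCE_SET.get((entry["collection"], entry["type"]))
        if ref_set is None:
            continue
        ref_sets[ref_set].add(normalize(entry["type"], entry["value"]))
    return ref_sets


def evaluate_event(event: Dict[str, str], ref_sets: Dict[str, Set[str]]) -> List[str]:
    """Return the reference sets whose rule would fire, in table order."""
    matched: List[str] = []
    for field, ref_set in RULES:
        raw = event.get(field)
        if raw is None:
            continue
        if normalize(FIELD_TO_TYPE[field], raw) in ref_sets[ref_set]:
            matched.append(ref_set)
    return matched


# Constructed sample feed: RFC 5737 addresses, example.* names, a dummy hash
SAMPLE_FEED: List[dict] = [
    {"collection": "Command and Controls", "type": "IPv4 Address", "value": "198.51.100.23"},
    {"collection": "Command and Controls", "type": "Domain Name", "value": "C2.Example.NET."},
    {"collection": "Malware Distribution", "type": "IPv4 Address", "value": "203.0.113.5"},
    {"collection": "Malware Distribution", "type": "URL", "value": "http://dl.example.org/payload.bin"},
    {"collection": "Malware", "type": "File Hash", "value": "AB" * 32},
    {"collection": "Phishing", "type": "URL", "value": "https://login.example.com/verify"},
    {"collection": "Unmapped Collection", "type": "URL", "value": "http://ignored.example/"},
]

# Constructed sample events in the shape the rules test
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Destination IP": "198.51.100.23", "Domain": "c2.example.net"},
    {"Request URL": "https://login.example.com/verify"},
    {"File Hash": "ab" * 32},
    {"Destination IP": "203.0.113.5", "Request URL": "http://dl.example.org/payload.bin"},
    {"Destination IP": "192.0.2.10"},
]


def run_demo() -> List[List[str]]:
    """Evaluate every sample event against the sets built from the sample feed."""
    ref_sets = build_reference_sets(SAMPLE_FEED)
    return [evaluate_event(event, ref_sets) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_demo()):
        print(event, "->", hits or "no match")
```

Note that the Command and Controls and Malware Distribution domain feeds both land in the single Malware Hostnames set, exactly as the table recommends, so a hostname hit alone does not tell the analyst which collection it came from; if that distinction matters for triage, keep a separate reference set per collection and add a rule per set.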