IBM QRadar User Guide
This document explains how to use the TruSTAR workflow app for IBM QRadar.
You can use the TruSTAR App for IBM QRadar to:
- Automatically or manually submit offenses to TruSTAR.
- Manually submit events to TruSTAR.
- Search TruSTAR for all indicators correlated to an IP address of an offense or event.
- Populate the QRadar reference list with indicators from TruSTAR.
- Update TruSTAR indicators in the QRadar reference list to keep them current.
How It Works
From within QRadar, you can query TruSTAR enclaves to return IOCs that are stored in one or more QRadar reference sets. You can then use the information in those reference sets to create QRadar rules. When one of those rules is invoked, it creates an event or an offense that you can automatically or manually send to TruSTAR for enrichment. Information obtained from TruSTAR is loaded back into the event or offense in QRadar to support deeper investigation.
- Enclaves: Data repositories in the Station platform. Each data source resides in its own enclave.
- Observable: Artifacts found on a network or operating system that indicate a likely intrusion. Typical observables are virus signatures, IP addresses, MD5 hashes of malware files, URLs, or domain names.
- IOC: Indicator of Compromise. Another term for Observables.
- Event: The log of some particular action on a network device at a point in time.
- Offense: A collection of related events.
- Reference Set: Data stored in a simple list format. In the TruSTAR integration, reference sets contain IOCs from TruSTAR.
Sending Offenses to TruSTAR
An offense is a collection of related events that have been detected by a QRadar rule. You can send an offense to TruSTAR in two ways:
- Automatic: Use the Enable Auto Submission parameter on the Configuration page to set up automatic submission.
- Manual: Use the QRadar GUI to submit an offense.
After the offense has been submitted to TruSTAR, you can see additional information in the Notes section of the offense:
- A deep link to the report in TruSTAR. You can click on that link to jump to TruSTAR and see report details.
- A Correlated Report Count that shows the number of reports in TruSTAR that have additional enrichment related to that offense.
- Correlated Indicators, with details of the enclave where they are located.
Manually Submitting Offenses to TruSTAR
If you do not have auto-submission configured, you can manually send an offense to TruSTAR using the following procedure:
- Navigate to the Offense tab.
- Double-click the offense you want to submit.
- Click Send to TruSTAR to submit the offense.
Sending an Event to TruSTAR
An event is a specific behavior detected by a QRadar rule.
Use the following procedure to send an event to TruSTAR.
- Navigate to the Log Activity tab.
- Double-click on the event that you want to submit to TruSTAR.
- Click Send to TruSTAR to submit the event.
Hunting for IP Information in TruSTAR
You can search in TruSTAR for correlated indicators by specifying an IP address of an Event or Offense. The search can return correlated indicators along with their respective enclaves in TruSTAR.
Use these steps to search TruSTAR for correlated indicators.
- Navigate to the Log Activity tab or the Offense tab.
- Right-click on the IP address you want to search for in TruSTAR. This opens a popup window that displays a list of deep links to correlated indicators.
- Click on any indicator to jump to TruSTAR and see a search for that indicator.
Managing Reference Sets
Reference sets store data such as IOCs in a simple list format so that QRadar users can perform searches, create filters, rule test conditions, and rule responses against them.
Users with QRadar admin access can add, edit, view, or delete reference sets within QRadar. You can also delete false-positive (FP) indicators and set indicator aging parameters. For more information on managing reference sets, refer to the QRadar documentation.
Updating Reference Sets
A QRadar Admin user can configure the TruSTAR App to automatically collect TruSTAR IOCs as QRadar reference sets by modifying the IOC Feed parameter on the Configuration page.
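As an added illustration (not code from the TruSTAR app or its documentation), the following Python models one reference-set refresh run as described above and in Managing Reference Sets: indicators newly reported by the feed are added, indicators still reported are kept current, and false positives or indicators not seen within the aging threshold are dropped. The sample indicators, the 30-day threshold, and the function names are constructed assumptions; no QRadar or TruSTAR API is called.

```python
"""Local model of refreshing a QRadar reference set from a TruSTAR IOC pull."""
from datetime import datetime, timedelta

MAX_AGE_DAYS = 30  # assumed indicator-aging parameter (hypothetical value)
NOW = datetime(2024, 2, 2)  # constructed "current time" for the run

# Constructed sample data: indicator value -> last time the feed reported it.
CURRENT_SET = {
    "198.51.100.10": datetime(2024, 1, 1),        # stale and absent from the feed
    "203.0.113.7": datetime(2024, 1, 20),         # still reported by the feed
    "malicious.example": datetime(2024, 1, 25),   # flagged as a false positive
}
FEED = {
    "203.0.113.7": datetime(2024, 2, 1),
    "192.0.2.44": datetime(2024, 2, 1),           # new indicator
    "malicious.example": datetime(2024, 2, 1),
}
FALSE_POSITIVES = {"malicious.example"}


def reconcile(current, feed, false_positives, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return (add, refresh, remove) sets for one update run.

    add:     feed indicators not yet in the set and not suppressed as FP
    refresh: indicators in both the set and the feed (last-seen moves forward)
    remove:  FP indicators plus anything not reported within max_age_days
    """
    cutoff = now - timedelta(days=max_age_days)
    add, refresh, remove = set(), set(), set()
    for ioc, last_seen in current.items():
        if ioc in false_positives:
            remove.add(ioc)
        elif ioc in feed:
            refresh.add(ioc)
        elif last_seen < cutoff:
            remove.add(ioc)
    for ioc in feed:
        if ioc not in current and ioc not in false_positives:
            add.add(ioc)
    return add, refresh, remove


def apply_update(current, feed, false_positives, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return the reference-set contents after reconcile() has been applied."""
    add, refresh, remove = reconcile(current, feed, false_positives, now, max_age_days)
    updated = {ioc: ts for ioc, ts in current.items() if ioc not in remove}
    for ioc in add | refresh:
        updated[ioc] = max(feed[ioc], updated.get(ioc, feed[ioc]))
    return updated


if __name__ == "__main__":
    print(apply_update(CURRENT_SET, FEED, FALSE_POSITIVES))
```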