User Guide: TruSTAR for IBM QRadar
This document explains how to use the TruSTAR Workflow App for IBM QRadar.
You can use the TruSTAR App for IBM QRadar to:
- Automatically or manually submit offenses to TruSTAR
- Manually submit events to TruSTAR
- Search TruSTAR for all Indicators correlated to an IP address of an offense or event
- Populate the QRadar reference list with Indicators from TruSTAR
- Update TruSTAR Indicators in the QRadar reference list to keep them current
How It Works
From within QRadar, you can query TruSTAR Enclaves for Indicators, which are then stored in one or more QRadar reference sets. You can then use the information in those reference sets to create QRadar rules.
When one of those rules fires, it creates an event or an offense. You can automatically or manually send those items to TruSTAR for enrichment. Any information obtained from TruSTAR is loaded back into the QRadar item so that you can investigate further.
Sending Offenses to TruSTAR
An offense is a collection of related events that have been detected by a QRadar rule. You can send an offense to TruSTAR in two ways:
- Automatic: Use the Enable Auto Submission parameter on the Configuration page to set up automatic submission.
- Manual: Use the QRadar GUI to submit an offense.
After the offense has been submitted to TruSTAR, you can see additional information in the Notes section of the offense:
- A link to the Intelligence Report in TruSTAR. Click the link to jump to the TruSTAR Web App and view report details.
- A Correlated Report Count that shows the number of Intelligence Reports in TruSTAR that have additional enrichment related to that offense.
- Correlated Indicators, with details of the Enclaves where those Indicators are located.
Manually Submitting Offenses to TruSTAR
If you do not have auto-submission configured, you can manually send an offense to TruSTAR.
- Navigate to the Offense tab.
- Double-click the offense that you want to submit.
- Click Send to TruSTAR to submit the offense.
Sending an Event to TruSTAR
You can send an event detected by a QRadar rule to TruSTAR for enrichment.
- Navigate to the Log Activity tab.
- Double-click on the event that you want to submit to TruSTAR.
- Click Send to TruSTAR to submit the event.
Hunting for IP Information in TruSTAR
You can search in TruSTAR for Indicators by specifying the IP address of an Event or Offense. The search can return correlated Indicators along with their respective Enclaves in TruSTAR.
- Navigate to the Log Activity tab or the Offense tab.
- Right-click on the IP address you want to search for in TruSTAR. This opens a popup window that displays a list of links to correlated Indicators.
- Click any Indicator to jump to the TruSTAR Web App and see a detailed view of that Indicator.
Managing Reference Sets
Reference sets store data such as Indicators in a simple list format so that you can run searches, build filters, define rule test conditions, and configure rule responses against them.
Users with Admin access in QRadar can add, edit, view, or delete reference sets. You can also delete false-positive (FP) Indicators and set Indicator aging parameters. For more information on managing reference sets, refer to the QRadar documentation.
Updating Reference Sets
A QRadar Admin user can configure the TruSTAR Workflow App to automatically collect TruSTAR Indicators as QRadar reference sets by modifying the IOC Feed parameter on the Configuration page.