User Guide: TruSTAR for IBM QRadar
This document explains how to use the TruSTAR Workflow App for IBM QRadar.
You can use the TruSTAR App for IBM QRadar to:
- Automatically or manually submit offenses to TruSTAR
- Manually submit events to TruSTAR.
- Search TruSTAR for all Indicators correlated to an IP address of an offense or event.
- Populate the QRadar reference list with Indicators from TruSTAR.
- Update TruSTAR Indicators in the QRadar reference list to keep them current.
How It Works
From within QRadar, you can query TruSTAR enclaves to return Indicators that are stored in one or more QRadar reference sets. You can then use the information in those reference sets to create QRadar rules.
When one of those rules is invoked, it creates an event or an offense. You can automatically or manually send those events or offenses to TruSTAR for enrichment. Any information obtained from TruSTAR is loaded back into the event or offense in QRadar for deeper investigation.
Sending Offenses to TruStar
An offense is a collection of related events that have been detected by a QRadar rule. You can send an offense to TruSTAR in two ways:
- Automatic: Use the Enable Auto Submission parameter on the Configuration page to set up automatic submission.
- Manual: Use the QRadar GUI to submit an offense.
After the offense has been submitted to TruSTAR, you can see additional information in the Notes section of the offense:
- A link to the Intel Report in TruSTAR. Click the link to jump to the TruSTAR Web App and view report details.
- A Correlated Report Count that shows the number of Intel Reports in TruSTAR that have additional enrichment related to that offense.
- Correlated Indicators, with details of the Enclaves where those Indicators are located.
Manually Submitting Offenses to TruSTAR
If you do not have auto-submission configured, you can manually send an offense to TruSTAR using the following procedure:
- Navigate to the Offense tab.
- Double-click Offense to Submit.
- Click Send to TruSTAR to submit the offense.
Sending an Event to TruSTAR
An event is a specific behavior detected by a QRadar rule.
Use the following procedure to send an event to TruSTAR.
- Navigate to the Log Activity tab.
- Double-click on the event that you want to submit to TruSTAR.
- Click Send to TruSTAR to submit the event.
Hunting for IP Information in TruSTAR
You can search in TruSTAR for correlated indicators by specifying an IP address of an Event or Offense. The search can return correlated Indicators along with their respective enclaves in TruSTAR.
Use these steps to search TruSTAR for correlated Indicators.
- Navigate to the Log Activity tab or the Offense tab.
- Right-click on the IP address you want to search for in TruSTAR. This opens a popup window that displays a list of links to correlated Indicators.
- Click any Indicator to jump to the TruSTAR Web App and see a detailed view of that Indicator.
Managing Reference Sets
Reference sets are used to store data such as Indicators in a simple list format so you can perform searches, create filters, rule test conditions, and rule responses against them.
Users with QRadar admin access can add, edit, view, or delete reference sets within QRadar. You can also delete FP indicators and set Indicator aging parameters. For more information on managing reference sets, refer to the QRadar documentation
Updating Reference Sets
A QRadar Admin user can configure the TruSTAR Workflow App to automatically collect TruSTAR Indicators as QRadar reference sets by modifying the IOC Feed parameter on the Configuration page.