Configure Correlation in the IBM QRadar App

The IntSights App for IBM QRadar comes with these default rules:

  • IntSights Source IP Rule and IntSights Destination IP Rule
    These rules check whether the source (or destination) IP address of every incoming event exists in the "IntSights_IOC_IpAdresses" reference set. Every correlation generates an offense that is visible in the QRadar Offenses tab.
    The rules are disabled by default. To enable them, see Enable rules.
  • IntSights File Hash Rule, IntSights Email Address Rule, IntSights URL Rule, and IntSights Domain Rule
    These rules likewise check whether the respective property of every incoming event is present in the corresponding reference set. If it is, the rule creates an offense.

Create custom properties

Before you can use custom properties in rules, you must create them and enable their use.

To create custom properties:

  1. From the IBM QRadar console, choose Admin > Custom Event Properties.
  2. Double-click the property name to enable.
  3. In the Property Definition section of the Custom Event Properties dialog, select Enable for use in Rules, Forwarding Profiles and Search Indexing.
  4. Click Save.

The property can now be used as an event property filter.

Edit predefined rules

In addition to the default IP rules, there are predefined rules for the other IOC types. You can define custom event properties, then edit those rules to use them and to meet your requirements.

To edit a rule:

  1. From the IBM QRadar console, choose Offenses > Rules.
  2. Search the rules list for intsights, then double-click the rule to edit.
  3. From the Action drop-down menu, click New Event Rule.
  • The Rule Wizard is displayed with default values for the selected rule.
  • For example, for the File Hash rule, the values in section A and section B are prefilled.
  4. Click the text in section A.
  • You will now define the event property to match.
  5. In the Select event property dialog, select an event property to search for.
  • Example: To find file hashes that are in Threat Command events, select the custom property you created for file hashes, then click Add.
  • If you don't see the custom event property that you defined, it may not be enabled.
  • For more information, see Enable custom properties.
  6. Click Submit.
  • The predefined words in section A are replaced with the custom property that you selected.
  7. Click Next.
  • The Rule Wizard: Rule Response dialog is displayed.
  8. Configure the rule actions:
    1. In the Rule Action dialog, select Ensure the detected event is part of an offense (step F).
    • A drop-down opens with more fields.
    2. In the Index offense based on field, select the event property that was previously selected (step G).
    • Example: Select File Hash (custom).
    • Whenever this rule is triggered, an offense will be created or updated for the selected event property.
    3. (Optional) Select other actions to take place each time the rule is triggered.
  9. Click Finish.
  • The rule is disabled by default.
  10. To enable the rule, see Enable rules.

Any new event that matches the rule criteria will trigger the rule and create the defined offense.
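The following Python is an added illustration, not code from this page or from the IntSights app, of what the default rules and the Index offense based on setting do: each enabled rule tests one event property against its reference set, the first match opens an offense, and later matches on the same indexed value update that offense instead of opening another. The reference-set names other than IntSights_IOC_IpAdresses, the event field names, the offense layout and all sample values are assumptions.

```python
from dataclasses import dataclass

# Reference sets populated by the app. The names follow the page's
# "IntSights_IOC_*" convention; the member values are constructed samples.
REFERENCE_SETS = {
    "IntSights_IOC_IpAdresses": {"203.0.113.10", "198.51.100.7"},
    "IntSights_IOC_FileHashes": {"a1b2c3d4e5f60718293a4b5c6d7e8f90"},  # assumed set name
    "IntSights_IOC_Domains": {"malicious.example"},  # assumed set name
}

@dataclass
class Rule:
    name: str
    event_property: str   # event field tested, e.g. the source IP or a custom property
    reference_set: str
    enabled: bool = False # app rules ship disabled, as described on the page

# Hypothetical field names; the Domain rule is left disabled on purpose.
RULES = [
    Rule("IntSights Source IP Rule", "source_ip", "IntSights_IOC_IpAdresses", True),
    Rule("IntSights Destination IP Rule", "destination_ip", "IntSights_IOC_IpAdresses", True),
    Rule("IntSights File Hash Rule", "file_hash", "IntSights_IOC_FileHashes", True),
    Rule("IntSights Domain Rule", "domain", "IntSights_IOC_Domains"),
]

def correlate(events, rules=RULES, reference_sets=REFERENCE_SETS):
    """Return offenses keyed by (rule name, indexed value). The first match
    creates an offense; later matches on the same value update it, which is
    what "Index offense based on" achieves in the Rule Wizard."""
    offenses = {}
    for event in events:
        for rule in rules:
            if not rule.enabled or rule.event_property not in event:
                continue
            # Hashes and domains are case-insensitive; the sets hold lowercase.
            value = event[rule.event_property].strip().lower()
            if value not in reference_sets[rule.reference_set]:
                continue
            offense = offenses.setdefault((rule.name, value), {"count": 0, "events": []})
            offense["count"] += 1
            offense["events"].append(event["id"])
    return offenses

# Constructed sample events (TEST-NET addresses, reserved example domain).
SAMPLE_EVENTS = [
    {"id": 1, "source_ip": "203.0.113.10", "destination_ip": "10.0.0.5"},
    {"id": 2, "source_ip": "10.0.0.8", "destination_ip": "203.0.113.10"},
    {"id": 3, "source_ip": "203.0.113.10", "file_hash": "A1B2C3D4E5F60718293A4B5C6D7E8F90"},
    {"id": 4, "source_ip": "10.0.0.9", "domain": "malicious.example"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields three offenses: events 1 and 3 collapse into one Source IP offense, event 2 opens a Destination IP offense, event 3 also opens a File Hash offense despite its upper-case hash, and event 4 produces nothing because the Domain rule is disabled.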

Enable rules

Rules must be enabled in order to operate.

To enable or disable a rule:

  1. From the IBM QRadar console, choose Offenses > Rules.
  2. Search for intsights.
  • Matching rules are displayed.
  3. Select a rule, then from the Actions menu, select Enable/Disable.
  4. Confirm the action.

The rule is enabled (or disabled).

Configure alerts for correlating events

The supplied "IntSights Correlation Alert" offense rule monitors correlated events. This rule (disabled by default) sends only a QRadar notification. To use the rule, you must enable it, and you can also configure it to send email messages.

To enable the "IntSights Correlation Alert" rule, follow the steps described in Enable rules.

To get email notifications for triggered offenses:

  1. Ensure that a QRadar email server is configured. For more information, see
  2. Configure the IntSights email template, described in Configure email notifications.
  3. Update the rules, described in Add email templates in rules.

To filter the rule to get notified only in certain situations, see Add filters in rules.