IOC Correlation in the IBM QRadar App
One of the most powerful uses of the IntSights App for IBM QRadar is to correlate IOCs imported from Threat Command with IOCs that are present in the customer's IBM QRadar environment (for example, from firewalls and devices). IOCs that are found in both are much more likely to pose a threat and should be given more attention.
When IOCs match, the following things take place automatically:
- An alert action is generated in IBM QRadar.
- You can configure alerts based on various triggers, for example, in which IBM QRadar index the IOC was found, the IOC severity, and reporting feed. You can also determine which actions to run.
- For more information about alerts, see Configure alerts for correlating events.
- The IOC is tagged as "IBM QRadar Match" in Threat Command.
- You can find IOCs with this tag and the time of correlation in the Threat Command Investigation module. For more information, including how to disable this, see View correlated IOCs in Threat Command.
The Correlation Overview page is a dashboard of the matched IOCs.
In the figure above, 2 IOCs that were imported from the IntSights app (one file hash and one domain) match indicators that were present in the IBM QRadar environment.
You can filter the page to see correlated IOCs that match selected criteria. After you select filters, click Go to show the filtered view.
From the Correlation Overview page, you can also drill down to see more details on any of the displayed widgets and export data to a PDF. When you click a widget, you are redirected to the Correlation Details page, with the data of the selected IOCs.
The Correlation Overview page shows the following information:
- Total Matched IOCs - The number of IOCs correlated with the user's QRadar events (excluding the IntSights log source) within the selected time-range filter.
- Total Matched IOCs by Type - The number of matched IOCs with a bar for each type.
- Top 10 Tags Linked with Matched IOCs - The count of the top 10 tags linked to the matched IOCs, sorted from highest to lowest.
- If values are equal then the sorting is based on the last matched time.
- Top 10 Malwares Linked with Matched IOCs - The count of the top 10 malwares (for example, chches) linked to the matched IOCs, sorted from highest to lowest.
- If values are equal then the sorting is based on the last matched time.
- Top 10 Threat Actors Linked with Matched IOCs - The count of the top 10 threat actors (for example, stonepanda) linked to the matched IOCs, sorted from highest to lowest.
- If values are equal then the sorting is based on the last matched time.
Correlations are synced as follows:
- All the new indicators that were imported in the last 35 minutes are searched within the entire IBM QRadar environment.
- Indicators that were sent earlier are correlated with all the new data that was imported to the IBM QRadar environment in the last 35 minutes.
- A correlation search is performed once every 30 minutes.
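The three sync rules above fit together into a simple scheduling model: a search runs every 30 minutes, and because the lookback is 35 minutes, consecutive runs overlap by 5 minutes rather than leaving a gap. The following Python model is an added example, not code from the IntSights app or from IBM QRadar (the page shows none). The `Indicator` and `Event` classes, the case-insensitive substring matching, the exclusion of the IntSights log source, the dedup of already-reported pairs, and all sample data are assumptions made for illustration; the "IBM QRadar Match" tag and the per-match comment are the effects the page describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Cadence and lookback as described on the page.
SEARCH_INTERVAL = timedelta(minutes=30)   # a correlation search runs every 30 minutes
LOOKBACK = timedelta(minutes=35)          # "new" means imported/received in the last 35 minutes
MATCH_TAG = "IBM QRadar Match"            # system tag applied in Threat Command on a match
EXCLUDED_LOG_SOURCE = "IntSights"         # the import feed itself is not a correlation target


@dataclass
class Indicator:
    value: str                     # domain, hash, IP, ...
    ioc_type: str
    imported_at: datetime
    tags: set = field(default_factory=set)
    comments: list = field(default_factory=list)


@dataclass(frozen=True)
class Event:
    log_source: str
    payload: str
    received_at: datetime


def run_correlation(indicators, events, now, seen=None):
    """One correlation run at time `now`; returns the (indicator, event) pairs matched.

    `seen` holds already-reported pairs, so the 5-minute overlap between a
    35-minute lookback and a 30-minute cadence does not report the same hit twice.
    Matching is a case-insensitive substring search of the payload (an assumption;
    the app's real matching logic is not described on the page).
    """
    seen = set() if seen is None else seen
    recent = [e for e in events if now - e.received_at <= LOOKBACK]
    matches = []
    for ioc in indicators:
        # New indicator: search the whole environment. Older indicator: only new events.
        candidates = events if now - ioc.imported_at <= LOOKBACK else recent
        for ev in candidates:
            if ev.log_source == EXCLUDED_LOG_SOURCE:
                continue
            if ioc.value.lower() not in ev.payload.lower():
                continue
            key = (ioc.value, ev)
            if key in seen:
                continue
            seen.add(key)
            ioc.tags.add(MATCH_TAG)
            ioc.comments.append(f"Matched in {ev.log_source} at {now:%Y-%m-%d %H:%M}")
            matches.append((ioc, ev))
    return matches


def matched_by_type(matches):
    """Distinct matched IOCs per type, as the 'Total Matched IOCs by Type' widget shows."""
    by_type = {}
    for ioc, _ in matches:
        by_type.setdefault(ioc.ioc_type, set()).add(ioc.value)
    return {t: len(v) for t, v in by_type.items()}


def sample_data():
    """Constructed sample around T0 = 2024-01-01 12:00 (not real data)."""
    t0 = datetime(2024, 1, 1, 12, 0)
    indicators = [
        Indicator("evil.example", "Domains", t0 - timedelta(hours=3)),                         # old IOC
        Indicator("0123456789abcdef0123456789abcdef", "Hashes", t0 - timedelta(minutes=10)),  # new IOC
    ]
    events = [
        Event("Firewall", "dns query evil.example", t0 - timedelta(hours=2)),                  # old event
        Event("Proxy", "GET http://evil.example/x", t0 - timedelta(minutes=5)),                # new event
        Event("EDR", "hash=0123456789ABCDEF0123456789ABCDEF blocked", t0 - timedelta(hours=1)),
        Event("IntSights", "imported evil.example", t0 - timedelta(minutes=2)),               # excluded
    ]
    return indicators, events, t0


def demo():
    """Two consecutive runs, 30 minutes apart; returns what each run reported."""
    indicators, events, t0 = sample_data()
    seen = set()
    first = run_correlation(indicators, events, t0, seen)
    # An event that arrives just after the first run is caught by the second one,
    # because the 35-minute lookback covers the whole 30-minute gap.
    events.append(Event("Firewall", "dns query evil.example", t0 + timedelta(minutes=1)))
    second = run_correlation(indicators, events, t0 + SEARCH_INTERVAL, seen)
    return {
        "first": [(i.value, e.log_source) for i, e in first],
        "second": [(i.value, e.log_source) for i, e in second],
        "by_type": matched_by_type(first),
        "tagged": sorted(i.value for i in indicators if MATCH_TAG in i.tags),
    }
```

In the first run the old domain is only checked against recent events (so the two-hour-old firewall hit is not reported), while the newly imported hash is checked against the whole event store and matches an hour-old EDR event. The second run picks up the firewall event that arrived one minute after the first run, and the `seen` set stops the proxy event, still inside the overlapping window, from being reported a second time.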
To view matched IOCs:
- From the QRadar menu, choose IntSights Dashboard > Correlation Overview.
- The Correlation Overview dashboard is displayed.
- (Optional) You can filter which correlated IOCs are displayed:
- To filter for IOCs that match a specific Threat Command severity: click the IOC Severity filter and select severities.
- To filter for IOCs that match a specific Threat Command feed: click the Reporting Feeds filter and select feeds.
- To filter for IOCs that match a specific log source: click the Target Log Sources filter and select a source.
- To filter for IOCs whose correlation occurred in a specific time frame (default: last 3 months): click the Last Matched Time filter and select the time range.
View IOC correlation details
The Correlation Details page shows more information about matched IOCs.
From this page, you can drill down further, investigate or view an IOC in Threat Command, and view its details in the IBM QRadar logs.
To drill down on IOC details:
- Open the Correlation Overview page.
- Click a widget.
- The Correlation Details page displays the matched IOCs for that widget.
- The Top 1000 Matched IOCs area lists the 1000 most recently matched IOCs.
- (Optional) You can filter which correlated IOCs are displayed by several filter options, then click Go.
- For each IOC, you can see the Threat Command severity, the number of matches, the log sources, and more.
- At this point, you can drill down further to see events with the IOC in their payload (see the next step), investigate an IOC, or view the IOC in the Threat Command IOCs page.
- To drill down further, click the IOC value.
Investigate an IOC
You can run an on-demand investigation on a matched IOC. This shows additional IOC details that were retrieved from a real-time API request.
This feature is enabled only for users with a subscription to the investigation API.
To investigate an IOC:
- Open the Correlation Overview page.
- Click a widget.
- The Correlation Details page displays the matched IOCs for that widget.
- At the far right of all the IOC details, click Investigate.
View IOC in the IBM QRadar activity logs
You can view the events of all displayed IOCs in the Log Activity tab.
To view the events in the activity logs:
- Open the Correlation Overview page.
- Click View in Log Activity.
- The IOCs are displayed in the QRadar Log Activity tab.
Send an alert
Every time an imported IOC correlates, you can have an IBM QRadar alert triggered. You can configure the alert conditions, such as what generates an alert.
You can customize the following:
- Trigger conditions (when to create an alert)
- Trigger actions (what to do when the conditions are met)
- Aggregation (send only after X matches)
- Actions: Run a script
- Actions: Send an email and more
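The customizable pieces listed above (trigger conditions, aggregation, actions) combine into a small rule engine. The following Python model is an added example, not the app's own alerting code; the rule fields, the action names "email" and "script", the hypothetical script name, and the sample rules and hits are all assumptions. The engine counts matches per (rule, IOC) pair and fires exactly once when the aggregation threshold is reached, which is the behaviour a "send only after X matches" setting needs in order not to flood the SOC.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    """One correlation hit: an imported IOC seen in a QRadar event."""
    ioc_value: str
    severity: str      # Threat Command severity of the IOC
    feed: str          # reporting feed the IOC came from
    log_source: str    # QRadar log source the event was found in


@dataclass
class AlertRule:
    name: str
    severities: frozenset = frozenset()    # trigger condition; empty = any severity
    feeds: frozenset = frozenset()         # empty = any feed
    log_sources: frozenset = frozenset()   # empty = any log source
    min_matches: int = 1                   # aggregation: send only after X matches of one IOC
    actions: tuple = ("email",)            # what to do when the conditions are met

    def matches(self, m: Match) -> bool:
        return ((not self.severities or m.severity in self.severities)
                and (not self.feeds or m.feed in self.feeds)
                and (not self.log_sources or m.log_source in self.log_sources))


def run_action(action: str, alert: dict) -> str:
    """Action handlers only build a record here; a deployment would send mail or exec a script."""
    if action == "email":
        return f"email: rule {alert['rule']} fired for {alert['ioc']}"
    if action == "script":
        return f"script: handle_match.sh {alert['ioc']}"   # hypothetical script name
    raise ValueError(f"unknown action {action}")


class AlertEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.counts = defaultdict(int)   # (rule name, IOC value) -> matches seen so far
        self.log = []                    # record of every action executed

    def handle(self, m: Match) -> list:
        """Feed one correlation hit through every rule; returns the alerts that fired."""
        fired = []
        for rule in self.rules:
            if not rule.matches(m):
                continue
            key = (rule.name, m.ioc_value)
            self.counts[key] += 1
            # Fire exactly once, when the aggregation threshold is reached.
            if self.counts[key] != rule.min_matches:
                continue
            alert = {"rule": rule.name, "ioc": m.ioc_value,
                     "matches": self.counts[key], "actions": list(rule.actions)}
            self.log.extend(run_action(a, alert) for a in rule.actions)
            fired.append(alert)
        return fired


def demo():
    """Constructed rules and hits (sample data, not from the page)."""
    engine = AlertEngine([
        AlertRule("high-severity-anywhere", severities=frozenset({"High"})),
        AlertRule("firewall-repeat", log_sources=frozenset({"Firewall"}),
                  min_matches=3, actions=("email", "script")),
    ])
    hits = [
        Match("evil.example", "High", "Feed A", "Firewall"),
        Match("evil.example", "High", "Feed A", "Firewall"),
        Match("203.0.113.7", "Low", "Feed B", "Proxy"),
        Match("evil.example", "High", "Feed A", "Firewall"),
    ]
    fired = [a for h in hits for a in engine.handle(h)]
    return fired, engine.log
```

With these sample rules, the first hit on the high-severity domain fires the first rule immediately, the second and third hits on the firewall count towards the aggregation threshold without alerting again, and the third firewall hit fires the second rule once and runs both of its actions.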
Add an IOC to the whitelist
You can remove "false positives" from the workflow by adding them to the Threat Command whitelist. Whitelisted IOCs are not sent to the IBM QRadar app and are not considered in correlation matching. Once you've whitelisted an IOC, you can change that status from Threat Command TIP > Sources > Whitelist.
To add an IOC to the whitelist:
- Open the Log Activity page.
- Select the Threat Command IOC to whitelist.
A confirmation message is displayed.
View correlated IOCs in Threat Command
Correlated IOCs are given an "IBM QRadar Match" system tag. In addition, each time a correlation is found, a comment is added to the IOC. You can disable this action, too.
You can use the Threat Command Investigation feature to find these IOCs, and you can disable the tagging so the values are not sent to Threat Command.
To find correlated IOCs in Threat Command:
- In Threat Command, choose TIP > Investigation.
- Select to search for tags.
- IOCs that contain this tag are displayed. For simpler representation, the IOC shown here was correlated twice, and both correlation comments are illustrated, too:
You can disable the tagging of alerts, and then that information is not transferred to Threat Command.