Conduct Comprehensive Investigations on QRadar Offenses with CFTR
Category: Analytics and SIEM, Data Enrichment and Threat Intelligence
Cyware Products Used:
Respond
Orchestrate
Third-Party Integrations Used:
IBM QRadar SIEM: To monitor and detect security threats based on the QRadar correlation rule engine (CRE).
AbuseIPDB: To enrich malicious IP addresses.
Problem Statement
Security Information and Event Management (SIEM) systems help security teams to collect, analyze, and store security incidents and events. SIEM solutions receive large number of alerts everyday and require data analysis to process the data for further investigation. It also requires a large degree of expert human intervention oversight to determine if the security events are false positives or actual incidents that require investigation.
Solution
An ideal combination of SIEM and Security, Orchestration, Automation, and Response (SOAR) platforms helps manage incident response much faster by removing the arduous manual incident prioritization and response process.
The IBM QRadar SIEM solution monitors and detects security threats based on the QRadar correlation rule engine (CRE). The solution generates offenses that require the attention of a security analyst. The offenses are further onboarded to the Respond by taking advantage of Orchestrate (CO) playbooks to allow security analysts to conduct comprehensive investigations.
How do we solve this problem?
The QRadar Offense Onboarding playbook retrieves all the latest offenses triggered in the QRadar application every 10 minutes. The offenses are retrieved from different domains of the QRadar application. Domains in QRadar are used to segment the network organizations into different domains to ensure that relevant information is available only to users that need it.
Map Relevant Information: The playbook maps the following information.
The playbook maps the domain information for every offense retrieved from QRadar to Business Units in Respond to ensure that relevant information is available to users that need it.
The playbook also maps offense names with offense types to add more context to the incident. This information is updated as incident type in Respond.
Retrieve Indicators: The playbook now creates a QRadar Ariel Query Language (AQL) query to retrieve the source IP address, destination IP address, destination port, username, and payload information between a specific time range.
Correlation: The information received from the offense is now collated with business units and offense types to create an incident in Respond.
Enrich Indicators: Enrich the IPs identified in the offense using the AbuseIPDB tool and update the Respond incident with the enriched information.
Update QRadar Offense: To ensure bidirectional sync of information, the playbook updates the respective offense details on QRadar with the Respond incident ID.
Send Email: The playbook sends an email to security teams about the Respond incident with all the initial findings. This helps analysts to start with the investigation based on incident severity.
Solution Benefits
Respond Quickly and Accurately
The solution automatically gathers information and prioritizes incidents using playbooks to help security teams assess, prioritize and respond to incidents faster.
Streamline Incident Onboarding Process
Security teams can automatically gather data from SIEM, perform analysis to identify priority and criticality, and automatically generate incidents for investigation. This streamlines the process by removing the need for a human to notice the relevant security data, identify it as a security incident, and manually set up an incident in the system.
Respond faster and more efficiently
By automating manual tasks, security teams can allow their analysts to focus on high-value investigations.