The Threat Intelligence EclecticIQ Platform App for IBM QRadar provides five reference tables:
The app ingests content from one or more outgoing feeds set in Install and Configure the app on QRadar and applies them to five different reference tables.
Each table contains Indicator of Compromise (IoC) values in the eiq_value column in their respective reference tables.
Use one of these three ways to view data and related metadata that have been ingested into reference tables:
Use the IBM QRadar CLI
For more information on the QRadar CLI, see IBM QRadar: Command reference for reference data utilities.
Use the IBM QRadar interactive API documentation
Use the QRadar interactive API documentation to retrieve the contents of a reference table:
Use the Reference Data Management App
Use the IBM App Exchange Reference Data Management App.
When you set up the app in Install and Configure the app on QRadar, click Create Custom Actions at the bottom of the EclecticIQ Threat Intelligence Platform Configuration Page to deploy custom actions.
You must click Create Custom Actions each time you change the app configuration to update the custom actions with the new configuration.
The app provides six custom actions on deployment:
Creates an IPv4 (Source) Sighting on the EclecticIQ Platform.
eiq_sighting_d_ip (for Destination IP)
Creates an IPv4 (Destination) Sighting on the EclecticIQ Platform.
Creates a MD5 file hash Sighting on the EclecticIQ Platform.
Creates an Email Sighting on the EclecticIQ Platform.
Creates a Domain Sighting on the EclecticIQ Platform.
Creates a Sighting on the EclecticIQ Platform.
Right click lookup in the QRadar Platform
To lookup any field in EclecticIQ Platform in QRadar, and get all relevant information on a specific observable:
Right click a field, select More Options.
Click Lookup in EclecticIQ Platform.
A new window will open. If the field has relating data in the EclecticIQ Platform, this data will be displayed along with metadata and all connected entities.
Right click to manually create a new sighting in the QRadar Platform
You can right-click a field in IBM QRadar to create a new sighting on EclecticIQ Platform using the value of that field:
In IBM QRadar, right click a field and select More Options.
Click Create EclecticIQ Sighting.
Change fields values as required.
Click Create Sighting.
Create an event rule based on ingested data
You can create rules using ingested threat intelligence data in IBM QRadar.
This set of instructions creates an event rule that is connected to Destination IPs in log events and ingested IP related to threat intelligence:
In IBM QRadar, click the Offenses tab.
Click Rules > Actions > New Event Rule.
In the Rule wizard, select Events and click Next.
Under the Test Group menu, locate:
when Reference Table Key data matches any|all selected event properties and selected reference table column Select operator the value of selected event property
and click the add button ( ) next to it.
Configure the test rule by clicking on the following parameters and setting these values:
Reference Table Key
eiq_data_ip -> eiq_value
Selected event properties
Selected reference table column
Enter an EclecticIQ Platform tag name to find values that match that tag name.
Enter an exact value.