Work with the app on QRadar

Reference tables

The Threat Intelligence EclecticIQ Platform App for IBM QRadar provides five reference tables:

  • eiq_data_ip

  • eiq_data_domain

  • eiq_data_uri

  • eiq_data_hash

  • eiq_data_email

The app ingests content from one or more outgoing feeds configured in Install and Configure the app on QRadar and writes it to these five reference tables.

Each reference table stores its Indicator of Compromise (IoC) values in the eiq_value column.

Use one of these three methods to view the data and related metadata that have been ingested into the reference tables:

Use the IBM QRadar CLI

  1. Open the QRadar Command Line Interface (CLI).

  2. Run:

    /opt/qradar/bin/ReferenceDataUtil.sh list <reference_table_name>

    For example, to list the contents of the eiq_data_ip reference table, run:

    /opt/qradar/bin/ReferenceDataUtil.sh list eiq_data_ip

For more information on the QRadar CLI, see IBM QRadar: Command reference for reference data utilities.

Use the IBM QRadar interactive API documentation

Use the QRadar interactive API documentation to retrieve the contents of a reference table:

  1. Open IBM QRadar.

  2. In the navigation menu (☰), click Interactive API Documentation for Developers.

  3. In the left navigation menu, set API Version to 7.1.

  4. In the navigation tree, select reference_data > tables > {name}.

  5. Click the GET tab.

  6. Under the Parameters section, in the name row of the table, enter eiq_data_ip into the Value field.

  7. Click Try it out!.

Use the Reference Data Management App

Use the IBM App Exchange Reference Data Management App.

Custom actions

When you set up the app in Install and Configure the app on QRadar, click Create Custom Actions at the bottom of the EclecticIQ Threat Intelligence Platform Configuration Page to deploy custom actions.

Click Create Custom Actions again each time you change the app configuration, so that the custom actions are updated with the new configuration.

The app provides six custom actions on deployment:

  • eiq_sighting_s_ip: creates an IPv4 (Source) Sighting on the EclecticIQ Platform.

  • eiq_sighting_d_ip (for Destination IP): creates an IPv4 (Destination) Sighting on the EclecticIQ Platform.

  • eiq_sighting_hash_md5: creates an MD5 file hash Sighting on the EclecticIQ Platform.

  • eiq_sighting_email: creates an Email Sighting on the EclecticIQ Platform.

  • eiq_sighting_domain: creates a Domain Sighting on the EclecticIQ Platform.

  • eiq_sighting_uri: creates a URI Sighting on the EclecticIQ Platform.

Right-click lookup in the QRadar Platform

To look up a QRadar field value in the EclecticIQ Platform and retrieve all relevant information about that observable:

  1. Right-click a field and select More Options.

  2. Click Lookup in EclecticIQ Platform.

    A new window opens. If the EclecticIQ Platform holds data related to the field value, that data is displayed along with its metadata and all connected entities.


Right-click to manually create a new sighting in the QRadar Platform

You can right-click a field in IBM QRadar to create a new sighting on the EclecticIQ Platform using the value of that field:

  1. In IBM QRadar, right-click a field and select More Options.

  2. Click Create EclecticIQ Sighting.

  3. Change field values as required.

  4. Click Create Sighting.


Create an event rule based on ingested data

You can create rules using ingested threat intelligence data in IBM QRadar.

These steps create an event rule that matches Destination IPs in log events against ingested IP threat intelligence:

  1. In IBM QRadar, click the Offenses tab.

  2. Click Rules > Actions > New Event Rule.

  3. In the Rule wizard, select Events and click Next.

  4. Under the Test Group menu, locate:

    when Reference Table Key data matches any|all selected event properties and selected reference table column Select operator the value of selected event property

    and click the add button next to it.

  5. Configure the test by clicking each of the following parameters and setting these values:

    • Reference Table Key: eiq_data_ip -> eiq_value

    • Selected event properties: Source IP

    • Selected reference table column: tag_eiq

    • Select operator: Equals

    • value: enter an exact EclecticIQ Platform tag name; the test matches IoCs that carry that tag.

  6. Click Next.

  7. Click Finish.
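The example below is added here and is not code from the app or from IBM; it ties together the API method above (GET /api/reference_data/tables/{name}) and the rule test just configured, by parsing a reference-table response offline and replicating the "event property equals an IoC whose tag_eiq equals a tag" check over constructed events. The response shape (outer key -> column name -> {"value": ...}), the sample IoCs, tags and events are all constructed assumptions for illustration; the SEC token and host are placeholders.

```python
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample shaped like a reference-table API response (assumed layout:
# outer key -> column name -> {"value": ...}); not a real capture.
SAMPLE_TABLE_JSON = json.dumps({
    "name": "eiq_data_ip",
    "data": {
        "198.51.100.7": {
            "eiq_value": {"value": "198.51.100.7", "source": "eiq"},
            "tag_eiq": {"value": "malware-c2", "source": "eiq"},
        },
        "203.0.113.9": {
            "eiq_value": {"value": "203.0.113.9", "source": "eiq"},
            "tag_eiq": {"value": "scanner", "source": "eiq"},
        },
    },
})

# Constructed log events; only the Destination IP property is used here.
SAMPLE_EVENTS = [
    {"event_id": 1, "Destination IP": "198.51.100.7"},
    {"event_id": 2, "Destination IP": "192.0.2.5"},
    {"event_id": 3, "Destination IP": "203.0.113.9"},
]


def table_request(host: str, table_name: str, sec_token: str) -> urllib.request.Request:
    """Build (without sending) the same GET the interactive API docs issue."""
    url = f"https://{host}/api/reference_data/tables/{table_name}"
    headers = {"SEC": sec_token, "Version": "7.1", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def load_ioc_tags(table_json: str, key_column: str = "eiq_value",
                  tag_column: str = "tag_eiq") -> Dict[str, str]:
    """Map each IoC value (key_column) to its EclecticIQ tag (tag_column)."""
    data = json.loads(table_json).get("data", {})
    tags: Dict[str, str] = {}
    for row in data.values():
        ioc = row.get(key_column, {}).get("value")
        if ioc is not None:
            tags[ioc] = row.get(tag_column, {}).get("value", "")
    return tags


def match_events(events: List[dict], ioc_tags: Dict[str, str],
                 event_property: str = "Destination IP", tag: str = "malware-c2") -> List[Tuple[int, str]]:
    """Replicate the rule test: the event property equals an IoC whose tag_eiq equals `tag`."""
    return [(e["event_id"], e[event_property]) for e in events
            if e.get(event_property) in ioc_tags and ioc_tags[e[event_property]] == tag]
```

Running match_events on the sample data before deploying the rule lets you confirm which tag value and event property you actually want the QRadar test to key on.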