Create artifacts and search for matches#
Note
This feature is available in EclecticIQ Intelligence Center Integration for IBM Resilient starting from release 1.1.2.
Manually create sightings from incident artifacts in IBM QRadar SOAR, and push them to EclecticIQ Intelligence Center.
EclecticIQ Intelligence Center Integration for IBM QRadar SOAR supports the following artifact types. The second column is the value the integration expects in the type field of the artifact JSON payload:

| IBM QRadar SOAR artifact | Artifact type JSON field |
|---|---|
| DNS Name | net.name |
| Email Body | |
| Email Recipient | email.header.to |
| Email Sender | email.header.sender_address |
| Email Subject | email.header |
| IP Address | net.ip |
| Malware MD5 Hash | hash.md5 |
| Malware SHA-1 Hash | hash.sha1 |
| Malware SHA-256 Hash | hash.sha256 |
| Malware SHA-512 Hash | hash.sha512 |
| URL | net.uri |
| URI Path | net.uri.path |
Create an artifact in the GUI#
To manually create an artifact in the IBM QRadar SOAR GUI:
Open a web browser tab, and log in to IBM QRadar SOAR through the GUI.
In the top navigation bar click List Incidents.
In the All Open Incidents view, click an existing incident to open it.
Alternatively:
Create a new incident, and then open it.
In the open incident view, click the Artifacts tab.
In the Artifacts tab, click Add Artifact.
In the Add Artifact view, fill out the input fields as appropriate to create the new artifact.
Click Create to save the artifact.
Auto lookup#
When a new artifact of a supported type is added to an incident, IBM QRadar SOAR automatically queries the connected Intelligence Center instance for observables whose value matches the artifact value.
If the search returns matches, that is, observables that already exist in EclecticIQ Intelligence Center, the following happens:
In the Artifacts view, the color of the artifact type value in the Type column changes to red.
A warning icon ⚠️ flags the artifact as a detected hit.
In the Artifacts tab, click the detected hit value to open it.
In the open artifact detail view, the information IBM QRadar SOAR retrieves from the connected Intelligence Center instance is listed under EclecticIQ Intelligence Center:
Entity N: ${entity_type}: if the matching observable has relationships with entities in EclecticIQ Intelligence Center, one row per related entity reports the entity type, the entity title or alias, and any tags and taxonomy values, as retrieved from EclecticIQ Intelligence Center.
N in the row header is the integer index of the entity, used to tell the rows apart when an artifact matches an observable that is linked to more than one entity in EclecticIQ Intelligence Center.
It starts from 1.
${entity_type} is the entity type value as retrieved from EclecticIQ Intelligence Center.
Example:
Entity 1: Indicator
The value of this field holds the following information:
The entity name or the entity alias.
If the entity is tagged in your Intelligence Center, any tags and taxonomy entries are included in round brackets.
Example:
ET CNC Shadowserver Reported CnC Server Port 6667 (Admiralty Code - Doubtful, Admiralty Code - Improbable)
Last Updated: the timestamp value corresponding to the most recent update of the information in the matching observable.
Maliciousness: if the matching observable in your Intelligence Center is flagged for maliciousness, the corresponding value is reported here.
Allowed values:
good
bad
unknown
EclecticIQ Intelligence Center Link: click the link reported here to open the detail pane of the matching source observable in your Intelligence Center.
Create an artifact from the command line#
Note
In a production environment working as expected, you do not need to manually create artifacts from the command line.
This procedure is relevant only in testing and debugging scenarios.
To manually create an artifact through the command line in IBM QRadar SOAR (formerly IBM Resilient):
Open a terminal session and log in to the IBM QRadar SOAR host with SSH.
Use cURL to create an artifact, and to send it to the integration's custom threat service endpoint as a JSON payload:

```shell
# All values in the example are dummy
curl -X POST \
  -v \
  --insecure \
  --header "Content-Type: application/json" \
  --data-binary '{"type":"net.ip","value":"1.1.1.1"}' \
  --url 'http://${resilient_circuits_url}:9000/cts/eiq'
```

The type field in the JSON payload accepts one of the supported artifact types for the integration, as listed in the table above.
In the command parameters, replace the ${resilient_circuits_url} placeholder with the IP address previously assigned to host in the [resilient] stanza of the app.config file.
Note that --insecure only affects TLS certificate verification; it has no effect on the plain http:// URL in this example, and it should be kept only if your resilient-circuits endpoint is served over HTTPS with a certificate that cURL cannot verify.
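The following POSIX shell script is an added example and is not part of the EclecticIQ integration or of IBM's documentation. It wraps the cURL call above so that the artifact type is checked against the supported list before anything is sent, the host is read from the [resilient] stanza of app.config instead of being pasted into a placeholder by hand, and the artifact value is escaped so that quotes and backslashes cannot break the JSON payload. The function names, the assumption that app.config uses `key=value` lines, and the reuse of port 9000 and the /cts/eiq path from the example above are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the integration's own code): build and send an artifact
# payload to the resilient-circuits custom threat service endpoint.

# JSON type values from the artifact type table above (Email Body has none listed).
SUPPORTED_TYPES="net.name email.header.to email.header.sender_address email.header \
net.ip hash.md5 hash.sha1 hash.sha256 hash.sha512 net.uri net.uri.path"

# eiq_type_supported TYPE -> exit 0 if TYPE is a supported JSON type, 1 otherwise
eiq_type_supported() {
    for t in $SUPPORTED_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# eiq_payload TYPE VALUE -> print the JSON payload on stdout, or fail on an
# unsupported type. Backslashes and double quotes in VALUE are escaped so a
# URL such as http://x/?q="a" still yields valid JSON.
eiq_payload() {
    eiq_type_supported "$1" || return 1
    v=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"type":"%s","value":"%s"}\n' "$1" "$v"
}

# resilient_host CONFIG -> print the "host" value from the [resilient] stanza
# of an INI-style app.config (assumed key=value lines; other stanzas ignored).
resilient_host() {
    awk -F= '
        /^\[/ { in_res = ($0 == "[resilient]"); next }
        in_res && $1 ~ /^[ \t]*host[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }
    ' "$1"
}

# post_artifact CONFIG TYPE VALUE -> POST the artifact to the endpoint on port
# 9000 (port and /cts/eiq path taken from the cURL example above; assumed here).
post_artifact() {
    host=$(resilient_host "$1") || return 1
    [ -n "$host" ] || { echo "no host in [resilient] stanza of $1" >&2; return 1; }
    payload=$(eiq_payload "$2" "$3") || { echo "unsupported artifact type: $2" >&2; return 1; }
    curl -sS -X POST \
        --header "Content-Type: application/json" \
        --data-binary "$payload" \
        --url "http://${host}:9000/cts/eiq"
}
```

Usage, after sourcing the script on the host: `post_artifact /path/to/app.config net.ip 1.1.1.1`. Validating the type locally is worth the few extra lines during debugging, because a typo such as `hash.sha-256` would otherwise travel all the way to the endpoint before being rejected.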