Create artifacts and search for matches#

Note

This feature is available in EclecticIQ Intelligence Center Integration for IBM Resilient starting from release 1.1.2.

Manually create sightings from incident artifacts in IBM QRadar SOAR, and push them to EclecticIQ Intelligence Center.

EclecticIQ Intelligence Center Integration for IBM QRadar SOAR supports the following artifact types:

IBM QRadar SOAR artifact    Artifact type JSON field
DNS Name                    net.name
Email Body                  email
Email Recipient             email.header.to
Email Sender                email.header.sender_address
Email Subject               email.header
IP Address                  net.ip
Malware MD5 Hash            hash.md5
Malware SHA-1 Hash          hash.sha1
Malware SHA-256 Hash        hash.sha256
Malware SHA-512 Hash        hash.sha512
URL                         net.uri
URI Path                    net.uri.path

Create an artifact in the GUI#

To manually create an artifact in the IBM QRadar SOAR GUI:

  1. Open a web browser tab, and log in to IBM QRadar SOAR through the GUI.

  2. In the top navigation bar click List Incidents.

  3. In the All Open Incidents view, click an existing incident to open it.

    Alternatively:

    Create a new incident, and then open it.

  4. In the open incident view, click the Artifacts tab.

  5. In the Artifacts tab, click Add Artifact.

  6. In the Add Artifact view, fill out the input fields as appropriate to create the new artifact.

  7. Click Create to save the artifact.

Auto lookup#

When a new artifact is added to an incident, IBM QRadar SOAR automatically queries the connected Intelligence Center instance to search for qualifying matches.

If the search returns matches – that is, existing observables in the EclecticIQ Intelligence Center – the following events occur:

  • In the Artifacts view, the color of the artifact type value in the Type column changes to red.

  • A warning icon ⚠️ flags the artifact as a detected hit.

In the Artifacts tab, click the detected hit value to open it.

In the open artifact detail view, the information IBM QRadar SOAR retrieves from the connected Intelligence Center instance is listed under EclecticIQ Intelligence Center:

  • Entity N: ${entity_type}: if the matching observable in the EclecticIQ Intelligence Center has relationships with other entities in EclecticIQ Intelligence Center, the relevant entity types, titles or entity aliases, and tags and taxonomy values as retrieved from EclecticIQ Intelligence Center are reported here.

    • N in the row header is the integer index of the entity, used when an artifact matches more than one entity in EclecticIQ Intelligence Center.

      It starts from 1.

    • ${entity_type} represents the entity type value as retrieved from EclecticIQ Intelligence Center.

      Example:

      Entity 1: Indicator

The value of this field holds the following information:

  • The entity name or the entity alias.

  • If the entity is tagged in your Intelligence Center, any tags and taxonomy entries are included in round brackets.

    Example:

    ET CNC Shadowserver Reported CnC Server Port 6667 (Admiralty Code - Doubtful, Admiralty Code - Improbable)

  • Last Updated: the timestamp value corresponding to the most recent update of the information in the matching observable.

  • Maliciousness: if the matching observable in your Intelligence Center is flagged for maliciousness, the corresponding value is reported here.

    Allowed values:

    • good

    • bad

    • unknown

  • EclecticIQ Intelligence Center Link: click the link reported here to open the detail pane of the matching source observable in your Intelligence Center.

Create an artifact from the command line#

Note

In a production environment working as expected, you do not need to manually create artifacts from the command line.

This procedure is relevant only in testing and debugging scenarios.

To manually create an artifact through the command line in IBM Resilient:

  1. Open a terminal session and log in to IBM QRadar SOAR with SSH.

  2. Use cURL to create an artifact, and to send it to IBM QRadar SOAR as a JSON payload:

    # All values in the example are dummy
    curl -X POST \
        -v \
        --insecure \
        --header "Content-Type: application/json" \
        --data-binary '{"type":"net.ip","value":"1.1.1.1"}' \
        --url 'http://${resilient_circuits_url}:9000/cts/eiq'
    
    • The type field in the JSON payload accepts one of the supported artifact types for the integration.

    • In the command parameters, replace the ${resilient_circuits_url} placeholder with the IP address previously assigned to the host parameter in the [resilient] stanza of the app.config file.
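The same request built and sent from Python, as an added example that is not part of the integration's own code. It uses the artifact type table above to reject unsupported types and malformed hash or IP values before anything is sent, and assumes, as the curl command does, that the /cts/eiq endpoint on port 9000 accepts a plain-HTTP JSON body; `host` stands in for ${resilient_circuits_url}.

```python
import ipaddress
import json
import re
import urllib.request
# Display name -> JSON "type" value, as listed in the supported artifact types table.
ARTIFACT_TYPES = {
    "DNS Name": "net.name",
    "Email Body": "email",
    "Email Recipient": "email.header.to",
    "Email Sender": "email.header.sender_address",
    "Email Subject": "email.header",
    "IP Address": "net.ip",
    "Malware MD5 Hash": "hash.md5",
    "Malware SHA-1 Hash": "hash.sha1",
    "Malware SHA-256 Hash": "hash.sha256",
    "Malware SHA-512 Hash": "hash.sha512",
    "URL": "net.uri",
    "URI Path": "net.uri.path",
}
# Expected hex digest lengths for the hash artifact types.
_HASH_LENGTHS = {"hash.md5": 32, "hash.sha1": 40, "hash.sha256": 64, "hash.sha512": 128}

def validate_value(json_type: str, value: str) -> bool:
    """Sanity-check a value against its artifact type before it is sent."""
    if json_type in _HASH_LENGTHS:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % _HASH_LENGTHS[json_type], value) is not None
    if json_type == "net.ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False
        return True
    return bool(value.strip())

def build_payload(json_type: str, value: str) -> dict:
    """Build the {"type": ..., "value": ...} body shown in the curl example."""
    if json_type not in ARTIFACT_TYPES.values():
        raise ValueError(f"unsupported artifact type: {json_type}")
    if not validate_value(json_type, value):
        raise ValueError(f"value {value!r} is not a valid {json_type}")
    return {"type": json_type, "value": value}

def post_artifact(host: str, json_type: str, value: str) -> int:
    """POST the artifact to resilient-circuits (assumed plain HTTP); returns the HTTP status."""
    body = json.dumps(build_payload(json_type, value)).encode()
    req = urllib.request.Request(f"http://{host}:9000/cts/eiq", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```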