IBM

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 35 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Integration(s)

IBM Security Resilient

The bi-directional integration between ThreatConnect and IBM Resilient allows users to send, search and associate contextualized intelligence collected in ThreatConnect to artifacts in IBM Resilient. With the Playbook Apps & Templates, users can automatically take the following actions:

  • Create IBM Resilient Artifact
  • Create IBM Resilient Attachment
  • Create IBM Resilient Incident
  • Create IBM Resilient Note
  • Get IBM Resilient Artifact
  • Search IBM Resilient

These apps can be found in the App Catalog under the names: Create IBM Resilient Artifact, Create IBM Resilient Attachment, Create IBM Resilient Incident, Create IBM Resilient Note, Get IBM Resilient Artifact, and Search IBM Resilient.

Built By ThreatConnect

IBM QRadar SIEM

The ThreatConnect integration with QRadar enables sending validated and actionable intelligence between the ThreatConnect platform and QRadar through the use of three apps. This integration allows users to identify the most relevant threats, proactively protect their network, and quickly respond to incidents with greater confidence.

With this integration, users can aggregate their logs from QRadar and combine them with their threat intelligence in ThreatConnect. The Platform provides context for the indicators and enables the security team to spot abnormal trends and patterns and act on them efficiently. Additionally, analysts working in QRadar can view real-time indicator enrichment, add indicators back into ThreatConnect, and record false positives. Users can tie their data to Playbooks, ThreatConnect's orchestration capability, to automate nearly any cybersecurity task, respond to threats faster, and send data to other tools in their security stack. With this integration you get:

  • Instant Indicator Enrichment
    • Hover over an indicator in QRadar to see a real-time summary of what ThreatConnect knows about an indicator
  • Actionable Threat Intel
    • Lookup and create indicators, or report false positives to ThreatConnect from within QRadar
  • Search QRadar Events
    • Search QRadar events from matching ThreatConnect indicators using ThreatConnect Playbooks

The following actions are included in the Playbook App:

  • Add Indicator(s) to Reference Set - Upload indicators to a specific reference set. The settings in the Advanced Section apply only when a new Reference Set is to be created, in which case they are required fields
  • Remove Indicator(s) from Reference Set - Remove indicators from a specific reference set
  • Get Offense - Retrieve the details of an offense using its ID
  • Update Offense - Update an offense by its ID. Using this action you can update who the offense is assigned to, change the closing reason ID, flag it for follow-up, flag it as protected, or update the status
  • List Offenses - List all offenses and their details
  • Submit Ariel Query - Submit an Ariel search using AQL. Returns a search ID for the executing search
  • Retrieve Ariel Query - Retrieve a previously submitted Ariel search by the search ID. The action will fail if the results are not yet ready. If the search completed but there are no results, the value of Fail on No Results will determine if the execution returns an error
  • Create Offense Note - Add or update a note on an offense

These apps can be found in the ThreatConnect App Catalog under the names: IBM QRadar (Playbook), IBM QRadar (Custom Trigger), and QRadar Integration (Organization).

https://youtu.be/5K3XgnwyaSo
Built By ThreatConnect

IBM X-Force

The IBM X-Force integration consists of multiple apps that can all be found in the ThreatConnect App Catalog under the following names:

  • Get DNS Records with IBM X-Force - returns live and passive DNS records for the given Address, Host, or URL Indicator.
  • Get IP Report with IBM X-Force - returns an IP report for the given Address Indicator.
  • Get Malware FileHash with IBM X-Force - returns a malware report for the given File Indicator.
  • Get URL Report with IBM X-Force - returns a URL report for the given URL Indicator.
  • Get Whois with IBM X-Force - returns a WHOIS report for the given Host Indicator.

Built By ThreatConnect

IBM QRadar with Polarity

The Polarity IBM QRadar integration enables analysts to quickly query QRadar for IPs related to the events they are investigating, allowing for much faster triage and response.

Examples

IBM QRadar Data Overview

  • Summary Tags: When an analyst runs a search in IBM QRadar, the summary shows the destination of the IP, any categories that the IP triggered, and the severity of the event.
  • Event Information: When drilling into the details of the QRadar integration, analysts can see additional information about the event(s) associated with the IP that was looked up: the status, description, severity, when it started, and when it was last updated.
  • Additional Context: Analysts get not only context about the event but also additional information, such as destinations of the indicator, rules violated or caught, categories, and log sources.

Built By Polarity

IBM Resilient with Polarity

The Polarity - IBM Resilient (IBM SOAR) integration quickly searches Resilient for indicators listed in notes and incidents, enabling analysts to understand whether an indicator is related to an incident so they can take action or simply have the necessary awareness of the indicator.

The integration can search across artifacts, incidents, tasks, and notes. Incident and task searches are full-text searches against all fields. Artifact searches are exact-match searches against the artifact's value. Note searches are full-text searches against the content of the note.

If a result is found, the integration will display information about the related incident. Incidents are deduplicated so that an incident is only shown a single time, even if it has multiple matches.

Built By Polarity

IBM X-Force Exchange with Polarity

The Polarity - IBM X-Force Exchange integration searches CVEs and different indicator types to give analysts quick insight into the knowledge held in X-Force Exchange. When searching for a CVE, analysts get a quick picture of what the CVE is and how it can be exploited. When searching for indicators, analysts can quickly understand the risk associated with an indicator and whether any categories are associated with it, giving them a better understanding of the indicator and how it might affect their network(s).

Examples

IBM X-Force Exchange Data Overview - CVEs

  • Summary Tags: When searching for a CVE in X-Force Exchange, analysts can quickly identify the CVE by its name.
  • CVE Details: When looking at the details of the CVE, analysts get a complete picture of it: whether it is exploitable, its description, what occurs if the CVE is affecting the network, its risk level, and a link back out to IBM.
  • CVSS Information: In addition to the details, analysts get a complete CVSS breakdown, from user interaction, privileges, and access to how the vulnerability affects integrity and availability.
  • Platforms Affected: Finally, analysts get a complete picture of which platforms the vulnerability is known to affect.

IBM X-Force Exchange Data Overview - Indicators

  • Summary Tags: When searching for indicators in X-Force Exchange, analysts can quickly understand the risk associated with the indicator and whether any categories have been assigned to it.
  • Pivot to X-Force Exchange: When drilling into the details of the indicator, analysts can quickly pivot out to X-Force for more context.
  • Categories and Risk: Analysts can also get a better understanding of the categories and risk associated with the indicators.
Built By Polarity