IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 35 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.
The bi-directional integration between ThreatConnect and IBM Resilient allows users to send, search and associate contextualized intelligence collected in ThreatConnect to artifacts in IBM Resilient. With the Playbook Apps & Templates, users can automatically take the following actions:
Create IBM Resilient Artifact
Create IBM Resilient Attachment
Create IBM Resilient Incident
Create IBM Resilient Note
Get IBM Resilient Artifact
Search IBM Resilient
These apps can be found in the App Catalog under the names: Create IBM Resilient Artifact, Create IBM Resilient Attachment, Create IBM Resilient Incident, Create IBM Resilient Note, Get IBM Resilient Artifact, and Search IBM Resilient.
The ThreatConnect integration with QRadar enables sending validated and actionable intelligence between the ThreatConnect platform and QRadar through the use of three apps. This integration allows users to identify the most relevant threats, proactively protect their network, and quickly respond to incidents with greater confidence.
With this integration, users can aggregate their logs from QRadar and combine them with their threat intelligence in ThreatConnect. The Platform provides context for the indicators and enables the security team to spot abnormal trends and patterns sooner and act on them efficiently. Additionally, analysts working in QRadar can view real-time indicator enrichment, add indicators back into ThreatConnect, and record false positives. Users can tie their data to Playbooks, ThreatConnect's orchestration capability, to automate nearly any cybersecurity task, respond to threats faster, and send results to other tools in their security stack. With this integration you get:
Instant Indicator Enrichment
Hover over an indicator in QRadar to see a real-time summary of what ThreatConnect knows about an indicator
Actionable Threat Intel
Lookup and create indicators, or report false positives to ThreatConnect from within QRadar
Search QRadar Events
Search QRadar events from matching ThreatConnect indicators using ThreatConnect Playbooks
The following actions are included in the Playbook App:
Add Indicator(s) to Reference Set - Upload indicators to a specific reference set. The settings in the Advanced Section apply only when a new Reference Set is to be created; in that case they are required fields.
Remove Indicator(s) from Reference Set - Upload indicators to a specific reference set.
Get Offense - Retrieve the details of an offense using its ID.
Update Offense - Update an offense by its ID. Using this action you can update who the offense is assigned to, change the closing reason ID, flag it for follow-up, flag it as protected, or update the status.
List Offenses - List all offenses and their details.
Submit Ariel Query - Submit an Ariel search using AQL. Returns a search ID for the executing search.
Retrieve Ariel Query - Retrieve a previously submitted Ariel search by its search ID. The action fails if the results are not yet ready. If the search completed but returned no results, the value of Fail on No Results determines whether the execution returns an error.
Create Offense Note - Add or update a note on an offense.
These apps can be found in the ThreatConnect App Catalog under the names: IBM QRadar (Playbook), IBM QRadar (Custom Trigger), and QRadar Integration (Organization).
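The Submit Ariel Query and Retrieve Ariel Query actions above wrap QRadar's two-step asynchronous search: a submit returns only a search ID, and a later retrieve either fails because the search is still running, fails on an empty result when Fail on No Results is set, or returns the events. The following is an added example, not ThreatConnect's or IBM's code; the endpoint shapes follow QRadar's Ariel REST API (POST /api/ariel/searches, GET /api/ariel/searches/{id} and /results), but FakeQRadar, the search IDs, the AQL text and the events are constructed stand-ins so it runs offline.

```python
class SearchNotReady(Exception):
    """Raised when a retrieve is attempted before the search status is COMPLETED."""

class NoResults(Exception):
    """Raised when the search completed with zero records and fail_on_no_results is set."""

class FakeQRadar:
    """Constructed stand-in for the Ariel API: each status poll advances a search one step."""
    def __init__(self, canned_events):
        self._searches = {}
        self._canned = canned_events  # AQL text -> list of events to return

    def post_search(self, aql):  # models POST /api/ariel/searches?query_expression=...
        search_id = f"constructed-{len(self._searches) + 1}"
        self._searches[search_id] = {"status": "WAIT", "aql": aql, "polls": 0}
        return {"search_id": search_id, "status": "WAIT"}

    def get_search(self, search_id):  # models GET /api/ariel/searches/{id}
        s = self._searches[search_id]
        s["polls"] += 1
        s["status"] = "EXECUTE" if s["polls"] < 2 else "COMPLETED"
        return {"search_id": search_id, "status": s["status"]}

    def get_results(self, search_id):  # models GET /api/ariel/searches/{id}/results
        return {"events": self._canned.get(self._searches[search_id]["aql"], [])}

def submit_ariel_query(api, aql):
    """Submit Ariel Query: hand back only the ID of the executing search."""
    return api.post_search(aql)["search_id"]

def retrieve_ariel_query(api, search_id, fail_on_no_results=True):
    """Retrieve Ariel Query: fail if not ready; an empty result is governed by the flag."""
    meta = api.get_search(search_id)
    if meta["status"] != "COMPLETED":
        raise SearchNotReady(f"{search_id} is still {meta['status']}")
    events = api.get_results(search_id)["events"]
    if not events and fail_on_no_results:
        raise NoResults(f"{search_id} completed with no matching events")
    return events

# Constructed sample: an indicator-match query and the single event a lab QRadar returns for it.
AQL = "SELECT sourceip, destinationip FROM events WHERE destinationip = '203.0.113.10' LAST 24 HOURS"
SAMPLE_EVENTS = [{"sourceip": "10.0.0.5", "destinationip": "203.0.113.10"}]

def demo():
    """Submit, hit the not-ready failure on the first retrieve, then retrieve the events."""
    api = FakeQRadar({AQL: SAMPLE_EVENTS})
    sid = submit_ariel_query(api, AQL)
    try:
        retrieve_ariel_query(api, sid)  # first poll: search is still executing
    except SearchNotReady:
        pass
    return retrieve_ariel_query(api, sid)  # second poll: completed, events returned
```

A Playbook that chains these two actions needs a delay or retry between them, since the first retrieve after a submit will normally hit the not-ready failure shown in demo().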