Ground truth is one of the most important sources informing threat intelligence. A key source of this truth is what is happening in the SIEM, QRadar in this case. Knowing this, we needed a way to correlate event data in QRadar with intelligence in the form of Indicators in ThreatConnect. This Playbook was created to provide a statistical event count, along with a snapshot of the top 5 events by frequency, and to memorialize the results in an attribute on the Indicator.
For more information, check out this blog post: /qradar-tag-search/
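The following is an added example, not the Playbook's own logic or code from ThreatConnect or IBM: it shows the shape of the summary the Playbook description calls for (total event count plus the top 5 events by frequency, rendered as attribute text) run over constructed QRadar event rows. It assumes the Indicator is an IP address, that events arrive as a list of dicts keyed by the AQL column names (the way QRadar's Ariel search API returns result rows), and that the attribute is plain text; the AQL string, the column names and the sample rows are all assumptions made for illustration.

```python
"""
Added example (not part of the original page or the Playbook): summarise QRadar
events that match an Indicator into a total count plus the top 5 event names by
frequency, formatted as the text of a ThreatConnect Indicator attribute.

Assumptions (not from the original page): the Indicator is an IP address matched
on sourceip/destinationip, rows are dicts keyed by AQL column names, and the
attribute is plain text with one line per event name.
"""
import ipaddress
from collections import Counter

TOP_N = 5


def build_aql(indicator: str, window: str = "LAST 24 HOURS") -> str:
    """Build the AQL query for one IP Indicator.

    The Indicator value is parsed with ipaddress first, so anything that is not a
    valid IP (including an AQL injection attempt via a crafted Indicator) raises
    ValueError instead of being spliced into the query.
    Column names are hypothetical and follow QRadar's standard event schema.
    """
    ip = str(ipaddress.ip_address(indicator.strip()))
    return (
        "SELECT QIDNAME(qid) AS event_name, sourceip, destinationip "
        "FROM events "
        f"WHERE sourceip = '{ip}' OR destinationip = '{ip}' "
        f"{window}"
    )


def summarize(rows, top_n: int = TOP_N) -> dict:
    """Return the total event count and the top_n event names by frequency.

    An empty result set yields total 0 and an empty top list, so the caller can
    still write an attribute saying the Indicator was not seen.
    """
    counts = Counter(row["event_name"] for row in rows)
    return {"total": sum(counts.values()), "top": counts.most_common(top_n)}


def format_attribute(indicator: str, summary: dict) -> str:
    """Render the summary as the attribute text stored on the Indicator."""
    lines = [f"QRadar events for {indicator}: {summary['total']}"]
    for rank, (name, n) in enumerate(summary["top"], start=1):
        lines.append(f"{rank}. {name} ({n})")
    return "\n".join(lines)


# --- constructed sample data (not real QRadar output) -----------------------
def _rows(event_name: str, n: int, src: str, dst: str) -> list:
    return [{"event_name": event_name, "sourceip": src, "destinationip": dst} for _ in range(n)]


INDICATOR = "203.0.113.7"  # TEST-NET-3 address, constructed for the example
SAMPLE_ROWS = (
    _rows("Firewall Deny", 6, INDICATOR, "10.0.0.5")
    + _rows("SSH Login Failed", 5, INDICATOR, "10.0.0.22")
    + _rows("Port Scan Detected", 4, INDICATOR, "10.0.0.1")
    + _rows("DNS Query", 3, "10.0.0.53", INDICATOR)
    + _rows("Web Access", 2, "10.0.0.80", INDICATOR)
    + _rows("ICMP Echo Request", 1, INDICATOR, "10.0.0.9")   # falls outside the top 5
    + _rows("SMTP Connection", 1, INDICATOR, "10.0.0.25")    # falls outside the top 5
)


if __name__ == "__main__":
    print(build_aql(INDICATOR))
    print(format_attribute(INDICATOR, summarize(SAMPLE_ROWS)))
```

The summary is computed client-side so the same code works whether the Ariel search returns raw events or a pre-aggregated GROUP BY result; the ipaddress check is the part to keep even if the query itself changes, because Indicator values come from intelligence feeds and should never be trusted as query fragments.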