
SOC Integration guide for

IBM Security QRadar Advisor with Watson

Course code LSD0060X


October 2020
NOTICES
This information was developed for products and services offered in the USA.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative
for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not
intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate
and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document
does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing


IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the
examples include the names of individuals, companies, brands, and products. All names and references for organizations and other
business institutions used in this deliverable’s scenarios are fictional. Any match with real organizations or institutions is coincidental. All
names and associated information for people in this deliverable’s scenarios are fictional. Any match with a real person is coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated
in the United States, and/or other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds,
owner of the mark on a world­wide basis.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or
both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware vSphere
are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.

Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are trademarks
or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.

© Copyright International Business Machines Corporation 2020.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Materials may not be reproduced in whole or in part without the prior written permission of IBM.
Contents

Introduction
Where does QRAW fit in the threat management process?
Tier one analyst
    Set up automatic investigations
    Use Offense Priority AI Model
    Provide AI Evaluation feedback
    Let QRAW gather context and correlate threat intelligence
    Use Offense Disposition Analysis
Tier two analyst
    View blocked or allowed connections
    Determine whether malware ran or not
    Data mining
    Add data to watch lists
    Investigate users with UBA integration
Tier three analysts
    Export investigation results to other products
        The STIX export
        The CSV export
        The Reference Set export
    Active threat hunting/IOC investigation
    Analyze Mitre ATT&CK coverage
Other QRAW features that can be used to improve SOC process:
    Incorporate local threat intel

SOC Integration guide for IBM Security QRadar Advisor with Watson

Introduction

IBM Security QRadar Advisor with Watson (QRAW) can help drive significant improvements in
your SOC operations. QRadar Advisor with Watson can tap into accurate and comprehensive
data to investigate any offense, asset, user, or user activity. QRadar Advisor with Watson can
substantially improve analysts’ productivity, increase their effectiveness, and reduce the time
and effort it takes to collect data and investigate offenses and users. However, integrating the
information and insights from QRAW into well-established SOC processes might not be
straightforward.

This document is intended to give guidance on how QRAW can help analysts. It provides
specific examples of how to integrate data, information, and insights into current SOC
operations. It assumes that your QRadar environment is tuned and QRAW is configured
properly.

There are five sections to this document:

• Where does QRAW fit in the threat management process
• Tier 1 analyst: Defines the typical role of a Tier 1 analyst and highlights specific ways
that QRAW can assist them
• Tier 2 analyst: Defines the typical role of a Tier 2 analyst and highlights specific ways
that QRAW can assist them
• Tier 3 analyst: Defines the typical role of a Tier 3 analyst and highlights specific ways
that QRAW can assist them
• Other features in QRAW that can be used to improve SOC operations


Where does QRAW fit in the threat management process?

This image is a high-level picture of the events of a cyber threat. QRadar lives in the Detection
area. QRadar brings in all of the information in a particular environment and runs correlation,
analytics, and anomaly detection. It narrows down and prioritizes what is important for an
analyst to see. Where QRadar Advisor starts to play and where Watson for Cybersecurity really
helps is in the Investigation and Qualification section. This section is where information must
be manually assessed, which requires knowledgeable analysts: Tier one, Tier two, and Tier
three analysts, who perform different duties and must make different decisions along the
path of the investigation. The goal here is to make an informed and confident decision so that
the process can continue, automated through orchestration, into the Incident Response phase.
This work guides the decision for an Incident Response team so that they can act. But the
decisions and qualification must happen in the middle section, and that is what Advisor does.


Tier one analyst

The initial investigation starts with the Tier one analyst. This stage is the triage function for
most organizations. The Tier one analyst monitors what types of events come out of the SIM
solution, QRadar in this particular case. They triage the information and look for evidence. They
try to answer questions: Is this something that needs to be investigated? Is it something that
we determine to be a false positive? Do we need to go back and recommend tuning a rule
because this data is too noisy? Tier one analysts are responsible for the data collection aspect
to gather all the information necessary so that the Tier two analysts can start right away with
their investigation.

Set up automatic investigations

So how does Advisor specifically help conduct this? Being able to decide at the Tier one level
is crucial. Most organizations have less than 15 minutes to decide on whether this investigation
needs to get escalated to the next level of the SOC. You start by automatically analyzing,
evaluating, and assigning a priority to the alerts that come out of QRadar. The capability to have
that information already preanalyzed so an analyst can look at what Watson determines is a
huge time-saving effort. The following link walks you through how to set up automatic
investigations:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_SHR/com.ibm.Watsonapp.doc/t_Qapps_advisor_auto_analysis.html


Use Offense Priority AI Model

QRAW also uses AI to automate the first step in the offense triage process by significantly
reducing the number of alerts that the analyst needs to review. The Offense Priority AI Model,
a feature of IBM Security QRadar Advisor with Watson, evaluates offenses and assigns a high
or low priority to each offense. The automatic prioritization of offenses in the queue by the
Offense Priority AI model gives analysts the ability to focus on higher priority offenses first
before moving on to lower priority offenses.

Provide AI Evaluation feedback

The AI Evaluations feature allows the prioritization AI model to learn from the offenses that are
prioritized based on whether you agree or disagree with the output of the model. The AI model
learns the priorities for your SOC, allowing analysts to make quicker and better-informed
decisions based on historical context. Therefore, it is critical to provide feedback by using the
AI Evaluations features in QRAW. The more feedback that is received, the more the AI tool can
help by streamlining alerts quicker and with more accuracy based on your specific environment
and types of incidents that are seen over time. This helps analysts by saving time, boosting
productivity, and improving security effectiveness by focusing on high priority offenses first.


You might also configure QRAW to provide feedback automatically by mapping your existing
offense closing reasons to High or Low priority. That way the AI model gets the feedback that
it needs to learn your environment without any extra steps from your team.

For more information, see:

https://www.ibm.com/support/knowledgecenter/en/SS42VS_SHR/com.ibm.Watsonapp.doc/t_Qapps_advisor_closing_reason_priority_mapping.html
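As an added example (not IBM's code and not the app's own configuration format), the following Python models the closing-reason mapping described above and measures how far the model's High/Low priorities agreed with the labels that such a mapping derives. The closing reasons, the offense records and the function names (`CLOSING_REASON_PRIORITY`, `build_feedback`, `agreement_report`) are constructed for this example; a real deployment maps its own configured closing reasons on the QRAW configuration page.

```python
from collections import Counter

# Constructed mapping of offense closing reasons to the High/Low labels that the
# Offense Priority AI Model learns from. The reasons are hypothetical examples.
CLOSING_REASON_PRIORITY = {
    "False-Positive, Tuned": "Low",
    "Non-Issue": "Low",
    "Duplicate": "Low",
    "Policy Violation": "High",
    "Escalated to Incident Response": "High",
    "Confirmed Malware": "High",
}


def feedback_label(closing_reason):
    """Return 'High', 'Low', or None when the reason is unmapped (no feedback sent)."""
    return CLOSING_REASON_PRIORITY.get(closing_reason)


def build_feedback(closed_offenses):
    """Turn closed offenses into (offense_id, model_priority, feedback) tuples.

    Offenses whose closing reason is not in the mapping are skipped, because
    sending a guessed label would teach the model the wrong priorities."""
    feedback = []
    for offense in closed_offenses:
        label = feedback_label(offense["closing_reason"])
        if label is None:
            continue
        feedback.append((offense["id"], offense["model_priority"], label))
    return feedback


def agreement_report(feedback):
    """Summarise how often the model's priority matched the analyst-derived label.

    'missed_high' counts offenses the model ranked Low that analysts closed as
    High: the costly miss for a SOC, and the case automatic feedback must fix."""
    pairs = Counter((model, label) for _, model, label in feedback)
    total = sum(pairs.values())
    agree = pairs[("High", "High")] + pairs[("Low", "Low")]
    return {
        "pairs": dict(pairs),
        "agreement_rate": agree / total if total else 0.0,
        "missed_high": pairs[("Low", "High")],
    }


# Constructed sample: closed offenses with the priority the model had assigned.
SAMPLE_CLOSED_OFFENSES = [
    {"id": 101, "model_priority": "High", "closing_reason": "Confirmed Malware"},
    {"id": 102, "model_priority": "Low", "closing_reason": "False-Positive, Tuned"},
    {"id": 103, "model_priority": "High", "closing_reason": "Non-Issue"},
    {"id": 104, "model_priority": "Low", "closing_reason": "Escalated to Incident Response"},
    {"id": 105, "model_priority": "Low", "closing_reason": "Duplicate"},
    {"id": 106, "model_priority": "High", "closing_reason": "Other"},  # unmapped, skipped
]

if __name__ == "__main__":
    print(agreement_report(build_feedback(SAMPLE_CLOSED_OFFENSES)))
```

Running the report over a few weeks of closed offenses before enabling the automatic mapping shows whether the chosen closing reasons really line up with priority; a high `missed_high` count with a low agreement rate usually means a closing reason is being used for two different kinds of outcome and should not be mapped.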

Let QRAW gather context and correlate threat intelligence

QRAW puts context around the components that are involved in an investigation. Does an IP
address have a bad reputation? Is it listed with Malware? Is it a phishing site? Is it generic and
there's nothing else to do? QRAW helps to answer these questions by providing WHOIS and IP
Reputation listing. In addition, as part of the investigation, QRAW gathers both external and
internal threat indicators from the alert. QRAW does the data research and gathering from the
local contextual information, including the events and flows themselves from QRadar and it
enriches that information with Watson insights.


Watson for Cybersecurity also performs the external threat research and uses its cognitive
capability to do internal research on the indicators. QRAW also checks to see whether the hash
or the IP address matches the localized threat intelligence. Essentially, the goal with Advisor
here is to highlight the existence of the threat or highlight the fact that it's not a threat.


Use Offense Disposition Analysis

QRAW’s Offense Disposition Analysis (ODA) is a data analytics feature that does a historical
analysis of how similar offenses were closed in the past. ODA can help you drive
recommendations about how to approach an investigation. By using Offense Disposition
Analysis, you can immediately understand how something was handled from a behavioral
aspect of your analysis in the past. You determine whether to escalate it, or at least whether to
take a different approach to how you investigate an offense.

For more information about Offense Disposition Analysis, see:

https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.Watsonapp.doc/c_Qapps_advisor_oda.html


Tier two analyst

Tier two analysts, though, have a different job. Their job is really investigation analysis
to drive context. What does it mean to the environment? What's the associated risk?
Generally, these analysts perform in-depth incident analysis by correlating the multiple
sources of events that come together. They determine what types of things are impacted
within the environment. What data is impacted? Is it exfiltrated? They advise on what
action to take through remediation of the attack tactics. They also provide support for new
methods of detecting the attacks. What failed? What control within my assessment
failed that caused this incident to become an incident in the first place?

View blocked or allowed connections

One of the ways Advisor helps a Tier two analyst is by determining whether
communication between two items occurred or was blocked. Did my firewall or my
Intrusion Detection System (IDS) stop the communication? QRAW uses multiple
methods to look at both events and flows to make a determination on whether
something occurred within the environment. As you can see in the graphic, a dotted line
between nodes represents a blocked connection, which helps an analyst to quickly
observe the communication status.


Determine whether malware ran or not

QRAW can also tell you the status of malware: whether it was quarantined, cleaned, or
stopped at the endpoint, or whether it did in fact run. If it did run, are you missing
something in the antivirus software? This information helps the analyst figure out
whether the malware is new or whether there is a gap in the signature set. Advisor also
identifies the critical assets within an environment to know what's impacted by the
incident. An analyst can filter the knowledge graph to see only the items that are
involved where malware ran.

The File Action Blocked and File Action Allowed reference sets control the determination of
whether a piece of malware was run. Go to the following link to see how you can customize
these reference sets:

https://www.ibm.com/support/knowledgecenter/en/SS42VS_SHR/com.ibm.Watsonapp.doc/t_Qapps_advisor_executed_malware.html
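The two determinations described in this section and in "View blocked or allowed connections" are shown below as an added Python example; it is not IBM's code and does not use the app's internal logic. `FILE_ACTION_BLOCKED` and `FILE_ACTION_ALLOWED` stand in for the File Action reference sets (their contents here are constructed), and the firewall events, flows and file events are constructed sample data. The connection check uses the same two kinds of evidence the text names, events and flows, with an explicit precedence between them.

```python
# Constructed stand-ins for the QRAW "File Action Blocked" / "File Action
# Allowed" reference sets. A real deployment fills them with the action strings
# its antivirus products actually emit.
FILE_ACTION_BLOCKED = {"quarantined", "cleaned", "blocked", "deleted"}
FILE_ACTION_ALLOWED = {"allowed", "executed", "detected only", "left alone"}

# Precedence when one hash produces several events: execution evidence wins,
# because a later quarantine does not undo the fact that the file already ran.
RANK = {"unknown": 0, "blocked": 1, "ran": 2}


def malware_status(file_events):
    """Map each file hash to 'ran', 'blocked' or 'unknown' from antivirus events.

    'unknown' means the action string is in neither reference set, which is the
    signal that the sets need customising for this antivirus product."""
    status = {}
    for ev in file_events:
        action = ev["file_action"].strip().lower()
        if action in FILE_ACTION_ALLOWED:
            verdict = "ran"
        elif action in FILE_ACTION_BLOCKED:
            verdict = "blocked"
        else:
            verdict = "unknown"
        h = ev["file_hash"]
        if RANK[verdict] >= RANK[status.get(h, "unknown")]:
            status[h] = verdict
    return status


def connection_status(src, dst, firewall_events, flows):
    """Decide whether src -> dst communication was 'allowed', 'blocked' or
    'unobserved', using both events and flows.

    Evidence precedence: a flow with bytes in both directions proves the
    conversation completed; a one-sided flow (a SYN with no reply) does not.
    Failing that, firewall/IDS events for the pair decide: any accept means
    allowed, deny-only means blocked. No evidence at all is 'unobserved'."""
    for f in flows:
        if (f["src"], f["dst"]) == (src, dst) and f["src_bytes"] > 0 and f["dst_bytes"] > 0:
            return "allowed"
    actions = {e["action"] for e in firewall_events if (e["src"], e["dst"]) == (src, dst)}
    if "accept" in actions:
        return "allowed"
    if "deny" in actions:
        return "blocked"
    return "unobserved"


# Constructed sample data (documentation address ranges, hypothetical hash labels).
FIREWALL_EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "action": "deny"},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "action": "accept"},
]
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "src_bytes": 60, "dst_bytes": 0},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "src_bytes": 5120, "dst_bytes": 88000},
]
FILE_EVENTS = [
    {"file_hash": "hash-A", "file_action": "Quarantined"},
    {"file_hash": "hash-B", "file_action": "Detected only"},
    {"file_hash": "hash-B", "file_action": "Quarantined"},
    {"file_hash": "hash-C", "file_action": "Scanned"},
]

if __name__ == "__main__":
    for pair in [("10.0.0.5", "203.0.113.10"), ("10.0.0.7", "203.0.113.10")]:
        print(pair, connection_status(*pair, FIREWALL_EVENTS, FLOWS))
    print(malware_status(FILE_EVENTS))
```

The `unknown` verdicts are the ones worth reviewing when tuning: every action string that lands there is one the File Action reference sets do not yet cover, so the graph would show neither a blocked nor an executed file for that event.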


Data mining

QRAW automatically performs data mining of information that is associated with the
threat. Data mining determines the scope of the threat so that the Tier two analyst has
the context to know the extent of the incident’s impact. To see the raw data (events
or flows) associated with the relationship between two nodes, click the edge (that is, the
arrow) between them and then click the View Events or the View Flows link. This
performs the proper database query and takes the analyst to the QRadar Log Viewer for
a deeper analysis of the data.


Add data to watch lists

QRAW can also automatically improve QRadar CRE (Custom Rule Engine) rules by
adding malicious identifiers to reference set watch lists after an investigation is
complete. The more investigations that QRAW runs, the richer your reference sets
become and the more your CRE rules can identify potential threats. The reference sets
are updated and are all prefaced with the name Watson Advisor:. You can set up the
automatic watch list export on the QRAW configuration page.


For more information, see:

https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.Watsonapp.doc/t_Qapps_advisor_reference_set_export.html

Investigate users with UBA integration

QRAW also seamlessly integrates with the QRadar User Behavior Analytics (UBA) app.
QRAW reveals information from users who are analyzed by UBA. There are no special
steps that are required for the integration. If you have UBA and QRAW installed, it
automatically integrates.

By clicking a user node in the QRAW knowledge graph, you can see the user information
from UBA along with its calculated Risk Score. If you want to dive deeper into the user,
there is a link, which allows you to see the user analysis in UBA.


In addition, if you are investigating a user in UBA and would like to investigate that user
further, you can start a QRAW investigation of that user directly from UBA by using the
Search Watson button.


This triggers the QRAW investigation by using the username as the source (index) of
the investigation. An example of the investigation results in QRAW is presented in the
following graphic.


Tier three analysts

The investigation does not stop with the Tier two analyst. Advisor has the capability to
export information so that the SOC can continue the process through automation or hand
this information off to the next level analyst for remediation.

While QRadar Advisor has many functions centered specifically around the Tier one and
Tier two analysts, which are designed to aid the decision-making process, its functions
don’t end with those two roles. The Tier three subject matter expert is a significant
component of the SOC. Sometimes they're the next level hand off. Sometimes they're
the incident responder. Sometimes they have a different job within the SOC. Tier three
analysts possess in-depth knowledge about multiple different functions within a
cybersecurity environment. They might do threat intelligence analysis. They might do
malware reverse engineering. Their job is specific, and they are usually knowledgeable
about one or several topics. They also act in many organizations as a cyberthreat hunter.
They don’t wait for an incident to occur, but they actively look and poke through data to
figure out what stands out that they need to look at. They look for that needle in the
haystack. They're also involved in developing, tuning, and implementing an in-depth
defensive posture.

Export investigation results to other products

You can export the results of an incident investigation from QRAW in three different
ways: STIX, CSV, and to a reference set by using the Export link from the QRAW
investigation report and graph.

By exporting the results of your analysis, you can share your threat intelligence
information with other parts of the organization, or with another tool that a different
department uses, in a consistent and machine-readable format. Sharing threat
intelligence information helps you better understand and anticipate the computer-based
cyberattacks that are most likely to occur.

The STIX export

The STIX file is a conversion of the QRadar Advisor with Watson knowledge-graph nodes
and edges from their native JSON format into the equivalent STIX 2.0 JSON representation
of those nodes and edges.
After you submit an incident to Watson for investigation, you can export the results to
STIX format. The STIX file contains all the incident information that is included on the
knowledge graph.
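To make the node-and-edge to STIX 2.0 conversion concrete, here is an added Python example; it is not the app's export code and the knowledge-graph JSON layout it reads (`nodes` with `id`/`type`/`value`, `edges` with `source`/`target`/`relation`) is a hypothetical input format chosen for the example, not QRAW's native schema. Each node becomes a STIX 2.0 Indicator whose pattern compares the observable value, each edge becomes a Relationship between the corresponding indicators, and everything is wrapped in a `spec_version: "2.0"` bundle. The sample graph values are constructed (documentation addresses and the SHA-256 of an empty file).

```python
import json
import uuid
from datetime import datetime, timezone

# Hypothetical node types for this example, mapped to the STIX 2.0 Cyber
# Observable type and property that an Indicator pattern compares against.
NODE_TO_STIX = {
    "ip": ("ipv4-addr", "value"),
    "domain": ("domain-name", "value"),
    "url": ("url", "value"),
    "hash": ("file", "hashes.'SHA-256'"),
}


def stix_timestamp(now=None):
    """STIX 2.0 timestamp: UTC, millisecond precision, trailing Z."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def pattern_literal(value):
    """Escape a string for use inside a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def node_to_indicator(node, created):
    stix_type, prop = NODE_TO_STIX[node["type"]]
    return {
        "type": "indicator",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": f"{node['type']}: {node['value']}",
        "labels": [node.get("label", "malicious-activity")],  # required in STIX 2.0
        "pattern": f"[{stix_type}:{prop} = '{pattern_literal(node['value'])}']",
        "valid_from": created,
    }


def graph_to_stix_bundle(graph, now=None):
    """Convert {'nodes': [...], 'edges': [...]} into a STIX 2.0 bundle dict.

    Unsupported node types and edges that reference a missing node raise
    ValueError, so an incomplete export cannot pass for a complete one."""
    created = stix_timestamp(now)
    id_map, objects = {}, []
    for node in graph["nodes"]:
        if node["type"] not in NODE_TO_STIX:
            raise ValueError(f"unsupported node type: {node['type']}")
        indicator = node_to_indicator(node, created)
        id_map[node["id"]] = indicator["id"]
        objects.append(indicator)
    for edge in graph["edges"]:
        if edge["source"] not in id_map or edge["target"] not in id_map:
            raise ValueError(f"edge references unknown node: {edge}")
        objects.append({
            "type": "relationship",
            "id": f"relationship--{uuid.uuid4()}",
            "created": created,
            "modified": created,
            "relationship_type": edge["relation"].strip().lower().replace(" ", "-"),
            "source_ref": id_map[edge["source"]],
            "target_ref": id_map[edge["target"]],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objects}


def to_json(bundle):
    return json.dumps(bundle, indent=2)


# Constructed sample graph: a domain resolving to an IP that a file talks to.
SAMPLE_GRAPH = {
    "nodes": [
        {"id": "n1", "type": "ip", "value": "198.51.100.23"},
        {"id": "n2", "type": "domain", "value": "update.example.net"},
        {"id": "n3", "type": "hash",
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
    "edges": [
        {"source": "n2", "target": "n1", "relation": "resolves to"},
        {"source": "n3", "target": "n1", "relation": "communicates with"},
    ],
}

if __name__ == "__main__":
    print(to_json(graph_to_stix_bundle(SAMPLE_GRAPH)))
```

A consumer such as a TAXII server or another SIEM only needs the bundle; the `relationship_type` strings are derived from the edge labels, so a receiving team should agree on the vocabulary before relying on them in their own rules.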


The CSV export

You can also export the results to CSV format. The CSV file contains all the incident
information that is included with the offense investigation.

By exporting the results of your analysis, you can share the results with other groups to
view the analysis in any CSV viewer.

Note: The current graph view that is shown in the following image is the view that is
exported when you export to CSV format. For example, if the local graph is displayed
and you export to CSV, you can specify your options and then the information from the
local graph is exported, with your specified options.


The Reference Set export

You can also manually export observables from an investigation to a QRadar Reference
Set. You can choose to export IPs, Hashes, and Domains.
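The following Python is an added example, not IBM's code, covering both this manual Reference Set export and the automatic watch-list export described under "Add data to watch lists". It sorts investigation observables into reference sets by type (IPs, hashes, domains), names the sets with the `Watson Advisor:` prefix the text mentions (the suffixes after the prefix are constructed), and then runs a CRE-style check over constructed sample events to show how a rule would consume those sets. `classify`, `build_reference_sets` and `match_watch_lists` are hypothetical helper names.

```python
import ipaddress
import re

# Reference sets the observables land in. "Watson Advisor:" is the prefix the
# app gives the sets it maintains; the suffixes are constructed for this example.
REFERENCE_SET_NAMES = {
    "ip": "Watson Advisor: Malicious IPs",
    "hash": "Watson Advisor: Malicious Hashes",
    "domain": "Watson Advisor: Malicious Domains",
}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(observable):
    """Return 'ip', 'hash', 'domain', or None for strings that are none of these."""
    try:
        ipaddress.ip_address(observable)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(observable):
        return "hash"
    if DOMAIN_RE.match(observable):
        return "domain"
    return None


def normalise(kind, value):
    # Hashes and domains are case-insensitive; store them lower-case so a rule
    # comparing an event value against the set does not miss a differently-cased hit.
    return value if kind == "ip" else value.lower()


def build_reference_sets(observables, include=("ip", "hash", "domain")):
    """Group investigation observables into {reference set name: sorted values}.

    `include` mirrors the export choice of IPs, Hashes and Domains; strings that
    classify as none of the three are dropped rather than polluting a watch
    list with free text."""
    sets = {REFERENCE_SET_NAMES[k]: set() for k in include}
    for raw in observables:
        value = raw.strip()
        kind = classify(value)
        if kind in include:
            sets[REFERENCE_SET_NAMES[kind]].add(normalise(kind, value))
    return {name: sorted(values) for name, values in sets.items()}


# Which event fields a CRE-style rule would compare against which set.
FIELD_TO_KIND = {"src_ip": "ip", "dst_ip": "ip", "dst_domain": "domain", "file_hash": "hash"}


def match_watch_lists(event, reference_sets):
    """Return [(field, reference set name)] for every field value found in a set."""
    hits = []
    for field, kind in FIELD_TO_KIND.items():
        value = event.get(field)
        name = REFERENCE_SET_NAMES[kind]
        if value is None or name not in reference_sets:
            continue
        if normalise(kind, value.strip()) in reference_sets[name]:
            hits.append((field, name))
    return hits


# Constructed sample: observables from one investigation, then three later events.
SAMPLE_OBSERVABLES = [
    "198.51.100.23",
    "update.example.net",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2001:db8::1",
    "not an observable",
]
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "dst_domain": "cdn.example.org"},
    {"src_ip": "10.0.0.8", "dst_ip": "10.0.0.9",
     "file_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.77", "dst_domain": "intranet.example.com"},
]

if __name__ == "__main__":
    sets = build_reference_sets(SAMPLE_OBSERVABLES)
    for ev in SAMPLE_EVENTS:
        print(ev, "->", match_watch_lists(ev, sets))
```

Loading the grouped values into a live QRadar is done through its reference data REST API (the bulk load endpoint for sets, `POST /api/reference_data/sets/bulk_load/{name}`, after the set itself exists); that network step is deliberately left out so the example runs offline.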

Active threat hunting/IOC investigation

In addition to investigating offenses and users, QRAW can perform an ad hoc Watson
investigation on a single IOC/observable or multiple indicators. This allows the Tier
Three analyst to perform active threat hunting or independent research on external
security data.


The search creates an investigation like the investigations that are created from
offenses. It performs data mining, threat intelligence correlation, and cognitive analysis
and then displays it all in an interactive knowledge graph for in-depth analysis.

For more information, see:

https://www.ibm.com/support/knowledgecenter/en/SS42VS_SHR/com.ibm.Watsonapp.doc/t_Qapps_advisor_search.html


Analyze Mitre ATT&CK coverage

The QRadar Advisor with Watson app 2.0.0 and later automatically maps MITRE ATT&CK
tactics and techniques to CRE rules.

In the QRadar Advisor with Watson app, you can see the tactics that are identified for an
offense investigation, a search, and the offense details pane.


A Tier three analyst can analyze the Mitre results from a Watson investigation and
determine whether there are gaps with their security use case coverage. To update the
Mitre ATT&CK mappings, see the documentation on the QRadar Use Case Manager.

For more information, see the following link:

https://exchange.xforce.ibmcloud.com/hub/extension/bf01ee398bde8e5866fe51d0e1ee684a


Other QRAW features that can be used to improve SOC process:

QRAW also integrates with IBM Resilient and it provides Threat Intelligence mapping.

QRadar Advisor with Watson Functions for IBM Resilient

Using the Resilient integration with QRadar Advisor, the security analyst can automatically
track and enrich incident artifacts and reporting. The integration package comes with
three functions: one runs an offense analysis for a QRadar offense ID and returns cyber-threat
intelligence (CTI) data in STIX format; one performs a summarized Watson search on a
Resilient artifact type; and one performs a Watson search with local context and returns
in-depth data on related observables. The three workflows that correspond to the functions
process inputs and generate output based on the function and its parameters. The offense
analysis is run at an incident level while the searches are run on IBM Resilient artifacts.
There are two scripts that users can run to take the observables data that is returned from
an analysis or search and automatically generate IBM Resilient artifacts by mapping
QRadar Advisor observable types to IBM Resilient artifact types.


The QRadar Advisor with Watson Functions for IBM Resilient integration package can
be found on the IBM Security App Exchange.

For more information, see:

https://exchange.xforce.ibmcloud.com/hub/extension/36856f94f16e29652b176cceb
7432086


Incorporate local threat intel

If you have a threat intelligence feed, QRAW can correlate the data that was mined
during an investigation to enhance the analysis. You can access this feature from QRadar
Advisor with Watson Configuration that is located on the QRadar Admin page.

For more information, see:

https://www.ibm.com/support/knowledgecenter/en/SS42VS_SHR/com.ibm.Watsonapp.doc/t_Qapps_advisor_threatIntel.html
