RiskIQ Enriches IBM QRadar with Internet Security Context

For the past several years, IBM’s QRadar has been recognized as a leader in Gartner’s Magic Quadrant for SIEM and Log Management. RiskIQ is the cornerstone of External Threat Management programs for many of the largest enterprises in the world. In December of 2015, IBM launched the Security App Exchange that allowed companies to begin creating applications that could enhance the QRadar experience. Today, RiskIQ’s PassiveTotal is excited to announce the release of our QRadar integration into the app exchange, enriching QRadar with internet infrastructure data. Customers of both QRadar and PassiveTotal can install the application by visiting the Security App Exchange from within their local QRadar instance.

Application Functionality

This integration speeds up security incident investigation by bringing RiskIQ internet intelligence to QRadar. IP addresses in QRadar can now have the context of the internet in real time by combining PassiveDNS, WHOIS, SSL certificates, web components, host pairs and RiskIQ's zlist into a single app on the exchange. There are three clear features were created within the system - contextual metadata, automatic offense triage, analyst feedback loops and personalized content.

Metadata Provider

One of the core data types within QRadar are IP addresses. The RiskIQ application provides users with the ability to quickly gain a deeper understanding about an IP address through a hover context menu and right-click pivot search.

Data shown in the hover menu allows an analyst to better understand the role of the IP address. Details shown include the network, autonomous system number and name, longitude, latitude, country of origin and contextual tags derived from the PassiveTotal service. If users would like to conduct a deeper investigation using PassiveTotal, they can simply click the “View in PassiveTotal” link, or right-click one a one-click pivot.

Automatic Offense Triage

One of the most powerful features to RiskIQ’s PassiveTotal application is its ability to inspect source IP addresses from within open offenses in order to understand if any are flagged as malicious. In order to do this, our application will routinely collect all open offenses, extract the relevant IP addresses and query the PassiveTotal API.

If an IP address is flagged inside of the RiskIQ threat intelligence service, a note will be appended to the offense, a follow-up flag will be set, and two new reference sets will be created, one for offense hits and the other for passive DNS for the offending IP address.

Having this automated triage means analysts can spend less time going through every single offense in order to understand if it needs further inspection. Instead, they can let the RiskIQ application perform the initial triage and surface what’s most important. Additionally, analysts can leverage the hit items inside their own custom rules to retroactively search old or closed offenses that may have been overlooked.

Analyst Feedback Loops

After configuring the application inside of QRadar, a background service will start in order to bring data from PassiveTotal directly into your local instance. PassiveTotal supports the concept of classifying infrastructure, both domains and IP addresses. There are four different categories of classification - malicious, suspicious, non-malicious and unknown. For all categories except unknown, reference lists are automatically created.

These references lists can be viewed, modified or deleted by visiting the “Admin” tab and clicking the “Reference Set Management” icon under “System Configuration”. What makes these reference sets powerful is the ability to include them in custom rules. For example, if you have flagged several items as “malicious” within PassiveTotal, you may want to automatically log an offense if someone internally visits that website. By using PassiveTotal and classifying values, analysts create a feedback loop where QRadar is constantly being updated with the latest threat data.

Personalized Content

Recognizing that an analyst may pivot back and forth between QRadar and the PassiveTotal platform, the RiskIQ application includes dashboard widgets showing recent search history for your personal account and/or your enterprise team.

Clicking on the value listed in history allows an analyst to instantly jump from QRadar directly into a PassiveTotal search result. This seamless integration makes users feel like the two applications are one and saves a significant amount of time.

Future Development

Having an integration that not only personalizes your SIEM, but also allows for automated triage is the ultimate feature. We believe that using the PassiveTotal app for QRadar brings analysts closer to that reality. Like any enterprise product, QRadar will improve over time and support additional features which we will evaluate for inclusion into our application. If you have any questions or feedback on the app, please send a message to feedback@passivetotal.org.