Am I Affected scan FAQs
Am I Affected is a threat intelligence capability that helps you to quickly determine whether your environment is affected by a threat.
- How do I check whether I am affected by a threat?
- How does the scan work?
- What are indicators of compromise (IoC)?
- What is the difference between total indicators and found indicators?
- How do I set up an automatic scan?
How do I check whether I am affected by a threat?
On the IBM® Security Threat Intelligence Insights landing page, complete the following steps.
- Scroll to the Top relevant threats section and choose the threat activity that is not yet scanned.
- Click Scan now.
On the threat details page, complete the following steps:
- Look at the Check if you are affected card.
- Data sources must be connected before you can run a scan. You can select which data sources to scan for threat indicators. Otherwise, all connected data sources are scanned.
- Choose a timeframe. Scan now is set by default to search your connected data sources for the last 60 minutes. If you want to search for a longer period against your connected data sources, select from the predefined timeframes.
- Click Scan now.
When the scan is complete and indicators are found:
- The card is updated to show the number of found indicators.
- A case is created to help you begin the investigation.
How does the scan work?
You must have data sources that are connected to your IBM Security QRadar® Suite Software account. Learn how to connect a data source.
Threat Intelligence Insights cross-references the user logs in all connected data sources to determine whether events and flows are related to any indicators of compromise (IoC) that are captured within the threat reports.
- If an indicator is found and it is supported in your connected data sources, the indicator is counted in the scan result, and returned in found indicators.
- If an indicator is not supported in your connected data sources, then that indicator is not counted in the scan result.
A tis_system key is automatically created when you first initiate a scan. Threat Intelligence Insights uses this key to provide Am I Affected scans. If the tis_system key is deleted, scans cannot be completed. Data sources must be connected.
What are indicators of compromise (IoC)?
Indicators of compromise are any recorded or captured pieces of digital evidence from a security incident that can be used to provide information about an intrusion or issue.
These indicators provide the first concrete targets for your investigation. Different threat intelligence feeds might use different indicators, depending on your region, business sector, or security requirements. Threat Intelligence Insights uses the following indicators:
- URLs
- IP addresses
- MD5 and SHA-256 hashes
What is the difference between total indicators and found indicators?
- Total indicators
The total number of indicators that are associated with the threat, a value that is based on consolidated reports. The value does not include the indicators that are found in your connected data sources after an Am I Affected scan is run. The value corresponds to the total number of indicators that are listed in the threat details Indicators tab.
- Found indicators
The number of indicators that are supported and found in your connected data sources after an Am I Affected scan is run.
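The following is an added, simplified model of the scan logic described under "How does the scan work?" and of how the "total" and "found" indicator counts relate. It is not IBM's code and does not reflect how Threat Intelligence Insights or QRadar actually query data sources; the data source names, supported indicator kinds, timestamps and log lines are constructed for illustration, and the hash values are the well-known digests of an empty input.

```python
# Added example (not IBM's code): a minimal model of how an "Am I Affected"
# style scan cross-references log events against a threat report's IoCs and
# how it arrives at "total" vs "found" indicators. Names, data shapes and the
# sample log lines below are constructed assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Indicator:
    kind: str    # "url", "ip", "md5" or "sha256" (the indicator types the FAQ lists)
    value: str


@dataclass
class DataSource:
    name: str
    supported_kinds: set   # indicator kinds this source can be searched for
    events: list           # (timestamp, raw log line) pairs


@dataclass
class ScanResult:
    total_indicators: int
    found_indicators: int
    unsupported_indicators: int
    matches: dict = field(default_factory=dict)  # indicator value -> [(source, line)]


TOKEN_RE = re.compile(r"[\s=,;\"']+")


def event_tokens(line):
    """Split a log line into whole tokens so an IP or hash is matched exactly,
    not as a substring (203.0.113.45 must not match 203.0.113.450)."""
    return {tok for tok in TOKEN_RE.split(line) if tok}


def indicator_matches(ind, tokens):
    if ind.kind in ("md5", "sha256"):
        # Hashes are hex; compare case-insensitively so D41D... equals d41d...
        return ind.value.lower() in {t.lower() for t in tokens}
    return ind.value in tokens


def scan(indicators, sources, window_start):
    """An indicator counts as *found* if at least one connected source supports
    its kind and holds a matching event inside the time window. Indicators that
    no connected source supports are left out of the result, as the FAQ says."""
    matches, unsupported = {}, 0
    for ind in indicators:
        supporting = [s for s in sources if ind.kind in s.supported_kinds]
        if not supporting:
            unsupported += 1
            continue
        for src in supporting:
            for ts, line in src.events:
                if ts < window_start:
                    continue  # outside the selected timeframe
                if indicator_matches(ind, event_tokens(line)):
                    matches.setdefault(ind.value, []).append((src.name, line))
    return ScanResult(len(indicators), len(matches), unsupported, matches)


# ---- constructed sample data (not real threat data) -------------------------
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
REPORT_IOCS = [
    Indicator("url", "http://malicious.example/drop"),
    Indicator("ip", "203.0.113.45"),
    Indicator("md5", "d41d8cd98f00b204e9800998ecf8427e"),
    Indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]
SOURCES = [
    DataSource("proxy", {"url", "ip"}, [
        (NOW - timedelta(minutes=30), "src=10.0.0.5 dst=203.0.113.45 url=http://malicious.example/drop"),
        (NOW - timedelta(hours=5), "src=10.0.0.7 dst=198.51.100.9 url=http://example.com/"),
    ]),
    DataSource("edr", {"md5", "ip"}, [
        (NOW - timedelta(hours=3), "host=wks-01 file=notes.txt md5=D41D8CD98F00B204E9800998ECF8427E"),
        (NOW - timedelta(hours=1), "host=wks-02 file=tool.exe md5=00000000000000000000000000000000"),
    ]),
]


def run_example(lookback_minutes=24 * 60):
    """Run the toy scan with a look-back window (default 24 hours, like the
    overnight scan; pass 60 for the 'Scan now' default)."""
    return scan(REPORT_IOCS, SOURCES, NOW - timedelta(minutes=lookback_minutes))


if __name__ == "__main__":
    r = run_example()
    print(f"total={r.total_indicators} found={r.found_indicators} "
          f"unsupported={r.unsupported_indicators}")
    for value, hits in r.matches.items():
        for src, line in hits:
            print(f"  {value} <- {src}: {line}")
```

With the 24-hour window the report's four indicators yield three found (URL and IP in the proxy source, the MD5 in the EDR source despite its upper-case spelling) and one unsupported (no source can be searched for SHA-256), so "total" stays 4 while "found" is 3. Narrowing to the 60-minute "Scan now" default drops the three-hour-old EDR hit to give 2 found. Matching whole tokens rather than substrings is what prevents an IP indicator from lighting up on a longer address that merely contains it.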
How do I set up an automatic scan?
In addition to the manual scans, entitled users have access to continuous, automated overnight scans for all applicable threats published in the past 7 days. The default time range for overnight scans is a 24-hour look-back across connected data sources. Currently, the default automated scans cannot be adjusted.