QRadar Suite threat management
With IBM QRadar® Suite you can predict, prevent, and respond to current threats. QRadar Suite is an open extended detection and response (XDR) ecosystem that takes a holistic approach to integrating security tools and data while leaving the data where it is.
- Security Orchestration, Automation, and Response (SOAR)
  - IBM® Security QRadar SOAR Case Management
  - IBM Security QRadar SOAR Orchestration & Automation
  - IBM Security Threat Investigator
  - IBM Security Data Explorer
  - IBM Detection and Response Center
  - IBM Security Threat Intelligence Insights
- Security Information and Event Management (SIEM)
  - IBM QRadar SIEM
  - IBM QRadar User Behavior Analytics
- Network Detection and Response (NDR)
  - IBM QRadar NDR
- Data Lake
  - IBM QRadar Data Store
- Endpoint Detection and Response (EDR)
  - IBM Security QRadar EDR
Track, manage, and resolve cybersecurity incidents
IBM Security QRadar SOAR Case Management runs on QRadar Suite Software so that organizations can track, manage, and resolve cybersecurity incidents. With Case Management, security and IT teams can collaborate across the organization to respond to incidents rapidly and successfully. Case Management is a subset of IBM Security QRadar SOAR and is available without an extra license on IBM Security QRadar Suite Software. For more information, see IBM Security QRadar SOAR.
IBM Security QRadar SOAR Orchestration & Automation requires a license and is available as an application that is fully integrated in QRadar Suite Software.
Orchestration & Automation provides the following benefits:
- Create response plans that are based on industry standards and best practices.
- Integrate more easily with security and IT tools, and orchestrate responses to events and incidents.
- Collaborate across the organization, equipping various stakeholders with the tools to fulfill their roles and tasks as part of an incident response effort.
The application that is integrated on QRadar Suite Software provides most, but not all, of the stand-alone IBM Security QRadar SOAR feature set. For more information about this application, see IBM Security QRadar SOAR.
If you have an Orchestration & Automation license, you can choose between the application on QRadar Suite Software or the stand-alone version on a virtual appliance. The stand-alone virtual appliance version provides the full feature set of IBM Security QRadar SOAR. For more information, see IBM Security QRadar SOAR.
Automate root cause analysis
IBM Security Threat Investigator runs on QRadar Suite Software to automatically analyze and investigate cases and help you make more informed decisions. By showing potential threats and the assets that are affected, Threat Investigator can help determine the criticality of the exposure, how many systems are at risk, and the level of remediation effort that is required. By viewing the historical timeline of threats within your organization, you can better understand dwell times and how far a threat has progressed.
For more information, see Threat Investigator.
Investigate details and search across your environment
IBM Security Data Explorer runs on QRadar Suite Software to conduct federated search and investigation across your connected hybrid, multi-cloud environment in a single interface and workflow. Use Data Explorer to complete investigations in a timely manner without compromising visibility. Core underlying services and capabilities include the following features.
- Federated data search with Universal Data Insights connections. Unite silos of security data and provide complete visibility across security solutions (for example, SIEM, EDR, and Data lake tools) and across cloud infrastructures (for example, Microsoft Azure and Amazon Web Services (AWS)).
- Single, unified interface and workflow to investigate threats and Indicators of Compromise across user-selected data sources.
- In-context data enhancements from Connected Assets and Risk data sources and IBM Security Threat Intelligence Insights.
- Workflows to track, append to, and create security cases in the platform's case management system.
For more information, see Data Explorer.
Manage rules and use cases
The Detection and Response Center app runs on QRadar Suite Software to provide a unified overview of your organization's security posture through use cases from different security tools and platforms. This overview saves you hours of gathering the same insights by using individual tools.
Detection and Response Center supports rules and use cases from IBM QRadar and the Sigma community. Sigma rules are enhanced with STIX patterns, which Threat Investigator uses in its investigations and which you can also run as searches in Data Explorer. With Detection and Response Center, you can complete the following tasks:
- Exploring rules through visualization and reports
- Running STIX patterns from Sigma rules in Data Explorer
- Visualizing threat coverage across the MITRE ATT&CK framework
For more information, see Exploring security rule use cases with Detection and Response Center.
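Detection and Response Center pairs Sigma rules with STIX patterns that Data Explorer can run as federated searches. The following translator is an added example, not IBM's converter and not code from the Sigma or STIX projects: it takes the detection block of a Sigma-style rule and emits a STIX 2.1 pattern, so you can see what the pairing involves. The field-to-STIX-path mapping (FIELD_MAP), the sample rule, and the helper names are this example's own assumptions.

```python
"""Translate a Sigma detection block into a STIX 2.1 pattern (illustrative)."""
from dataclasses import dataclass
from typing import Union

# Assumed mapping of Sigma process_creation fields to STIX 2.1 object paths.
FIELD_MAP = {
    "Image": "process:image_ref.name",
    "CommandLine": "process:command_line",
    "ParentImage": "process:parent_ref.image_ref.name",
    "User": "process:creator_user_ref.account_login",
    "DestinationPort": "network-traffic:dst_port",
}

@dataclass
class Cmp:                 # one STIX comparison: path op value
    path: str
    op: str
    value: object
    negated: bool = False  # rendered as "path NOT op value"

@dataclass
class Bool:                # AND / OR over sub-expressions
    op: str
    items: list

Expr = Union[Cmp, Bool]

def stix_str(value: str) -> str:
    """Quote a STIX string literal; backslash and single quote are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def cmp_for(field: str, value, modifiers: list) -> Cmp:
    """Map a Sigma field/modifier/value to a comparison. Sigma's * and ?
    wildcards become LIKE's % and _ (literal % and _ are not escaped; the
    STIX LIKE operator defines no escape, so that is a known limitation)."""
    path = FIELD_MAP[field]
    if isinstance(value, int) and not modifiers:
        return Cmp(path, "=", value)          # numeric literals stay unquoted
    v = str(value)
    if "re" in modifiers:
        return Cmp(path, "MATCHES", v)
    if "contains" in modifiers:
        return Cmp(path, "LIKE", f"%{v}%")
    if "startswith" in modifiers:
        return Cmp(path, "LIKE", f"{v}%")
    if "endswith" in modifiers:
        return Cmp(path, "LIKE", f"%{v}")
    if "*" in v or "?" in v:
        return Cmp(path, "LIKE", v.replace("*", "%").replace("?", "_"))
    return Cmp(path, "=", v)

def selection_expr(selection: dict) -> Expr:
    """Sigma map keys are ANDed; list values are ORed (ANDed with |all)."""
    terms = []
    for key, value in selection.items():
        field, *mods = key.split("|")
        cmps = [cmp_for(field, v, mods) for v in (value if isinstance(value, list) else [value])]
        terms.append(cmps[0] if len(cmps) == 1 else Bool("AND" if "all" in mods else "OR", cmps))
    return terms[0] if len(terms) == 1 else Bool("AND", terms)

def negate(expr: Expr) -> Expr:
    """STIX has no boolean NOT, only 'path NOT op value', so push the
    negation down to the comparisons with De Morgan's laws."""
    if isinstance(expr, Cmp):
        return Cmp(expr.path, expr.op, expr.value, not expr.negated)
    return Bool("OR" if expr.op == "AND" else "AND", [negate(i) for i in expr.items])

class _Cond:
    """Tiny recursive-descent parser for Sigma conditions: and/or/not/()."""
    def __init__(self, detection: dict):
        self.det, self.i = detection, 0
        self.toks = detection["condition"].replace("(", " ( ").replace(")", " ) ").split()
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take(); left = Bool("OR", [left, self.parse_and()])
        return left
    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take(); left = Bool("AND", [left, self.parse_not()])
        return left
    def parse_not(self):
        if self.peek() == "not":
            self.take(); return negate(self.parse_not())
        tok = self.take()
        if tok == "(":
            inner = self.parse_or(); assert self.take() == ")"; return inner
        return selection_expr(self.det[tok])     # named selection/filter

def render(expr: Expr, top: bool = False) -> str:
    if isinstance(expr, Cmp):
        lit = stix_str(expr.value) if isinstance(expr.value, str) else str(expr.value)
        return f"{expr.path} {'NOT ' if expr.negated else ''}{expr.op} {lit}"
    inner = f" {expr.op} ".join(render(i) for i in expr.items)
    return inner if top else f"({inner})"

def sigma_to_stix(detection: dict) -> str:
    """Return one STIX observation expression for a Sigma detection block."""
    return "[" + render(_Cond(detection).parse_or(), top=True) + "]"

# Constructed sample mirroring the detection block of a Sigma YAML rule
# (not a rule from the Sigma repository).
SAMPLE_DETECTION = {
    "selection": {
        "Image|endswith": ["\\mimikatz.exe", "\\rundll32.exe"],
        "CommandLine|contains|all": ["sekurlsa", "logonpasswords"],
    },
    "filter": {"ParentImage|endswith": "\\msiexec.exe"},
    "condition": "selection and not filter",
}

if __name__ == "__main__":
    print(sigma_to_stix(SAMPLE_DETECTION))
```

The point to notice is the `filter` handling: a Sigma `not filter` cannot be emitted as a boolean `NOT` because STIX patterning only allows `NOT` on a single comparison, so the translator rewrites the negation with De Morgan's laws. A converter that ignores this silently changes the rule's logic, which is exactly the kind of drift you want to check when a Sigma rule and its STIX pattern are shipped together.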
Get access to the latest threat intelligence
The IBM Security Threat Intelligence Insights application runs on QRadar Suite Software to deliver unique, actionable, and timely threat intelligence. The application provides almost all of the functions that IBM X-Force® Exchange provides.
- IBM-derived threat intelligence that spans threat activity, threat groups, malware, and industries.
- Continuous and automated Am I Affected searches that run across connected data sources to proactively identify the threats most relevant to you.
- Analytical and adaptive threat-scoring to help prioritize threats for further investigation and response.
For more information, see Selecting your Threat Intelligence Insights plan and Threat Intelligence Insights.
Connect your tools and data
In QRadar Suite Software, you can configure Universal Data Insights connectors to enable federated search and analytics across your security tools and data. Configure Connected Assets and Risk connectors to import asset data into QRadar Suite Software. For example, see the following SIEM, NDR, and EDR use cases. For more information about connectors, see Configuring connectors.
Manage security information and events
IBM QRadar is offered as an on-premises solution that delivers intelligent security analytics, enabling visibility, detection, and investigation for a wide range of known and unknown threats. QRadar SIEM event analytics ingest, parse, normalize, correlate, and analyze log and event data to detect indicators of threats. Event analytics also identify anomalous activity, automatically connect related threat activity, and alert security teams to potential threats. QRadar NDR flow analytics collect, extract, and normalize network flow data and packet metadata to augment log-based security insights. Flow analytics also identify network-level and application-level threat activity, such as phishing, lateral movement, and data exfiltration.
A new offering, IBM QRadar Data Store, normalizes and stores both security and operational log data for future analysis and review. The offering supports the storage of an unlimited number of logs without counting against your organization's QRadar SIEM Events Per Second (EPS) license, and enables your organization to build custom apps and reports on the stored data to gain deeper insight into your environments.
For more information about downloading, installing, and working with QRadar Security Intelligence Platform, see QRadar documentation.
IBM QRadar User Behavior Analytics is a tool for detecting insider threats in your organization. A connection to the on-premises IBM QRadar deployment through the QRadar Proxy service is a prerequisite for User Behavior Analytics on QRadar Suite Software. Used with the existing data in your QRadar system, User Behavior Analytics can help you generate new insights about users and user risk. For more information, see IBM QRadar Proxy and User Behavior Analytics.
Detect and respond to endpoint threats
IBM Security QRadar EDR offers endpoint detection and response (EDR) security that uses automation and AI to quickly detect and remediate threats as they arise. You can use the IBM Security QRadar EDR Universal Data Insights connector to retrieve security events from the IBM Security QRadar EDR unified platform. With this connector, QRadar Suite Software applications can combine with QRadar EDR to form a powerful EDR tool. For more information about the QRadar EDR connector, see IBM X-Force App Exchange.