Indicator reports

Indicator reports provide detailed information about indicators of compromise.

An indicator of compromise is any recorded or captured piece of digital evidence from a security incident that can be used to provide information about an intrusion or issue.

Indicators of compromise provide the first concrete targets for your investigation. Different threat intelligence feeds might use different indicators, depending on your region, business sector, or security requirements. IBM Security QRadar® Suite Software uses the following indicators.

  • Application

    Web application information contains a risk score, categories, associated actions, base URL, and risks. It also contains relevant information about the application, including vulnerabilities, hosting URLs, and hosting IPs.

  • Botnet

    Devices that use these IP addresses are infected and take part in denial-of-service attacks, port scanning, spam sending, and other unwanted intrusions.

  • IP address

    In an IP report, X-Force® provides a risk score, location, categorization information, historical context, WHOIS, and passive DNS (domain name server) information for both IPv4 and IPv6 addresses.

  • MD5 hash of malware files

    The MD5 hash, also known as the checksum of a file, is like a fingerprint of the file. It is a host-based indicator for malicious code, consisting of a file hash indicator and the name and type of the piece of malware that it indicates.

  • URL

    X-Force collects URL information that contains a risk score, segmentation into one of 75 categories, WHOIS, and passive DNS (Domain Name Server) information.

  • Signature

    Available security information includes specific network signatures that categorize audit events.

  • Vulnerabilities

    Vulnerability information is sourced from the X-Force database, one of the oldest publicly available vulnerability databases in the world. The database currently contains over 88,000 vulnerabilities. In addition to the standard metrics that are associated with any vulnerability, X-Force provides IBM coverage information from a network security perspective, as well as external references that are related to the vulnerability.

Vulnerabilities are identified by CVE (Common Vulnerabilities and Exposures) number.
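Before an indicator can be looked up in a report, an analyst usually has to sort a mixed bag of observables into the indicator types listed above and put each into a canonical form so that duplicates collapse (an uncompressed IPv6 address and its compressed form, or upper- and lowercase hex for the same MD5). The following Python is an added example written for this page; it is not QRadar or X-Force code. The type names, the decision to reduce a URL to its base URL (scheme and host), and the sample observables are assumptions of the example; the sample values are constructed from documentation-only address ranges and a placeholder CVE number.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical indicator type labels chosen for this example (not an X-Force API).
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def classify_indicator(value: str) -> str:
    """Return 'ip', 'md5', 'cve', 'url' or 'unknown' for one raw observable."""
    value = value.strip()
    if not value:
        return "unknown"
    # IPv4 and IPv6: strict parsing via the stdlib instead of a hand-written regex.
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if MD5_RE.match(value):
        return "md5"
    if CVE_RE.match(value):
        return "cve"
    # URL: require an http(s) scheme and a host so bare words are not mistaken for URLs.
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "unknown"


def normalize_indicator(value: str, kind: str) -> str:
    """Canonical form used for de-duplication within one indicator type."""
    value = value.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # compresses IPv6, keeps IPv4 as is
    if kind == "md5":
        return value.lower()
    if kind == "cve":
        return value.upper()
    if kind == "url":
        p = urlparse(value)
        return f"{p.scheme}://{p.netloc.lower()}"  # base URL: scheme and host only
    return value


def group_indicators(values):
    """Bucket raw observables by indicator type, de-duplicated on canonical form."""
    groups = {}
    for raw in values:
        kind = classify_indicator(raw)
        groups.setdefault(kind, set()).add(normalize_indicator(raw, kind))
    return {kind: sorted(items) for kind, items in groups.items()}


# Constructed sample input: RFC 5737 / RFC 3849 documentation addresses, the MD5 of the
# empty string, a placeholder CVE id (not a real vulnerability), and example.com URLs.
SAMPLE_OBSERVABLES = [
    "198.51.100.23",
    "2001:db8::1",
    "2001:0db8:0000:0000:0000:0000:0000:0001",  # same address as the line above
    "D41D8CD98F00B204E9800998ECF8427E",
    "cve-2099-12345",
    "https://example.com/path?id=1",
    "http://example.com/other",
    "not-an-indicator",
]

if __name__ == "__main__":
    for kind, items in group_indicators(SAMPLE_OBSERVABLES).items():
        print(kind, items)
```

Each bucket maps directly onto one of the report types above: the `ip` entries go to IP reports, `md5` to malware reports, `cve` to vulnerability reports, and `url` to URL reports; anything left in `unknown` needs a human look before it is submitted.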

To determine IP and URL risk scores, the X-Force Exchange relies on two data elements: the amount of captured evidence and the timeline of that evidence. An analytics engine processes this data to determine the risk score.

The IP risk score is rated in the range 1 - 10, with 1 indicating no risk and 10 indicating the highest level of risk. The location is provided at a regional level. The historical context shows the previous entries in the database that were related to that IP when it was updated.

The risk score is a normalized value that is produced from processing the threat intelligence information available to IBM, including internet scans and spam collection from across the globe. At a high level, this score reflects the potential maliciousness and risk of that IP. As an example, an IP that is identified as frequently sending a high volume of spam has a high risk score. This score decreases over time if the IP becomes less active in its spam output, either by volume or by frequency.
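The two data elements named above, amount of evidence and its timeline, can be combined in many ways, and the page does not describe the X-Force analytics engine itself. The Python below is an added illustrative model, not IBM's implementation: each piece of evidence is weighted by an exponential decay on its age (a 30-day half-life is an assumption of the example), the weighted total is mapped onto the 1 to 10 range on a logarithmic scale, and the score therefore falls on its own when an IP stops producing new evidence, which is the behaviour the paragraph describes.

```python
import math
from datetime import datetime, timedelta, timezone

# Assumptions of this illustrative model (not X-Force parameters):
HALF_LIFE_DAYS = 30.0     # evidence loses half its weight every 30 days
SATURATION = 1000.0       # weighted evidence at which the score reaches 10


def weighted_evidence(events, now):
    """Sum of evidence volumes, each discounted by an exponential decay on its age.

    events: iterable of (timestamp, volume) pairs, e.g. spam messages observed.
    """
    total = 0.0
    for observed_at, volume in events:
        age_days = max(0.0, (now - observed_at).total_seconds() / 86400)
        total += volume * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return total


def risk_score(events, now):
    """Map weighted evidence onto the 1 (no risk) to 10 (highest risk) range.

    A log scale lets the first reports move the score quickly while a flood of
    evidence saturates at 10 instead of growing without bound.
    """
    weight = weighted_evidence(events, now)
    if weight <= 0:
        return 1
    fraction = min(1.0, math.log1p(weight) / math.log1p(SATURATION))
    return 1 + round(9 * fraction)


# Constructed sample: one burst of 1000 spam messages seen at time T0, then silence.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [(T0, 1000)]


def score_timeline(events, start, days=(0, 30, 90, 365)):
    """Scores for the same evidence evaluated at increasing ages."""
    return [(d, risk_score(events, start + timedelta(days=d))) for d in days]


if __name__ == "__main__":
    for day, score in score_timeline(SAMPLE_EVENTS, T0):
        print(f"day {day:>3}: risk score {score}")
```

With no fresh evidence the score only decays; new events at a later timestamp add undiscounted weight and push it back up, which is how "less active by volume or by frequency" and "more active" both feed into one number.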