Mapping threat intelligence

To enhance the offense analysis, you can map your IBM® QRadar® threat intelligence data to the QRadar Advisor with Watson™ app property names.

Before you begin

You must have QRadar administrator privileges to map threat intelligence reference sets.

To get the best results from your threat intelligence data, make sure that you mapped all of your custom properties to the QRadar Advisor with Watson app. For more information, see Mapping custom properties.

Matches to reference sets are determined based on the values that are configured in the Custom Event Properties. For example, if a custom event property for URL captures ““, then the matching value in the reference set would also need to be “” Values such as “” would not be matched.

About this task

The Enable local threat intelligence correlation checkbox is selected by default. The following reference sets, Watson Advisor: Hash, Watson Advisor: IpAddress, and Watson Advisor: DomainName are all mapped by default. The following screen shows the default configuration for Threat Intelligence Mapping in V2.5.0 and later.

Threat Intelligence Configuration screen

Configure threat intelligence mapping to correlate your local threat intelligence data, which is contained in reference sets, to the QRadar Advisor with Watson app property names. The QRadar Advisor with Watson app can correlate any existing threat intelligence data that is configured and available.

The following reference set types are supported:
  • Username
  • Domain
  • Hash
  • URL
  • AVSignature
  • Filename supports ALN and ALNIC
  • IpAddress supports ALN, ALNIC, and IP

When an observable is found to match a threat intelligence reference set, the observable icon on the knowledge graph displays in red and the toxicity is set to 1.0. You can click the red observable to open the details pane and see the reference set that was matched.

Note: Threat intelligence data is included only with Local and Expanded Local Context analysis.


  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the Apps section, under QRadar Advisor with Watson, click Configuration.
  3. Click Optional Settings to open the Optional Settings menu page.
  4. Click Threat Intelligence.
  5. Select the Enable local threat intelligence correlation checkbox.
  6. Select a canonical property name that you want to correlate and then click Edit.
  7. From the Available reference sets list, you can select one or more reference sets and then click the down arrow to add them to the Selected reference sets list.
    Note: All canonical types can be mapped to one or more reference sets.
  8. Click Submit.