Showing executed and blocked malware and file hashes

You can configure QRadar® Advisor with Watson™ to show executed and blocked malware and file hashes on the knowledge graph.

Before you begin

You must have QRadar administrator privileges.

About this task

To show executed and blocked malware and file hashes on the knowledge graph, you add to one of the Watson Advisor reference sets the custom event property values that each device type on your system reports for malware execution status. Two reference sets are installed on your QRadar system:
  • Watson Advisor: File Action Allowed
  • Watson Advisor: File Action Blocked
Note: Most of the common values are prepopulated, but you should add new ones if these values do not match your logs.
You must complete the following steps:
  1. Configure or modify custom event properties in QRadar.
  2. Add custom event property values to Watson Advisor reference sets.
  3. Configure QRadar Advisor with Watson Property Mapping.

Procedure

  1. Configure or modify custom event properties.
    1. Admin > Data sources > Events > Custom Event Properties.
    2. Add the event property for the value that displays malware status from the devices that support malware execution status.
  2. Configure Watson Advisor Reference sets.
    1. Admin > System Configuration > Reference Set Management.
    2. Add every value that the custom event property (created in Step 1) can take to one of the following reference sets:
      • Watson Advisor: File Action Allowed (For example, "Left alone")
      • Watson Advisor: File Action Blocked (For example, "Cleaned by deletion")
      Most of the common values are prepopulated, but you should add new ones if these values do not match your logs.
  3. Configure property mapping in QRadar Advisor with Watson.
    1. Admin > > Configuration.
    2. In the Property Mapping section, click Add Mapping.
    3. In the Select a type list, click Events.
    4. In the Select a canonical name list, click File action taken.
    5. In the Select a property name list, click the custom property definition from Step 1.
    6. Click Add.
    Example:

    In the following example, the Custom Event Property is set to pull the Actual Action "Cleaned by deletion" from the log.

    If "Cleaned by deletion" was added to the Watson Advisor: File Action Blocked reference set, then the knowledge graph shows that the file is blocked from executing.

    Figure: File action taken example
    Figure: Log example
    Figure: Reference Set: Watson Advisor example
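The three steps above amount to one lookup: the custom event property extracts the file-action value from each event, and the two reference sets decide whether the graph shows the file as allowed or blocked. The following Python is an added example, not part of the product or this documentation, that models that lookup offline so you can check which values in your own logs are still missing from both sets (the case the note about prepopulated values warns about). The reference set names are from the page; the member values, the key: value event format, the "Actual Action" regex and the sample events are constructed for the example and do not represent any vendor's log format.

```python
import re
from collections import Counter

# Names of the two reference sets are from the procedure; the member values are a
# constructed sample (the page itself names only "Left alone" and "Cleaned by deletion").
REFERENCE_SETS = {
    "Watson Advisor: File Action Allowed": {"Left alone"},
    "Watson Advisor: File Action Blocked": {"Cleaned by deletion", "Quarantined"},
}

# Stand-in for the custom event property from Step 1: pull the "Actual Action" field
# out of a constructed, comma-separated key: value event format (hypothetical format).
ACTUAL_ACTION_RE = re.compile(r"Actual Action:\s*([^,]+)")


def extract_file_action(log_line):
    """Return the Actual Action value, or None when the property does not match the event."""
    match = ACTUAL_ACTION_RE.search(log_line)
    return match.group(1).strip() if match else None


def classify(value, reference_sets=REFERENCE_SETS):
    """Map a file-action value to the state the knowledge graph would show.

    Exact-match lookup against the two sets. Returns 'blocked', 'allowed', or 'unknown'
    when the value is in neither set, which is exactly the value you must add (Step 2).
    """
    if value in reference_sets["Watson Advisor: File Action Blocked"]:
        return "blocked"
    if value in reference_sets["Watson Advisor: File Action Allowed"]:
        return "allowed"
    return "unknown"


def audit(log_lines, reference_sets=REFERENCE_SETS):
    """Classify every event and count the values that are missing from both sets."""
    results = []
    missing = Counter()
    for line in log_lines:
        value = extract_file_action(line)
        state = classify(value, reference_sets) if value is not None else "no-property"
        results.append((value, state))
        if state == "unknown":
            missing[value] += 1
    return results, missing


# Constructed sample events (not taken from the page or from any real product log).
SAMPLE_EVENTS = [
    "Risk found, Host: ws-01, Actual Action: Cleaned by deletion, Requested Action: Quarantine",
    "Risk found, Host: ws-02, Actual Action: Left alone, Requested Action: Clean",
    "Risk found, Host: ws-03, Actual Action: Access denied, Requested Action: Clean",
    "Risk found, Host: ws-04, Actual Action: Access denied, Requested Action: Clean",
    "Heartbeat, Host: ws-05",
]

if __name__ == "__main__":
    results, missing = audit(SAMPLE_EVENTS)
    for value, state in results:
        print(f"{value!r:28} -> {state}")
    for value, count in missing.items():
        print(f"add {value!r} to one of the two reference sets ({count} events)")
```

Running it over the sample events reports "Access denied" as a value that lands in neither set, so the corresponding files would show no execution status on the graph until that value is added to File Action Allowed or File Action Blocked. Events with no Actual Action field at all point at the custom event property rather than the reference sets.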

Results

After you configure your custom event property mapping and Watson Advisor reference sets, you can see on the knowledge graph when malware is executed.

Example

Note: The graph shows an example of executed malware on V2.4.1 of the app.
Figure: Example of malware executed on graph