Showing executed and blocked malware and file hashes
You can configure QRadar® Advisor with Watson™ to show executed and blocked malware and file hashes on the knowledge graph.
Before you begin
You must have QRadar administrator privileges.
About this task
QRadar Advisor with Watson decides whether a file was allowed to execute or was blocked by matching the value of a custom event property against the following reference sets:
- Watson Advisor: File Action Allowed
- Watson Advisor: File Action Blocked
To show this status on the knowledge graph, you complete the following tasks:
- Configure or modify custom event properties in QRadar.
- Add custom event property values to the Watson Advisor reference sets.
- Configure QRadar Advisor with Watson property mapping.
Step 1: Configure or modify custom event properties.
- Add an event property that extracts the value showing the malware status from the devices that report malware execution status (for example, an endpoint-protection product's "Actual Action" field).
Step 2: Configure the Watson Advisor reference sets.
Add all possible values that are found with the custom event property (created in Step 1) to one of the following reference sets:
- Watson Advisor: File Action Allowed (for example, "Left alone")
- Watson Advisor: File Action Blocked (for example, "Cleaned by deletion")
Most of the common values are prepopulated, but you must add new ones if the prepopulated values do not match the values in your logs; a value that is in neither reference set cannot be shown as allowed or blocked on the knowledge graph.
Step 3: Configure property mapping in QRadar Advisor with Watson.
- In the Property Mapping section, click Add Mapping.
- In the Select a type list, click Events.
- In the Select a canonical name list, click File action taken.
- In the Select a property name list, click the custom property definition from Step 1.
In the following example, the custom event property is set to pull the Actual Action value "Cleaned by deletion" from the log.
If "Cleaned by deletion" was added to the Watson Advisor: File Action Blocked reference set, then the knowledge graph shows that the file was blocked from executing.
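The following Python script is an added example, not code from the QRadar documentation or from IBM. It models the three steps above offline so that you can check your own reference-set values before you trust the knowledge graph: a regular expression stands in for the Step 1 custom event property, two Python sets stand in for the Step 2 reference sets, and `file_action_taken` performs the Step 3 mapping to the canonical "File action taken" value. The log format, the regular expression and every reference-set value other than "Left alone" and "Cleaned by deletion" are constructed assumptions; real reference-set contents come from your QRadar console. The `find_unmapped_values` helper goes slightly beyond the page: it reports the extracted values that fall into neither reference set, which are exactly the values Step 2 tells you to add.

```python
import re
from typing import Iterable, Optional, Set

# Constructed stand-ins for the two reference sets named on the page.
# "Left alone" and "Cleaned by deletion" are the page's own examples; the other
# members are assumptions standing in for values an administrator adds from logs.
FILE_ACTION_ALLOWED: Set[str] = {"Left alone", "Logged only"}
FILE_ACTION_BLOCKED: Set[str] = {"Cleaned by deletion", "Quarantined"}

# Hypothetical custom event property (Step 1): a regex that pulls the value of the
# "Actual Action" field out of an endpoint-protection event. Matches the value with
# or without surrounding double quotes, up to the next comma.
ACTUAL_ACTION_RE = re.compile(r'Actual Action:\s*"?([^",]+)"?')

# Constructed sample events in an assumed key/value format.
SAMPLE_EVENTS = [
    'Risk Name: Trojan.Gen, Actual Action: "Cleaned by deletion", Requested Action: Quarantined',
    'Risk Name: EICAR Test String, Actual Action: Left alone, Requested Action: Cleaned',
    'Risk Name: Adware.Generic, Actual Action: "Access denied", Requested Action: Cleaned',
    'Risk Name: Unknown, Requested Action: Cleaned',
]


def extract_actual_action(event: str) -> Optional[str]:
    """Step 1: extract the custom event property value, or None if absent."""
    match = ACTUAL_ACTION_RE.search(event)
    return match.group(1).strip() if match else None


def file_action_taken(
    event: str,
    allowed: Set[str] = FILE_ACTION_ALLOWED,
    blocked: Set[str] = FILE_ACTION_BLOCKED,
) -> str:
    """Step 3: map the extracted value to the canonical 'File action taken'.

    Returns "blocked", "allowed", or "unmapped". Reference-set membership is an
    exact string match, which is why Step 2 asks for every value seen in the logs.
    """
    value = extract_actual_action(event)
    if value is None:
        return "unmapped"
    if value in blocked:
        return "blocked"
    if value in allowed:
        return "allowed"
    return "unmapped"


def find_unmapped_values(
    events: Iterable[str],
    allowed: Set[str] = FILE_ACTION_ALLOWED,
    blocked: Set[str] = FILE_ACTION_BLOCKED,
) -> Set[str]:
    """Step 2 check: values the property extracts that are in neither reference set.

    These are the values the knowledge graph cannot classify until they are added
    to Watson Advisor: File Action Allowed or Watson Advisor: File Action Blocked.
    """
    unmapped: Set[str] = set()
    for event in events:
        value = extract_actual_action(event)
        if value is not None and value not in allowed and value not in blocked:
            unmapped.add(value)
    return unmapped


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{file_action_taken(event):>8}  <- {event}")
    print("values to add to a reference set:", find_unmapped_values(SAMPLE_EVENTS))
```

Run the script against an export of real events and add each value it reports under "values to add to a reference set" to the appropriate reference set in Step 2; an event whose property value is "unmapped" shows no execution status on the knowledge graph.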