To add elements to a reference set, import indicator of compromise (IOC) data to the
reference set. Import IOC data to a reference set when you want IBM
QRadar to compare a property
to the element value. Use QRadar to manually add elements
to a reference set, or to import elements from a .csv file.
Before you begin
To import elements, make sure that the .csv file is stored locally.
About this task
You can assign reference data to a specific domain. Domain-specific reference data can be viewed
by tenant users who have access to the domain, MSSP Administrators, and users who do not have a
tenant assignment. Users in all tenants can view shared reference data. For example, MSSP users who
are not administrators can view reference data that is assigned to a domain.
Procedure
- Go to the Admin tab.
- In the System Configuration section, click Reference Set Management.
- Select the reference set that you want to add the elements to, and click View Contents.
- Click the Content tab.
- To add data elements manually, follow these steps:
  - Click Add and configure the parameters.
    Valid port values are 0 - 65535. Valid IP addresses are between 0 and 255.255.255.255.
    Note: If you use data obfuscation techniques on the event properties that you want to compare to the reference set data, you must use an alphanumeric reference set that contains the obfuscated data values.
  - Click Add.
- To add elements from a .csv file, follow these steps:
  - Click Import.
  - Click Select File and browse to select the .csv file that you want to import.
    The .csv file must be formatted with all items comma-separated on a single line, or with each item on a separate line. A delimiter is not required when each item is on a separate line.
  - Select the Domain that you want to add the reference set data to.
  - Click Import.
    The import adds the content of the text file to the reference set.
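
Added example (not IBM code): a pre-import check that reads an IOC list in either layout the import accepts, validates each item against the port and IP limits stated above, removes duplicates, and produces the one-item-per-line form. The type labels "ip", "port" and "alphanumeric" are this script's own names, the sample addresses are constructed, and IP validation assumes dotted-quad IPv4.

```python
import ipaddress

# Constructed sample IOC export: both accepted layouts mixed, plus bad rows.
SAMPLE = "203.0.113.7, 198.51.100.23,203.0.113.7\n192.0.2.300\n\n10.0.0.5\n"

def split_items(text):
    """Accept comma-separated items on one line, one item per line, or a mix."""
    items = []
    for line in text.splitlines():
        items.extend(part.strip() for part in line.split(","))
    return [i for i in items if i]

def is_valid(item, element_type):
    """Check one item against the limits stated for the reference set's type."""
    if element_type == "port":
        # Valid port values are 0 - 65535; reject signs and non-ASCII digits.
        return item.isascii() and item.isdigit() and int(item) <= 65535
    if element_type == "ip":
        try:
            ipaddress.IPv4Address(item)  # assumption: dotted-quad IPv4 only
            return True
        except ValueError:
            return False
    if element_type == "alphanumeric":
        return True  # free text, e.g. obfuscated property values
    raise ValueError(f"unknown element type: {element_type}")

def prepare_import(text, element_type):
    """Return (accepted, rejected); accepted is de-duplicated, order preserved."""
    accepted, rejected, seen = [], [], set()
    for item in split_items(text):
        if not is_valid(item, element_type):
            rejected.append(item)
        elif item not in seen:
            seen.add(item)
            accepted.append(item)
    return accepted, rejected

def to_csv(accepted):
    """One item per line, so no delimiter is needed."""
    return "\n".join(accepted) + "\n"

if __name__ == "__main__":
    ok, bad = prepare_import(SAMPLE, "ip")
    print(to_csv(ok), end="")
    print("rejected:", bad)
```

Review the rejected list before importing: a malformed indicator that is silently dropped or imported as-is is a detection gap, because rules that compare a property to the reference set will never match it.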