Mapping threat intelligence
To enhance the offense analysis, you can map your IBM® QRadar® threat intelligence data to the QRadar Advisor with Watson™ app property names.
Before you begin
You must have QRadar administrator privileges to map threat intelligence reference sets.
To get the best results from your threat intelligence data, make sure that you mapped all of your custom properties to the QRadar Advisor with Watson app. For more information, see Mapping custom properties.
About this task
The Enable local threat intelligence correlation checkbox is selected by default. The following reference sets, Watson Advisor: Hash, Watson Advisor: IpAddress, and Watson Advisor: DomainName are all mapped by default. The following screen shows the default configuration for Threat Intelligence Mapping in V2.5.0 and later.
Configure threat intelligence mapping to correlate your local threat intelligence data, which is contained in reference sets, to the QRadar Advisor with Watson app property names. The QRadar Advisor with Watson app can correlate any existing threat intelligence data that is configured and available.
- Filename supports ALN and ALNIC
- IpAddress supports ALN, ALNIC, and IP
When an observable is found to match a threat intelligence reference set, the observable icon on the knowledge graph displays in red and the toxicity is set to 1.0. You can click the red observable to open the details pane and see the reference set that was matched.
- On the navigation menu ( ), click Admin.
- In the Apps section, under QRadar Advisor with Watson, click Configuration.
- Click Optional Settings to open the Optional Settings menu page.
- Click Threat Intelligence.
- Select the Enable local threat intelligence correlation checkbox.
- Select a canonical property name that you want to correlate and then click Edit.
From the Available reference sets list, you can select one or more
reference sets and then click the down arrow to add them to the Selected reference
Note: All canonical types can be mapped to one or more reference sets.
- Click Submit.