Showing executed and blocked malware and file hashes
You can configure QRadar® Advisor with Watson™ to show executed and blocked malware and file hashes on the knowledge graph.
Before you begin
You must have QRadar administrator privileges.
About this task
Configuring QRadar Advisor with Watson to show executed and blocked malware and file hashes on the knowledge graph requires you to add, to one of the Watson Advisor reference sets, the custom event property value that reports malware execution status for each device type on your system that supports it. Two reference sets are installed on your QRadar system:
- Watson Advisor: File Action Allowed
- Watson Advisor: File Action Blocked
Note: Most of the common values are prepopulated but you should add new ones if these types do not match your logs.
You must complete the following steps:
- Configure or modify custom event properties in QRadar.
- Add custom event property values to Watson Advisor reference sets.
- Configure QRadar Advisor with Watson Property Mapping.
1. Configure or modify custom event properties in QRadar.
- Add the event property for the value that displays malware status from the devices that support malware execution status.
2. Configure Watson Advisor reference sets.
- Add all possible values that are found with the custom event property (created in Step 1) to one of the following reference sets. Most of the common values are prepopulated, but you should add new ones if these values do not match your logs.
  - Watson Advisor: File Action Allowed (for example, "Left alone")
  - Watson Advisor: File Action Blocked (for example, "Cleaned by deletion")
3. Configure property mapping in QRadar Advisor with Watson.
- In the Property Mapping section, click Add Mapping.
- In the Select a type list, click Events.
- In the Select a canonical name list, click File action taken.
- In the Select a property name list, click the custom property definition from Step 1.
In the following example, the custom event property is set to pull the Actual Action value "Cleaned by deletion" from the log.
If "Cleaned by deletion" was added to the Watson Advisor: File Action Blocked reference set, then the knowledge graph shows that the file was blocked from executing.
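As an added example (not part of the IBM documentation or the app's own code), the following Python script mimics the decision that the three steps above set up: it extracts the Actual Action value from constructed sample payloads the way a custom event property would, checks the value against the two reference sets, and lists any value that matches neither set so you know what still needs to be added. The reference-set contents beyond "Left alone" and "Cleaned by deletion", the regular expression and the sample payloads are assumptions.

```python
import re
from collections import defaultdict

# Assumed contents of the two Watson Advisor reference sets. Only "Left alone"
# and "Cleaned by deletion" come from the documentation; the rest are made up.
FILE_ACTION_ALLOWED = {"Left alone", "Logged"}
FILE_ACTION_BLOCKED = {"Cleaned by deletion", "Quarantined", "Access denied"}

# Assumed extraction pattern, standing in for the custom event property regex
# an administrator would define for the "Actual Action" field.
ACTUAL_ACTION_RE = re.compile(r"Actual Action:\s*([^,]+)")

# Constructed antivirus-style payloads for demonstration; not real log data.
SAMPLE_EVENTS = [
    "Event: Virus found, Actual Action: Cleaned by deletion, File: C:\\tmp\\a.exe",
    "Event: Virus found, Actual Action: Left alone, File: C:\\tmp\\b.exe",
    "Event: Virus found, Actual Action: Quarantined, File: C:\\tmp\\c.exe",
    "Event: Virus found, Actual Action: Blocked by reputation, File: C:\\tmp\\d.exe",
    "Event: Virus found, File: C:\\tmp\\e.exe",
]


def extract_action(payload):
    """Mimic the custom event property: return the Actual Action value or None."""
    match = ACTUAL_ACTION_RE.search(payload)
    return match.group(1).strip() if match else None


def classify(action):
    """Mirror the knowledge-graph decision: which reference set the value is in."""
    if action is None:
        return "no-property"      # the property did not extract anything
    if action in FILE_ACTION_BLOCKED:
        return "blocked"          # shown as blocked from executing
    if action in FILE_ACTION_ALLOWED:
        return "executed"         # shown as executed malware
    return "unmapped"             # value missing from both reference sets


def audit(payloads):
    """Classify every payload and collect the values an admin still has to add."""
    counts = defaultdict(int)
    unmapped = set()
    for payload in payloads:
        status = classify(extract_action(payload))
        counts[status] += 1
        if status == "unmapped":
            unmapped.add(extract_action(payload))
    return dict(counts), sorted(unmapped)


if __name__ == "__main__":
    totals, missing = audit(SAMPLE_EVENTS)
    print(totals)
    for value in missing:
        print(f"add {value!r} to File Action Allowed or File Action Blocked")
```

Values reported as unmapped are the ones the Note above tells you to add to one of the two reference sets; payloads reported as "no-property" point at a custom event property that does not match that log format.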
After you have configured your custom event property mapping and Watson Advisor reference sets, the knowledge graph shows when malware is executed.
Note: The graph shows an example of executed malware on V2.4.1 of the app.