Exporting reference sets

You can configure the QRadar® Advisor with Watson™ app to export reference sets to QRadar automatically.

Before you begin

You must have QRadar administrator privileges to export reference sets to QRadar.

About this task

Note: Reference sets are automatically exported to QRadar by default.

Based on the analysis results from your Watson investigation, you can export malicious identifiers to reference sets in your QRadar system. Watson determines what is malicious by the observables that exceed both the default toxicity threshold and the default relevance threshold. Each time an export occurs, any new observables that are found are added to the relevant reference set.

If you automatically export reference sets, the results of the export contain observable types (configured on the Automatic Investigation page) that are sufficiently toxic and relevant from the highest investigated stage.

To manually export the reference set from the Relationship Graph page, see Viewing the relationship graph

Note: Enabling automatic export for reference sets applies to offenses that are manually or automatically investigated.

For more information about Reference Sets in QRadar, see Reference sets overview.

Procedure

  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the Apps section, under QRadar Advisor with Watson, click Configuration.
  3. Click Optional Settings to open the Optional Settings menu page.
  4. Click Reference Set Export.
  5. Select the Enable automatic export checkbox and select from the following choices:
    • IP addresses
    • Hashes
    • Domains
  6. Click Submit.
    Export reference set screen