Getting started with the QRadar Advisor with Watson app

For the QRadar Advisor with Watson app to work properly with the features in IBM® QRadar® products, review the table below and tune your QRadar deployment accordingly.

The QRadar Advisor with Watson™ app relies on data in your QRadar deployment. To get the best information from QRadar Advisor with Watson, you should consider tuning your QRadar deployment.
Note: The QRadar Use Case Manager app can help you to tune your QRadar system. For more information, see QRadar Use Case Manager.

The following table includes a list of items that you should consider tuning to improve the quality of your QRadar Advisor with Watson investigations.

Table 1. Tuning QRadar deployment and process
Columns: Issue, Remedy, Related topics
Issue: Advisor depends on QRadar normalization.
Remedy: The QRadar Advisor with Watson app uses QRadar standard properties and custom properties when it mines data from events and flows. If important observables are in the payload, check that they are being extracted into custom properties and then map those properties in the QRadar Advisor with Watson app.
Related: Mapping custom properties; Custom event and flow properties

Issue: Non-working custom properties cause issues.
Remedy: Ensure that a custom property works accurately for all event types in your log sources. For example, if your file hash custom property extracts incorrect data for some events and works for others, the quality of your investigation results in the QRadar Advisor with Watson app can suffer.

Issue: Advisor requires custom mapping.
Remedy: The QRadar Advisor with Watson app requires mappings beyond the app's default custom properties. If you used only the default mappings after installation, your QRadar Advisor with Watson analysis can be missing a significant portion of local context. Increase your QRadar Advisor with Watson mappings.
Related: Mapping custom properties

Issue: Define and update your network hierarchy in your QRadar system.
Remedy: The QRadar Advisor with Watson app needs to know which IP addresses are local and which are not part of your local network. If your network changed, for example, you added a subnet, check that your QRadar network hierarchy is still accurate.
Related: Network hierarchy

Issue: Define asset weights in the QRadar asset profile.
Remedy: The QRadar Advisor with Watson app uses asset weights from the Asset profile in QRadar. Make sure that the asset weight in the QRadar asset profile is accurate.
Related: Adding or editing an asset profile

Issue: CRE rule accuracy affects Advisor.
Remedy: If CRE rules are misfiring, the QRadar Advisor with Watson app's MITRE ATT&CK accuracy can suffer. Additionally, rules that misfire and create offenses can cause issues with the QRadar Advisor with Watson app. Periodically review and tune rules.
Related: QRadar tuning; Guidelines for tuning system performance

Issue: Advisor uses host definition building blocks (BB:HostDefinition).
Remedy: The QRadar Advisor with Watson app, MITRE ATT&CK mappings, and CRE rules depend on hosts that provide specific functions, such as DNS servers and DHCP servers, being accurately defined in QRadar building blocks.
Related: Reviewing building blocks
Issue: Install and configure the UBA app to see user information.
Remedy: If the User Behavior Analytics app is installed, QRadar Advisor with Watson uses UBA reference sets and UBA risk scores. If both the QRadar Advisor with Watson app and the UBA app are installed, you can start a user-specific investigation.
Related: User Behavior Analytics for QRadar

Issue: QRadar system warnings cause issues.
Remedy: Before you install the QRadar Advisor with Watson app, pay attention to QRadar system warnings and fix them. They can prevent the app from functioning properly.
Related: QRadar system notifications

Issue: QRadar patch installations should not be combined with QRadar Advisor with Watson installations.
Remedy: Don't install a QRadar patch and install or upgrade the QRadar Advisor with Watson app at the same time; doing so makes it harder to tell which change caused a problem with QRadar Advisor with Watson. Complete the QRadar patch update, spend some time at the new patch level to ensure that it is functioning well, and only then install or upgrade the QRadar Advisor with Watson app.

Issue: Advisor uses QRadar offense closing reasons.
Remedy: Consider adding closing reasons that make sense for your workflow (for example, "Escalated to Incident Response" or "CRE rule tuning needed") and ensure that all your QRadar users and scripts that close offenses select the appropriate QRadar closing reason when they close an offense.
Related: Custom offense close reasons

Issue: Advisor depends on proper reference set values from anti-virus custom properties.
Remedy: The QRadar Advisor with Watson app's anti-virus blocking and execution graph highlighting depend on proper reference set values from anti-virus custom properties.
Related: Showing executed and blocked malware and file hashes
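
The "Non-working custom properties" row above says a property must extract correctly for every event type of a log source, but does not show how to check that. The following added example (not IBM code, and it does not call the QRadar API) runs the regex and capture group you would configure for a regex-based custom event property over a constructed sample of raw payloads and reports, per event type, how many payloads yield a valid hash, an invalid value, or nothing. The event type labels, payloads and both regexes are assumptions made for the example; QRadar evaluates custom properties as Java regular expressions, so confirm the final pattern with the property editor's test against a real payload before saving it.

```python
"""Audit a regex custom property over sample payloads, per event type."""
import re
from collections import defaultdict

# Constructed payloads from a hypothetical EDR log source. The event type
# labels are illustrative and are not real QRadar QID names.
SAMPLE_EVENTS = [
    ("ProcessCreate", "act=ProcessCreate user=alice file=a.exe "
                      "hash=SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
    ("ProcessCreate", "act=ProcessCreate user=bob file=b.exe hash=MD5=d41d8cd98f00b204e9800998ecf8427e"),
    ("FileQuarantine", "act=FileQuarantine file=c.dll "
                       "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("NetworkConnect", "act=NetworkConnect src=10.0.0.5 dst=203.0.113.9 dpt=443"),
    ("AlertHash", "act=AlertHash hash=abc123 status=truncated"),
]

# A custom property is a regex plus the capture group that becomes the value.
# First attempt at a "file hash" property: captures whatever follows "hash=".
# It picks up the algorithm prefix on ProcessCreate events and a truncated
# value on AlertHash events, and misses FileQuarantine entirely.
NAIVE_HASH_PROPERTY = (re.compile(r"hash=(\S+)"), 1)

# Corrected property: accepts the key names this source actually uses, skips
# an optional algorithm prefix, and captures only a hex string of MD5, SHA-1
# or SHA-256 length. Anything else yields no value rather than garbage.
STRICT_HASH_PROPERTY = (
    re.compile(r"(?:hash|sha256|sha1|md5)=(?:(?:sha256|sha1|md5)=)?"
               r"([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    1,
)

# Sanity check for the extracted value: a bare hex digest of a known length.
VALID_HASH = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})", re.I)


def extract(prop, payload):
    """Apply the property's regex to one payload; None when it does not match."""
    regex, group = prop
    m = regex.search(payload)
    return m.group(group) if m else None


def audit_property(prop, events, is_valid=VALID_HASH.fullmatch):
    """Per event type: counts of valid, invalid and empty extractions."""
    report = defaultdict(lambda: {"ok": 0, "bad": 0, "empty": 0, "bad_values": []})
    for event_type, payload in events:
        value = extract(prop, payload)
        row = report[event_type]
        if value is None:
            row["empty"] += 1
        elif is_valid(value):
            row["ok"] += 1
        else:
            row["bad"] += 1
            row["bad_values"].append(value)
    return dict(report)


def unreliable_event_types(report):
    """Event types for which the property produced at least one invalid value."""
    return {event_type for event_type, row in report.items() if row["bad"]}


if __name__ == "__main__":
    for label, prop in (("naive", NAIVE_HASH_PROPERTY), ("strict", STRICT_HASH_PROPERTY)):
        report = audit_property(prop, SAMPLE_EVENTS)
        print(f"{label}: unreliable for {sorted(unreliable_event_types(report)) or 'no'} event types")
        for event_type, row in sorted(report.items()):
            print(f"  {event_type:15} ok={row['ok']} bad={row['bad']} empty={row['empty']} {row['bad_values']}")
```

An "empty" count is acceptable for event types that legitimately carry no hash (NetworkConnect here); a non-zero "bad" count for any event type is what degrades QRadar Advisor with Watson investigations and is the signal to fix the regex before mapping the property in the app.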
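
The "Define and update your network hierarchy" row above asks you to confirm that the hierarchy is still accurate after a change such as a new subnet. The following added example (not IBM code, and independent of the QRadar API) takes a hierarchy as object name to CIDR list, the shape of what you define in the QRadar network hierarchy editor, plus a constructed list of addresses you know to be internal (for example a DHCP lease export), and reports which of those addresses would be treated as remote because no object contains them, grouped into candidate /24 objects to add. The object names, CIDRs and addresses are assumptions, and longest-prefix resolution of nested objects is an assumption made for the example.

```python
"""Check that a network hierarchy still covers every address you consider local."""
import ipaddress
from collections import defaultdict

# Constructed hierarchy; the object names are illustrative.
HIERARCHY = {
    "Corp.Core": ["10.0.0.0/8"],
    "Corp.Core.Printers": ["10.5.0.0/16"],          # nested inside Corp.Core
    "Corp.Users.Wired": ["172.16.10.0/24", "172.16.11.0/24"],
    "Corp.Servers.DMZ": ["192.168.100.0/24"],
}

# Constructed addresses known to be internal, e.g. from a DHCP lease export
# taken after a new user subnet (172.16.12.0/24) was brought online.
OBSERVED_LOCAL_IPS = [
    "10.1.2.3", "172.16.10.44", "172.16.11.9", "172.16.12.7",
    "172.16.12.200", "192.168.100.15", "192.168.101.5",
]


def build_hierarchy(hierarchy):
    """Flatten name -> CIDRs into (name, network) pairs; rejects malformed CIDRs."""
    nets = []
    for name, cidrs in hierarchy.items():
        for cidr in cidrs:
            nets.append((name, ipaddress.ip_network(cidr, strict=True)))
    return nets


def resolve(nets, ip_str):
    """Name of the most specific object containing ip_str, or None if no object does.

    Longest-prefix resolution is assumed here so that nested objects
    (a /16 inside a /8) resolve to the inner object.
    """
    ip = ipaddress.ip_address(ip_str)
    matches = [(net.prefixlen, name) for name, net in nets if ip in net]
    return max(matches)[1] if matches else None


def uncovered(nets, ips):
    """Addresses that no hierarchy object contains; they would be treated as remote."""
    return [ip for ip in ips if resolve(nets, ip) is None]


def suggest_objects(ips, prefixlen=24):
    """Group uncovered addresses into candidate networks of the given size."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


if __name__ == "__main__":
    nets = build_hierarchy(HIERARCHY)
    missing = uncovered(nets, OBSERVED_LOCAL_IPS)
    if not missing:
        print("every observed local address is covered by a hierarchy object")
    for cidr, members in suggest_objects(missing).items():
        print(f"add an object for {cidr}: {len(members)} observed local hosts not in any object")
```

Feed the check only addresses you already know are internal: a public address that resolves to None is the expected "remote" result, not a hierarchy gap. Run it again after each network change, and after adding the suggested objects, re-run it to confirm the list is empty before expecting QRadar Advisor with Watson to treat those hosts as local.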