Example: Detecting malware outbreaks based on the MD5 signature
As a network security analyst for a large organization, you use QRadar to detect when a malware outbreak occurs. You set the criteria for an outbreak as a threat that occurs across 10 hosts within 4 hours. You want to use the MD5 signature as the basis for this threat detection.
You configure IBM QRadar to evaluate the incoming logs to determine whether a threat exists, and then you group all of the fired rules that contain the same MD5 signature into a single offense.
- Create a custom property to extract the MD5 signature from the logs. Ensure that the custom property is optimized and enabled.
- Create a rule and configure the rule to create an offense that uses the MD5 signature custom property as the offense index field. When the rule fires, an offense is created. All fired rules that have the same MD5 signature are grouped into one offense.
- You can search by offense type to find the offenses that are indexed by the MD5 signature custom property.
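The procedure above can be modelled outside QRadar to check that the threshold, window and grouping behave as intended. This is an added example, not IBM's code or a QRadar API: the regex stands in for the custom property, `detect_outbreaks` stands in for the rule, and the `SAMPLE_EVENTS` timestamps, host names and hashes are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for the custom property: pull the MD5 hash out of each event payload.
MD5_PROPERTY = re.compile(r"\bmd5=([0-9a-f]{32})\b", re.IGNORECASE)

THRESHOLD_HOSTS = 10          # outbreak criterion: 10 distinct hosts ...
WINDOW = timedelta(hours=4)   # ... within 4 hours

def extract_md5(payload):
    """Return the lower-cased MD5 from a payload, or None if the property is absent."""
    m = MD5_PROPERTY.search(payload)
    return m.group(1).lower() if m else None

def detect_outbreaks(events):
    """events: iterable of (timestamp, host, payload).
    Returns {md5: offense}; the offense index field is the MD5 signature."""
    sightings = defaultdict(list)   # md5 -> [(ts, host)] seen inside the window
    offenses = {}
    for ts, host, payload in sorted(events):
        md5 = extract_md5(payload)
        if md5 is None:
            continue                # no MD5 property: the rule never tests this event
        # Keep only sightings within the trailing 4-hour window.
        sightings[md5] = [(t, h) for t, h in sightings[md5] if ts - t <= WINDOW]
        sightings[md5].append((ts, host))
        hosts = {h for _, h in sightings[md5]}
        if len(hosts) >= THRESHOLD_HOSTS:
            # Rule fires; every firing with the same MD5 lands in one offense.
            off = offenses.setdefault(md5, {"index": md5, "hosts": set(), "firings": 0})
            off["hosts"] |= hosts
            off["firings"] += 1
    return offenses

# Constructed sample data (hashes and hosts are made up for the example).
BASE = datetime(2024, 1, 1, 8, 0)
HASH_A = "d41d8cd98f00b204e9800998ecf8427e"
HASH_B = "0cc175b9c0f1b6a831c399e269772661"
SAMPLE_EVENTS = (
    # 12 hosts report HASH_A within 3 hours -> one offense, fired at hosts 10, 11, 12
    [(BASE + timedelta(minutes=15 * i), f"host-{i:02d}", f"action=quarantine md5={HASH_A}") for i in range(12)]
    # 10 hosts report HASH_B one hour apart -> never 10 hosts in any 4-hour window
    + [(BASE + timedelta(hours=i), f"srv-{i:02d}", f"action=quarantine MD5={HASH_B}") for i in range(10)]
    + [(BASE, "host-99", "action=allow no hash present")]
)

if __name__ == "__main__":
    for md5, off in detect_outbreaks(SAMPLE_EVENTS).items():
        print(f"offense index={md5} hosts={len(off['hosts'])} firings={off['firings']}")
```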