Installing the IBM QRadar Security Threat Monitoring Content Extension application

The IBM QRadar Security Threat Monitoring Content Extension application contains IBM QRadar content, such as rules, building blocks, and custom properties, that are designed specifically for use with X-Force data. The enhanced content can help you to identify and to remediate undesirable activity in your environment before it threatens the stability of your network.

Before you begin

Download the IBM QRadar Security Threat Monitoring Content Extension application from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:IBMContentPackageInternalThreat).

About this task

To use X-Force data in QRadar rules, offenses, and events, you must configure IBM QRadar to automatically load data from the X-Force servers to your QRadar appliance.

To load X-Force data locally, enable the X-Force Threat Intelligence feed in the system settings. If new information is available when X-Force starts, the IP address reputation or URL database is updated. These updates are merged into their own databases and the content is replicated from the QRadar Console to all managed hosts in the deployment.

The X-Force rules are visible in the product even if the application is later uninstalled.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Extensions Management.
  3. Upload the application to the QRadar console by following these steps:
    1. Click Add.
    2. Click Browse to find the extension.
    3. Optional: Click Install immediately to install the extension without viewing the contents.
    4. Click Add.
  4. To view the contents of the extension, select it from the extensions list and click More Details.
  5. To install the extension, follow these steps:
    1. Select the extension from the list and click Install.
    2. If the extension does not include a digital signature, or it is signed but the signature is not associated with the IBM Security certificate authority (CA), you must confirm that you still want to install it. Click Install to proceed with the installation.
    3. Review the changes that the installation makes to the system.
    4. Select Overwrite or Keep existing data to specify how to handle existing content items.
    5. Click Install.
    6. Review the installation summary and click OK.

      The rules appear under the Threats group in the Rules List window. They must be enabled before they are used.

What to do next

Enable the X-Force Threat Intelligence feed so that you can use the X-Force rules or add X-Force functions to AQL searches. For more information, see Enabling the X-Force Threat Intelligence feed.