Managing rules and use cases

The IBM® Detection and Response Center provides a unified overview of your organization's security posture through use cases from different security tools and platforms.

Sigma rules, enhanced with STIX patterns, are used by Threat Investigator in its investigations. You can also run the STIX patterns in Data Explorer. For more information, see the Sigma rules repository at https://github.com/SigmaHQ/sigma; the rules in that repository are distributed under the Detection Rule License (DRL) 1.1.

QRadar® rules are retrieved from a QRadar SIEM deployment when the IBM QRadar Proxy app is configured.

IBM content contains enrichment and correlation rules that work together to group similar alerts into cases for security analysts to investigate.

Explore detection rules through visualization and reports

  • Explore the rules through different filters.
  • Customize reports to see only the information that is critical to your analysis.
  • Run STIX patterns from Sigma rules in Data Explorer.
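The following script is an added example, not part of this documentation and not code from IBM or the Sigma project. It shows what the relationship between a Sigma rule and its STIX pattern looks like in practice: a constructed process-creation rule is translated into a STIX 2.1 pattern of the kind you can run in Data Explorer, and the same rule is evaluated against constructed events. The mapping from Sigma field names to STIX object paths, the rule, the events, and the subset of Sigma syntax that is supported (equality and the contains, startswith and endswith modifiers; list values; conditions built from selection names with and, or and not) are all assumptions of the example.

```python
"""Translate a Sigma rule into a STIX 2.1 pattern, then evaluate the rule.

Added illustration, not IBM's or SigmaHQ's code. The Sigma-field-to-STIX-path
mapping, the rule and the events are constructed assumptions. Supported Sigma
syntax: equality plus contains/startswith/endswith, list values (OR), multi-field
selections (AND), and conditions of selection names joined with 'and', 'or' and
'not' (no parentheses, no '1 of' / 'all of').
"""
import re

# Assumed mapping from Sysmon-style Sigma field names to STIX 2.1 object paths.
FIELD_MAP = {
    "Image": "process:binary_ref.name",
    "ParentImage": "process:parent_ref.binary_ref.name",
    "CommandLine": "process:command_line",
    "User": "process:creator_user_ref.account_login",
}

# Constructed Sigma rule, as it looks after its YAML has been parsed.
RULE = {
    "title": "Account discovery from cmd.exe",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\cmd.exe",
            "CommandLine|contains": ["whoami", "net user", "nltest"],
        },
        "filter": {"User|startswith": "SVC-"},
        "condition": "selection and not filter",
    },
}

def _stix_string(value):
    """Quote a STIX string constant, escaping backslash and single quote."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"

def _comparison(field_spec, value, negate):
    """One STIX comparison expression for a Sigma 'field|modifier' and value."""
    name, _, modifier = field_spec.partition("|")
    path = FIELD_MAP[name]
    op = "NOT " if negate else ""
    if modifier == "":
        return f"{path} {op}= {_stix_string(value)}"
    if any(c in str(value) for c in "%_"):
        # '%' and '_' are LIKE wildcards with no escape; such values need MATCHES.
        raise ValueError(f"value {value!r} needs a MATCHES pattern, not LIKE")
    wild = {"contains": ("%", "%"), "startswith": ("", "%"), "endswith": ("%", "")}
    if modifier not in wild:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    pre, post = wild[modifier]
    return f"{path} {op}LIKE {_stix_string(pre + str(value) + post)}"

def _selection_pattern(selection, negate):
    """AND of fields, each an OR of its values; negation applies De Morgan."""
    terms = []
    for spec, values in selection.items():
        values = values if isinstance(values, list) else [values]
        comps = [_comparison(spec, v, negate) for v in values]
        joiner = " AND " if negate else " OR "
        terms.append(comps[0] if len(comps) == 1 else "(" + joiner.join(comps) + ")")
    joiner = " OR " if negate else " AND "
    return terms[0] if len(terms) == 1 else "(" + joiner.join(terms) + ")"

def _parse_condition(condition):
    """Split 'a and not b or c' into [[(False, 'a'), (True, 'b')], [(False, 'c')]]."""
    groups = []
    for group in re.split(r"\s+or\s+", condition.strip()):
        terms = []
        for term in re.split(r"\s+and\s+", group):
            negated = term.startswith("not ")
            terms.append((negated, term[4:].strip() if negated else term.strip()))
        groups.append(terms)
    return groups

def sigma_to_stix(rule):
    """Return the STIX 2.1 pattern equivalent to the rule's detection block."""
    det = rule["detection"]
    groups = [" AND ".join(_selection_pattern(det[name], negated) for negated, name in terms)
              for terms in _parse_condition(det["condition"])]
    body = groups[0] if len(groups) == 1 else " OR ".join("(" + g + ")" for g in groups)
    return "[" + body + "]"

def _value_matches(modifier, expected, actual):
    """Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    return {"": a == e, "contains": e in a,
            "startswith": a.startswith(e), "endswith": a.endswith(e)}[modifier]

def _selection_matches(selection, event):
    for spec, values in selection.items():
        name, _, modifier = spec.partition("|")
        values = values if isinstance(values, list) else [values]
        if name not in event or not any(_value_matches(modifier, v, event[name]) for v in values):
            return False
    return True

def sigma_matches(rule, event):
    """Evaluate the rule's condition against one normalised event dict."""
    det = rule["detection"]
    return any(all(_selection_matches(det[name], event) != negated for negated, name in terms)
               for terms in _parse_condition(det["condition"]))

# Constructed process-creation events, already normalised to Sigma field names.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami /all", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c net user /domain", "User": "SVC-backup"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    print(sigma_to_stix(RULE))
    for event in EVENTS:
        print(sigma_matches(RULE, event), event["CommandLine"])
```

Two caveats the translation makes visible: Sigma matches strings case-insensitively, whereas a STIX pattern evaluator may not, so confirm how the data source normalises case before relying on a translated pattern; and values that contain the LIKE wildcard characters % or _ cannot be expressed with LIKE and need a MATCHES regular expression instead, which is why the script refuses them.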

Visual threat coverage across the MITRE ATT&CK framework

  • Visually understand your ability to detect threats based on ATT&CK tactics and techniques.
  • Use new insights to prioritize the rollout of new use cases and apps to effectively strengthen your security posture.

IBM content for alert enrichment and correlation

Enrichment adds information to the normalized alerts (findings) that come in from the separate tools so that the severity of each alert can be determined. The IBM X-Force Threat Intelligence Service provides the risk score for the observables in an alert (files, IP addresses, URLs, domains). The enrichment rules from IBM then look for specific observables in an alert and adjust its risk score when they are present.

Correlation occurs after enrichment. Similar findings from supported tools (data sources) are collected and combined into one case, together with the related alerts, for analysts to investigate further. If an alert matches a previous one on the correlation condition (a set of properties), the two are correlated into one case for the analyst to investigate, and the case is ranked by the cumulative risk score of the alerts it contains.
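The following script is an added illustration of the enrich-then-correlate order described above; it is not IBM's content or code. The reputation table (a stand-in for the X-Force lookup), the enrichment rules, the correlation properties and the severity thresholds are all constructed assumptions. Each observable in a finding gets a reputation score that the enrichment rules adjust, the finding takes the risk of its riskiest observable, and findings that agree on the correlation properties are then grouped into a case whose severity follows from the cumulative risk.

```python
"""Enrich normalised findings, then correlate them into cases.

Added illustration, not IBM's content or code. The reputation table (standing
in for a threat-intelligence lookup), the enrichment rules, the correlation
properties and the severity thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed reputation lookup: observable type -> value -> risk score (0-10).
REPUTATION = {
    "ip": {"198.51.100.23": 9, "203.0.113.7": 3},
    "domain": {"update-check.example": 7},
}
CRITICAL_ASSETS = {"10.0.0.5"}      # constructed: a domain controller
ALLOWLIST = {"203.0.113.7"}         # constructed: an approved partner scanner

# Enrichment rules: (name, predicate on an observable, risk adjustment).
ENRICHMENT_RULES = [
    ("critical asset involved", lambda o: o["value"] in CRITICAL_ASSETS, +2),
    ("allowlisted source", lambda o: o["value"] in ALLOWLIST, -3),
]
# Findings that agree on all of these properties land in the same case.
CORRELATION_PROPERTIES = ("src_ip", "target_host")

@dataclass
class Finding:
    id: str
    source: str                 # tool or data source that produced it
    observables: list           # [{"type": "ip", "value": "..."}]
    props: dict                 # normalised properties used for correlation
    risk: int = 0
    applied_rules: list = field(default_factory=list)

def severity_for(score):
    """Constructed thresholds mapping a risk score to a severity label."""
    return "critical" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"

@dataclass
class Case:
    id: str
    findings: list = field(default_factory=list)

    @property
    def cumulative_risk(self):
        return sum(f.risk for f in self.findings)

    @property
    def severity(self):
        return severity_for(self.cumulative_risk)

def enrich(finding):
    """Score each observable from reputation, apply the rules, set finding risk."""
    for obs in finding.observables:
        score = REPUTATION.get(obs["type"], {}).get(obs["value"], 0)
        for name, predicate, delta in ENRICHMENT_RULES:
            if predicate(obs):
                score += delta
                finding.applied_rules.append(f"{name}: {delta:+d} on {obs['value']}")
        obs["risk"] = max(0, min(10, score))
    # The finding's own risk is driven by its riskiest observable.
    finding.risk = max((o["risk"] for o in finding.observables), default=0)
    return finding

def correlate(findings, properties=CORRELATION_PROPERTIES):
    """Group findings that agree on all correlation properties into one case."""
    cases, by_key = [], {}
    for f in findings:
        key = tuple(f.props.get(p) for p in properties)
        if key not in by_key:
            by_key[key] = Case(id=f"CASE-{len(cases) + 1}")
            cases.append(by_key[key])
        by_key[key].findings.append(f)
    return cases

def sample_findings():
    """Constructed findings from three tools describing two separate activities."""
    return [
        Finding("F1", "edr", [{"type": "ip", "value": "198.51.100.23"}, {"type": "ip", "value": "10.0.0.5"}],
                {"src_ip": "198.51.100.23", "target_host": "dc01"}),
        Finding("F2", "firewall", [{"type": "ip", "value": "198.51.100.23"}],
                {"src_ip": "198.51.100.23", "target_host": "dc01"}),
        Finding("F3", "ids", [{"type": "ip", "value": "203.0.113.7"}],
                {"src_ip": "203.0.113.7", "target_host": "web01"}),
    ]

def run_pipeline(findings=None):
    """Enrichment first, then correlation, in the order the text describes."""
    findings = [enrich(f) for f in (findings or sample_findings())]
    return correlate(findings)

if __name__ == "__main__":
    for case in run_pipeline():
        print(case.id, case.severity, case.cumulative_risk, [f.id for f in case.findings])
```

Running the script yields two cases: the EDR and firewall findings about the same source address and target host merge into one case whose cumulative risk (18) makes it critical, while the IDS finding from the allowlisted scanner ends up in its own low-risk case. The order matters: correlating before enrichment would group on raw properties without the adjusted scores, so the case ranking would not reflect the allowlist or the critical-asset rule.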

Rules and subsequent updates are downloaded automatically from the IBM Security App Exchange. When new or updated IBM content is available, you are notified in Detection and Response Center.