IBM Support

QRadar Security Content Extension: ThreatStream Optic

Question & Answer


A new security content pack is available for ThreatStream Optic. This technical note outlines the included security content and provides installation instructions for administrators.


About the ThreatStream security content extension

The ThreatStream security content pack adds several new options to enhance the visibility of data for ThreatStream users or administrators. This security content pack contains 9 new searches, 9 custom rules, 7 reference sets, and a ThreatStream dashboard to summarize event information. The events are captured by IP addresses, which are populated in the reference set at installation time. To keep this IP address information up-to-date, ThreatStream users need to integrate a data feed from the ThreatStream appliance with the QRadar Reference Set API. For installation issues with this security content pack, administrators can contact QRadar Customer Support. For data feed IP address instructions or content questions regarding IP addresses in this content pack, contact ThreatStream Customer Support at

Saved searches added for ThreatStream


Rules added for ThreatStream


Reference sets added for ThreatStream
The reference sets added by the security content pack include pre-populated IP addresses for multiple categories: brute force, DDoS, exploits, malware, and more.
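
One way to keep these reference sets current through the QRadar Reference Set API mentioned above, as an added example (not IBM's or ThreatStream's code). The feed format (`ip,category` lines), the reference set names, the Console host name and the token are assumptions or placeholders; the request targets the Reference Data API's `bulk_load` endpoint with an authorized service token in the `SEC` header.

```python
import csv
import ipaddress
import json
import urllib.parse
import urllib.request

# Placeholder reference set names; use the names shown in your Console.
CATEGORY_TO_SET = {"malware": "EXAMPLE_TS_Malware_IPs",
                   "brute force": "EXAMPLE_TS_BruteForce_IPs"}
# Assumed internal ranges that must never enter a threat reference set.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed sample feed, one "ip,category" pair per line (assumed format).
SAMPLE_FEED = ("203.0.113.7,malware\n198.51.100.23,brute force\n10.1.2.3,malware\n"
               "not-an-ip,malware\n203.0.113.7,malware\n192.0.2.9,spam\n")

def group_feed(text):
    """Return ({set_name: sorted unique IPs}, [(value, reject_reason)])."""
    sets, rejected = {}, []
    for row in csv.reader(text.splitlines()):
        try:
            raw, category = (field.strip().lower() for field in row)
            ip = ipaddress.ip_address(raw)
        except ValueError:  # wrong column count or unparsable address
            rejected.append((",".join(row), "malformed row or invalid IP"))
            continue
        if ip.version == 4 and any(ip in net for net in INTERNAL_NETS):
            rejected.append((raw, "internal address"))
        elif category not in CATEGORY_TO_SET:
            rejected.append((raw, "unmapped category"))
        else:
            sets.setdefault(CATEGORY_TO_SET[category], set()).add(str(ip))
    return {name: sorted(ips) for name, ips in sets.items()}, rejected

def bulk_load_request(console, token, set_name, ips):
    """Build (without sending) the bulk_load POST for one reference set."""
    url = "https://%s/api/reference_data/sets/bulk_load/%s" % (
        console, urllib.parse.quote(set_name, safe=""))
    return urllib.request.Request(
        url, data=json.dumps(ips).encode(), method="POST",
        headers={"SEC": token, "Content-Type": "application/json"})

if __name__ == "__main__":
    sets, rejected = group_feed(SAMPLE_FEED)
    for name, ips in sets.items():
        req = bulk_load_request("qradar.example.com", "PLACEHOLDER_TOKEN", name, ips)
        print(req.get_method(), req.full_url, req.data.decode())
    print("rejected:", rejected)
```

Passing each built request to `urllib.request.urlopen` sends it to the Console. Rejected rows are worth logging, because an internal address that reaches one of these reference sets would make the pack's rules match your own hosts.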


Dashboard added for ThreatStream Optic counts by IP occurrence


Note: As ThreatStream events are provided, the graphs will populate with data.

Installing a security content extension

The Extension Management window in QRadar is used to add applications to your deployment to improve functionality or to add customized content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or they can install applications that deliver specific new functionality to QRadar.


  1. Download the extension from the X-Force App Exchange to your laptop or workstation:
    Note: You must log in using your IBMid to download files or rate software.
  2. Log in to the QRadar Console as an administrator.
  3. Click the Admin tab.
  4. Click the Extension Management icon.
  5. To upload an extension, click Add and select the extension to upload.
    The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
  6. To install the extension immediately, select the Install immediately check box.
  7. Click Add to begin the installation.
    A preview of the application content is displayed.
  8. Administrators can review the content items being installed. If the content items exist, select Overwrite or Keep existing data.
    • Overwrite - Updates the deployment with the latest content from the extension.
    • Keep existing data - Updates from the content extension are discarded if a content property exists with the same name.

After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.

Where do you find more information?

Product: IBM Security QRadar SIEM. Component: Integrations - IBM. Platform: Linux. Version: 7.1; 7.2. Line of Business: Security Software.

Document Information

Modified date: 10 May 2019