IBM QRadar

By Maltego Technologies
Extract and map context of IOCs from event logs and offenses.
Categories: Endpoint & Security Events, Incident Response, Threat Hunting
IBM QRadar integration for Maltego

IBM QRadar Transforms for Maltego

QRadar uses rules to monitor information security events and network flows to detect security threats. When events and flows meet the test criteria that are defined in the ruleset, an offense is created to show that a security attack or policy breach is suspected.

The IBM QRadar integration for Maltego provides context for events and offenses, helping improve investigations by mapping the relationships between them. The IBM QRadar Enterprise integration for Maltego enables security teams to extract and map host assets, IP addresses, hashes, operating systems, vulnerabilities, and other IOCs from event logs and offenses.

Using the Transforms, investigators and analysts can query offenses from a given QRadar instance, find the related events for those offenses, bring the IOCs into Maltego, and leverage our wide variety of data sources to augment and enrich their investigations.

IBM QRadar Transforms in Maltego

Typical Users of IBM QRadar Data

  • Threat Intelligence Teams
  • Threat Hunting Teams
  • Incident Response Teams
  • Security Operation Centers

Integration Benefits

Seamlessly start investigations in a simple, visualized graph

Cross-reference data points like IP addresses, domains, hashes, URLs, and other Indicators of Compromise (IoCs) with organization-wide internal intelligence stored in QRadar, directly via Maltego.

Exploring offenses and performing deep dive investigations

Cross-reference relevant information in the different events mapped to existing offenses to understand what happened and to find common offense patterns, such as targeting the same assets, using the same ports/services, abusing the same accounts/usernames, and more.

Combine QRadar with other threat intelligence feeds

Pivot from information in the QRadar events to data in other threat intelligence feeds such as ATT&CK, MISP, OpenCTI, VirusTotal, and Intezer, all within the same graph. This is especially helpful for analysts assessing security incidents and starting remediation processes.

Map IT assets and related events and offenses

View offences for IT assets and related IOCs. From an event, find the destination IP address, then find other offences that are targeting or sourced from the same IP address.
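The pivots described above (offense to related events to IOCs, then shared assets, ports, accounts across offenses, and from one IP back to every offense it appears in) can be sketched in code. The following is an added example, not code from Maltego or IBM: it works entirely on constructed offense and event records whose field names follow the shape of QRadar's offense API (`id`, `description`, `offense_source`) and Ariel event columns (`sourceip`, `destinationip`, `destinationport`, `username`), with `hash` standing in for a custom event property; every value is made up. The only real QRadar feature it refers to is the AQL `INOFFENSE()` function, which scopes an Ariel event search to one offense.

```python
"""Pivot from QRadar offenses to their events and on to shared indicators.

Added example, not code from Maltego or IBM. All records are constructed;
field names follow QRadar's offense API and Ariel event columns, but the
values are made up. Only build_aql() refers to a real QRadar feature: the
AQL INOFFENSE() function that scopes an event search to a single offense.
"""
from collections import defaultdict

# Constructed sample offenses (trimmed shape of /api/siem/offenses records)
OFFENSES = [
    {"id": 101, "description": "Multiple Login Failures", "offense_source": "203.0.113.10"},
    {"id": 102, "description": "Suspicious Outbound Connection", "offense_source": "10.0.0.25"},
    {"id": 103, "description": "Known Malware Hash Observed", "offense_source": "10.0.0.25"},
]

# Constructed sample events per offense, as an Ariel search would return them.
# "hash" is not a standard Ariel column; it stands in for a custom event property.
EVENTS = {
    101: [
        {"sourceip": "203.0.113.10", "destinationip": "10.0.0.25",
         "destinationport": 22, "username": "svc_backup", "hash": None},
        {"sourceip": "203.0.113.10", "destinationip": "10.0.0.25",
         "destinationport": 22, "username": "admin", "hash": None},
    ],
    102: [
        {"sourceip": "10.0.0.25", "destinationip": "198.51.100.7",
         "destinationport": 443, "username": "svc_backup", "hash": None},
    ],
    103: [
        {"sourceip": "10.0.0.25", "destinationip": None, "destinationport": None,
         "username": "svc_backup", "hash": "0123456789abcdef0123456789abcdef"},
    ],
}

IOC_FIELDS = ("sourceip", "destinationip", "destinationport", "username", "hash")


def build_aql(offense_id, hours=24):
    """AQL that fetches the events behind one offense through the Ariel search API."""
    return (
        "SELECT sourceip, destinationip, destinationport, username "
        f"FROM events WHERE INOFFENSE({int(offense_id)}) LAST {int(hours)} HOURS"
    )


def extract_iocs(events):
    """Return the set of (kind, value) indicators present in a list of events."""
    iocs = set()
    for ev in events:
        for kind in IOC_FIELDS:
            value = ev.get(kind)
            if value is not None:  # skip columns the event did not populate
                iocs.add((kind, value))
    return iocs


def map_offenses(offenses, events_by_offense):
    """Build indicator -> {offense ids} links, the graph Maltego would render."""
    graph = defaultdict(set)
    for offense in offenses:
        for ioc in extract_iocs(events_by_offense.get(offense["id"], [])):
            graph[ioc].add(offense["id"])
    return dict(graph)


def shared_indicators(graph, min_offenses=2):
    """Indicators that tie several offenses together: same asset, port, or account."""
    return {ioc: sorted(ids) for ioc, ids in graph.items() if len(ids) >= min_offenses}


def offenses_involving_ip(graph, ip):
    """Pivot from one IP to every offense where it appears as source or destination."""
    hits = set()
    for (kind, value), offense_ids in graph.items():
        if kind in ("sourceip", "destinationip") and value == ip:
            hits |= offense_ids
    return sorted(hits)


if __name__ == "__main__":
    graph = map_offenses(OFFENSES, EVENTS)
    print(build_aql(101))
    for ioc, ids in shared_indicators(graph).items():
        print(f"{ioc[0]}={ioc[1]} links offenses {ids}")
    print("offenses involving 10.0.0.25:", offenses_involving_ip(graph, "10.0.0.25"))
```

On the constructed data the account `svc_backup` links all three offenses and the host `10.0.0.25` appears as a destination in the login-failure offense and as the source in the other two, which is exactly the kind of cross-offense pattern the Transforms are meant to surface on the graph.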

Enabling incident response, hunting, and digital forensic investigations

Learn more about active threats so that the different cybersecurity teams can properly perform containment, identify impacted assets, track threat actor activities, and locate sources of digital evidence to fully deliver a forensic investigation if needed.

Leverage IBM QRadar Data for

Incident Response

Triage security events through the analysis and investigation of QRadar offences by exploring and visualizing details, network logs, time information, related user accounts, and more. Pivot directly from QRadar data to threat intelligence feeds to enrich your analysis and respond properly to potential security incidents.

Threat Hunting

Improve and automate your threat hunting process by pivoting from Threat Intelligence Reports to IoCs and then searching them in QRadar offences in minutes instead of hours, with the enrichment provided by our Free and Paid Intelligence vendors.

Threat Assessment

Enrich information associated with IT inventory in your organization and check for relevant offences in QRadar to mitigate risk and protect your organization’s inventory.

Resources

Articles

Investigator Toolkit February 2023: Cheat Sheets for Faster and Spot-on Workflows

Contact

Reach out to us to learn more about this data integration and how to access it.

About IBM QRadar

IBM QRadar is an enterprise security information and event management (SIEM) product. It collects log data from an enterprise, its network devices, host assets and operating systems, applications, vulnerabilities, and user activities and behaviors. It then performs real-time analysis of the log data and network flows to identify malicious activity so it can be stopped quickly, preventing or minimizing damage to the organization.

For more information, visit https://www.ibm.com/uk-en/qradar.