Indicator of Compromise Tracker for QRadar - Documentation


Table of contents

1 Overview
2 Installing the app
3 How to use this app
3.1 IoC Tracker tab – Navigation
3.2 IoC Tracker tab – Dropdown Menu
3.3 IoC Tracker tab – Network Hierarchy Check
3.4 IoC Tracker tab – Search Bar
4 Rules
5 Offense Enrichment
6 IoC Hunting
7 IoC Parsing
8 Feature List
9 Example IoC Tracker workflow

1 Overview

Indicator of Compromise (IoC) Tracker was developed to support Security Intelligence Analysts in working with custom IoCs of various kinds such as (but not limited to) hashes, URLs and IPs. It does so by allowing them to upload and manage collections of IoCs with metadata such as source/requester and a description per IoC and per collection.

By displaying this metadata in offenses that were created based on IoCs in IoC Tracker, it also helps Level 1 and 2 analysts to understand the context of the offenses/IoCs.

For SIEM Admins the benefit of IoC Tracker is that selected users can work with IoCs without having QRadar admin level access, and the same rules can work across multiple collections of IoCs.

2 Installing the app

1. On the Admin tab, click Extension Management.
2. Select the IoC Tracker Version .zip file that you want to upload to the console.
3. Select the Install immediately check box if you want QRadar to install the app immediately. Before the app is installed, a preview list of the content items is displayed.
4. To preview the contents of an app after it is added and before it is installed, select it from the list of extensions and click More Details. Expand the folders to view the individual content items in each group.
5. After installation is complete you will see three IoC Tracker Setting icons added to the QRadar Admin tab and an IoC Tracker tab in the area menu. You may have to restart/refresh the Admin tab after installation to see this.

3 How to use this app

The app is configured in the QRadar Admin menu under Indicator of Compromise Tracker. The settings are:

Reference Table: sets the Reference Table the app uses to store its data. A table with the name IOCtrackingTable is installed with the app and has the columns configured to be used with the app.

Reference Sets lookups: allows listing several reference sets separated by comma. These will be added as additional columns. If the IoC next to the columns is part of the reference set, the cell will include this information in the IoC Tracker tab.

Reference Maps lookup: shows the value of a reference map, if the IoC is a key in this map.

Reference Map of Sets: shows all values separated by comma, if the IoC is a key in the map of sets.

Help Link: allows setting a link. If set, a help link leading to this link will be shown in the top right corner.

QRadar API Token: you must provide a token with the permissions to read the network hierarchy and reference data for this app to work.

Editor Users: list all users in QRadar who are allowed to make changes to the IoC Tracker (adding, updating or deleting IoCs). Users not listed here can only view the content in IoC Tracker. You still have to check the app in User Roles for IoC Tracker to be available at all for non-admin users.

QRadar Certificate CN or DNS: enter the name of the CN or DNS used by the QRadar SSL certificate, if the Console hostname is not in the certificate. If you clear the field, the app has to be restarted, because the initial value is set during app startup.

3.1 IoC Tracker tab – Navigation

After configuring the app with a proper token, you can switch to the IoC Tracker tab. If your user role is in the Editor list, you will see the IoC File upload menu.

Click on Download IoCs.

You will get an Excel file, which should only contain a header line. Once you have uploaded IoCs, you can download all stored IoC data this way (e.g. as a backup or for sharing).

The columns ioc, iocType, response, mail, origin, Requester and info are mandatory for uploading IoCs.

The column originDescription is optional and can be used to set information valid for all IoCs sharing the same origin, i.e. a collection.

The column origin is used to group all IoCs having the same origin.

After uploading IoCs of different origins, each origin is represented as a button at the top of IoC Tracker. A button with black background means that the IoCs of this origin will be shown in a table below the buttons. A button with grey background means that the IoCs of this origin will not be shown. Clicking a button toggles this state.

The following features are available from the dashboard:

(De-)Select All: allows selecting (or deselecting) all contained campaigns with one click. By default, all campaigns are selected when you open IoC Tracker. To review only one or several campaigns, you should “De-Select” all campaigns and click on the name of the chosen campaign(s).

Search IoCs: contains a predefined set of QRadar queries that will automatically launch an AQL query based on the IoC type. In addition, it contains the “Audit History” option, which allows tracking all modifications done to the application. This allows searching multiple collections at once by selecting the wanted collections first and then using the Search IoCs buttons.

Choose File: allows choosing an XLSX or CSV file from your computer that contains the list of IoCs which should be imported into the application.

Upload: uploads the IoCs listed in the chosen file.

Download IoCs: exports all IoCs (all collections/origins) into a single XLSX file.

Not all IoC groups are shown at once. When you scroll down, new groups will be loaded until all enabled groups become visible.

3.2 IoC Tracker tab – Dropdown Menu

Download IoCs: exports all IoCs that belong to a single collection into a single XLSX file.

Search IoCs Options: contains a predefined set of QRadar queries that will automatically launch an AQL query for a specific set of IoCs based on the IoC type.

3.3 IoC Tracker tab – Network Hierarchy Check

If there are any IPs in IoC Tracker for QRadar which also belong to the QRadar network hierarchy, a red label in the upper left corner shows the number of internal IPs that are part of the IoCs. Internal IP IoCs are also highlighted red, and the string (internal) is added to these IoCs to make them easy to search for.

3.4 IoC Tracker tab – Search Bar

The search bar allows searching the content of all IoC data. All IoC groups with matches will be enabled; all IoC groups without matches will be disabled. You can choose between a normal string search and a regular expression-based search.
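As an added illustration (not code from the app), the following Python mirrors the check described in 3.3: IP-type IoCs are tested against a stand-in for the QRadar network hierarchy, tagged with the (internal) string and counted. The CIDRs and IoC rows are constructed sample data, and the row layout follows the upload columns.

```python
import ipaddress

# Constructed sample: CIDRs standing in for the QRadar network hierarchy
NETWORK_HIERARCHY = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed sample IoC rows using the upload columns ioc, iocType, origin
IOCS = [
    {"ioc": "10.20.30.40", "iocType": "IP", "origin": "campaign-a"},
    {"ioc": "203.0.113.7", "iocType": "IP", "origin": "campaign-a"},
    {"ioc": "192.168.1.5", "iocType": "IP", "origin": "campaign-b"},
    {"ioc": "not-an-ip", "iocType": "IP", "origin": "campaign-b"},
]


def is_internal(ip_text, hierarchy=NETWORK_HIERARCHY):
    """True if ip_text parses as an IP address inside any hierarchy network."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # malformed value: cannot be internal, review separately
    return any(ip in ipaddress.ip_network(net) for net in hierarchy)


def tag_internal(iocs, hierarchy=NETWORK_HIERARCHY):
    """Return (tagged rows, internal count): the '(internal)' suffix and the
    counter correspond to the highlighting and red label in the tab."""
    tagged, count = [], 0
    for row in iocs:
        row = dict(row)  # do not modify the caller's rows
        if row["iocType"] == "IP" and is_internal(row["ioc"], hierarchy):
            row["ioc"] = row["ioc"] + " (internal)"
            count += 1
        tagged.append(row)
    return tagged, count
```

An IoC feed that contains your own address space usually means either a compromised internal host or a false positive in the feed, so the count is worth checking before the rules in section 4 are enabled for that collection.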

4 Rules

Since IoC Tracker works with a single Reference Table only, you can benefit from a minimal set of well-scaling rules. Rules for source IP and destination IP based IoCs are included.

The method for creating rules is:

1. A Building Block with one or two conditions to filter on the relevant IoC type for better performance. For Source IP the condition R2L has been chosen to ignore L2L and L2R traffic. If the source IP were internal, it would show up in IoC Tracker as internal. The second condition checks, using AQL, if the IP is part of the Reference Table used by IoC Tracker and matches the type of the rule.
2. To respond in different ways to IoCs, rules are created. These rules have the Building Block for the same type as their first condition. The second condition checks the response column. This way an IoC can have different responses based on the input in the offense column, so that source IP based offenses are indexed on source IP and offenses get different names based on the response. Other custom actions can also be used.

Example: offenses tagged with High Priority could increase the magnitude in addition to just creating an offense.

The mail column can be used to decide if a mail should be sent, based on the content of the column.

5 Offense Enrichment

If the source of an offense is also part of IoC Tracker, the IoC details will be shown. On the one hand, this can be used to inform the analyst that an offense source is an IoC; on the other hand it allows giving more details or incident procedures in the IoC details field.

The sample below shows that detail information for the username admin is shown, because admin has been added as an IoC to IoC Tracker.

6 IoC Hunting

IoC Tracker allows creating template searches to check for past IoC occurrences. These searches can be configured using IoC Tracker – IoC search configuration.

Search sample for source and destination IPs:

The string {campaigns} will be replaced by all the IoC groups which are selected (having a black button). The string is built by concatenating all IoC group names with the pipe character. This way it can be used by the AQL MATCH function to check several IoC groups at once.

It is advised to set the result of {campaigns} to a variable for reuse ( SET org c {campaigns}; ). This way the AQL will be shorter and more readable. (See picture above.)

The checkbox Multi Search defines if the search will appear in the Search IoCs menu.

The checkbox Single Search defines if the search will appear in the IoC Group dropdown menu.
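An added example (not the app's own code) of how the {campaigns} placeholder is filled from the selected IoC groups. The search template, and the REFERENCETABLE/MATCHES syntax inside it, are assumptions for illustration rather than the app's shipped templates; regex-escaping the group names is an added safeguard beyond what the page describes, assuming the target regex engine accepts backslash escapes.

```python
import re

# Constructed sample: IoC group (origin) names and their button state in the tab
# (True = black button / selected, False = grey button / deselected)
GROUPS = {"CampaignA": True, "vendor.feed": True, "OldCampaign": False}

# Constructed search template. The REFERENCETABLE(...) MATCHES '...' clause is
# assumed AQL syntax used only to show where {campaigns} ends up.
TEMPLATE = (
    "SELECT sourceip, destinationip FROM events "
    "WHERE REFERENCETABLE('IOCtrackingTable', 'origin', sourceip) "
    "MATCHES '^({campaigns})$' LAST 7 DAYS"
)


def build_campaigns(groups):
    """Join the selected group names with '|' as the tab does.

    Names are regex-escaped (added safeguard) so that a '.' or '(' in an
    origin name cannot widen or break the MATCH alternation."""
    selected = [name for name, on in groups.items() if on]
    if not selected:
        raise ValueError("no IoC group selected; refusing to build an empty MATCH")
    return "|".join(re.escape(name) for name in selected)


def expand_template(template, groups):
    """Replace every {campaigns} placeholder in the search template."""
    return template.replace("{campaigns}", build_campaigns(groups))
```

For the Single Search dropdown the same function is called with exactly one group selected, which yields a plain name instead of an alternation.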

7 IoC Parsing

IoC Tracker allows pre-parsing the input you bulk upload via Excel/CSV by specifying regular expressions for specific IoC types. If a regular expression matches, the capture groups are extracted, concatenated and used as the IoC. This can be useful to make sure that types like URL match the format used for the custom event property for URLs.

The sample below shows how to pre-parse all values coming in with the IoC type URL. It strips https:// or http:// at the beginning and also drops all query parameters coming after a literal question mark. Not all proxies log the protocol of the URL, and query parameters can make it much harder to match a malicious URL.

The order is used if there is more than one expression matching the IoC: the first matching regular expression wins. If nothing matches, the original input is used. Because the first regular expression wins, it is advised to put the most specific expression at the top.

8 Feature List

- Structured IoC presentation
- Flexible integration in QRadar rules and searches by using a Reference Table
- Simple rights management
- Integrated IoC hunting capabilities (configurable search templates)
- Simple interface for normalization/parsing
- Audit logging
- Enrichment by other QRadar Reference Data
- Bulk operation support by Excel/CSV upload
- Enriched IoC report by Excel download
- Offense enrichment
- Integrated IoC cleanup (12 months, if IoCs are not updated in the meantime)

9 Example IoC Tracker workflow

Here is an example of how IoC Tracker may be used by the various users/roles in a SOC:

1. A Security Intelligence Analyst (SIA) gathers IoCs related to a campaign/attack and uploads them with related metadata such as links to runbooks, IoC sources etc. as a new collection in IoC Tracker, without yet specifying an action.
2. The SIA then uses IoC Tracker searches to check if any of the IoCs from the new collection are present in the existing logs, e.g. by checking the last week or month of events. This serves the purpose of a) checking if any IoC-related threat is already present in the environment and b) verifying for false positives in the environment.

3. The SIA may test the new IoCs by creating an event in QRadar that will match the new IoCs and then verify that the events show up in the searches.
4. Next, the SIA downloads the new IoC collection, sets any required actions like offense generation or mail, and uploads the IoC collection again.
5. The SIA may run a test again to ensure that the existing rules will fire on the new IoCs.
6. Now, when an offense is created based on the IoCs, the related metadata is displayed, giving analysts the required context, runbook hints or even links to runbooks.
7. If an IoC is creating too many false positives, the SIA or SIEM Admin may delete the IoC within IoC Tracker.
8. Eventually, IoCs will expire from the Reference Data after 12 months (default). Re-uploading or modifying IoCs resets the time to 12 months again.
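The pre-parsing described in section 7, as an added Python example that is not part of the app: an ordered list of regular expressions per IoC type, first match wins, capture groups are concatenated, and the original value is kept when nothing matches. The patterns, the column layout and the sample rows are constructed for illustration; the URL patterns drop the scheme, port and query string so that the stored IoC matches what a proxy log typically carries.

```python
import re

# Constructed ordered rules per IoC type; the first matching pattern wins, so
# the most specific one is listed first (as section 7 advises).
PARSE_RULES = {
    "URL": [
        # scheme + host[:port] + path + '?query': keep host and path only
        r"^https?://([^/:?]+)(?::\d+)?(/[^?]*)?\?.*$",
        # scheme + host[:port] + path, no query string
        r"^https?://([^/:?]+)(?::\d+)?(/[^?]*)?$",
        # no scheme: only drop the query string (least specific, last)
        r"^([^?]+)\?.*$",
    ],
}


def normalize_ioc(value, ioc_type, rules=PARSE_RULES):
    """Apply the ordered patterns for ioc_type. The first match wins and its
    capture groups are concatenated; unmatched input is returned unchanged."""
    for pattern in rules.get(ioc_type, []):
        match = re.match(pattern, value)
        if match:
            return "".join(g for g in match.groups() if g is not None)
    return value


def normalize_rows(rows, rules=PARSE_RULES):
    """Pre-parse the ioc column of upload rows (ioc, iocType, ...) in place of
    the bulk import step; types without rules pass through untouched."""
    out = []
    for row in rows:
        row = dict(row)
        row["ioc"] = normalize_ioc(row["ioc"], row["iocType"], rules)
        out.append(row)
    return out


# Constructed sample upload rows (hash value is a placeholder, not an IoC)
SAMPLE_ROWS = [
    {"ioc": "https://evil.example:8443/login.php?user=1", "iocType": "URL"},
    {"ioc": "evil.example/x?y=2", "iocType": "URL"},
    {"ioc": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "iocType": "MD5"},
]
```

Reversing the URL rule list shows why order matters: the least specific pattern would then match a full URL first and leave the scheme and port in the stored IoC.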
