Here at Anomali we have over 30 out-of-the-box integrations, from SIEMs to endpoints and everything in between. Our QRadar integration is one of our most popular.
The QRadar app and Content Pack available to ThreatStream customers provide security analysts visibility into threats within their network by matching and enriching log data to known indicators of compromise through interactive dashboards.
We recently shared the latest version of the app (v1.0.4) with the IBM QRadar team, who have blessed it with their certification (given to only a handful of apps in the XForce Exchange).
In the latest release, we've added some new features that improve the workflow for threat hunting and SOC teams. Here's a brief introduction to some of them...
Submit observables from QRadar
As you work through offenses in QRadar, it is very likely you'll identify new threats not already reported to ThreatStream during an investigation. With this in mind, we decided to make it easier to submit new observables to ThreatStream from QRadar in a matter of clicks.
Once submitted, you can then explore and edit the indicator in the ThreatStream interface. The new indicator of compromise will also be available for matching to new logs in QRadar using the ThreatStream rules included in the Content Pack.
Submit false positives
Depending on the feeds you're subscribed to, it is likely you will discover events deemed to be malicious that are in fact benign. In such cases, users can mark the indicator as a false positive in ThreatStream so that it does not subsequently flag up as a match in QRadar.
Where can I download the latest release?
ThreatStream customers can get a copy of the app and Content Pack on the IBM XForce Exchange:
If you're not already a ThreatStream customer, sign up for a free trial today.
Finally, a big thank you to Declan Wilson, Ryan Gribben, Gavin McDaid, Sean Creen, and Jagdeep Chabra, who worked on this release here at Anomali.