IBM Security IOC Manager 1.0.0

Table of Contents
Overview
Installing
  Install steps
  Uninstall steps
Configuring
  Creating an authorized service token
  First Time Setup
  Managing permissions for the IOC Manager app
  Configure IOC Manager Settings
Search an Artifact
Create Artifact

Overview
Clients with large Security Operations Centers (SOCs) need their analysts to be able to look up threat intelligence and to add Indicators of Compromise (IOCs) to reference sets. The challenge is that the QRadar permission model requires the Admin role for these actions, which grants analysts far more access than they need. IBM Security IOC Manager addresses this by giving QRadar analysts the ability to search reference sets for the origin of an IOC and to create new artifacts, without granting each analyst the Admin role.

Installing
Install steps
1. On the Admin tab, click Extension Management.
2. In the Extension Management window, click Add and select the IOC_Manager_1.0.0.zip file that you want to upload to the console.
3. Select the Install immediately check box if you want QRadar to install the app immediately. Before the app is installed, a preview list of the content items is displayed.
4. To preview the contents of an app after it is added and before it is installed, select it from the list of extensions and click More Details. Expand the folders to view the individual content items in each group.
After installation is complete, an IOC Manager tab is added to QRadar and a new IOC Manager Settings icon appears under the Admin tab.
Uninstall steps
1. On the Admin tab, click Extension Management.
2. On the INSTALLED tab of the Extension Management window, select your app and click Uninstall.
When you uninstall an app, it is removed from the system. If you want to reinstall it, you must add it again.

Configuring
Creating an authorized service token
You must create an authorized service token so that the IBM Security IOC Manager app can call the QRadar APIs it uses to search reference sets and add data to them.
1. On the Admin tab, in the User Management section, click the Authorized Services icon.
2. Click Add Authorized Services.
3. Configure the following information to create the IOC Manager service:
   a. In the Service Name field, type IOC Manager.
   b. From the User Role list, select the Admin user role.
   c. From the Security Profile list, select the Admin security profile.
4. Click the row that contains the service you created, then select and copy the token string from the Selected Token field in the menu bar.
This authentication token is used in the First Time Setup section that follows. Because the service is created with the Admin user role and the Admin security profile, the token carries full administrative rights to the QRadar API: anyone who obtains it can act as an administrator, so treat it as a secret and enter it only in the app's First Time Setup and IOC Manager Settings dialogs.
First Time Setup
1. Go to the IOC Manager tab that was added to QRadar. The IBM IOC First Time Setup page is displayed.
2. Enter the authentication token that you created in the previous section.
3. Click Finish.
You are redirected to the main page of the IOC Manager app.
Managing permissions for the IOC Manager app
Administrators use the User Role Management feature on the Admin tab in QRadar to configure and manage user accounts. As an administrator, you must enable the IOC Manager permission for each user role that is permitted to use the IOC Manager app. This gives users such as QRadar analysts access to the application.
1. Click the Admin tab.
2. In the System Configuration section, under User Management, click the User Roles icon.
3. Select an existing user role or create a new role.
4. Select the IOC Manager check box to add the permission to the role.
5. Click Save.

Configure IOC Manager Settings
The IOC Manager Settings let you edit the authentication token that was set during First Time Setup and define a Reference Set Exclude List.
1. On the Admin tab, click the IOC Manager Settings icon in the Plug-ins section. The IBM IOC Manager Settings dialog box opens.
2. In the QRadar SEC Token field, enter the authentication token for the IOC Manager service if you did not already do so in First Time Setup.
3. (Optional) In the Reference Set Exclude List, use the Add button to add any reference sets that you want to hide from the application's users. Users of the app cannot search for artifacts in, or create artifacts for, reference sets on the exclude list. Because the app reaches reference sets through the Admin service token rather than through each analyst's own permissions, this list is what limits which sets analysts can see and change through the app.
4. Click Save Configuration.

Search an Artifact
The Search for Artifact feature lets a QRadar analyst take an IOC artifact found while investigating an offense and find out whether it exists in any reference sets.
1. Click the IOC Manager tab.
2. Click Search in the left-hand navigation bar.
3. Enter the artifact into the search box (for example an IP address, URL, hash or filename).
4. Click Search.
The search results are displayed below the search box and list every reference set in which the artifact exists, with the following fields:

Table 1. Search Results Fields
Field         Description
Container     The reference set name
Created On    Reference set creation date
Last Seen On  Last time the reference set was changed
Created By    User who created the reference set
Create Artifact
The Create Artifact feature lets a QRadar analyst add an IOC artifact to an existing reference set, together with a comment that can be used for auditing.
Procedure
1. Click the IOC Manager tab.
2. Click Create in the left-hand navigation bar.
3. From the drop-down list under Reference Set Name, select the reference set to be updated.
4. Under Artifact to Add:
   a. Enter the IOC artifact (IP address, URL, hash, filename, etc.).
   b. Enter a comment (optional).
5. Click Create.
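The Search an Artifact and Create Artifact procedures above describe the app's behaviour from the analyst's side. The following Python is an added example written for this guide; it is not IOC Manager's own code. It models offline what the app has to do against QRadar reference sets: skip every set on the Reference Set Exclude List, match an artifact according to each set's element type, return the Table 1 fields for each hit, refuse an artifact that cannot belong to the chosen set, and keep the analyst's comment on the new element for audit. The sample reference sets, the exclude list, the created_by field and the rule "last seen = newest element in the set" are constructed assumptions; the record shape (name, element_type, creation_time, data with value/first_seen/last_seen/source) follows the JSON that QRadar's GET /api/reference_data/sets/{name} returns, and api_request_for_add builds the POST /api/reference_data/sets/{name} call (value and source parameters) that adds an element through the real API.

```python
import copy
import ipaddress
import time
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample reference sets (assumption), shaped like the JSON objects
# returned by QRadar's GET /api/reference_data/sets/{name}. Timestamps are epoch
# milliseconds as in that API. "created_by" is not an API field; it is added
# here only to model the "Created By" column of Table 1.
_SAMPLE_SETS = [
    {"name": "Malicious IPs", "element_type": "IP", "created_by": "admin",
     "creation_time": 1700000000000,
     "data": [{"value": "203.0.113.7", "first_seen": 1700000100000,
               "last_seen": 1700005000000, "source": "threat feed"}]},
    {"name": "Bad Hashes", "element_type": "ALNIC", "created_by": "analyst1",
     "creation_time": 1699000000000,
     "data": [{"value": "44D88612FEA8A8F36DE82E1278ABB02F",
               "first_seen": 1699000100000, "last_seen": 1699000100000,
               "source": "case 1042"}]},
    {"name": "Internal Exclusions", "element_type": "ALN", "created_by": "admin",
     "creation_time": 1698000000000,
     "data": [{"value": "203.0.113.7", "first_seen": 1698000100000,
               "last_seen": 1698000100000, "source": "whitelist review"}]},
]

# Sets the administrator placed on the Reference Set Exclude List (assumption).
EXCLUDE_LIST = frozenset({"Internal Exclusions"})


def sample_sets():
    """Fresh copy of the constructed sets, so create_artifact can mutate it."""
    return copy.deepcopy(_SAMPLE_SETS)


def _canonical(value, element_type):
    """Normalise a value the way its set's element type compares it.
    Raises ValueError when the value cannot belong to a set of this type
    (for example a filename offered to an IP set)."""
    if element_type == "IP":
        return str(ipaddress.ip_address(value.strip()))
    if element_type == "ALNIC":          # alphanumeric, ignore case
        return value.strip().lower()
    return value.strip()                 # ALN and other types compare exactly


def _fmt(epoch_ms):
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def search_artifact(artifact, sets, exclude=EXCLUDE_LIST):
    """Return one Table 1 row for each non-excluded set that contains the artifact."""
    rows = []
    for rs in sets:
        if rs["name"] in exclude:
            continue                     # excluded sets are invisible to app users
        try:
            wanted = _canonical(artifact, rs["element_type"])
        except ValueError:
            continue                     # cannot be an element of this set type
        if any(_canonical(e["value"], rs["element_type"]) == wanted
               for e in rs["data"]):
            rows.append({
                "container": rs["name"],
                "created_on": _fmt(rs["creation_time"]),
                # Assumption: the set's last change is its newest element.
                "last_seen_on": _fmt(max(e["last_seen"] for e in rs["data"])),
                "created_by": rs["created_by"],
            })
    return rows


def create_artifact(set_name, artifact, comment, sets, exclude=EXCLUDE_LIST,
                    now_ms=None):
    """Add an artifact to an existing set, keeping the comment as the element's
    source for audit. Returns a status dict instead of raising, as a UI
    handler would."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if set_name in exclude:
        return {"status": "error",
                "message": f"{set_name!r} is on the Reference Set Exclude List"}
    target = next((rs for rs in sets if rs["name"] == set_name), None)
    if target is None:
        return {"status": "error", "message": f"no reference set named {set_name!r}"}
    try:
        wanted = _canonical(artifact, target["element_type"])
    except ValueError:
        return {"status": "error",
                "message": f"{artifact!r} is not valid for a {target['element_type']} set"}
    for elem in target["data"]:
        if _canonical(elem["value"], target["element_type"]) == wanted:
            elem["last_seen"] = now_ms   # already present: refresh, do not duplicate
            return {"status": "ok", "element": elem, "created": False}
    stored = wanted if target["element_type"] == "IP" else artifact.strip()
    elem = {"value": stored, "first_seen": now_ms, "last_seen": now_ms,
            "source": comment or ""}
    target["data"].append(elem)
    return {"status": "ok", "element": elem, "created": True}


def api_request_for_add(set_name, artifact, comment):
    """The QRadar REST call behind a successful create: POST with the value and
    the analyst's comment as the 'source' parameter. The authorized service
    token is sent in the SEC request header on every call."""
    return ("POST", f"/api/reference_data/sets/{quote(set_name)}",
            {"value": artifact, "source": comment})
```

The exclude-list check runs before any lookup in both functions, so an excluded set is neither listed in search results nor writable, which is the behaviour the settings dialog describes. In the real app the Admin token from the settings is what authorises these calls, which is why the exclude list, not the analyst's own QRadar role, is the boundary on what the app will touch.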