
[Package Installation]

PHISHME INTELLIGENCE
FOR QRADAR
V 1.0.4

PhishMe Intelligence Solutions Engineering


Table of Contents

Installation Instructions

Installation

Configuration

Note on Upgrading

Generate an API Token

Configure QRadar App

Content

Reference Sets

Reference Tables

Example correlation rule

INSTALLATION INSTRUCTIONS

INSTALLATION

These instructions follow IBM’s documentation for installing apps:

https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.apps.doc/c_Qapps_MngExts.html

1. Download the application zip

2. Upload the application to your QRadar console

a. On the Admin tab, click Extension Management

b. In the Extension Management window, click Add and select the app ZIP archive that you want to upload
to the console. Select the Install immediately check box if you want QRadar to install the app right
away.

Before the app is installed, a preview list of the content items is displayed.

c. To preview the contents of an app after it is added and before it is installed, select it from the list of
extensions, and click More Details. Expand the folders to view the individual content items in each group.

3. Install the app

a. On the Admin tab, click Extension Management.

b. Select your app in the Extension Management window, and click Install.

Before the app is installed, the content items are compared to content items that are already in the
deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.

On the Installation Summary window, No change indicates that an overwrite was not required for that
content item.

This will take several minutes to complete. Please be patient.

CONFIGURATION

NOTE ON UPGRADING

After upgrading, you will need to restart the app. Go to the “Edit Configuration” menu and re-enter your API password; this restarts the app.

If you are upgrading from version 1.0.2, the configuration from your previous installation will not be carried over. All the data is
preserved in the reference collections, but you will need to configure the app as if it were a fresh installation. Set the start date to the
date the application last ran.

GENERATE AN API TOKEN

Before you begin, you will need to generate an API token, which consists of a username and a password (only available to current PhishMe Intelligence customers):

1. Log in to www.threathq.com

2. Click the settings menu (gear icon) in the left navigation bar

3. Select the “API Token” tab

4. Click “Add a New Token”. Save the password now; it will not be displayed again

CONFIGURE QRADAR APP

1. In the Admin tab of your QRadar environment, open the PhishMe app.

2. Select “New Configuration”

3. API Username: The Username assigned to your ThreatHQ API Token.

4. API Password: The Password assigned to your ThreatHQ API Token when it was created.

5. Start Date: The date to begin collecting threat data from, in YYYY-MM-DD format.

6. QRadar Authorized Service Token: A valid authorized service token for QRadar. It can be created on the Authorized
Services page of the QRadar Admin tab. The app uses this token to write to the reference collections, so the
authorized service must have an Admin security profile and user role.

7. Polling Interval: How often to poll PhishMe Intelligence, in minutes (15 minutes minimum).

8. Local Proxy (Optional): Check this if you must use a Local Proxy

9. Local Proxy URL (Optional): The URL for the Local Proxy if Local Proxy is checked.

10. Local Proxy Username (Optional): The Username for the Local Proxy if Local Proxy is checked.

11. Local Proxy Password (Optional): The Password for the Local Proxy if Local Proxy is checked.

12. Local Proxy Confirm Password (Optional): The password confirmation for the Local Proxy Password if Local Proxy is
checked. Must match Local Proxy Password.

EDITING YOUR CONFIGURATION

1. In the Admin tab of your QRadar environment, open the PhishMe app.

2. Select “Current Configuration” and then “Edit Configuration”

3. API Username: The Username assigned to your ThreatHQ API Token.

TROUBLESHOOTING

1. If you are not seeing data populating the reference collections, make sure you selected an appropriate start date and
that your network/proxy settings are configured correctly.

2. You can access the log files by following these instructions:

https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.appfw.doc/c_appframework_viewLogs.html

You can find your app ID in the URL of the admin window, or via the REST API endpoint
/api/gui_app_framework/applications (a GET request, authenticated as an admin user or with an authorized service token).

3. If the app needs to be restarted, or you wish to manually backfill, you can clear the API position marker by navigating
to your “Current Configuration” from the initial admin screen and clicking “Clear Position Marker”.

a. After clearing, you can edit the configuration and restart from the chosen start date to backfill indicators back to that
date.

4. If there is a connection issue caused by bad credentials, you’ll need to clear the application lock:

a. Navigate to “Edit Configuration”

b. Click on “Clear Lock”

CONTENT

REFERENCE SETS

The following Reference Sets are created and populated with IOCs:

PhishMe_Intelligence_Malware_Hostnames

PhishMe_Intelligence_Malware_IPs

PhishMe_Intelligence_Malware_URLs

PhishMe_Intelligence_Malware_Hashes_MD5

PhishMe_Intelligence_Malware_Hashes_SHA

REFERENCE TABLES

The following Reference Tables are created to hold extended context about the IOCs in the above Sets. The outer
key of each Reference Table is the same value as the entry in the Reference Set of the corresponding name (the IP,
hostname, URL or hash itself). The same IOC is kept in both a set and a table to reduce search time on initial
queries: membership in a Reference Set is a cheap test, while the Reference Table holds the context. In both Rules
and Advanced Query Language (AQL), a lookup against a Reference Table should be performed only after a
successful lookup against the corresponding Reference Set.

PhishMe_Intelligence_Malware_Hostnames_Data

PhishMe_Intelligence_Malware_IPs_Data

PhishMe_Intelligence_Malware_URLs_Data

PhishMe_Intelligence_Malware_Hashes_MD5_Data

PhishMe_Intelligence_Malware_Hashes_SHA_Data

EXAMPLE CORRELATION RULE

The following rule tests are an example of how you could do advanced correlation using IOC context. The rule
tests each source or destination IP for a match against any of the IOCs; if one matches, it examines the context to
determine the impact. Testing against the Reference Set first narrows the results far more efficiently than looking
up every IP in the table.
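The same set-then-table pattern expressed as an AQL search, given here as an added example; it is not from the app documentation or a rule shipped with the app. It assumes that the Reference Table PhishMe_Intelligence_Malware_IPs_Data has an inner key (column) named impact; the app's real column names are not listed on this page, so confirm them with GET /api/reference_data/tables/PhishMe_Intelligence_Malware_IPs_Data and substitute. REFERENCESETCONTAINS in the WHERE clause is the cheap membership test; the REFERENCETABLE lookups in the SELECT list only run for the rows that pass it:

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  destinationip,
  REFERENCETABLE('PhishMe_Intelligence_Malware_IPs_Data', 'impact', sourceip) AS source_impact,
  REFERENCETABLE('PhishMe_Intelligence_Malware_IPs_Data', 'impact', destinationip) AS destination_impact
FROM events
WHERE REFERENCESETCONTAINS('PhishMe_Intelligence_Malware_IPs', sourceip)
   OR REFERENCESETCONTAINS('PhishMe_Intelligence_Malware_IPs', destinationip)
LAST 24 HOURS
```

For the side of the connection that did not match, REFERENCETABLE returns NULL, so source_impact and destination_impact tell you which end of the flow is the PhishMe indicator. The same structure applies to the other collections: key the set test and the table lookup on the hostname, URL or file-hash property instead of sourceip/destinationip. In the rule wizard the equivalent is to place the "contained in any of these reference sets" test before the reference table test, so the table is consulted only for events that already matched the set.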
