PHISHME INTELLIGENCE
FOR QRADAR
V 1.0.4
Installation 2
Configuration 3
Content 4
INSTALLATION INSTRUCTIONS
INSTALLATION
https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.apps.doc/c_Qapps_MngExts.html
b. In the Extension Management window, click Add and select the app ZIP archive that you want to upload to the console. Select the Install immediately check box if you want QRadar to install the app right away.
Before the app is installed, a preview list of the content items is displayed.
c. To preview the contents of an app after it is added and before it is installed, select it from the list of extensions and click More Details. Expand the folders to view the individual content items in each group.
b. Select your app in the Extension Management window, and click Install.
Before the app is installed, the content items are compared to content items that are already in the deployment. If the content items already exist, you can choose to overwrite them or to keep the existing data. On the Installation Summary window, No change indicates that an overwrite was not required for that content item.
CONFIGURATION
NOTE ON UPGRADING
After upgrading you will need to restart the app. Open the “Edit Configuration” menu and re-enter your API password; saving the configuration restarts the app.
If you are upgrading from version 1.0.2, the configuration from your previous installation is not carried over. All collected data is preserved in the reference collections, but you will need to configure the app as if it were a fresh installation. Set the start date to the date the application last ran, so that the poller resumes from that point instead of re-fetching the full history.
Before you begin, you will need to generate an API token set (only available to current PhishMe Intelligence customers):
1. Log in to www.threathq.com
2. Click on the settings menu (gear icon) in the left navigation bar
4. Click on “Add a New Token”. Make sure you save the password; it will not be accessible again.
1. In the Admin tab of your QRadar environment, open the PhishMe app.
4. API Password: The password assigned to your ThreatHQ API token when it was created.
5. Start Date: The date to begin collecting threat data from. Use YYYY-MM-DD format.
6. QRadar Authorized Service Token: A valid authorized service token for QRadar. (Can be created in the Authorized
7. Polling Interval: How often to poll PhishMe Intelligence, entered in minutes (15 minutes minimum).
8. Local Proxy (Optional): Check this if you must use a local proxy to reach PhishMe Intelligence.
9. Local Proxy URL (Optional): The URL for the local proxy, required if Local Proxy is checked.
10. Local Proxy Username (Optional): The username for the local proxy, if Local Proxy is checked.
11. Local Proxy Password (Optional): The password for the local proxy, if Local Proxy is checked.
12. Local Proxy Confirm Password (Optional): The password confirmation for the Local Proxy Password, if Local Proxy is checked.
TROUBLESHOOTING
1. If you are not seeing data populating the reference collections, make sure you selected an appropriate start date and
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.appfw.doc/c_appframework_viewLogs.html
You can find your app id in the URL of the admin window, or via the API endpoint gui_app_framework/applications.
3. If the app needs to be restarted, or you wish to manually backfill, you can clear the API position marker by navigating to your “Current Configuration” from the initial admin screen and clicking “Clear Position Marker”.
a. After clearing the marker, edit the configuration and restart from the chosen start date to backfill indicators back to that date.
4. If there is a connection issue caused by bad credentials, you’ll need to clear the application lock:
CONTENT
REFERENCE SETS
The following Reference Sets are created and populated with IOCs:
PhishMe_Intelligence_Malware_Hostnames
PhishMe_Intelligence_Malware_IPs
PhishMe_Intelligence_Malware_URLs
PhishMe_Intelligence_Malware_Hashes_MD5
PhishMe_Intelligence_Malware_Hashes_SHA
REFERENCE TABLES
The following Reference Tables are created to hold extended context about the IOCs in the above Sets. The outer key of each Reference Table is the same value that is present in the Reference Set of the corresponding name.
Keeping the same IOC in both a Set and a Table reduces search time on the initial query: a Reference Set membership test is cheap, while a Reference Table lookup returns the full context record. In both Rules and Advanced Query Language (AQL), a lookup against a Reference Table should be performed only after a successful lookup against the corresponding Reference Set.
PhishMe_Intelligence_Malware_Hostnames_Data
PhishMe_Intelligence_Malware_IPs_Data
PhishMe_Intelligence_Malware_URLs_Data
PhishMe_Intelligence_Malware_Hashes_MD5_Data
PhishMe_Intelligence_Malware_Hashes_SHA_Data
The following rule tests are an example of how you could do advanced correlation using IOC context. The rule tests each source or destination IP for matches against any of the IOCs; if one matches, it analyzes the context from the Reference Table to determine the impact. Testing the Reference Set first narrows the results down far more efficiently than performing a table lookup for every IP.
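The same set-then-table pattern expressed as an AQL search (an added example, not a query shipped with the PhishMe app). It assumes the Reference Set and Reference Table names listed above, and two hypothetical inner keys in the table, `malware_family` and `impact`, which stand in for whatever context fields your deployment's `*_Data` tables actually carry. The `REFERENCESETCONTAINS()` tests in the WHERE clause do the cheap filtering; `REFERENCETABLE()` in the SELECT list is only evaluated for the rows that survive it.

```sql
-- AQL (QRadar Ariel Query Language), run from Log Activity > Advanced Search.
-- Step 1 (WHERE): REFERENCESETCONTAINS('set', value) is the inexpensive
--   membership test against PhishMe_Intelligence_Malware_IPs. Only events
--   whose source or destination IP is in the set pass this filter.
-- Step 2 (SELECT): REFERENCETABLE('table', 'inner_key', outer_key) pulls the
--   IOC context for those rows only. The inner keys 'malware_family' and
--   'impact' are ASSUMED for illustration; replace them with the inner keys
--   present in PhishMe_Intelligence_Malware_IPs_Data in your deployment.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')                                         AS event_time,
    sourceip,
    destinationip,
    REFERENCETABLE('PhishMe_Intelligence_Malware_IPs_Data', 'malware_family', sourceip)      AS src_family,
    REFERENCETABLE('PhishMe_Intelligence_Malware_IPs_Data', 'impact',         sourceip)      AS src_impact,
    REFERENCETABLE('PhishMe_Intelligence_Malware_IPs_Data', 'malware_family', destinationip) AS dst_family,
    REFERENCETABLE('PhishMe_Intelligence_Malware_IPs_Data', 'impact',         destinationip) AS dst_impact
FROM events
WHERE
       REFERENCESETCONTAINS('PhishMe_Intelligence_Malware_IPs', sourceip)
    OR REFERENCESETCONTAINS('PhishMe_Intelligence_Malware_IPs', destinationip)
LAST 24 HOURS
```

In a custom rule the equivalent ordering is a first test of the form "when any of Source IP, Destination IP are contained in any of PhishMe_Intelligence_Malware_IPs", followed by the Reference Table test that reads the context field and decides the rule response. Putting the Set test first matters because QRadar evaluates rule tests in order and stops at the first one that fails, so the table is only consulted for events that are already known hits. The same shape applies to the hostname, URL, MD5 and SHA sets by swapping in the matching event property and the corresponding `*_Data` table.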