Skip to main content

QRadar Indicator Hunting V2

This Playbook is part of the IBM QRadar Pack.#

The Playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or urls.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

This playbook does not use any sub-playbooks.

Integrations#

  • QRadar_v3

Scripts#

  • IsIPInRanges
  • SetAndHandleEmpty
  • Set

Commands#

  • qradar-search-retrieve-events
  • qradar-assets-list

Playbook Inputs#


NameDescriptionDefault ValueRequired
MD5MD5 hash file or an array of hashes to search.Optional
QradarMD5FieldMD5 field to search in QRadar. If none are specified, the search will use a payload contains filter.Optional
SHA1SHA1 hash file or an array of hashes to search.Optional
QradarSHA1FieldSHA1 field to search in QRadar. If none are specified, the search will use a payload contains filter.Optional
SHA256SHA256 hash file or an array of hashes to search.Optional
QradarSHA256FieldSHA256 field to search in QRadar. If none are specified, the search will use a payload contains filter.Optional
IPAddressSource or destination IP to search. Can be a single address or an array of addresses.
Optional
QradarIPfieldIP field to search in QRadar. If none are specified, the search will use sourceip or destinationip (combined).sourceip,destinationipOptional
URLDomainDomain or Url can be single or an array of domain/urls to search. By default the LIKE clause is used.
Optional
QradarURLDomainFieldURL/Domain field to search in QRadar. If none are specified, the search will use a payload contains filter.Optional
TimeFrameTime frame as used in AQL
Examples can be
LAST 7 DAYS
START '2019-09-25 15:51' STOP '2019-09-25 17:51'
For more examples review IBM's AQL documentation.
LAST 7 DAYSOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional
InvestigationIPFieldsThe values of these QRadar fields will be used for the playbook IP addresses outputs.sourceip,destinationipRequired
InvestigationUserFieldsThe values of these QRadar fields will be used for the playbook user name outputs.usernameRequired

Playbook Outputs#


PathDescriptionType
QRadar.DetectedUsersUsers detected based on the username field in your search.string
QRadar.DetectedInternalIPsInternal IP addresses detected based on fields and inputs in your search.string
QRadar.DetectedExternalIPsExternal IP addresses detected based on fields and inputs in your search.string
QRadar.DetectedInternalHostsInternal host names detected based on hosts in your assets table. Note that the data accuracy depends on how the Asset mapping is configured in QRadar.string
QRadar.DetectedExternalHostsExternal host names detected based on hosts in your assets table. Note that the data accuracy depends on how the Asset mapping is configured in QRadar.string

Playbook Image#


QRadar Indicator Hunting V2