Installing and Configuring Content Packs for QRadar

This guide describes how to deploy Content Packs for QRadar based on the recommended example of the “SOC Prime – Sigma Custom Event Properties” content item available on the SOC Prime Platform. This recommended Content Pack contains extended Custom Event Properties used in Sigma translations. 

Note:
SOC Prime recommends installing the Sigma Custom Event Properties Content Pack for QRadar by default. Once it is installed, all Sigma translations for QRadar that are available on the SOC Prime Platform and verified by SOC Prime work out of the box, without the need to configure Custom Field Mapping settings.

Downloading the Recommended Content Pack from the SOC Prime Platform

  1. Log in to the SOC Prime Platform with your user credentials.
  2. Select Threat Detection Marketplace > Get Started.
  3. Select Search from the navigation panel.
  4. To find the recommended Content Pack on the Platform, enter the keywords “custom event properties” in the Content Search field and select SOC Prime – Sigma Custom Event Properties from the suggested options.

    Search Recommended Content Pack for QRadar

  5. Drill down to the content item by clicking “SOC Prime – Sigma Custom Event Properties” on the Search page filtered according to your search criteria. The Content Pack page automatically displays the QRadar tab as the pre-selected platform.
  6. On the content item page, check the Additional Info section to confirm that the recommended content is compatible with your environment.

    View the Additional Info section for the compatibility of the recommended Content Pack with your environmental characteristics

  7. Download the “SOC Prime – Sigma Custom Event Properties” Content Pack by clicking the Download button in the upper right-hand corner of the page.

Download recommended Content Pack for QRadar

Note:
To be able to install the “SOC Prime – Sigma Custom Event Properties” Content Pack to your environment, make sure you are using IBM QRadar 7.2.8 or a newer version.

Installing the Recommended QRadar Content Pack 

To install the recommended Content Pack to your QRadar instance:

  1. After logging in to your SIEM instance, select the Admin tab.
  2. Select Extensions Management from the System Configurations menu.

    Select Extensions Management from the System Configurations menu

  3. Click the Add button.

    Click the Add button

  4. Then click the Browse button and select the downloaded archive with the “SOC Prime – Sigma Custom Event Properties” content.

    Click the Browse button to add a new extension

  5. Select Install immediately and confirm the installation by clicking Add.
  6. To complete the installation, on the Confirm Installation pop-up, click the Install button.

To complete installation, on the Confirm Installation pop-up, click the Install button

That’s it: you have successfully installed the “SOC Prime – Sigma Custom Event Properties” Content Pack for QRadar. You are now all set to deploy SOC Prime verified Sigma rules translated to the QRadar language format out of the box, without additional customization settings.

Striving to create vendor-agnostic code instantly convertible to 64 query languages? Rely on Uncoder AI to make the most of bi-directional query translation to the SIEM, EDR, or XDR language format of your choice backed by augmented intelligence and collective industry expertise.

The post Installing and Configuring Content Packs for QRadar appeared first on SOC Prime.