
[QRadar Connector : Must create different reference sets for each hash type in case of files] #2648

Closed
vishesh-verma-coder opened this issue Sep 13, 2024 · 0 comments
Labels: feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)

Comments

@vishesh-verma-coder

Use case

When the entity type is Indicator and the main observable is File, with a STIX pattern including, say, more than 1 hash [MD5, SHA1, SHA256, SHA512], at present all these hashes are added to one reference set "File Hashes".
This is a problem as QRadar has an upper limit on elements (observables) it can store in a reference set. By default a reference set in QRadar can have 100k elements for optimal performance, which can be increased but not to a limit that can cater for a high number of hashes.

Current Workaround

At present there is no workaround; qradar.py can be modified locally to get it done.

Proposed Solution

Instead of creating a single reference set for all file hashes, the stream connector should have separate ones for MD5, SHA1, SHA256…

Something like:
OpenCTI - File Hashes (MD5)
OpenCTI - File Hashes (SHA1)
OpenCTI - File Hashes (SHA256)
OpenCTI - File Hashes (SHA512)
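The per-algorithm routing proposed above, as an added example that is not the connector's own code: it parses the file hash comparisons out of a STIX indicator pattern and groups each value under the reference set it would belong to. The regex, the reference set naming and the sample pattern are assumptions based on this issue, not taken from qradar.py.

```python
import re
from collections import defaultdict

# Hash algorithm names as they appear in STIX 2.1 patterns, normalised
# (uppercase, hyphens removed) to the suffix used in the reference set name.
SUPPORTED_SUFFIXES = {"MD5", "SHA1", "SHA256", "SHA512"}

# Assumed naming scheme, following the names proposed in this issue.
REFERENCE_SET_PREFIX = "OpenCTI - File Hashes"

# Matches both the bare form  file:hashes.MD5 = '...'
# and the quoted form          file:hashes.'SHA-256' = '...'
_HASH_RE = re.compile(
    r"file:hashes\.'?(?P<algo>[A-Za-z0-9-]+)'?\s*=\s*'(?P<value>[^']+)'"
)


def reference_set_name(algorithm: str) -> str:
    """Map a STIX hash algorithm name (e.g. 'SHA-256') to its reference set name."""
    suffix = algorithm.upper().replace("-", "")
    if suffix not in SUPPORTED_SUFFIXES:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return f"{REFERENCE_SET_PREFIX} ({suffix})"


def split_hashes_by_set(pattern: str) -> dict:
    """Return {reference_set_name: [hash, ...]} for every file hash in a pattern.

    Hashes of algorithms that have no reference set (e.g. SSDEEP) are skipped,
    and values are lowercased so the same hash is not stored twice in QRadar.
    """
    sets = defaultdict(list)
    for match in _HASH_RE.finditer(pattern):
        suffix = match.group("algo").upper().replace("-", "")
        if suffix not in SUPPORTED_SUFFIXES:
            continue
        sets[reference_set_name(suffix)].append(match.group("value").lower())
    return dict(sets)


if __name__ == "__main__":
    # Constructed sample: the MD5 and SHA-256 of an empty file in one pattern.
    sample = (
        "[file:hashes.MD5 = 'D41D8CD98F00B204E9800998ECF8427E' OR "
        "file:hashes.'SHA-256' = "
        "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"
    )
    for name, values in split_hashes_by_set(sample).items():
        print(name, values)
```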

@vishesh-verma-coder vishesh-verma-coder added feature use for describing a new feature to develop needs triage use to identify issue needing triage from Filigran Product team labels Sep 13, 2024
@romain-filigran romain-filigran removed the needs triage use to identify issue needing triage from Filigran Product team label Sep 13, 2024
@SamuelHassine SamuelHassine added this to the Release 6.3.0 milestone Sep 13, 2024
@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Sep 14, 2024