QRadar Advisor with Watson

Click roadmap title to expand/collapse roadmap

QRadar Advisor with Watson Roadmap

The total time required to complete this roadmap is 8h 15m.

This roadmap outlines fundamental courses intended for someone who works with IBM QRadar Advisor with Watson. These courses introduce you to cognitive analytics and the QRadar Advisor architecture and deployment models and help you to deploy QRadar Advisor into your overall QRadar environment.


Review the following courses to learn about QRadar Advisor concepts and architecture and how to use the cognitive analytics capabilities for your threat investigations.

QRadar preparation

Before you install and configure QRadar Advisor with Watson, you must tune your QRadar deployment to leverage the QRadar Advisor analytic capabilities in the best way.

Setup and installation

During the installation process, you must address specific critical configuration parameters to make your QRadar Advisor as efficient as possible.

Configure QRadar Advisor with Watson

Once QRadar Advisor is installed, you can leverage certain features to improve your experience with the application.


In this learning path, we present examples of how you can best leverage QRadar Advisor's potential during your investigations.

Investigating offenses by using QRadar Advisor with Watson version 2.x - Virtual lab

In this lab, you learn how to configure and use the QRadar Advisor with Watson app in a QRadar offense investigation.

You learn to use regular expressions to extract QRadar custom properties and configure reference sets, rules, network hierarchy, and assets. The lab also walks you through the investigation process and you learn how to interpret QRadar Advisor knowledge graphs.

The lab provides an overview of the Cyber Adversary Framework Mapping Application. This app is used to map your custom rules to MITRE ATT&CK tactics and override the IBM default rule mappings.

The QRadar Advisor with Watson app V2.0.0 automatically maps MITRE ATT&CK tactics to CRE rules. In the QRadar Advisor with Watson app, you can see the tactics that are identified for an offense investigation. They are displayed in the offense details pane.


  • Learn about QRadar configuration changes and updates necessary for a successful QRadar Advisor with Watson investigation

    • Extract custom properties from various log sources

    • Update relevant reference sets

    • Create QRadar rules

    • Enable X-Force threat intelligence feed

    • Update network hierarchy and critical assets

    • Configure QRadar SIEM and QRadar Advisor to show files that were executed or that were blocked on the systems that are monitored by QRadar SIEM

  • Update the QRadar Advisor configuration to use proper custom mappings

  • Learn how to run investigations and interpret the QRadar Advisor knowledge graph

  • Configure and use the Cyber Adversary Framework Mapping Application