What is it?
A way to grab Seculert’s Crime Servers and Threat Intelligence Records (via their API) and push them into QRadar’s Remote Networks, which then you can build Rules upon. The beauty of this is that in reality it shows you how to more generally push custom “BAD” IPs/Networks into QRadar and auto-deploy them. You can use any list of IPs/networks. If it’s CSV, it should be an absolute breeze to import.
You need to go into ‘seculert_qradar.pl’ and edit the ‘#START USER CONFIG’ section. The first variable you will see is the “seculert” api key – which you can get from your Seculert account (fantastic service http://seculert.com), but again, this can be easily be any CSV list. The idea is that you download both feeds and convert them into the “IP” format that QRadar understands with the “Network” (in this case ‘SECULERT’) ID and the Sub-ID (in this case ‘CS’ and ‘TIR’). Then you pull the existing remotenet.conf file, and prune out the old SECULERT list, and then merge in the new one that you just pulled. Then you upload the new file back to QRadar and auto-trigger the deployment (here is the real qradar magic).