SIEM & DETECTION · 8 MIN
Detecting APTs with the QRadar Suite: What Actually Works in 2026
Modern APT detection in QRadar Suite — why generic correlation rules fail, the four detection layers that actually catch nation-state tradecraft, and how QMasters tunes them at scale.
How do you detect Advanced Persistent Threats with IBM QRadar?
Detecting APTs in QRadar requires four layered detection capabilities working together: (1) Behavioral baselining via UBA to surface deviations from user and host norms, (2) MITRE ATT&CK-mapped use case content covering initial access, execution, persistence, and lateral movement, (3) Threat intelligence enrichment correlating internal events with high-fidelity IOC feeds, and (4) Cross-domain correlation joining endpoint, network, identity, and cloud telemetry in a single offense. Default QRadar content alone is not sufficient — APT detection requires custom DSM tuning, custom rules, and continuous content engineering against an ATT&CK coverage map.

Detecting APTs with the QRadar Suite: What Actually Works in 2026
Most SOCs running QRadar can detect commodity malware, brute force attempts, and policy violations. Detecting an actual Advanced Persistent Threat — APT29, APT41, Lazarus, Volt Typhoon — is a different problem entirely.
APTs use legitimate credentials. They use signed binaries the platform trusts. They operate during business hours. They exfiltrate data slowly enough to blend with normal traffic. The default correlation rule that catches a brute-force attack will not catch a nation-state operator who logged in cleanly with a stolen password three weeks ago and has been quietly mapping your Active Directory ever since.
This post is the working model QMasters uses to detect APT activity in QRadar Suite. It assumes you already have QRadar deployed and are past the basic content pack stage.
What "APT detection" actually means
Forget the marketing definition. Operationally, APT detection means catching adversaries who:
- Avoid the noisy techniques default rules detect
- Use living-off-the-land tools that look like admin activity
- Persist through environment changes (reboots, password resets, even reimages)
- Exfiltrate data over channels that look like normal business traffic
You are not looking for a single smoking-gun event. You are looking for patterns of low-confidence signals across multiple domains that, correlated, become high-confidence.
QRadar Suite is well-suited to this — when configured correctly. The four-layer model below is what we actually run.
Layer 1 — Behavioral baselining via QRadar UBA
The QRadar User Behavior Analytics app builds per-user and per-host baselines from authentication, network, and (if you have EDR integrated) endpoint activity. The detections that matter for APT work:
- First-seen authentication patterns — service account suddenly logging in interactively, admin logging in from a new geographic region, lateral authentication chains that don't match this user's history
- Privileged account anomalies — Domain Admin executing PowerShell on a workstation, sudden enrollment in MFA changes, group membership changes outside change windows
- Host behavior drift — workstation running tools (
certutil,bitsadmin,wmic,psexec) it has never run before, server initiating outbound connections to new external destinations
UBA is noisy out of the box. It needs 30–60 days of clean baseline data and aggressive tuning of low-value risk rules. Plan for that — UBA you don't tune is UBA you turn off.
Layer 2 — MITRE ATT&CK-mapped detection content
Build a coverage map. For each ATT&CK technique your threat model says matters, you should have:
- A QRadar building block or rule that detects it
- A documented data source dependency (which log source feeds it)
- A documented false-positive expectation
- An owner and a review cadence
The high-leverage techniques to start with for APT-style adversaries:
- T1078 Valid Accounts — impossible travel, unusual logon times, service-account interactive logon
- T1059 Command and Scripting Interpreter — encoded PowerShell, suspicious parent-child process trees (Office spawning cmd, etc.)
- T1003 OS Credential Dumping — LSASS access patterns, NTDS.dit access, suspicious DPAPI activity
- T1021 Remote Services — anomalous SMB lateral movement, RDP from atypical sources, PsExec usage
- T1071 Application Layer Protocol — DNS tunneling indicators, unusual HTTPS to never-before-seen domains
- T1567 Exfiltration Over Web Service — bulk uploads to cloud storage, anomalous traffic to file-sharing platforms
Each technique becomes one or more QRadar rules. You also want a dashboard that shows your coverage: which techniques have rules, which don't, which are firing, which haven't fired in 90 days (suspect — either dead detection or tuned out).
Layer 3 — Threat intelligence enrichment
QRadar's Threat Intelligence app lets you ingest feeds (commercial, open source, ISAC, internal) and use them as conditions inside rules. This is where the detection economics get attractive — a single high-fidelity IOC turns a low-signal log line into a confirmed alert.
What we run inside QMasters MCSS:
- DailyIOC feed — our internal CTI team's curated indicators (250K+ daily IOCs filtered to high-confidence subset), pushed into QRadar reference sets
- Vendor feeds — IBM X-Force, CrowdStrike Intel, sector-specific ISAC feeds
- Internal IOC sets — domains, hashes, and IPs from incidents we've handled, recycled into detection content for all customers
The point isn't to ingest every IOC ever published — that drowns the SOC. The point is to maintain a curated, decayed, scored reference set that adds high signal to existing rules.
→ Learn about DailyIOC threat intelligence
Layer 4 — Cross-domain correlation
This is where QRadar Suite earns its keep. A single domain rarely has enough signal. Combined, they do.
Example correlation chain — credential abuse → lateral movement → staging:
- Identity provider event: admin user authenticates from a new ASN (low confidence)
- EDR event 30 minutes later: same user runs
nltest,net group "Domain Admins",adfindon a workstation (medium confidence) - Network event 2 hours later: same workstation initiates SMB to 12 servers in the data center it has never connected to (high confidence)
- EDR event the next day: large archive (.7z, .zip) created in
%TEMP%on a file server (very high confidence)
Any one of these events, alone, generates a low-priority alert nobody actions. Together, in a QRadar offense that joins the four log sources on the username and asset, this is a near-certain APT in mid-attack.
Building these multi-stage correlations requires discipline:
- Reference sets that track entities across rules (an IP from rule 1 carries to rule 2's condition)
- Time windows wide enough to span attacker dwell (hours, not minutes)
- Scoring logic that elevates an offense once N building blocks have triggered for the same entity
- Investigator-facing context — when the offense fires, the analyst sees the chain, not four disconnected events
What we see go wrong
Across the QRadar deployments we've audited and adopted, the same patterns recur:
- DSM coverage gaps. Critical log sources (cloud admin events, SaaS audit logs, modern EDR) parsed as generic syslog or not at all. If parsing is broken, every detection downstream is broken.
- Rule sprawl. 800 enabled rules, 50 actually firing, 12 actually actioned. The other 750 generate background noise the SOC mentally filters out.
- No coverage map. Nobody can answer "do we detect T1003?" in under 10 minutes.
- Stale TI. Reference sets last updated 14 months ago, full of expired IOCs.
- Single-domain offenses. Every offense is from one log source, which means every alert is one signal — exactly the configuration APTs are designed to evade.
How to start
If you're running QRadar today and your APT detection posture is "we have UBA and some default rules":
- Build the ATT&CK coverage map. Spreadsheet, one row per technique, current state per technique.
- Pick the top 20 techniques that match your threat model. Build or tune content for each one.
- Curate your TI. Decay old IOCs, score remaining ones, document feed-by-feed value.
- Build at least 5 cross-domain correlation rules that span identity + endpoint + network.
- Schedule the next quarter's tuning work against the gap list.
This is a months-long effort — and it's the work most SOCs never get to because they're drowning in tier-1 triage.
Want the bigger picture? Visit QMasters, learn about our managed detection and response, or take a look at SaaS security.
Frequently asked questions
What is an APT in security terms?
An Advanced Persistent Threat is a sophisticated, often nation-state-affiliated adversary that gains long-term access to a target environment, operates with stealth, blends with legitimate activity, and pursues specific strategic objectives — espionage, IP theft, infrastructure pre-positioning.
Why aren't default QRadar rules enough for APT detection?
Default rules focus on noisy, well-known threats. APTs deliberately operate below those thresholds. Detecting them requires behavioral analytics, ATT&CK-mapped custom content, and cross-domain correlation that defaults don't provide.
How does QRadar Suite differ from legacy QRadar SIEM?
QRadar Suite unifies SIEM, SOAR, EDR, and threat intelligence on a shared open data architecture, giving you a single correlation surface across endpoint, network, and identity telemetry without custom integration work.
Where does QMasters fit?
We operate QRadar deployments at scale across 240+ enterprise customers, with our own SOC engineering team building and tuning ATT&CK-mapped content and feeding curated DailyIOC threat intelligence into customer environments.
---
Want a free QRadar APT-readiness audit?
Our IBM-certified engineers will review your DSM coverage, ATT&CK map, rule health, and correlation strategy. You'll leave with a prioritized gap list and a 90-day improvement roadmap. Book your audit →
FAQ
Frequently asked questions.
An Advanced Persistent Threat is a sophisticated, often nation-state-affiliated adversary that gains long-term access to a target environment, operates with stealth, blends with legitimate activity, and pursues specific strategic objectives — espionage, IP theft, infrastructure pre-positioning. Examples include APT29, APT41, Lazarus Group, and Volt Typhoon.
Default content focuses on noisy, well-known threats — brute force, malware signatures, port scans. APTs deliberately operate below those thresholds: legitimate credentials, signed binaries, business-hours activity, low-and-slow data movement. Detecting them requires behavioral analytics, ATT&CK-mapped custom content, and cross-domain correlation that defaults don't provide.
QRadar Suite (2023+) unifies SIEM, SOAR, EDR, and threat intelligence on a shared open data architecture. For APT detection this means a single correlation surface across endpoint and network telemetry, federated search across hot and cold data, and integrated case management — capabilities that previously required custom integration work.
ABOUT THE AUTHOR
Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.