IBM QRadar

  • 1.  Any document for Q-Radar integrate with MISP

    Posted Tue July 20, 2021 04:16 AM

    Hi expert,

    I would like to ask for your help with the integration between Q-Radar and MISP, because I'm quite new to Q-Radar and MISP and I need to integrate MISP with Q-Radar to feed in threat intelligence.

    Are there any documents you would recommend or advise?

    Thanks in advance.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Any document for Q-Radar integrate with MISP

    Posted Tue July 20, 2021 04:05 PM

    I would probably set up a MISP Taxii endpoint and pull in the data using the QRadar Threat Intel App, as long as the MISP Taxii feed provides data in STIX 1.2 format. Most IOCs in QRadar are pulled via the Threat Intel App and added to a reference set, which can be used in rules, searches, reports, etc. There are other options, but I think looking to see if there are existing STIX/TAXII feeds would be the easiest option. If there is a method to get the data in STIX/TAXII, you should be able to import it. Or you could add a tool to get the MISP feed on a local server, convert it, and import it to a reference set in QRadar. There is a list of tools here:

    • https://www.misp-project.org/tools/ (Full tools list)
    • https://github.com/MISP/MISP-Taxii-Server (Taxii server config info)
    • https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/xforceexchange.py (I would look to see if you can get a feed in X-Force, which would make it easy to import).



    #QRadar
    #Support
    #SupportMigration
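The second route mentioned in the reply above (pull the MISP feed locally, convert it, and load it into a QRadar reference set) can be done with a short script. The following is an added example for this thread, not code from the MISP or QRadar projects or from the poster. It assumes MISP's `POST /attributes/restSearch` JSON API and QRadar's `POST /api/reference_data/sets/bulk_load/{name}` API; the reference-set names in `TYPE_TO_SET`, the host names, the token and the embedded MISP response are all constructed placeholders. Only attributes flagged `to_ids` are loaded, soft-deleted attributes are skipped, and duplicates across `ip-src`/`ip-dst` collapse into one value so the same indicator is not pushed twice.

```python
"""Pull MISP attributes, convert them, and build QRadar reference-set loads.

Added example for this thread; not MISP or QRadar project code.
Assumed APIs: MISP POST /attributes/restSearch (JSON) and
QRadar POST /api/reference_data/sets/bulk_load/{name} (JSON array body).
"""
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

# MISP attribute type -> (QRadar reference set name, QRadar element type).
# The set names and the IP/ALNIC split are choices made for this example.
TYPE_TO_SET = {
    "ip-src": ("MISP_IPs", "IP"),
    "ip-dst": ("MISP_IPs", "IP"),
    "domain": ("MISP_Domains", "ALNIC"),
    "hostname": ("MISP_Domains", "ALNIC"),
    "url": ("MISP_URLs", "ALNIC"),
    "md5": ("MISP_Hashes", "ALNIC"),
    "sha1": ("MISP_Hashes", "ALNIC"),
    "sha256": ("MISP_Hashes", "ALNIC"),
}

# Constructed MISP restSearch response so the script runs offline.
SAMPLE_MISP_RESPONSE = {
    "response": {
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True, "deleted": False},
            {"type": "ip-src", "value": "198.51.100.23", "to_ids": True, "deleted": False},
            {"type": "domain", "value": "malicious.example", "to_ids": True, "deleted": False},
            {"type": "sha256",
             "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
             "to_ids": True, "deleted": False},
            {"type": "ip-dst", "value": "203.0.113.9", "to_ids": False, "deleted": False},
            {"type": "comment", "value": "analyst note", "to_ids": False, "deleted": False},
            {"type": "domain", "value": "old.example", "to_ids": True, "deleted": True},
        ]
    }
}


def misp_search_request(misp_url, api_key, days=7):
    """Build the MISP restSearch request for recent, published, to_ids attributes."""
    body = {
        "returnFormat": "json",
        "type": sorted(TYPE_TO_SET),
        "to_ids": True,
        "published": True,
        "timestamp": f"{days}d",  # relative window accepted by restSearch
    }
    return Request(
        f"{misp_url.rstrip('/')}/attributes/restSearch",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
    )


def group_attributes(misp_response):
    """Return {reference_set_name: sorted unique values} from a restSearch response."""
    grouped = {}
    for attr in misp_response.get("response", {}).get("Attribute", []):
        if attr.get("deleted") or not attr.get("to_ids"):
            continue  # soft-deleted or not meant for detection
        mapping = TYPE_TO_SET.get(attr.get("type"))
        if mapping is None:
            continue  # attribute type we do not map to a reference set
        set_name, _element_type = mapping
        grouped.setdefault(set_name, set()).add(attr["value"].strip())
    return {name: sorted(values) for name, values in grouped.items()}


def qradar_bulk_load_request(qradar_host, sec_token, set_name, values):
    """Build the QRadar bulk_load request; the set must already exist."""
    url = f"https://{qradar_host}/api/reference_data/sets/bulk_load/{quote(set_name)}"
    return Request(
        url, data=json.dumps(values).encode(), method="POST",
        headers={"SEC": sec_token, "Accept": "application/json",
                 "Content-Type": "application/json"},
    )


def send_json(req, timeout=30):
    """Send a built request and decode the JSON reply (network; not run below)."""
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run on the constructed sample: show what would be pushed.
    for name, values in group_attributes(SAMPLE_MISP_RESPONSE).items():
        req = qradar_bulk_load_request("qradar.example", "SEC-TOKEN-PLACEHOLDER", name, values)
        print(f"{name}: {len(values)} value(s) -> {req.full_url}")
```

To run it for real, replace `SAMPLE_MISP_RESPONSE` with `send_json(misp_search_request(...))`, create the three reference sets in QRadar first with the element types listed in `TYPE_TO_SET`, and call `send_json` on each bulk-load request. A QRadar console often presents a self-signed certificate; trust that certificate explicitly on the host running the script rather than disabling verification, and give the script an authorized service token scoped to reference data rather than an admin user's token.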


  • 3.  RE: Any document for Q-Radar integrate with MISP

    Posted Tue July 20, 2021 04:06 PM

    Hi,

    QRadar imports threat feeds using the QRadar Threat Intelligence (TI) App, which eventually connects to a STIX/TAXII server endpoint.

    So, if you are trying to integrate MISP, then you should create a custom STIX/TAXII server and then configure the QRadar TI App to discover the collections via your custom URL endpoint.

    You can take a look at these GitHub repos for reference:

    https://github.com/MISP/MISP-Taxii-Server

    https://github.com/MISP/MISP-STIX-Converter



    #QRadar
    #Support
    #SupportMigration