IBM QRadar

  • 1.  Qradar Threat Intelligence

    Posted Mon July 19, 2021 04:54 AM
    I'm using the QRadar trial version. I'm using QRadar Threat Intelligence to integrate with TAXII 1.1 (OpenTAXII, https://github.com/eclecticiq/OpenTAXII). But I'm facing a data sync problem. I see the data on QRadar showing incorrect information. In the Configured Threat Intelligence feeds screen, I see QRadar showing 7,306,991 feeds, but actually in my TAXII DB it's only about 9800. I click to get details and see QRadar shows 295,000. These parameters do not match and are incorrect. I attach the screenshots. Please help me to understand this problem.

    https://photos.app.goo.gl/dx39EfJkD2FweM1Q9

    https://photos.app.goo.gl/N3NW7zNSiN8xbPQQ6



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Qradar Threat Intelligence

    Posted Mon July 19, 2021 07:11 AM

    Hi, I am also looking into this at the moment. What I found out so far is that this function is not a synchronisation. The feeds will get downloaded, but if something gets removed from the feed it will not be deleted in your ref set.

    Items from the ref set will get removed if they age out (time to live option) or they get removed by a rule action.

    When you configure a feed, QRadar will look for entries that were added since the last poll, or newer than the "poll initial date" if this is the first time. This could explain the difference you see.

    I am also searching for a solution for syncing the reference data. If anybody knows one, please let us know.

    Regards

    Martin



    #QRadar
    #Support
    #SupportMigration
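One way to see where the counts diverge, as an added example that is not part of this thread and not QRadar or OpenTAXII code: it reconciles a reference set dump against what the TAXII collection currently holds, separating entries the feed dropped (which QRadar keeps until TTL or a rule action removes them) from entries older than the poll initial date (which the first poll never fetched). The dump shape, the sample indicators and the DELETE route are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample in the shape of GET /api/reference_data/sets/<name>
# (values under data[].value, first_seen in epoch milliseconds); not a real dump.
REF_SET_DUMP = {
    "name": "taxii_ips", "element_type": "IP", "number_of_elements": 4,
    "data": [
        {"value": "198.51.100.7", "first_seen": 1626000000000, "source": "TAXII"},
        {"value": "203.0.113.9", "first_seen": 1626100000000, "source": "TAXII"},
        {"value": "192.0.2.44", "first_seen": 1625500000000, "source": "TAXII"},
        {"value": "203.0.113.250", "first_seen": 1625600000000, "source": "TAXII"},
    ],
}
# Constructed sample of the TAXII collection: (indicator, time it was added).
TAXII_INDICATORS = [
    ("198.51.100.7", "2021-07-10T00:00:00Z"),
    ("203.0.113.9", "2021-07-12T09:30:00Z"),
    ("192.0.2.1", "2021-06-01T00:00:00Z"),       # older than the poll initial date
    ("198.51.100.200", "2021-07-15T00:00:00Z"),  # newer, but not yet in the set
]
POLL_INITIAL_DATE = "2021-07-01T00:00:00Z"  # the feed's "poll initial date" setting

def parse_iso(ts):
    """Parse an ISO-8601 UTC timestamp such as 2021-07-10T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def reconcile(ref_set_dump, taxii_indicators, poll_initial_date):
    """Classify the differences between the reference set and the feed:
    stale = in the set but gone from the feed (only TTL or a rule removes these),
    before_initial_date = in the feed but older than the poll initial date, so the
    first poll never fetched them, unexplained = newer than that date yet absent."""
    cutoff = parse_iso(poll_initial_date)
    ref_values = {e["value"] for e in ref_set_dump["data"]}
    taxii_values = {v for v, _ in taxii_indicators}
    missing = [(v, parse_iso(t)) for v, t in taxii_indicators if v not in ref_values]
    return {
        "stale": sorted(ref_values - taxii_values),
        "before_initial_date": sorted(v for v, t in missing if t < cutoff),
        "unexplained": sorted(v for v, t in missing if t >= cutoff),
    }

def purge_requests(set_name, stale_values):
    """Dry run: build (but do not send) the API calls that would drop stale values.
    Assumes the documented DELETE /api/reference_data/sets/{name}/{value} route."""
    return [f"DELETE /api/reference_data/sets/{set_name}/{quote(v, safe='')}"
            for v in stale_values]
```

Run `reconcile` against a real dump of your set before deciding whether the stale entries should be aged out with a TTL or purged; the "unexplained" bucket is the one worth checking against the feed's polling log.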