Hello Everyone,
I need guidance on configuring a Threat Feed downloader using the Threat Intel App to connect to a TAXII 2.1 server.
I have configured the threat feed downloader in QRadar by following the steps mentioned in "Adding threat intelligence feeds".
I selected TAXII version 2.0 during configuration. The setup wizard completed successfully, and I was able to select the desired dataset. However, after completing the setup, polling the connector does not result in any signature/observable downloads. Additionally, the following errors are logged in the QRadar log file.
=============================================================
2025-06-27 16:25:03,286 [com.ibm.ThreatIntelligence] [taxii_ctxt.py:698] [INFO] - Retrieving observables from <TAXII-feed-URL> for collection 66156f6b-28ed-4d26-ba3d-5a44322486ef between 2025-06-27T10:29:26Z and 2025-06-27T10:55:03Z...
2025-06-27 16:25:05,610 [com.ibm.ThreatIntelligence] [taxii_ctxt.py:789] [ERROR] - Unable to retrieve STIX 2.0 observable(s) from <TAXII-feed-URL>; Unexpected Response. Got Content-Type: 'application/taxii+json;version=2.1' for Accept: 'application/vnd.oasis.taxii+json; version=2.0'
If you are trying to contact a TAXII 2.0 Server use 'from taxii2client.v20 import X'
If you are trying to contact a TAXII 2.1 Server use 'from taxii2client.v21 import X'
2025-06-27 16:25:05,610 [com.ibm.ThreatIntelligence] [poll.py:92] [INFO] - Updating QRadar with observables from collection 66156f6b-28ed-4d26-ba3d-5a44322486ef found in TAXII feed <TAXII-feed-URL>
=============================================================
Does QRadar support TAXII v2.1? I am not sure since the discovery went fine with the same server and it was able to discover the list of available datasets correctly.
Thanks & Regards,
-Rohan
------------------------------
Rohan Patil
------------------------------
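
The ERROR line in the post above reports a media-type negotiation failure: the request carried the TAXII 2.0 `Accept` value and the server answered with the TAXII 2.1 `Content-Type`. The following is an added example, not part of the original post and not code from the Threat Intelligence app; it parses such a log line and reports which TAXII version each side used. The function names are hypothetical, and falling back to the media type's own version when no `version` parameter is present is an assumption.

```python
import re

# Media types from the TAXII specifications: 2.0 uses the vnd.oasis type,
# 2.1 uses application/taxii+json.
TAXII_MEDIA = {
    "application/vnd.oasis.taxii+json": "2.0",
    "application/taxii+json": "2.1",
}

def parse_media_type(value):
    """Split 'type/subtype; k=v' into (lowercased type, {param: value})."""
    base, *params = [p.strip() for p in value.split(";")]
    parsed = {}
    for p in params:
        if "=" in p:
            k, v = p.split("=", 1)
            parsed[k.strip().lower()] = v.strip().strip('"')
    return base.lower(), parsed

def taxii_version(value):
    """Return the TAXII version a header value implies, or None if not TAXII."""
    base, params = parse_media_type(value)
    default = TAXII_MEDIA.get(base)
    if default is None:
        return None
    # Assumption: with no version parameter, use the media type's own version.
    return params.get("version", default)

# Wording of the "Unexpected Response" message as it appears in the post's log.
MISMATCH = re.compile(r"Got Content-Type: '([^']*)' for Accept: '([^']*)'")

def diagnose(log_line):
    """Explain an 'Unexpected Response' log line, or return None if absent."""
    m = MISMATCH.search(log_line)
    if not m:
        return None
    served, requested = taxii_version(m.group(1)), taxii_version(m.group(2))
    return {"server": served, "client": requested, "mismatch": served != requested}

# The ERROR line from the post, shortened (feed URL omitted).
SAMPLE = ("[taxii_ctxt.py:789] [ERROR] - Unable to retrieve STIX 2.0 observable(s); "
          "Unexpected Response. Got Content-Type: 'application/taxii+json;version=2.1' "
          "for Accept: 'application/vnd.oasis.taxii+json; version=2.0'")

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```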