IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

Threat Intel App: Unable to fetch data from TAXII v2.1

  • 1.  Threat Intel App: Unable to fetch data from TAXII v2.1

    Posted 2 days ago

    Hello Everyone,

    I need guidance on configuring a Threat Feed downloader using the Threat Intel App to connect to a TAXII 2.1 server.

    I have configured the threat feed downloader in Qradar by following steps mentioned in 

    Adding threat intelligence feeds

    I selected TAXII version 2.0 during configuration. The setup wizard completed successfully, and I was able to select the desired dataset. However, after completing the setup, polling the connector does not result in any signature/observable downloads. Additionally, following errors are logged in the QRadar log file. 

    =============================================================

    2025-06-27 16:25:03,286 [com.ibm.ThreatIntelligence] [taxii_ctxt.py:698] [INFO] - Retrieving observables from <TAXII-feed-URL> for collection 66156f6b-28ed-4d26-ba3d-5a44322486ef between 2025-06-27T10:29:26Z and 2025-06-27T10:55:03Z...
    2025-06-27 16:25:05,610 [com.ibm.ThreatIntelligence] [taxii_ctxt.py:789] [ERROR] - Unable to retrieve STIX 2.0 observable(s) from <TAXII-feed-URL>; Unexpected Response. Got Content-Type: 'application/taxii+json;version=2.1' for Accept: 'application/vnd.oasis.taxii+json; version=2.0'
    If you are trying to contact a TAXII 2.0 Server use 'from taxii2client.v20 import X'
    If you are trying to contact a TAXII 2.1 Server use 'from taxii2client.v21 import X'
    2025-06-27 16:25:05,610 [com.ibm.ThreatIntelligence] [poll.py:92] [INFO] - Updating QRadar with observables from collection 66156f6b-28ed-4d26-ba3d-5a44322486ef found in TAXII feed <TAXII-feed-URL>https://soar123:443/api/taxii/1/collections" href="https://soar123:443/api/taxii/1/collections" rel="noreferrer noopener" target="_blank" class="fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://soar123/api/taxii/1/collections">

    =============================================================

    Does qradar support TAXII v2.1? I am not sure since the discovery went fine with the same server and it was able to discover the list of available datasets correctly.

    Thanks & Regards,

    -Rohan



    ------------------------------
    Rohan Patil
    ------------------------------


Related Content