
QRadar and X-Force integration

By Gladys Koskas posted Wed May 18, 2022 01:52 PM


Hey guys!

You guessed it from the title, today I would like to talk about X-Force!
A lot of information is available in many places, but it's always easier when things are centralised.
So I would like to take you through the different types of integration between X-Force and QRadar, the use cases for each of them and some secrets that shouldn't be!

Free or paid license: what's the difference?

Here is what you can do with a free license

  • Search for IOCs and access collections in the X-Force Exchange portal 
  • API integration (limited to 5000 records per month)
    • Search for IP and URL reputation through the API
    • Pull collections via TAXII feeds

As a QRadar user you get an extra advantage: you can do unlimited lookups to the X-Force Threat Intelligence database. I'll get into the detail of that in a little bit.

With a paid license you get everything above plus:

  • Malware Analysis reports
  • Threat Groups reports
  • Threat Activity reports
  • Industry reports
  • Advanced Threat Protection Feed (ATPF) available for export
    • Early Warning IOCs
    • Other actionable IoCs by category (malware, botnet, c2, phishing, scanning, anonymization service, and crypto mining service)
  • "Am I Affected" functionality, which lets you search the log and network activity for IOCs in one click (documentation here, configuration steps here)

To get a free trial license or subscribe to the service, follow this link.

How does it integrate with QRadar?

Paid license option

Yeah, I'm starting with the shorter option explanation :) 

If you opt for the paid license, all you have to do is:

  • Go on the App Exchange, download the Threat Intelligence App,
  • Install the app as usual (documentation here),
  • Add your X-Force API key and password (documentation for key generation here)

Everything will just work!

The app comes with a full set of Reference Sets and the collections will be downloaded automatically. All you have to do is create the rules you want or download content extensions from the App Exchange (such as my faves, the Threat and Endpoint content extension)!

And that's it! I said it was short!

Free license option

As I mentioned earlier, as a QRadar customer you get some benefits even if you are using the free license. It is super simple to integrate but there are a few things I want to explain as well.

1. Use the embedded filters

No need to create Reference Sets: lookup is native in rules and searches. In both places you can use regular filters or AQL ones.

2. Do not use the TAXII Feeds to populate your Reference Sets

The TAXII feeds are a great source of content, but only if they are used as what they really are, meaning real-time information.

If you fill your Reference Sets with the TAXII feeds, you might very quickly end up with a lot of false positives. An IP address sent through the feeds might be a true positive at the time you receive it, but 100% benign a few hours later.
Even with fine tuning of the Reference Set data expiration, you might still end up with a lot of false positives.

With a free license, your best chance of finding true positives remains the embedded lookup function I mentioned just above; this is going to be the most up-to-date information. Keep the "XFE ATPF" Reference Sets for ATPF content (paid license) and the other Reference Sets for other sources of threat intelligence (feeds or investigation results).

3. You can verify that your connection with the XFE is still working 

This has already been written by someone else, I am only making sure the information gets to you.
You'll find how to check your connection here.


4. Make sure X-Force is enabled

You can verify that in Admin > System Settings > Enable X-Force Threat Intelligence Feed.

5. Rules need to be adapted to meet your needs

The rules that are provided with various content extensions (IBM or not) are meant to be guides for you.
Thanks to them you can discover the options that are available to you, so don't hesitate to tune the content.

It is not uncommon to see hundreds of offenses being opened because of a scanning IP; it happens all the time. Even a fridge or a lamp could be scanning your network, so what you want is to create smarter offenses, by adding filters to your rules or correlating events.
Here is an example of a rule that is a little bit more complex and gives less room to false positives:

Apply Communication with a Potential Hostile Host on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Operating System
and when the event category for the event is one of the following Audit.General Audit Event, System.Process Creation Success, Audit.Command Execution Success, Audit.Command Execution Attempt, Application.DNS In Progress
and when the event matches UrlHost (custom) is not N/A
and when the event matches XFORCE_URL_CATEGORY("UrlHost") in ('Anonymization Services','Malware', 'Botnet Command and Control Server', 'Spam URLs', 'Cryptocurrency Mining', 'Bots', 'Phishing URLs') OR REFERENCESETCONTAINS('Malicious URLs',"UrlHost") OR REFERENCESETCONTAINS('Malware URLs',"UrlHost") OR REFERENCESETCONTAINS('Phishing URLs',"UrlHost") AQL filter query

This rule focuses on critical event types happening on endpoints only. If you see a connection to a suspicious address in this context, the likelihood of catching a true positive is much greater.
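
As an added example (not part of the original post or of any IBM content extension), the same tests can be run as an ad-hoc AQL search to see how many events the rule would match, per host and category, before enabling it. The low-level category names, the 24-hour window and the column aliases are assumptions; the building-block test on operating system log sources has no direct AQL equivalent here, so the log source type is returned as a column to review instead.

```sql
-- Added example: ad-hoc AQL search approximating the rule's tests.
-- "UrlHost" and the three reference set names come from the rule above.
-- Assumptions: "is not N/A" is expressed as IS NOT NULL, and the event
-- categories are matched by their low-level category names.
SELECT
    "UrlHost"                      AS url_host,
    XFORCE_URL_CATEGORY("UrlHost") AS xforce_category,
    LOGSOURCETYPENAME(devicetype)  AS log_source_type,
    CATEGORYNAME(category)         AS low_level_category,
    COUNT(*)                       AS event_count
FROM events
WHERE "UrlHost" IS NOT NULL
  -- Only the endpoint-style event categories listed in the rule
  AND CATEGORYNAME(category) IN (
        'General Audit Event', 'Process Creation Success',
        'Command Execution Success', 'Command Execution Attempt',
        'DNS In Progress')
  -- Live X-Force lookup first, curated reference sets as a second source
  AND (
        XFORCE_URL_CATEGORY("UrlHost") IN (
            'Anonymization Services', 'Malware',
            'Botnet Command and Control Server', 'Spam URLs',
            'Cryptocurrency Mining', 'Bots', 'Phishing URLs')
        OR REFERENCESETCONTAINS('Malicious URLs', "UrlHost")
        OR REFERENCESETCONTAINS('Malware URLs', "UrlHost")
        OR REFERENCESETCONTAINS('Phishing URLs', "UrlHost")
      )
GROUP BY "UrlHost", devicetype, category
ORDER BY event_count DESC
LAST 24 HOURS
```

Rows whose log source type is not an operating system are the ones the building-block test in the rule would exclude, which makes them a quick measure of how much noise that test removes.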

I hope this will help with the understanding of the different benefits of having a free or a paid license, and how to use the great content produced by the X-Force team in QRadar.
I will come back to you soon with more content deep dives!

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.