IBM Security QRadar


QRadar and X-Force integration

By Gladys Koskas posted Wed May 18, 2022 01:52 PM


Hey guys!

You guessed it from the title: today I would like to talk about X-Force!
A lot of information is available in many places, but it's always easier when things are centralised.
So I would like to take you through the different types of integration between X-Force and QRadar, the use cases for each of them, and some secrets that shouldn't be!

Free or paid license: what's the difference?

Here is what you can do with a free license:

  • Search for IOCs and access collections in the X-Force Exchange portal 
  • QRadar SIEM (Classic) users who access the QRadar Threat Intelligence App get a few extra benefits:
    • Complimentary access to their collections on X-Force Exchange.
    • Complimentary access to the TAXII feeds marked “Included with TI for IBM QRadar app”.
    • In QRadar V7.5 and later, unlimited access to the X-Force Threat Intelligence IP and URL reputation data feed.


As a QRadar Classic SIEM user you get an extra advantage: you can do unlimited lookups against some of the content available via X-Force Threat Intelligence. I'll get into the details of that in a little bit.

With a paid license you get everything above and can choose between the IBM X-Force Threat Intelligence Essentials, Standard or Premium tiers.

How does it integrate with QRadar?

Paid license option

Yeah, I'm starting with the option that has the shorter explanation :)

If you opt for the paid license, all you have to do is:

  • Go to the App Exchange and download the Threat Intelligence App,
  • Install the app as usual (documentation here),
  • Add your X-Force API key and password (documentation for key generation here).

Everything will just work!

The app comes with a full set of Reference Sets, and the collections are downloaded automatically. All you have to do is create the rules you want, or download content extensions from the App Exchange (such as my faves, the Threat and Endpoint content extensions)!

And that's it! I said it was short!


Free license option

As I mentioned earlier, as a QRadar customer you get some benefits. The integration is super simple, but there are a few things I want to explain as well.

1. Use the embedded filters

No need to create Reference Sets: the X-Force lookup is native in rules and searches. In both places you can use regular filters


or AQL ones
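As an added example (mine, not from the original post), here are two AQL searches you can run from Log Activity > Advanced Search that use the embedded X-Force lookup functions directly, with no Reference Set involved. They assume the X-Force feed is enabled (see point 4 below) and that a custom event property named UrlHost exists and is extracted from your proxy or DNS events; the category names and the confidence threshold are illustrative values to adjust. The fence is tagged sql only for highlighting; the queries are AQL.

```sql
-- Added example, not part of the original post. Language: AQL.
-- Assumes: X-Force feed enabled; custom event property "UrlHost" exists.
-- Run each SELECT separately; the Advanced Search box takes one statement at a time.

-- 1. Outbound traffic to addresses X-Force rates as botnet C2 with confidence above 75.
--    The lookup happens at search time, so the verdict reflects the current feed,
--    not a copy of an IP that was pushed into a Reference Set days ago.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    sourceip,
    destinationip,
    XFORCE_IP_CONFIDENCE('Botnet Command and Control Server', destinationip) AS c2_confidence
FROM events
WHERE XFORCE_IP_CONFIDENCE('Botnet Command and Control Server', destinationip) > 75
LAST 24 HOURS

-- 2. Same idea for URLs: events whose UrlHost falls in a malicious X-Force category.
--    The IS NOT NULL test skips events where the custom property did not extract,
--    which is the AQL equivalent of the "UrlHost (custom) is not N/A" rule test.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    "UrlHost",
    XFORCE_URL_CATEGORY("UrlHost") AS xf_category
FROM events
WHERE "UrlHost" IS NOT NULL
  AND XFORCE_URL_CATEGORY("UrlHost") IN ('Malware', 'Phishing URLs', 'Botnet Command and Control Server')
LAST 24 HOURS
```

The `--` lines are explanations for the reader: strip them before pasting, as the Advanced Search box expects the bare query. Because the lookup runs when the search runs, re-running the same query tomorrow can return a different result set for the same events, which is exactly the freshness the free license gives you.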



2. Do not use the TAXII feeds to populate your Reference Sets

The TAXII feeds are a great source of content, but only if they are used for what they really are: real-time information.

If you fill your Reference Sets with the TAXII feeds, you might very quickly end up with a lot of false positives. An IP address sent through the feeds might be a true positive at the time you receive it, but 100% benign a few hours later, so setting an appropriate retention period (time to live) on the Reference Set is important.

With a free license, your best chance of finding true positives remains the embedded lookup function I mentioned just above, as it always returns the most up-to-date information. Keep the "XFE APTF" Reference Sets for APTF content (paid license) and the other Reference Sets for other sources of threat intelligence (feeds or investigation results).


3. You can verify that your connection with the XFE is still working

This has already been written up by someone else; I am only making sure the information gets to you.
You'll find how to check your connection here.


4. Make sure X-Force is enabled

You can verify that in Admin > System Settings > Enable X-Force Threat Intelligence Feed.

5. Rules need to be adapted to meet your needs

The rules provided with the various content extensions (IBM or not) are meant to be guides for you.
Thanks to them you can discover the options that are available to you, so don't hesitate to tune the content.

It is not uncommon to see hundreds of offenses being opened because of a single scanning IP; it happens all the time. Even a fridge or a lamp could be scanning your network, so what you want is to create smarter offenses, by adding filters to your rules or by correlating events.
Here is an example of a rule that is a little more complex and leaves less room for false positives:

  Apply "Communication with a Potential Hostile Host" on events which are detected by the Local system
  and when an event matches any of the following BB:DeviceDefinition: Operating System
  and when the event category for the event is one of the following: Audit.General Audit Event, System.Process Creation Success, Audit.Command Execution Success, Audit.Command Execution Attempt, Application.DNS In Progress
  and when the event matches UrlHost (custom) is not N/A
  and when the event matches the AQL filter query: XFORCE_URL_CATEGORY("UrlHost") in ('Anonymization Services','Malware', 'Botnet Command and Control Server', 'Spam URLs', 'Cryptocurrency Mining', 'Bots', 'Phishing URLs') OR REFERENCESETCONTAINS('Malicious URLs',"UrlHost") OR REFERENCESETCONTAINS('Malware URLs',"UrlHost") OR REFERENCESETCONTAINS('Phishing URLs',"UrlHost")

This rule focuses on critical event types happening on endpoints only; if you see a connection to a suspicious address in this context, the likelihood of catching a true positive is much greater.
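Before enabling a rule like this one, it helps to measure how often its conditions would have matched recently. The AQL search below is an added example (mine, not from the post or the content extension) that reproduces the rule's tests over the last 7 days and counts hits per device type, category, source and host, so you can see how many offenses it would have created and which hosts dominate. Building blocks such as BB:DeviceDefinition: Operating System cannot be called from AQL, so the search uses a log source type filter as a stand-in; the two type names are assumptions to replace with the OS log source types in your deployment. The low-level category names and Reference Set names are the ones the rule above uses. The fence is tagged sql for highlighting; the query is AQL.

```sql
-- Added example, not part of the original post. Language: AQL.
-- Assumes: "UrlHost" custom property exists; the Reference Sets 'Malicious URLs',
-- 'Malware URLs' and 'Phishing URLs' exist (the Threat Intelligence App creates them);
-- the two log source type names are a stand-in for BB:DeviceDefinition: Operating System
-- and must be adjusted to your environment.
-- Grouping by the raw ids (devicetype, category) and resolving names in the SELECT
-- follows the pattern used in the AQL documentation.
SELECT
    LOGSOURCETYPENAME(devicetype) AS device_type,
    CATEGORYNAME(category)        AS low_level_category,
    sourceip,
    "UrlHost",
    COUNT(*)                      AS hits,
    MIN(starttime)                AS first_seen,
    MAX(starttime)                AS last_seen
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS')
  AND CATEGORYNAME(category) IN ('General Audit Event',
                                 'Process Creation Success',
                                 'Command Execution Success',
                                 'Command Execution Attempt',
                                 'DNS In Progress')
  AND "UrlHost" IS NOT NULL
  AND ( XFORCE_URL_CATEGORY("UrlHost") IN ('Anonymization Services', 'Malware',
                                           'Botnet Command and Control Server', 'Spam URLs',
                                           'Cryptocurrency Mining', 'Bots', 'Phishing URLs')
        OR REFERENCESETCONTAINS('Malicious URLs', "UrlHost")
        OR REFERENCESETCONTAINS('Malware URLs', "UrlHost")
        OR REFERENCESETCONTAINS('Phishing URLs', "UrlHost") )
GROUP BY devicetype, category, sourceip, "UrlHost"
ORDER BY hits DESC
LAST 7 DAYS
```

Strip the `--` comment lines before pasting into Advanced Search. If a handful of hosts account for most of the hits and turn out to be benign (an update server categorised as "Anonymization Services" is a classic), add them to an exclusion Reference Set referenced by the rule rather than widening the whole rule; if a source IP shows hundreds of hits across many hosts, that is the scanner the post describes and it belongs in its own rule with a response limiter, not in this one.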


I hope this helps you understand the different benefits of a free versus a paid license, and how to use the great content produced by the X-Force team in QRadar.
I will come back to you soon with more content deep dives!

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.