Hey guys !
You guessed it from the title, today I would like to talk about X-Force !
A lot of information is available in many places, but it's always easier when it is centralised.
So I would like to take you through the different types of integration between X-Force and QRadar, the use cases for each of them, and a few things that really shouldn't be secrets!
Free or paid license: what's the difference?
Here is what you can do with a free license:
- Search for IOCs and access collections in the X-Force Exchange portal
- QRadar SIEM (Classic) users accessing the QRadar Threat Intelligence App get a few extra benefits:
  - Complimentary access to their collections on X-Force Exchange
  - Complimentary access to TAXII feeds (marked "Included with TI for IBM QRadar app")
  - In QRadar V7.5 and later, unlimited access to the X-Force Threat Intelligence IP and URL reputation data feed
As a QRadar Classic SIEM user you get an extra advantage: unlimited lookups against some of the content available via X-Force Threat Intelligence. I'll get into the details of that in a little bit.
With a paid license you get everything above, and you can choose between IBM X-Force Threat Intelligence Essentials, Standard or Premium.
How does it integrate with QRadar?
Paid license option
Yeah, I'm starting with the option that is shorter to explain :)
If you opt for the paid license, all you have to do is:
- Go to the App Exchange and download the Threat Intelligence App,
- Install the app as usual (documentation here),
- Add your X-Force API key and password (documentation for key generation here).
Everything will just work!
The app comes with a full set of Reference Sets and the collections are downloaded automatically, so all you have to do is create the rules you want or download content extensions from the App Exchange (such as my faves, the Threat and Endpoint content extensions)!
And that's it! I said it was short!
Free license option
As I mentioned earlier, as a QRadar customer you get some benefits. It is super simple to integrate, but there are a few things I want to explain as well.
1. Use the embedded filters
No need to create Reference Sets: the lookup is native in rules and searches. In both places you can use the regular filters or AQL ones.
2. Do not use the TAXII Feeds to populate your Reference Sets
The TAXII feeds are a great source of content, but only if they are used for what they really are, meaning real-time information.
If you fill your reference sets with the TAXII feeds, you might end up very quickly with a lot of false positives. An IP address sent through the feeds might be a true positive at the time you receive it, and 100% benign a few hours later, so setting an appropriate retention period on those reference sets is important.
With a free license, your best chance of finding true positives remains the embedded lookup function I mentioned just above, since it returns the most up-to-date information. Keep the "XFE ATPF" Reference Sets for ATPF content (paid license) and the other reference sets for other sources of threat intelligence (feeds or investigation results).
3. You can verify that your connection to XFE is still working
This has already been written by someone else, I am only making sure the information gets to you.
You'll find how to check your connection here.
4. Make sure X-Force is enabled
You can verify that in Admin > System Settings > Enable X-Force Threat Intelligence Feed.
The rules that are provided with various content extensions (IBM or not) are meant to be guides for you.
Thanks to them you can discover the options that are available to you, so don't hesitate to tune the content.
It is not uncommon to see hundreds of offenses being opened because of a single scanning IP; it happens all the time. Even a fridge or a lamp could be scanning your network, so what you want is to create smarter offenses by adding filters to your rules or by correlating events.
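As an added example (not from the original post), here is an AQL search that puts the native X-Force lookup from point 1 together with the "smarter offenses" idea above: instead of one hit per event, a scanning source shows up as a single aggregated row with how many hosts and ports it touched. It assumes QRadar's built-in `XFORCE_IP_CONFIDENCE(category, ip)` function, the X-Force category name 'Scanning IPs', and the feed being enabled; the confidence and port thresholds are made-up values to tune for your environment.

```sql
SELECT
  sourceip,
  XFORCE_IP_CONFIDENCE('Scanning IPs', sourceip) AS scan_confidence,
  COUNT(*) AS event_count,
  UNIQUECOUNT(destinationip) AS hosts_touched,
  UNIQUECOUNT(destinationport) AS ports_probed
FROM events
WHERE XFORCE_IP_CONFIDENCE('Scanning IPs', sourceip) >= 75
GROUP BY sourceip
HAVING UNIQUECOUNT(destinationport) >= 20
ORDER BY hosts_touched DESC
LAST 24 HOURS
```

The WHERE clause is the same X-Force filter you would put in a rule test; the HAVING clause is the extra correlation that turns a noisy lamp into one line you can look at, rather than hundreds of offenses.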