Hey guys!
You guessed it from the title: today I would like to talk about X-Force.
A lot of information is available in many places, but it's always easier when things are centralised.
So I would like to take you through the different types of integration between X-Force and QRadar, the use cases for each of them, and some secrets that shouldn't be!
Free or paid license: what's the difference?
Here is what you can do with a free license:
- Search for IOCs and access collections in the X-Force Exchange portal
- API integration (limited to 5000 records per month)
- Search for IP and URL reputation through the API
- Pull collections via TAXII feeds
As a QRadar user you get an extra advantage: you can do unlimited lookups to the X-Force Threat Intelligence database. I'll get into the details of that in a little bit.
With a paid license you get everything above plus:
- Malware Analysis reports
- Threat Groups reports
- Threat Activity reports
- Industry reports
- Advanced Threat Protection Feed available for export
- Early Warning IOCs
- Other actionable IOCs by category (malware, botnet, C2, phishing, scanning, anonymization service, and crypto mining service)
- "Am I Affected" functionality, which lets you search the log and network activity for IOCs in one click (documentation here, configuration steps here)
How does it integrate with QRadar?
Paid license option
Yeah, I'm starting with the shorter explanation :)
If you opt for the paid license, all you have to do is:
- Go to the App Exchange and download the Threat Intelligence App,
- Install the app as usual (documentation here),
- Add your X-Force API key and password (documentation for key generation here).
Everything will just work.
The app comes with a full set of Reference Sets and the collections are downloaded automatically; all you have to do is create the rules you want or download content extensions from the App Exchange (such as my favourite, the Threat content extension)!
And that's it! I said it was short!
Free license option
As I mentioned earlier, as a QRadar customer you get some benefits even if you are using the free license. It is super simple to integrate, but there are a few things I want to explain as well.
1. Use the embedded filters
No need to create Reference Sets: the X-Force lookup is native in rules and searches. In both places you can use the regular filters or the AQL ones (the X-Force functions such as XFORCE_IP_CONFIDENCE and XFORCE_IP_CATEGORY).
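Here is what the AQL flavour looks like in practice. This is an added example of mine and not a search from the original post or from IBM's content; it assumes the X-Force feed is enabled in QRadar, that the category names in quotes match the ones shown in X-Force Exchange for your version, and that you have a custom event property called "URL" holding the request URL (yours may be named differently). The `--` lines are comments for the reader; drop them if your QRadar version's AQL parser does not accept comments.

```sql
-- Added example, not from the original post: score destination IPs (and URLs)
-- against X-Force directly in the query, without any Reference Set.
-- Assumptions: X-Force feed enabled, category names as listed in X-Force
-- Exchange, and a custom event property named "URL" (adjust to your own).
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Time",
    sourceip,
    destinationip,
    -- All categories X-Force currently assigns to the destination IP
    XFORCE_IP_CATEGORY(destinationip) AS "X-Force IP categories",
    -- Confidence (0-100) that the IP belongs to a given category
    XFORCE_IP_CONFIDENCE('Botnet Command and Control Server', destinationip) AS "C2 confidence",
    XFORCE_IP_CONFIDENCE('Malware', destinationip) AS "Malware confidence",
    -- Same idea for URLs, from the custom property
    XFORCE_URL_CATEGORY("URL") AS "X-Force URL categories"
FROM events
WHERE
    -- Only keep events with a reasonable confidence; lower thresholds mean more noise
    XFORCE_IP_CONFIDENCE('Botnet Command and Control Server', destinationip) >= 50
    OR XFORCE_IP_CONFIDENCE('Malware', destinationip) >= 50
ORDER BY starttime DESC
LAST 24 HOURS
```

Two things to keep in mind when you run this: the X-Force functions are evaluated for every event in the time window, so keep the window short on busy deployments or add a narrower filter before the X-Force condition; and the lookup is live, so the confidence you see reflects X-Force's current opinion of the IP, which is exactly why it beats a Reference Set filled yesterday (more on that in the next point). The same functions can be used in a rule with the "AQL filter query" test.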
2. Do not use the TAXII Feeds to populate your Reference Sets
The TAXII feeds are a great source of content, but only if they are used as what they really are: real-time information.
If you fill your Reference Sets with the TAXII feeds, you might end up very quickly with a lot of false positives. An IP address sent through the feeds might be a true positive at the time you receive it, but 100% benign a few hours later.
Even with fine tuning of the Reference Set data expiration, you might still end up with a lot of false positives.
Your best chance of finding true positives remains the embedded lookup function.
3. You can verify that your connection with the XFE is still working
This has already been written up by someone else; I am only making sure the information gets to you.
You'll find how to check your connection here.
4. QRadar comes with X-Force enabled by default
But just in case, you can verify that in Admin > System Settings > Enable X-Force Threat Intelligence Feed.