QRadar XDR

Expand all | Collapse all

MISP and OTX Integration with Qradar

  • 1.  MISP and OTX Integration with Qradar

    Posted Tue December 08, 2020 04:12 AM
    Hello All,

    Could you please help me in this case that i want to integrate the MISP and OTX Applications with Qradar version 7.3.3 so, any one know how to integrate the MISP and OTX With Qradar Server because I don't find any configuration for these Application So any one know how to integrate it or know if there is an workaround for this Applications

    Thanks

    ------------------------------
    Moustafa Salah
    ------------------------------


  • 2.  RE: MISP and OTX Integration with Qradar

    Posted Sat January 16, 2021 04:25 PM
    Hi! You can use Threat inteligence APP and receive data by STIX/TAXII. In my case i using TAXII for poll data from https://otx.alienvault.com/taxii/discovery collections and save them to referense set for using in rules.
    Threat Intelligence for IBM QRadar enables you to pull in any threat intelligence feed using the open standard STIX and TAXII formats, and to deploy the data to create custom rules for correlation, searching, and reporting. For example, you can use the App to import public collections of dangerous IP addresses from IBM X-Force Exchange and create a rule to raise the magnitude of any offense that includes IP addresses from that watch list. Since version 2.0.0, you can search for and browse Recent Collections, Early-Warning Collections, Public Collections, and view IBM Advanced Threat Protection Feeds in the Threat Intelligence dashboard on the QRadar Console. You can also configure Am I Affected settings to conduct scanning in your QRadar environment.
    Hope this help.


    ------------------------------
    Serhii Barabash
    ------------------------------



  • 3.  RE: MISP and OTX Integration with Qradar

    Posted Mon January 18, 2021 10:54 AM
    Hi - We set up a "minemeld" server to collect data from MISP instances which it then presents to Qradar Threat Intel App as a taxii feed.

    Works well as a a docker container, but you do need to either give it a trusted certificate or do a quick self signed CA and tls cert and trust the CA in the threat intel all.



    Thanks!





  • 4.  RE: MISP and OTX Integration with Qradar

    Posted Mon July 05, 2021 03:25 AM
    Hi! We are wondering how to use the data when information is changing on X-Force. A usecase is for example a list of dangerous IPs that is downloaded into a ref set and used in a rule. Assuming one of the IPs is no longer dangerous and is removed from the list on X-Force does anybody knows a automatic way to remove that IP out of the ref set? BR Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 5.  RE: MISP and OTX Integration with Qradar

    Posted Tue July 06, 2021 02:46 AM

    Hi Martin,

    maybe there's a way to automatically get rid of non-listed IP-records in your ref set by setting the parameter 'Time to Live of elements' to e.g. 20 days. This should keep the records for the specified amount of time, automatically remove expired elements and re-add only those records from X-Force which are sill existing there. Hope this helps. Bernhard



    ------------------------------
    Kammerstetter Bernhard
    IBM
    (431) 211-4533 x92
    ------------------------------



  • 6.  RE: MISP and OTX Integration with Qradar

    Posted Tue July 06, 2021 04:34 AM
    Hi Bernhard,

    thanks for your advise. I tried this option, but experienced, that when the entry is removed from the ref set it will be not re-added from the feed. The other limitation exists, like that an entry should stay there for longer than 3 month and the longest time that can be gone back into a feed is 3 month and syncing such a long time back takes hours. Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 7.  RE: MISP and OTX Integration with Qradar

    Posted Mon August 16, 2021 08:52 AM
    Hi Martin,

    For that you need create automation script using python to check reputation to XForce and if the risk score show as not dengerous will delete automaticly in referece set.
    the script can run every days or week, but in my case i running 2 time in week.

    Thanks.

    ------------------------------
    Rudi Permana Yudha
    ------------------------------



  • 8.  RE: MISP and OTX Integration with Qradar

    Posted Mon August 16, 2021 08:53 AM
    Hi Martin,

    For that you need create automation script using python to check reputation to XForce and if the risk score show as not dengerous will delete automaticly in referece set.
    the script can run every days or week, but in my case i running 2 time in week.

    Thanks.

    ------------------------------
    Rudi Permana Yudha
    ------------------------------



  • 9.  RE: MISP and OTX Integration with Qradar

    Posted Mon August 16, 2021 08:53 AM
    Hi Martin,

    For that you need create automation script using python to check reputation to XForce and if the risk score show as not dengerous will delete automaticly in referece set.
    the script can run every days or week, but in my case i running 2 time in week.

    Thanks.

    ------------------------------
    Rudi Permana Yudha
    ------------------------------



  • 10.  RE: MISP and OTX Integration with Qradar

    Posted Tue August 17, 2021 02:05 PM
    Hi Martin

    I have the same problem. The old values will not be removed. Setting a ttl or delete the values doesn't work well because the values will not be readded. So for example an ip which canges from malicious to begnin and later to malicious will not readded. That's a big problem!



    Mathias

    ------------------------------
    Mathias Unterweger
    ------------------------------



  • 11.  RE: MISP and OTX Integration with Qradar

    Posted Tue August 17, 2021 02:05 PM
    Hi Martin

    I have the same problem.

    After deleting an entry it could not be readded. So if an entry, for example an IP, will be removed and later it becomes malicious again, the entry will not be readded.
    That's a big problem and makes Xforce for me unusable. 
    I excpected that the values will be added and removed automatically with a given timeperiod. 

    _______
    Mathias
    ------------

    ------------------------------
    Mathias Unterweger
    ------------------------------