IBM Security QRadar

  • 1.  Polling Threat Feeds other than X force in Qradar

    Posted Fri July 26, 2019 09:31 AM
    Hello Team,

    I have configured below taxii threat data to be polled in Qradar.

    http://hailataxii.com/taxii-discovery-service
    https://api.xforce.ibmcloud.com/taxii
    https://otx.alienvault.com/taxii/discovery

    Looking forward to integrating more threat feeds like VirusTotal or any other open source feeds, on a TAXII or API basis, with QRadar. Is there a way that we can achieve having other threat intel data ingested into QRadar other than via the X-Force app?

    In case anyone has more open source discovery threat feed URLs, please share them with me.

    ------------------------------
    sundeep singh
    ------------------------------


  • 2.  RE: Polling Threat Feeds other than X force in Qradar

    Posted Mon July 29, 2019 04:52 AM
    QRadar Threat Intelligence app supports STIX 1.1.1 / TAXII 1.1 (no v. 2 unfortunately) < http://ibm.biz/BdzGHQ >
    What other types of integration did you have in mind? Generally, you could use the standard API < ibm.biz/BdzGHk >

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Polling Threat Feeds other than X force in Qradar

    Posted Mon July 29, 2019 02:24 PM
    Hello Dusan,

    I have a VirusTotal API key already which I am looking to integrate with QRadar.

    Also I have this GitHub link https://stixproject.github.io/supporters/ but I am not getting any STIX link to integrate it.

    In case you have any link which you integrated with your setup, please share the same.

    ------------------------------
    sundeep singh
    ------------------------------



  • 4.  RE: Polling Threat Feeds other than X force in Qradar

    Posted Mon July 29, 2019 03:31 PM

    Hi Sundeep,

    Here's another feed you might want to consider.
    https://www.misp-project.org/

    We have developed an app that gets the feed and pushes it to QRadar via the API. It's now in the lab, and we'll be installing it shortly in production. I'm not sure if our code will be released for free usage. That depends on my employer; I'll keep the community posted. Anyway, it's not too much work to build if you want to do it on your own, and it's well documented in the QRadar API development section.

    If anyone has more threat feeds, please post them here.



    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 5.  RE: Polling Threat Feeds other than X force in Qradar

    Posted Mon July 29, 2019 03:55 PM
    Anthony, it was a good point to reference MISP as it is probably regarded as an unofficial "standard" threat info sharing platform for CSIRTs. I avoided mentioning it for the very reason of the lack of widely used or officially published extension for integration with QRadar (there is something available on X-Force App Exchange for integration with IBM Resilient, however). I've seen few related projects on github, but had no opportunity to test them, though.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 6.  RE: Polling Threat Feeds other than X force in Qradar

    Posted Mon July 29, 2019 03:42 PM
    I believe cyware had a free feed option (after registration)

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 7.  RE: Polling Threat Feeds other than X force in Qradar

    Posted Wed July 31, 2019 04:35 AM
    Thanks Anthony and Dusan.

    I may be asking a very simple query, but polling a threat feed using JSON or an API is new to me, as till date I was only using the simple TAXII links and the X-Force threat feed to fill the reference set.

    If anyone can help me out or show a way to get the JSON file to send the feed to QRadar, it will be very helpful. Do I need to put this code in the config file of any QRadar directory?

    ------------------------------
    sundeep singh
    ------------------------------



  • 8.  RE: Polling Threat Feeds other than X force in Qradar

    Posted Thu August 01, 2019 11:18 PM
    Edited by Anthony Gayadeen Thu August 01, 2019 11:30 PM

    Hi Sundeep,
    we have a programmer in our team that used the QRadar App development kit to create an app that connects to a threat feed's API (it does a GET), and then it feeds QRadar via its API (a POST this time). The language used in the app is Python. The threat feed site will need to provide you with a token to access their data, and you'll also need a token in QRadar to import your data. Creating the token in QRadar is the easy part, though.

    Some links:
    https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.appfw.doc/c_appframework_SDKintro.html
    https://developer.ibm.com/qradar/develop-app/
    https://www.youtube.com/watch?v=_A5ogClea8g

    Unfortunately, the app belongs to my employer, thus sharing it is impossible at this time. If they do approve distribution one of these days, then I'll post a link to download it on a platform such as github. By the way, thanks for sharing the feeds you found on github. I've noticed that MISP was already in that list ;)
    Good Luck!



    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------
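    The GET-then-POST flow Anthony describes in posts 4 and 8, and the "how do I get JSON into a reference set" question in post 7, as an added example written for this thread. It is not the Videotron app or any IBM sample code. It assumes QRadar's REST endpoint `POST /api/reference_data/sets/bulk_load/{name}` with the authorized-service token in the `SEC` header (both exist in the QRadar API; the exact `Version` header value must match your deployment, so it is left as a parameter here). The feed JSON below is a constructed sample, not any real feed's format, and the console URL, set name and token are placeholders.

```python
"""Pull IPv4 indicators from a JSON threat feed and bulk-load them into a
QRadar reference set over the REST API (added example, not the thread's app)."""
import ipaddress
import json
import urllib.parse
import urllib.request

# Constructed sample feed response; real feeds use their own schema, so
# adapt parse_feed() to whatever the feed's GET returns.
SAMPLE_FEED = json.dumps({
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.10", "confidence": 80},
        {"type": "ipv4", "value": "203.0.113.11", "confidence": 30},   # below threshold
        {"type": "ipv4", "value": "not-an-ip", "confidence": 90},      # malformed
        {"type": "domain", "value": "example.test", "confidence": 90}, # wrong type for an IP set
        {"type": "ipv4", "value": "198.51.100.7", "confidence": 60},
        {"type": "ipv4", "value": "203.0.113.10", "confidence": 95},   # duplicate
    ]
})


def parse_feed(raw, min_confidence=50):
    """Return unique IPv4 indicators at or above min_confidence, in first-seen order.

    Validating each value before it reaches QRadar matters: a reference set
    typed as IP will reject junk at load time, and a feed can feed you garbage."""
    seen = {}
    for entry in json.loads(raw).get("indicators", []):
        if entry.get("type") != "ipv4":
            continue
        if int(entry.get("confidence", 0)) < min_confidence:
            continue
        try:
            ip = str(ipaddress.IPv4Address(entry["value"]))
        except (ipaddress.AddressValueError, KeyError, ValueError):
            continue  # skip malformed entries rather than poisoning the set
        seen.setdefault(ip, True)
    return list(seen)


def build_bulk_load_request(base_url, token, set_name, values, api_version=None):
    """Build (but do not send) the bulk-load POST for an existing reference set.

    base_url   e.g. https://qradar-console.example (placeholder)
    token      the QRadar authorized-service token, sent in the SEC header
    set_name   the reference set, created beforehand in the console or via the API
    """
    url = "%s/api/reference_data/sets/bulk_load/%s" % (
        base_url.rstrip("/"), urllib.parse.quote(set_name, safe=""))
    headers = {
        "SEC": token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if api_version:           # e.g. "10.0"; must match the console's supported versions
        headers["Version"] = api_version
    body = json.dumps(values).encode("utf-8")
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


def push_indicators(base_url, token, set_name, values, opener=urllib.request.urlopen):
    """Send the bulk load and return QRadar's JSON reply (set name, element count, ...).

    `opener` is injectable so the call can be exercised offline; by default it
    uses urllib with normal TLS verification, so install the console's CA
    certificate rather than turning verification off."""
    req = build_bulk_load_request(base_url, token, set_name, values)
    with opener(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    indicators = parse_feed(SAMPLE_FEED)
    print("indicators to load:", indicators)
    # Placeholders: replace with your console URL, token and reference set name.
    req = build_bulk_load_request("https://qradar-console.example",
                                  "<QRADAR_SEC_TOKEN>", "Threat Feed IPs", indicators)
    print(req.get_method(), req.full_url, req.data.decode())
```

    Scheduling this as a QRadar app, a cron job on a separate host, or a one-off script is the same code; only the scheduler differs, and the QRadar token should be an authorized service scoped to the reference data endpoints rather than an admin token. The feed side is a GET against the provider's API with their token, which is why `parse_feed()` is deliberately separate from the QRadar side.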