QRadar XDR

  • 1.  Threat intelligence Feed:- Retrieved 0 observables

    Posted Mon September 20, 2021 12:17 PM
    Hello Experts,

    I am trying to integrate the ibm x-force threat feed into my qradar using the taxii endpoint url https://api.xforce.ibmcloud.com/taxii. I was able to connect successfully to the taxii server, but my observables, as well as the reference set created remained 0. 

    Troubleshooting performed:

    * /opt/qradar/support/recon connect <id_threat app>

    * tailf /store/log/app.log --> i could see that the number of observables returned from the above taxii server is 0. 

    * I checked the collections "Phishing & Spam", "Wcry Ransomeware" , and i could see different observable types , like url, ips, hash, etc.

    I have chosen polling initial date of 3months, now. Also i have used a polling interval of 10mins, 1 hour, etc.

    Kindly assist.


  • 2.  RE: Threat intelligence Feed:- Retrieved 0 observables

    Posted Tue September 21, 2021 02:41 AM
    Hi Benlinux,

    from the screnshot i can see that you poll for the collections you follow. Are you following the collections you mentioned?
    You can check it here:
    I could not find the collection by that name you posted. I found a collection called "WCry2 Ransomware Outbreak" do you mean this one:
    The observables in that collection are older than 3 month
    For example:
    Nick Bradley
    May 17, 2017

    Therefore you can not poll it with the app.

    Copy the old ones to notepad and import it to the ref set for example with ref set manager.
    I also strugeled with the Taxii app and i think there should be a much better way for managing IOCs with QRadar. Maybe it is worth raising an RFE.

    Martin Schmitt

  • 3.  RE: Threat intelligence Feed:- Retrieved 0 observables

    Posted Tue September 21, 2021 04:11 AM
    Edited by benlinux Tue September 21, 2021 05:23 AM
    Hello Martin,

    Thank you for your response.

    I checked today, and it is working.


  • 4.  RE: Threat intelligence Feed:- Retrieved 0 observables

    Posted Tue September 21, 2021 05:32 AM
    Hello Benlinux,

    i think the List "Phishing and Spam" was created earlier than 14. Sep as there  are older entries in it for example:
    Sep 10, 2021

    Sep 8, 2021

    Sep 14 was the last update of the list. 

    However, downloading URLs with a initial polling of 3 month should work for the entries above. Did you select URLs in your Taxii configuration? My idea was to use the "Reference Data Management" App which is a must have on a Qradar anyway. Use the App to import all old data staticly and configure the feed also. Everything new well then be updated in your reference tables. There is not realy a big difference in how it would work if you feed the old artifacts into the tables in terms of automation with taxii would it?


    Martin Schmitt