IBM QRadar SIEM - STIX/TAXII Integration

These instructions connect the PrecisionSec STIX/TAXII Threat Intelligence Feed to an IBM QRadar SIEM. The Feeds Downloader used below is provided by the IBM QRadar Threat Intelligence app, so that app must be installed first. The steps are based on the IBM documentation at https://www.ibm.com/docs/en/qradar-common?topic=tif-adding-threat-intelligence-feeds

Attention

Credentials are required to access this data. If you have not yet received evaluation credentials, please request access.

Note

Our TAXII server currently supports only version 1.x of the TAXII protocol; TAXII 2.x clients cannot connect to it, so select a 1.x version in QRadar.

  1. From the navigation menu on the Threat Intelligence dashboard, click the Feeds Downloader icon.

  2. Click the Add Threat Feed icon, and then click Add TAXII Feed.

  3. On the Add TAXII Feed window, click the Connection tab, and configure the following options:

    • TAXII Endpoint: https://taxii.precisionsec.com/services/discovery

    • Version: TAXII 1.x

    • Authentication Method: HTTP Basic

    • Username/Password: Enter the credentials you were provided

    • HTTP Basic sends the username and password base64-encoded (not encrypted) in every request, so keep the endpoint on https:// and make sure QRadar trusts the certificate presented by taxii.precisionsec.com; do not bypass certificate validation to get discovery working

  4. Click Discover

    • If discovery succeeds, the Parameter page lists the collections the server exposes. If it fails, check the credentials and the certificate trust before continuing.

  5. Add the IPv4 address observables to the “Malware IPs” Reference Set

    • “malware-collection” should already be selected under “Collections”; leave this as the default

    • Select your Polling Interval. We recommend “Hourly”

    • Set the “Observable Type” to “IPv4 Address”

    • Set the “Reference Set” to “Malware IPs”

    • Set the “Poll Initial Date” to the current time (Now). The first poll fetches indicators published after this date, so an earlier date backfills older indicators as well

    • Click “Add”

  6. Repeat step 5 for the “Malware URLs” observable type, using the “Malware URLs” Reference Set

  7. Repeat step 5 for the “Domain Names” observable type, using the “Malware Hostnames” Reference Set

  8. Repeat step 5 for the “MD5 Hashes” observable type, using the “Malware Hashes MD5” Reference Set

  9. Repeat step 5 for the “SHA256 Hashes” observable type, using the “Malware Hashes SHA256” Reference Set

  10. Click “Next” to go to the Summary page

  11. Click “Save”

  12. Your QRadar instance should now be configured to pull PrecisionSec Threat Intelligence automatically from the STIX/TAXII feed

    • You can manually poll the feeds by clicking “Poll Now”

    • After a successful poll, the “Signatures received last poll” and “Total signatures received” fields show the number of indicators received. If both stay at zero after a manual poll, re-check the connection settings and the Poll Initial Date

    • You can view the indicators by clicking the corresponding Reference Set link. From the pop-up window you can export the indicators to CSV for additional analysis
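The following Python script is an added example, not IBM or PrecisionSec code. It dry-runs the poll QRadar performs once the feed above is saved: it builds the TAXII 1.1 Poll_Request for “malware-collection” (the Poll Initial Date from step 5 becomes the Exclusive_Begin_Timestamp), then sorts the CybOX observables of a Poll_Response into the five reference sets configured in steps 5 to 9. The Poll_Response is a constructed sample so the script runs offline; the header names and XML namespaces come from the TAXII 1.1 and STIX 1.1.1 specifications, while the function names and the rejection rules (internal IPv4 ranges, scheme-less URLs, malformed hashes) are assumptions of this example and not something the feed or QRadar enforces.

```python
# Added example (not IBM or PrecisionSec code): dry-run of the TAXII 1.1 poll QRadar performs.
import ipaddress
import re
import uuid
import xml.etree.ElementTree as ET  # for a feed you do not control, use defusedxml.ElementTree
from urllib.parse import urlsplit

TAXII = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
CYBOX, COMMON = "http://cybox.mitre.org/cybox-2", "http://cybox.mitre.org/common-2"
OBJ = "http://cybox.mitre.org/objects#"  # prefix shared by the CybOX object namespaces
REFERENCE_SETS = ("Malware IPs", "Malware URLs", "Malware Hostnames",
                  "Malware Hashes MD5", "Malware Hashes SHA256")
# Assumption of this example: internal ranges only create noise in "Malware IPs", so drop them.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# HTTP headers of a TAXII 1.1 XML message. HTTP Basic only base64-encodes the credentials,
# so the Authorization header the HTTP client adds must never travel over plain HTTP.
TAXII_HEADERS = {"Content-Type": "application/xml", "Accept": "application/xml",
                 "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
                 "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
                 "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1"}

def build_poll_request(collection, begin_ts=None):
    """Poll_Request body; begin_ts (ISO 8601) plays the role of QRadar's Poll Initial Date."""
    ET.register_namespace("taxii_11", TAXII)
    req = ET.Element(f"{{{TAXII}}}Poll_Request", message_id=uuid.uuid4().hex, collection_name=collection)
    if begin_ts:
        ET.SubElement(req, f"{{{TAXII}}}Exclusive_Begin_Timestamp").text = begin_ts
    params = ET.SubElement(req, f"{{{TAXII}}}Poll_Parameters", allow_asynch="false")
    ET.SubElement(params, f"{{{TAXII}}}Response_Type").text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)

def _ipv4(v):
    try:
        a = ipaddress.ip_address(v)
    except ValueError:
        return None
    return str(a) if a.version == 4 and not any(a in n for n in INTERNAL) else None

def _url(v):
    p = urlsplit(v)
    return v if p.scheme in ("http", "https") and p.netloc else None

def _host(v):
    v = v.lower().rstrip(".")
    return v if HOSTNAME.match(v) else None

def _hex(length):  # hash normaliser: fixed length, hex only, lower-cased for the reference set
    return lambda v: v.lower() if len(v) == length and re.fullmatch(r"[0-9a-fA-F]+", v) else None

# xsi:type local name -> (reference set, element carrying the value, normaliser)
SIMPLE = {"AddressObjectType": ("Malware IPs", f"{{{OBJ}AddressObject-2}}Address_Value", _ipv4),
          "URIObjectType": ("Malware URLs", f"{{{OBJ}URIObject-2}}Value", _url),
          "DomainNameObjectType": ("Malware Hostnames", f"{{{OBJ}DomainNameObject-1}}Value", _host)}
HASHES = {"MD5": ("Malware Hashes MD5", _hex(32)), "SHA256": ("Malware Hashes SHA256", _hex(64))}

def classify(poll_response_xml):
    """Sort each CybOX object of a Poll_Response into a reference set or into the rejected list."""
    sets, rejected, picks = {name: set() for name in REFERENCE_SETS}, [], []
    for props in ET.fromstring(poll_response_xml).iter(f"{{{CYBOX}}}Properties"):
        kind = props.get(f"{{{XSI}}}type", "").split(":")[-1]  # e.g. AddressObjectType
        # the category guard keeps IPv6 / e-mail AddressObjects out of the IPv4 set
        if kind in SIMPLE and props.get("category", "ipv4-addr") == "ipv4-addr":
            name, tag, normalise = SIMPLE[kind]
            picks += [(name, e.text, normalise) for e in props.iter(tag)]
        elif kind == "FileObjectType":
            for h in props.iter(f"{{{COMMON}}}Hash"):
                algo = (h.findtext(f"{{{COMMON}}}Type") or "").strip().upper()
                if algo in HASHES:  # SHA1 and others have no reference set in this setup
                    name, normalise = HASHES[algo]
                    picks.append((name, h.findtext(f"{{{COMMON}}}Simple_Hash_Value"), normalise))
    for name, raw, normalise in picks:
        clean = normalise((raw or "").strip())
        if clean:
            sets[name].add(clean)
        else:
            rejected.append((name, raw))
    return {k: sorted(v) for k, v in sets.items()}, rejected

def _obs(attrs, inner):  # constructed CybOX Observable around one Properties element
    return (f"<cybox:Observable><cybox:Object><cybox:Properties {attrs}>{inner}"
            "</cybox:Properties></cybox:Object></cybox:Observable>")

def _hash_xml(algo, value):  # constructed cyboxCommon:Hash element
    return (f"<cyboxCommon:Hash><cyboxCommon:Type>{algo}</cyboxCommon:Type>"
            f"<cyboxCommon:Simple_Hash_Value>{value}</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>")

# Constructed sample Poll_Response; the last two observables are meant to be rejected.
SAMPLE_POLL_RESPONSE = (
    f'<taxii_11:Poll_Response xmlns:taxii_11="{TAXII}" message_id="2" in_response_to="1" '
    'collection_name="malware-collection" more="false"><taxii_11:Content_Block>'
    '<taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/><taxii_11:Content>'
    f'<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:xsi="{XSI}" xmlns:cybox="{CYBOX}" '
    f'xmlns:cyboxCommon="{COMMON}" xmlns:AddressObj="{OBJ}AddressObject-2" xmlns:URIObj="{OBJ}URIObject-2" '
    f'xmlns:DomainNameObj="{OBJ}DomainNameObject-1" xmlns:FileObj="{OBJ}FileObject-2" id="example:Package-1">'
    '<stix:Observables cybox_major_version="2" cybox_minor_version="1">'
    + _obs('xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"',
           "<AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>")
    + _obs('xsi:type="URIObj:URIObjectType" type="URL"',
           "<URIObj:Value>http://payload.example/update.exe</URIObj:Value>")
    + _obs('xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN"',
           "<DomainNameObj:Value>C2.Example.</DomainNameObj:Value>")
    + _obs('xsi:type="FileObj:FileObjectType"', "<FileObj:Hashes>"
           + _hash_xml("MD5", "0F1E2D3C4B5A69788796A5B4C3D2E1F0")
           + _hash_xml("SHA256", "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
           + "</FileObj:Hashes>")
    + _obs('xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"',
           "<AddressObj:Address_Value>10.0.0.5</AddressObj:Address_Value>")  # RFC 1918: rejected
    + _obs('xsi:type="FileObj:FileObjectType"', "<FileObj:Hashes>" + _hash_xml("MD5", "not-a-hash") + "</FileObj:Hashes>")
    + "</stix:Observables></stix:STIX_Package></taxii_11:Content></taxii_11:Content_Block></taxii_11:Poll_Response>")
```

Against the live server you would POST the body from build_poll_request() with TAXII_HEADERS plus HTTP Basic credentials to the poll service address that the discovery endpoint returns, then pass the response to classify(). Anything that lands in the rejected list is worth raising with the feed provider before it reaches a reference set, because a reference set entry can match rules regardless of whether it is a real indicator.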