These instructions are for connecting the PrecisionSec STIX/TAXII Threat Intelligence Feed to your IBM QRadar SIEM. This information is based on the IBM documentation.

Credentials required. If you have not yet received evaluation credentials, please request access.

Note: Our TAXII server currently supports only version 1.x of the TAXII protocol.

  1. From the navigation menu on the Threat Intelligence dashboard, click the Feeds Downloader icon.

  2. Click Add Threat Feed, then click Add TAXII Feed.

  3. On the Add TAXII Feed window, click the Connection tab and configure the following:

    • TAXII Endpoint: https://taxii.precisionsec.com/services/discovery
    • Version: TAXII 1.x
    • Authentication Method: HTTP Basic
    • Username/Password: Enter the credentials you were provided

  4. Click Discover. You should now be able to view the available collections on the Parameter page.

  5. Add the IPv4 Observable type to the Malware IPs Reference Set:

    • “malware-collection” should already be selected under Collections (leave this as default)
    • Select your Polling Interval (we recommend Hourly)
    • Set the Observable Type to IPv4 Address
    • Set the Reference Set to Malware IPs
    • Set Poll Initial Date to Now
    • Click Add

  6. Repeat step 5 to add Malware URLs to the Malware URLs Reference Set.

  7. Repeat step 5 to add Domain Names to the Malware Hostnames Reference Set.

  8. Repeat step 5 to add MD5 Hashes to the Malware Hashes MD5 Reference Set.

  9. Repeat step 5 to add SHA256 Hashes to the Malware Hashes SHA256 Reference Set.

  10. Click Next to move to the Summary page, then click Save.

Your QRadar instance is now configured to pull PrecisionSec threat intelligence automatically from the STIX/TAXII feed. You can manually trigger a pull by clicking Poll Now. Once a feed has been downloaded, metrics will appear in the Signatures received last poll and Total signatures received fields. Click any Reference Set link to view the indicators and export them to CSV.
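If Discover in step 4 returns nothing, it helps to test the endpoint and credentials outside QRadar. The following is an added example, not part of the PrecisionSec or IBM instructions: it builds the TAXII Discovery request that step 4 triggers and parses the reply. It assumes the TAXII 1.1 XML/HTTPS bindings (the page only says 1.x); the function names are hypothetical and the sample response, including its service path, is constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

NS = {"t": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"}
DISCOVERY_URL = "https://taxii.precisionsec.com/services/discovery"  # from step 3

def build_discovery_request(username, password, message_id="1"):
    """Return (headers, body) for a TAXII 1.1 Discovery_Request with HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    }
    body = (f'<taxii_11:Discovery_Request xmlns:taxii_11="{NS["t"]}" '
            f'message_id="{message_id}"/>').encode()
    return headers, body

def parse_discovery_response(xml_bytes):
    """Return [(service_type, address, available)]; raise on a TAXII Status_Message."""
    root = ET.fromstring(xml_bytes)
    if root.tag == f'{{{NS["t"]}}}Status_Message':
        raise RuntimeError(f'TAXII status: {root.get("status_type")}')
    return [(s.get("service_type"), s.findtext("t:Address", namespaces=NS),
             s.get("available") == "true")
            for s in root.findall("t:Service_Instance", NS)]

def discover(username, password, url=DISCOVERY_URL, timeout=15):
    """Live check: POST the request and list advertised services (needs network)."""
    headers, body = build_discovery_request(username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_discovery_response(resp.read())

# Constructed sample response; the address is a placeholder, not a real service path.
SAMPLE = b"""<taxii_11:Discovery_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  message_id="2" in_response_to="1">
 <taxii_11:Service_Instance service_type="POLL" available="true"
   service_version="urn:taxii.mitre.org:services:1.1">
  <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
  <taxii_11:Address>https://taxii.example.invalid/services/poll</taxii_11:Address>
  <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
 </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""
```

Calling discover() with the credentials from step 3 requires network access from the host you run it on; an HTTP 401 raised by urlopen points at the username or password rather than at the QRadar configuration.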
