IBM Support

QRadar: IBM X-Force Exchange Right-click Context Menu Plug-in FAQ

Question & Answer


Question

The purpose of the technical note is to provide a FAQ for administrators using the X-Force Exchange (XFE) right-click context menu plug-in with IBM Security QRadar. This document covers installation and usage.

Answer

Quick links


What is the IBM X-Force Exchange right-click context menu plug-in for QRadar?


IBM X-Force Exchange (XFE) is a threat intelligence sharing platform for security analysts, network security specialists, Security operations center (SOC) teams. The X-Force Exchange allows users to search for IPs, URLs, CVEs, web applications and also contribute either public or private information to track data in collections when researching security issues.

The IBM X-Force Exchange right-click context menu plug-in allows users to easily conduct right-click menu lookups against X-Force Exchange for IP addresses found in the QRadar user interface, and URLs from the Log Activity tab; allowing you to easily research the information found in X-Force Reports against date found in searches, offenses, and rules.



Figure 1: A screen capture of X-Force Exchange (click to enlarge image).



Where is the IBM X-Force Exchange right-click context menu plug-in located in the QRadar user interface?


The right-click options is found under the right click menu. There are two right-click menus depending on where you are in QRadar:

    1. The IP Addresses on the Offenses tab and Event Details screens, as well as all URL fields, have the right-click menu as: Plugin Options > X-Force Exchange Lookup.

      For example:

    2. The IP Addresses on the Log Activity and Network Activity tabs have the right-click menu as: More Options > Plugin Options > X-Force Exchange Lookup.

      For example:

Using the IBM X-Force Exchange right-click context menu plug-in for the first time


The first time the X-Force Exchange Lookup is used, a pop-up window opens for the X-Force Exchange website. To complete an X-Force Exchange Lookup, the user must log in using an IBM ID.
After the initial log in to the IBM X-Force Exchange site, the browser window can be closed. As long as the session is still valid the QRadar user can complete lookups without having to re-authenticate to the X-Force Exchange website.

The response to the lookup from the QRadar user interface is a pop-up window showing the X-Force Exchange portal's information on the IP or URL selected in the lookup. The report will include a category, a confidence rating in the case of IP, and other information related to the IP address or URL.

A copy of the current X-Force Report can also be added to a Collection. A Collection is a repository used to store X-Force reports, and any relevant uploads you may have.
This information can be shared with your group or any other X-Force Exchange users you choose.


How do I install the X-Force Exchange right-click plug-in?


As of 7.3 the IBM X-Force Exchange right-click context menu plug-in is already preinstalled.
QRadar Consoles prior to QRadar 7.3 can install theIBM X-Force Exchange right-click context menu plug-in, as long they are at QRadar 7.2.3 (7.2.3.906253) or later.
To install the IBM X-Force Exchange right-click context menu plug-in, administrators must download and manually install the plug-in on the QRadar Console.

Before you begin
This procedure requires a Web Server restart from the Admin tab to load the plug-in after the RPM is installed. Restarting the web server logs out all QRadar users, so it is advised that administrators install this plug-in during scheduled maintenance.


Procedure
  1. Download the IBM X-Force Exchange right-click context menu plug-in from IBM Fix Central: https://ibm.biz/BdX4BW (IBM shortened URL)
  2. Copy the RPM file to the QRadar Console.
  3. To install the plug-in, type the following command: rpm -Uvh 7.2.0-QRADAR-RightClick-XFE-7.2.1-1426795712.x86_64.rpm
  4. Log in to QRadar Console as an admin user.
  5. Click the Admin tab.
  6. Select Advanced > Restart Web Server.
    After the web server restart completes, the IBM X-Force Exchange right-click context menu plug-in is enabled for IP addresses throughout the QRadar user interface and for URL fields in the Log Activity tab.

Where can I find more information?


If you have additional questions or some of this content is not clear, you can see the following resources:
-----
Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - IBM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2;7.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21718515