  • 5 replies
  • Latest Post - ‏2014-05-14T13:27:20Z by mcalvi91
SystemAdmin
184 Posts

Pinned topic: Indicators of Compromise

2013-01-28T19:53:28Z
Is anyone else interested in the open IOC format for sharing data? It seems to me that .ioc is gaining traction, and there have already been a number of instances where I wish I could upload the IOC into QRadar instead of creating multiple reference sets manually. I also think it would be valuable to customers because it would be a chance to easily share data. Are there any plans for incorporating openIOC into QRadar?
Posted By Derek Thomas
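Added example, not code from the thread or from QRadar: a Python sketch of the step described above, bucketing the indicator items of an OpenIOC 1.0 file into one list per reference set. The set names, the search-term mapping and the sample .ioc are constructed; items whose condition is not an exact "is" match are set aside, because a reference set is an exact-match lookup and cannot express a "contains" rule.

```python
# Added example, not code from the thread or from QRadar: bucket the
# IndicatorItems of an OpenIOC 1.0 file by the reference set they would feed.
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Assumed mapping from OpenIOC search terms to (constructed) reference-set names.
SEARCH_TO_SET = {
    "Network/DNS": "ioc_domains",
    "Network/URI": "ioc_urls",
    "PortItem/remoteIP": "ioc_ips",
}

# Constructed sample IOC (TEST-NET address, reserved example domain).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="sample-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">Bad.Example.NET</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">192.0.2.10</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="Network" search="Network/URI" type="mir"/>
        <Content type="string">/gate.php</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

def ioc_to_reference_sets(xml_text):
    """Return ({set_name: sorted values}, [(search, condition, value), ...])."""
    root = ET.fromstring(xml_text)
    # Only condition="is" items become members: a reference set is an exact-match
    # lookup, so "contains"/"matches" items are returned for manual review.
    sets, review = {}, []
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        search = item.find("ioc:Context", NS).get("search")
        value = (item.find("ioc:Content", NS).text or "").strip()
        set_name = SEARCH_TO_SET.get(search)
        if item.get("condition") != "is" or set_name is None:
            review.append((search, item.get("condition"), value))
            continue
        if set_name == "ioc_domains":
            value = value.lower()  # DNS names are case-insensitive
        sets.setdefault(set_name, set()).add(value)
    return {k: sorted(v) for k, v in sets.items()}, review
```

The returned lists are what would be loaded into each reference set, while the review list is what still needs a hand-written rule.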
  • SystemAdmin
    184 Posts

    Re: We have been requesting to

    2013-01-28T21:12:08Z
    We have been requesting to have a web service to be able to send the IOC data we get from iDefense hourly into QRadar.
    Posted By Greg Mathes
  • SystemAdmin
    184 Posts

    Re: Nice, does iDefense provide

    2013-01-28T21:48:52Z
    Nice, does iDefense provide it in the openIOC format?
    Posted By Derek Thomas
  • SystemAdmin
    184 Posts

    Re: no its CSV or XML (but not

    2013-01-28T22:36:59Z
    No, it's CSV or XML (but not openIOC XML).
    Posted By Mike Calvi
  • dan.kennedy
    1 Post

    Re: no its CSV or XML (but not

    2014-05-13T15:29:42Z
    No, it's CSV or XML (but not openIOC XML).
    Posted By Mike Calvi

    Has this gained any traction? We're looking at iDefense & I'd certainly love to import it more easily into the interface above scripting some wget hack of the xml/csv & importing.

    Are you guys pulling your iDefense feeds into QRadar by that means, or just using it independent of the Q1? Thanks!

  • mcalvi91
    4 Posts

    Re: no its CSV or XML (but not

    2014-05-14T13:27:20Z

    Has this gained any traction? We're looking at iDefense & I'd certainly love to import it more easily into the interface above scripting some wget hack of the xml/csv & importing.

    Are you guys pulling your iDefense feeds into QRadar by that means, or just using it independent of the Q1? Thanks!

    Currently we pull it and push to our point products (proxy/etc) outside of Q1. In the proxy we have specialized things set up for Q1 to alert on when the domain/ip/urls are hit.