Topic
  • 14 replies
  • Latest Post - ‏2016-04-15T13:04:54Z by Jonathan.Pechta (IBM)
YamShar
YamShar
2 Posts

Pinned topic Xforce Premium group

‏2014-02-09T08:18:01Z |

Hello,

I can see a separate group called XForce Premium after the upgrade to 7.2. In that group, a few of the rules use reference lists like XForce_Premium.Premium_Malware and XForce_Premium.Premium_AnonymousProxies.

Does anyone know where the XForce Premium watchlists are stored?

  • Alaa Ali
    Alaa Ali
    8 Posts

    Re: Xforce Premium group

    ‏2014-02-17T16:14:42Z  

    Be careful with your wording because "Reference Lists" is a phrase for lists that you can create in QRadar =), but those XForce_Premium.Premium_Malware and XForce_Premium.Premium_AnonymousProxies are not QRadar Reference Lists, they are network objects (which are "lists" used for reference). You should be able to see them if you go to the Admin tab and go to Remote Networks (or Remote Services. Can't remember which one). One of them should have a group called XForce_Premium, and you'll find the subgroups when you expand it.

  • YamShar
    YamShar
    2 Posts

    Re: Xforce Premium group

    ‏2014-02-20T07:29:26Z  
    • Alaa Ali
    • ‏2014-02-17T16:14:42Z

    Hello Alaa,

    Thank you for ignoring my wrong choice of words.

    As you said, I have checked both Remote Networks & Remote Services, but I'm not able to find it anywhere.

    Can you also tell me where on the server the lists mentioned in Remote Networks are stored?

  • Alaa Ali
    Alaa Ali
    8 Posts

    Re: Xforce Premium group

    ‏2014-03-06T14:36:45Z  
    • YamShar
    • ‏2014-02-20T07:29:26Z

    I do not have access to a QRadar system right now, but the remote networks should be in a file called remotenet.conf, located under /store/configservices/staging/globalconfig/.

  • Vijay Tumu
    Vijay Tumu
    1 Post

    Re: Xforce Premium group

    ‏2014-09-04T11:14:58Z  
    • Alaa Ali
    • ‏2014-03-06T14:36:45Z

    Hi Team,

    Can someone please help me get the list of IPs under Admin Tab -> Remote Networks and Services Configuration --> Remote Networks --> XForce_Premium --> Premium_Malware?

    I am able to see the list of IPs, but do we have a copy & paste option for these IPs? I should send them to our network team to restrict in the firewall.

    Thanks in advance,

    Vijay Tumu

  • pjl
    pjl
    3 Posts

    Re: Xforce Premium group

    ‏2014-09-25T15:38:32Z  


    So I realize I'm asking the obvious, but is XForce Premium an additional license? The only reason I ask is I can see it used in a few canned rules. For example:  XForce Premium: Internal Connection to Possible Malware Host. I'm on version 7.2.3. Is it possible to get a temp key to try it out for a period of time?

  • Jayakumar66
    Jayakumar66
    2 Posts

    Re: Xforce Premium group

    ‏2015-06-11T04:04:05Z  

    When can we expect the TAXII protocol in QRadar?

  • DJey
    DJey
    9 Posts

    Re: Xforce Premium group

    ‏2015-11-05T07:42:30Z  

    Dear All,

    I have uploaded and activated the "QRadar X-Force IP Reputation Intelligence Feed" license and enabled all X-Force rules. Till now, no X-Force related offenses have been triggered. Could someone please let me know how I can verify these X-Force events from the Log Activity?

    I want to ensure whether X-Force is working or not.

    Thanks

  • RobWalker
    RobWalker
    1 Post

    Re: Xforce Premium group

    ‏2015-12-15T22:35:42Z  
    • DJey
    • ‏2015-11-05T07:42:30Z

    DJey, I asked Support the same question and was told the only way to know if it's working is if those X-Force specific rules fire. Hint: don't enable the "X-Force Legacy" rules.

  • dwight s (IBM)
    dwight s (IBM)
    7 Posts

    Re: Xforce Premium group

    ‏2016-02-25T21:15:49Z  

    Hi YamShar ... 

    The older, original X-Force integration in QRadar (prior to 7.2.4) was updated via QRadar auto updates, and the data was stored in text files similar to those used for the network hierarchy.

    However, as of 7.2.4, the integration is more .. integrated right into QRadar itself. There is now a service that runs on the QRadar console that pulls updates quite often, directly from the IBM X-Force exchange (https://www.xforce-security.com/apploupe/), I believe every 5 minutes. This is why the newer integration requires the QRadar console to have internet access. The data store in QRadar for X-Force information is no longer user viewable.

    You can confirm that the X-Force feed is being updated using the attached script from one of our Lab Services colleagues, Alaa Ali. "chkxforce.sh" can be installed onto the console and run from there: upload it to /opt/qradar/support/ and set it executable with "chmod 755 /opt/qradar/support/chkxforce.sh". Alaa's comments on the script are as follows.

    Note, this script is not an officially supported part of QRadar, but it should provide you with confirmation that X-Force information is updating.

    --------------

    The script goes through the QRadar logs and checks X-Force accesses for the day. If you want to "make sure X-Force is updating", run it again a minute or two later to see the numbers go up. The logs can be viewed directly as well (7.2.4: /opt/qradar/dca/logs/, 7.2.5+: /var/log/dca/).

    Sample output of the script:

    [INFO]  Found valid X-Force license.
    [INFO]  Found X-Force update server running.
    [INFO]  --------------------
    [INFO]  Data for 2015-09-17:
    [INFO]  --------------------
    [INFO]  URL Classification DB:
    [INFO]      Number of times updated:            209
    [INFO]      Total number of entries set:        111867
    [INFO]      Total number of entries removed:    48786
    [INFO]
    [INFO]  IP Reputation DB:
    [INFO]      Number of times updated:            326
    [INFO]      Total number of entries set:        137966
    [INFO]      Total number of entries removed:    56512
    [INFO]
    [INFO]  Done.

    It won't work if there is no X-Force license:

    [ERROR] Could not find the QRadar X-Force IP Reputation Intelligence Feed license.

    If it finds a license but X-Force is not updating, it is most likely because it couldn't pull a license/activation from the X-Force servers because of a proxy:

    [INFO]  Found valid X-Force license.
    [INFO]  Found X-Force update server running.
    [ERROR] The X-Force update server is not licensed. Is a proxy needed to access the internet for QRadar?

    ------------

    If you do need to enter proxy information, review this document for assistance in that - http://www-01.ibm.com/support/docview.wss?uid=swg21701213

    hope this helps!
    dwight s.

    (script credit to Alaa Ali)

     

    Attachments

    Updated on 2016-02-25T21:16:40Z at 2016-02-25T21:16:40Z by dwight s (IBM)
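
What a check of this shape looks like, as an added example: this is not Alaa Ali's chkxforce.sh (the real script is attached to the post above and is not reproduced here) and not IBM's code. It assumes the 7.2.5+ log directory from the post with a file named dca.log, and the log line format it parses is constructed for the example (the real dca lines differ), so the awk field patterns and the grep pattern for activation are the parts to adapt. What it does show is the same approach the post describes: per-day counting of database updates with totals of entries set and removed, an activation check that explains the "not licensed" case, and a comparison of two runs to confirm the feed is still moving.

```shell
#!/bin/sh
# Added example, not Alaa Ali's chkxforce.sh and not IBM code.
# Counts a day's X-Force database updates in the console's dca log, sums the
# entries set/removed, checks that the update server reported itself licensed,
# and compares two runs ("run it again a minute or two later").
#
# ASSUMPTIONS: the 7.2.5+ directory /var/log/dca/ comes from the post, the file
# name dca.log is assumed, and the line format below is CONSTRUCTED for this
# example; it is not QRadar's real dca log format.

DCA_LOG="${DCA_LOG:-/var/log/dca/dca.log}"

# Constructed sample log so the functions can be exercised off-box.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
2015-09-17 00:04:59 INFO  activation: X-Force update server licensed
2015-09-17 00:05:02 INFO  update db=url_classification set=500 removed=120
2015-09-17 00:05:03 INFO  update db=ip_reputation set=900 removed=300
2015-09-17 00:10:02 INFO  update db=url_classification set=450 removed=100
2015-09-17 00:10:03 INFO  update db=ip_reputation set=880 removed=310
2015-09-16 23:55:03 INFO  update db=ip_reputation set=10 removed=1
EOF

# summarize_db LOGFILE DB DAY -> "updates set removed" for DB on DAY (YYYY-MM-DD)
summarize_db() {
    awk -v db="$2" -v day="$3" '
        $1 == day && index($0, "db=" db " ") {
            n++
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "set")     s += kv[2]
                if (kv[1] == "removed") r += kv[2]
            }
        }
        END { printf "%d %d %d\n", n, s, r }' "$1"
}

# activation_ok LOGFILE -> 0 if the update server reported itself licensed
# (constructed message; the real wording lives in the real dca log)
activation_ok() {
    grep -q 'X-Force update server licensed' "$1"
}

# feed_advanced "n1 s1 r1" "n2 s2 r2" -> 0 when the second summary shows more
# update runs than the first, i.e. the feed moved between the two invocations
feed_advanced() {
    first=${1%% *}
    second=${2%% *}
    [ "$second" -gt "$first" ]
}

# report LOGFILE DAY -> a summary in the spirit of the post's sample output
report() {
    log="$1"; day="$2"
    if activation_ok "$log"; then
        echo "[INFO]  X-Force update server reported licensed."
    else
        echo "[ERROR] No licensed activation seen in $log. Does the console need a proxy?"
        return 1
    fi
    echo "[INFO]  Data for $day:"
    for db in url_classification ip_reputation; do
        set -- $(summarize_db "$log" "$db" "$day")
        echo "[INFO]  $db: updates=$1 entries_set=$2 entries_removed=$3"
    done
}

# Stand-alone use: report on the real log if present, otherwise on the sample.
if [ -r "$DCA_LOG" ]; then
    report "$DCA_LOG" "$(date +%Y-%m-%d)"
else
    report "$SAMPLE_LOG" 2015-09-17
fi
```

Two runs are compared by their first field only (number of update runs); entries set and removed can legitimately go up and down between runs, so they are reported but not used as the liveness signal.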
  • michael2323jordan
    michael2323jordan
    2 Posts

    Re: Xforce Premium group

    ‏2016-04-12T20:00:14Z  


    Dwight,

    I looked at the document you linked above, but can you tell me whether this connection requires HTTPS, or is it HTTP?

  • dwight s (IBM)
    dwight s (IBM)
    7 Posts

    Re: Xforce Premium group

    ‏2016-04-12T20:09:46Z  


    Michael - just tried the link, and HTTP seems to work fine. I get an HTTPS error when using Chrome, but Safari & Firefox both work fine with HTTPS.

    dwight

  • michael2323jordan
    michael2323jordan
    2 Posts

    Re: Xforce Premium group

    ‏2016-04-13T11:42:58Z  


    Sorry about the confusion. I meant the URLs that need to be accessed for X-Force content. Do we connect on 80 or 443? I have to enable specific firewall rules in order to accomplish this in my environment.

    Host                         Purpose
    www.iss.net                  X-Force Threat Intelligence dashboard widget for QRadar (AlertCon / RSS feed)
    update.xforce-security.com   X-Force Threat Intelligence Feed update server for IP reputation and URL data
    license.xforce-security.com  X-Force Threat Intelligence licensing server
    qmmunity.q1labs.com          QRadar automatic updates. This address is also used for X-Force Threat Intelligence updates on QRadar Consoles at 7.2.3 and below.
    Updated on 2016-04-13T11:43:29Z at 2016-04-13T11:43:29Z by michael2323jordan
  • dwight s (IBM)
    dwight s (IBM)
    7 Posts

    Re: Xforce Premium group

    ‏2016-04-13T12:38:04Z  


    Oh, well, on each specifically, what's -required- I don't know, other than that qmmunity is HTTPS. I just tried the other 3, and they all work with HTTPS/443, so I would suggest using that.

    dwight
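
An egress probe for the four hosts listed in the thread, as an added example that is not IBM's or the forum's code. It assumes curl is available on the console, an optional https_proxy, and a request path of "/", which is an assumption because the update client's real paths are not given on the page; a 4xx answer therefore still counts as reachable. The useful part is the classification of curl's exit codes, which separates a DNS block, a closed or silently dropped TCP/443, and a TLS-inspecting proxy that re-signs certificates (curl exit 60). That last case matters beyond the probe: once the firewall opening is in place, an inspecting proxy will still break the feed client unless its CA is trusted by the console.

```shell
#!/bin/sh
# Added example, not IBM's or the forum's own code.
# Probes the X-Force endpoints named in the thread over HTTPS/443 from the
# QRadar console, honouring an explicit proxy, and classifies what the network
# did so a firewall rule problem can be told apart from a TLS interception one.
#
# ASSUMPTIONS: host list from the thread; request path "/" is assumed (the
# update client's real paths are not on the page), so any HTTP answer counts
# as "reachable". Exit codes are curl's documented ones.

XFORCE_HOSTS="www.iss.net update.xforce-security.com license.xforce-security.com qmmunity.q1labs.com"

# classify_probe CURL_EXIT HTTP_CODE -> one word describing the outcome
classify_probe() {
    case "$1" in
        0)  case "$2" in
                2*|3*|4*) echo reachable ;;      # TLS completed and the server answered
                5*)       echo server-error ;;   # reachable, but the far end is unhappy
                *)        echo unknown ;;
            esac ;;
        6)  echo dns-failure ;;                  # name did not resolve: DNS egress or split horizon
        7)  echo tcp-blocked ;;                  # connection refused / no route: 443 closed
        28) echo timeout ;;                      # silently dropped: typical firewall deny
        35) echo tls-handshake-failure ;;        # handshake rejected (protocol/cipher/interception)
        60) echo tls-untrusted-cert ;;           # cert not trusted: inspecting proxy or missing CA
        *)  echo "curl-exit-$1" ;;
    esac
}

# probe_host HOST [PROXY] -> prints "HOST outcome"; PROXY like http://proxy:3128
probe_host() {
    host="$1"; proxy="$2"
    code=$(curl -sS --max-time 15 -o /dev/null -w '%{http_code}' \
           ${proxy:+--proxy "$proxy"} "https://$host/" 2>/dev/null)
    rc=$?
    echo "$host $(classify_probe "$rc" "$code")"
}

# probe_all [PROXY] -> one line per host in XFORCE_HOSTS
probe_all() {
    for h in $XFORCE_HOSTS; do
        probe_host "$h" "$1"
    done
}

# Stand-alone use: `sh xforce_egress.sh probe`, with https_proxy exported if
# the console needs one. Without the argument only the functions are defined.
if [ "${1:-}" = "probe" ]; then
    probe_all "${https_proxy:-}"
fi
```

When a proxy is in use, the firewall rule to open is console -> proxy, not console -> these hosts; the probe then reports what the proxy lets through. A host that reports tls-untrusted-cert has no firewall problem at all, and the fix is on the proxy or the console's trust store rather than in the rule set.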

  • Jonathan.Pechta (IBM)
    11 Posts

    Re: Xforce Premium group

    ‏2016-04-15T13:04:54Z  

    I'll verify this and update the X-Force QRadar FAQ page as I'm the author.