Connect the STIX Bundle data source to
IBM Security QRadar® Suite Software to enable your applications and
dashboards to collect and analyze STIX Bundle
security data. Universal Data Insights connectors enable
federated search across your security products.
Structured Threat Information eXpression (STIX) is a language and serialization
format. A STIX Bundle is a collection of STIX Objects and marking definitions that are
grouped in a single container. Organizations can share cyberthreat intelligence (CTI) by using
STIX Objects. The marking definitions are
used as the requirements for handling and sharing the CTI data.
Before you begin
Ensure that a valid STIX Bundle is generated.
To validate a STIX Bundle file, you can use the
bundle validator script that is stored in the bundle_validator folder of the
STIX-Shifter GitHub repository. To validate and troubleshoot the bundle JSON file, follow the
instructions in README.md file.
Provide access to a JSON file that contains a valid STIX Bundle. The JSON file can be uploaded to a web
server, cloud storage, or to any location that is accessible by HTTP request. Optionally, the URL of
the JSON file can have a basic authentication requirement.
Alternatively, you can configure an adapter for demonstration purposes that is not connected to
any real data source. This dummy connector always returns sample data in the same way as it would
return data from IBM® QRadar, Splunk Enterprise Security, or Carbon Black CB Response. For example, an administrator can configure
the connector through the UI and a Data Explorer user can then run queries against the
connector and view sample results.
If you have a firewall between your cluster and the data source target, use the
IBM Security Edge Gateway to host the containers. The Edge Gateway must be V1.6 or later. For more information,
see Edge Gateway.
About this task
To query a STIX Bundle, your bundle must be
STIX 2.0 and must contain observed-data objects.
Procedure
- Log in to IBM Security QRadar Suite Software.
- From the menu, click
.
- On the Data Sources tab, click
Connect a data source.
- Click STIX Bundle, then click
Next.
- Configure the connection to allow
IBM Security QRadar Suite Software to connect to the data source.
- Configure the connection to the data source.
Table 1. Connection parameters
| Parameter |
Description |
| Data source name |
Enter a unique name to identify the data source connection. You can create multiple
connections to a data source, so it is useful to clearly set them apart by name. Only
alphanumeric characters and the following special characters are allowed: - .
_
|
| Data source description |
Enter a description to indicate the purpose of the data source connection. You can create
multiple connections to a data source, so it is useful to clearly indicate the purpose of each
connection by description. Only alphanumeric characters and the following special characters are
allowed: - . _
|
| Edge gateway |
If you have a firewall between your cluster and the data source target, use the Edge Gateway to host the containers. In the
Edge gateway field, specify an Edge Gateway to host the connector. It can take up to
five minutes for the status of newly deployed data source connections on the Edge Gateway to show as being connected.
|
| Full URL of a stix-bundle file |
Enter the URL of the STIX Bundle JSON file
so that the platform can communicate with it. This information is required.Alternatively, you can
use the following URLs to configure a dummy data source connection that is only for demonstration
purposes. The STIX Bundle URLs contain sample
data for the respective data sources.
- CloudWatch:
https://raw.github.com/opencybersecurityalliance/stix-shifter/develop/data/cybox/aws/aws_cloudwatch_logs_19062020.json
- QRadar:
https://raw.github.com/opencybersecurityalliance/stix-shifter/develop/data/cybox/qradar/qradar_observed_2000.json
- Splunk:
https://raw.github.com/opencybersecurityalliance/stix-shifter/develop/data/cybox/splunk/splunk_observed_1143.json
- Carbon Black CB Response:
https://raw.github.com/opencybersecurityalliance/stix-shifter/develop/data/cybox/carbon_black/cb_observed_156.json
|
- Set the query parameters to control the behavior of the
federated search query on the data source.
Table 2. Query parameters
| Query parameter |
Description |
| Concurrent search limit |
Enter the number of simultaneous connections that can be made to the data source. The default
limit for the number of connections is 4. The value must not be less than 1 and must not be greater
than 100. |
| Query search timeout limit |
Enter the time limit in minutes for how long the query is run on the data source. The default
time limit is 30. When the value is set to zero, no timeout occurs. The value must not be less than
1 and must not be greater than 120. |
| Result size limit |
Enter the maximum number of entries or objects that are returned by search query. The default
result size limit is 10,000. The value must not be less than 1 and must not be greater than
500,000. |
| Query time range |
Enter the time range in minutes for the search, represented as the last X
minutes. The default is 5 minutes. The value must not be less than 1 and must not be greater than
10,000. |
| Custom mapping (Optional) |
If you need to customize the STIX attributes mapping, click
Customize attribute mapping and edit the JSON blob to map new or existing
properties to their associated target data source fields. |
Important: If you increase the Concurrent search limit and the
Result size limit, a greater amount of data can be sent to the data source,
which increases the strain on the data source. Increasing the query time range also increases the
amount of data.
- Click Add a
configuration.
- Configure identity and access.
Table 3. Configuration parameters
| Parameter |
Description |
| Configuration Name |
Enter a unique name to describe the access configuration and distinguish it from the other
access configurations for this data source connection that you might set up. Only alphanumeric
characters and the following special characters are allowed: - . _ |
| Configuration Description |
Enter a unique description to describe the access configuration and distinguish it from the
other access configurations for this data source connection that you might set up. Only alphanumeric
characters and the following special characters are allowed: - . _ |
| Username |
Enter a username with access to the search API. |
| Password |
Enter the password associated with the username. |
- Click Add.
- To save your configuration and establish the connection, click
Done.
- To edit your configurations, complete the following steps:
- On the Data Sources tab, select the data source connection that
you want to edit.
- In the Configurations section, click Edit
Configuration (
).
- Edit the identity and access parameters and click
Save.
Results
If you use the URLs that are supplied to configure a dummy data source connection, as outlined in
step 5, these URLs contain only sample data. Therefore, queries to the data source do not return
data unless the query is based on the sample data. The following simple example queries return
results based on the sample data that is contained in the
URLs.
[ ipv4-addr:value != '127.0.0.1' ]
[ network-traffic:src_ref.value != '127.0.0.1' ]
[ network-traffic:dst_port = 443 ]
[ user-account:user_id = 'test' ]
What to do next
Test the connection by searching for an IP address in IBM Security Data Explorer that matches an asset data source. In
Data Explorer, click an IP address to view
its associated assets and risk.
To use Data Explorer,
you must have data sources that are connected so that the application can run queries and retrieve
results across a unified set of data sources. The search results vary depending on the data that is
contained in your configured data sources. For more information about how to build a query in
Data Explorer, see Build a query.