Configuring Threat Intelligence Insights external data sources

IBM® Security Threat Intelligence Insights integrates extra threat intelligence feeds from external sources. Configuring threat intelligence feeds from external sources requires a premium license key from the vendor.

About this task

Only an administrator can configure external data sources for Threat Intelligence Insights.

Feeds from the following vendors are supported:
  • AbuseIPDB
  • AlienVault OTX
  • APIVoid
  • Cisco Threatgrid
  • Intezer
  • Mandiant Threat Intelligence
  • MaxMind Geolocation
  • Recorded Future
  • ReversingLabs
  • SANS Internet StormCenter
  • ThreatQ
  • VirusTotal
Important: To get enrichments for IP, URL, Domain, and Hash from a ReversingLabs source, your API key must have access to the following three endpoints:
  • TCA-0101 File Reputation
  • TCA-0402 URI Statistics
  • TCA-0403 URL Threat Intelligence

Procedure

  1. Log in to IBM Security QRadar® Suite Software.
  2. From the menu, click Connections > Data sources.
  3. On the Integration data sources page, select the data source tile, and then click Set up a connection.
  4. On the Connection services page, select the service tile, and then click Enable.
  5. Click Next.
  6. On the Connection details page, configure the connection to the data source.
    Table 1. Connection parameters
    Data source name: Enter a unique name to identify the data source connection. You can create multiple connections to a data source, so it is useful to clearly set them apart by name.
      Only alphanumeric characters and the following special characters are allowed: - . _
    Data source description: Enter a description to indicate the purpose of the data source connection. You can create multiple connections to a data source, so it is useful to clearly indicate the purpose of each connection by description.
      Only alphanumeric characters and the following special characters are allowed: - . _
    Edge Gateway: If you have a firewall between your cluster and the data source target, use the Edge Gateway to host the containers. In the Edge gateway field, specify an Edge Gateway to host the connector.
      It can take up to five minutes for the status of newly deployed data source connections on the Edge Gateway to show as being connected.
    Concurrent Search Limit: Enter the number of simultaneous connections that can be made to the data source. The default is 4; the value must be between 1 and 100, inclusive.
    Custom Mapping (Optional): If you need to customize the STIX attribute mapping, upload a JSON file in the Custom mapping field and edit the JSON blob to map new or existing properties to their associated data source fields.
  7. Click Next.
  8. On the Connection configurations page, configure identity and access.
    1. Click Add a configuration.
    2. In the Configuration details window, configure the following parameters.
      Table 2. Configuration parameters
      Configuration Name: Enter a unique name that describes the access configuration and distinguishes it from any other access configurations that you set up for this data source connection. Only alphanumeric characters and the following special characters are allowed: - . _
      Configuration Description: Enter a unique description that describes the access configuration and distinguishes it from any other access configurations that you set up for this data source connection. Only alphanumeric characters and the following special characters are allowed: - . _
      Key: Enter your vendor's API key.
    3. Select the types of reports that you want to receive.
      Each vendor supports different report types, for example, Domain, Hash, IP, and URL.
    4. To save your configuration and establish the connection, click Save, and then click Next.
  9. Click Finish.
  10. To manage your active connections, complete the following steps:
    1. On the Integration data sources page, on the tile of the relevant data source, click Manage <x> of <x> active connections.
    2. On the Connection status page, on the tile of the relevant data source, you can edit, refresh, or delete your data source connection.

Results

When an indicator is scanned and found, Threat Intelligence Insights displays any evidence that is received from the vendor.

  • In Threat Intelligence Insights, click an indicator in a threat to see a summary of the third-party threat source information under Other sources in the side pane.
    • Click View Report and select the Other Sources tab.
    • Each configured threat source that is listed on the tab can be expanded to show the actual threat source report.
    • Trigger a response workflow in Case Management.
  • In Case Management, to display third-party intelligence, choose one of the following methods:
    • Hover over the red triangle, which indicates that one or more threat sources matched, to see the number of hits.
    • Click the indicator row to see Case Artifact Details and a hit summary for each threat source.
    • Click a threat source summary to open a side pane with more artifact hit details.
    • From the Case artifact, you can investigate further with Data Explorer by selecting the action Run a query in Data Explorer.
  • After a Data Explorer scan, click an indicator to display a side pane with threat source details.
Tip: If the Threat Intelligence Insights app is not enabled, the third-party threat intelligence sources are used only to populate the side pane and to enrich Case artifacts.