What's new in QRadar Threat Intelligence
Learn about the new features in each IBM® QRadar® Threat Intelligence app release.
- Renewed CA certificates for generating a Certificate Signing Request for app validation.
- Bug fix for the user interface.
- Advanced Threat Protection Feed IOCs with more than 300,000 elements are now stored in multiple reference sets.
- AQL search performance improvements.
- Extended the Am I Affected capability to the Network Activity tab on the QRadar Console so that QRadar events can be more fully investigated by using the Threat Intelligence app.
- Added license information for the X-Force Exchange no-fee tier and the IBM Advanced Threat Protection Feed fee subscription so that users can see which Threat Intelligence capabilities are available to them.
- Added support for STIX/TAXII version 2.0 in the single observation in a pattern.
- User experience (UX) enhancements:
  - Direct link to Feeds downloaders reference sets.
  - Direct link to ATP Feed Management reference sets.
- Threat Intelligence dashboard configuration is now synchronized with the classic STIX/TAXII features configuration.
- Integrated all Threat Intelligence features into the Threat Intelligence dashboard. (The Create Rule Action is not supported on the dashboard but is still available from the Configuration page on the Admin tab.)
- Added the Threat Feeds Downloader (beta) page that contains modernized STIX/TAXII feeds.
- Added an integration with the Am I Affected option from IBM X-Force® Exchange. The Am I Affected option searches your IBM QRadar environment and notifies you if you are prone to threats identified in the X-Force Exchange collections. QRadar Threat Intelligence compares any Indicators of Compromise (IOCs) from the STIX/TAXII feeds and the IBM Advanced Threat Protection Feed that are stored in the reference set with QRadar logs. If any logs contain the indicators listed in the reference sets, the matches are displayed in the event list.
- Renamed the Recent Collections page to Collection Highlights.
- Collection Highlights page now has two sections: Recent Collections and Early Warnings.
- Recent Collections now lists the four latest actionable threat intelligence collections that are provided by X-Force Exchange.
- Early Warnings now lists the four latest Early Warning Feed collections, covering hundreds of new malicious domains surfaced daily through IBM's collaboration with Quad9.
- Enhanced user interface in the IBM Advanced Threat Protection Feed Management page to offer better data visualization and analytical efficiency.
- Updated Ready for IBM Security Intelligence (RFISI) rules to integrate with IBM Advanced Threat Protection Feed.
- Added integration with the IBM Security QRadar Analyst Workflow app, which provides easy ways to filter offenses and events.
- Added support for HTTPS.
- Introduces critical X-Force Exchange capabilities, including Recent Collections, Public Collections, and Am I Affected features.
- Provides X-Force Intelligence on a specific threat by hovering over the indicators on the Event Page in QRadar.
- Integrates Advanced Threat Protection Feed by X-Force into QRadar, allowing you to stay ahead of threats with actionable feeds.
- Provides a visualized view for Advanced Threat Protection Feed by X-Force.
- Added an option to refetch data from new XFE Public Collections I follow collections.
If you recently started to follow a new collection under XFE Public Collections I follow, you can refetch all of its previous data. Without refetching, you get only the data added to the collection from the time you started to follow it. If you choose to refetch the data from a specific date, that date is set as the new start date for the feed, and the signature counts are reset to 0. Data that is already collected by this feed remains intact in the reference set.
- Improved memory management in TAXII feed polling intervals.
- Added support for STIX 1.2 so that the app can connect with TAXII feeds that use only STIX 1.2. This version does not support SWIFT feeds, because SWIFT feeds require an extra authentication process that normal feeds do not.
- Displays polling start time, date, and status during polling.
- Improved memory management in TAXII feed polling intervals. The app detects failures during polling and halves the request data timeframe to 30 minutes. Each time a poll fails, the timeframe is halved again, down to a minimum of 1 minute. Shorter timeframes return less data per request but take longer to poll the full range. If the last poll succeeded, the timeframe is increased again, up to a maximum of 60 minutes.
- Fixed an error that occurred when TAXII feed data was sent to reference sets whose names contain special characters (for example, UBA : Trusted Usernames).
- The app autodetects if a newer version is available from the QRadar Assistant app or the IBM Security App Exchange, making it easier to stay current with the latest app capabilities.
- Improved performance by limiting TAXII feed polling to one feed at a time.
- Added email as an observable type when you add a TAXII feed.
- Migrated to Python 2.7 to fix certificate errors.
- Added the ability to upload a client key for client certificates for TAXII feeds (for example, the United States Department of Homeland Security).
- Added proxy validation.
- Updated the app to allow special characters in the password.
- Updated the RFISI content.
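The adaptive polling timeframe described in the memory-management item above, modelled as an added example (this is not the app's own code): the request data timeframe halves after each failed poll down to 1 minute and grows again after successful polls up to 60 minutes. The page does not say by how much a successful poll increases the timeframe, so doubling is an assumption here, as are the `PollWindow`, `simulate`, `catch_up` and `server_ok` names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Tuple

MAX_MINUTES = 60.0  # timeframe restored after successful polls
MIN_MINUTES = 1.0   # floor reached after repeated failures


@dataclass
class PollWindow:
    """Request data timeframe (minutes) for one TAXII feed, starting at 60."""
    minutes: float = MAX_MINUTES
    history: List[Tuple[bool, float]] = field(default_factory=list)

    def record(self, success: bool) -> float:
        """Adjust the timeframe after a poll and return the new value."""
        if success:
            # Assumption: the page says only "increased up to 60 minutes";
            # doubling is the step chosen for this example.
            self.minutes = min(MAX_MINUTES, self.minutes * 2)
        else:
            self.minutes = max(MIN_MINUTES, self.minutes / 2)  # halve, floor 1
        self.history.append((success, self.minutes))
        return self.minutes


def simulate(outcomes: List[bool]) -> List[float]:
    """Timeframe after each poll outcome in sequence."""
    window = PollWindow()
    return [window.record(ok) for ok in outcomes]


def catch_up(start: datetime, now: datetime,
             server_ok: Callable[[float], bool],
             max_requests: int = 10_000) -> Tuple[int, float]:
    """Poll the backlog [start, now) slice by slice with the adaptive timeframe.

    server_ok(minutes) is a constructed stand-in for the TAXII server and
    returns True when a request covering that many minutes succeeds.
    Returns (requests issued, final timeframe).
    """
    window = PollWindow()
    cursor, requests = start, 0
    while cursor < now and requests < max_requests:
        end = min(cursor + timedelta(minutes=window.minutes), now)
        requests += 1
        ok = server_ok(window.minutes)
        if ok:
            cursor = end  # only a successful poll advances the cursor
        window.record(ok)
    return requests, window.minutes
```

With a constructed server that rejects any request wider than 15 minutes, a 4-hour backlog costs 33 requests instead of 4, which is the "take longer to poll" trade-off the item describes.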
- Added the ability to install the app offline after you download it from the IBM Security App Exchange.
- Added GDPR compliance by separating logs into daily log files and deleting them every 30 days.
- Added the ability to upload a client key for client certificates for TAXII feeds.
- Added the ability to choose from a list of existing TAXII endpoints when you add a threat feed or a rule action.
- Added the ability to add multiple collections per TAXII endpoint.
- Fixed an issue where a blank list was rendered for the Collection list when the TAXII feed response didn't have a Description field.
- Fixed an issue where feeds that use proxies might break when you upgrade the app from V1.1 to V1.2.
Threat Intelligence users now have unlimited free access to pull collections from X-Force Exchange.
Version 1.3 fixes the following issues:
- Feeds that use threat intelligence with a proxy that contains a username and password failed to work.
- Inbox service names were included in collections.
- If a poll failed, the app continued to repoll the feed, which prevented other feeds from polling.
- The app didn't recognize some root certificate authorities.
- The edit feed didn't work when the client certificate was specified.
- The feed for the XFE URL Report collection didn't work because the app didn't support a way to enter a valid URL when the feed was added.
- Improved error handling.
- Added capabilities for editing threat feeds and rule actions.
- Clarified the descriptions in the Poll Initial Date field when you edit a threat feed.
- Fixed an issue where the app could not connect to an HTTP feed by using a proxy.
- Bundles the IBM Security RFISI Content (which is also available separately on the IBM App Exchange), and adds rules and reference collections to the IBM QRadar SIEM Console. Reference sets that can act as receivers for data from the TAXII feed are added, which eliminates the need to manually create the reference sets and the rules that act on the data that is contained in the reference sets.
  Note: If you remove the Threat Intelligence app, the rules remain in QRadar.
- Fixed an issue where users could not create rules.
- Fixed an issue where the app could not be installed on a system that does not have an internet connection.
- Minor fixes
- Discovery and polling support for open TAXII servers
- Fixed an issue where the authentication token could not be saved.
- Discovery and polling support for open TAXII servers
- Minor fixes
- Add a proxy server to mediate between IBM® QRadar® and the TAXII server.
- Upload private root certificate authority (CA) bundle for use with IBM® QRadar® Threat Intelligence app.
- Add client certificates when you add threat feeds and create rule actions.
- Fixed an issue where certain observable types were not captured by the app, which caused polls to return no data.
- The ability to create rule actions that post information about threats on your system to a TAXII inbox service, so you can share information with a wider community.
- Support for JSON authentication tokens.
- Support for SSL and SNI authentication.
- Support for unauthenticated connections.