Adding threat intelligence feeds

You can add and configure the threat intelligence feeds that you want QRadar to poll.

Before you begin

You must configure an authorized service token before you can configure a TAXII feed. See Configuring the Threat Feeds Downloader.

Procedure

  1. From the navigation menu on the Threat Intelligence dashboard, click the Feeds Downloader icon.
  2. Click Add Threat Feed, and then click Add TAXII Feed.
  3. On the Add TAXII Feed window, click the Connection tab, and configure the following options:

    TAXII Endpoint

    Type the URL of the TAXII server you want to use.

    Existing TAXII endpoints in your deployment appear in a list. If you choose an existing endpoint, the corresponding options are prepopulated.

    Note: For information about retrieving collections from TAXII 2.0 servers, see TAXII™ API - Collections.

    Version

    Select either TAXII 1.x or TAXII 2.0.

    Authentication Method

    Select the authentication that you want to use and complete the corresponding options based on your choice.

    The available authentication methods vary depending on the TAXII version that you select.

    • TAXII 1.x: None, HTTP Basic, JSON Web Token.
    • TAXII 2.0: None, HTTP Basic.

    Client Certificate

    If you want to use a client certificate with the TAXII server, click Choose file in the Client Certificate area to select the file you want to upload. Only the .pem file type is supported.

    Client Key

    If your client certificate requires a key file, click Choose file in the Client Key area to browse to the file's location and upload it.

  4. Click Discover.
  5. On the Add TAXII Feed window, click the Parameter tab, and configure the following options:

    Collections

    The TAXII data collection set that you want to use.

    Observable Type

    An observable is a STIX schema component that specifies a suspicious object. Only observables of the selected type are used; all others are ignored.

    Polling Intervals

    How often QRadar Threat Intelligence polls the TAXII server. The default polling interval is hourly.

    Poll Initial Date

    The time period that is covered by the initial poll. You can specify the period in minutes, hours, or days.

    Reference Set

    If you want to add elements that are based on a new TAXII feed to a dedicated reference set, you must set it up in advance. For more information about reference sets, see the IBM QRadar Administration Guide.

  6. Click Add. You can add any number of collections to the same TAXII endpoint, or you can continue to create this feed.
  7. When you finish creating the feeds, click Next.
  8. On the Add TAXII Feed window, click the Summary tab to check your configuration parameters before you implement the threat intelligence feed, and then click Save.

Results

The threat feed collections are displayed on the Threat Feeds Downloader page. The Am I Affected feature compares the STIX/TAXII feed indicators that are stored in the reference set with QRadar logs. Matches are displayed on the event list. Click the View Result icon to see the events.
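The Observable Type filter from the Parameter tab and the Am I Affected comparison described above, as an added Python illustration that is not QRadar's own code: it reads a constructed STIX 2.0 bundle, keeps only indicators of one observable type in a set that stands in for the reference set, and matches that set against constructed log lines. The bundle, the log lines and the single-comparison pattern parser are assumptions made for this example.

```python
import json
import re

# Constructed STIX 2.0 bundle standing in for the objects a TAXII collection returns
# (placeholder ids); only single-comparison patterns are parsed below.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[ipv4-addr:value = '203.0.113.9']"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004", "name": "placeholder"},
]})

# Matches a single-comparison STIX pattern such as [ipv4-addr:value = '198.51.100.7'].
PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]$")

def extract_observables(bundle_json, observable_type):
    """Collect indicator values whose STIX object type equals observable_type.
    As with the Observable Type option, indicators of any other type are ignored;
    the returned set plays the role of the dedicated reference set."""
    values = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m and m.group(1) == observable_type:
            values.add(m.group(3))
    return values

# Constructed log lines standing in for QRadar events.
LOG_LINES = [
    "2024-05-01T10:00:01Z fw01 ACCEPT src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2024-05-01T10:00:02Z fw01 ACCEPT src=10.0.0.6 dst=192.0.2.10 dport=80",
    "2024-05-01T10:00:03Z dns01 query bad.example from 10.0.0.7",
    "2024-05-01T10:00:04Z fw01 DENY src=203.0.113.9 dst=10.0.0.1 dport=22",
]

def match_events(log_lines, reference_set):
    """Return (line, value) pairs for each log line containing a reference-set value,
    the comparison the Am I Affected feature makes between feed indicators and logs."""
    hits = []
    for line in log_lines:
        tokens = set(re.findall(r"[\w.-]+", line))  # words, IPs and domain names
        for value in sorted(tokens & reference_set):
            hits.append((line, value))
    return hits
```

Switching the observable type to domain-name leaves the IPv4 indicators out of the set entirely, which is why a feed whose indicators are mostly of another type produces no matches.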