Creating rule actions
You can create rule actions that post information on threats on your system to a TAXII inbox service.
Procedure
- From the Admin tab, click Apps > Threat Intelligence, and click the STIX/TAXII Configuration icon.
- Click Create Rule Action > Create A TAXII Rule Action.
- On the Connection tab of the Create TAXII Rule Action window, enter the URL of the TAXII Endpoint you want to upload to. Existing TAXII Endpoints in your deployment appear in a list. When you choose an existing endpoint, the corresponding Authentication Method, Client Certificate, and Ignore Certificate options are prepopulated.
- Select the relevant Authentication Method and add the Username and Password for basic HTTP authentication or a token string for JSON Web Token authentication.
- If you want to use a client certificate with the TAXII inbox service, click Choose File to locate the certificate on your system, and upload it to QRadar®. Only the .pem file type is supported.
- If you want to add a key file, click Choose File to locate the key on your system, and upload it to QRadar.
- On the Parameters tab, use the following guidelines to define the rule action parameters.
  - Enter the name of the TAXII inbox service that you want to post event data to in the Collection field.
  - Enter values for the Indicator Source Name and the Action Name.
  - Select a network event property from the Property lists.
    Network event properties are dynamic Ariel properties that are generated by events. For example, the network event property sourceip provides a parameter that matches the source IP address of the triggered event. Parameters are passed to the rule in the order in which you added them.
    For more information about Ariel properties, see the IBM® QRadar Ariel Query Language Guide.
  - Select the STIX observable type and indicator type relevant to the threat from the Indicator type lists.
    Select the observable type appropriate to the event you want to post to the TAXII server. QRadar does not validate the custom response.
- Click Save.
- On the Admin tab main toolbar, click Deploy Changes.
The rule actions that you create are added to the QRadar Custom Actions window. To view them, click Define Actions on the Admin tab. You can edit or delete a rule action from the Custom Actions window, and the changes are reflected in the Threat Intelligence app.
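To make the mapping between the tabs above and what goes over the wire concrete, here is an added Python example; it is not the Threat Intelligence app's code. It assembles, without sending it, the kind of POST such a rule action issues for a triggered event: an Authorization header for the basic or JWT method, an SSL context reflecting the client certificate and Ignore Certificate options, and a TAXII 1.1 inbox message whose STIX indicator carries the event's sourceip as an ipv4-addr observable (a domain-name mapping is included to show the same path for a second observable type). The endpoint URL, collection name, credentials and event values are constructed; the XML element and header names follow the TAXII 1.1 and STIX 1.1.1 XML bindings and should be checked against the receiving server, since QRadar itself does not validate the message.

```python
"""Build (without sending) the TAXII 1.1 inbox POST for one QRadar event.
Added example, not the Threat Intelligence app's code; XML and header names
follow the TAXII 1.1 / STIX 1.1.1 bindings and must be checked against the
target server.  All URLs, names, credentials and event values are constructed."""
import base64
import ssl
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed mapping from the observable types offered by the rule action to
# CybOX object properties; extend it with the types your server accepts.
OBSERVABLE_TYPES = {
    "ipv4-addr": dict(prefix="AddressObj", value_tag="Address_Value",
                      ns="http://cybox.mitre.org/objects#AddressObject-2",
                      xsi_type="AddressObj:AddressObjectType",
                      attrs=' category="ipv4-addr"'),
    "domain-name": dict(prefix="DomainNameObj", value_tag="Value",
                        ns="http://cybox.mitre.org/objects#DomainNameObject-1",
                        xsi_type="DomainNameObj:DomainNameObjectType", attrs=""),
}

TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def build_auth_header(method, username=None, password=None, token=None):
    """Authorization value for the two methods the Connection tab offers."""
    if method == "basic":
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return "Basic " + creds
    if method == "jwt":
        return "Bearer " + token
    raise ValueError(f"unsupported authentication method: {method}")


def build_stix_package(observable_type, value, source_name, indicator_type):
    """One STIX 1.1.1 package holding one indicator with one observable."""
    t = OBSERVABLE_TYPES[observable_type]
    return (
        '<stix:STIX_Package version="1.1.1"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
        ' xmlns:stix="http://stix.mitre.org/stix-1"'
        ' xmlns:indicator="http://stix.mitre.org/Indicator-2"'
        ' xmlns:cybox="http://cybox.mitre.org/cybox-2"'
        f' xmlns:{t["prefix"]}="{t["ns"]}" id="QRadar:Package-{uuid.uuid4()}">'
        f'<stix:STIX_Header><stix:Title>{escape(source_name)}</stix:Title></stix:STIX_Header>'
        '<stix:Indicators>'
        f'<stix:Indicator xsi:type="indicator:IndicatorType" id="QRadar:indicator-{uuid.uuid4()}">'
        f'<indicator:Type>{escape(indicator_type)}</indicator:Type>'
        '<indicator:Observable><cybox:Object>'
        f'<cybox:Properties xsi:type="{t["xsi_type"]}"{t["attrs"]}>'
        f'<{t["prefix"]}:{t["value_tag"]}>{escape(value)}</{t["prefix"]}:{t["value_tag"]}>'
        '</cybox:Properties></cybox:Object></indicator:Observable>'
        '</stix:Indicator></stix:Indicators></stix:STIX_Package>'
    )


def build_inbox_message(collection, stix_xml):
    """TAXII 1.1 inbox envelope addressed to the collection named on the Parameters tab."""
    return (
        '<taxii_11:Inbox_Message'
        ' xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"'
        f' message_id="{uuid.uuid4()}">'
        f'<taxii_11:Destination_Collection_Name>{escape(collection)}</taxii_11:Destination_Collection_Name>'
        '<taxii_11:Content_Block>'
        '<taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>'
        f'<taxii_11:Content>{stix_xml}</taxii_11:Content>'
        '</taxii_11:Content_Block></taxii_11:Inbox_Message>'
    )


def build_taxii_post(url, collection, stix_xml, auth_header,
                     client_cert_pem=None, client_key_pem=None, ignore_certificate=False):
    """Mirror the Connection tab: endpoint URL, auth, .pem client certificate and key."""
    ctx = ssl.create_default_context()
    if ignore_certificate:
        # Equivalent of the "Ignore Certificate" option: the server is no longer
        # authenticated, so whichever host answers for the URL receives the
        # credentials and event data.  Trusting the server's CA is the safer fix.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, client_key_pem)
    body = build_inbox_message(collection, stix_xml).encode()
    return {"url": url, "headers": dict(TAXII_HEADERS, Authorization=auth_header),
            "body": body, "ssl_context": ctx}


def observable_values(inbox_xml):
    """Parse the message back and return the observable values it carries."""
    root = ET.fromstring(inbox_xml)
    return [el.text for t in OBSERVABLE_TYPES.values()
            for el in root.iter(f'{{{t["ns"]}}}{t["value_tag"]}')]


def rule_action_example(ignore_certificate=False):
    """Run the whole mapping on one constructed triggered event."""
    event = {"sourceip": "198.51.100.23", "destinationip": "10.0.0.5"}  # constructed
    stix_xml = build_stix_package("ipv4-addr", event["sourceip"],
                                  source_name="QRadar rule action", indicator_type="IP Watchlist")
    return build_taxii_post("https://taxii.example.test/inbox", "ti-inbox", stix_xml,
                            build_auth_header("basic", username="alice", password="s3cret"),
                            ignore_certificate=ignore_certificate)
```

To actually deliver the message, wrap the returned fields in `urllib.request.Request(url, data=body, headers=headers, method="POST")` and call `urllib.request.urlopen(req, context=ssl_context)`; the `observable_values` round trip is a cheap way to confirm the XML is well-formed before pointing it at a real inbox.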