IBM® QRadar® Threat Intelligence can't connect to the TAXII feed server.
You can test the connection availability by running a curl command inside the docker container and simulating the request.
Procedure
- Use SSH to log in to your QRadar Console as the root user, and run the following command to determine the docker container of the QRadar Threat Intelligence app:
/opt/qradar/support/qappmanager
- Use SSH to log in as the root user to the managed host where the QRadar Threat Intelligence app is installed, and then run the following command to log in to the docker container:
# /opt/qradar/support/recon connect <app-id>
Note: The managed host can be a QRadar App Host or Console.
- To obtain your encoded username and password, pass your API Key and password to the base64 tool on the QRadar command line, in the following format:
echo -n '<API_Key>:<password>' | base64 -w 0
- In the following command, replace {base64Encoded string} with your encoded username and password, and then run the command.
curl -k -v -X POST \
-L https://api.xforce.ibmcloud.com/taxii \
-H 'accept: application/xml' \
-H 'authorization: Basic {base64Encoded string}' \
-H 'content-type: application/xml' \
-H 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
-H 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
-H 'x-taxii-protocol: urn:taxii.mitre.org:protocol:http:1.0' \
-H 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
-d '<taxii_11:Discovery_Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
xsi:schemaLocation="http://taxii.mitre.org/messages/taxii_xml_binding-1.1
http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="123" />'
The example uses the X-Force Exchange (XFE) feed URL, but you can replace it with your own TAXII server as necessary. The -k flag tells curl to skip verification of the server certificate, so the check tests reachability and authentication only, not the certificate chain.
If the command fails, you might not have a direct connection to the TAXII server. Go to step 3 and try to use a proxy server that is accessible from the docker container and that has access to the TAXII server.
- Optional: In the following command, replace username, password, proxyip, and proxyport in the -x proxy URL (http(s)://username:password@proxyip:proxyport/) with the credentials and address of your proxy server, and then run the command.
curl -k -v -X POST \
-x "http://username:password@proxyip:proxyport" \
-L https://api.xforce.ibmcloud.com/taxii \
-H 'accept: application/xml' \
-H 'authorization: Basic {base64Encoded string}' \
-H 'content-type: application/xml' \
-H 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
-H 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
-H 'x-taxii-protocol: urn:taxii.mitre.org:protocol:http:1.0' \
-H 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
-d '<taxii_11:Discovery_Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
xsi:schemaLocation="http://taxii.mitre.org/messages/taxii_xml_binding-1.1
http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="123" />'
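The same check as the curl commands above, written as a small Python 3 script (an added example, not part of the IBM documentation): it builds the Basic authorization value the base64 step produces, sends the TAXII 1.1 Discovery_Request with the same headers, optionally through a proxy and with certificate verification switched off like -k, and classifies the outcome so that a credential problem (HTTP 401) is distinguished from a network problem. The sample Discovery_Response and the example.invalid address are constructed for the offline parser check; the xsi:schemaLocation attributes of the curl body are omitted because they are only validator hints.

```python
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
# Constructed sample of what a healthy TAXII 1.1 server answers to the Discovery_Request.
SAMPLE_RESPONSE = (f'<taxii_11:Discovery_Response xmlns:taxii_11="{NS}" message_id="1" '
                   f'in_response_to="123"><taxii_11:Service_Instance service_type="POLL">'
                   f'<taxii_11:Address>https://example.invalid/taxii/poll</taxii_11:Address>'
                   f'</taxii_11:Service_Instance></taxii_11:Discovery_Response>').encode()

def basic_auth_header(api_key, password):
    """Same value as: echo -n '<API_Key>:<password>' | base64 -w 0"""
    return "Basic " + base64.b64encode(f"{api_key}:{password}".encode()).decode()

def discovery_request(message_id="123"):
    """TAXII 1.1 Discovery_Request body, the same message the curl -d argument sends."""
    return f'<taxii_11:Discovery_Request xmlns:taxii_11="{NS}" message_id="{message_id}" />'.encode()

def service_instances(response_xml):
    """(service_type, address) pairs advertised in a Discovery_Response."""
    root = ET.fromstring(response_xml)
    return [(si.get("service_type"), si.findtext(f"{{{NS}}}Address"))
            for si in root.iter(f"{{{NS}}}Service_Instance")]

def probe(url, api_key, password, proxy=None, verify_tls=True, timeout=15):
    """POST the discovery request and classify the outcome the way the curl steps do:
    'ok' = server answered; 'http_error' = reached but rejected (401 means bad credentials);
    'unreachable' = DNS, firewall, TLS or proxy failure, i.e. no path to the TAXII server."""
    headers = {"accept": "application/xml", "content-type": "application/xml",
               "authorization": basic_auth_header(api_key, password),
               "x-taxii-accept": "urn:taxii.mitre.org:message:xml:1.1",
               "x-taxii-content-type": "urn:taxii.mitre.org:message:xml:1.1",
               "x-taxii-protocol": "urn:taxii.mitre.org:protocol:http:1.0",
               "x-taxii-services": "urn:taxii.mitre.org:services:1.1"}
    handlers = []
    if proxy:  # "http://username:password@proxyip:proxyport", as in the optional step
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    if not verify_tls:  # equivalent of curl -k: skip certificate verification, diagnosis only
        handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
    req = urllib.request.Request(url, data=discovery_request(), headers=headers, method="POST")
    try:
        with urllib.request.build_opener(*handlers).open(req, timeout=timeout) as resp:
            return "ok", resp.status, service_instances(resp.read())
    except urllib.error.HTTPError as e:
        return "http_error", e.code, []
    except (urllib.error.URLError, OSError) as e:
        return "unreachable", None, str(getattr(e, "reason", e))
```

Run it from inside the app container with `probe("https://api.xforce.ibmcloud.com/taxii", api_key, password, verify_tls=False)`; an `http_error` result with code 401 points at the credentials, while `unreachable` points at firewall, DNS or proxy configuration.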
Results
If neither of these commands works, contact your network administrator to investigate possible issues with the firewall or network configuration in your environment. If a proxy is already configured for the app, try entering the password again.