Cannot connect to TAXII feed server

IBM® QRadar® Threat Intelligence can't connect to the TAXII feed server. You can test whether the server is reachable from the app by running a curl command inside the app's docker container that simulates the TAXII discovery request the app sends.

Procedure

  1. Use SSH to log in to your QRadar Console as the root user, and run the following command to list the installed apps and note the app ID of the QRadar Threat Intelligence app:
    /opt/qradar/support/qappmanager
  2. Use SSH to log in as the root user to the managed host where the QRadar Threat Intelligence app is installed, and then run the following command to log in to the docker container:
    # /opt/qradar/support/recon connect <app-id>
    Note: The managed host can be a QRadar App Host or Console.
  3. To obtain the base64-encoded credentials that go into the Authorization header, run the base64 tool from the command line with your X-Force API key and API password in the following format. The -n flag keeps a trailing newline out of the encoded value, and -w 0 prevents the output from being wrapped; either would corrupt the header.
    echo -n '<API_Key>:<password>' | base64 -w 0
    Note: The API key and password are written to the shell history in clear text by this command; clear the history when you are done.
  4. In the following command, replace {base64Encoded string} with your encoded username and password, and then run the command.
    curl -k -v -X POST \
      -L https://api.xforce.ibmcloud.com/taxii \
      -H 'accept: application/xml' \
      -H 'authorization: Basic {base64Encoded string}' \
      -H 'content-type: application/xml' \
      -H 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
      -H 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
      -H 'x-taxii-protocol: urn:taxii.mitre.org:protocol:http:1.0' \
      -H 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
      -d '<taxii_11:Discovery_Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
          xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" 
          xsi:schemaLocation="http://taxii.mitre.org/messages/taxii_xml_binding-1.1 
          http://taxii.mitre.org/messages/taxii_xml_binding-1.1"  message_id="123" />'
    In the example, the X-Force Exchange (XFE) feed is used in the command, but you can replace the URL with the TAXII server you are connecting to. The -k flag instructs curl to skip verification of the server's TLS certificate. Use it only to separate a certificate problem from a connectivity problem: if the command succeeds only with -k, the container does not trust the certificate it is presented, which usually points to a TLS-intercepting proxy or a missing CA certificate rather than a network issue.

    A successful test returns HTTP 200 and a TAXII Discovery_Response body. HTTP 401 means the server was reached but rejected the credentials, so re-check the API key and password and the encoding from step 3.

    If the command fails to connect, you might not have a direct connection to the TAXII server. Go to step 5 and retry through a proxy server that is reachable from the docker container and has access to the TAXII server.

  5. Optional: In the following command, replace username and password in the -x proxy URL (http(s)://username:password@proxyip:proxyport) with the proxy's credentials, replace proxyip and proxyport with the proxy address and port, and then run the command. Omit username:password@ if the proxy does not require authentication.
    curl -k -v -X POST \
      -x "http://username:password@proxyip:proxyport" \
      -L https://api.xforce.ibmcloud.com/taxii \
      -H 'accept: application/xml' \
      -H 'authorization: Basic {base64Encoded string}' \
      -H 'content-type: application/xml' \
      -H 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
      -H 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
      -H 'x-taxii-protocol: urn:taxii.mitre.org:protocol:http:1.0' \
      -H 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
      -d '<taxii_11:Discovery_Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
          xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" 
          xsi:schemaLocation="http://taxii.mitre.org/messages/taxii_xml_binding-1.1 
          http://taxii.mitre.org/messages/taxii_xml_binding-1.1"  message_id="123" />'
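As an added example (it is not IBM's code and not part of the original page), the following script performs the probe from steps 3 to 5 in one place: it builds the Basic credentials from environment variables so the key and password never appear on a command line, sends the same Discovery_Request with the same headers, optionally through a proxy, and maps curl's exit code and the HTTP status to the layer to investigate next (DNS, firewall, TLS interception, proxy, credentials). The environment variable names XFORCE_KEY, XFORCE_PASSWORD and HTTPS_PROXY, the --run flag and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not IBM's code: same TAXII discovery probe as steps 3 to 5,
# with credentials read from the environment and the result classified.
# Assumed names (not from the page): XFORCE_KEY, XFORCE_PASSWORD, HTTPS_PROXY.

TAXII_URL="https://api.xforce.ibmcloud.com/taxii"

# Step 3: "key:password" base64-encoded with no trailing newline. printf adds
# no newline to encode, and tr replaces `base64 -w 0`, which is GNU-only.
encode_basic_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Step 4: the TAXII 1.1 Discovery_Request body; message_id is chosen by the caller.
discovery_request() {
    printf '<taxii_11:Discovery_Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="%s" />' "$1"
}

# Turn (curl exit code, HTTP status) into a diagnosis. Return codes:
# 0 = reachable and authenticated, 1 = no connection, 2 = rejected by the
# server or proxy, 3 = unexpected answer.
diagnose() {
    case "$1" in
        0) ;;
        5)  echo "proxy: cannot resolve the proxy host"; return 1 ;;
        6)  echo "dns: cannot resolve the TAXII host from inside the container"; return 1 ;;
        7)  echo "network: connection refused or host unreachable (firewall?)"; return 1 ;;
        28) echo "network: timeout, a firewall is probably dropping the packets"; return 1 ;;
        35|60) echo "tls: handshake or certificate failure (TLS-intercepting proxy?)"; return 1 ;;
        *)  echo "curl exit code $1, see the EXIT CODES section of 'man curl'"; return 1 ;;
    esac
    case "$2" in
        200)     echo "ok: HTTP 200, TAXII discovery succeeded"; return 0 ;;
        401|403) echo "auth: HTTP $2, server reached but it rejected the API key/password"; return 2 ;;
        407)     echo "proxy: HTTP 407, the proxy wants (different) credentials"; return 2 ;;
        4*)      echo "client error: HTTP $2"; return 2 ;;
        5*)      echo "server error: HTTP $2 from the TAXII server"; return 3 ;;
        *)       echo "unexpected HTTP status '$2'"; return 3 ;;
    esac
}

# Steps 4 and 5: run the probe. Deliberately no -k, so an untrusted
# certificate surfaces as curl exit 60 instead of being hidden.
taxii_probe() {
    auth=$(encode_basic_auth "$XFORCE_KEY" "$XFORCE_PASSWORD")
    body=$(mktemp)
    set -- -sS -o "$body" -w '%{http_code}' -X POST -L "$TAXII_URL" \
        -H 'accept: application/xml' \
        -H "authorization: Basic $auth" \
        -H 'content-type: application/xml' \
        -H 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
        -H 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
        -H 'x-taxii-protocol: urn:taxii.mitre.org:protocol:http:1.0' \
        -H 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
        -d "$(discovery_request "$(date +%s)")"
    # Step 5: add the proxy only when one is configured.
    if [ -n "${HTTPS_PROXY:-}" ]; then
        set -- "$@" -x "$HTTPS_PROXY"
    fi
    rc=0
    status=$(curl "$@") || rc=$?
    verdict=0
    diagnose "$rc" "$status" || verdict=$?
    # On success show the start of the Discovery_Response as proof.
    if [ "$verdict" -eq 0 ]; then
        head -c 300 "$body"
        echo
    fi
    rm -f "$body"
    return "$verdict"
}

# Run the probe only when invoked with --run, so the functions can also be
# sourced into an interactive shell inside the container.
if [ "${1:-}" = "--run" ]; then
    taxii_probe
fi
```

Copy the script into the container (step 2) and run it as `XFORCE_KEY=... XFORCE_PASSWORD=... sh taxii_probe.sh --run`, adding `HTTPS_PROXY=http://user:pass@proxyip:proxyport` for the step 5 variant. If it reports a TLS failure (curl exit 35 or 60), rerun the page's curl command with -k to confirm that everything except the certificate works, then fix the trust problem rather than leaving -k in place.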

Results

If neither of these commands works, contact your network administrator to investigate possible issues with the firewall or network configuration in your environment.

If a proxy is already configured for the app and the command only works through that proxy, re-enter the proxy password in the app's configuration; a saved proxy password that has since changed produces the same connection failure.