You can add TAXII threat intelligence feeds to QRadar and configure how each one is polled.
Procedure
- From the navigation menu on the Threat Intelligence dashboard, click the Feeds Downloader icon.
- Click Add Threat Feed, and then click Add TAXII Feed.
- On the Add TAXII Feed window, click the Connection tab, and configure the following options:
| Option | Description |
| --- | --- |
| TAXII Endpoint | Type the URL of the TAXII server that you want to use. Existing TAXII endpoints in your deployment appear in a list. If you choose an existing endpoint, the corresponding options are prepopulated. |
| Version | Select either TAXII 1.x or TAXII 2.0. |
| Authentication Method | Select the authentication method that you want to use and complete the corresponding options. The available methods depend on the TAXII version that you select. TAXII 1.x: None, HTTP Basic, JSON Web Token. TAXII 2.0: None, HTTP Basic. |
| Client Certificate | If you want to use a client certificate with the TAXII server, click Choose file in the Client Certificate area and select the file to upload. Only the .pem file type is supported. |
| Client Key | If your client certificate requires a key file, click Choose file in the Client Key area, browse to the file's location, and upload it. |
- Click Discover.
- On the Add TAXII Feed window, click the Parameter tab, and configure the following options:
| Option | Description |
| --- | --- |
| Collections | The TAXII data collection set that you want to use. |
| Observable Type | An observable is a STIX schema component that specifies a suspicious object. Only observables of this type are used; all others are ignored. |
| Polling Intervals | How often QRadar Threat Intelligence polls the TAXII server. The default polling interval is hourly. |
| Poll Initial Date | The time period that is covered by the initial poll. You can choose to poll data in increments of minutes, hours, or days. |
| Reference Set | If you want to add elements from a new TAXII feed to a dedicated reference set, you must set up that reference set in advance. For more information about reference sets, see the IBM QRadar Administration Guide. |
- Click Add. You can add any number of collections to the same TAXII endpoint, or you can continue creating this feed.
- When you finish creating the feeds, click Next.
- On the Add TAXII Feed window, click the Summary tab to check your configuration parameters before you implement the threat intelligence feed, and then click Save.
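The Connection tab constraints from the procedure (the authentication method is tied to the TAXII version, only a .pem client certificate is accepted) and the Parameter tab's Observable Type filter, modelled as an added Python example. This is not QRadar's code: TaxiiFeedConfig, validate, auth_header and select_observables, and the use of a Bearer header for the JSON Web Token, are assumptions for illustration.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Authentication methods the procedure lists for each TAXII version.
ALLOWED_AUTH = {
    "1.x": {"None", "HTTP Basic", "JSON Web Token"},
    "2.0": {"None", "HTTP Basic"},
}

@dataclass
class TaxiiFeedConfig:  # hypothetical model of the Connection tab
    endpoint: str
    version: str                       # "1.x" or "2.0"
    auth_method: str = "None"
    username: Optional[str] = None
    password: Optional[str] = None
    token: Optional[str] = None        # JSON Web Token, TAXII 1.x only
    client_cert: Optional[str] = None  # path to the uploaded .pem file
    client_key: Optional[str] = None

def validate(cfg: TaxiiFeedConfig) -> List[str]:
    """Return the problems found; an empty list means the feed can be saved."""
    problems = []
    if cfg.version not in ALLOWED_AUTH:
        problems.append("version must be 1.x or 2.0")
    elif cfg.auth_method not in ALLOWED_AUTH[cfg.version]:
        problems.append(f"{cfg.auth_method} is not available for TAXII {cfg.version}")
    if cfg.auth_method == "JSON Web Token" and not cfg.token:
        problems.append("JSON Web Token needs a token")
    if cfg.client_cert and not cfg.client_cert.lower().endswith(".pem"):
        problems.append("only .pem client certificates are supported")
    if cfg.client_key and not cfg.client_cert:
        problems.append("a client key requires a client certificate")
    return problems

def auth_header(cfg: TaxiiFeedConfig) -> dict:
    """Authorization header a poller would send; Bearer for JWT is an assumption."""
    if cfg.auth_method == "HTTP Basic":
        raw = f"{cfg.username}:{cfg.password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if cfg.auth_method == "JSON Web Token":
        return {"Authorization": "Bearer " + cfg.token}
    return {}

def select_observables(objects: list, observable_type: str) -> list:
    """Apply the Observable Type parameter: keep matching STIX objects, ignore the rest."""
    return [o for o in objects if o.get("type") == observable_type]
```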
Results
The threat feed collections are displayed on the Threat Feeds Downloader page. The Am I Affected feature compares the STIX/TAXII feed indicators that are stored in the reference set with QRadar logs. Matches are displayed in the event list. Click the View Result icon to see the events.