IBM Support

QRadar: Threat Intelligence App: Troubleshooting Polling Issues

Question & Answer


Question

How do I troubleshoot polling issues in the QRadar Threat Intelligence app? After the app is installed, a TAXII feed configured with a short polling interval of 5 minutes returns no results when it polls.

Cause

If the polling interval is set to 5 minutes, each poll looks for results from only the last 5 minutes and can come back empty because that window is too short. Creating a new TAXII feed with a longer polling interval, such as 1 hour or 1 day, resolves the issue.

Answer


How to create a new threat feed with a longer polling interval


  • The ability to edit a TAXII feed was introduced in Threat Intelligence 1.2.0. To extend the polling interval of an existing feed, you still need the feed's user name and password to edit it. For versions prior to 1.2.0, you must add a new feed and then delete the old one.

    Adding a feed

    1. Log in to the QRadar Console.
    2. Click the Admin tab.
    3. From the Plug-ins menu, select Threat Intelligence.
    4. Click the STIX/TAXII Configuration icon.

    5. Add an Authorized Service Token, if you have not already done so.
      1. Select Manage Authorized Service Token.
      2. Provide the values for your authorized service token and click Create Service.
      3. A unique token is created that the Threat Intelligence application can use.
    6. To add a feed, select Add Threat Feed > Add TAXII Feed.

      Note: To use a TAXII feed from IBM X-Force, you must obtain an X-Force API key and password. Refer to the IBM Support article on obtaining the X-Force API key and password.

    7. On the Connection tab, type the URL of your TAXII endpoint.
    8. From the Authentication Method drop-down, select an authentication method:
      • None - No authentication required.
      • HTTP Basic - Requires a user name and password to access the threat feed.
      • JSON Web Token - Requires a token as described at http://jwt.io.
    9. On the Parameters tab, configure the following values:
      • Collection - Select the TAXII collection that supplies the threat data.
      • Observable Type - Select the data type, such as IPv4 address, hostname, or file hash.
      • Polling Interval - Select a polling interval. Hourly is recommended; feeds polled more frequently might not return results.

    10. Click Next.

    11. On the Actions tab, select a reference set to hold the observable data. Note: If you have not already created a reference set, you can create one by using the Reference Set Management link.

    12. Optional. On the Actions tab, select the Replace Contents check box to replace the data in an existing reference set. This option overwrites the data in the selected reference set each time the threat feed is polled.


Editing a feed

  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. From the Plug-ins menu, select Threat Intelligence.
  4. Select the feed that you want to modify and click Edit.
  5. Enter the user name and password, then click Discover.
  6. Modify the Polling Interval.
  7. Click Next.
  8. If required, update the Reference Set.
  9. Click Next > Save.


Results
After you create a new threat feed with a longer polling interval, or edit the existing feed, the TAXII feed should query the remote server and return data.
To verify that data is being polled, review the reference set in the QRadar user interface or use the REST API to confirm that entries are being created from the TAXII feed. The app and poll logs also record each poll of the remote threat feed. Wait at least one full polling interval before deciding whether data is populating in QRadar.

For example, the app log records each completed poll with a line like the following:
2016-08-02 19:13:35,075 [com.ibm.ThreatIntelligence] [INFO] - Poll TAXII Server ID 1 complete! Imported 0 observables into reference set Cyber Tracker IPs.  0 observables reported over the lifetime of this feed.

Note: For how to access your app logs, refer to the IBM article "QRadar App Frameworks App logs".
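The Results section names two ways to confirm that a feed is populating: the app's poll log and the reference set itself. The following Python script is an added example, not code from the IBM article or the Threat Intelligence app, that performs both checks offline. It assumes the poll log-line format shown in the example above, and the JSON shape of the QRadar REST API reference set endpoint (GET /api/reference_data/sets/{name}, authenticated with the Authorized Service Token in the SEC header); the sample log lines (beyond the article's own line) and the sample JSON document are constructed for this example, and the live fetch helper is defined but not called.

```python
import json
import re
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# Matches the "Poll TAXII Server ID <n> complete!" line the app writes after
# each poll (format taken from the article's sample log line).
POLL_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[com\.ibm\.ThreatIntelligence\] \[(?P<level>\w+)\] - "
    r"Poll TAXII Server ID (?P<server_id>\d+) complete! "
    r"Imported (?P<imported>\d+) observables into reference set (?P<refset>.+?)\.\s+"
    r"(?P<lifetime>\d+) observables reported over the lifetime of this feed\.$"
)

@dataclass
class PollResult:
    timestamp: str
    server_id: int
    imported: int       # observables imported by this poll
    lifetime: int       # running total for the feed
    reference_set: str

def parse_poll_line(line: str) -> Optional[PollResult]:
    """Return a PollResult for a completed-poll line, None for any other line."""
    m = POLL_LINE.match(line.strip())
    if not m:
        return None
    return PollResult(m["ts"], int(m["server_id"]), int(m["imported"]),
                      int(m["lifetime"]), m["refset"])

def poll_history(log_text: str, server_id: int) -> List[PollResult]:
    """All completed polls for one TAXII server ID, in log order."""
    parsed = (parse_poll_line(line) for line in log_text.splitlines())
    return [r for r in parsed if r is not None and r.server_id == server_id]

def diagnose(history: List[PollResult]) -> str:
    """Classify a feed from its poll history:
    no_polls       - nothing logged yet; wait at least one full polling interval
    never_imported - every poll imported 0 and the lifetime total is 0 (the
                     article's 5-minute case): lengthen the interval, and check
                     the collection and credentials
    stale          - the feed imported data before, but the latest poll was empty
    healthy        - the latest poll imported observables"""
    if not history:
        return "no_polls"
    latest = history[-1]
    if latest.lifetime == 0 and all(r.imported == 0 for r in history):
        return "never_imported"
    return "stale" if latest.imported == 0 else "healthy"

def reference_set_summary(api_json: str) -> dict:
    """Summarize a GET /api/reference_data/sets/{name} response body."""
    payload = json.loads(api_json)
    values = [item["value"] for item in payload.get("data", [])]
    return {"name": payload["name"],
            "count": payload.get("number_of_elements", len(values)),
            "values": values}

def fetch_reference_set(console: str, name: str, sec_token: str,
                        cafile: Optional[str] = None) -> str:
    """Live fetch (defined, not called here). sec_token is the Authorized Service
    Token from step 5, sent in the SEC header; pass cafile for a private console CA."""
    url = (f"https://{console}/api/reference_data/sets/"
           f"{urllib.parse.quote(name, safe='')}")
    req = urllib.request.Request(url, headers={"SEC": sec_token,
                                               "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")

# Constructed sample log: the first line is the article's own example (feed ID 1,
# polled every 5 minutes, never imports); feed ID 2 stands for the replacement
# feed with an hourly interval.  The DEBUG line shows non-poll lines are skipped.
SAMPLE_LOG = """\
2016-08-02 19:13:35,075 [com.ibm.ThreatIntelligence] [INFO] - Poll TAXII Server ID 1 complete! Imported 0 observables into reference set Cyber Tracker IPs.  0 observables reported over the lifetime of this feed.
2016-08-02 19:18:35,112 [com.ibm.ThreatIntelligence] [INFO] - Poll TAXII Server ID 1 complete! Imported 0 observables into reference set Cyber Tracker IPs.  0 observables reported over the lifetime of this feed.
2016-08-02 20:20:01,004 [com.ibm.ThreatIntelligence] [INFO] - Poll TAXII Server ID 2 complete! Imported 37 observables into reference set Cyber Tracker IPs.  37 observables reported over the lifetime of this feed.
2016-08-02 20:25:14,900 [com.ibm.ThreatIntelligence] [DEBUG] - Scheduler tick
"""

# Constructed response in the shape of the QRadar reference_data API.
SAMPLE_REFSET_JSON = json.dumps({
    "name": "Cyber Tracker IPs", "element_type": "IP", "number_of_elements": 2,
    "data": [
        {"value": "198.51.100.7", "source": "Threat Intelligence",
         "first_seen": 1470169201004, "last_seen": 1470169201004},
        {"value": "203.0.113.25", "source": "Threat Intelligence",
         "first_seen": 1470169201004, "last_seen": 1470169201004},
    ],
})

if __name__ == "__main__":
    for feed_id in (1, 2):
        print(f"feed {feed_id}: {diagnose(poll_history(SAMPLE_LOG, feed_id))}")
    print(reference_set_summary(SAMPLE_REFSET_JSON))
```

Run against a real app log, `poll_history` grouped by server ID shows at a glance which feed is the one stuck at "never_imported"; to check the reference set on a live console, feed the body returned by `fetch_reference_set` into `reference_set_summary` and compare `count` against the lifetime total reported in the log.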


Product: IBM Security QRadar SIEM
Component: APP Framework
Platform: Linux
Version: 7.2; 7.3

Document Information

Modified date:
19 April 2019

UID

swg21989134