By default, the "Enable X-Force Threat Intelligence Feed" option in the system settings of QRadar 7.2.8 and 7.3 is set to No. This setting can cause any enabled X-Force rules to fail to function as designed.
Resolving The Problem
To resolve the issue:
- Log in to the QRadar User Interface as an Administrator.
- Click the Admin tab > System Settings icon.
- In the System Settings section, select Yes from the Enable X-Force Threat Intelligence Feed drop-down menu.
- Click Save.
- From the Admin tab menu bar, click Deploy Changes.
- Click the Offenses tab > Rules.
- Click Actions > New Event Rule.
- From "Choose the source from which you want this rule to generate", click Events > Next.
- In the Rule Wizard text window, type X-Force.
Results: The default X-Force rules are listed. You can enable any of these rules, or duplicate a rule and enable the copy. You can also create new Enhanced X-Force rules based on the Enhanced X-Force conditionals.
For more information, refer to QRadar: X-Force Frequently Asked Questions (FAQ).
16 June 2018