IBM Support

QRadar: Enable X-Force Threat Intelligence Feed prior to enabling any X-Force Rules

Troubleshooting


Problem

By default, the "Enable X-Force Threat Intelligence Feed" option in the system settings of QRadar 7.2.8 and 7.3 is set to No. While the feed is disabled, any enabled X-Force rules can fail to function as designed.

Resolving The Problem

To resolve the issue:

  1. Log in to the QRadar User Interface as an Administrator.
  2. Click the Admin tab > System Settings icon.
  3. In the System Settings section, select Yes from the Enable X-Force Threat Intelligence Feed drop-down menu.
  4. Click Save.
  5. From the Admin tab menu bar, click Deploy Changes.
  6. Click the Offenses tab > Rules.
  7. Click Actions > New Event Rule.
  8. From Choose the source from which you want this rule to generate, click Events > Next.
  9. In the Rule Wizard text window, type X-Force.

Results: You can enable any of these default rules, or duplicate a rule and enable the copy. You can also create new Enhanced X-Force rules based on the Enhanced X-Force conditionals.


For more information, see QRadar: X-Force Frequently Asked Questions (FAQ).



Document Information

Modified date:
16 June 2018

UID

swg22001974