IBM Support

QRadar: Difference between the default X-Force threat intelligence feeds and those provided by the Threat Intelligence app

Question & Answer


What is the difference between the default X-Force threat intelligence feeds and those provided by the Threat Intelligence app?


Current QRadar® versions have a feature that pulls X-Force® Threat Intelligence feeds. This feature is included with the standard license and is used to pull IP and URL reputation data. Another way of pulling in threat feeds is by using the IBM QRadar Threat Intelligence app. This app can pull in any threat intelligence feed (including X-Force) using the open standard STIX and TAXII formats.
The primary difference between these two methods is the categorization of data.
The inbuilt feed pulls in data classified into broad and common categories like spam, botnet, malware, and anonymization services. These categories are sufficient to get general threat analysis started.
The X-Force feeds pulled by the Threat Intelligence app, are categorized at a more granular level. If an administrator needs specific data on a certain coordinated campaign or from another public collection, the feeds from the Threat Intelligence app are more appropriate. For example, at the time of writing this article, some public collections from X-Force Research® were Emotet Botnet Activity Monitoring and Santander Squatting Campaign. Apart from that enhanced classification, if an administrator wants to subscribe to the X-Force Advanced Threat Protection feed, the app can pull that feed if provided with an appropriate license.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.0;7.3.1;7.3.2;7.3.3;7.4.0;7.4.1"}]

Document Information

Modified date:
12 November 2020