IBM Support

QRadar: Newly Created Threat Intelligence App Feed Does Not Show Signatures

Troubleshooting


Problem

A newly created Threat Intelligence feed does not show any feed data and does not update the reference set elements.

Symptom

After we add a feed in the Threat Intelligence App, it does not pull signatures, and the reference set is not updated with the elements from the feed collection. Even after polling the feed, the Signatures received last poll field does not display any number:
image-20220824232513-3

Cause

This issue is caused due to the selection of an incorrect Observable Type when the feed is being created or edited. If the feed is set to collect URLs as observables, but we set the Observable Type to a value other than URL, the reference set is not updated.
Another cause for this issue is that the reference set type is set incorrectly. In our example, we are adding URLs and if we select the reference set type as numeric, the Threat Intelligence app does not add elements in the reference set.

Resolving The Problem


Select the correct Observable Type and Reference Set type when a TAXII feed is added (or when an existing TAXII feed is edited):
TAXXI Parameter Settings

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
25 October 2022

UID

ibm16615097