QRadar: Newly Created Threat Intelligence App Feeds Not Showing Signatures

Troubleshooting

Problem

A newly created feed for Petya or WCry2 returns no data and it does not update the reference set elements.

Cause

When creating a new feed in your Threat Intelligence APP, only the new data going forward is be added after the first Poll Initial Date. Sometimes there is no data from the collection.

Resolving The Problem

The default setting for Poll Initial date in the Add TAXII Feed is to Poll Now. Setting Poll Initial Date when configuring the feed to some date in the past can help resolve the issue were no data or IP Signatures are being added. Currently, you are only allowed to Poll 3 months of data.

To check whether the data you're trying to poll is from the current date or from an older date, please check the time stamps in Reports from the IBM X-Force Exchange.

To access Reports

Click on this link.
https://exchange.xforce.ibmcloud.com/collection?tab=public
Then, choose a collection.
View the report to see where you would like to do your Initial Poll.

Results: You now know when to set your initial Poll Date.

For more information on the Threat Intelligence APP and how to configure it please see this link.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"App","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

QRadar: Newly Created Threat Intelligence App Feeds Not Showing Signatures

Troubleshooting

Problem

Cause

Resolving The Problem

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?