IBM Support

QRadar: X-Force Frequently Asked Questions (FAQ)

Question & Answer


Question

What do I need to know and what are the frequently asked questions about the QRadar X-Force Threat Intelligence feed?

Answer


How to enable X-Force Threat Intelligence in QRadar 7.2.8 and Later


In QRadar 7.2.8 and later, the X-Force Threat Intelligence Feed no longer needs to be purchased as a separate subscription; it is included with the standard license as part of Service & Support. Administrators who previously did not have IP and URL reputation data licensed and want to use the X-Force Threat Intelligence Feed can now enable it from the System Settings screen of the Admin tab. Users who do not upgrade to QRadar 7.2.8 remain on their existing subscription model until they upgrade.

To enable X-Force Threat Intelligence Feeds for QRadar 7.2.8 and later

  1. Log in to QRadar as an administrator.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. From the Enable X-Force Threat Intelligence Feed drop-down, select Yes.
  5. Click Save.
  6. From the Admin tab, click Deploy Changes to enable the X-Force Threat Intelligence Feed for the deployment.

    NOTE: Administrators must allow Internet access over HTTPS (TCP port 443) from the QRadar Console to the following addresses to get X-Force Threat Intelligence Feed data from IBM. Only the Console needs this access; managed hosts receive the data from the Console. These servers are contacted for X-Force data updates and licensing:

    Server contacted               Server description
    update.xforce-security.com     X-Force Threat Intelligence Feed update server for IP reputation and URL data
    license.xforce-security.com    X-Force Threat Intelligence licensing server


    What to do next
    After enabling the X-Force Threat Intelligence Feed, administrators on new installs should make sure the Threat Content Extension is installed. The next section describes this; the extension provides the X-Force rules that work with the Threat Intelligence Feed.



Downloading X-Force Rule Content for QRadar


In QRadar 7.2.6 and later, administrators can install only the rule content that is relevant to them instead of the full default rule set. New administrators should review the available content extensions, including the X-Force Premium rules, to expand the base QRadar rule set. Content extensions add rules, building blocks, reports, and other data on top of the baseline QRadar rule set. After completing a new install of QRadar, administrators are encouraged to review and install these extensions from the IBM X-Force Exchange.

IMPORTANT: To add X-Force Rules to QRadar, administrators must install the QRadar Threat Content Extension.

List of common QRadar 7.2.x rule content extensions:

Extension name: IBM QRadar Security Threat Content
Required for X-Force Premium users: Yes
Description: Threat content rules focus on threat indicators and integration with threat intelligence feeds, such as the IBM X-Force Premium rules. X-Force Premium rules are common rules in QRadar, so they can be applied to either event or flow data.

The IP-based rules listed below can generate offenses only when all three conditions hold:
  1. The Threat Content Extension is installed.
  2. The rule is enabled.
  3. The X-Force feed is enabled in QRadar (System Settings), and any firewalls or proxies between the Console and the X-Force servers are configured to allow the updates.

IP rules
IP rules use X-Force categories together with the confidence factor when evaluating events or flows. Categories can be anonymization server, botnet C&C, botnet, malware, dynamic IPs, scanning IPs, or spam. The extension adds the following IP-based rules; each fires when an IP address in the named category meets the confidence factor threshold set in the rule. By default, these rules test for a confidence factor of 75 or greater.
  • X-Force Premium: Internal Connection to Host Categorized as Malware
  • X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers
  • X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM
  • X-Force Premium: Non-Mail Servers Sending Mail to Servers Categorized as SPAM
  • X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic
  • X-Force Premium: Server Communicating with External IP Classified as Dynamic

URL rules
URL rules use web site categories instead of a confidence factor. Categories can be botnet, spam, gambling, job search, adult, and so on. The extension adds the following URL-based rules when X-Force Premium is licensed. They are evaluated against events that carry a URL in the custom event property URL (custom) and trigger on the X-Force categorization of that URL.
  • X-Force Premium: Internal Host Communicating with Botnet Command and Control URL
  • X-Force Premium: Internal Host Communication with Malware URL

Extension name: IBM Security Anomaly Content
Required for X-Force Premium users: No
Description: The Anomaly extension adds 10 anomaly rules and 9 building blocks, for a total of 19 content items.

Extension name: IBM Security Compliance Content
Required for X-Force Premium users: No
Description: The Compliance extension adds 4 custom event properties, 42 event searches, 7 flow searches, 153 reports, 140 rules and building blocks, and 10 reference data sets.

Extension name: IBM Security Intrusion Content
Required for X-Force Premium users: No
Description: The Intrusion extension adds 20 intrusion rules, 52 building blocks, and one reference data set, for a total of 73 content items.

Extension name: IBM Security ISO 27001 Content
Required for X-Force Premium users: No
Description: The ISO 27001 extension adds 4 custom event properties, 29 event searches, 77 reports, 4 rules, and 31 building blocks, for a total of 145 content items.

Extension name: IBM Security Reconnaissance Content
Required for X-Force Premium users: No
Description: The Recon extension adds 10 reference sets, 62 rules, and 42 building blocks, for a total of 114 content items.
 



What is the X-Force Threat Intelligence Feed for QRadar?


IBM Security X-Force Threat Intelligence provides two levels of data to QRadar users: a free basic feed and a subscription-based premium feed. As of QRadar 7.2.8, the premium X-Force Threat Intelligence Feed is a core feature included with the appliance support license. X-Force uses a series of data centers across the globe to collect tens of thousands of malware samples, analyze web pages and URLs, and run IP address analysis to categorize IP address information. By categorizing IP addresses into segments such as malware hosts, spam sources, and anonymous proxies, this IP reputation data can be incorporated into QRadar rules, offenses, and events. This allows events to be captured more quickly and accurately than previously possible, and with additional context for further analysis.

Firewalls and X-Force Data Updates


QRadar receives new X-Force IP reputation and URL data daily, whenever new IP reputation or URL database content is available. The Console checks for updates every minute, so QRadar can be updated several times per day: new IP information can arrive every 2 minutes and URL data every 5 minutes. Updates are merged into their own databases on the Console, and the content is replicated from the Console to the managed hosts in the deployment. In older versions of QRadar (7.2.3 and earlier) the X-Force data was delivered through QRadar automatic updates.

The following servers are contacted for X-Force data updates, licensing, dashboard widget feeds, and QRadar automatic updates:

Server contacted               Server description
update.xforce-security.com     X-Force Threat Intelligence Feed update server for IP reputation and URL data
license.xforce-security.com    X-Force Threat Intelligence licensing server
qmmunity.q1labs.com            QRadar automatic updates

Note: qmmunity.q1labs.com is also used for X-Force Threat Intelligence updates on QRadar Consoles at 7.2.3 and earlier.

The X-Force data provided includes IP reputation data, URL data, and categorization data. Administrators should expect that these updates will consume bandwidth daily. The following list contains the approximate daily bandwidth usage for all data types:
  • IP Reputation (IPR) Data: 16 MB
  • WEB/URL Data: 5 MB
  • Web Application Categorization Data: 100 KB

How to Configure X-Force Feeds with Proxy Servers



The answer to this depends on the version of QRadar that you have installed on your Console.

QRadar 7.2.4 and later
In QRadar 7.2.4, a change was made so that X-Force IP reputation data was unlinked from the automatic update process. This means that X-Force data updates no longer use the proxy settings from the Auto Update screen on the Admin tab, as they did in QRadar 7.2.3. QRadar 7.2.4 and later use new X-Force servers, and the IP reputation and URL lookup databases are kept locally for rule evaluation. The Console collects data from the X-Force servers on the Internet through a reverse proxy configured in Apache (httpd) on the Console. All QRadar appliances in the deployment, including the Console, contact Apache on the Console to get a cached request out to the X-Force servers. After the Console receives the data, the result is cached and replayed to every other host that requests new IP reputation data. Only the Console therefore needs Internet or proxy access; managed hosts do not.



Unauthenticated Proxy Server Configuration
If a proxy is in place on your network, update the HTTPD configuration on the Console so that the existing requests are passed through and forwarded to the proxy server, which retrieves the X-Force data. Note: NTLM proxy authentication is not supported.
 
Procedure
*Important* Restarting the Apache server on the Console logs out all users, and managed hosts might write error messages to their logs while the Apache service restarts. The restart only takes a moment, but IBM suggests completing this work during a scheduled maintenance window.
 
  1. Log in to the QRadar Console as the root user.
  2. Edit the following file: /etc/httpd/conf.d/ssl.conf 
  3. Add the following lines before </VirtualHost> in the ssl.conf file:

    ProxyRemote https://license.xforce-security.com/ http://PROXY_IP:PROXY_PORT
    ProxyRemote https://update.xforce-security.com/ http://PROXY_IP:PROXY_PORT

    Note: Replace PROXY_IP and PROXY_PORT in step 3 with the IP address and port of the corporate proxy server. This step requires that the proxy allow an anonymous (no credentials) connection to the xforce-security.com servers.
  4. Save the changes to the ssl.conf file.
  5. Edit the following file: /opt/qradar/dca/server.ini
  6. Add the following information to the server.ini file:
    #
    # Configure proxy settings
    #
    [proxy_server]
    (type your proxy server IP address here)

    [proxy_port]
    (type your proxy port here)
     
  7. Run the following commands, in sequence, to restart scaserver and the Apache server on the Console:
  • QRadar 7.2.8 and earlier: /opt/qradar/init/scaserver restart && service apache restart
  • QRadar 7.3.0 and later: apachectl restart && systemctl restart scaserver


Basic Authentication for Proxy Servers
For administrators who have basic authentication enabled on their proxy server, they can configure their proxy settings in the server.ini file on the QRadar Console.
 
Procedure
  1. Log in to the QRadar Console as the root user.
  2. Edit the following file: /opt/qradar/dca/server.ini
  3. Add the following information to the server.ini file:

    #
    # Configure proxy settings
    #
    [proxy_server]
    (type your proxy server IP address here)

    [proxy_port]
    (type your proxy port here)

    [proxy_user]
    (type your proxy username here)

    [proxy_pass]
    (type your proxy password here)

     
  4. Save the changes to the server.ini file.
  5. Edit the following file: /opt/qradar/dca/dca/init/dca_license/dca_license_settings_user.txt
  6. In the [license_server] field, update the URL to: https://license.xforce-security.com/license_v4.asp
    For example,
    [license_server]
    https://license.xforce-security.com/license_v4.asp
  7. Save the changes to the license settings file.
  8. Edit the following file: /opt/qradar/dca/dca/init/dca_update/dca_update_settings_user.txt
  9. Update the download and upload server URLs to the following values:
    [update_download_server]
    https://update.xforce-security.com/version6/dca_update6.asp
    
    [update_upload_server]
    https://update.xforce-security.com/version6/of_upload.asp 
    
  10. Save the changes to the update settings file.
  11. To restart the scaserver and load the file changes, type one of the following commands:
    QRadar 7.2.8 and earlier: /opt/qradar/init/scaserver restart
    QRadar 7.3.0 and later: systemctl restart scaserver

    NOTE
    Administrators who continue to experience issues after the scaserver restart might be affected by APAR IJ18011, which overwrites the changes made to dca_license_settings_user.txt and dca_update_settings_user.txt. If your changes are not preserved, or you do not receive X-Force data after updating your proxy settings, contact QRadar Support for assistance with IJ18011.




For QRadar 7.2.3 and earlier
For administrators using QRadar 7.2.3 or below, the X-Force IP Reputation data is provided through the QRadar auto update process and uses qmmunity.q1labs.com to get both auto updates and X-Force IP Reputation data. If a corporate proxy is in place, administrators can configure the proxy information in the user interface from the Admin tab in QRadar. These changes require a user with an administrator user role to complete changes from the Admin tab of QRadar.

Procedure
  1. Log in to the QRadar Console as an admin user.
  2. Click the Admin tab.
  3. Click the Auto Update icon.
  4. Click Change Settings.
  5. Click the Advanced tab.
  6. Type the IP address, port, and credentials for your proxy server.

  7. Click Save.

My rules are grouped by "Enhanced X-Force Rules" and "Legacy Rules". How are these rule groups different?


QRadar X-Force has been available in QRadar SIEM since version 7.2.0. The original X-Force common rules in QRadar evaluated the source or destination IP addresses in events or flows against the list of X-Force addresses (remote network locations). In QRadar 7.2.4 and later, the X-Force rules were enhanced to support not only IP-based rule tests but also URL tests for event rules and a new value called the 'confidence factor'. To ensure that existing user rules were not corrupted by an upgrade to QRadar 7.2.4, the rules were split into two groups under the X-Force Premium rule group: "Enhanced X-Force Rules" and "Legacy Rules".

NOTE: Legacy X-Force rules are only shown if you have upgraded from a previous version of QRadar.


An example of an X-Force legacy rule:
"when the [source IP|destinationIP|any IP] is part of any of the following [remote network locations]"

An example of an IP address and URL X-Force enhanced rule:
"when [this host property] is categorized by X-Force as [Anonymization Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with confidence value [equal to] [this amount]" (Based on IP address)
"when [this URL property] is categorized by X-Force as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating|etc]" (Based on URL)


 

Can I use Advanced Searches (AQL) with IBM X-Force data?


Yes. Users can run advanced searches (AQL) from the Log Activity or Network Activity tab to query the X-Force IP reputation and URL categorization data that QRadar holds locally, using the XFORCE_IP_CONFIDENCE, XFORCE_IP_CATEGORY, and XFORCE_URL_CATEGORY functions.
 
Example advanced searches:
  • To find events whose source IP is in the X-Force 'Spam' category with a confidence factor above 50:
    select * from events where XFORCE_IP_CONFIDENCE('Spam',sourceip)>50
  • To list the X-Force categories associated with a URL:
    select url, XFORCE_URL_CATEGORY(url) as myCategories from events where XFORCE_URL_CATEGORY(url) IS NOT NULL
  • To list the X-Force categories associated with a source IP address:
    select sourceip, XFORCE_IP_CATEGORY(sourceip) as IPcategories from events where XFORCE_IP_CATEGORY(sourceip) IS NOT NULL
  1. Log in to the QRadar user interface.
  2. Click the Log Activity tab.
  3. Select Advanced Search from the drop-down on the Search toolbar.
  4. Type an advanced search expression, such as one of the examples above.
  5. Click Search.
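The following AQL search is an added example written for this article (it is not from the original page or from IBM). It combines the functions above into the same logic as the shipped rule "X-Force Premium: Internal Connection to Host Categorized as Malware": internal sources communicating with external destinations that X-Force categorizes as Malware at a confidence factor of 75 or more, counted per source/destination pair over the last 24 hours. The 10.0.0.0/8 range standing in for the internal address space and the alias names are assumptions; substitute the address ranges from your own network hierarchy. The query contains no comments so that it can be pasted directly into the Advanced Search box.

```sql
SELECT
    sourceip,
    destinationip,
    destinationport,
    XFORCE_IP_CATEGORY(destinationip)              AS xforce_categories,
    XFORCE_IP_CONFIDENCE('Malware', destinationip) AS malware_confidence,
    COUNT(*)                                       AS hits
FROM events
WHERE INCIDR('10.0.0.0/8', sourceip)
  AND NOT INCIDR('10.0.0.0/8', destinationip)
  AND XFORCE_IP_CONFIDENCE('Malware', destinationip) >= 75
GROUP BY sourceip, destinationip, destinationport
ORDER BY "hits" DESC
LIMIT 50
LAST 24 HOURS
```

Running this search before enabling the corresponding rule shows how many offenses the rule would have raised at the default threshold; if the result set is dominated by a few destinations that X-Force also places in a benign category (visible in xforce_categories), raise the threshold or tune the rule rather than disabling it.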


 

What is Confidence Factor?


The confidence factor is a value assigned to each IP reputation entry that represents how confident X-Force is that the data seen from that IP address is categorized correctly. It is a probability scale from 0 to 100, where 50 and above is the threshold at which customers should consider acting on a triggered rule. IP reputation is evaluated on time (first seen, last seen) and on the volume of messages or data. Take spam as an example: an IP reputation (Spam) entry of 0 indicates that the source IP's traffic is definitely not spam, whereas an entry of 100 indicates definite spam traffic. Treat 50 as the threshold: values below 50 indicate that spam is less likely, and values above 50 that it is more likely. These probabilities are based on the large volume of web-based data that IBM X-Force continuously collects and analyzes in its data centers around the world. As data is collected, the system asks "How much spam did we see from this IP address?" and "How frequently does this spam-flagged IP address show up in the IP reputation category?" The more often an IP address is seen, the higher the confidence factor the system assigns.

Categorization and the Confidence Factor can be viewed when you investigate an IP address or URL in the X-Force Exchange.


When tuning rules, think of a scale where 50 is the tipping point. For assets of lower importance, an administrator might set an X-Force rule to trigger at a higher confidence factor (75) for specific categories such as Spam. This reduces the number of offenses generated for lower-priority systems and non-critical assets, because the rule then triggers only when X-Force scores the IP address at or above 75. An important system or critical business asset might instead be tuned to trigger at a confidence factor of 50, which raises an offense at a lower score and brings attention to an issue on a business-critical system more quickly. Because each rule carries a single confidence test, applying different thresholds to different asset tiers in practice means separate rules (or rule tests scoped by reference set or network hierarchy) for critical and non-critical hosts.
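The tiering described above can be expressed directly in an AQL search. The example below is added for this article (not from the original page or from IBM). It assumes a reference set named 'Critical Assets' that holds the IP addresses of business-critical hosts and that 10.0.0.0/8 is the internal address space; both names are assumptions. Traffic from a critical host to a destination that X-Force categorizes as Spam is returned at a confidence factor of 50 or more, while traffic from every other internal host is returned only at 75 or more. The same split is achieved in the rule engine with two copies of the X-Force rule: one that also tests "source IP is contained in the Critical Assets reference set" with a confidence value of 50, and the default rule at 75.

```sql
SELECT
    sourceip,
    destinationip,
    XFORCE_IP_CONFIDENCE('Spam', destinationip)       AS spam_confidence,
    REFERENCESETCONTAINS('Critical Assets', sourceip) AS critical_source
FROM events
WHERE INCIDR('10.0.0.0/8', sourceip)
  AND NOT INCIDR('10.0.0.0/8', destinationip)
  AND (
        (REFERENCESETCONTAINS('Critical Assets', sourceip)
         AND XFORCE_IP_CONFIDENCE('Spam', destinationip) >= 50)
     OR XFORCE_IP_CONFIDENCE('Spam', destinationip) >= 75
      )
LAST 7 DAYS
```

Run the search over a week of data before changing any rule thresholds: the rows with critical_source true and spam_confidence between 50 and 74 are exactly the extra offenses the lower tier would create, so their volume tells you whether 50 is workable for the critical set.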


Is there a location where I can lookup and investigate IP address information?
Yes. Customers should use IBM X-Force Exchange to gather information and look up IP addresses related to the botnet, spam, and malware categories. QRadar includes a right-click plug-in, installed by default as of QRadar 7.2.5, with which administrators can review and investigate IP addresses and URLs directly from the QRadar right-click menu. In most cases the default rule threshold of 75 is an acceptable value, because it represents a high probability that the classification is correct based on what is known. For information on the X-Force Exchange right-click plug-in, see QRadar: IBM X-Force Exchange Right-click Menu Plug-in FAQ.


 


Reporting an Incorrect IP Address, URL, or Categorization in X-Force to IBM


If administrators believe that an IP address or URL is misclassified by X-Force, they should report it by commenting on the IP address or URL on the X-Force Exchange website. IBM monitors all comments and updates, so any comment created by an authenticated user is reviewed by the X-Force team. Comments are not permitted for 'Guest' accounts on the X-Force Exchange website.
 
How to report an issue to the X-Force Exchange team from QRadar
  1. Log in to QRadar.
  2. Right-click on an IP address or URL and select X-Force Exchange Lookup. (Optionally, navigate to https://exchange.xforce.ibmcloud.com/)

    The X-Force Exchange website is launched and displays the information and confidence percentage of the IP address or URL categorization.
  3. Select the I agree to the Terms of Service check box.
  4. Click Log in.
    You must log in before making a comment. Guests are not allowed to submit comments on IP addresses or URLs.
  5. Click the Suggest Edit button.

  6. Fill out the submission form to comment on the IP address or URL.

  7. To receive updates on your comment, make sure you select Yes on the 'Stay Informed' option.
  8. Click Submit.
  9. After the comment is submitted, the X-Force Exchange team reviews it. If you chose to stay informed, the X-Force Exchange team provides feedback.



How to Report IP Addresses or URLs in Bulk for Incorrectly Categorized Sites


If administrators have a large number of IP addresses or URLs that they believe X-Force has misclassified, they should report them to QRadar Support instead of entering comments by hand. QRadar administrators can provide the list of IP addresses or URLs to a QRadar Support representative, who passes it to the X-Force team for review and resolution. This lets administrators submit data without entering comments individually for a large number of sites or IP addresses.


How to report categorization issues in bulk
 
  1. Open an IBM Service Request for QRadar.
  2. Provide the list of IP addresses or URLs for X-Force review in your service request.
  3. The support representative will contact you using your preferred method of communication to confirm and clarify any questions from your request.
  4. The URL and IP address information will be forwarded to the X-Force team on your behalf.
   

Internal Use Only

Removed content:

What happens if my X-Force Threat Intelligence Feed license expires?


If the X-Force license expires on the QRadar Console, the IP reputation and URL databases no longer receive updates, and rules continue to use the values from the last good content update. As the X-Force Threat Intelligence Feed license nears expiration, QRadar notifies administrators and users with system notification privileges.
  • To renew your X-Force Threat Intelligence Feed license, contact your sales representative or upgrade to QRadar 7.2.8 or later.
  • If you have lost your X-Force Threat Intelligence Feed license and need to request a new copy, see Requesting a missing QRadar license or activation key.
 

How do I tell if my X-Force Premium license is activated for QRadar 7.2.7 or earlier versions?


There are several ways to tell whether X-Force Premium is activated on QRadar 7.2.7 or earlier. In QRadar 7.2.8 and later, the X-Force IP Reputation license is included in the sales and service contract sold with every appliance, and administrators only need to enable the X-Force Threat Feed system setting.

NOTE: This procedure only applies for QRadar versions that have not upgraded to QRadar 7.2.8 or later versions. Administrators at QRadar 7.2.8 can enable the X-Force feed using 'System Settings' in the QRadar Admin tab.
 
  1. Review the license on your QRadar Console to ensure that 'X-Force IP Reputation Intelligence Feed' is licensed and not expired.
  2. Click the Admin tab.
  3. Click the System and License Management icon.
  4. From the Display drop-down, select System.
  5. Double-click on the host name for the Console appliance to display the license.
  6. If the QRadar X-Force IP Reputation Intelligence Feed is displayed and not expired, your Console has X-Force premium activated.

     

 

What do I get when I have the X-Force Premium Subscription versus X-Force Basic for QRadar?


IBM Security QRadar offers X-Force information both as a free dashboard widget and as an X-Force Premium subscription. This section outlines the differences.

X-Force Basic (Free): Provides the Internet Threat Information Center dashboard widget to all users without a subscription. All QRadar customers have access to this feed, which is on the Threat and Security Monitoring dashboard by default. This RSS feed provides information on the latest online threats, which administrators can review to understand the current online threat alert level. The severity of these threats is assessed daily and expressed through the AlertCon (Alert Condition) visual threat representation system.



There are four AlertCon threat levels:
  1. Normal threats. Ordinary activity compromises an unprotected network minutes to hours after it is first connected to the Internet.
  2. Increased vigilance. Vulnerabilities or online threats to computer networks require vulnerability assessment and corrective action.
  3. Focused attacks. Specific vulnerabilities and weaknesses are the target of Internet attacks and require immediate defensive action.
  4. Catastrophic threats. Critical security situations within a network dictate an immediate and focused defensive action. This condition may be imminent or ongoing.


X-Force Premium Subscription (paid for QRadar 7.2.7 and earlier; included as of QRadar 7.2.8): X-Force Premium requires a license on your QRadar appliance. It provides continuous updates of potentially malicious IP addresses and gives administrators additional rules to determine when systems or networks communicate with IP addresses or CIDR ranges that X-Force flags as potentially harmful by reputation. X-Force Premium IP reputation data is delivered to QRadar customers through daily automatic updates, so customers who license X-Force Premium must ensure that their deployment can receive automatic updates of IP address and URL data. This data can be updated as frequently as every minute for IP reputation and every 3 minutes for URL classifications.

When the Threat Content Extension is applied to the QRadar Console, additional rules for X-Force are added to QRadar. After the license is deployed, the Console activates a series of X-Force rules for the rules interface and enables a set of remote networks for X-Force Premium from the QRadar Admin tab.


The following IP-based rules are added to QRadar when X-Force is enabled and can be leveraged for events or flows as these are common rules.
  • X-Force Premium: Internal Connection to Possible Malware Host
  • X-Force Premium: Internal Hosts Communicating With Anonymous Proxies
  • X-Force Premium: Internal Mail Server Sending Mail to Possible SPAM Host
  • X-Force Premium: Non-Mail Servers Communicating with Known SPAM Sending Hosts
  • X-Force Premium: Non-Servers Communicating with an External Dynamic IP
  • X-Force Premium: Server Initiated Connection to Dynamic Hosts
     
The following URL-based rules are added to QRadar when X-Force premium is licensed and can be leveraged by events that contain URLs.
  • X-Force Premium: Internal Host Communicating with Botnet Command and Control URL
  • X-Force Premium: Internal Host Communication with Malware URL
 



I just added my X-Force IP Reputation License in QRadar. What do I need to do first?


If you have recently added a QRadar X-Force IP Reputation Intelligence Feed license, the license adds new rules to QRadar as "Enhanced X-Force Rules". By default, these rules are disabled. In the rules list, disable any legacy rules that are enabled, then enable and tune the new Enhanced X-Force Rules.

To enable X-Force rules in QRadar
  1. Click the Log Activity tab.
  2. From the navigation bar, click Rules > Rules.
  3. From the Group drop-down, select XForce Premium.
    The list of X-Force rules are displayed. This list might show both legacy and enhanced rules. By default, X-Force rules are all disabled, however, users may have legacy rules enabled.
     
  4. Review the Enabled column for any "Legacy Rules, XForce Premium" that are enabled (True).
  5. Click Actions > Enable/Disable.
  6. Click OK to disable the rule from the confirmation screen.
  7. Select any Enhanced X-Force Rules to be enabled. Shift + click can be used to select multiple.
  8. Click Actions > Enable/Disable.
  9. Click OK to enable enhanced X-Force rules from the confirmation screen.

Product: IBM QRadar SIEM (SSBQAC); Business Unit: Security; Component: Dashboard; Platform: Linux; Version: 7.2, 7.3; Edition: All Editions

Document Information

Modified date:
08 September 2019

UID

swg21701213