QRadar: X-Force Frequently Asked Questions (FAQ)

How to enable X-Force Threat Intelligence in QRadar 7.2.8 and Later

In QRadar 7.2.8 and later, X-Force Threat Intelligence feed no longer needs to be purchased as a separate subscription. It is included with the standard license as part of Service & Support. Administrators who previous did not have IP and URL reputation data licensed and want to enable X-Force Threat Intelligence feeds can now enable this feature from the System Settings screen of the Admin tab. Any users who do not upgrade to QRadar 7.2.8 remain on their existing subscription model until they upgrade.

To enable X-Force Threat Intelligence Feeds for QRadar 7.2.8 and later

1. Log in to QRadar as an administrator.
2. Click the Admin tab.
3. Click the System Settings icon.
4. From the Enable X-Force Threat Intelligence Feed drop-down, select Yes.
   
5. Click Save.
6. From the Admin tab, click Deploy Changes to enable the X-Force Threat Intelligence Feed for the deployment.
   
   NOTE: Administrators must allow Internet access from the QRadar Console to the following addresses to get X-Force Threat Intelligence Feed data from IBM. The following servers are contacted for both X-Force data updates, licensing, dashboard widget feeds, and QRadar automatic updates:

   Server contacted	Server description
   update.xforce-security.com	X-Force Threat Intelligence Feed update server for IP reputation and URL data
   license.xforce-security.com	X-Force Threat Intelligence licensing server

   
   
   What to do next
   After enabling the X-Force Threat Intelligence Feed, administrators who are on new installs should ensure they have the Threat Content Extension installed. This procedure is discussed in the next section and enables X-Force rules to be enabled that work with the Threat Intelligence Feed.

Downloading X-Force Rule Content for QRadar

In QRadar 7.2.6 and later, administrators have the option to install rule content that is pertinent to them instead of using the full default ruleset. If you are a new administrator, you should review for available content extensions to expand the base rules for QRadar, including X-Force Premium Rules. These content extensions add rules, building blocks, reports, and other types of data to build off of the baseline QRadar rule set. After completing a new install of QRadar, administrators are encouraged to review and install these extensions from the IBM X-Force Exchange.

IMPORTANT: To add X-Force Rules to QRadar, administrators must install the QRadar Threat Content Extension.

List of Common QRadar 7.2.x Rule Content Extensions:

Extension Name / download	Required for X-Force Premium Users?	Description
IBM QRadar Security Threat Content	Yes	Threat content rules focus on threat indicators and integration with threat intelligence feeds, such as IBM X-Force premium rules. X-Force Premium rules can be leveraged on event or flow data as they are common rules in QRadar. The following IP-based rules can generate offenses when: 1. The Threat Content Extension is installed. 2. The rule is enabled. 3. The X-Force Feed is enabled in QRadar (System Settings) and Firewalls/Proxies are configured. IP Rules IP rules leverage basic categories and confidence factor when evaluating events or flows. Categories can be anonymization server, botnet C&C, botnet, malware, dynamic IPs, Scanning IPs, or spam. The following IP-based rules are added to QRadar when an IP of the category meets the confidence factor assigned to that IP address. By default, these rules use a confidence factor of 75 or greater. X-Force Premium: Internal Connection to Host Categorized as Malware X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM X-Force Premium: Non-Mail Servers Sending Mail to Servers Categorized as SPAM X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic X-Force Premium: Server Communicating with External IP Classified as Dynamic   URL Rules URL rules leverage categories for web sites, instead of confidence factor. Categories can be botnet, spam, gambling, job search, adult, etc. The following URL-based rules are added to QRadar when X-Force premium is licensed and can be leveraged by events that contain URLs as a custom property URL(custom) and trigger against categorization of the URL itself. X-Force Premium: Internal Host Communicating with Botnet Command and Control URL X-Force Premium: Internal Host Communication with Malware URL
IBM Security Anomaly Content	No	The Anomaly extension adds 10 anomaly rules and 9 building blocks for a total of 19 content add-ons for QRadar.
IBM Security Compliance Content	No	The Compliance extensions add 4 custom event properties, 42 event searches, 7 flow searches, 153 reports, 140 rules and building blocks, and 10 reference data sets.
IBM Security Intrusion Content	No	The Intrusion extension adds 20 intrusion rules, 52 building blocks, and one reference data set for a total of 73 content add-ons for QRadar.
IBM Security ISO 27001 Content	No	The ISO 27001 extension adds 4 custom event properties, 29 event searches, 77 reports, 4 rules, and 31 building blocks for a total of 145 content add-ons for QRadar.
IBM Security Reconnaissance Content	No	The Recon extension adds 10 reference sets, 62 rules, and 42 building blocks for a total of 114 content add-ons for QRadar.

 

What is the X-Force Threat Intelligence Feed for QRadar?

The IBM Security X-Force Threat Intelligence provides two levels of data to customers, both a free basic feed and subscription-based premium feed for QRadar users. As of QRadar 7.2.8, the premium X-Force Threat Intelligence Feed is now a core feature as part of the appliance support license. X-Force uses a series of data centers across the globe to collect tens of thousands of malware samples, analyze web pages and URLs, and running IP address analysis to categorize IP address information. By categorizing IP addresses into segments such as malware hosts, spam sources, and anonymous proxies, this IP reputation data can be incorporated into QRadar rules, offenses, and events. This allows for capturing events more quickly and accurately than previously possible, as well as for capturing them in a way that provides additional understanding for further analysis.

Firewalls and X-Force Data Updates

QRadar is updated daily with a new X-Force IP reputation and URL data. This data is provided when new IP reputation or URL database information is available. These checks occur every minute and it is possible for QRadar to be updated multiple times per day with new data, with new IP information provided every 2 minutes and URL data every 5 minutes. The updates are merged into their own databases and the content is replicated from the Console out to the managed hosts in the deployment. In older versions of QRadar (7.2.3 or earlier), the X-Force data was provided by using QRadar automatic updates.

The following servers are contacted for both X-Force data updates, licensing, dashboard widget feeds, and QRadar automatic updates:

Server contacted	Server description
update.xforce-security.com	X-Force Threat Intelligence Feed update server for IP reputation and URL data
license.xforce-security.com	X-Force Threat Intelligence licensing server
qmmunity.q1labs.com	QRadar automatic updates. Note: qmmunity.q1labs.com is also used for X-Force Threat Intelligence updates on QRadar Consoles at 7.2.3 and earlier.

The X-Force data provided includes IP reputation data, URL data, and categorization data. Administrators should expect that these updates consume bandwidth daily. The following list contains the approximate daily bandwidth usage for all data types:

• IP Reputation (IPR) Data: 16 MB
• WEB/URL Data: 5 MB
• Web Application Categorization Data: 100 KB

How to Configure X-Force Feeds with Proxy Servers

The answer to this depends on the version of QRadar that is installed on your Console.

QRadar 7.2.4 and later
In QRadar 7.2.4, a change was made so that X-Force IP reputation data was unlinked from the automatic update process. This means that QRadar updates no longer use the proxy settings from the automatic updates screen on the Admin tab for X-Force data updates as QRadar 7.2.3 did. QRadar 7.2.4 leverages new X-Force servers and the IP reputation and URL lookup database is kept locally for evaluating rules. QRadar now uses a reverse proxy lookup through Apache on the QRadar Console to collect data directly from X-Force servers on the Internet. All QRadar appliances in the deployment (includes the Console), contacts Apache/http on the Console in order to get a cached request out to the X-Force servers. After the data is received by the Console, the result is cached and replayed for all other hosts who make a request for new IP reputation data.



Unauthenticated Proxy Server Configuration
If you have a proxy configured in your network, administrators need to update HTTPD on the Console in order to pass-through the existing request and to also send the request through the proxy server in order to receive the X-Force data. Note: NTLM authentication is not supported.
 

1. Log in to the QRadar Console as the root user.
2. Edit the following file: /etc/httpd/conf.d/ssl.conf 
3. Add the following lines before </VirtualHost> in the ssl.conf file:
   
   ProxyRemote https://license.xforce-security.com/ http://PROXY_IP:PROXY_PORT
ProxyRemote https://update.xforce-security.com/ http://PROXY_IP:PROXY_PORT
   
   Note: Administrators must update step 3 with the IP address and port of the corporate proxy server. This step requires that the proxy allow an anonymous (no credentials) connection to the x-force-security servers.
4. Save the changes to the ssl.conf file.
5. Edit the following file: server.ini
   QRadar 7.3.2 patch 2 or earlier /opt/qradar/dca/server.ini
   QRadar 7.3.2 Patch 3 or later /store/dca/server.ini
6. Add the following information to the server.ini file:
   #
   # Configure proxy settings
   #
   [proxy_server]
   <type your proxy server IP address here or URL>
   
   [proxy_port]
   <type your proxy port here>
7. Save the changes to the server.ini file.
8. Type the following command to restart the Apache server on the Console and scaserver:
   Important: Restarting the Apache server on the QRadar Console logs out all users and the managed hosts might produce error messages. Restart the Apache server during scheduled maintenance windows.

• QRadar 7.2.8 and earlier: /opt/qradar/init/scaserver restart && service apache restart
• QRadar 7.3.0 and later: apachectl restart && systemctl restart scaserver

Basic Authentication for Proxy Servers
For administrators who have basic authentication enabled on their proxy server, they can configure their proxy settings in the server.ini file on the QRadar Console.

Before you begin
Backup all files you edit to another location such as /storetmp
 

1. Log in to the QRadar Console as the root user.
2. Edit the following file: server.ini
   QRadar 7.3.2 patch 2 or earlier /opt/qradar/dca/server.ini
   QRadar 7.3.2 Patch 3 or later /store/dca/server.ini
3. Add the following information to the server.ini file:
   
   #
   # Configure proxy settings
   #
   [proxy_server]
   (type your proxy server IP address here)
   
   [proxy_port]
   (type your proxy port here)
   
   [proxy_user]
   (type your proxy username here)
   
   [proxy_pass]
   (type your proxy password here)
    
4. Save the changes to the server.ini file.
5. Edit the file: /opt/qradar/systemd/bin/scaserver_update_settings.sh
6. Add  exit 0 to the second line so it looks like this
   #!/bin/sh
   exit 0
   SCRIPT_NAME=$(basename "$0")
7. Save the changes to the scaserver_update_settings.sh file.
8. Edit the following file: dca_license_settings_user.txt
   QRadar 7.3.2 Patch 2 or earlier /opt/qradar/dca/dca/init/dca_license/dca_license_settings_user.txt
   QRadar 7.3.2 Patch 3 or later /store/dca/dca/init/dca_license/dca_license_settings_user.txt
9. In the [license_server] field, update the URL to: https://license.xforce-security.com/license_v4.asp
   For example,

   [license_server]
   https://license.xforce-security.com/license_v4.asp

10. Save the changes to the license settings file.
11. Edit the following file: dca_update_settings_user.txt
    QRadar 7.3.2. Patch 2 or earlier  /opt/qradar/dca/dca/init/dca_update/dca_update_settings_user.txt
    QRadar 7.3.2 Patch 3 or later  /store/dca/dca/init/dca_update/dca_update_settings_user.txt
12. Update the download and upload server URLs to the following values:

    [update_download_server]
    https://update.xforce-security.com/version6/dca_update6.asp
    
    [update_upload_server]
    https://update.xforce-security.com/version6/of_upload.asp 
    

13. Save the changes to the license settings file.
14. To restart the scaserver and load the file changes, type one of the following commands:
    Important: Restarting the Apache server on the QRadar Console logs out all users and the managed hosts might produce error messages. Restart the Apache server during scheduled maintenance windows.
    QRadar 7.2.8 and earlier: /opt/qradar/init/scaserver restart && service apache restart
    QRadar 7.3.0 and later: apachectl restart && systemctl restart scaserver
    
    NOTE
    Administrators who continue to experience issues after the scaserver restart might be experiencing APAR IJ18011. This issue overwrites the changes made to dca_license_settings_user.txt and dca_license_settings_user.txt. If your changes are not preserved or you do not receive X-Force data after updating your proxy settings, then contact QRadar Support for assistants on IJ18011.

For QRadar 7.2.3 and earlier
For administrators that use QRadar 7.2.3 or earlier, the X-Force IP Reputation data is provided through the QRadar auto-update process and uses qmmunity.q1labs.com to get both auto-updates and X-Force IP Reputation data. If a corporate proxy is in place, administrators can configure the proxy information in the user interface from the Admin tab in QRadar. These changes require a user with an administrator user role to complete changes from the Admin tab of QRadar.

Procedure

1. Log in to the QRadar Console as an admin user.
2. Click the Admin tab.
3. Click the Auto Update icon.
4. Click Change Settings.
5. Click the Advanced tab.
6. Type the IP address, port, and credentials for your proxy server.
   
   (Click to enlarge the image)
7. Click Save.

My rules are grouped by "Enhanced X-Force Rules" and "Legacy Rules". How are these rule groups different?

QRadar X-Force has been available in QRadar SIEM since version 7.2.0. The original version of X-Force common rules in QRadar evaluated the source or destination IP addresses in events or flows against the list of X-Force addresses. In QRadar 7.2.4 and later, the X-Force rules were enhanced to not only support IP-based rule tests, but to also support URLs for event rules, and a new value called, 'confidence factor'. To ensure that user rules were not corrupted after an update to QRadar 7.2.4, we split the rules as two separate groups, which are listed under the X-Force Premium rules group as "Enhanced X-Force Rules" and "Legacy rules".

NOTE: Legacy X-Force rules are only shown if you upgraded from a previous version of QRadar.


An example of an X-Force legacy rule:
"when the [source IP|destinationIP|any IP] is part of any of the following [remote network locations]"

An example of an IP address and URL X-Force enhanced rule:
"when [this host property] is categorized by X-Force as [Anonymization Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with confidence value [equal to] [this amount]" (Based on IP address)
"when [this URL property] is categorized by X-Force as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating|etc]" (Based on URL)


(Click to enlarge the image)
 

Advanced Searches (AQL) with IBM X-Force?

Yes, users can leverage advanced searches to return data from X-Force Exchange from the Log Activity or Network Activity tab in QRadar.
 

Description	Example advanced search
To search for source IP addresses on an X-Force category with a confidence factor greater than 50.	select * from events where XFORCE_IP_CONFIDENCE('Spam',sourceip)>50
To search for X-Force categories associated to a URL.	select url, XFORCE_URL_CATEGORY(url) as myCategories from events where XFORCE_URL_CATEGORY(url) IS NOT NULL
To search for X-Force categories associated to an IP a source IP address.	select sourceip, XFORCE_IP_CATEGORY(sourceip) as IPcategories from events where XFORCE_IP_CATEGORY(sourceip) IS NOT NULL

1. Log in to the QRadar user interface.
2. Click the Log Activity tab.
3. Select Advanced Search from the drop-down on the Search toolbar.
4. Type an advanced search expression.
   For example,
   
   (Click to enlarge image)
    
5. Click Search.

 

What is Confidence Factor?

Confidence factor is values assigned to IP Reputation data that represents how confident X-Force is that the data seen from the IP is categorized properly. Confidence factor is a probability scale that ranges 0 - 100 where a value of 50+ is the threshold where customers should consider taking action on a triggered rule. IP reputation is evaluated on the time (first seen, last seen) and the volume of messages/data. An example of this could be SPAM messages. An IP Reputation (Spam) entry of zero (0) indicates that the source IP traffic is definitely not spam whereas an entry of 100 indicates definite spam traffic. Consider a value of 50 to be a threshold. Thus, values less than 50 indicate less likelihood that spam is present, and values greater than 50 indicate more likelihood that spam is present. These probabilities are based on massive amounts of ongoing Web-based data that IBM X-Force continuously collects and analyzes from around the world in X-Force data centers. As data is collected, the system evaluates "How much spam did we see from an IP address" or "How frequently is this SPAM flagged IP address showing up in the IP Reputation category. The more times we see values, the higher the system scores the confidence factor.

Categorization and the Confidence Factor can be viewed when you investigate an IP address or URL in the X-Force Exchange.


When tuning rules, customers should think of a scale where 50 is the tipping point. On assets of lower importance, an administrator might weight an X-Force rule to trigger a higher confidence factor (75) for specific categories like SPAM. This reduces the number of offenses generated on a lower priority system and non-critical assets. Tuning the rule higher means that the IP that the rule triggers only when X-Force sees an IP address at or above a confidence factor of 75. An important system or critical business asset might be tuned to trigger the rule at a confidence factor of 50, this triggers an offense at a lower level and can bring attention to an issue more quickly for a business-critical system.


Is there a location where I can lookup and investigate IP address information?
Yes, we recommend that customers leverage IBM X-Force exchange to gather information and lookup IP addresses related to botnets, spam, and malware categories. There is a right-click plug-in in QRadar by default where administrators can review and investigate IP addresses and URLs directly from QRadar using a right-click menu. This plug-in is installed by default in QRadar 7.2.5 systems. In most cases, QRadar rules use a default threshold of 75 is an acceptable value for a rule because it defines a high level of probability that the data is correct per the classification based on what is known. For information on the X-Force Exchange right-click plug-in, see QRadar: IBM X-Force Exchange Right-click Menu Plug-in FAQ.


 

Reporting an Incorrect IP Address, URL, or Categorization in X-Force to IBM

If administrators believe that an IP address or URL is being misclassified by X-Force, they should report this issue by commenting on the IP or URL on the X-Force Exchange website. All comments and updates are monitoring by IBM, so any comments created by an authenticated user is reviewed by the X-Force team. Comments are not permitted for 'Guest' accounts on the X-Force Exchange website.
 

1. Log in to QRadar.
2. Right-click on an IP address or URL and select X-Force Exchange Lookup. (Optionally, navigate to https://exchange.xforce.ibmcloud.com/)
   
   (Click to enlarge the image)
   The X-Force Exchange website is launched and displays the information and confidence percentage of the IP address or URL categorization.
3. Select the I agree to the Terms of Service check box.
4. Click Log in.
   You must log in before making a comment. Guests are not allowed to submit comments on IP addresses or URLs.
5. Click the Suggest Edit button.
   
   (Click to enlarge the image)
6. Fill out the submission form to comment on the IP address or URL.
   
   (Click to enlarge the image)
7. To receive updates on your comment, make sure you select Yes on the 'Stay Informed' option.
8. Click Submit.
9. After the comment is submitted, it will be reviewed by the X-Force Exchange team. If you selected to stay informed, feedback is provided by the X-Force Exchange team.

How to Report IP Addresses or URLs in Bulk for Incorrectly Categorized Sites

If administrators have a large number of IP addresses or URLs that are misclassified by X-Force or believed to be incorrect, they should report this issue to QRadar Support instead of trying to input comments by hand. QRadar administrators can provide a list of IP addresses or URLs to a QRadar Support Representative and they pass this information to the X-Force team for resolution. The URLs or IP addresses are reviewed by the X-Force team for resolution. This allows administrators to submit data without having to enter comments by hand for many sites or IP addresses.


How to report categorization issues in bulk
 

1. Open an IBM Service Request for QRadar.
2. Provide the list of IP addresses or URLs for X-Force review in your service request.
3. The support representative will contact you using your preferred method of communication to confirm and clarify any questions from your request.
4. The URL and IP address information is forwarded to the X-Force team on your behalf.