topic Re: TAXII into QRadar in General Topics

TAXII into QRadar

DanWoodruff — Thu, 13 Oct 2016 12:36:52 GMT

Hi there,

Is there any guidance for how to set up TAXII output for QRadar to ingest? I see in the latest release notes:

- TAXII DataFeed now translated IP Ranges into CIDR for better compatibility with 3rd party TAXII clients (read IBM QRadar)

So I figure it must be possible 🙂 but when I put the discover service URL into the Threat Intelligence app (https://<hostname>/taxii-discovery-service) I get a very generic error of:

"There is a problem connecting to the TAXII server. Please check your connection information and verify that the TAXII server is available"

In MineMeld I've setup an output node of type stdlib.taxiiDataFeed with an input of one of the aggregators. I'm trying to figure out how to get more detailed error logs from QRadar in the mean time...

Thanks in advance!

Dan

Re: TAXII into QRadar

lmori — Mon, 17 Oct 2016 19:40:10 GMT

Hi Dan,

is the certificate on MineMeld signed by a known CA ? QRadar verifies the certificate and drops the connection if the cert is not valid. I haven't found a flag to disable it.

Luigi

Re: TAXII into QRadar

DanWoodruff — Mon, 17 Oct 2016 20:35:41 GMT

Hi Luigi,

It's a valid cert but I think it might have been installed without the full chain. I plan to give that a try soon. Thanks,

Dan

Re: TAXII into QRadar

DanWoodruff — Wed, 19 Oct 2016 00:18:02 GMT

Hi Luigi,

I found the error logs in QRadar and then got further by adding the root and intermediates to the cert file. However, now I'm getting a different error:

2016-10-19 00:10:23,184 [com.ibm.ThreatIntelligence] [INFO] - Sending Discovery request to https://<hostname>/taxii-discovery-service
2016-10-19 00:10:23,214 [com.ibm.ThreatIntelligence] [INFO] - Sending Collection Information Request to https://<hostname>/taxii-collection-management-service
2016-10-19 00:10:23,250 [com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://<hostname>/taxii-discovery-service; '@available'

In Minemeld, the only setup I did was to create an output miner of type stdlib.taxiiDataFeed and then make sure it had some inputs. Is there any other setup I need to do?

FYI, I'm on QRadar 7.2.7 and 1.0.2 of the Threat Intelligence app, if that's of any use.

Thanks,

Dan

Re: TAXII into QRadar

lmori — Wed, 19 Oct 2016 04:10:13 GMT

Hi Dan,

which MineMeld version are you running ?

Thanks,

luigi

Re: TAXII into QRadar

DanWoodruff — Wed, 19 Oct 2016 11:45:04 GMT

It looks like I'm on 0.9.24:

$ ls -l /opt/minemeld/engine/current
lrwxrwxrwx 1 root root 27 Sep 30 02:20 /opt/minemeld/engine/current -> /opt/minemeld/engine/0.9.24

Re: TAXII into QRadar

SSattler — Wed, 19 Oct 2016 19:02:36 GMT

Dan,

Try MISP, and use the export to feed the Qradar reference sets. The Taxi engine on the qradar app store doesnt work that great...

Re: TAXII into QRadar

lmori — Wed, 19 Oct 2016 21:00:12 GMT

In MineMeld 0.9.24 we have introduced some changes to improve compatibility with IBM QRadar, and they do interoperate.

One way to check the TAXII output from MineMeld is using Postman and this collection of requests:

https://gist.github.com/jtschichold/65ee13d29038f78e220d75e6668eeea1

If you send the Collection Information Request you should see the list of available feeds. Could you check the list is not empty ?

Re: TAXII into QRadar

DanWoodruff — Thu, 20 Oct 2016 13:21:45 GMT

@SSattler thanks for the idea. MISP is on my list of things to play with. I was shooting for a quick win with the Threat Intelligence app though!

Luigi and I determined that the error was caused by having only one TAXII output miner in MineMeld. As soon as we added more than one, QRadar picked them all up.

Re: TAXII into QRadar

lmori — Thu, 20 Oct 2016 14:43:10 GMT

MISP is a great platform, I am planning a Miner and Output node for it.

Re: TAXII into QRadar

Nocturnalknight — Fri, 03 Aug 2018 12:10:16 GMT

Hi Dan,

Just follow the below steps:

Step 1

1./opt/qradar/support/qapp_utils.py ls

Step 2:

Note down the app id of threat intelligence.

step 3:

Connect the app container using the below command

#/opt/qradar/support/qapp_utils.py connect <app_id>

Step 4:

Add the host entry of the certficate name with the IP and try to wget to the url which you have added .

Step 5:

Go to the TAXII plugin and while adding the taxii url give the name which you have configured inside the container and try.

it should work. Actually i tried and its working for me.

Thanks and Regards,
Ramprasath

@DanWoodruff wrote:
Hi Luigi,

It's a valid cert but I think it might have been installed without the full chain. I plan to give that a try soon. Thanks,

Dan