Integrating MineMeld with IBM QRadar


Using MineMeld TAXII output nodes and the IBM QRadar Threat Intelligence app, it is possible to populate IBM QRadar reference sets with the threat intelligence indicators processed by MineMeld. The reference sets can then be used in IBM QRadar rules to detect suspicious activity.

 

After installing the IBM QRadar Threat Intelligence app (available on the IBM QRadar App Exchange), follow this procedure to connect IBM QRadar to MineMeld:

  1. Create one or more TAXII DataFeed Output nodes in MineMeld
  2. Define authentication for TAXII DataFeed nodes (optional)
  3. Upload CA certificate to IBM QRadar Threat Intelligence app
  4. Configure one or more reference sets on IBM QRadar (optional)
  5. Configure MineMeld TAXII Feeds on IBM QRadar Threat Intelligence app

1. Create TAXII DataFeed Output nodes in MineMeld

Use the stdlib.taxiiDataFeed prototype to instantiate one or more output nodes. Each output node becomes a new TAXII data feed that IBM QRadar can pull indicators from. In this picture all the taxiiKnownCampaigns* nodes are TAXII DataFeed nodes.

Screen Shot 2017-02-15 at 22.51.05.png

 

2. Define authentication for TAXII DataFeed nodes

This step is required only if you have enabled authentication for feed access.

 

Note for MineMeld on AutoFocus

Authentication for feeds is automatically enabled in MineMeld on AutoFocus.

 

2.1. Define a feed user

Under Admin > Feeds Users, create a new user and associate an access tag with it. The new feed user does not have access to the Admin WebUI, only to feeds tagged with at least one of the tags listed in the ACCESS field. In the following picture the SOC_QRadar user has access only to feeds tagged with siem.

Screen Shot 2017-02-15 at 22.55.43.png

 

2.2. Configure tags on TAXII DataFeed nodes

Under Nodes, select the TAXII DataFeed nodes and add the access tag.

Screen Shot 2017-02-15 at 22.58.21.png


3. Upload CA certificate to IBM QRadar TI app

The IBM QRadar Threat Intelligence app requires a valid certificate on the TAXII server. If the certificate on your MineMeld instance is signed by a private CA, or by a CA not known to the IBM QRadar Threat Intelligence app, you have to upload the CA certificate to the app. The certificate should be in PEM format and the file extension should be .pem.

 

Note for MineMeld on AutoFocus

Download the GoDaddy Class 2 Root certificate from https://certs.godaddy.com/repository/gd-class2-root.crt, change the extension to .pem and upload it to the app.

 

 

Screen Shot 2017-02-15 at 17.57.40.png


4. Configure one or more reference sets on IBM QRadar

This step is optional. To keep MineMeld indicators separate from other sources, you can define a new Reference Set for each MineMeld DataFeed.

 

Screen Shot 2017-02-15 at 17.55.05.png


Screen Shot 2017-02-15 at 17.56.22.png


5. Configure TAXII Feeds

In the IBM QRadar Threat Intelligence app, select Add TAXII Feed.

 

5.1. Configure TAXII server parameters

In TAXII Endpoint set https://<minemeld address>/taxii-discovery-service

If feed authentication is enabled on MineMeld, select HTTP Basic as the Authentication Method and set the Username and Password of a MineMeld feed user with access to the TAXII DataFeed.

Then click on Discover.

Screen Shot 2017-02-15 at 17.58.36.png
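Added example, not part of the original article or of MineMeld or the QRadar app: a Python script that performs the same TAXII 1.1 discovery the app does in step 5.1, authenticating with the Basic credentials of the feed user from step 2 and trusting only the CA certificate from step 3. The MineMeld host, user name, password, CA file path and the sample response are placeholders or constructed values.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"

def build_discovery_request(message_id="1"):
    """Return (headers, body) for a TAXII 1.1 Discovery_Request (an XML POST)."""
    body = (f'<taxii_11:Discovery_Request xmlns:taxii_11="{TAXII_NS}" '
            f'message_id="{message_id}"/>')
    headers = {
        "Content-Type": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    }
    return headers, body.encode()

def parse_discovery_response(xml_bytes):
    """Map each advertised service_type (POLL, COLLECTION_MANAGEMENT, ...) to its Address."""
    root = ET.fromstring(xml_bytes)
    services = {}
    for svc in root.findall(f"{{{TAXII_NS}}}Service_Instance"):
        addr = svc.find(f"{{{TAXII_NS}}}Address")
        services[svc.get("service_type")] = addr.text if addr is not None else None
    return services

def discover(minemeld_host, username, password, ca_pem):
    """POST discovery with HTTP Basic auth, validating TLS against the uploaded CA only."""
    headers, body = build_discovery_request()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers["Authorization"] = f"Basic {token}"
    req = urllib.request.Request(f"https://{minemeld_host}/taxii-discovery-service",
                                 data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=ca_pem)  # ca_pem: placeholder path to the CA .pem
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_discovery_response(resp.read())

# Constructed sample response for offline use; not captured from a real MineMeld instance.
SAMPLE_RESPONSE = f"""<taxii_11:Discovery_Response xmlns:taxii_11="{TAXII_NS}"
    message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT" available="true">
    <taxii_11:Address>https://minemeld.example/taxii-collection-management-service</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" available="true">
    <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>""".encode()
```

TAXII 1.1 discovery is an XML POST, so opening the endpoint in a browser only issues a GET and does not exercise the same exchange as the app's Discover button.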


5.2. Select the collection

In the next dialog select the Collection and set the appropriate Observable Type, that is, the type of the indicators in the MineMeld TAXII DataFeed. Each MineMeld TAXII DataFeed node is seen as a separate Collection.

Screen Shot 2017-02-15 at 17.58.52.png

 

5.3. Select the target reference set

In the next dialog, select the target reference set.

Screen Shot 2017-02-15 at 17.59.01.png

 

5.4. Save & Poll

Click on Save.

Screen Shot 2017-02-15 at 17.59.10.png

 

 

In the TAXII Feed list, click on Poll Now to retrieve the indicators from the DataFeed.

 

Screen Shot 2017-02-15 at 18.02.08.png

Comments

Hi Luigi,

 

How do I know IP-address or URL of MineMeld on AutoFocus?

Actually, it seems that the URL is "https://autofocus.paloaltonetworks.com/#/app-container/2".

 

/takashi

Hi @tasano,

good point, this will be addressed in the next release. If you have an EDL node you can grab the URL from the URL inside the node config.

 

luigi

Certainly. I found the URL name from inside the node config for EDL. Thanks.

Hi,

 

I succeeded in sending a lot of indicators to QRadar by TAXII through MineMeld. These data appear on QRadar in the following format:

 

177.91.0.0/22

 

The IBM engineer said, "We can't make a correlation rule in this format." I heard that it can only use static addresses with no subnet (e.g. 177.91.0.3).

 

Does anyone have experience of integration with QRadar? If so, what kind of correlation rule did you use on QRadar?

Hi @tasano,

if you remove feeds generating CIDRs, are you able to implement correlation rules? For OSINT, CIDRs usually come from Spamhaus only.

 

Luigi

Hi @lmori,

 

I confirmed it with the IBM engineer again. It seems to be possible to make a correlation rule using an AQL function on QRadar even with CIDR indicators.

 

Certainly, the CIDR format is only from Spamhaus in OSINT.

 

Thanks.

Good morning, we are trying to integrate MineMeld with IBM QRadar and we configured the Threat Intelligence app in QRadar. We configured the TAXII URL https://X.X.X.X/taxii-discovery-service, but when we navigate to it we receive the error 405 Method Not Allowed. Has anyone dealt with this error? Thank you

Version history
Revision #: 4 of 4
Last update: 02-16-2017 03:50 AM