MineMeld Articles

Featured Article
Using MineMeld TAXII output nodes and the IBM QRadar Threat Intelligence app, it is possible to populate IBM QRadar reference sets with threat intelligence indicators processed by MineMeld. The reference sets can then be used in IBM QRadar rules to detect suspicious activity.

After installing the IBM QRadar Threat Intelligence app (available on the IBM QRadar App Exchange), follow this procedure to connect IBM QRadar to MineMeld:

1. Create one or more TAXII DataFeed Output nodes in MineMeld
2. Define authentication for the TAXII DataFeed nodes (optional)
3. Upload the CA certificate to the IBM QRadar Threat Intelligence app
4. Configure one or more reference sets on IBM QRadar (optional)
5. Configure the MineMeld TAXII feeds in the IBM QRadar Threat Intelligence app

1. Create TAXII DataFeed Output nodes in MineMeld

Use the stdlib.taxiiDataFeed prototype to instantiate one or more output nodes. Each output node becomes a separate TAXII data feed that IBM QRadar can poll indicators from. In the screenshot, all the taxiiKnownCampaigns* nodes are TAXII DataFeed nodes.

2. Define authentication for TAXII DataFeed nodes

This step is required only if you have enabled authentication for feed access.

Note for MineMeld on AutoFocus: authentication for feeds is automatically enabled in MineMeld on AutoFocus.

2.1. Define a feed user

Under Admin > Feeds Users, create a new user and associate an access tag with it. A feed user has no access to the Admin WebUI; it can only read feeds tagged with at least one of the tags listed in its ACCESS field. In the screenshot, the SOC_QRadar user has access only to feeds tagged siem.

2.2. Configure tags on TAXII DataFeed nodes

Under Nodes, select the TAXII DataFeed nodes and add the access tag. The feed user cannot read a DataFeed node that does not carry one of its access tags, so tag every node that QRadar is meant to poll.

3. Upload CA certificate to IBM QRadar TI app

The IBM QRadar Threat Intelligence app requires a valid certificate on the TAXII server. If the certificate on your MineMeld instance is signed by a private CA, or by a CA not known to the app, you have to upload the CA certificate to the app. The certificate must be in PEM format and the file extension must be .pem.

Note for MineMeld on AutoFocus: download the GoDaddy Class 2 Root certificate from https://certs.godaddy.com/repository/gd-class2-root.crt, change the extension to .pem and upload it to the app.

4. Configure one or more reference sets on IBM QRadar

This step is optional. To keep MineMeld indicators separate from other sources, you can define a new reference set for each MineMeld DataFeed.

5. Configure TAXII Feeds

In the IBM QRadar Threat Intelligence app, select Add TAXII Feed.

5.1. Configure TAXII server parameters

Set TAXII Endpoint to https://<minemeld address>/taxii-discovery-service. If feed authentication is enabled on MineMeld, select HTTP Basic as the Authentication Method and enter the username and password of a MineMeld feed user with access to the TAXII DataFeed. Then click Discover.

5.2. Select the collection

In the next dialog, select the Collection and set the appropriate Observable Type, that is, the type of the indicators in the MineMeld TAXII DataFeed. Each MineMeld TAXII DataFeed node is seen as a separate collection. Because the observable type is set per collection, keep each TAXII DataFeed node to a single indicator type (for example, one node for IPv4 addresses and another for URLs).

5.3. Select the target reference set

In the next dialog, select the target reference set.

5.4. Save & Poll

Click Save. In the TAXII Feed list, click Poll Now to retrieve the indicators from the data feed.
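To check steps 2 through 5.2 from the command line before touching QRadar, the following Python script (added here as an example; it is not MineMeld's or the QRadar app's code) performs the TAXII 1.1 discovery and collection listing that the app's Discover button performs, authenticating with HTTP Basic as a MineMeld feed user and trusting only the CA PEM file that would be uploaded to the app. The host name minemeld.example, the feed user, and the two sample XML responses at the bottom are constructed placeholders, not captures from a real instance; the element names and HTTP headers are those of the TAXII 1.1 XML binding. Running it against a live MineMeld lets you confirm that the TLS handshake succeeds with only that CA and that the DataFeed nodes you tagged appear as collections for that user.

```python
"""Walk the TAXII 1.1 discovery and collection-listing exchange that the IBM
QRadar Threat Intelligence app performs against MineMeld, so the feed user,
access tags and CA certificate can be verified before QRadar is configured.
Standard library only; the network call is isolated in taxii_post()."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII_NS}

# HTTP headers a TAXII 1.1 client sends with an XML message over HTTPS.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def discovery_request(message_id):
    """Discovery_Request: ask the server which TAXII services it offers."""
    return ('<taxii_11:Discovery_Request xmlns:taxii_11="%s" message_id="%s"/>'
            % (TAXII_NS, message_id)).encode()


def collection_request(message_id):
    """Collection_Information_Request: list the collections (one per MineMeld
    TAXII DataFeed node) visible to the authenticated feed user."""
    return ('<taxii_11:Collection_Information_Request xmlns:taxii_11="%s" '
            'message_id="%s"/>' % (TAXII_NS, message_id)).encode()


def collection_management_url(discovery_response):
    """Return the COLLECTION_MANAGEMENT service address from a Discovery_Response."""
    root = ET.fromstring(discovery_response)
    for svc in root.findall("taxii_11:Service_Instance", NS):
        if svc.get("service_type") == "COLLECTION_MANAGEMENT":
            return svc.findtext("taxii_11:Address", namespaces=NS)
    return None


def parse_collections(collection_response):
    """Turn a Collection_Information_Response into one dict per collection.
    'available' is False unless the server marks the feed available;
    'poll_url' is None when no Polling_Service is advertised."""
    cols = []
    for col in ET.fromstring(collection_response).findall("taxii_11:Collection", NS):
        cols.append({
            "name": col.get("collection_name"),
            "type": col.get("collection_type"),
            "available": col.get("available") == "true",
            "poll_url": col.findtext("taxii_11:Polling_Service/taxii_11:Address",
                                     namespaces=NS),
        })
    return cols


def taxii_post(url, body, username, password, ca_pem):
    """POST one TAXII message. HTTP Basic matches the 'HTTP Basic' method in the
    QRadar app; ca_pem is the same PEM CA file uploaded to the app, so a server
    certificate that CA did not sign fails here just as it would there."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    headers = dict(TAXII_HEADERS)
    if username is not None:
        cred = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        headers["Authorization"] = "Basic " + cred
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def list_minemeld_collections(minemeld, username, password, ca_pem):
    """Discovery first, then collection listing, as the app's Discover button does."""
    disc = taxii_post("https://%s/taxii-discovery-service" % minemeld,
                      discovery_request("1"), username, password, ca_pem)
    cm_url = collection_management_url(disc)
    if cm_url is None:
        raise RuntimeError("MineMeld did not advertise a COLLECTION_MANAGEMENT service")
    return parse_collections(taxii_post(cm_url, collection_request("2"),
                                        username, password, ca_pem))


# Constructed responses (not captured from a real MineMeld) to exercise the
# parsers offline; minemeld.example and the collection names are placeholders.
SAMPLE_DISCOVERY = ("""<taxii_11:Discovery_Response xmlns:taxii_11="%s" message_id="100" in_response_to="1">
 <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT" service_version="urn:taxii.mitre.org:services:1.1" available="true">
  <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
  <taxii_11:Address>https://minemeld.example/taxii-collection-management-service</taxii_11:Address>
  <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
 </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>""" % TAXII_NS).encode()

SAMPLE_COLLECTIONS = ("""<taxii_11:Collection_Information_Response xmlns:taxii_11="%s" message_id="101" in_response_to="2">
 <taxii_11:Collection collection_name="taxiiKnownCampaigns" collection_type="DATA_FEED" available="true">
  <taxii_11:Description>IPv4 indicators</taxii_11:Description>
  <taxii_11:Polling_Service>
   <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
   <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
   <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Polling_Service>
 </taxii_11:Collection>
 <taxii_11:Collection collection_name="taxiiKnownCampaignsURL" collection_type="DATA_FEED" available="false">
  <taxii_11:Description>URL indicators</taxii_11:Description>
 </taxii_11:Collection>
</taxii_11:Collection_Information_Response>""" % TAXII_NS).encode()

if __name__ == "__main__":
    # Live check (placeholder values): list_minemeld_collections(
    #     "minemeld.example", "SOC_QRadar", "secret", "minemeld-ca.pem")
    for c in parse_collections(SAMPLE_COLLECTIONS):
        print("%-24s %-9s available=%-5s poll=%s"
              % (c["name"], c["type"], c["available"], c["poll_url"]))
```

A collection listed with available="false" or without a Polling_Service address is one QRadar will show but cannot poll; a feed user whose tag is missing from a DataFeed node, or a CA file that does not cover the MineMeld server certificate, fails at taxii_post() with an HTTP error or an ssl.SSLCertVerificationError before any collection is returned.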
lmori, 02-16-2017 03:50 AM