Using MineMeld TAXII output nodes and the IBM QRadar Threat Intelligence app, it is possible to populate IBM QRadar reference sets with threat intelligence indicators processed by MineMeld. Reference sets can then be used in IBM QRadar rules to detect suspicious activity.
After installing the IBM QRadar Threat Intelligence app (available on the IBM QRadar App Exchange), follow this procedure to connect IBM QRadar to MineMeld:
Create one or more TAXII DataFeed Output nodes in MineMeld
Define authentication for TAXII DataFeed nodes (optional)
Upload CA certificate to IBM QRadar Threat Intelligence app
Configure one or more reference sets on IBM QRadar (optional)
Configure MineMeld TAXII Feeds on IBM QRadar Threat Intelligence app
1. Create TAXII DataFeed Output nodes in MineMeld
Use the stdlib.taxiiDataFeed prototype to instantiate one or more output nodes. Each output node becomes a new TAXII data feed from which IBM QRadar can retrieve indicators. In this picture, all the taxiiKnownCampaigns* nodes are TAXII DataFeed nodes.
2. Define authentication for TAXII DataFeed nodes
This step is required only if you have enabled authentication for feed access.
Note for MineMeld on AutoFocus
Authentication for feeds is automatically enabled in MineMeld on AutoFocus.
2.1. Define a feed user
Under Admin > Feeds Users, create a new user and associate an access tag with it. The new feed user does not have access to the Admin WebUI, only to feeds tagged with at least one of the tags listed in the ACCESS field. In the following picture, the SOC_QRadar user has access only to feeds tagged with siem.
2.2. Configure tags on TAXII DataFeed nodes
Under Nodes select the TAXII DataFeed nodes and add the access tag.
3. Upload CA certificate to IBM QRadar TI app
The IBM QRadar Threat Intelligence app requires a valid certificate on the TAXII server. If the certificate on your MineMeld instance is signed by a private CA, or by a CA not known to the IBM QRadar Threat Intelligence app, you have to upload the CA certificate to the app. The certificate must be in PEM format and the file extension must be .pem.
Note for MineMeld on AutoFocus
Download the GoDaddy Class 2 Root certificate from https://certs.godaddy.com/repository/gd-class2-root.crt, change the extension to .pem, and upload it to the app.
4. Configure one or more reference sets on IBM QRadar
This step is optional. To keep MineMeld indicators separate from other sources, you can define a new reference set for each MineMeld DataFeed.
5. Configure TAXII Feeds
In the IBM QRadar Threat Intelligence app, select Add TAXII Feed.
5.1. Configure TAXII server parameters
In TAXII Endpoint, set https://<minemeld address>/taxii-discovery-service.
If feed authentication is enabled on MineMeld, select HTTP Basic as the Authentication Method and set the Username and Password of a MineMeld feed user with access to the TAXII DataFeed.
Then click on Discover.
5.2. Select the collection
In the next dialog, select the Collection and set the appropriate Observable Type, i.e. the type of the indicators in the MineMeld TAXII DataFeed. Each MineMeld TAXII DataFeed node is seen as a separate Collection.
5.3. Select the target reference set
In the next dialog, select the target reference set.
5.4. Save & Poll
Click on Save.
In the TAXII Feed list, click Poll Now to retrieve the indicators from the data feed.
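The following script is an added example, not MineMeld or IBM code. It performs the checks a SOC engineer would want to run before wiring a MineMeld data feed into the QRadar app: the feed-user access-tag rule from step 2, the PEM/.pem requirement from step 3, and the TAXII 1.1 discovery exchange that the Discover button in step 5.1 performs, followed by listing the collections the app shows in step 5.2. It assumes the discovery endpoint path given on the page, HTTP Basic authentication with a MineMeld feed user, and the TAXII 1.1 XML message binding; the host name, credentials and the two XML responses embedded below are constructed for the example, not captured from a live instance.

```python
"""Pre-flight checks for a MineMeld TAXII 1.1 data feed before it is added to
the IBM QRadar Threat Intelligence app (added example, not MineMeld or IBM code).
Assumptions: discovery path /taxii-discovery-service (from the page), HTTP Basic
auth with a MineMeld feed user, TAXII 1.1 XML binding. Sample data is constructed.
"""
import base64
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = {"taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"}


def user_can_read_feed(feed_tags, user_access_tags):
    """Step 2: a feed user may read a feed only if the feed carries at least one
    of the tags listed in the user's ACCESS field."""
    return bool(set(feed_tags) & set(user_access_tags))


def ca_pem_ok(filename, data):
    """Step 3: the app wants a PEM-armoured certificate in a file ending in .pem."""
    return (filename.lower().endswith(".pem")
            and data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")
            and b"-----END CERTIFICATE-----" in data)


def taxii_headers(username=None, password=None):
    """Headers for a TAXII 1.1 XML request; Basic auth only when a user is given."""
    headers = {
        "Content-Type": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    }
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return headers


def discovery_request():
    """Body of a TAXII 1.1 Discovery_Request (what the app's Discover button sends)."""
    return (f'<taxii_11:Discovery_Request xmlns:taxii_11="{TAXII_NS["taxii_11"]}" '
            f'message_id="{uuid.uuid4()}"/>').encode()


def parse_discovery(xml_bytes):
    """Map each available service_type (DISCOVERY, COLLECTION_MANAGEMENT, POLL) to its URL."""
    root = ET.fromstring(xml_bytes)
    services = {}
    for svc in root.findall("taxii_11:Service_Instance", TAXII_NS):
        if svc.get("available", "true") == "true":
            services[svc.get("service_type")] = svc.find("taxii_11:Address", TAXII_NS).text
    return services


def parse_collections(xml_bytes):
    """List the collections (one per MineMeld TAXII DataFeed node) visible to the user."""
    root = ET.fromstring(xml_bytes)
    return [{"name": c.get("collection_name"), "type": c.get("collection_type"),
             "available": c.get("available") == "true"}
            for c in root.findall("taxii_11:Collection", TAXII_NS)]


def live_discovery(minemeld_address, username, password, ca_pem_path):
    """Network path (not exercised offline): POST the discovery request, trusting
    only the CA from step 3, and return the parsed service map."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    req = urllib.request.Request(f"https://{minemeld_address}/taxii-discovery-service",
                                 data=discovery_request(),
                                 headers=taxii_headers(username, password), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_discovery(resp.read())


# Constructed Discovery_Response in TAXII 1.1 shape (host name is hypothetical).
SAMPLE_DISCOVERY = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Discovery_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="DISCOVERY" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://minemeld.example.net/taxii-discovery-service</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://minemeld.example.net/taxii-collection-management-service</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""

# Constructed Collection_Information_Response: one Collection per TAXII DataFeed node.
SAMPLE_COLLECTIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Collection_Information_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="4" in_response_to="3">
  <taxii_11:Collection collection_name="taxiiKnownCampaigns_IPv4" collection_type="DATA_FEED" available="true"/>
  <taxii_11:Collection collection_name="taxiiKnownCampaigns_Domains" collection_type="DATA_FEED" available="true"/>
</taxii_11:Collection_Information_Response>"""

if __name__ == "__main__":
    print("feed user SOC_QRadar (siem) can read feed tagged siem:",
          user_can_read_feed(["siem"], ["siem"]))
    for service_type, url in parse_discovery(SAMPLE_DISCOVERY).items():
        print(service_type, "->", url)
    for col in parse_collections(SAMPLE_COLLECTIONS):
        print(col["name"], col["type"], "available" if col["available"] else "unavailable")
```

Run the script as-is to see the offline parsing; call live_discovery("<minemeld address>", "SOC_QRadar", "<password>", "ca.pem") from a host that can reach MineMeld to confirm that the discovery response lists a DISCOVERY service and that the TLS handshake succeeds against the uploaded CA. If discovery works but the expected collection is missing, the usual cause is the access tag from step 2.2 not being set on that DataFeed node.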