I am new to MineMeld. I went through the documentation for integrating MineMeld with QRadar. Successfully added the TAXII feeds in QRadar.
I couldn't see any values getting populated in the reference set defined in QRadar, or updates shown in the threat intelligence TAXII configuration section in QRadar.
I believe there is an issue with the IP feed within TAXII.
As per the documentation for setting this up, you create an IP reference set. Now, this type of reference set can only contain individual host IPs and not ranges, CIDRs, etc.
When comparing the normal output lists (I have duplicated my TAXII output into a standard output) I can see this uses IP ranges (or CIDRs if you use ?tr=1), if this is the same as what is contained within the TAXII feed then this will not work within QRadar.
As an example, my TAXII feed has several thousand indicators, however within QRadar it is only processing 4 indicators. I believe what I have mentioned above is the cause.
Can you confirm if this is the case and if there is any way around it?
Please note that TAXII DataFeeds work differently from the plain text feeds generated by MineMeld. See this answer for the difference:
The MineMeld TAXII DataFeed node will generate CIDRs if the miners generate IP ranges or CIDRs. Otherwise single IPs are generated.
Any pointers as to where to get details on how to change the miners from abbreviating into CIDRs? I've tried to find this but not been able to.
The output nodes are in charge of abbreviating ranges into CIDRs. For stdlib.taxiiDataFeed this happens automatically; for output nodes based on stdlib.feed* it happens only when you add the tr=1 parameter.
I know you can add this to the URL when browsing, however I'm not seeing any documentation (or have not yet found any) on how / if you can add this option directly to the output config to use this as the default.
Can you confirm if it's possible?
This is automatically done by default by stdlib.taxiiDataFeed nodes, but you need a parameter on the URL for the stdlib.feed* nodes. Currently there is no way to change the default of the stdlib.feed*.
Do you have a client that does not support URLs with parameters?
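A consumer-side workaround, added here as an example that is not from the original thread and not MineMeld's own code: a small Python script that expands the range lines (default stdlib.feed* output) or CIDR lines (tr=1 output) of a plain-text feed into individual host addresses, which is the only form a QRadar IP reference set accepts. The feed text is constructed, and the expansion cap is an assumed value chosen so that a very large prefix is reported rather than exploded into millions of entries.

```python
import ipaddress

# Constructed sample of a MineMeld stdlib.feed* plain-text output: a single IP,
# an IP range (default form) and a CIDR (the ?tr=1 form), plus a duplicate.
SAMPLE_FEED = """\
203.0.113.7
198.51.100.0-198.51.100.3
192.0.2.0/30
# comment lines and blanks are skipped

203.0.113.7
"""

MAX_EXPANSION = 4096  # assumption: refuse to expand anything larger than a /20


def parse_indicator(line):
    """Return the (first, last) addresses covered by one feed line."""
    line = line.strip()
    if "-" in line:  # "start-end" range as emitted by stdlib.feed* by default
        lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
    else:  # single IP or CIDR; a bare IP becomes a /32 (or /128) network
        net = ipaddress.ip_network(line, strict=False)
        lo, hi = net[0], net[-1]
    if int(hi) < int(lo):
        raise ValueError("range end precedes start: %s" % line)
    return lo, hi


def expand_feed(text, max_expansion=MAX_EXPANSION):
    """Expand ranges/CIDRs into single hosts, de-duplicated, in feed order.

    Returns (hosts, skipped); skipped holds lines too large to expand, which
    belong in a CIDR-capable reference set rather than an IP one."""
    seen, hosts, skipped = set(), [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        lo, hi = parse_indicator(line)
        if int(hi) - int(lo) + 1 > max_expansion:
            skipped.append(line.strip())
            continue
        for n in range(int(lo), int(hi) + 1):
            ip = str(type(lo)(n))  # keeps IPv4/IPv6 family of the input
            if ip not in seen:
                seen.add(ip)
                hosts.append(ip)
    return hosts, skipped
```

Write the returned hosts to a file and load it into the IP reference set; review the skipped list separately.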
This is the issue I am facing. I created a reference set to accept IP addresses; it always shows one IP address. Another reference set defined for collecting URL information is populating and getting updated.
I'm trying to use this TAXII feed within QRadar via their ThreatIntel app, which is the method detailed in your articles. I'm able to access and browse the TAXII feed, however once added no IPs get populated within reference sets (even if this is set to an alphanumeric reference set rather than an IP-based one).
Am I able to modify the outputs to include the extra syntax to convert to CIDR? If so, what is the context to use in the output config?