Integrating MineMeld with IBM QRadar

L0 Member

Integrating MineMeld with IBM QRadar

Hi,

I am new to MineMeld. I went through the documentation for integrating MineMeld with QRadar. Successfully added the TAXII feeds in QRadar.

I couldn't see any values getting populated in the reference set defined in QRadar, or any updates shown in the threat intelligence TAXII configuration section in QRadar.

 

Regards

Thanzeer

 

L7 Applicator

Re: Integrating MineMeld with IBM QRadar

Hi @thanzeeer,

please could you post a screenshot of your NODES view?

 

Thanks,

luigi

L1 Bithead

Re: Integrating MineMeld with IBM QRadar

Hi.

 

I believe there is an issue with the IP feed within TAXII.

 

As per the documentation for setting this up, you create an IP reference set; now this type of reference set can only contain individual host IPs and not ranges, CIDRs etc.

 

When comparing the normal output lists (I have duplicated my TAXII output into a standard output) I can see this uses IP ranges (or CIDRs if you use ?tr=1). If this is the same as what is contained within the TAXII feed then this will not work within QRadar.

 

As an example, my TAXII feed has several thousand indicators, however within QRadar it is only processing 4 indicators. I believe what I have mentioned above is the cause.

 

Can you confirm if this is the case and if there is any way around it?

L7 Applicator

Re: Integrating MineMeld with IBM QRadar

Hi @JordDurh,

please note that TAXII DataFeeds work differently from the plain text feeds generated by MineMeld. See this answer for the difference:

https://live.paloaltonetworks.com/twzvq79624/board/message?board.id=MineMeldDiscussions&message.id=4...

 

The MineMeld TAXII DataFeed node will generate CIDRs if the miners generate IP ranges or CIDRs. Otherwise single IPs are generated.

 

Thanks,

luigi

L1 Bithead

Re: Integrating MineMeld with IBM QRadar

Thanks!

 

Any pointers as to where to get details on how to change the miners from abbreviating into CIDRs? I've tried to find this but not been able to.

 

 

L7 Applicator

Re: Integrating MineMeld with IBM QRadar

Hi @JordDurh,

the outputs are in charge of abbreviating ranges into CIDRs. For stdlib.taxiiDataFeed this happens automatically; for output nodes based on stdlib.feed* it happens only when you add the tr=1 parameter.

L1 Bithead

Re: Integrating MineMeld with IBM QRadar

Thanks!

 

I know you can add this to the URL when browsing, however I'm not seeing any documentation (or have not yet found it) on how / if you can add this option directly to the output config to use this as default.

 

Can you confirm if it's possible?

L7 Applicator

Re: Integrating MineMeld with IBM QRadar

Hi @JordDurh,

this is automatically done by default by stdlib.taxiiDataFeed nodes, but you need a parameter on the URL for the stdlib.feed* nodes. Currently there is no way to change the default of the stdlib.feed*.

Do you have a client that does not support URLs with parameters?

 

Thanks!

luigi

L0 Member

Re: Integrating MineMeld with IBM QRadar

This is the issue which I am facing. I created a reference set to accept IP Addresses; it always shows one IP Address. Another reference set defined for collecting URL information is populating and getting updated.

 

Regards

Thanzeer

L1 Bithead

Re: Integrating MineMeld with IBM QRadar

I'm trying to use this TAXII feed within QRadar via their ThreatIntel app; this is the method detailed in your articles. I'm able to access and browse the TAXII feed, however once added no IPs get populated within reference sets (even if this is set to an alphanumeric reference set rather than an IP based one).

 

Am I able to modify the outputs to include the extra syntax to convert to CIDR? If so, what is the context to use in the output config?
