TAXII into QRadar

L2 Linker

Hi there,

Is there any guidance for how to set up TAXII output for QRadar to ingest? I see in the latest release notes:

- TAXII DataFeed now translates IP Ranges into CIDR for better compatibility with 3rd party TAXII clients (read IBM QRadar)

So I figure it must be possible :) but when I put the discovery service URL into the Threat Intelligence app (https://<hostname>/taxii-discovery-service) I get a very generic error of:

"There is a problem connecting to the TAXII server. Please check your connection information and verify that the TAXII server is available"

In MineMeld I've set up an output node of type stdlib.taxiiDataFeed with an input of one of the aggregators. I'm trying to figure out how to get more detailed error logs from QRadar in the meantime...

Thanks in advance!

Dan

L7 Applicator

Re: TAXII into QRadar

Hi Dan,

Is the certificate on MineMeld signed by a known CA? QRadar verifies the certificate and drops the connection if the cert is not valid. I haven't found a flag to disable it.

Luigi

L2 Linker

Re: TAXII into QRadar

Hi Luigi,

It's a valid cert but I think it might have been installed without the full chain. I plan to give that a try soon. Thanks,

Dan

L2 Linker

Re: TAXII into QRadar

Hi Luigi,

I found the error logs in QRadar and then got further by adding the root and intermediates to the cert file. However, now I'm getting a different error:

2016-10-19 00:10:23,184 [com.ibm.ThreatIntelligence] [INFO] - Sending Discovery request to https://<hostname>/taxii-discovery-service
2016-10-19 00:10:23,214 [com.ibm.ThreatIntelligence] [INFO] - Sending Collection Information Request to https://<hostname>/taxii-collection-management-service
2016-10-19 00:10:23,250 [com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://<hostname>/taxii-discovery-service; '@available'

In MineMeld, the only setup I did was to create an output miner of type stdlib.taxiiDataFeed and then make sure it had some inputs. Is there any other setup I need to do?

FYI, I'm on QRadar 7.2.7 and 1.0.2 of the Threat Intelligence app, if that's of any use.

Thanks,

Dan
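The certificate problem in this exchange (a server that presents only its leaf certificate, so a client that verifies the chain against its trusted CAs rejects it) can be reproduced offline. The script below is an added example, not MineMeld or QRadar code: it generates a throwaway root -> intermediate -> leaf chain with the openssl command-line tool (assumed to be on PATH) and then runs a TLS handshake entirely in memory with Python's ssl module, where the client, like QRadar, trusts only the root CA and has verification switched on. The hostname minemeld.example and all certificate names are made up.

```python
"""Added example: show why a cert file without the intermediates fails verification.

Assumes the `openssl` CLI is installed. Not MineMeld or QRadar code.
"""
import os
import ssl
import subprocess
import tempfile

HOSTNAME = "minemeld.example"  # made-up server name, used in the leaf cert's SAN


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_chain(workdir):
    """Create root.pem, int.pem, leaf.pem (+ keys) in workdir; return their paths."""
    p = lambda name: os.path.join(workdir, name)
    with open(p("ca.ext"), "w") as f:   # explicit CA extensions, no openssl.cnf dependence
        f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
    with open(p("leaf.ext"), "w") as f:
        f.write("basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n" % HOSTNAME)
    # root CA: self-signed
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=Example Root CA",
             "-keyout", p("root.key"), "-out", p("root.csr"))
    _openssl("x509", "-req", "-in", p("root.csr"), "-signkey", p("root.key"),
             "-days", "1", "-extfile", p("ca.ext"), "-out", p("root.pem"))
    # intermediate CA: signed by the root
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=Example Intermediate CA",
             "-keyout", p("int.key"), "-out", p("int.csr"))
    _openssl("x509", "-req", "-in", p("int.csr"), "-CA", p("root.pem"), "-CAkey", p("root.key"),
             "-CAcreateserial", "-days", "1", "-extfile", p("ca.ext"), "-out", p("int.pem"))
    # leaf (server) cert: signed by the intermediate, not directly by the root
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=%s" % HOSTNAME,
             "-keyout", p("leaf.key"), "-out", p("leaf.csr"))
    _openssl("x509", "-req", "-in", p("leaf.csr"), "-CA", p("int.pem"), "-CAkey", p("int.key"),
             "-CAcreateserial", "-days", "1", "-extfile", p("leaf.ext"), "-out", p("leaf.pem"))
    return p("root.pem"), p("int.pem"), p("leaf.pem"), p("leaf.key")


def write_bundle(path, *cert_files):
    """Concatenate PEM certs in server-file order: leaf first, then intermediates."""
    with open(path, "wb") as out:
        for cf in cert_files:
            with open(cf, "rb") as f:
                out.write(f.read())


def _pump(src, dst):
    data = src.read()
    if data:
        dst.write(data)


def verifying_client_handshake(server_bundle, server_key, trusted_root, hostname):
    """In-memory TLS handshake. Returns (True, "") if a chain-verifying client
    accepts the server's certificates, else (False, <client error message>)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_bundle, server_key)         # leaf + whatever follows it
    cli = ssl.create_default_context(cafile=trusted_root)  # trusts only our root, verifies chain
    s_in, s_out, c_in, c_out = (ssl.MemoryBIO() for _ in range(4))
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    client = cli.wrap_bio(c_in, c_out, server_hostname=hostname)
    client_done = server_done = False
    for _ in range(20):
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:  # e.g. CERTIFICATE_VERIFY_FAILED: chain does not reach root
                return False, str(exc)
        _pump(c_out, s_in)
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:
                return False, str(exc)
        _pump(s_out, c_in)
        if client_done and server_done:
            return True, ""
    raise RuntimeError("handshake did not complete")


def demo():
    """Return the handshake results for a leaf-only bundle and a leaf+intermediate bundle."""
    with tempfile.TemporaryDirectory() as d:
        root, inter, leaf, key = make_chain(d)
        partial = os.path.join(d, "server_leaf_only.pem")
        full = os.path.join(d, "server_full_chain.pem")
        write_bundle(partial, leaf)          # what a misconfigured server presents
        write_bundle(full, leaf, inter)      # leaf followed by its intermediate
        return (verifying_client_handshake(partial, key, root, HOSTNAME),
                verifying_client_handshake(full, key, root, HOSTNAME))


if __name__ == "__main__":
    partial, full = demo()
    print("leaf only:          ", "accepted" if partial[0] else "rejected: " + partial[1])
    print("leaf + intermediate:", "accepted" if full[0] else "rejected: " + full[1])
```

Against a live MineMeld instance the equivalent check is `openssl s_client -connect <hostname>:443 -servername <hostname> -showcerts`, which prints every certificate the server actually sends; if only the leaf appears, the server's cert file needs the intermediate(s) appended after the leaf, in issuing order.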

L7 Applicator

Re: TAXII into QRadar

Hi Dan,

Which MineMeld version are you running?

Thanks,

Luigi

L2 Linker

Re: TAXII into QRadar

It looks like I'm on 0.9.24:

$ ls -l /opt/minemeld/engine/current
lrwxrwxrwx 1 root root 27 Sep 30 02:20 /opt/minemeld/engine/current -> /opt/minemeld/engine/0.9.24

L0 Member

Re: TAXII into QRadar

Dan,

Try MISP, and use the export to feed the QRadar reference sets. The TAXII engine on the QRadar app store doesn't work that great...

L7 Applicator

Re: TAXII into QRadar

In MineMeld 0.9.24 we have introduced some changes to improve compatibility with IBM QRadar, and they do interoperate.

One way to check the TAXII output from MineMeld is to use Postman and this collection of requests:

https://gist.github.com/jtschichold/65ee13d29038f78e220d75e6668eeea1

If you send the Collection Information Request you should see the list of available feeds. Could you check the list is not empty?
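The same check as a script, added here as an example (not MineMeld, QRadar or Postman code): it builds the TAXII 1.1 Collection Information Request with the HTTP headers the TAXII HTTPS protocol binding requires, and parses the Collection Information Response into the list of feeds, which is what QRadar's log above shows it asking for right before the failure. The sample response is constructed (feed names and the host minemeld.example are made up); `fetch_collections` is the only part that touches the network. `available` is an optional attribute of `Collection` in the TAXII 1.1 schema, and the '@available' in the error line above is that attribute's name, so the parser defaults it explicitly instead of failing when a collection omits it.

```python
"""Added example: TAXII 1.1 Collection Information Request/Response client.

Not MineMeld or QRadar code. Sample data below is constructed.
"""
import ssl
import uuid
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII_NS}

# Headers required by the TAXII 1.1 HTTPS protocol binding
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def build_collection_information_request(message_id=None):
    """Return the XML body of a TAXII 1.1 Collection_Information_Request."""
    message_id = message_id or uuid.uuid4().hex
    ET.register_namespace("taxii_11", TAXII_NS)
    root = ET.Element("{%s}Collection_Information_Request" % TAXII_NS, message_id=message_id)
    return ET.tostring(root, encoding="utf-8")


def parse_collection_information_response(body):
    """Parse a Collection_Information_Response into a list of collection dicts.

    Raises RuntimeError if the server answered with a Status_Message (a TAXII
    error) and ValueError for any other message type.
    """
    root = ET.fromstring(body)
    if root.tag == "{%s}Status_Message" % TAXII_NS:
        raise RuntimeError("TAXII Status_Message %s: %s" % (
            root.get("status_type"), root.findtext("taxii_11:Message", "", NS)))
    if root.tag != "{%s}Collection_Information_Response" % TAXII_NS:
        raise ValueError("unexpected TAXII message: %s" % root.tag)
    collections = []
    for col in root.findall("taxii_11:Collection", NS):
        poll = col.find("taxii_11:Polling_Service/taxii_11:Address", NS)
        collections.append({
            "name": col.get("collection_name"),
            "type": col.get("collection_type", "DATA_FEED"),
            # `available` is optional in the schema; absent means the feed is usable
            "available": col.get("available", "true").lower() in ("true", "1"),
            "poll_url": poll.text.strip() if poll is not None and poll.text else None,
        })
    return collections


def describe(collections):
    """One human-readable line per collection."""
    return ["%s (%s, %s) poll=%s" % (c["name"], c["type"],
                                     "available" if c["available"] else "unavailable",
                                     c["poll_url"]) for c in collections]


def fetch_collections(collection_management_url, ca_bundle=None):
    """Query a live server (network). ca_bundle: PEM file with the CA chain to
    trust; like QRadar, the server certificate is verified and cannot be skipped."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(collection_management_url,
                                 data=build_collection_information_request(),
                                 headers=TAXII_HEADERS, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_collection_information_response(resp.read())


# Constructed sample response (not captured from a real MineMeld instance):
# two feeds, the second one without the optional `available` attribute.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Collection_Information_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="2" in_response_to="1">
  <taxii_11:Collection collection_name="aggregator-feed-1" collection_type="DATA_FEED" available="true">
    <taxii_11:Description>Indicators from aggregator 1</taxii_11:Description>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Polling_Service>
      <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
      <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
      <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
    </taxii_11:Polling_Service>
  </taxii_11:Collection>
  <taxii_11:Collection collection_name="aggregator-feed-2" collection_type="DATA_FEED">
    <taxii_11:Polling_Service>
      <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
      <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
      <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
    </taxii_11:Polling_Service>
  </taxii_11:Collection>
</taxii_11:Collection_Information_Response>
"""

if __name__ == "__main__":
    for line in describe(parse_collection_information_response(SAMPLE_RESPONSE)):
        print(line)
```

To run it against a real server, call `fetch_collections("https://<hostname>/taxii-collection-management-service", ca_bundle="/path/to/chain.pem")`; an empty list means the server answered correctly but advertises no feeds, while a RuntimeError carries the server's own TAXII status type and message.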

L2 Linker

Re: TAXII into QRadar

@SSattler thanks for the idea. MISP is on my list of things to play with. I was shooting for a quick win with the Threat Intelligence app though!
Luigi and I determined that the error was caused by having only one TAXII output miner in MineMeld. As soon as we added more than one, QRadar picked them all up.

L7 Applicator

Re: TAXII into QRadar

MISP is a great platform, I am planning a Miner and Output node for it.
