02-16-2017 03:37 AM - edited 02-16-2017 03:50 AM
Using MineMeld TAXII output nodes and the IBM QRadar Threat Intelligence app, it is possible to populate IBM QRadar reference sets with Threat Intelligence indicators processed by MineMeld. Reference Sets can then be used in IBM QRadar rules to detect suspicious activities.
After installing IBM QRadar Threat Intelligence app (available on IBM QRadar App Exchange), follow this procedure to connect IBM QRadar to MineMeld:
Use stdlib.taxiiDataFeed prototype to instantiate one or more output nodes. Each output node becomes a new TAXII data feed IBM QRadar can grab indicators from. In this picture all the taxiiKnownCampaigns* nodes are TAXII DataFeed nodes.
This step is required only if you have enabled authentication for feed access.
Note for MineMeld on AutoFocus: Authentication for feeds is automatically enabled in MineMeld on AutoFocus.
Under Admin > Feeds Users create a new user and associate an access tag to it. The new feed user does not have access to the Admin WebUI, but only to feeds tagged with at least one of the tags listed in the ACCESS field. In the following picture SOC_QRadar user has access only to feeds tagged with siem.
Under Nodes select the TAXII DataFeed nodes and add the access tag.
The IBM QRadar Threat Intelligence app requires a valid certificate on the TAXII server. If the certificate on your MineMeld instance is signed by a private CA or a CA not known to the IBM QRadar Threat Intelligence app, you have to upload the certificate to the app. The certificate should be in PEM format and the extension of the file should be pem.
Note for MineMeld on AutoFocus: Download the GoDaddy Class2 Root certificate here https://certs.godaddy.com/repository/gd-class2-root.crt, change the extension to pem and upload it to the app.
This step is optional. To keep MineMeld indicators separated from other sources you can define a new Reference Set for each MineMeld DataFeed.
In the IBM QRadar Threat Intelligence app, select Add TAXII Feed.
In TAXII Endpoint set https://<minemeld address>/taxii-discovery-service
If feeds authentication is enabled on MineMeld, select HTTP Basic in Authentication Method and set Username and Password of a MineMeld feed user with access to the TAXII DataFeed.
Then click on Discover.
In the next dialog select the Collection, and set the appropriate Observable Type - that is the type of the indicators in the MineMeld TAXII DataFeed. Each MineMeld TAXII DataFeed node is seen as a separate Collection.
In the next dialog, select the target reference set.
Click on Save.
In the TAXII Feed list, click on Poll Now to retrieve the indicators from the datafeed.
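What the Discover step exchanges with the endpoint, as an added example (not part of the original article or of either product), assuming the MineMeld endpoint speaks the TAXII 1.1 XML binding over HTTPS. The host name, service paths and sample response are constructed placeholders.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NS = {"t": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"}
XML_11 = "urn:taxii.mitre.org:message:xml:1.1"
# Constructed, trimmed sample Discovery_Response (only the fields parsed below).
SAMPLE_RESPONSE = """\
<t:Discovery_Response xmlns:t="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="2" in_response_to="1">
  <t:Service_Instance service_type="COLLECTION_MANAGEMENT" available="true">
    <t:Address>https://minemeld.example/placeholder-collections</t:Address>
  </t:Service_Instance>
  <t:Service_Instance service_type="POLL" available="true">
    <t:Address>https://minemeld.example/placeholder-poll</t:Address>
  </t:Service_Instance>
</t:Discovery_Response>"""

def build_discovery_request(endpoint, username=None, password=None):
    """Build the TAXII 1.1 Discovery_Request; TAXII messages travel as HTTP POST."""
    body = '<t:Discovery_Request xmlns:t="%s" message_id="1"/>' % NS["t"]
    headers = {"Content-Type": "application/xml", "Accept": "application/xml",
               "X-TAXII-Content-Type": XML_11, "X-TAXII-Accept": XML_11,
               "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
               "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0"}
    if username is not None:  # HTTP Basic credentials of a MineMeld feed user
        pair = ("%s:%s" % (username, password)).encode()
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    return urllib.request.Request(endpoint, data=body.encode(), headers=headers, method="POST")

def parse_services(response_xml):
    """Return {service_type: [address, ...]} from a Discovery_Response."""
    services = {}
    for inst in ET.fromstring(response_xml).findall("t:Service_Instance", NS):
        address = inst.findtext("t:Address", default="", namespaces=NS).strip()
        services.setdefault(inst.get("service_type"), []).append(address)
    return services

def discover(endpoint, ca_pem, username=None, password=None):
    """Send the request, trusting only the CA in ca_pem (the file uploaded to the app)."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    req = build_discovery_request(endpoint, username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_services(resp.read())

if __name__ == "__main__":
    print(parse_services(SAMPLE_RESPONSE))
```

`discover()` fails with a certificate verification error when the MineMeld certificate does not chain to the CA in `ca_pem`, which makes it a quick check of the PEM file before uploading it.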
Hi Luigi,
How do I know the IP address or URL of MineMeld on AutoFocus?
Actually, it seems that the URL name is "https://autofocus.paloaltonetworks.com/#/app-container/2".
/takashi
Hi @tasano,
Good point, this will be addressed in the next release. If you have an EDL node you can grab the URL from the URL inside the node config.
luigi
Hi,
I succeeded in sending a lot of indicators to QRadar by TAXII through MineMeld. These data formats appear on QRadar in the following format:
177.91.0.0/22
An IBM engineer said, "We can't make a correlation rule in this format." I heard that it can only use static addresses with no subnet (e.g. 177.91.0.3).
Does anyone have experience of collaboration with QRadar? If so, what kind of correlation rule did you use on QRadar?
Hi @lmori,
I confirmed it with the IBM engineer again. It seems to be possible to make a correlation rule using an AQL function on QRadar even with CIDR indicators.
Certainly, CIDRs format is only spamhaus in OSINT.
Thanks.
Good morning, we are trying to integrate MineMeld with IBM QRadar but we configured the threat intelligence app in QRadar. We configured the TAXII URL: https://X.X.X.X/taxii-discovery-service but when we navigate to it we receive the error: 405 Method Not Allowed. Has anyone dealt with this error? Thank you.