10-13-2016 05:36 AM
Hi there,
Is there any guidance for how to set up TAXII output for QRadar to ingest? I see in the latest release notes:
- TAXII DataFeed now translated IP Ranges into CIDR for better compatibility with 3rd party TAXII clients (read IBM QRadar)
So I figure it must be possible 🙂 but when I put the discover service URL into the Threat Intelligence app (https://<hostname>/taxii-discovery-service) I get a very generic error of:
"There is a problem connecting to the TAXII server. Please check your connection information and verify that the TAXII server is available"
In MineMeld I've set up an output node of type stdlib.taxiiDataFeed with an input of one of the aggregators. I'm trying to figure out how to get more detailed error logs from QRadar in the meantime...
Thanks in advance!
Dan
10-17-2016 12:40 PM
Hi Dan,
Is the certificate on MineMeld signed by a known CA? QRadar verifies the certificate and drops the connection if the cert is not valid. I haven't found a flag to disable it.
Luigi
10-17-2016 01:35 PM
Hi Luigi,
It's a valid cert but I think it might have been installed without the full chain. I plan to give that a try soon. Thanks,
Dan
10-18-2016 05:18 PM
Hi Luigi,
I found the error logs in QRadar and then got further by adding the root and intermediates to the cert file. However, now I'm getting a different error:
2016-10-19 00:10:23,184 [com.ibm.ThreatIntelligence] [INFO] - Sending Discovery request to https://<hostname>/taxii-discovery-service
2016-10-19 00:10:23,214 [com.ibm.ThreatIntelligence] [INFO] - Sending Collection Information Request to https://<hostname>/taxii-collection-management-service
2016-10-19 00:10:23,250 [com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://<hostname>/taxii-discovery-service; '@available'
In MineMeld, the only setup I did was to create an output miner of type stdlib.taxiiDataFeed and then make sure it had some inputs. Is there any other setup I need to do?
FYI, I'm on QRadar 7.2.7 and 1.0.2 of the Threat Intelligence app, if that's of any use.
Thanks,
Dan
10-18-2016 09:10 PM
Hi Dan,
Which MineMeld version are you running?
Thanks,
luigi
10-19-2016 04:45 AM
It looks like I'm on 0.9.24:
$ ls -l /opt/minemeld/engine/current
lrwxrwxrwx 1 root root 27 Sep 30 02:20 /opt/minemeld/engine/current -> /opt/minemeld/engine/0.9.24
10-19-2016 12:02 PM
Dan,
Try MISP, and use the export to feed the QRadar reference sets. The TAXII engine on the QRadar app store doesn't work that great...
10-19-2016 02:00 PM
In MineMeld 0.9.24 we have introduced some changes to improve compatibility with IBM QRadar, and they do interoperate.
One way to check the TAXII output from MineMeld is using Postman and this collection of requests:
https://gist.github.com/jtschichold/65ee13d29038f78e220d75e6668eeea1
If you send the Collection Information Request you should see the list of available feeds. Could you check that the list is not empty?
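The same check without Postman, as an added example that is not part of the thread or of MineMeld/QRadar code: it builds a TAXII 1.1 Collection Information Request, posts it to the MineMeld collection-management path seen in the QRadar log above, and parses the reply so that a feed list with a single collection is handled the same as one with several. The hostname and the sample response are constructed placeholders.

```python
"""Query a MineMeld taxiiDataFeed output for its collection list (TAXII 1.1).
Added example for this thread; <hostname> and the sample reply are constructed."""
import uuid
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def collection_information_request():
    """Build the TAXII 1.1 Collection_Information_Request body."""
    return ('<taxii_11:Collection_Information_Request xmlns:taxii_11="%s" '
            'message_id="%d"/>' % (TAXII_NS, uuid.uuid4().int)).encode()


def parse_collections(xml_body):
    """Return one dict per <Collection> in a Collection_Information_Response.
    findall() always yields a list, so a feed list with exactly one
    collection (the case that tripped the QRadar app here) parses cleanly."""
    root = ET.fromstring(xml_body)
    if root.tag != "{%s}Collection_Information_Response" % TAXII_NS:
        raise ValueError("unexpected TAXII message: %s" % root.tag)
    return [
        {"name": c.get("collection_name"),
         "available": c.get("available", "true").lower() == "true"}
        for c in root.findall("{%s}Collection" % TAXII_NS)
    ]


def fetch_collections(hostname):
    """POST the request to MineMeld and parse the reply. urlopen verifies the
    server certificate by default, so a chain missing its intermediates fails
    here exactly as it does in QRadar."""
    url = "https://%s/taxii-collection-management-service" % hostname
    req = urllib.request.Request(url, data=collection_information_request(),
                                 headers=HEADERS, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_collections(resp.read())


# Constructed sample reply containing a single collection.
SAMPLE_RESPONSE = ('<taxii_11:Collection_Information_Response xmlns:taxii_11="%s" '
                   'message_id="1" in_response_to="0"><taxii_11:Collection '
                   'collection_name="feed-ipv4" collection_type="DATA_FEED" '
                   'available="true"><taxii_11:Description>inbound IPv4 indicators'
                   '</taxii_11:Description></taxii_11:Collection>'
                   '</taxii_11:Collection_Information_Response>' % TAXII_NS).encode()
```

Run `fetch_collections("<hostname>")` against your MineMeld instance; an empty list means the output node has no published feed yet.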
10-20-2016 06:21 AM
@SSattler thanks for the idea. MISP is on my list of things to play with. I was shooting for a quick win with the Threat Intelligence app though!
Luigi and I determined that the error was caused by having only one TAXII output miner in MineMeld. As soon as we added more than one, QRadar picked them all up.
10-20-2016 07:43 AM
MISP is a great platform, I am planning a Miner and Output node for it.
08-03-2018 05:10 AM
Hi Dan,
Just follow the steps below:
Log in to QRadar as root and execute the command below.
Step 1:
/opt/qradar/support/qapp_utils.py ls
Step 2:
Note down the app id of Threat Intelligence.
Step 3:
Connect to the app container using the command below:
# /opt/qradar/support/qapp_utils.py connect <app_id>
Step 4:
Add a host entry for the certificate name with the IP and try to wget the URL you have added.
Step 5:
Go to the TAXII plugin and, while adding the TAXII URL, give the name which you have configured inside the container and try.
It should work. Actually I tried and it's working for me.
Thanks and Regards,
Ramprasath