TAXII into QRadar


L2 Linker

Hi there,

Is there any guidance for how to set up TAXII output for QRadar to ingest? I see in the latest release notes:

- TAXII DataFeed now translated IP Ranges into CIDR for better compatibility with 3rd party TAXII clients (read IBM QRadar)

So I figure it must be possible 🙂 but when I put the discovery service URL into the Threat Intelligence app (https://<hostname>/taxii-discovery-service) I get a very generic error of:

"There is a problem connecting to the TAXII server. Please check your connection information and verify that the TAXII server is available"

In MineMeld I've set up an output node of type stdlib.taxiiDataFeed with an input of one of the aggregators. I'm trying to figure out how to get more detailed error logs from QRadar in the meantime...

Thanks in advance!

Dan
L7 Applicator

Hi Dan,

Is the certificate on MineMeld signed by a known CA? QRadar verifies the certificate and drops the connection if the cert is not valid. I haven't found a flag to disable it.

Luigi

Hi Luigi,

It's a valid cert but I think it might have been installed without the full chain. I plan to give that a try soon. Thanks,

Dan

Hi Luigi,

I found the error logs in QRadar and then got further by adding the root and intermediates to the cert file. However, now I'm getting a different error:

2016-10-19 00:10:23,184 [com.ibm.ThreatIntelligence] [INFO] - Sending Discovery request to https://<hostname>/taxii-discovery-service
2016-10-19 00:10:23,214 [com.ibm.ThreatIntelligence] [INFO] - Sending Collection Information Request to https://<hostname>/taxii-collection-management-service
2016-10-19 00:10:23,250 [com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://<hostname>/taxii-discovery-service; '@available'

In MineMeld, the only setup I did was to create an output miner of type stdlib.taxiiDataFeed and then make sure it had some inputs. Is there any other setup I need to do?

FYI, I'm on QRadar 7.2.7 and 1.0.2 of the Threat Intelligence app, if that's of any use.

Thanks,

Dan

Hi Dan,

which MineMeld version are you running?

Thanks,

luigi

It looks like I'm on 0.9.24:

$ ls -l /opt/minemeld/engine/current
lrwxrwxrwx 1 root root 27 Sep 30 02:20 /opt/minemeld/engine/current -> /opt/minemeld/engine/0.9.24

L0 Member

Dan,

Try MISP, and use the export to feed the QRadar reference sets. The TAXII engine on the QRadar app store doesn't work that great...

In MineMeld 0.9.24 we have introduced some changes to improve compatibility with IBM QRadar, and they do interoperate.

One way to check the TAXII output from MineMeld is using Postman and this collection of requests:

https://gist.github.com/jtschichold/65ee13d29038f78e220d75e6668eeea1

If you send the Collection Information Request you should see the list of available feeds. Could you check the list is not empty?

@SSattler thanks for the idea. MISP is on my list of things to play with. I was shooting for a quick win with the Threat Intelligence app though!

Luigi and I determined that the error was caused by having only one TAXII output miner in MineMeld. As soon as we added more than one, QRadar picked them all up.

MISP is a great platform, I am planning a Miner and Output node for it.

Hi Dan,

Just follow the below steps:

Login to QRadar using root and execute the below command.

Step 1:

/opt/qradar/support/qapp_utils.py ls

Step 2:

Note down the app id of Threat Intelligence.

Step 3:

Connect to the app container using the below command:

#/opt/qradar/support/qapp_utils.py connect <app_id>

Step 4:

Add the host entry of the certificate name with the IP and try to wget to the URL which you have added.

Step 5:

Go to the TAXII plugin and while adding the TAXII URL give the name which you have configured inside the container and try.

It should work. Actually I tried and it's working for me.

Thanks and Regards,
Ramprasath
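Two of the checks discussed in this thread, Luigi's "is the collection list non-empty?" (which he does with Postman) and Ramprasath's wget-from-inside-the-container test that the URL hostname matches the certificate, can be done with one small script. The example below is added here and is not MineMeld, QRadar or Postman code; the host `minemeld.example`, the feed name `ibm-qradar-feed`, the sample response and the script name `taxii_probe.py` are constructed for illustration. It sends a TAXII 1.1 Collection Information Request with certificate-chain and hostname verification on, so a missing intermediate or a hostname mismatch is reported as a TLS verify message instead of the app's generic connection error; it parses the Collection elements as a list so one feed is handled exactly like several (my reading of the `'@available'` error in Dan's log is a parser tripping over the single-collection case, which fits the finding that a second output node fixed it, but that is an inference, not something the thread states); and it warns when the list is empty or a collection lacks its `available` flag or polling address.

```python
"""Added example (not MineMeld's or QRadar's code): probe a TAXII 1.1
Collection Management service the way a TAXII client such as QRadar's
Threat Intelligence app would, with TLS verification on."""
import ssl
import sys
import uuid
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
ET.register_namespace("taxii_11", TAXII_NS)

# Standard TAXII 1.1 over HTTPS request headers.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def tag(name):
    """Namespace-qualified TAXII element name for ElementTree."""
    return "{%s}%s" % (TAXII_NS, name)


def build_collection_information_request(message_id=None):
    """Serialise a TAXII 1.1 Collection_Information_Request."""
    root = ET.Element(tag("Collection_Information_Request"),
                      message_id=message_id or uuid.uuid4().hex)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_collection_information_response(xml_bytes):
    """Return one dict per advertised Collection. A Status_Message (the
    server's error reply) raises so it is never mistaken for an empty list."""
    root = ET.fromstring(xml_bytes)
    if root.tag == tag("Status_Message"):
        raise ValueError("server returned status %s" % root.get("status_type"))
    if root.tag != tag("Collection_Information_Response"):
        raise ValueError("unexpected TAXII message %s" % root.tag)
    collections = []
    # findall() always yields a list, so one collection is handled exactly
    # like many (a dict-based parser can trip on the single-element case).
    for coll in root.findall(tag("Collection")):
        available = coll.get("available")  # optional attribute in TAXII 1.1
        addr = coll.find(tag("Polling_Service") + "/" + tag("Address"))
        collections.append({
            "name": coll.get("collection_name"),
            "type": coll.get("collection_type", "DATA_FEED"),
            "available": None if available is None else available.lower() == "true",
            "poll_address": addr.text.strip() if addr is not None and addr.text else None,
        })
    return collections


def assess(collections):
    """Findings a TAXII client would stumble over, as plain strings."""
    findings = []
    if not collections:
        findings.append("no collections advertised: the server has no output feeds")
    for c in collections:
        if c["available"] is None:
            findings.append("%s: 'available' attribute missing" % c["name"])
        elif not c["available"]:
            findings.append("%s: marked unavailable" % c["name"])
        if not c["poll_address"]:
            findings.append("%s: no Polling_Service address" % c["name"])
    return findings


def probe(url, cafile=None, timeout=15):
    """POST the request with chain and hostname verification enabled, so a
    missing intermediate or a hostname/certificate mismatch is named
    explicitly instead of surfacing as a generic connection failure."""
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname stays True
    req = urllib.request.Request(url, data=build_collection_information_request(),
                                 headers=TAXII_HEADERS, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_collection_information_response(resp.read())
    except ssl.SSLCertVerificationError as exc:
        raise SystemExit("TLS verification failed for %s: %s (check the full chain and "
                         "that the URL host matches the certificate)" % (url, exc.verify_message))


# Constructed sample response advertising a single feed (hostname and feed
# name are made up); used when no URL is given on the command line.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Collection_Information_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="1" in_response_to="0">
  <taxii_11:Collection collection_name="ibm-qradar-feed" collection_type="DATA_FEED" available="true">
    <taxii_11:Polling_Service>
      <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
      <taxii_11:Address>https://minemeld.example/taxii-poll-service</taxii_11:Address>
      <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
    </taxii_11:Polling_Service>
  </taxii_11:Collection>
</taxii_11:Collection_Information_Response>
"""

if __name__ == "__main__":
    # Usage: python taxii_probe.py https://<hostname>/taxii-collection-management-service [ca-bundle.pem]
    if len(sys.argv) > 1:
        found = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        found = parse_collection_information_response(SAMPLE_RESPONSE)
    for c in found:
        print("collection %(name)s type=%(type)s available=%(available)s poll=%(poll_address)s" % c)
    for warning in assess(found):
        print("WARN", warning)
```

Run it from a host that resolves the MineMeld name the same way the QRadar app container does (Ramprasath's hosts entry); pass the CA bundle as the second argument when MineMeld's issuer is a private CA, since the script, like the app, refuses an unverifiable chain rather than silently skipping the check.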

