Is there any guidance for how to set up TAXII output for QRadar to ingest? I see in the latest release notes:
- TAXII DataFeed now translated IP Ranges into CIDR for better compatibility with 3rd party TAXII clients (read IBM QRadar)
So I figure it must be possible :) but when I put the discovery service URL into the Threat Intelligence app (https://<hostname>/taxii-discovery-service) I get a very generic error of:
"There is a problem connecting to the TAXII server. Please check your connection information and verify that the TAXII server is available"
In MineMeld I've set up an output node of type stdlib.taxiiDataFeed with an input of one of the aggregators. I'm trying to figure out how to get more detailed error logs from QRadar in the meantime...
Thanks in advance!
I found the error logs in QRadar and then got further by adding the root and intermediates to the cert file. However, now I'm getting a different error:
2016-10-19 00:10:23,184 [com.ibm.ThreatIntelligence] [INFO] - Sending Discovery request to https://<hostname>/taxii-discovery-service
2016-10-19 00:10:23,214 [com.ibm.ThreatIntelligence] [INFO] - Sending Collection Information Request to https://<hostname>/taxii-collection-management-service
2016-10-19 00:10:23,250 [com.ibm.ThreatIntelligence] [ERROR] - Failed to get list of collections from https://<hostname>/taxii-discovery-service; '@available'
In Minemeld, the only setup I did was to create an output miner of type stdlib.taxiiDataFeed and then make sure it had some inputs. Is there any other setup I need to do?
FYI, I'm on QRadar 7.2.7 and 1.0.2 of the Threat Intelligence app, if that's of any use.
It looks like I'm on 0.9.24:
$ ls -l /opt/minemeld/engine/current
lrwxrwxrwx 1 root root 27 Sep 30 02:20 /opt/minemeld/engine/current -> /opt/minemeld/engine/0.9.24
In MineMeld 0.9.24 we have introduced some changes to improve compatibility with IBM QRadar, and they do interoperate.
One way to check the TAXII output from MineMeld is using Postman and this collection of requests:
If you send the Collection Information Request you should see the list of available feeds. Could you check that the list is not empty?
@SSattler thanks for the idea. MISP is on my list of things to play with. I was shooting for a quick win with the Threat Intelligence app though!
Luigi and I determined that the error was caused by having only one TAXII output miner in MineMeld. As soon as we added more than one, QRadar picked them all up.
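As an added example (not code from the thread, MineMeld or QRadar), the check suggested above done without Postman: a Python script that sends a TAXII 1.1 Collection Information Request to MineMeld's collection management endpoint and lists each collection with its `available` attribute, so you can confirm the list is not empty before pointing QRadar at it. The hostname, CA file and the sample response are assumptions/constructed values; the headers are the standard TAXII 1.1 ones.

```python
import ssl
import uuid
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
# Standard TAXII 1.1 HTTPS headers; a server that gets these wrong will not answer properly.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def build_collection_information_request(message_id=None):
    """Body of a TAXII 1.1 Collection Information Request (the same message Postman would send)."""
    message_id = message_id or uuid.uuid4().hex
    return ('<taxii_11:Collection_Information_Request xmlns:taxii_11="%s" message_id="%s"/>'
            % (TAXII_NS, message_id))


def parse_collections(response_xml):
    """Return [(collection_name, available)] for every Collection element in the response.
    findall() always yields a list, so a single feed and many feeds are handled the same way."""
    root = ET.fromstring(response_xml)
    return [(col.get("collection_name"), col.get("available", "").lower() == "true")
            for col in root.findall("{%s}Collection" % TAXII_NS)]


def fetch_collections(base_url, ca_file=None):
    """POST the request to MineMeld's collection management service and parse the reply.
    ca_file should hold the full chain (root + intermediates), as the thread found QRadar needs."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(base_url.rstrip("/") + "/taxii-collection-management-service",
                                 data=build_collection_information_request().encode(),
                                 headers=TAXII_HEADERS)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_collections(resp.read())


# Constructed sample response with a single DATA_FEED collection (not captured from a real server).
SAMPLE_RESPONSE = """<taxii_11:Collection_Information_Response xmlns:taxii_11="%s" message_id="2" in_response_to="1">
  <taxii_11:Collection collection_name="inboundfeed" collection_type="DATA_FEED" available="true">
    <taxii_11:Description>constructed example feed</taxii_11:Description>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  </taxii_11:Collection>
</taxii_11:Collection_Information_Response>""" % TAXII_NS

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_collections("https://<hostname>", "/path/to/chain.pem") for a live check.
    for name, available in parse_collections(SAMPLE_RESPONSE):
        print(name, "available" if available else "NOT available")
```

An empty list means MineMeld is not exposing any TAXII feed, and a feed with available="false" will not be polled by a client that honours the flag.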