Home
Threat Intelligence
Learn how Threat Intelligence quickly detects threats to OT/IoT systems and defends against cyberattacks.
Configuration
Details on how to configure Threat Intelligence.
Threat Intelligence Feed
Configuration
Configure QRadar
Do this procedure to integrate a new TAXII feed into QRadar to enhance threat intelligence capabilities. This procedure covers adding the feed, ensuring full indicator ingestion, and monitoring the integration via the Activity Log for optimal security posture.

Threat Intelligence
Learn how Threat Intelligence quickly detects threats to OT/IoT systems and defends against cyberattacks.
- Introduction
  An overview of Threat Intelligence.
- Requirements
  A description of the requirements that are necessary to install and use Threat Intelligence.
- Configuration
  Details on how to configure Threat Intelligence.
  - Configure a Threat Intelligence license
    Before you can use the Threat Intelligence, you must install a license.
  - Enable automatic updates
    If you are connected to Vantage, or a Central Management Console (CMC), you can enable automatic Threat Intelligence updates.
  - Configure manual updates
    If your sensor, or Central Management Console (CMC), is not connected to the internet, you can update Threat Intelligence manually.
  - Sensor-level contents management
    By default, Threat Intelligence contents can only be managed on the top-level sensor. However, this policy can be customized to allow any sensor in the solution to add, edit, enable or disable individual contents.
  - Manage contents at sensor level
    You can change the status of the Enable local contents toggle to change how the Threat Intelligence contents are managed.
  - Threat Intelligence Feed
    - Introduction
    - Requirements
    - Configuration
      - taxii2client configuration
        Learn how to use the minimal Python library from OASIS to set up a taxii2client to interact with the TAXII server from Nozomi Networks. This includes integration for software that does not support the TAXII 2.0 protocol.
      - Configure Anomali STAXX
        Do this procedure to configure the Anomali STAXX, a free TAXII/STIX solution, for integration with the Nozomi Networks TAXII server, including setting descriptions, uniform resource locators (URLs), and authentication details.
      - Configure Microsoft Sentinel
        Once the Threat Intelligence - TAXII data connector is installed, you need to configure the TAXII server.
      - Configure ThreatQ
        Follow these steps to add and enable a new TAXII feed integration in ThreatQ, verify indicator ingestion, and monitor the integration's status through the Activity Log.
      - Configure QRadar
        Do this procedure to integrate a new TAXII feed into QRadar to enhance threat intelligence capabilities. This procedure covers adding the feed, ensuring full indicator ingestion, and monitoring the integration via the Activity Log for optimal security posture.
    - Troubleshooting
- Maintenance
  Information on how to maintain Threat Intelligence.
- Print format documentation
  A list of all the print-format documentation that is available for Threat Intelligence.

Configure QRadar

Do this procedure to integrate a new TAXII feed into QRadar to enhance threat intelligence capabilities. This procedure covers adding the feed, ensuring full indicator ingestion, and monitoring the integration via the Activity Log for optimal security posture.

About this task

Note:

The Threat Intelligence application version 2.4.2, and earlier, has a bug that can lead to only partial ingestion of the Trusted Automated Exchange of Indicator Information (TAXII) data. IBM is aware of the bug.

Procedure

Download QRadar from the IBM website.
Go to Admin > Extensions Management.
Select All items.
Make sure that you have the latest version of the Threat Intelligence app installed.
Select Threat Intelligence.
Select Feeds Downloader.
Select Add Threat Feed > Add TAXII Feed.
In the Connection page, in the Version dropdown, select TAXII 2.0.
Enter the details as necessary in the other fields. Make sure the endpoint string has /root/collections at the end.
Select Discover.
Select Parameter.
From the Collections dropdown, select the applicable option.
From the Observable Type dropdown, select the applicable indicator type.
To the right of Reference Set Management, select Add.
In the bottom right section, select Next.
In the Summary page, select Save.
You can now select Poll Now to force the indicator collection.

Results

QRadar has been configured.