IBM Support

QRadar: X-Force Frequently Asked Questions (FAQ)

Question/Answer


Question

What do I need to know and what are the frequently asked questions about the QRadar X-Force Threat Intelligence feed?

Answer


How to enable X-Force Threat Intelligence in QRadar 7.2.8 and Later


In QRadar 7.2.8 and later, the X-Force Threat Intelligence feed no longer needs to be purchased as a separate subscription; it is included with the standard license as part of Service & Support. Administrators who previously did not have IP and URL reputation data licensed and want to use the X-Force Threat Intelligence feeds can enable the feature from the System Settings screen of the Admin tab. Users who do not upgrade to QRadar 7.2.8 remain on their existing subscription model until they upgrade.

To enable X-Force Threat Intelligence Feeds for QRadar 7.2.8 and later

  1. Log in to QRadar as an administrator.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. From the Enable X-Force Threat Intelligence Feed drop-down, select Yes.
  5. Click Save.
  6. From the Admin tab, click Deploy Changes to enable the X-Force Threat Intelligence Feed for the deployment.

    NOTE: Administrators must allow Internet access from the QRadar Console to the following addresses to receive X-Force Threat Intelligence Feed data from IBM. These servers are contacted for X-Force data updates, licensing, and dashboard widget feeds (the QRadar automatic update server is listed separately in the Firewalls and X-Force Data Updates section below):
    Server contacted               Server description
    update.xforce-security.com     X-Force Threat Intelligence Feed update server for IP reputation and URL data
    license.xforce-security.com    X-Force Threat Intelligence licensing server


    What to do next
    After enabling the X-Force Threat Intelligence Feed, administrators on new installs should make sure the IBM QRadar Security Threat Content extension is installed. This procedure is described in the next section; the extension adds the X-Force rules that work with the Threat Intelligence Feed so that they can be enabled.



Downloading X-Force Rule Content for QRadar


In QRadar 7.2.6 and later, administrators can install the rule content that is pertinent to them instead of the full default rule set. New administrators should review the available content extensions that expand the QRadar base rules, including the X-Force Premium rules. These content extensions add rules, building blocks, reports, and other content on top of the baseline QRadar rule set. After completing a new install of QRadar, administrators are encouraged to review and install these extensions from the IBM X-Force Exchange.

IMPORTANT: To add X-Force rules to QRadar, administrators must install the IBM QRadar Security Threat Content extension.

List of Common QRadar 7.2.x Rule Content Extensions:

Extension: IBM QRadar Security Threat Content
Required for X-Force Premium users: Yes
Description: Threat content rules focus on threat indicators and integration with threat intelligence feeds, such as the IBM X-Force Premium rules. X-Force Premium rules are common rules in QRadar, so they can be applied to either event or flow data.

  The following IP-based rules can generate offenses when:
  1. The Threat Content Extension is installed.
  2. The rule is enabled.
  3. The X-Force Feed is enabled in QRadar (System Settings) and any firewalls or proxies are configured to allow the feed traffic.

  IP Rules
  IP rules use the X-Force category and the confidence factor when evaluating events or flows. Categories include anonymization servers, botnet command and control, botnet, malware, dynamic IPs, scanning IPs, and spam. The following IP-based rules are added to QRadar and fire when an IP address in the named category meets the confidence factor configured in the rule. By default, these rules require a confidence factor of 75 or greater.
  • X-Force Premium: Internal Connection to Host Categorized as Malware
  • X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers
  • X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM
  • X-Force Premium: Non-Mail Servers Sending Mail to Servers Categorized as SPAM
  • X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic
  • X-Force Premium: Server Communicating with External IP Classified as Dynamic

  URL Rules
  URL rules use web site categories rather than a confidence factor. Categories include botnet, spam, gambling, job search, adult, and others. The following URL-based rules are added to QRadar when X-Force Premium is licensed. They apply to events that carry a URL in the URL (custom) custom property and test the categorization of that URL.
  • X-Force Premium: Internal Host Communicating with Botnet Command and Control URL
  • X-Force Premium: Internal Host Communication with Malware URL

Extension: IBM Security Anomaly Content
Required for X-Force Premium users: No
Description: The Anomaly extension adds 10 anomaly rules and 9 building blocks, for a total of 19 content add-ons for QRadar.

Extension: IBM Security Compliance Content
Required for X-Force Premium users: No
Description: The Compliance extension adds 4 custom event properties, 42 event searches, 7 flow searches, 153 reports, 140 rules and building blocks, and 10 reference data sets.

Extension: IBM Security Intrusion Content
Required for X-Force Premium users: No
Description: The Intrusion extension adds 20 intrusion rules, 52 building blocks, and one reference data set, for a total of 73 content add-ons for QRadar.

Extension: IBM Security ISO 27001 Content
Required for X-Force Premium users: No
Description: The ISO 27001 extension adds 4 custom event properties, 29 event searches, 77 reports, 4 rules, and 31 building blocks, for a total of 145 content add-ons for QRadar.

Extension: IBM Security Reconnaissance Content
Required for X-Force Premium users: No
Description: The Recon extension adds 10 reference sets, 62 rules, and 42 building blocks, for a total of 114 content add-ons for QRadar.
 




What is the X-Force Threat Intelligence Feed for QRadar?


IBM Security X-Force Threat Intelligence provides two levels of data to customers: a free basic feed and a subscription-based premium feed for QRadar users. As of QRadar 7.2.8, the premium X-Force Threat Intelligence Feed is a core feature covered by the appliance support license. X-Force uses a series of data centers across the globe to collect tens of thousands of malware samples, analyze web pages and URLs, and run IP address analysis to categorize IP addresses. By categorizing IP addresses into segments such as malware hosts, spam sources, and anonymous proxies, this IP reputation data can be incorporated into QRadar rules, offenses, and events. This allows events to be captured more quickly and accurately than previously possible, with additional context for further analysis.





Firewalls and X-Force Data Updates


QRadar receives new X-Force IP reputation and URL data throughout the day, whenever new IP reputation or URL database information is available. The Console checks for updates every minute, so QRadar can be updated multiple times per day: new IP reputation information can arrive as often as every 2 minutes and URL data every 5 minutes. The updates are merged into their own local databases and the content is replicated from the Console out to the managed hosts in the deployment. In older versions of QRadar (7.2.3 or earlier), the X-Force data was delivered through QRadar automatic updates.

The following servers are contacted for X-Force data updates, licensing, dashboard widget feeds, and QRadar automatic updates:
Server contacted               Server description
update.xforce-security.com     X-Force Threat Intelligence Feed update server for IP reputation and URL data
license.xforce-security.com    X-Force Threat Intelligence licensing server
qmmunity.q1labs.com            QRadar automatic updates

Note: qmmunity.q1labs.com is also used for X-Force Threat Intelligence updates on QRadar Consoles at 7.2.3 and earlier.

The X-Force data includes IP reputation data, URL data, and categorization data. Administrators should expect these updates to consume bandwidth every day. The approximate daily bandwidth usage for each data type is:
  • IP Reputation (IPR) Data: 16 MB
  • WEB/URL Data: 5 MB
  • Web Application Categorization Data: 100 KB

How to Configure X-Force Feeds with Proxy Servers



The answer depends on the version of QRadar installed on your Console.

QRadar 7.2.4 and later
In QRadar 7.2.4, a change was made to unlink X-Force IP reputation data from the automatic update process. This means that X-Force data updates no longer use the proxy settings from the Auto Update screen on the Admin tab, as they did in QRadar 7.2.3. QRadar 7.2.4 uses new X-Force servers, and the IP reputation and URL lookup database is kept locally for evaluating rules. QRadar now fetches X-Force data through the Apache (httpd) service on the QRadar Console, which proxies the requests to the X-Force servers on the Internet. All QRadar appliances in the deployment, including the Console itself, contact Apache on the Console, which forwards the request to the X-Force servers. After the Console receives the data, the result is cached and served to every other host that requests new IP reputation data.



Unauthenticated Proxy Server Configuration
If your network requires a proxy, administrators must update the Apache (httpd) configuration on the Console so that the X-Force requests it forwards on behalf of the deployment are sent through the corporate proxy server. Note: NTLM proxy authentication is not supported.
 
Procedure
* Important* Restarting the Apache server on the Console logs out all users, and managed hosts might write error messages to their logs while Apache is restarting. The restart takes only a moment, but we suggest completing this work during a scheduled maintenance window.
 

  1. Log in to the QRadar Console as the root user.
  2. Edit the following file: /etc/httpd/conf.d/ssl.conf 
  3. Add the following lines before </VirtualHost> in the ssl.conf file:

    ProxyRemote https://license.xforce-security.com/ http://PROXY_IP:PROXY_PORT
    ProxyRemote https://update.xforce-security.com/ http://PROXY_IP:PROXY_PORT

    Note: Replace PROXY_IP and PROXY_PORT in step 3 with the IP address and port of the corporate proxy server. This configuration requires that the proxy allow an anonymous (no credentials) connection to the xforce-security.com servers.
  4. Save the changes to the ssl.conf file.
  5. Edit the following file: /opt/qradar/dca/server.ini
  6. Add the following information to the server.ini file:
    #
    # Configure proxy settings
    #
    [proxy_server]
    (type your proxy server IP address here)

    [proxy_port]
    (type your proxy port here)
     
  7. Type the following commands to restart the Apache server and scaserver on the Console (run them in sequence, not in the background):
  • QRadar 7.2.8 and earlier: /opt/qradar/init/scaserver restart && service apache restart
  • QRadar 7.3.0 and later: apachectl restart && systemctl restart scaserver


Basic Authentication for Proxy Servers
Administrators who have basic authentication enabled on their proxy server can configure the proxy credentials in the server.ini file on the QRadar Console. The password is stored in clear text in this file, so use a dedicated proxy account that has no other privileges.
 
Procedure
  1. Log in to the QRadar Console as the root user.
  2. Edit the following file: /opt/qradar/dca/server.ini
  3. Add the following information to the server.ini file:

    #
    # Configure proxy settings
    #
    [proxy_server]
    (type your proxy server IP address here)

    [proxy_port]
    (type your proxy port here)

    [proxy_user]
    (type your proxy username here)

    [proxy_pass]
    (type your proxy password here)

     
  4. Save the changes to the server.ini file.
  5. To restart the scaserver and load the file changes, type one of the following commands:
    QRadar 7.2.8 and earlier: /opt/qradar/init/scaserver restart
    QRadar 7.3.0 and later: systemctl restart scaserver
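The two procedures above (unauthenticated proxy and basic authentication) both come down to editing ssl.conf and server.ini by hand on the Console. The following is an added example, not IBM's code: it produces the content those files need so the result can be reviewed and diffed before Apache and scaserver are restarted. The proxy address 10.0.0.5:3128, the service account and the sample ssl.conf are illustrative assumptions; the file paths and the directive layout are the ones the procedures name.

```python
"""Stage the Console proxy settings from the X-Force proxy procedures.

Added example, not IBM's code. Proxy address, credentials and the sample
ssl.conf below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Optional

# The two X-Force hosts the procedure routes through the corporate proxy.
XFORCE_HOSTS = ("license.xforce-security.com", "update.xforce-security.com")
_PROXY_REMOTE_RE = re.compile(
    r"^\s*ProxyRemote\s+https://(license|update)\.xforce-security\.com/", re.I)


def validate_proxy(proxy_ip: str, proxy_port: int) -> None:
    """Reject obviously bad input before it lands in httpd's configuration."""
    ipaddress.ip_address(proxy_ip)            # raises ValueError on a non-address
    if not 1 <= int(proxy_port) <= 65535:
        raise ValueError(f"proxy port out of range: {proxy_port}")


def proxy_remote_lines(proxy_ip: str, proxy_port: int) -> List[str]:
    """The ProxyRemote directives from step 3 of the unauthenticated procedure."""
    validate_proxy(proxy_ip, proxy_port)
    return [f"ProxyRemote https://{host}/ http://{proxy_ip}:{proxy_port}"
            for host in XFORCE_HOSTS]


def add_proxy_remote(ssl_conf: str, proxy_ip: str, proxy_port: int) -> str:
    """Return ssl.conf with the ProxyRemote directives placed before the last </VirtualHost>.

    Earlier ProxyRemote directives for the X-Force hosts are dropped first, so
    re-running after the corporate proxy moves does not leave a stale directive
    that httpd would keep using. A file without </VirtualHost> is an error: the
    directives must not be appended blindly outside the SSL virtual host.
    """
    kept = [ln for ln in ssl_conf.splitlines() if not _PROXY_REMOTE_RE.match(ln)]
    closers = [i for i, ln in enumerate(kept) if ln.strip().lower() == "</virtualhost>"]
    if not closers:
        raise ValueError("no </VirtualHost> found in ssl.conf; not inserting")
    at = closers[-1]
    return "\n".join(kept[:at] + proxy_remote_lines(proxy_ip, proxy_port) + kept[at:]) + "\n"


def render_server_ini(proxy_ip: str, proxy_port: int,
                      proxy_user: Optional[str] = None,
                      proxy_pass: Optional[str] = None) -> str:
    """Proxy block for /opt/qradar/dca/server.ini in the layout the procedures show:
    a [section] header followed by the bare value on the next line.

    proxy_user/proxy_pass are only emitted together (basic-auth procedure);
    the unauthenticated procedure omits them.
    """
    validate_proxy(proxy_ip, proxy_port)
    if (proxy_user is None) != (proxy_pass is None):
        raise ValueError("proxy_user and proxy_pass must be supplied together")
    entries = [("proxy_server", proxy_ip), ("proxy_port", str(proxy_port))]
    if proxy_user is not None:
        entries += [("proxy_user", proxy_user), ("proxy_pass", proxy_pass)]
    lines = ["#", "# Configure proxy settings", "#"]
    for name, value in entries:
        lines += [f"[{name}]", value, ""]
    return "\n".join(lines)


# Constructed stand-in for the Console's /etc/httpd/conf.d/ssl.conf, trimmed
# to the parts that matter here (not a real QRadar file).
SAMPLE_SSL_CONF = """\
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
"""


if __name__ == "__main__":
    # Illustrative proxy 10.0.0.5:3128 and service account; not real values.
    print(add_proxy_remote(SAMPLE_SSL_CONF, "10.0.0.5", 3128))
    print(render_server_ini("10.0.0.5", 3128, "svc-xforce", "example-password"))
```

Write the output over the two files, then run `apachectl configtest` before the restart in step 7 so that a typo in ssl.conf does not take the Console UI down during the restart. After editing server.ini, check the file's ownership and mode: it now carries the proxy password, but scaserver must still be able to read it.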




For QRadar 7.2.3 and earlier
For administrators using QRadar 7.2.3 or earlier, X-Force IP reputation data is delivered through the QRadar auto update process, which uses qmmunity.q1labs.com for both auto updates and X-Force IP reputation data. If a corporate proxy is in place, the proxy information is configured in the user interface from the Admin tab. These changes require a user with the administrator user role.

Procedure
  1. Log in to the QRadar Console as an admin user.
  2. Click the Admin tab.
  3. Click the Auto Update icon.
  4. Click Change Settings.
  5. Click the Advanced tab.
  6. Type the IP address, port, and credentials for your proxy server.

  7. Click Save.

My rules are grouped by "Enhanced X-Force Rules" and "Legacy Rules". How are these rule groups different?


X-Force has been available in QRadar SIEM since version 7.2.0. The original X-Force common rules in QRadar evaluated the source or destination IP addresses in events or flows against the list of X-Force addresses. In QRadar 7.2.4 and later, the X-Force rules were enhanced to support not only IP-based rule tests but also URL tests for event rules, and a new value called the confidence factor. To ensure that user rules were not corrupted by the upgrade to QRadar 7.2.4, the rules were split into two separate groups, listed under the X-Force Premium rules group as "Enhanced X-Force Rules" and "Legacy Rules".

NOTE: Legacy X-Force rules are only shown if you have upgraded from a previous version of QRadar.


An example of a legacy X-Force rule test:
"when the [source IP|destination IP|any IP] is part of any of the following [remote network locations]"

Examples of enhanced X-Force rule tests, one IP-based and one URL-based:
"when [this host property] is categorized by X-Force as [Anonymization Servers|Botnet C&C|DynamicIPs|Malware|ScanningIPs|Spam] with confidence value [equal to] [this amount]" (based on IP address)
"when [this URL property] is categorized by X-Force as [Gambling|Auctions|Job Search|Alcohol|Social Networking|Dating|etc]" (based on URL)


 

Can I use Advanced Searches (AQL) with IBM X-Force?


Yes, users can use advanced searches to query X-Force categorization and confidence data from the Log Activity or Network Activity tab in QRadar.
 
Description: To search for source IP addresses in an X-Force category with a confidence factor above 50.
Example advanced search: select * from events where XFORCE_IP_CONFIDENCE('Spam',sourceip)>50

Description: To search for the X-Force categories associated with a URL.
Example advanced search: select url, XFORCE_URL_CATEGORY(url) as myCategories from events where XFORCE_URL_CATEGORY(url) IS NOT NULL

Description: To search for the X-Force categories associated with a source IP address.
Example advanced search: select sourceip, XFORCE_IP_CATEGORY(sourceip) as IPcategories from events where XFORCE_IP_CATEGORY(sourceip) IS NOT NULL
  1. Log in to the QRadar user interface.
  2. Click the Log Activity tab.
  3. Select Advanced Search from the drop-down on the Search toolbar.
  4. Type an advanced search expression, for example one of the queries from the table above.
     
  5. Click Search.


 

What is Confidence Factor?


The confidence factor is a value assigned to IP reputation data that represents how confident X-Force is that the traffic seen from the IP address is categorized correctly. It is a probability scale from 0 to 100, where 50 and above is the threshold at which customers should consider acting on a triggered rule. IP reputation is evaluated on time (first seen, last seen) and on the volume of messages or data. Take spam as an example: an IP reputation (Spam) entry of 0 indicates that traffic from the source IP is definitely not spam, whereas an entry of 100 indicates definite spam traffic. Values below 50 indicate a lower likelihood that spam is present and values above 50 a higher likelihood. These probabilities are based on the large volume of web-based data that IBM X-Force continuously collects and analyzes in its data centers around the world. As data is collected, the system evaluates questions such as "How much spam did we see from this IP address?" and "How frequently does this spam-flagged IP address show up in the IP reputation category?" The more often the behaviour is observed, the higher the confidence factor the system assigns.

Categorization and the Confidence Factor can be viewed when you investigate an IP address or URL in the X-Force Exchange.


When tuning rules, think of 50 as the tipping point. On assets of lower importance, an administrator might set an X-Force rule to trigger at a higher confidence factor (75) for specific categories such as Spam; this reduces the number of offenses generated for lower priority systems and non-critical assets, because the rule only triggers when X-Force rates the IP address at a confidence factor of 75 or above. An important system or critical business asset might be tuned to trigger the rule at a confidence factor of 50, which raises an offense at a lower level and brings attention to an issue more quickly for a business-critical system.
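The AQL table above and the confidence-factor tuning just described can be tried out locally. The following is an added example, not QRadar code: the reputation table, the events and the asset criticalities are constructed, and the three functions mimic the semantics the page gives for XFORCE_IP_CONFIDENCE, XFORCE_IP_CATEGORY and XFORCE_URL_CATEGORY rather than QRadar's implementation. It runs the three queries from the table over the sample events and then applies the 50-versus-75 threshold per asset that the tuning discussion recommends.

```python
"""X-Force AQL functions and confidence-factor tuning, evaluated locally.

Added example, not QRadar code. All data below is constructed; the lookup
functions mimic the documented AQL semantics and hold no real X-Force data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the local X-Force IP reputation database:
# ip -> {category: confidence factor, 0..100}.
IP_REPUTATION: Dict[str, Dict[str, int]] = {
    "203.0.113.10": {"Spam": 92, "DynamicIPs": 40},
    "203.0.113.11": {"Spam": 55},
    "203.0.113.12": {"Spam": 50},
    "198.51.100.7": {"Botnet C&C": 80, "Malware": 60},
}
# Constructed stand-in for the URL database. URLs carry categories only,
# no confidence factor, as the URL Rules section notes.
URL_CATEGORIES: Dict[str, List[str]] = {
    "http://bad.example/cnc": ["Botnet Command and Control"],
    "http://casino.example/": ["Gambling"],
}


def xforce_ip_confidence(category: str, ip: str) -> int:
    """XFORCE_IP_CONFIDENCE(category, ip): confidence that ip is in category; 0 if unknown."""
    return IP_REPUTATION.get(ip, {}).get(category, 0)


def xforce_ip_category(ip: str) -> Optional[List[str]]:
    """XFORCE_IP_CATEGORY(ip): categories for ip, or None (AQL NULL) if not in the feed."""
    cats = IP_REPUTATION.get(ip)
    return sorted(cats) if cats else None


def xforce_url_category(url: Optional[str]) -> Optional[List[str]]:
    """XFORCE_URL_CATEGORY(url): categories for url, or None when uncategorised."""
    return URL_CATEGORIES.get(url) if url else None


@dataclass
class Event:
    sourceip: str
    destinationip: str
    url: Optional[str] = None   # the URL (custom) property, if the event has one


# Constructed events. 10.1.1.0/24 is the internal network; the others are external.
EVENTS = [
    Event("203.0.113.10", "10.1.1.5"),    # inbound from a Spam source, confidence 92
    Event("203.0.113.11", "10.1.1.20"),   # inbound from a Spam source, confidence 55
    Event("203.0.113.12", "10.1.1.20"),   # inbound, Spam confidence exactly 50
    Event("10.1.1.5", "203.0.113.11"),    # critical asset talking to the confidence-55 Spam host
    Event("10.1.1.20", "203.0.113.11"),   # standard asset talking to the same host
    Event("10.1.1.20", "203.0.113.10"),   # standard asset talking to the confidence-92 Spam host
    Event("10.1.1.5", "198.51.100.7", "http://bad.example/cnc"),    # C&C peer with a URL property
    Event("10.1.1.5", "198.51.100.9", "http://intranet.example/"),  # unknown peer, uncategorised URL
]


def aql_spam_sources(events: List[Event], min_cf: int = 50) -> List[Event]:
    """select * from events where XFORCE_IP_CONFIDENCE('Spam', sourceip) > min_cf (strict, as in the table)."""
    return [ev for ev in events if xforce_ip_confidence("Spam", ev.sourceip) > min_cf]


def aql_url_categories(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """select url, XFORCE_URL_CATEGORY(url) from events where XFORCE_URL_CATEGORY(url) IS NOT NULL"""
    return [(ev.url, xforce_url_category(ev.url))
            for ev in events if xforce_url_category(ev.url) is not None]


# Tuning from the discussion above: business-critical assets alert at 50,
# everything else at the default 75. Asset criticality is constructed.
ASSET_CRITICALITY = {"10.1.1.5": "critical", "10.1.1.20": "standard"}
THRESHOLD = {"critical": 50, "standard": 75}


def evaluate_rule(events: List[Event], category: str) -> List[Tuple[Event, int]]:
    """Mimic an 'internal host communicating with host categorized as <category>' rule
    whose confidence threshold depends on the internal asset. Uses >= because a rule
    tuned to 75 fires at 75 or above."""
    hits = []
    for ev in events:
        crit = ASSET_CRITICALITY.get(ev.sourceip)
        if crit is None:
            continue                      # not one of our internal assets
        cf = xforce_ip_confidence(category, ev.destinationip)
        if cf >= THRESHOLD[crit]:
            hits.append((ev, cf))
    return hits


if __name__ == "__main__":
    for ev in aql_spam_sources(EVENTS):
        print("spam source:", ev.sourceip, xforce_ip_confidence("Spam", ev.sourceip))
    for ev, cf in evaluate_rule(EVENTS, "Spam"):
        print(f"offense: {ev.sourceip} ({ASSET_CRITICALITY[ev.sourceip]}) -> {ev.destinationip} Spam cf={cf}")
```

Note that the same external host (203.0.113.11, Spam confidence 55) produces an offense for the critical asset but not for the standard one, which is exactly the effect the tuning discussion describes. Also note the comparison: the AQL in the table uses a strict `> 50`, so the host at exactly 50 is not returned, whereas a rule configured as "equal to or greater than 50" would match it. Choose the comparison deliberately when you set the threshold.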


Is there a location where I can lookup and investigate IP address information?
Yes, we recommend that customers use IBM X-Force Exchange to look up and investigate IP addresses related to the botnet, spam, and malware categories. QRadar includes a right-click plug-in that lets administrators review and investigate IP addresses and URLs directly from the right-click menu; it is installed by default on QRadar 7.2.5 systems. In most cases the default rule threshold of 75 is an acceptable value because it represents a high probability that the classification is correct based on what is known. For information on the X-Force Exchange right-click plug-in, see QRadar: IBM X-Force Exchange Right-click Menu Plug-in FAQ.


 


Reporting an Incorrect IP Address, URL, or Categorization in X-Force to IBM


If administrators believe that an IP address or URL is mis-classified by X-Force, they should report it by commenting on the IP or URL on the X-Force Exchange website. All comments and updates are monitored by IBM, so every comment created by an authenticated user is reviewed by the X-Force team. Comments are not permitted for Guest accounts on the X-Force Exchange website.
 
How to report an issue to the X-Force Exchange team from QRadar
  1. Log in to QRadar.
  2. Right-click on an IP address or URL and select X-Force Exchange Lookup. (Optionally, navigate to https://exchange.xforce.ibmcloud.com/)

    The X-Force Exchange website opens and displays the information and confidence percentage for the IP address or URL categorization.
  3. Select the I agree to the Terms of Service check box.
  4. Click Log in.
    You must log in before making a comment. Guests are not allowed to submit comments on IP addresses or URLs.
  5. Click the Suggest Edit button.

  6. Fill out the submission form to comment on the IP address or URL.

  7. To receive updates on your comment, make sure you select Yes on the 'Stay Informed' option.
  8. Click Submit.
  9. After the comment is submitted, it is reviewed by the X-Force Exchange team. If you selected Stay Informed, the team provides feedback on your comment.







How to Report IP Addresses or URLs in Bulk for Incorrectly Categorized Sites


If administrators have a large number of IP addresses or URLs that they believe X-Force has mis-classified, they should report them to QRadar Support instead of entering comments by hand. Provide the list of IP addresses or URLs to a QRadar Support representative, who passes it to the X-Force team for review and resolution. This lets administrators submit data for many sites or IP addresses without entering a comment for each one.


How to report categorization issues in bulk
 
  1. Open an IBM Service Request for QRadar.
  2. Provide the list of IP addresses or URLs for X-Force review in your service request.
  3. The support representative will contact you using your preferred method of communication to confirm and clarify any questions from your request.
  4. The URL and IP address information will be forwarded to the X-Force team on your behalf.
   






Where do I find more information?


Document information

More support for: IBM QRadar SIEM

Component: Dashboard

Software version: 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 1701213

Modified date: 23 May 2019