Enabling X-Force Threat Intelligence in QRadar

By enabling X-Force Threat Intelligence in QRadar®, you can receive feeds of the X-Force Threat Intelligence information to your console.

Before you begin

In QRadar V7.2.8 and later, the X-Force Threat Intelligence feed no longer needs to be purchased as a separate licensed subscription. After you update to QRadar V7.2.8, this feature is included with the standard license as part of the Service & Support contract.

Administrators who want access to the X-Force IP and URL reputation data feed must enable the X-Force Threat Intelligence feeds on their Console. Administrators can enable this feature from the System Settings screen of the Admin tab. All administrators must verify that the X-Force IP reputation feed is enabled before they attempt to enable X-Force rules on their appliance. Enabling the feed first prevents errors in QRadar and ensures that enabled rules are supplied data to trigger rules properly.

About this task

Use the following steps to enable X-Force Threat Intelligence Feeds for QRadar V7.2.8 and later.

Procedure

  1. Log in to QRadar as an administrator.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. From the Enable X-Force Threat Intelligence Feed drop-down menu, select Yes.
  5. Click Save.
  6. From the Admin tab, click Deploy Changes to enable the X-Force Threat Intelligence Feed for the deployment.
    Note: Administrators must allow Internet access from the QRadar Console to the following addresses to get X-Force Threat Intelligence Feed data from IBM®. The following servers are contacted for both X-Force data updates, licensing, dashboard widget feeds, and QRadar automatic updates:
    Server Contacted Server Description
    update.xforce-security.com X-Force Threat Intelligence Feed update server for IP reputation and URL data
    license.xforce-security.com X-Force Threat Intelligence licensing server

What to do next

After you enable the X-Force Threat Intelligence Feed, administrators who are on new installs need to ensure that they installed the Threat Content Extension. This procedure is discussed in the Installing extensions by using Extensions Management section, and it enables X-Force rules that work with the Threat Intelligence Feed.