IBM Support

QRadar: Threat Intelligence application third-party feeds and support policies

Question & Answer


Question

Does IBM® support Threat Intelligence application third-party feeds? This document outlines the work that is out of scope for Threat Intelligence application third-party feed cases and the responsibilities of the QRadar® administrator.

Answer

Responsibilities for third-party feed issues

IBM® Security Support does not support troubleshooting configuration issues for third-party threat intelligence feeds. QRadar administrators must contact the third-party vendor directly for configuration assistance, such as authentication, server locations, data format issues, and data quality issues.
 
Support type: Support for third-party feed issues
Description: QRadar® Support can assist with error messages, installation, or confirm product functionality for STIX/TAXII-based feeds for the Threat Intelligence app. QRadar Support can:
  1. Troubleshoot connectivity issues to ensure QRadar can receive data from third-party threat intelligence feeds. For example, users can open a case to have support confirm whether external network locations are accessible with curl commands from the QRadar Console or QRadar on Cloud.
  2. Explain error messages in poll.log that can prevent an administrator from receiving data from a third-party feed.
  3. Review reference sets that do not have an appropriate time to live (TTL).
  4. Confirm when threat feed configurations can create bottlenecks. For example, retrieving millions of indicators of compromise (IoCs) can cause polling issues or impact performance on the IBM Threat Intelligence application.
  5. Provide Threat Intelligence app logs to QRadar on Cloud (QRoC) administrators to investigate issues with third-party feed vendors.
  6. Validate configurations or procedures in IBM Documentation.
  7. Troubleshoot user interface or application errors when administrators add feeds.
Responsibility: QRadar technical support. To open a case or report a third-party feed issue, contact QRadar technical support.

Support type: Out-of-scope for QRadar Support
Description: The following topics are considered out-of-scope for technical support. QRadar Support reserves the right to close cases related to the following issues:
  1. Troubleshooting third-party feed configurations where the QRadar Threat Intelligence app is functioning as designed.
     Note: Administrators must contact the third-party vendor of those feeds to ensure proper configuration parameters are used for connectivity.
  2. Providing advice for best practices or security recommendations on threat intelligence sources.
  3. Troubleshooting scripts or utilities that modify threat intelligence data or work around documented restrictions that might cause errors on the IBM Threat Intelligence app. For example, "I need to confirm why the Threat Intelligence app generates an error after I convert STIX/TAXII 1.2 to version 2.0."
  4. Assisting with programmatic questions or functionality where users are enhancing reference set data from QRadar APIs. For example, "How do I use the QRadar API to import more data to the reference set for my threat intelligence feed?"


Document Information

Modified date: 28 June 2021

UID: ibm16427823