IBM Support

QRadar: How to verify X-Force IP, URL, and Web application database versions are current

Question & Answer


Question

How can a QRadar Administrator confirm the X-Force server database updates are current?

Answer

To verify whether the X-Force server is receiving the daily updates to the database, administrators with command line access to the QRadar Console can manually validate their database version against the IBM Security X-Force Database reference (http://www.xforce-security.com/dbversion/).

When the QRadar Console receives updates from the IBM X-Force Exchange, reference sets are updated and the latest versions are logged in /var/log/dca/dca_info.log.


Procedure

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Navigate to the /var/log/dca directory.
  3. To validate the X-Force database versions, run the following commands:
    • To view the X-Force URL database version, type:
      grep "UpdateModule.*url_database" /var/log/dca/dca_info.log | tail -2
    • To view the X-Force IP reputation database version:
      grep "UpdateModule.*ipr_database" /var/log/dca/dca_info.log | tail -2
    • To view the X-Force Web Application database version:
      grep "UpdateModule.*wac_database" /var/log/dca/dca_info.log | tail -2
  4. Compare the date and version information from the command-line output to the X-Force master database list: http://www.xforce-security.com/dbversion/
    Example output for the IP reputation database:
    13756   2024-06-25 23:25:10.974 N       UpdateModule    Updating client ipr_database (dcafilterdb) from 6.01784205 to 6.01784206
    13756   2024-06-25 23:25:10.975 N       UpdateModule    Update for client ipr_database completed with return code 2800

    Results
    If the database version is out of date, administrators can review their proxy configurations to verify that the X-Force Threat Intelligence feeds are enabled and that firewalls are not rejecting connections to update.xforce-security.com or license.xforce-security.com. For more information, see: Enabling X-Force Threat Intelligence in QRadar.
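
The three grep checks in step 3 can be combined into one pass that reports the newest version per database and flags a missing or old update. This is an added example, not IBM code: the function names, the 48-hour threshold, and the url_database sample lines are assumptions, and the field positions assume the log layout of the sample lines in step 4.

```shell
#!/bin/sh
# Added example (not IBM code). Field positions assume the log layout shown in
# the two sample lines under step 4; GNU date (-d) is assumed.
DCA_LOG="${DCA_LOG:-/var/log/dca/dca_info.log}"

# Print "<db> <version> <date> <time>" from the newest "Updating client <db>"
# line, or "<db> MISSING" if the log holds no update entry for that database.
xforce_latest() {   # usage: xforce_latest <db> [logfile]
    awk -v db="$1" '
        $5 == "UpdateModule" && $6 == "Updating" && $8 == db {
            found = 1; ver = $NF; stamp = $2 " " substr($3, 1, 8)
        }
        END { if (found) print db, ver, stamp; else print db, "MISSING" }
    ' "${2:-$DCA_LOG}"
}

# Append CURRENT or STALE by comparing the update time with <now>.
# max_hours defaults to 48: an assumption, the page only says updates are daily.
xforce_status() {   # usage: xforce_status <db> <logfile> <now> [max_hours]
    now=$3; max=${4:-48}
    set -- $(xforce_latest "$1" "$2")        # -> db version date time
    if [ "$2" = "MISSING" ]; then echo "$1 MISSING"; return 1; fi
    age=$(( ( $(date -u -d "$now" +%s) - $(date -u -d "$3 $4" +%s) ) / 3600 ))
    if [ "$age" -gt "$max" ]; then echo "$1 $2 $3 $4 STALE"; return 1; fi
    echo "$1 $2 $3 $4 CURRENT"
}

# Constructed sample log: the ipr_database lines are the ones shown in step 4,
# the url_database line (PID, time, versions) is made up; no wac_database entry.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
13001   2024-06-20 23:25:09.101 N       UpdateModule    Updating client url_database (constructed) from 0.00000001 to 0.00000002
13756   2024-06-25 23:25:10.974 N       UpdateModule    Updating client ipr_database (dcafilterdb) from 6.01784205 to 6.01784206
13756   2024-06-25 23:25:10.975 N       UpdateModule    Update for client ipr_database completed with return code 2800
EOF

# Demo against the sample, with a fixed "now" so the result is reproducible.
for db in url_database ipr_database wac_database; do
    xforce_status "$db" "$SAMPLE" "2024-06-26 08:00:00" || true
done
```

On a Console, call `xforce_status <db> /var/log/dca/dca_info.log "$(date -u '+%Y-%m-%d %H:%M:%S')"` only if the log timestamps are in UTC; otherwise pass the current time in the log's own time zone. The version still has to be compared against the X-Force master database list as in step 4.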



Document Information

Modified date:
26 June 2024

UID

swg21999043