QRadar does not ingest feed from Opentaxii

[JohanPhom]

Hi everyone,

I am trying to ingest some IOC in QRadar from OpenTaxii in Docker container. Here is what I managed to do:

• Get the taxii server running
• Push/Pull data from the server using the taxii client Cabby
• Connect successfully from QRadar Threat Intelligence App to taxii server

However when I pull the data with 'Poll Now', I don't receive any data. I know the timestamp matters when QRadar pulls data so I tried to create an fresh IOC event (from MISP), and push it to the taxii server before pulling it from QRadar, but nothing.

I used tcpdump to check what the taxii server answers, and I can see the server sending the IOC to QRadar, so it seems that QRadar doesn't understand the data. When pulling from QRadar, I configured it to use TAXII 1.x.

Here is my configuration file for the taxii server:

domain: "mydomain.com:9000"

support_basic_auth: yes
return_server_error_details: yes

auth_api:
  class: opentaxii.auth.sqldb.SQLDatabaseAPI
  parameters:
    db_connection: sqlite:////data/auth.db
    create_tables: yes
    secret: secret
    token_ttl_secs: 3600

taxii1:
  save_raw_inbox_messages: yes
  xml_parser_supports_huge_tree: yes
  count_blocks_in_poll_responses: no
  unauthorized_status: UNAUTHORIZED
  hooks:
  persistence_api:
    class: opentaxii.persistence.sqldb.SQLDatabaseAPI
    parameters:
      db_connection: sqlite:////tmp/data.db
      create_tables: yes

taxii2:
  persistence_api:
    class: opentaxii.persistence.sqldb.SQLDatabaseAPI
    parameters:
      db_connection: sqlite:////data/data.db
      create_tables: yes

logging:
  opentaxii: debug
  root: debug

Regarding the services I have the exact default configuration from data-configuration.yml

Any help would be appreciated

[JohanPhom]

Issues is probably not related to QRadar. I managed to get data ingested into QRadar using other XML files in STIX format from other sources. I believe problem is probably because MISP is generating a STIX format non understandable for QRadar.