IBM X-Force Exchange Feeds CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.1.0 |
| Compatible with ThreatQ Versions | >= 4.31.0 |
| Support Tier | ThreatQ Supported |
Introduction
ThreatQ integration with IBM X-Force® Incident Response and Intelligence Services (IRIS) team integrates security threat intelligence, incident response and remediation to help minimize the loss.
The integration provides the following feeds:
|
|
The integration ingests indicator and indicator attributes.
Prerequisites
Per the IBM X-Force Exchange documentation: these feeds are only available for users with either an Advanced Threat Protection Feed subscription or an Enterprise subscription. For information regarding subscriptions, you can visit the IBM Marketplace.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description API Key Your IBM X-Force Exchange API Key. API Password Your IBM X-Force Exchange API password. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
All Feeds (Except Top Activity - URL / 10K)
All feeds except IBM X-Force Exchange - Top Activity - URL / 10K use the same mapping table. IBM X-Force Exchange - Top Activity - URL / 10K has a different Feed Data Path for accessing Indicator Values, has a static Indicator Type of URL and Default Indicator Status of Review, and ingests the "Feed Category" Attribute.
Sample Response:
(specifically from "IBM X-Force Exchange - Anonymization Services - IPv4")
{
"FeedCategory": "Anonymization Services",
"FeedType": "IPv4",
"Version": "0000043381",
"CreationDate": "2020-02-20T08:05:30.597Z",
"IndicatorCount": "3",
"PartNo": "D01VKZX",
"Copyright": "(C) Copyright IBM Corp. 2019, 2020. All Rights Reserved.",
"data": [
"109.75.183.124",
"109.74.194.75",
"107.148.6.184"
]
}
ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples |
|---|---|---|---|---|
| data[] | Indicator.Value | See .FeedType | .CreationDate | 109.74.194.75 |
| .FeedType | Indicator.Type | See Indicator Type Mapping table below | N/A | "IPv4" / "IPv6" / "URL" |
Indicator Type Mapping
ThreatQuotient provides the following Indicator Type mapping:
| IBM X-Force Exchange Indicator Type | ThreatQ Indicator Type | Notes |
|---|---|---|
| IPv4 | IP Address | N/A |
| IPv6 | IPv6 Address | N/A |
| URL | URL or FQDN | By default, URL Indicators that are actually FQDNs will be ingested as FQDN Indicators via normalization. |
IBM X-Force Exchange - Top Activity - URL / 10K
Returns the top ten thousand URLs rated by activity as known by X-Force Exchange. The URLs provided by this feed are not guaranteed to be malicious or non-malicious. As a result, the default indicator status for the URL or FQDN Indicators ingested by this feed is Review.
GET https://api.xforce.ibmcloud.com/xfti/topact/url/10k
Sample Response:
{
"FeedCategory": "Top-Volume Domains",
"FeedType": "URL",
"Version": "0000000372",
"CreationDate": "2020-12-16T00:23:01.497Z",
"IndicatorCount": "10000",
"PartNo": "D01VKZX",
"Copyright": "(C) Copyright IBM Corp. 2019, 2020. All Rights Reserved.",
"data": [
{
"url": "google.com",
"categories": [
"Search Engines / Web Catalogues / Portals"
]
},
{
"url": "netflix.com",
"categories": [
"Cinema / Television"
]
},
{
"url": "microsoft.com",
"categories": [
"Software / Hardware",
"General Business"
]
}
]
}ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| data[].url | Indicator.Value | URL or FQDN | .CreationDate | google.com | By default, URL Indicators that are actually FQDNs will be ingested as FQDN Indicators via normalization. |
| .data[].categories[] | Indicator.Attribute | Feed Category | .CreationDate | "Search Engines / Web Catalogues / Portals" | N/A |
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
IBM X-Force Exchange - Anonymization Services - IPv4
| Metric | Result |
|---|---|
| Run Time | 11 minutes |
| Indicators | 22,301 |
IBM X-Force Exchange - Anonymization Services - IPv6
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 604 |
IBM X-Force Exchange - Anonymization Services - URL
| Metric | Result |
|---|---|
| Run Time | 67 minutes |
| Indicators | 149,568 |
| Indicator Attributes | 18,659 (derived from URLs) |
IBM X-Force Exchange - Botnet CnC Servers - IPv4
| Metric | Result |
|---|---|
| Run Time | 2 minutes |
| Indicators | 3,266 |
IBM X-Force Exchange - Botnet CnC Servers - IPv6
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 10 |
IBM X-Force Exchange - Botnet CnC Servers - URL
| Metric | Result |
|---|---|
| Run Time | 103 minutes |
| Indicators | 240,129 |
| Indicator Attributes | 59 (derived from URLs) |
IBM X-Force Exchange - Bots - IPv4
| Metric | Result |
|---|---|
| Run Time | 25 minutes |
| Indicators | 62,706 |
IBM X-Force Exchange - Bots - IPv6
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 39 |
IBM X-Force Exchange - Cryptocurrency mining - IPv4
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 373 |
IBM X-Force Exchange - Cryptocurrency mining - IPv6
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 18 |
IBM X-Force Exchange - Cryptocurrency mining - URL
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 844 |
| Indicator Attributes | 82 (derived from URLs) |
IBM X-Force Exchange - Early Warning - URL
| Metric | Result |
|---|---|
| Run Time | > 8 hours |
| Indicators | 807,652 |
| Indicator Attributes | 1,687 (derived from URLs) |
IBM X-Force Exchange - Malware - IPv4
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 812 |
IBM X-Force Exchange - Malware - IPv6
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 7 |
IBM X-Force Exchange - Malware - URL
| Metric | Result |
|---|---|
| Run Time | 33 minutes |
| Indicators | 43,409 |
| Indicator Attributes | 35,129 (derived from URLs) |
IBM X-Force Exchange - Phishing - URL
| Metric | Result |
|---|---|
| Run Time | 28 minutes |
| Indicators | 38,105 |
| Indicator Attributes | 18,599 (derived from URLs) |
IBM X-Force Exchange - Scanning IPs - IPv4
| Metric | Result |
|---|---|
| Run Time | 106 minutes |
| Indicators | 235,413 |
IBM X-Force Exchange - Scanning IPs - IPv6
| Metric | Result |
|---|---|
| Run Time | < 1 minute |
| Indicators | 0 |
- At the time these feed run metrics were gathered, this feed returned only a single IPv6 address:
2001:db8:1234::3. Reserved IPv6 addresses are not ingested by ThreatQ, and any addresses matching the CIDR Block2001:db8::/32are reserved per RFC 3949.
IBM X-Force Exchange - Top Activity - URL / 10K
| Metric | Result |
|---|---|
| Run Time | 6 minutes |
| Indicators | 9,596 |
| Indicator Attributes | 9,662 |
Known Issues / Limitations
- Streaming errors that occur between the X-Force Exchange server and ThreatQ, after the HTTP status code 200 was received by ThreatQ, will cause the stream to end. This will cause the following feed run error as seen in the ThreatQ UI:
Error fetching data from provider: 524, message='None'. This corresponds to a 524 Timeout Occurred error. The user can disable and re-enable the feed in order to kick off another scheduled run to try again. This error may occur several times in a row.- This error is also documented in the IBM X-Force Exchange documentation.
- Due to the amount of data provided by the feed IBM X-Force Exchange - Early Warning - URL, users may experience ThreatQ system performance issues, such as failed batches due to timeout errors. There is not much one can do to completely mitigate this, but some suggestions are:
- Make sure IBM X-Force Exchange - Early Warning - URL is the only feed enabled when one wants to run it.
- Do not leave IBM X-Force Exchange - Early Warning - URL enabled for consecutive daily runs. Periodically re-enable it to ingest the latest data. Each run will attempt to consume over 800k URL Indicators.
Change Log
- Version 1.1.0
- Removed ingesting the following attributes from all IBM X-Force Exchange feeds:
- Feed Type
- Copyright
- Version
- Part Number
- Removed the Feed Category attribute from all feeds (except for IBM X-Force Exchange - Top Activity - URL / 10k).
- Improved efficiency of IBM X-Force Exchange - Top Activity - URL / 10K.
- By default, all Indicators ingested via IBM X-Force Exchange - Top Activity - URL / 10K will have the Review Indicator Status since the URLs provided by this feed are not guaranteed to be malicious or non-malicious.
- Removed ingesting the following attributes from all IBM X-Force Exchange feeds:
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| IBM X-Force Exchange Feeds CDF Guide v1.1.0 | 4.31.0 or Greater |
| IBM X-Force Exchange Feeds CDF Guide v1.0.0 | 4.31.0 or Greater |