Outgoing feed - Qradar Outgoing Feed

Note

This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

Specifications

Transport type: Qradar Outgoing Feed

Content type: Qradar JSON model

Published data: Creates a reference set or reference data table on your Qradar instance and pushes observables and their related entities to it.

Requirements

  • Qradar instance URL

  • Qradar user account with permissions to access:

    • Reference Data Table API

    • Reference Set Table API

  • For that user account:

    • Qradar Secret Token

Configure the outgoing feed

  1. Create or edit an outgoing feed.

  2. Set a name for this outgoing feed in Outgoing feed name.

  3. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Datasets*

    Select one or more existing datasets from the drop-down menu. The menu only displays datasets that contain observables supported by the Transport type you’ve selected.

    See Supported observable types for more information.

    Update strategy*

    Select an update strategy.

    See Update strategies for more information.

    Transport type*

    Select Qradar Outgoing Feed from the drop-down menu.

    Content type*

    Select Qradar JSON model from the drop-down menu.

    API URL*

    Set this to the URL for your Qradar instance.

    Security Token*

    Enter the security_token generated by the Qradar application.

    Add to Reference Set*

    Select this to push data to a Qradar reference set. Once selected, fill in the Reference Set table and Time to Live fields.

    Reference Set table*

    Default: EIQ-IOC. Provide the name of the reference set table to which the observables and their related entity data are sent. A suffix (e.g., -ip, -domain) is added automatically based on the IOC type.

    Time to Live*

    Specify how long each entry remains in the reference set before it expires. Use formats such as ‘5 minutes’, ‘1 month’ or ‘1 day’. Leave blank for no expiration.

    Add to Reference Data Tables*

    Default: the table name is derived from the outgoing feed name, using the structure eiq_{feed_id}{feed_name}{type(ip|domain)}.

    Skip Deletion of Reference Data Items*

    Enabling this option retains existing items in the reference data table when the ‘diff’ strategy is used. This is recommended for large datasets, where deleting items can be slow or cause performance issues.

  4. Store your changes by selecting Save.

Update strategies

Select an update strategy to determine how this outgoing feed updates the Qradar reference set table or reference data table, depending on the configuration.

Important

Update strategies behave slightly differently in this outgoing feed. Read the descriptions below carefully.

Append

Each time this feed runs, new and updated observables with related entities are sent to the Reference set table or Reference data table based on the configuration.

Diff

Each time the feed runs:

  • New and updated observables with related entities are sent to the reference set table or reference data table, depending on the configuration.

  • Observables that have been removed from the dataset are removed from the reference set or reference data table, depending on the configuration.
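The naming conventions from the field table above (the -ip/-domain suffix on the reference set name and the eiq_{feed_id}{feed_name}{type} structure for reference data tables) and the Append/Diff strategies can be checked before a feed is saved. The following is an added example, not code from this documentation or from the product: it models those conventions and strategies as plain functions, validates a Time to Live value, and optionally reads a reference set back from Qradar so you can confirm what a feed run actually pushed. The single-hyphen join in the suffix, the accepted TTL units, the /api/reference_data/sets/{name} endpoint, the SEC header and the shape of its JSON response are assumptions drawn from the public Qradar REST API, not from this page.

```python
"""Checks for a Qradar outgoing feed configuration (added example).

Not part of the original documentation or the product's code. Naming
conventions and update strategies follow the page; the API call at the
end is an assumption about the public Qradar REST API.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Assumed set of units accepted in the Time to Live field.
TTL_UNITS = {"minute", "hour", "day", "week", "month", "year"}


def reference_set_name(base_name: str, ioc_type: str) -> str:
    """Reference set the feed writes to: configured name plus a type suffix.

    The page says a suffix such as -ip or -domain is added automatically;
    the exact join with a single hyphen is an assumption."""
    return f"{base_name}-{ioc_type}"


def reference_table_name(feed_id: int, feed_name: str, ioc_type: str) -> str:
    """Reference data table name, following the documented structure
    eiq_{feed_id}{feed_name}{type(ip|domain)} literally."""
    if ioc_type not in ("ip", "domain"):
        raise ValueError(f"unsupported type for reference data table: {ioc_type}")
    return f"eiq_{feed_id}{feed_name}{ioc_type}"


def parse_ttl(ttl: str) -> Optional[Tuple[int, str]]:
    """Validate a Time to Live value such as '5 minutes' or '1 month'.

    Returns (count, unit) with the unit in singular form, or None for a
    blank value (no expiration). Raises ValueError for anything else so a
    typo is caught before the feed is saved."""
    ttl = (ttl or "").strip()
    if not ttl:
        return None
    m = re.fullmatch(r"(\d+)\s+([a-z]+?)s?", ttl.lower())
    if not m or m.group(2) not in TTL_UNITS:
        raise ValueError(f"unrecognised time to live: {ttl!r}")
    return int(m.group(1)), m.group(2)


def plan_update(strategy: str, current: set, incoming: set,
                skip_deletion: bool = False) -> Tuple[set, set]:
    """Compute (values to add, values to remove) for one feed run.

    append: only values not yet present are pushed; nothing is removed.
    diff:   new values are pushed and values no longer in the dataset are
            removed, unless 'Skip Deletion of Reference Data Items' is on.
    """
    to_add = incoming - current
    if strategy == "append":
        return to_add, set()
    if strategy == "diff":
        to_remove = set() if skip_deletion else current - incoming
        return to_add, to_remove
    raise ValueError(f"unknown update strategy: {strategy}")


def fetch_reference_set_values(api_url: str, token: str, name: str) -> set:
    """Read a reference set back from Qradar to verify a push landed.

    Assumed endpoint: GET {api_url}/api/reference_data/sets/{name} with the
    token in the SEC header, and a JSON body whose 'data' list holds items
    with a 'value' key. Adjust if your Qradar version differs."""
    url = f"{api_url.rstrip('/')}/api/reference_data/sets/{urllib.parse.quote(name)}"
    req = urllib.request.Request(url, headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return {item["value"] for item in body.get("data", [])}


if __name__ == "__main__":
    # Constructed sample: what Qradar holds now versus what the dataset sends.
    current = {"203.0.113.10", "203.0.113.11"}
    incoming = {"203.0.113.11", "203.0.113.12"}
    print(reference_set_name("EIQ-IOC", "ip"))             # EIQ-IOC-ip
    print(reference_table_name(7, "blocklist", "domain"))  # eiq_7blocklistdomain
    print(parse_ttl("1 month"))                            # (1, 'month')
    for strategy in ("append", "diff"):
        add, remove = plan_update(strategy, current, incoming)
        print(f"{strategy}: add={sorted(add)} remove={sorted(remove)}")
```

With the sample sets, Append adds 203.0.113.12 and removes nothing, while Diff additionally removes 203.0.113.10; passing skip_deletion=True to the diff plan reproduces the Skip Deletion option. To verify a real run, call fetch_reference_set_values with your API URL, token and the suffixed set name and compare the result with the dataset you published.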