Rohan_Patil
New Member
July 3, 2025
Question

Need assistance for FortiSOAR TAXII server mismatch with QRadar Threat feed downloader


Hello Everyone,

 

I need help to ingest data from the FortiSOAR (Version: 7.6.2-5507) Threat Feed into the Threat Feed Downloader of QRadar using the Threat Intelligence App.

 

After configuring the FortiSOAR Threat feed and creating sample datasets, I tried using that in the Threat Intelligence App/Threat Feed Downloader. I selected TAXII version 2.0 during configuration since QRadar supports TAXII 1.x or 2.0 as per the wizard. The setup wizard completed successfully, and I was able to select the desired dataset that we had configured in FortiSOAR. However, after completing the setup, polling the connector does not result in any signature/observable downloads. Additionally, the following errors are logged in the QRadar log file:

===================================
2025-06-27 16:25:03,286 [com.ibm.ThreatIntelligence] [taxii_ctxt.py:698] [INFO] - Retrieving observables from https://soar123:443/api/taxii/1/collections for collection 66156f6b-28ed-4d26-ba3d-5a44322486ef between 2025-06-27T10:29:26Z and 2025-06-27T10:55:03Z...
2025-06-27 16:25:05,610 [com.ibm.ThreatIntelligence] [taxii_ctxt.py:789] [ERROR] - Unable to retrieve STIX 2.0 observable(s) from https://soar123:443/api/taxii/1/collections; Unexpected Response. Got Content-Type: 'application/taxii+json;version=2.1' for Accept: 'application/vnd.oasis.taxii+json; version=2.0'
If you are trying to contact a TAXII 2.0 Server use 'from taxii2client.v20 import X'
If you are trying to contact a TAXII 2.1 Server use 'from taxii2client.v21 import X'
2025-06-27 16:25:05,610 [com.ibm.ThreatIntelligence] [poll.py:92] [INFO] - Updating QRadar with observables from collection 66156f6b-28ed-4d26-ba3d-5a44322486ef found in TAXII feed https://soar123:443/api/taxii/1/collections
===================================

 

Has anyone encountered this issue and discovered a workaround that can be applied on the FortiSOAR side, such as downgrading the TAXII version from 2.1 to 2.0?

 

Thanks,
-Rohan

2 replies

anerot-forti
Staff
July 21, 2025

Hi,

When you open the "Feed Dataset" on FortiSOAR, do you retrieve any data?

Regards

tkanade
Staff
August 6, 2025

Hi, with a minor code modification in the QRadar TI app (ThreatIntelligenceApp.2.5.0.zip) for the FortiSOAR issue, QRadar (7.5.0 UpdatePackage 8) was able to ingest IOCs from FortiSOAR TIM.
The issue is that FortiSOAR sends data with a timestamp which has seconds and not microseconds, as expected by QRadar. We are tracking this issue.

As per https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html:

The timestamp type defines how timestamps are represented in TAXII and is represented in serialization as a string.

 

  • The timestamp type MUST be a valid RFC 3339-formatted timestamp [RFC3339] using the format YYYY-MM-DDTHH:MM:SS.ssssssZ. Unlike the STIX timestamp type, the TAXII timestamp MUST have microsecond precision.
  • The timestamp MUST be represented in the UTC timezone and MUST use the “Z” designation to indicate this.
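
The timestamp rule quoted above, as an added example that is not part of the thread and is not code from the QRadar app or FortiSOAR: a check for the strict TAXII 2.1 form, plus a tolerant normalizer that pads a seconds-only value to microseconds. All function names are hypothetical and the sample timestamps are constructed.

```python
import re
from datetime import datetime

# UTC "Z" timestamp with an optional fractional-seconds part of any length.
_LENIENT = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")
# Strict TAXII 2.1 shape: exactly six fractional digits.
_STRICT = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}Z")
_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def is_taxii21_timestamp(value: str) -> bool:
    """True only for a real date/time written as YYYY-MM-DDTHH:MM:SS.ssssssZ."""
    if not _STRICT.fullmatch(value):
        return False
    try:
        datetime.strptime(value, _FMT)
    except ValueError:  # e.g. month 13 or February 30
        return False
    return True


def to_taxii21(value: str) -> str:
    """Re-emit a UTC timestamp with exactly six fractional digits."""
    match = _LENIENT.fullmatch(value)
    if not match:
        raise ValueError(f"not a UTC 'Z' timestamp: {value!r}")
    base, frac = match.groups()
    micro = (frac or "")[:6].ljust(6, "0")  # pad seconds-only, truncate extra
    normalized = f"{base}.{micro}Z"
    datetime.strptime(normalized, _FMT)  # raises ValueError on impossible dates
    return normalized


def audit(values):
    """Return (original, compliant?, normalized or None) for each timestamp."""
    report = []
    for value in values:
        try:
            report.append((value, is_taxii21_timestamp(value), to_taxii21(value)))
        except ValueError:
            report.append((value, False, None))
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from a real feed.
    for row in audit(["2025-06-27T10:29:26Z", "2025-06-27T10:29:26.5Z",
                      "2025-06-27T10:29:26.000000Z", "2025-06-27 10:29:26"]):
        print(row)
```

Running `audit` over the timestamp fields of a feed response shows which values a strict TAXII 2.1 consumer would reject and what the compliant form would be.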