This guide explains how to ingest Axur Platform feeds into IBM QRadar using the Universal Cloud REST API protocol with a custom workflow.
Note: This tutorial assumes you already have access to the Axur Platform and the required API Key.
UI note: Depending on your QRadar version, the location of Log Sources / Log Source Management may differ (top tab vs Admin → Log Sources). You must access this area to create and configure the integration. If you don’t see it or the Universal Cloud REST API protocol, go to Admin → Extensions Management to install/enable them.
Prerequisites
IBM QRadar version 7.3.2 or higher (Universal Cloud REST API support)
Access to Log Source Management (tab) or to Admin → Log Sources
Access to Admin → Extensions Management (to install apps/protocols if needed)
Administrative access to the QRadar console
Axur Platform API Key and a Feed ID
Cost and billing considerations
Important: This integration uses QRadar’s built-in Universal Cloud REST API capabilities, so there are no additional licensing costs for the integration itself.
The main cost considerations are:
QRadar licensing: Ensure your QRadar license supports the required features
Network bandwidth: Data ingestion from external APIs will consume bandwidth
Storage: Ingested events will consume QRadar storage space
Tip: A glossary of QRadar terms used in this tutorial is available at the end of the document.
1) Create the Axur Platform Feed
Create an API Key and a Feed directly on the Axur Platform. Keep both values at hand for later steps.
Generate an API Key
In the Axur Platform, go to API Keys configuration.
Create a new API key and copy the API Key value securely.
Note: The feed only returns data that the API key user has permission to access.
Create the Feed and copy its ID
(Optional) Validate the feed via API
Use curl to confirm the feed returns data using your API Key and Feed ID:
curl -sS \
  -H "Authorization: Bearer YOUR_AXUR_API_KEY" \
  -H "Accept: application/json" \
  "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/YOUR_FEED_ID" | jq '.'
On API & Integrations → Feeds, you can also monitor feed status over time (e.g., last request timestamp).
If no events are returned, verify the feed filters and the API key user’s permissions.
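To confirm which workflow to choose before touching QRadar, here is an added Python check (not part of this guide or Axur's own tooling) that calls the same feed endpoint and reports which collectionData path holds events, handling the 401/403, 429 and empty-feed cases that the troubleshooting section describes. The function names, the constructed sample body and the 60-second Retry-After fallback are assumptions of this example.

```python
import json
import urllib.error
import urllib.request

# Feed endpoint from this guide; the three feed types differ only in the collectionData key.
FEED_URL = "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/{feed_id}"
FEED_KEYS = {"tickets": "tickets", "credentials": "detections", "iocs": "iocs"}


def fetch_feed(api_key, feed_id, page=1):
    """Call the feed once and return (status_code, headers, body); body is {} on HTTP errors."""
    req = urllib.request.Request(
        FEED_URL.format(feed_id=feed_id) + f"?page={page}",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), {}


def classify_feed_response(status_code, headers, body):
    """Map one feed call to (outcome, detail); outcome is ok, empty, auth, rate_limited or error."""
    if status_code in (401, 403):
        return "auth", "API key invalid, expired, or not permitted to read this feed"
    if status_code == 429:
        # Honour Retry-After; in QRadar a larger minimumRecurrence achieves the same back-off.
        return "rate_limited", f"retry after {headers.get('Retry-After', '60')}s"
    if status_code != 200:
        return "error", f"HTTP {status_code}"
    collection = body.get("collectionData") or {}
    for feed_type, key in FEED_KEYS.items():
        events = collection.get(key)
        if isinstance(events, list) and events:
            return "ok", (feed_type, len(events))
    return "empty", "no events: check the feed filters and the API key user's permissions"


# Constructed sample shaped like a tickets feed response; not real Axur data.
SAMPLE_TICKETS_BODY = {"collectionData": {"tickets": [
    {"ticket_reference": "T-EXAMPLE-1", "detection_type": "phishing", "status": "open"},
    {"ticket_reference": "T-EXAMPLE-2", "detection_type": "brand_abuse", "status": "open"},
]}}

if __name__ == "__main__":
    print(classify_feed_response(200, {}, SAMPLE_TICKETS_BODY))
```

Run `classify_feed_response(*fetch_feed(api_key, feed_id))` with your real key and Feed ID to get the same verdict for a live call.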
From this point onward (Step 2+), all configuration is performed in the IBM QRadar console.
2) Locate Log Source Management (UI differences by version)
Depending on your QRadar version, Log Source Management may appear in different places.
In the QRadar console:
If you see a Log Source Management tab in the top navigation, open it.
Otherwise, go to Admin → Log Sources (classic view).
If you cannot find Log Source Management, install it via Admin → Extensions Management:
Click Add and install from IBM App Exchange, or upload the extension file
Install/enable the “Log Source Management” app
Deploy changes and wait for installation to complete
3) Create a New Log Source
Create a new log source using the Universal Cloud REST API protocol.
In the QRadar console:
Go to the Log Source Management tab, or navigate to Admin → Log Sources.
Click + New Log Source to add a new log source.
When prompted, select Single Log Source.
In the “Log Source Type” field, select Universal DSM. Then set the “Protocol Type” to Universal Cloud REST API.
Set the “Log Source Name” to something meaningful (e.g., Axur Platform Feed).
In the “Log Source Identifier” field, enter a descriptive name (e.g., Axur_Feed_Integration).
4) Configure the Workflow XML
Configure the workflow that defines how QRadar will collect events from the Axur feed.
The Axur Platform provides three types of feeds, each with a different data structure in the API response:
Tickets Feed: Returns data in /collectionData/tickets - used for ticket-based feeds (phishing, brand abuse, etc.)
Credentials Feed: Returns data in /collectionData/detections - used for credential leak detection feeds
IOCs Feed: Returns data in /collectionData/iocs - used for Indicators of Compromise feeds
Important: You must select the appropriate workflow XML based on your feed type. The only difference between the workflows is the path used to access the data in the API response.
In the log source configuration:
In the "Workflow" field, paste the XML that matches your feed type:
Workflow for Tickets Feed
Use this workflow when your feed returns ticket data (path: /collectionData/tickets):
<?xml version="1.0" encoding="UTF-8"?>
<Workflow name="Axur_Feed_Tickets_OneCall" version="1.0" minimumRecurrence="60"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
  <Parameters>
    <Parameter name="base_url" label="Base URL" default="https://api.axur.com" />
    <Parameter name="feed_id" label="Feed ID" required="true" />
    <Parameter name="jwt_token" label="JWT Bearer Token" required="true" secret="true" />
    <Parameter name="current_page" label="Page to Fetch" default="1" />
  </Parameters>
  <Actions>
    <!-- Build the feed URL from the base_url and feed_id parameters -->
    <Set path="/axur/url" value="${/base_url}/gateway/1.0/api/integration-feed/feeds/feed/${/feed_id}" />
    <CallEndpoint url="${/axur/url}" method="GET" savePath="/axur/response">
      <QueryParameter name="page" value="${/current_page}" />
      <RequestHeader name="Authorization" value="Bearer ${/jwt_token}" />
      <RequestHeader name="Accept" value="application/json" />
    </CallEndpoint>
    <!-- Rate limited: warn and stop; the next scheduled run retries -->
    <If condition="/axur/response/status_code = 429">
      <SetStatus type="WARN" message="Rate limited (429). Try increasing the minimumRecurrence (>= 30s) or wait for Retry-After." />
      <Abort reason="HTTP 429 from Axur API" />
    </If>
    <!-- Any other non-200 response (e.g. 401/403) aborts with the HTTP status -->
    <If condition="/axur/response/status_code != 200">
      <Abort reason="${/axur/response/status_code}: ${/axur/response/status_message}" />
    </If>
    <!-- Post each ticket object in the response as one QRadar event -->
    <If condition="${count(/axur/response/body/collectionData/tickets)} > 0">
      <PostEvents path="/axur/response/body/collectionData/tickets" source="${/base_url}" />
      <SetStatus type="INFO" message="Published ${count(/axur/response/body/collectionData/tickets)} events from page ${/current_page}." />
    </If>
    <Delete path="/axur/response" />
  </Actions>
  <Tests>
    <DNSResolutionTest host="api.axur.com"/>
    <SSLHandshakeTest host="api.axur.com"/>
  </Tests>
</Workflow>
Workflow for Credentials Feed
Use this workflow when your feed returns credential detection data (path: /collectionData/detections):
<?xml version="1.0" encoding="UTF-8"?>
<Workflow name="Axur_Feed_Credentials_OneCall" version="1.0" minimumRecurrence="60"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
  <Parameters>
    <Parameter name="base_url" label="Base URL" default="https://api.axur.com" />
    <Parameter name="feed_id" label="Feed ID" required="true" />
    <Parameter name="jwt_token" label="JWT Bearer Token" required="true" secret="true" />
    <Parameter name="current_page" label="Page to Fetch" default="1" />
  </Parameters>
  <Actions>
    <!-- Build the feed URL from the base_url and feed_id parameters -->
    <Set path="/axur/url" value="${/base_url}/gateway/1.0/api/integration-feed/feeds/feed/${/feed_id}" />
    <CallEndpoint url="${/axur/url}" method="GET" savePath="/axur/response">
      <QueryParameter name="page" value="${/current_page}" />
      <RequestHeader name="Authorization" value="Bearer ${/jwt_token}" />
      <RequestHeader name="Accept" value="application/json" />
    </CallEndpoint>
    <!-- Rate limited: warn and stop; the next scheduled run retries -->
    <If condition="/axur/response/status_code = 429">
      <SetStatus type="WARN" message="Rate limited (429). Try increasing the minimumRecurrence (>= 30s) or wait for Retry-After." />
      <Abort reason="HTTP 429 from Axur API" />
    </If>
    <!-- Any other non-200 response (e.g. 401/403) aborts with the HTTP status -->
    <If condition="/axur/response/status_code != 200">
      <Abort reason="${/axur/response/status_code}: ${/axur/response/status_message}" />
    </If>
    <!-- Post each detection object in the response as one QRadar event -->
    <If condition="${count(/axur/response/body/collectionData/detections)} > 0">
      <PostEvents path="/axur/response/body/collectionData/detections" source="${/base_url}" />
      <SetStatus type="INFO" message="Published ${count(/axur/response/body/collectionData/detections)} events from page ${/current_page}." />
    </If>
    <Delete path="/axur/response" />
  </Actions>
  <Tests>
    <DNSResolutionTest host="api.axur.com"/>
    <SSLHandshakeTest host="api.axur.com"/>
  </Tests>
</Workflow>
Workflow for IOCs Feed
Use this workflow when your feed returns IOC data (path: /collectionData/iocs):
<?xml version="1.0" encoding="UTF-8"?>
<Workflow name="Axur_Feed_IOCs_OneCall" version="1.0" minimumRecurrence="60"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
  <Parameters>
    <Parameter name="base_url" label="Base URL" default="https://api.axur.com" />
    <Parameter name="feed_id" label="Feed ID" required="true" />
    <Parameter name="jwt_token" label="JWT Bearer Token" required="true" secret="true" />
    <Parameter name="current_page" label="Page to Fetch" default="1" />
  </Parameters>
  <Actions>
    <!-- Build the feed URL from the base_url and feed_id parameters -->
    <Set path="/axur/url" value="${/base_url}/gateway/1.0/api/integration-feed/feeds/feed/${/feed_id}" />
    <CallEndpoint url="${/axur/url}" method="GET" savePath="/axur/response">
      <QueryParameter name="page" value="${/current_page}" />
      <RequestHeader name="Authorization" value="Bearer ${/jwt_token}" />
      <RequestHeader name="Accept" value="application/json" />
    </CallEndpoint>
    <!-- Rate limited: warn and stop; the next scheduled run retries -->
    <If condition="/axur/response/status_code = 429">
      <SetStatus type="WARN" message="Rate limited (429). Try increasing the minimumRecurrence (>= 30s) or wait for Retry-After." />
      <Abort reason="HTTP 429 from Axur API" />
    </If>
    <!-- Any other non-200 response (e.g. 401/403) aborts with the HTTP status -->
    <If condition="/axur/response/status_code != 200">
      <Abort reason="${/axur/response/status_code}: ${/axur/response/status_message}" />
    </If>
    <!-- Post each IOC object in the response as one QRadar event -->
    <If condition="${count(/axur/response/body/collectionData/iocs)} > 0">
      <PostEvents path="/axur/response/body/collectionData/iocs" source="${/base_url}" />
      <SetStatus type="INFO" message="Published ${count(/axur/response/body/collectionData/iocs)} events from page ${/current_page}." />
    </If>
    <Delete path="/axur/response" />
  </Actions>
  <Tests>
    <DNSResolutionTest host="api.axur.com"/>
    <SSLHandshakeTest host="api.axur.com"/>
  </Tests>
</Workflow>
5) Configure Workflow Parameters
Set the required parameters for the workflow to connect to the Axur API.
In the “Workflow Parameter Values” field, paste the following XML and replace the placeholder values:
<?xml version="1.0" encoding="UTF-8"?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
  <Value name="feed_id" value="YOUR_AXUR_FEED_ID"/>
  <Value name="jwt_token" value="YOUR_AXUR_API_KEY"/>
</WorkflowParameterValues>
Important: Replace the following values:
YOUR_AXUR_FEED_ID: The Feed ID you copied from the Axur Platform
YOUR_AXUR_API_KEY: Your Axur API Key
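Before pasting the two XML fragments, an added Python check (example code, not from this guide or from IBM) parses a workflow together with its WorkflowParameterValues and flags placeholders left unreplaced, required parameters with no value, and a PostEvents path that does not match the feed type chosen in step 4. The check_workflow name and the trimmed sample XML strings are constructed for this example.

```python
import xml.etree.ElementTree as ET

WF_NS = "{http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2}"
PV_NS = "{http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2}"
# PostEvents path each feed type must use, as listed in step 4 of this guide.
FEED_PATHS = {
    "tickets": "/axur/response/body/collectionData/tickets",
    "credentials": "/axur/response/body/collectionData/detections",
    "iocs": "/axur/response/body/collectionData/iocs",
}


def check_workflow(workflow_xml, values_xml, feed_type):
    """Return a list of problems found; an empty list means the pair is ready to paste."""
    problems = []
    workflow = ET.fromstring(workflow_xml)
    values = {v.get("name"): v.get("value") or ""
              for v in ET.fromstring(values_xml).iter(PV_NS + "Value")}
    for param in workflow.iter(WF_NS + "Parameter"):
        name = param.get("name")
        if param.get("required") == "true" and not values.get(name):
            problems.append(f"required parameter '{name}' has no value")
        if values.get(name, "").startswith("YOUR_"):
            problems.append(f"parameter '{name}' still holds a placeholder")
    posted = [e.get("path") for e in workflow.iter(WF_NS + "PostEvents")]
    if FEED_PATHS[feed_type] not in posted:
        problems.append(f"workflow posts {posted}, but a {feed_type} feed needs {FEED_PATHS[feed_type]}")
    return problems


# Constructed minimal tickets workflow (parameters and PostEvents only) and two value files.
SAMPLE_WORKFLOW = """<Workflow name="t" version="1.0" minimumRecurrence="60"
  xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
  <Parameters>
    <Parameter name="feed_id" label="Feed ID" required="true"/>
    <Parameter name="jwt_token" label="JWT Bearer Token" required="true" secret="true"/>
  </Parameters>
  <Actions><PostEvents path="/axur/response/body/collectionData/tickets" source="x"/></Actions>
</Workflow>"""
VALUES_PLACEHOLDER = """<WorkflowParameterValues
  xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
  <Value name="feed_id" value="YOUR_AXUR_FEED_ID"/>
</WorkflowParameterValues>"""
VALUES_FILLED = """<WorkflowParameterValues
  xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
  <Value name="feed_id" value="feed-example-123"/>
  <Value name="jwt_token" value="example-api-key"/>
</WorkflowParameterValues>"""

if __name__ == "__main__":
    print(check_workflow(SAMPLE_WORKFLOW, VALUES_PLACEHOLDER, "tickets"))
```

Point it at the full workflow from step 4 and your filled-in parameter values to catch the wrong-feed-type mistake before deploying.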
6) Configure Additional Settings
Set up additional configuration options for the log source.
Use Proxy: If your network requires a proxy to access external APIs, enable this and provide proxy details.
Recurrence: Set the frequency for data collection (default: 10 minutes). For the Axur feed, we recommend starting with 5 minutes.
7) Save and Deploy Changes
Complete the configuration and deploy changes so the log source becomes active.
Review all settings to ensure they are correct.
Click Finish to save the log source configuration.
Go to the Admin tab/page and click Deploy Changes to apply the configuration across QRadar. Depending on version, the button may appear at the top-right or as a banner action.
Wait for the deployment to complete. The log source will show as “Active” only after deployment.
After deployment, wait a few minutes for the initial data collection to begin.
Validation
After configuring the log source, wait 10-15 minutes for the first data collection cycle to complete, then verify the integration is working correctly.
Check Log Activity
Navigate to Log Activity in the QRadar console.
Search for events from your log source using the log source name or identifier.
Look for events with source “https://api.axur.com” or your log source identifier.
Verify Event Structure
Check that events contain the expected fields from the Axur feed:
ticket_reference
ticket_key
customer_key
detection_type
status
assets
attachments
Monitor Log Source Status
Go to Admin → Log Sources.
Find your Axur log source and check its status.
Look for any error messages or warnings in the log source details.
Troubleshooting
Common Issues and Solutions
No events appearing in Log Activity:
Verify the Feed ID and API Key are correct
Check if the log source is enabled and active
Ensure the recurrence interval is not too long
Check QRadar logs for error messages
HTTP 401/403 errors:
Verify the API Key is valid and has proper permissions
Check if the API Key has expired
Ensure the Feed ID exists and is accessible
HTTP 429 errors (Rate Limiting):
Increase the minimumRecurrence value in the workflow (e.g., from 60 to 120 seconds)
Reduce the frequency of API calls by increasing the recurrence interval
Connection timeouts:
Check network connectivity to api.axur.com
Verify proxy settings if using a proxy
Increase timeout values in the log source configuration
SSL/TLS errors:
Enable “Allow Untrusted Certificates” if needed
Check if your QRadar instance can resolve api.axur.com
Verify SSL handshake tests pass
Debugging Steps
Check Log Source Logs:
Go to Admin → Log Sources
Click on your Axur log source
Review the “Last Error” and “Status” information
Test Connectivity:
Use the built-in connectivity tests in the log source configuration
Check DNS resolution and SSL handshake tests
Verify API Access:
Test the API directly using curl or similar tools
Ensure the API Key works with the specific Feed ID
Check QRadar System Logs:
Review QRadar system logs for any related error messages
Look for Universal Cloud REST API specific errors
Advanced Configuration
Custom Event Mapping
You can customize how events are mapped in QRadar by modifying the workflow XML. The current workflow posts events as-is from the Axur API, but you can add transformations if needed.
Multiple Feeds
To integrate multiple Axur feeds, create separate log sources for each feed with different Feed IDs and configurations.
Filtering and Parsing
Consider adding parsing rules in QRadar to extract specific fields from the Axur events for better analysis and correlation.
Glossary
QRadar Console: The web-based administrative interface for IBM QRadar
Log Source Management: QRadar application that manages external data sources
Universal Cloud REST API: QRadar protocol for integrating with cloud-based APIs
Workflow: XML configuration that defines how QRadar collects and processes data from external sources
Log Source: A configured data source in QRadar that collects logs from external systems
Log Activity: QRadar interface for viewing and searching collected log events
Recurrence: The frequency at which QRadar polls external data sources for new data
JWT Bearer Token: Authentication method used by the Axur API
Feed ID: Unique identifier for a specific data feed in the Axur Platform
Rate Limiting: API protection mechanism that limits the number of requests per time period
SSL Handshake: Process of establishing a secure connection between QRadar and external APIs
DNS Resolution: Process of converting domain names to IP addresses
Proxy: Network intermediary that forwards requests between QRadar and external APIs
If you have any questions, feel free to reach out at [email protected] 😊