DomainTools App for QRadar


App Startup Guide for Version 1.0.480
Updated November 1, 2017

Table of Contents
- DomainTools App for QRadar
- App Features
- Prerequisites
  - Data Source Identification
  - Data Source FQDN Field
- App Configuration
  - QRadar User Account
  - App Settings
  - Log Sources
  - App Log
- Reference Data
  - Managing Reference Data
  - DomainTools Reference Data Collections
- Sample AQL
- DomainTools App Area

(c) 2017 DomainTools LLC

App Features

The DomainTools App for QRadar populates reference data with DomainTools domain profile and risk scores for domain names observed in QRadar events. It also provides a DomainTools app area to research a single domain name to uncover domain ownership profiles, risk scores, and more. Key capabilities enabled by the app include:
- Create offenses using DomainTools proprietary proximity-based domain risk scores
- Investigate domain names in context, without leaving QRadar
- Target threat hunting at key aspects of a domain name's registration profile

Prerequisites

Data Source Identification

Before installing the app, first identify which data source(s) in your QRadar instance contain domain names. DomainTools data works best with web proxy log data, because the domain names are easy to extract, and the web traffic captures most of the interactions between end-user workstations on your network and potentially malicious domain names. Other less common but still effective log sources include DNS logs or logs from next-generation, layer 7 firewalls that also contain domain name data. Once you locate the list of data sources, take note of the log source names in QRadar. You will use them later when setting up the DomainTools app.

Data Source FQDN Field

For the DomainTools app to function optimally, your log source should provide a field that contains only a fully-qualified domain name, and if possible, it should be labeled FQDN. This documentation will assume the field name is FQDN unless otherwise noted.

Here's why this is important. DomainTools provides Whois and risk scoring data on second-level domain names. Examples of second-level domain names include domaintools.com, google.com, and bbc.co.uk. Most traffic on a network does not reference these second-level domains directly; instead, logs will contain fully-qualified domain names (also known as FQDNs or hostnames) or even complete URLs. Examples of FQDNs include research.domaintools.com, www.google.com or www.bbc.co.uk. Those FQDNs must first be collapsed to only their domain name before a query is made to the DomainTools API to avoid making unnecessary requests. In most networks, this results in a 10x reduction in the volume of API queries, and it also improves performance by enabling effective caching.

The task of extracting a second-level domain name from an FQDN or a complete URL is non-trivial, and cannot be performed effectively with regular expression matching. The optimal solution requires a list of domain extensions, and there are code libraries dedicated to solving the problem efficiently. QRadar does not provide a built-in mechanism to make that conversion, so the DomainTools app handles that for you. You may find it necessary to add a custom field to your data source to extract the FQDN from a URL or other unparsed field. Adding a custom field to a log source in QRadar is out of the scope of this documentation.
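The collapse step described above, as an added example that is not code from the DomainTools app: a suffix-list lookup that turns an FQDN or full URL into its registrable second-level domain, alongside the "last two labels" shortcut it replaces, plus a per-FQDN cache in the spirit of dt_fqdn_to_domain that yields only the domains still needing an API query. The suffix rules are a small constructed subset of the Public Suffix List (a real deployment would load the full list, for instance through the publicsuffix2 or tldextract libraries); the sample FQDNs are constructed as well.

```python
"""Collapse FQDNs (or full URLs) to their registrable second-level domain
with a suffix list, then cache the mapping so each domain is queried once.
Added example, not DomainTools' code; the rules below are an assumed subset
of the Public Suffix List, enough to show why regex-style "last two labels"
logic fails on names such as www.bbc.co.uk."""
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed PSL subset: plain suffixes, one wildcard rule (*.ck makes every
# label directly under .ck a public suffix) and one exception (!www.ck says
# www.ck itself is registrable despite the wildcard).
SUFFIX_RULES = ["com", "net", "org", "uk", "co.uk", "ac.uk", "*.ck", "!www.ck"]


def _split_rules(rules: Iterable[str]):
    exact: Set[str] = set()
    wildcard: Set[str] = set()
    exception: Set[str] = set()
    for rule in rules:
        if rule.startswith("!"):
            exception.add(rule[1:])
        elif rule.startswith("*."):
            wildcard.add(rule[2:])
        else:
            exact.add(rule)
    return exact, wildcard, exception


_EXACT, _WILDCARD, _EXCEPTION = _split_rules(SUFFIX_RULES)


def hostname_from(value: str) -> str:
    """Return the lowercase host from a bare FQDN or a complete URL."""
    value = value.strip().lower().rstrip(".")
    if "://" in value:
        return urlsplit(value).hostname or ""
    # Bare host, possibly with a port or path left on by an upstream parser.
    return value.split("/", 1)[0].split(":", 1)[0]


def naive_last_two(host: str) -> str:
    """The shortcut the guide warns against: keep the last two labels.
    Right for www.google.com, wrong for www.bbc.co.uk (gives 'co.uk')."""
    return ".".join(host.split(".")[-2:])


def public_suffix(host: str) -> str:
    """PSL matching: longest matching rule wins, an exception beats a
    wildcard, and an unknown TLD falls back to the '*' default rule."""
    labels = host.split(".")
    best = labels[-1]  # default rule "*": the final label is the suffix
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if candidate in _EXCEPTION:
            return parent
        if candidate in _EXACT or (parent and parent in _WILDCARD):
            best = candidate
    return best


def registrable_domain(host: str) -> Optional[str]:
    """Suffix plus one label, or None when the host is itself a public
    suffix (e.g. 'co.uk') and so has no domain worth querying."""
    labels = host.split(".")
    suffix_len = len(public_suffix(host).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def collapse_for_lookup(values: Iterable[str], cache: Dict[str, str]) -> Set[str]:
    """Mimic the dt_fqdn_to_domain cache: record FQDN -> domain, skip FQDNs
    seen before, and return only domains that are new since the last run."""
    already_queried = set(cache.values())
    new_domains: Set[str] = set()
    for raw in values:
        host = hostname_from(raw)
        if not host or host in cache:
            continue
        domain = registrable_domain(host)
        if domain is None:
            continue
        cache[host] = domain
        if domain not in already_queried:
            new_domains.add(domain)
            already_queried.add(domain)
    return new_domains


# Constructed sample of FQDN-field values as a proxy log might carry them.
SAMPLE_FQDNS = [
    "www.bbc.co.uk", "news.bbc.co.uk",
    "https://research.domaintools.com/path?q=1",
    "www.google.com", "mail.google.com",
    "www.ck", "foo.bar.ck", "co.uk", "host.internal",
]

if __name__ == "__main__":
    cache: Dict[str, str] = {}
    fresh = collapse_for_lookup(SAMPLE_FQDNS, cache)
    print(f"{len(SAMPLE_FQDNS)} log values -> {len(fresh)} API queries: {sorted(fresh)}")
    print("naive last-two for www.bbc.co.uk:", naive_last_two("www.bbc.co.uk"))
```

Running `collapse_for_lookup` a second time over the same values returns an empty set, which is the caching effect the guide describes: only FQDNs absent from the map trigger work, and FQDNs that share a domain share one query.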

App Configuration

QRadar User Account

The DomainTools app runs a process that queries your QRadar event logs for new events, finds domain names, and then populates reference sets with Whois and Risk Score data from DomainTools APIs. For this to work, the app needs a QRadar user account to sign in with and read those events. Create that account in QRadar, and then note the username and password so you can set them in the app settings page.

App Settings

Access the DomainTools App configuration page by first visiting the Admin settings page in QRadar, then scroll down to the DomainTools Configuration option. Click the DomainTools icon to open the settings page and enter the correct values for your environment.

- DomainTools application user name: User name of a QRadar user the app will use to read events and store reference data.
- Password: Password for the QRadar user account.
- DomainTools host name: Must be set to api.domaintools.com
- API user name: DomainTools API username (contact your eval point of contact if you do not have an API username and API key).
- API user token: DomainTools API key.
- Use HTTPS protocol to invoke DomainTools APIs: Whether to use SSL when accessing the DomainTools APIs. We strongly recommend setting this to false to get the most throughput and fastest response times from the server. API keys are still protected with HMAC signatures even when SSL is disabled.
- Verify SSL certificate is used to invoke DomainTools APIs: Some environments with SSL filtering require accepting an organization's CA, but that CA may not be loaded into the QRadar instance. Again, disable HTTPS queries whenever possible to avoid problems and improve throughput.
- Max number of records to fetch from log source at a time: Start with a value of 200 and adjust as needed.
- Max threshold value of reputation score: Domain names with a score higher than this threshold will be added to a special reference set. The score ranges from 0 to 100 with higher numbers indicating a riskier domain. DomainTools recommends starting with a minimum value of 70.
- Time interval to invoke the scheduler in minutes: Set how frequently the job will run that extracts log data. Start with 10 minutes and adjust as needed.
- After how many cycles the settings to be refreshed: App settings are cached between successive runs of the enrichment job and are periodically refreshed. Start with a value of 1 while you are adjusting the settings, then increase to at least 4 for best performance.
- No. of records to be displayed in a page: Adjust pagination for pivot data returned on the domain profile page. Start with 50 and adjust accordingly.

Log Sources

Access the DomainTools app configuration page, then click on Delete Log Source. The app installs with an example log source that you should remove once you familiarize yourself with the expected values for the log source name and domain column name. Next, click on Add Log Source to add one or more log sources that contain domain names (see Prerequisites above). Ensure the values in the fields match the data source name and column name, then click the Submit button. Repeat for as many data sources as you need.

App Log

Once the app is configured, the DomainTools App will run a job at the interval specified in the settings, query the logs, and fetch DomainTools data to populate in reference sets. A QRadar administrator can access application logs on the QRadar server to monitor this process and provide debugging information to DomainTools if problems arise. The logs are stored in one of these folders:
- /store/docker/vfs/dir/[container_id]
- /store/docker/containers/[container_id]

The container_id portion of the path is not a predictable value, so it will require visiting each directory to find the one with the DomainTools log files. The correct folder will have a dtstore.db file and a log directory; navigate to the log directory to find the app.log file. If you have command line access to the server, this command can help you locate the folder more quickly than trial-and-error:

    find /store -maxdepth 4 -name "dtstore.db"

Reference Data

Managing Reference Data

QRadar supports several reference data collection types, but it only provides a UI to manage the contents of reference sets. There is no option in the QRadar admin interface to view reference maps or reference tables, both of which are used extensively by the DomainTools app. The only way to confirm these reference data were created properly, and to view their contents, is to use the API. Fortunately, QRadar provides interactive API documentation under the Help menu.

To view a list of reference maps:
1. Go to "Help" > "Interactive API for Developers"
2. Navigate to the 7.0 tree, down to /reference_data
3. Click on /maps
4. Scroll down through the page that appears on the right and click "Try it now"
5. The Response Body will list details on each active reference map

To view the contents of a reference map:
1. Go to "Help" > "Interactive API for Developers"
2. Navigate to the 7.0 tree, down to /reference_data
3. Expand the /maps node and click /{name}
4. Scroll down through the page that appears on the right and locate the parameters section
5. Enter the name of the reference map in the name field and click "Try it now"
6. The Response Body will list the contents of the named reference map

DomainTools Reference Data Collections

dt_fqdn_to_domain (Reference Map)
Contains key/value pairs mapping fully-qualified domain names (FQDNs) to their second-level domain name. Provide an FQDN as the key to obtain a domain name. This collection is also used to manage caching in the DomainTools app: log entries that already have an entry here for the value in their FQDN field will be excluded from the enrichment job. Use this field in a custom AQL query to create a domain name column that can be used to look up risk score and Whois data. For example:

    SELECT REFERENCEMAP('dt_fqdn_to_domain',FQDN) AS domain_name

dt_domains_risk_score (Reference Map)
Contains key/value pairs mapping second-level domain names to a DomainTools risk score. Provide a domain name as the key. Use this field in a rule with custom AQL to create offenses when domain names exceed a threshold. For example:

    REFERENCEMAP('dt_domains_risk_score', REFERENCEMAP('dt_fqdn_to_domain',FQDN)) >= 70

dt_whois_details (Reference Table)
Contains a set of columns with parsed Whois data, indexed by the second-level domain name. Column names include:
- Registrant Country
- Registrant Name
- Registrant Org
- Registrant Phone
- Registrar Name
- Created Date
- Expired Date
- Updated Date

Use this data to enrich log searches or to create custom AQL rules based on attributes in the Whois record of a domain name. For example, this rule could alert on domains registered at a specific registrar:

    REFERENCETABLE('dt_whois_details', 'Registrar Name', REFERENCEMAP('dt_fqdn_to_domain',FQDN)) = 'Evil Registrar Inc.'
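The Managing Reference Data procedure and the collection table above describe checking the maps through the REST API and chaining two lookups (FQDN to domain, domain to score) to find events over the threshold. The following is an added example, not the app's or IBM's code, that does both from a script: it confirms the DomainTools maps exist and reproduces the two-hop lookup outside AQL. QRadar's GET /api/reference_data/maps and /api/reference_data/maps/{name} endpoints and the SEC token header are real; the JSON shapes assumed here (a list of objects carrying "name", and a map body whose "data" is {key: {"value": ...}}) match what the interactive API page shows but should be confirmed against your own console. The console responses in the block are constructed stand-ins with invented domains and scores.

```python
"""Verify the DomainTools reference maps in QRadar over the REST API and
reproduce the rule REFERENCEMAP('dt_domains_risk_score',
REFERENCEMAP('dt_fqdn_to_domain', FQDN)) >= 70 in Python.
Added example; the response shapes are assumptions noted in the lead-in."""
import json
import ssl
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote
from urllib.request import Request, urlopen

Fetcher = Callable[[str], object]  # maps an API path to decoded JSON


def make_fetcher(console: str, sec_token: str, ca_bundle: Optional[str] = None) -> Fetcher:
    """Fetcher for a live console. TLS verification stays on; supply the
    console's CA bundle instead of switching checks off."""
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def fetch(path: str):
        req = Request(
            f"https://{console}/api{path}",
            headers={"SEC": sec_token, "Accept": "application/json", "Version": "7.0"},
        )
        with urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch


def list_reference_maps(fetch: Fetcher) -> List[str]:
    return [m["name"] for m in fetch("/reference_data/maps")]


def map_values(fetch: Fetcher, name: str) -> Dict[str, str]:
    """Flatten a reference map body to {key: value}."""
    body = fetch(f"/reference_data/maps/{quote(name)}")
    return {k: v["value"] for k, v in body.get("data", {}).items()}


def missing_app_maps(fetch: Fetcher) -> List[str]:
    """Names from the collection table that the console does not have."""
    present = set(list_reference_maps(fetch))
    return [n for n in ("dt_fqdn_to_domain", "dt_domains_risk_score") if n not in present]


def risky_fqdns(fetch: Fetcher, threshold: int = 70) -> Dict[str, Tuple[str, int]]:
    """FQDNs whose collapsed domain scores at or above the threshold."""
    fqdn_to_domain = map_values(fetch, "dt_fqdn_to_domain")
    scores = map_values(fetch, "dt_domains_risk_score")
    hits: Dict[str, Tuple[str, int]] = {}
    for fqdn, domain in fqdn_to_domain.items():
        score = scores.get(domain)
        if score is None:
            continue  # domain cached but not scored yet
        if int(score) >= threshold:
            hits[fqdn] = (domain, int(score))
    return hits


# Constructed responses standing in for a console; domains and scores are
# invented for the example.
FAKE_RESPONSES = {
    "/reference_data/maps": [
        {"name": "dt_fqdn_to_domain", "element_type": "ALN"},
        {"name": "dt_domains_risk_score", "element_type": "ALN"},
    ],
    "/reference_data/maps/dt_fqdn_to_domain": {
        "name": "dt_fqdn_to_domain",
        "data": {
            "www.example.test": {"value": "example.test"},
            "cdn.example.test": {"value": "example.test"},
            "www.good.test": {"value": "good.test"},
            "www.pending.test": {"value": "pending.test"},
        },
    },
    "/reference_data/maps/dt_domains_risk_score": {
        "name": "dt_domains_risk_score",
        "data": {"example.test": {"value": "85"}, "good.test": {"value": "12"}},
    },
}


def fake_fetch(path: str):
    """Offline stand-in for make_fetcher(...) built from FAKE_RESPONSES."""
    return FAKE_RESPONSES[path]


if __name__ == "__main__":
    print("missing maps:", missing_app_maps(fake_fetch))
    for fqdn, (domain, score) in sorted(risky_fqdns(fake_fetch).items()):
        print(f"{fqdn} -> {domain} scored {score}")
```

Against a real console, replace `fake_fetch` with `make_fetcher("qradar.example", token, ca_bundle="/path/to/console-ca.pem")` using an authorized service token; `missing_app_maps` returning a non-empty list after the first scheduler run is the quickest sign that the QRadar user configured in App Settings cannot write reference data.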

Sample AQL

This AQL may be used to enrich a log source that contains an FQDN in the FQDN column. Adjust the LOG_SOURCE_NAME value to match the name of your log source.

    SELECT
      starttime,
      LOGSOURCENAME(logsourceid),
      FQDN,
      REFERENCEMAP('dt_fqdn_to_domain',FQDN) AS domain,
      REFERENCEMAP('dt_domains_risk_score',domain) AS dt_risk_score,
      REFERENCETABLE('dt_whois_details','Registrant Country',domain) AS dt_reg_country,
      REFERENCETABLE('dt_whois_details','Registrant Name',domain) AS dt_reg_name,
      REFERENCETABLE('dt_whois_details','Registrant Org',domain) AS dt_reg_org,
      REFERENCETABLE('dt_whois_details','Registrant Email',domain) AS dt_reg_email,
      REFERENCETABLE('dt_whois_details','Registrar Name',domain) AS dt_registrar,
      REFERENCETABLE('dt_whois_details','Created Date',domain) AS dt_create_date
    FROM events
    WHERE LOGSOURCENAME(logsourceid) = 'LOG_SOURCE_NAME'
      AND domain IS NOT NULL

DomainTools App Area

When the app is installed, a new tab will appear on the QRadar navigation menu labeled DomainTools. Access that tab to view a dashboard focused on key threat hunting and risk metrics. You can adjust thresholds and parameters for the dashboard panels by clicking the pencil icon next to the panel titles.

To investigate a specific domain name, click the "Search" tab near the top of the dashboard and enter a domain name in the search box. The app loads risk score and Whois information on a single domain name from the DomainTools API. You may also click these elements to view additional related domains using DomainTools Reverse Whois, Reverse IP and Reverse Name Server datasets:
- Registrant, abuse and admin email addresses
- Registrant name on the Domain Profile tab
- IP address
- Name servers