For network defenders, false positives are a common challenge and frequently result in alert fatigue. A consequence of alert fatigue, according to a study conducted by the Cloud Security Alliance, is that 31.9% of IT security professionals ignore alerts. This issue is further reinforced by a lack of resources required to triage, investigate and mitigate. There has been some relief, however. The evolution of Security Information Management (SIM) and Security Event Management (SEM) s into new-age analytics and behavior-centric Security Information and Event Management (SIEM) platforms have successfully automated the tasks of collecting, analyzing, and surfacing key events within a network.
Our customers rely on DomainTools domain and DNS intelligence to triage and analyze events within SIEM platforms. With the context necessary to identify and triage these events our customers transition into a natural evolution of automating the event detection and incident handling processes.
Good SIEM solutions, like QRadar, help CSIRTs and SOCs quickly identify malicious events in their environment with the intelligence to set proper triaging processes. The DomainTools App for QRadar allows teams to automate the consumption of domain intelligence. With this ready to deploy integration, DomainTools and IBM QRadar customers can enable full-scale threat intelligence and threat hunting inside their SIEM solution.
In leveraging this app, organizations can:
- Leverage the Threat Hunting dashboard for risk metrics to highlight malicious activity
- Bulk enrich domains for use in log searches, creation of offenses, or custom AQL rules
- Proactively monitor potentially malicious domains prior to misuse
DomainTools Threat Hunting Dashboard
All intelligence surfaced from DomainTools, including shared infrastructure and historical identities, stays in the same investigative context and enables collaboration across teams
With scaling in mind, the DomainTools App is built with the latest Iris Enrich APIs, which has been proven to handle large scale event enrichment. To enhance performance efficiency, DomainTools has enabled batch queries across a configurable time frame. And finally, since every environment is different, this integration includes configurations in the initial app deployment phases that allow the app to dynamically discover logs in your environment for event discovery.