DNSDB QRadar Integration User Guide
Farsight Security (now part of DomainTools) DNSDB® is the world’s largest DNS intelligence database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts. Farsight collects Passive DNS data from its global sensor array. It then filters and verifies the DNS transactions before inserting them into the DNSDB, along with ICANN-sponsored zone file access download data. The end result is the highest-quality and most comprehensive DNS intelligence data service of its kind – with more than 100 billion DNS records since 2010.
This document explains how to download, install and configure the Farsight DNSDB App for IBM QRadar.
The Farsight DNSDB App for IBM QRadar accelerates incident response by bringing DNSDB passive DNS intelligence into the orchestration and automation QRadar users already rely on to investigate and mitigate threats. QRadar users can view the DNS-enriched data for Offense Sources on the Offense summary page. This helps speed up QRadar investigations, prioritise which offenses to investigate, and identify the source of a suspected security breach during threat hunting.
The app also lets QRadar users investigate Log Activity in real time through right-click menu options.
Follow these steps to download the Farsight DNSDB App:
- Go to IBM Security App Exchange portal and search for Farsight DNSDB.
- Select Farsight DNSDB App for IBM QRadar.
- From the app description page, click Download to get the zip package for installation.
Note that you need an active IBMid to download the Farsight DNSDB App for QRadar from the IBM Security App Exchange portal.
Follow the procedure below to install the Farsight DNSDB App:
- Log in to your IBM QRadar instance.
- Go to the Admin tab and select Extensions Management.
- On the Extensions Management page, click Add.
- In the pop-up window, click Browse and select the downloaded zip installation package. Check Install Immediately and click Add.
- A pop-up window lists all the items in the installation package; click Install to continue.
- After installation, a pop-up window lists the items that were installed.
- Click OK to continue.
- The installation is now complete.
Once the app is installed, configure the extension as required. To do so, follow the steps below:
- Go to the Admin tab, scroll down to the Apps section, select the "Farsight DNSDB" app and click "Configure Farsight DNSDB App"; alternatively, go to the Farsight DNSDB Dashboard and click "Configure App".
- The Farsight DNSDB Configuration page shows the following options.
Farsight DNSDB App Settings
- Farsight DNSDB URL: the DNSDB API endpoint that the app sends its queries to.
- Farsight DNSDB API Key: the API key used to authenticate the app's requests to the DNSDB server. Enter the key provided to you by Farsight Security; if you do not have one, see the Farsight Security Getting Started page to request it. Treat the key as a secret: anyone who holds it can query DNSDB against your account.
- Enable Proxy: check this option if the app must reach the DNSDB server through a proxy. When it is checked, the Proxy Settings section appears with the following fields.
- Proxy Type: HTTP/HTTPS
- Proxy IP/Hostname: a valid IP address or hostname of the proxy server
- Proxy Port: the port number to connect to
- If the proxy server requires authentication, also specify the username and password used to connect to it.
Automatic Offense Enrichment Settings
- Look Back (days): limit records to those seen within this number of days before the offense. Default: 90 days.
- Look Ahead (days): limit records to those seen within this number of days after the offense. Default: 1 day.
- Limit: the maximum number of results returned per query. Default: 10.
- Pivot Limit: the maximum number of intermediate queries issued when finding co-located hosts and IPs. Default: 10.
- Enable RData (IP Lookup): show RData results for the IP address on the Offense Summary page. Default: True.
- Enable Co-located (IP Lookup): show Co-located IPs results for the IP address on the Offense Summary page. Default: True.
- Enable RData (Domain Lookup): show RData results for the domain on the Offense Summary page. Default: True.
- Enable RRSet (Domain Lookup): show RRSet results for the domain on the Offense Summary page. Default: True.
- Enable Co-located (Domain Lookup): show Co-located Domains results for the domain on the Offense Summary page. Default: True.
5. Automated Threat Hunting
The Farsight DNSDB App lets IBM QRadar users view Farsight DNSDB passive DNS enrichment data on the Offense summary page for Offense Sources of type Domain or IP Address.
For IBM QRadar offenses whose Offense Source is an IP address, you will see "Farsight DNSDB RData" and "Farsight DNSDB Co-located IPs" results in tabular format.
For IBM QRadar offenses whose Offense Source is a domain, you will see "Farsight DNSDB RData", "Farsight DNSDB RRSET" and "Farsight DNSDB Co-located Domains" results in tabular format.
Note: The results returned will be based on your configuration settings.
To view the Farsight DNSDB Threat Lookup results on the Offense Summary page, go to the "Offenses" tab in the menu.
To investigate, double-click any offense whose Offense Source is a domain or an IP address; the Farsight DNSDB enrichment data appears in tabular format.
- DNSDB RDATA Results: this lookup queries DNSDB's RData index, which supports "inverse" lookups keyed on RData record values (for example, which owner names have resolved to a given IP address). In contrast to the RRSet lookup, RData lookups return individual resource records rather than full resource record sets, and they carry no bailiwick metadata. To retrieve the full RRSet and its bailiwick, perform an RRSet lookup on an owner name reported by the RData lookup.
- DNSDB RRSET Results: this lookup queries DNSDB's RRSet index, which supports "forward" lookups keyed on the owner name of an RRSet and returns complete RRSets with their bailiwick.
- DNSDB Co-located Domains: for an Offense Source domain, this lookup first finds the IP addresses the domain has resolved to and then identifies the other domains that have resolved to those same addresses.
- DNSDB Co-located IPs: for an Offense Source IP address, this lookup first finds the domains that have resolved to that address and then identifies the other IP addresses those domains have resolved to. Note that an address belonging to shared hosting or a CDN co-locates many unrelated domains, so the Limit and Pivot Limit settings cap how far these pivots fan out.
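The following is an added example, not the app's own code, showing how the settings above map onto DNSDB queries: the Look Back / Look Ahead window becomes DNSDB time filters, the API key travels in a request header (never in the URL), the optional proxy is applied at the HTTP layer, and the two co-located pivots are built from RRSet and RData lookups bounded by Limit and Pivot Limit. The endpoint layout (base URL, `/dnsdb/v2/lookup/...` paths, `X-API-Key` header, NDJSON output) is assumed from the public DNSDB API documentation and should be checked against it; the sample responses are constructed, not real DNSDB data.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

# Assumption: DNSDB API v2 layout. The app's "Farsight DNSDB URL" setting is this base URL.
DEFAULT_BASE_URL = "https://api.dnsdb.info"
PATHS = {
    "rrset": "/dnsdb/v2/lookup/rrset/name/",       # "forward" lookup by owner name
    "rdata_ip": "/dnsdb/v2/lookup/rdata/ip/",      # "inverse" lookup by address in rdata
    "rdata_name": "/dnsdb/v2/lookup/rdata/name/",  # "inverse" lookup by name in rdata
}
Fetch = Callable[[urllib.request.Request], Iterable[dict]]


def time_window(offense_ts: int, look_back_days: int = 90, look_ahead_days: int = 1) -> dict:
    """Map Look Back / Look Ahead onto DNSDB time filters: keep records whose
    [time_first, time_last] overlaps the window around the offense (Unix seconds)."""
    return {"time_last_after": offense_ts - look_back_days * 86400,
            "time_first_before": offense_ts + look_ahead_days * 86400}


def build_request(kind: str, value: str, api_key: str, limit: int = 10,
                  window: Optional[dict] = None, base_url: str = DEFAULT_BASE_URL) -> urllib.request.Request:
    """One authenticated DNSDB query; the key goes in a header so it never lands in proxy or URL logs."""
    params = {"limit": limit, **(window or {})}
    url = (base_url.rstrip("/") + PATHS[kind] + urllib.parse.quote(value, safe="")
           + "?" + urllib.parse.urlencode(params))
    return urllib.request.Request(url, headers={"X-API-Key": api_key, "Accept": "application/x-ndjson"})


def http_fetch(req: urllib.request.Request, proxy_url: Optional[str] = None, timeout: int = 30) -> Iterable[dict]:
    """Run a query over HTTP(S), optionally via the app's proxy settings expressed as a URL
    (e.g. "http://user:pass@proxy.corp.example:3128"), yielding one record dict per result line."""
    handlers = [urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})] if proxy_url else []
    with urllib.request.build_opener(*handlers).open(req, timeout=timeout) as resp:
        for line in resp:
            msg = json.loads(line)
            if msg.get("cond") == "failed":
                raise RuntimeError(f"DNSDB query failed: {msg.get('msg')}")
            if "obj" in msg:  # data lines; "begin"/"succeeded"/"limited" are status lines without "obj"
                yield msg["obj"]


def _owner(rec: dict) -> str:
    return rec["rrname"].rstrip(".").lower()


def _addresses(rec: dict) -> list:
    """A/AAAA rdata of a record; rdata is a list for RRSet results and a string for RData results."""
    if rec.get("rrtype") not in ("A", "AAAA"):
        return []
    rdata = rec.get("rdata", [])
    return list(rdata) if isinstance(rdata, list) else [rdata]


def colocated_domains(domain: str, fetch: Fetch, api_key: str, limit: int = 10,
                      pivot_limit: int = 10, window: Optional[dict] = None) -> list:
    """Domain -> its addresses (RRSet lookup) -> other names seen at those addresses (RData lookups)."""
    ips: list = []
    for rec in fetch(build_request("rrset", domain, api_key, limit, window)):
        for ip in _addresses(rec):
            if ip not in ips:
                ips.append(ip)
    found = set()
    for ip in ips[:pivot_limit]:  # Pivot Limit caps the number of intermediate queries
        for rec in fetch(build_request("rdata_ip", ip, api_key, limit, window)):
            if _owner(rec) != domain.rstrip(".").lower():
                found.add(_owner(rec))
    return sorted(found)


def colocated_ips(ip: str, fetch: Fetch, api_key: str, limit: int = 10,
                  pivot_limit: int = 10, window: Optional[dict] = None) -> list:
    """IP -> names that resolved to it (RData lookup) -> other addresses of those names (RRSet lookups)."""
    names: list = []
    for rec in fetch(build_request("rdata_ip", ip, api_key, limit, window)):
        if _owner(rec) not in names:
            names.append(_owner(rec))
    found = set()
    for name in names[:pivot_limit]:
        for rec in fetch(build_request("rrset", name, api_key, limit, window)):
            found.update(a for a in _addresses(rec) if a != ip)
    return sorted(found)


# Constructed sample responses (not real DNSDB data), keyed by request path, so the pivots run offline.
_SAMPLE = {
    "/dnsdb/v2/lookup/rrset/name/bad.example": [
        {"rrname": "bad.example.", "rrtype": "A", "rdata": ["192.0.2.10", "192.0.2.11"], "bailiwick": "example."}],
    "/dnsdb/v2/lookup/rrset/name/sib.example": [
        {"rrname": "sib.example.", "rrtype": "A", "rdata": ["192.0.2.10", "198.51.100.7"], "bailiwick": "example."}],
    "/dnsdb/v2/lookup/rrset/name/other.test": [
        {"rrname": "other.test.", "rrtype": "AAAA", "rdata": ["2001:db8::1"], "bailiwick": "test."},
        {"rrname": "other.test.", "rrtype": "A", "rdata": ["192.0.2.11"], "bailiwick": "test."}],
    "/dnsdb/v2/lookup/rdata/ip/192.0.2.10": [
        {"rrname": "bad.example.", "rrtype": "A", "rdata": "192.0.2.10"},
        {"rrname": "sib.example.", "rrtype": "A", "rdata": "192.0.2.10"}],
    "/dnsdb/v2/lookup/rdata/ip/192.0.2.11": [
        {"rrname": "bad.example.", "rrtype": "A", "rdata": "192.0.2.11"},
        {"rrname": "other.test.", "rrtype": "A", "rdata": "192.0.2.11"}],
}


def sample_fetch(req: urllib.request.Request) -> Iterable[dict]:
    """Stand-in for http_fetch that answers from _SAMPLE instead of the network."""
    return iter(_SAMPLE.get(urllib.parse.urlsplit(req.full_url).path, []))


if __name__ == "__main__":
    win = time_window(1_700_000_000)  # offense time in Unix seconds; defaults: 90 days back, 1 day ahead
    print(colocated_domains("bad.example", sample_fetch, "KEY", window=win))  # ['other.test', 'sib.example']
    print(colocated_ips("192.0.2.10", sample_fetch, "KEY", window=win))       # ['192.0.2.11', '198.51.100.7']
    # Live use: colocated_ips(ip, lambda r: http_fetch(r, proxy_url=None), api_key, window=win)
```

Swapping `sample_fetch` for `http_fetch` (with a proxy URL built from the Proxy Settings fields) runs the same pivots against the live service. Lowering `pivot_limit` is the lever that keeps a shared-hosting or CDN address from turning one offense into hundreds of queries.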
6. Manual Threat Hunting
Log Activity Investigation
The Farsight DNSDB App lets IBM QRadar users investigate Log Activity through right-click menu options. When you right-click an IP Address or Domain field in the log viewer or event viewer, a "Lookup in Farsight DNSDB Scout" option appears; clicking it takes you to the "Farsight DNSDB Scout" page, where you can run queries for that IP address or domain.
For fields other than IP Address or Domain, select the log record in the log viewer or event viewer and click the "Lookup in Farsight DNSDB Scout" toolbar button. A new window lists all the fields of the record; click the field you want to look up and you are taken to the "Farsight DNSDB Scout" page.
Threat Lookup via Dashboard
The Farsight DNSDB App also lets IBM QRadar users run a Threat Lookup on any text they provide, independent of Log Activity or Offense Sources.
To do so, go to the "Farsight DNSDB Dashboard" and enter the text you want to search for in Farsight DNSDB Scout.