Monday, April 6, 2015

QRadar - Threat Intel On the Cheap - Checking our environment for suspect IPs

In this our final post in this series, we will search our logs and flows to see if any of the suspected IPs.

P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.

To search our logs let's do the following:
1. Login to QRadar
2. Select "Logs" or "Network Activity" tab
3. From the "Search" dropdown, select "New Search"
3. Select your "Time Range"
    Let's start with the "Last 7 Days"
4. In the "Search Parameters" choose "Reference Set"
5. In the "Value: Data Entry" select "Destination IP"
6. Operators select "Exists in any of"
7. From the "Reference Set" list, choose "SecurityNik_IP_Darklist"
8. Click the "+"
9. Click "Add Filter"
10. Click "Search"

Based on the search query we just entered, you would be able to see if any of the hosts in your environment has been or is communicating with any of the IPs in the SecurityNik_IP_Darklist.

To check for domains in the SecurityNik_DNS_Darklist, you would basically do the same steps above. However, you would chose a different reference set.

Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.

1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.


  1. Great script and thank you for improving our Security posture at our office.

    Thank you!

  2. Hi,

    great post! Currently i am researching an similiar approach and asking me:
    You are really able to search in the created reference-set?

    For my understanding: Your reference-sets are holding ranges in CIDR-Notation (in my case this applies also)

    The following technote from ibm describes this is currently not possible:

    How do you handle this?

    I have tried to put the data in a reference-set with type "text" also... however i am not able to get a rule firing if source or destination ip is in my reference set

  3. Of course:

    My rule looks like:

    If any of Source or Destination IP is in any of reference set

    The reference set type is "text / Alphanumeric" and contains about 5000 Entries like XXX.XXX.XXX.XXX/XX

    In the action tab i have configured (for testing purposes):
    - create new event
    - new offense
    - alert email.

    The point is: If i put a single IP-Adress in my reference set like, then rule is working. With CIDR-Ranges it is not... for this reason i am asking me if this is really working for you.

    Is there a possibility to send you a mail? IMHO it would be great if i can attach some screenshots.