Monday, April 6, 2015

QRadar - Threat Intelligence On The Cheap - Verifying Reference Set Creation

P.S. Note that the quality of these lists depends on the people who publish them. I give no warranty, nor am I vouching for these lists. These IPs and/or domains should be used as a starting point for your investigation, not as the final decision on whether something good or bad has happened. To verify that the reference sets exist, you can do the following.

1. Log on to QRadar.
2. Select the "Admin" tab.
3. Under the "System Configuration" section, select "Reference Set Management".
4. In the Reference Set window, scroll until you find the two reference sets:
    a. 'SecurityNik_IP_Darklist'
    b. 'SecurityNik_DNS_Darklist'
5. You can now double-click a list or click "Edit" to verify its contents.

Once you have verified that the reference sets have been created successfully and contain your IP and/or DNS entries, you may go ahead and create your rules.
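
If you would rather script the check than click through the Admin tab, the same verification can be done against the QRadar REST API. The example below is added here and is not code from the original post; it assumes the `GET /api/reference_data/sets/{name}` endpoint with a `SEC` API token header, and the `SAMPLE_IP_SET` payload is a constructed response used only so the verification logic can be run offline.

```python
import json
import ssl
import urllib.error
import urllib.request

# The two reference sets the post tells you to look for in the Admin tab.
EXPECTED_SETS = ("SecurityNik_IP_Darklist", "SecurityNik_DNS_Darklist")

def fetch_reference_set(console, token, name):
    """GET /api/reference_data/sets/{name} with a SEC token (assumed endpoint).
    Returns the parsed JSON, or None when the set does not exist (HTTP 404)."""
    req = urllib.request.Request(
        f"https://{console}/api/reference_data/sets/{name}",
        headers={"SEC": token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def summarize_reference_set(payload):
    """Reduce one API response to (name, element_type, set of member values)."""
    values = {entry["value"] for entry in payload.get("data", [])}
    return payload["name"], payload["element_type"], values

def verify_reference_sets(payloads, expected=EXPECTED_SETS):
    """Map each expected set name to (exists, number of members).
    payloads maps set name -> API response, or None for a 404."""
    report = {}
    for name in expected:
        payload = payloads.get(name)
        if payload is None:
            report[name] = (False, 0)
        else:
            report[name] = (True, len(summarize_reference_set(payload)[2]))
    return report

# Constructed sample response (shape assumed from the API's reference-set JSON).
SAMPLE_IP_SET = {
    "name": "SecurityNik_IP_Darklist",
    "element_type": "IP",
    "data": [{"value": "203.0.113.10", "source": "reference data api"},
             {"value": "198.51.100.7", "source": "reference data api"}],
}
```

Against a live console, build the `payloads` dict from `fetch_reference_set()` for each name in `EXPECTED_SETS`; a `(False, 0)` entry in the report means the earlier download script never created that set.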
Have fun, and don't forget the other posts in this series to ensure your reference sets and rules are created properly.

1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.
