Monday, April 6, 2015

QRadar - Threat Intelligence On The Cheap - Creating the rule to detect IPs in the SecurityNik_DNS_Darklist

Most of the information in the previous post can be used to develop the rule for detecting the malicious domains.

P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.

Follow the steps below to create an Event rule:
 1.    Click "Offenses" tab
    2    Select "Rules"
    3.    Select "Action" menu
    4.    From the "Action" menu, select "New Event Rule"

Once the "Rule Wizard" opens, it should default to "Events"

Next you build your rule by selecting your criteria.
    1.    First in the search box, type "referen". This reduces the number of rule options to sort through
    2.    select the one which states "when any of these properties is contained in any of these reference set(s)"
    3.    Assign your rule a name
    4.    Click "these event properties".
    5.     When the window pops up, select the "domain"
    6.     Click "OK"
    7.    Click "these reference set(s)"
    8.    From the pop up window select the "SecurityNik_DNS_Darklist", then click add
    9.    Click "OK"
Selecting the "Rule Response"
    1.    Ensure that a new event gets created
    2.    you may set the severity, credibility and relevance of the new event which gets created
        Note that these setting may influence the values of an offense but does not specifically set the values on the offense
    3.    Create a new offense when the domain from the SecurityNik_DNS_Darklist reference set is seen in either an event
    4.    Send off an email once a detection is made
Verify the rule is as expected.

You should be good to go.

In the final post, we will run a query against the environment to see if any of the detected IPs (or you can do the domain) is found in our logs and or flows.

Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.

1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.


  1. Hi Nik Alleyne,

    I am your daily readear of your blog, Learn by practicing really good.

    I have one doubt in qradar please clarify on the same:

    I need to send email notification for a user from a offence(Event) not a QRadar user.

    In Detail:

    When offence generated in that we have offence details like
    SourceIP :,
    Source Username(From Event): Abc123

    What i want to do means i want to send email notification to the username(Abc123) from the event. From Qradar itself..?

    Email notification like He or She accesed this URL or Malicious site depends upon the rule that we are creating.


    Thanks in advance.

    Teja R

  2. Teja,
    For what I know you will not be able to send an email for the individual offense. However, you can send an email when the "event" is seen. For example, if you would like user Abc123 to receive an email anytime someone at logs in to then yes this is doable.

    Let me know if this helps, if not provide me with a bit more details on what you are trying to do and we will see if we can build the rule or maybe I would create a post showing you how to do it.