Monday, April 6, 2015

QRadar - Threat Intelligence On The Cheap - Creating the rule to detect IPs in the SecurityNik_IP_Darklist

Now that we've downloaded our suspect IPs and domains with the SecurityNikThreatIntel script along with verifying our reference set creation, we will now create the relevant rules. Note in this post, I will focus primarily on the IP darklist rule creation. Basically the same steps can be used to create a rule to detect the malicious DNS. I will put a quick snapshot below on what needs to be done to get the rule to detect the suspect domains.

P.S. Point to note is the quality of these list are dependent on the people who publish them. I give no warranty or am I vouching for these lists. These IPs and or domains should be used as a starting point of your investigation not the ultimate decision as to whether something good or bad has happened.

Because we would like to detect the suspect IPs in either flows or events we will create a common rule.

Follow the steps below to create a common rule:
    1.    Click "Offenses" tab
    2    Select "Rules"
    3.    Select "Action" menu
    4.    From the "Action" menu, select "New Common Rule"

Once the "Rule Wizard" opens, it should default to "Events and Flows"

Next you build your rule by selecting your criteria.
    1.    First in the search box, type "referen". This reduces the number of rule options to sort through
    2.    select the one which states "when any of these properties is contained in any of these reference set(s)"
    3.    Assign your rule a name
    4.    Click "these event properties".
    5.     When the window pops up, select the "Source IP", click add, then select "Destination IP"
    6.     Click "OK"
    7.    Click "these reference set(s)"
    8.    From the pop up window select the "SecurityNik_IP_Darklist", then click add
    9.    Click "OK"

Selecting the "Rule Response"
    1.    Ensure that a new event gets created
    2.    you may set the severity, credibility and relevance of the new event which gets created
        Note that these setting may influence the values of an offense but does not specifically set the values on the offense
    3.    Create a new offense when the source or detination IP from the SecurityNik_IP_Darklist reference set is seen in either an event or flow
    4.    Send off an email once a detection is made

Verify the rule is as expected.

You should be good to go.

Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.

1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and or domains.

No comments:

Post a Comment