APT1 Investigation
Has anyone started to incorporate the data provided by the APT1 investigation into QRadar? I have a reference set full of FQDNs, but I'm failing in the creation of a rule. I have URLs from a firewall, but it's the full URL. I can see DNS requests in the QFlow payload, but I do not see how to do a payload search using a reference set. Other than that, most of the data is in the IOC format, which doesn't play well with QRadar.
Posted by Derek Thomas
Updated on 2013-02-21T14:23:34Z at 2013-02-21T14:23:34Z by SystemAdmin
Re: The following py script will (2013-02-21T03:54:48Z) - This is the accepted answer.
The following py script will get all the IP addresses out of all the IOCs.
import os, re

# Folder holding the APT1 OpenIOC files (Appendix G of the report)
root = r"D:\IOC\Appendix G (Digital) - IOCs"
files = os.listdir(root)
for fname in files:
    with open(os.path.join(root, fname), "r") as fin:
        for line in fin:
            # Only IndicatorItem content lines typed as IP carry addresses
            if line.find("<Content type=\"IP\">") > -1:
                # Pull the dotted-quad out of the element text, one address per line
                match = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", line)
                if match:
                    print(match.group(1))
Posted By John Mcleod
Re: use custom properties (2013-02-21T09:27:34Z)
You will need to extract the URLs and/or DNS requests into a custom property, and then use the "when any of these properties are contained in any of these reference set(s)" test in your rule. And you are right to worry that a URL of "http://host1.example.com" will not match if the reference set only contains "example.com". For this reason, it is probably best to extract a "base domain" custom property, rather than the complete URL (or, in addition to the complete URL, meaning two different custom properties) and also to populate your reference set with base domains rather than complete domain names (in other words example.com not host1.example.com).
If you do this with a script, do take care to watch out for cases where the "base domain" should be more than 2 levels deep, for example "bbc.co.uk". But the bigger challenge there will probably be working out the regular expression to extract the custom property the way you want.
Posted By travis.mcwaters
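The two answers above describe a pipeline: pull the indicator values out of the OpenIOC files, reduce FQDNs to a "base domain" that handles multi-label suffixes such as bbc.co.uk, and then compare the base domain extracted from a firewall URL against the reference set. The script below is an added example that is not from either poster; it parses a small constructed OpenIOC-style document (not a real APT1 file), so the namespace, the Context search values and the short multi-label suffix list are assumptions, and a real deployment would load the Public Suffix List instead of the hard-coded set. The IP regex and the `"DNS" in search` classification are also assumptions about how the IOC files label their items.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed OpenIOC-style sample; structure mimics OpenIOC 1.0, values are made up.
SAMPLE_IOC = """
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <short_description>constructed sample</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="Network" search="Network/DNS" type="network"/>
        <Content type="string">host1.example.com</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="Network" search="Network/DNS" type="network"/>
        <Content type="string">news.example.co.uk</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">192.0.2.10</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Assumed stand-in for the Public Suffix List: suffixes that themselves take two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def local_name(tag):
    """Strip the XML namespace so the parser works whatever xmlns the file declares."""
    return tag.rpartition("}")[2]


def extract_indicators(xml_text):
    """Return (ips, fqdns) found in the IndicatorItem elements of an OpenIOC-style document."""
    ips, fqdns = set(), set()
    root = ET.fromstring(xml_text)
    for item in root.iter():
        if local_name(item.tag) != "IndicatorItem":
            continue
        context = content = None
        for child in item:
            if local_name(child.tag) == "Context":
                context = child
            elif local_name(child.tag) == "Content":
                content = child
        if content is None or not content.text:
            continue
        value = content.text.strip().lower()
        ctype = content.get("type", "")
        search = context.get("search", "") if context is not None else ""
        if ctype == "IP" and IPV4_RE.match(value):
            ips.add(value)
        elif "DNS" in search:  # assumption: DNS indicators carry a Network/DNS search path
            fqdns.add(value)
    return ips, fqdns


def base_domain(hostname):
    """Reduce a hostname to its registrable base domain, honouring multi-label suffixes."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_base_domain(url):
    """Base domain of the host in a full URL as logged by a firewall, or None."""
    host = urlparse(url).hostname
    return base_domain(host) if host else None


def build_reference_set(xml_text):
    """Produce the two sets one would load into QRadar: IPs and base domains."""
    ips, fqdns = extract_indicators(xml_text)
    return ips, {base_domain(f) for f in fqdns}


def url_matches(url, domain_set):
    """The rule test the answer describes: base domain of the URL contained in the set."""
    bd = url_base_domain(url)
    return bd is not None and bd in domain_set


if __name__ == "__main__":
    ips, domains = build_reference_set(SAMPLE_IOC)
    print("IPs:", sorted(ips))
    print("Base domains:", sorted(domains))
    for u in ("http://host1.example.com/index.html", "http://example.org/"):
        print(u, "->", url_matches(u, domains))
```

Loading the two sets into separate reference sets keeps the IP rule and the domain rule independent, and normalising both the reference data and the extracted custom property to base domains is what makes "host1.example.com" in a URL match "example.com" in the set.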
Re: This does look challenging. (2013-02-21T14:06:14Z)
This does look challenging. The DNS requests in QFlow payloads aren't pretty. I believe I have seen extra spaces and periods, but I will double check. Firewall logs show the full URL in a pretty standard format and are already parsed; the difficulty will be extracting the domain from the full URL for the reasons you mentioned. I'm going to work on the IP list before I start moving to DNS/URLs. It would be great if we could get some good DNS logs, but I haven't yet found an easy way to do that.
Posted By Derek Thomas
Re: Thanks for this script! I (2013-02-21T14:09:29Z)
Thanks for this script! I didn't have a chance to rip one out. It would still be cool if we could import .ioc files into QRadar.
Posted By Derek Thomas