Run DNS forensics with QRadar's big data security extension

Combine QRadar, X-Force IP Reputation Feed, and InfoSphere BigInsights to deliver DNS-based forensics system


As organizations open up their networks to devices and increased social media access, traditional security defenses such as firewalls and antivirus software can't adequately protect an organization. According to a recent IBM X-Force Trend and Risk Report, social engineering attacks and mobile exploits have increased each year since 2011. Firewalls and traditional security products do little against advanced threats that use unreported techniques, or that have already invaded an organization.

In this video, I demonstrate how to make the QRadar SIEM tool work better at providing you tighter, more intelligent DNS and IP access security.

  • The QRadar big data extension (an InfoSphere® BigInsights™ engine)
  • The IBM Security X-Force IP Reputation Intelligence Feed
  • A whois parsing service

How X-Force and QRadar work together

The IBM Security X-Force IP Reputation Intelligence Feed delivers insight into suspect entities on the Internet that is based on knowledge of more than 15 billion web pages and images. The X-Force IP Reputation Feed provides QRadar with a real-time list of potentially malicious IP addresses that include malware hosts, spam sources, among other threats.

The feed adds dynamic Internet threat data to the analytical capabilities of the QRadar Security Intelligence Platform, enriching QRadar's threat analysis capabilities with up-to-the-minute data. It:

  • Automatically feeds X-Force data into QRadar.
  • Provides vulnerability coverage across a wide range of use cases.
  • Uses IBM X-Force's proven data collection efforts and extensive knowledge base.

Using QRadar's big data extension

In the video demo, I illustrate QRadar's big data extension by doing a little DNS forensics and show you how to get more information out of DNS BIND. (BIND is one of the most widely used pieces of DNS software on the Internet. Also known as named (name daemon), it is considered the de facto standard DNS server.

My goal is to take a list of all the domains visited by all employees and correlate it with the IBM Security X-Force IP Reputation Intelligence Feed and registrar information for each of those domains from From this analysis, I show you how to produce three reference sets that you can feed into QRadar to create or modify existing rules.

Normal DNS BIND gathers about the same limited information as ping. But if you do a whois, you get a wealth of information:

  • Registrar
  • When registered and registration expiration
  • Registrant name and address
  • Admin name, admin address, and phone

This information can add to your security layer: Often attackers register a domain for starting an attack. If your security system can add the registration date to its assessment, it can flag recently registered domains as suspicious.

Other pieces of information also occur that can enhance your security efforts, such as:

  • Valid registrant and admin names
  • Valid registrant and admin addresses
  • Valid postal code that is correct for the city/state
  • Valid phone number and the area code for the calling area

And probably most importantly, does this pattern of names, addresses, and phone numbers correlate with previously known risky domains.

In the demo, I show you how to take all the raw logs that my users pass through when they go on the Internet and have QRadar process them. With the QRadar custom properties standard procedure, I extract the massive list of all the domains that were accessed.

See how QRadar tags the list data with geographic location, the user who accessed the domain, and other details. QRadar then converts that information into the JSON format (JavaScript Object Notation) and forward it into the new QRadar big data extension, an InfoSphere BigInsights engine. This data is highly unstructured data, so the BigInsights engine is the component that processes it. I then access the generated knowledge from the big data extension by using a service,

The Whois API Hosted Webservice returns well-parsed whois fields to your application in formats like XML and JSON per http request without query limits. The service can:

  • Automatically follow the whois registry referral chains until it finds the correct registrars for the most complete data.
  • Parse a variety of free-form whois data into well-structured fields (in XML and JSON) that your application can read.
  • Parse out the name, organization, street, city, state/province, postal code, phone number, and fax from a free-form human-written contact address.
  • Work over basic HTTP so you don't run into problems that are related to firewalls or accessing Whois servers on port 43.
  • Return an indication of whether a domain is available.
  • Return registry dates in their original format and in a normalized format.

Next, I take the resulting data and combine it with the IBM Security X-Force IP Reputation Intelligence Feed. Every eight hours, I process this data into three different reference sets:

  • Risky users
  • Risky domains
  • Risky IPs

Watch the video to see the process in action and the results.

Downloadable resources

Related topics

Zone=Security, Data and analytics
ArticleTitle=Run DNS forensics with QRadar's big data security extension