Configuring the QRadar DNS Analyzer app settings
Before you can configure the IBM® QRadar DNS Analyzer app settings, you must create an authentication token for the QRadar DNS Analyzer app.
You must have QRadar® administrator privileges to configure the QRadar DNS Analyzer app.
Before you begin
Open the Admin
- In IBM QRadar V7.3.0 or earlier, click the Admin tab.
- In IBM QRadar V7.3.1 and later, click the navigation menu, and then click Admin to open the admin tab.
Click the IBM QRadar DNS Analyzer Settings icon in the
The IBM QRadar DNS Analyzer Settings dialog box opens.
- In the QRadar Settings section, click Manage Authorized Services.
- Click the row that contains the service you created and then select and copy the token string from the Selected Token field in the menu bar.
- In the IBM QRadar DNS Analyzer Settings window, paste the authorized service token string into the Token field.
In the Proxy Settings section, configure the
Select to enable Proxy.
Select the type of secure protocol you want to use for your proxy.
If the application server uses a proxy server to connect to the internet, type the URL for the proxy server.
Type the port number for the proxy server.
If your proxy server requires a user name and password, select this option.
- User name - Type the user name for the proxy server. You must use a user name to use an authenticated proxy.
- Password - Type the password for the proxy server. You must use a password to use an authenticated proxy.
- Optional: In the Analytic Settings section, configure the following settings:
- Processing - Detects domain names that are closely related to a trademark, brand, or popular website.
- Local Events - Creates Domain Squatting events.
- Processing - Detects Domain name Generated by Algorithm (DGA). DGA is commonly used in phishing kits to generate a random and unique domain name. By default, it is always enabled.
- Local Events - Enable this option to create DGA events.
- Processing - Detects Domain names with negative reputation. By default, it is always enabled.
- Local Events - Creates Deny list events.
- Processing - Detects domain names that use data encoded in DNS queries and responses.
- Local Events - Creates Tunneling events.
- Optional: In the Tunneling Settings section, configure the following settings:
Sets the value for how many differing subsequent sub-domains for a given hash must be detected in order to generate a tunneling event.
Subdomain Minimum Length
Sets the minimum character length a subdomain must be in order to be processed by the tunneling analytics.
- Click Save Configuration.
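The following added example (not IBM code, and not the app's actual algorithm) illustrates how the two Tunneling Settings interact: a count of differing subdomains needed to raise an event, and a minimum subdomain length below which names are not analyzed. It assumes the "hash" groups queries by parent domain; the function names and sample queries are hypothetical.

```python
from collections import defaultdict

def split_name(qname):
    """Split a query name into (parent domain, subdomain part).
    Assumption: the parent is the last two labels; production code
    would use a public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def tunneling_events(qnames, threshold, min_length):
    """Return parent domains, in order, once `threshold` distinct
    subdomains of at least `min_length` characters have been seen."""
    seen = defaultdict(set)
    fired = []
    for qname in qnames:
        parent, sub = split_name(qname)
        if len(sub) < min_length:
            continue  # below Subdomain Minimum Length: not analyzed
        seen[parent].add(sub)
        if len(seen[parent]) >= threshold and parent not in fired:
            fired.append(parent)
    return fired

# Constructed sample queries (reserved example domains, made-up labels).
SAMPLE = [
    "www.example.org", "mail.example.org", "cdn1.example.org",
    "mzxw6ytboi2dgnrq.example.net", "cdn2.example.org",
    "gezdgnbvgy3tqojq.example.net", "www.example.org",
    "mfrggzdfmztwq2lk.example.net", "gezdgnbvgy3tqojq.example.net",
]

if __name__ == "__main__":
    # Long minimum length: only the encoded-looking names are counted.
    print(tunneling_events(SAMPLE, threshold=3, min_length=12))
    # Short minimum length: ordinary host names also reach the threshold.
    print(tunneling_events(SAMPLE, threshold=3, min_length=4))
```

With a minimum length of 12, only example.net is reported; lowering it to 4 also reports example.org, whose ordinary host names then count toward the threshold.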