Configuring the QRadar DNS Analyzer app settings

Before you can configure the IBM® QRadar DNS Analyzer settings, you must create an authentication token for the QRadar DNS Analyzer app.

Before you begin

You must have QRadar® administrator privileges to configure the QRadar DNS Analyzer app.

Procedure

  1. Open the Admin settings:
    • In IBM QRadar V7.3.0 or earlier, click the Admin tab.
    • In IBM QRadar V7.3.1 and later, click the navigation menu icon, and then click Admin to open the Admin tab.
  2. Click the IBM QRadar DNS Analyzer Settings icon in the Plug-ins section.
    The IBM QRadar DNS Analyzer Settings dialog box opens.
  3. In the QRadar Settings section, click Manage Authorized Services.
  4. Click the row that contains the service you created and then select and copy the token string from the Selected Token field in the menu bar.
  5. In the IBM QRadar DNS Analyzer Settings window, paste the authorized service token string into the Token field.
  6. Optional: In the Proxy Settings section, configure the following settings:
    • Use Proxy - Select to enable the proxy.
    • HTTPS/SOCKS5 - Select the type of secure protocol you want to use for your proxy.
    • Hostname - If the application server uses a proxy server to connect to the internet, type the URL for the proxy server.
    • Port - Type the port number for the proxy server.
    • Enable Authentication - If your proxy server requires a user name and password, select this option.
      • User name - Type the user name for the proxy server. A user name is required to use an authenticated proxy.
      • Password - Type the password for the proxy server. A password is required to use an authenticated proxy.
  7. Optional: In the Analytic Settings section, configure the following settings:
    • Squatting
      • Processing - Detects domain names that are closely related to a trademark, brand, or popular website.
      • Local Events - Creates Domain Squatting events.
    • DGA
      • Processing - Detects domain names generated by a domain generation algorithm (DGA). DGAs are commonly used in phishing kits to generate random, unique domain names. By default, it is always enabled.
      • Local Events - Enable this option to create DGA events.
    • Deny list
      • Processing - Detects domain names with a negative reputation. By default, it is always enabled.
      • Local Events - Creates Deny list events.
    • Tunneling
      • Processing - Detects domain names that carry data encoded in DNS queries and responses.
      • Local Events - Creates Tunneling events.
  8. Optional: In the Tunneling Settings section, configure the following settings:
    • Hit Threshold - Sets how many differing subsequent subdomains must be detected for a given hash before a tunneling event is generated.
    • Subdomain Minimum Length - Sets the minimum character length a subdomain must have to be processed by the tunneling analytics.
  9. Click Save Configuration.
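The following Python script is an added illustration of how the two Tunneling Settings above interact; it is not the QRadar DNS Analyzer's own code and does not reproduce its analytics. It assumes that the "given hash" is a hash of the registered base domain (taken here as the last two labels of the query name), that "subdomain" means everything to the left of that base domain, that "differing" means distinct, and that an event fires once the count of distinct qualifying subdomains reaches the threshold. The DNS query names in SAMPLE_QUERIES are constructed for the example.

```python
"""Hit Threshold / Subdomain Minimum Length modelled over DNS query names.

Added example, not the QRadar DNS Analyzer's code. The helper names
(split_name, domain_key, detect_tunneling) are this example's own.
"""
import hashlib
from collections import defaultdict

# Constructed sample of query names as a resolver log might show them.
# The *.exfil.example.net names use long, varying labels, the shape that
# the tunneling analytic is designed to surface.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBh.exfil.example.net",
    "c2VnbWVudCB0d28gb2YgdGhlIGRh.exfil.example.net",
    "dGEgc3RyZWFtIGJlaW5nIG1vdmVk.exfil.example.net",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBh.exfil.example.net",  # repeat: not "differing"
    "b3V0IG9mIHRoZSBuZXR3b3JrIHZp.exfil.example.net",
    "YSBETlMgcXVlcmllcw.exfil.example.net",
    "short.example.org",
    "a.example.org",
]


def split_name(qname):
    """Return (subdomain, base_domain).

    Assumption: the base domain is the last two labels; a real deployment
    would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def domain_key(base_domain):
    """Per-domain tracking key.

    Assumption: the page refers to 'a given hash'; SHA-256 of the base
    domain is used here as a stand-in for whatever the product hashes.
    """
    return hashlib.sha256(base_domain.encode()).hexdigest()


def detect_tunneling(qnames, hit_threshold=5, subdomain_min_length=20):
    """Return one event per base domain whose count of distinct subdomains
    of at least subdomain_min_length characters reaches hit_threshold."""
    seen = defaultdict(set)  # hash key -> distinct qualifying subdomains
    base_of = {}             # hash key -> readable base domain for the event
    for qname in qnames:
        sub, base = split_name(qname)
        # Subdomain Minimum Length: shorter subdomains are never processed.
        if len(sub) < subdomain_min_length:
            continue
        key = domain_key(base)
        base_of[key] = base
        seen[key].add(sub)

    events = []
    for key, subs in seen.items():
        # Hit Threshold: enough differing subdomains under one hash.
        if len(subs) >= hit_threshold:
            events.append({"domain": base_of[key],
                           "distinct_subdomains": len(subs)})
    return events


if __name__ == "__main__":
    for event in detect_tunneling(SAMPLE_QUERIES):
        print(f"tunneling event: {event['domain']} "
              f"({event['distinct_subdomains']} distinct subdomains)")
```

Raising the hit threshold above the number of distinct subdomains, or raising the minimum length above the longest subdomain seen, silences the event; that is the trade-off the two settings control, between catching low-volume tunnels and generating events for ordinary hosts with many short subdomains.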