What's new in the QRadar DNS Analyzer app

Learn about the new features in each IBM® QRadar DNS Analyzer app release.

Version 2.0.3

  • Updates to improve security.
  • Fixed compatibility issues for QRadar® 7.5 Update Package 8 and later.

Version 2.0.2

  • Fixed an issue where configuration files might reset on a container restart.
  • Fixed an issue that caused the app configuration page to be inaccessible after you disable the analytics.
  • Updates to improve security.

Version 2.0.1

Updated Squatting and DGA Analytics to resolve multiple known squatting false-positives.

Version 2.0.0

The DNS Analyzer app is upgraded to use version 2 of the App Framework SDK.

Version 1.5.0

Version 1.5.0 includes the following new features and improvements:

  • Improved Squatting and DGA analytics.
  • Squatting analytics enabled by default on new installs.

Version 1.4.7

Version 1.4.7 includes the following new features and improvements:

  • Additional cleanup for saved searches.
  • Updated the dns_flow_flag property definition.

Version 1.4.6

Version 1.4.6 includes the following new features and improvements:

  • Performance improvement settings to enable or disable collecting data for analytics for both events and flows.
  • Tunneling analytics settings for event threshold and minimum subdomain length.
  • Support for QRadar on Cloud.
  • Squatting Brand visibility custom event property updates.
  • Added new search view: DNS Analyzer - Traffic, Events.

Version 1.4.4

Version 1.4.4 includes the following new features and improvements:

  • Added the ability to improve performance by enabling INDEXING with the admin account. For more information, see Enabling QRadar DNS Analyzer support for INDEXING.
  • Added the ability to disable unused event or flow interfaces.
  • Improved the quality of Squatting Analytics, based upon the access to the latest X-Force Threat Intelligence feed.
  • Fixed an Out of Memory error that occurred when searching without INDEXING.
  • Fixed an issue where DNS Analyzer counters did not update automatically because of an error with Ariel communications or database initialization.
  • Fixed an issue that caused user search results to disappear too early due to competing DNS Analytics activity.

Version 1.4.3

Version 1.4.3 includes the following new features and improvements:

  • Fixed compatibility issue with QRadar 7.3.2 patch 3 release.
  • Improved Blacklist and Whitelist processing when adding or removing domains to take effect immediately.
  • Updated the accuracy of DNS Tunneling detection based on the specific Resource Record types in use.
  • Eliminated confusing log errors and warnings occurring when no DNS events are currently available to process.
  • Corrected a software crash caused by processing certain overly long URLs as domain names.
  • Improved the extraction of domain names from URLs.

Version 1.4.2

Version 1.4.2 includes the following new features and improvements:

  • Added DSM support for Fortinet FortiGate Security Gateway.
  • Improved event processing performance for supported QRadar devices.
  • Improved DNS flow parsing.
  • Improved memory usage when generating malicious domain events.
  • Added "UNKNOWN" trace label (formerly "0i") to the Request Types volumetrics graph.

Version 1.4.1

Version 1.4.1 includes the following new features and improvements:

  • Fixed a stability issue in version 1.4.0 that can cause the dashboard metrics to display as 0 (zero).
    Note: If all dashboard metrics start to display 0 (zero), you must uninstall DNS Analyzer version 1.4.0 before you can install version 1.4.1.
  • Removed Domain Profile and Top Domain List from the DNS Analyzer dashboard. Day and week display intervals are supported.

Version 1.4.0

Version 1.4.0 includes the following new features and improvements:

  • Added DNS traffic charts to the DNS Analyzer dashboard.
  • Only QRadar Pulse Dashboard V2.12 and later is supported by the QRadar DNS Analyzer app.
  • Added a feature to indicate if the required X-Force Threat Intelligence feed is disabled in QRadar.

Version 1.3.0

Version 1.3.0 includes the following new features and improvements:

  • Added feature: DNS Tunneling detection.
  • Added support for QRoC (QRadar on Cloud).
  • Added support for the new QNI format in QRadar 7.3.1 Patch 5.
  • Added DSM support: BlueCat Networks Adonis DNS Server.
  • Added DSM support: Cisco IronPort Web Security Appliance.
  • Added DSM support: Check Point Firewall.
  • Enabled "Process only newly observed domains" by default.
  • Disabled Squatting event reporting by default.
  • Fixed an issue where Chart Filters caused the app to crash.
  • Fixed an issue where the timestamp was incorrect in MDD and UAMD events.

Version 1.2.1

Version 1.2.1 includes the following new features and improvements:

  • Improved the domain detection efficacy of DGA and Squatting.
  • Added DSM support: McAfee Web Gateway.
  • Added DSM support: Microsoft DNS Debug.
  • Fixed an issue that caused the Ariel database to overload.

Version 1.2.0

Version 1.2.0 includes the following new features and improvements:

  • GDPR compliant.
  • Integration support for the IBM QRadar User Behavior Analytics (UBA) app and IBM QRadar Pulse app.
  • Domain filtering (whitelist and blacklist) configuration settings.
  • Proxy configuration settings for outbound traffic.
  • Support for X-Force Threat Intelligence feed for domain categorization and filtering.
  • DGA Domains detection and analytics.
  • Squatting Domains detection and analytics.
  • Sorting capability for DGA/SQUATTING/BLACKLIST/User Accessed Malicious domain events by source IP.
  • DGA/SQUATTING/BLACKLIST/User Accessed Malicious domain event list.
  • DGA/SQUATTING/BLACKLIST/User Accessed Malicious domain event creation and CRE response through QRadar.
  • Configuration settings for enabling and disabling a specific analytic or event type.
  • Identified and improved the performance benchmark for the analytics pipeline.