IBM Support

QRadar: DNS Lookups for Assets and Asset Details

Question & Answer


Question

How does QRadar leverage DNS?

Answer

There is often confusion about DNS hostname lookups in QRadar as they relate to Asset Profiles. The purpose of this technical note is to clear up where and when QRadar performs DNS lookups.


There are three separate DNS name lookup features in QRadar SIEM (items 1 to 3 below), followed by a note on resolving the QRadar appliances' own hostnames (item 4):

1. Right-Click DNS Lookups
IP addresses in QRadar include a right-click menu that includes a DNS Lookup option. This option is available anywhere an IP address is displayed in the user interface. When a user selects DNS Lookup, this option runs the 'dig' or 'host' command in the background and displays the output to the user.


Figure 1: DNS Lookup right-click from the Log Activity tab in QRadar.


2. Asset Identity
If the identity data includes a hostname for a given asset, then that hostname is displayed in the asset summary list and also in the asset details page. This DNS lookup is done automatically as the Asset Profiler receives event information that contains identity. By default, DNS lookups for host identity are enabled in QRadar.

Hostname lookups occur whenever a DSM provides identity updates to the back-end. Typically, this only happens for authentication, DHCP, or VPN events, since these DSMs create a large number of identity events to provide to the back-end. Depending on the log sources that you have configured for QRadar, this might mean that the identity data is very sparse.

TIP: A quick way to determine what event data includes identity is to add a filter for "Has Identity = True" on the Log Activity tab. When you view the event details screen, the identity information is the last table displayed. The identity information that appears in the last table is passed to the Asset Profiler in QRadar, which is responsible for updating the Asset tab from the event data.

To review this setting, in QRadar 7.2.4 or higher:
  1. Click the Admin tab.
  2. Click the Asset Profiler Configuration icon.
  3. Review the setting of the Enable DNS Lookups for Host Identity field.

    Figure 2:


To review this setting, in QRadar 7.2.3 or lower:
  1. Click the Admin tab.
  2. Click the Console Settings icon.
  3. Review the setting of the Enable DNS Lookups for Host Identity field.



3. Asset Details
In the asset details (double-click from the summary list), the hostname from the identity data is displayed if available. If it is not available, then the user interface may optionally perform the lookup while displaying the page. Whether this real-time lookup is performed is controlled by the "Enable Real-Time DNS Lookups for Asset Profiles" option under the Asset Profiler Configuration. Enabling this extra lookup can cause the Asset Details page to render more slowly than normal, because the page waits for the DNS response; the slower or less reachable the console's DNS resolver is, the longer the wait. This option affects only the detail page; the summary list is unaffected. By default, QRadar attempts to complete a DNS lookup in real time for asset profiles.

To review this setting, in QRadar 7.2.4 or higher:
  1. Click the Admin tab.
  2. Click the Asset Profiler Configuration icon.
  3. Review the setting of the Enable Real-Time DNS Lookups for Asset Profiles field.


To review this setting, in QRadar 7.2.3 or lower:
  1. Click the Admin tab.
  2. Click the Console Settings icon.
  3. Review the setting of the Enable DNS Lookups for Asset Profiles field.


4. Resolving QRadar Appliance Hostnames
If you want QRadar's own appliance IP addresses to resolve to host names, the appliances must be registered in DNS: a forward (A) record for each appliance name and a reverse (PTR) record for each appliance IP address, since the 'dig -x' and 'host' lookups that QRadar runs resolve an IP address through its PTR record. Consult with your DNS administrator to register the QRadar appliance names and IP addresses.
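As an added example that is not part of the IBM page, the following POSIX shell script runs the same kind of 'dig' lookups that the right-click DNS Lookup option runs (item 1), but for a list of QRadar appliance addresses, and reports for each one whether the PTR record and the forward A record agree (item 4). The function names and the REVERSE_FN / FORWARD_FN override hooks are assumptions made for this example so the checking logic can be exercised without network access; with the defaults it calls 'dig' on the machine it runs from, so run it from the QRadar console to see what the console's resolver returns.

```shell
#!/bin/sh
# Added example (not IBM code): verify forward/reverse DNS consistency for
# QRadar appliance IP addresses using dig, the tool QRadar runs for its
# right-click DNS Lookup.
#
# Usage: sh check_appliance_dns.sh 10.0.0.5 10.0.0.6 ...
# Exit status of check_appliance is 0 when the PTR name resolves back to the IP.

# Reverse lookup: print the first PTR name for an IP, trailing dot removed.
reverse_lookup() {
    dig +short -x "$1" | sed 's/\.$//' | head -n 1
}

# Forward lookup: print the A records for a host name, one per line.
forward_lookup() {
    dig +short "$1" A
}

# Check one appliance IP. REVERSE_FN / FORWARD_FN are hypothetical hooks
# that default to the dig-based functions above; a test can point them at
# stub functions to run offline.
check_appliance() {
    ip=$1
    name=$("${REVERSE_FN:-reverse_lookup}" "$ip")
    if [ -z "$name" ]; then
        # No PTR record: the console will show the bare IP everywhere.
        echo "MISSING-PTR $ip"
        return 1
    fi
    # The PTR name must resolve forward to the same IP (grep -x: whole line).
    if "${FORWARD_FN:-forward_lookup}" "$name" | grep -qx "$ip"; then
        echo "OK $ip $name"
        return 0
    fi
    echo "MISMATCH $ip $name"
    return 1
}

# Check every IP given on the command line; report each, keep going on failure.
for ip in "$@"; do
    check_appliance "$ip" || true
done
```

A MISMATCH line means the name the PTR record returns does not resolve back to the appliance address, which is exactly the inconsistency that leaves a mix of names and raw IPs in the Asset tab; fix the record with the DNS administrator rather than on the QRadar side.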


Applies to: IBM Security QRadar SIEM versions 7.2.8, 7.3.1, 7.3.2, 7.3.3 (All Editions), Linux platform. Category: QRadar->Assets.

Document Information

Modified date:
02 April 2020

UID

swg21690480