IBM Support

QRadar: DNS Analyzer stops processing flows after QRadar 7.4.1

Troubleshooting


Problem

When using DNS Analyzer version 1.4.6 on QRadar® 7.4.1 or later, DNS records in flows are no longer processed correctly.

Symptom

After updating to QRadar 7.4.1 or installing DNS Analyzer 1.4.6 on QRadar 7.4.1 or later, DNS statistics on flows no longer increase, and flows are not properly processed.

Diagnosing The Problem

Previous versions of the DNS Analyzer used a field in the QRadar Ariel database that is now deprecated.

To check if this field is being used, review the dns_flow_flag Custom Flow Property.
  1. Go to the QRadar web interface Admin tab.
  2. Under the Data Sources section, open the Custom Flow Properties page.
  3. View the Expression for the dns_flow_flag property.
[Figure: the dns_flow_flag property as shown on the Custom Flow Properties page]
If the Expression for the dns_flow_flag property references the older "dns response" field, the property must be modified as described under Resolving The Problem.

Resolving The Problem

You will need to make modifications to the custom flow property added by DNS Analyzer.
  1. Log in to the QRadar UI and go to the Admin tab.
  2. Under the Data Sources section, open the Custom Flow Properties page.
  3. Edit the dns_flow_flag property.
  4. Change the AQL Expression field.
    From:
    IF "dns response"=NULL THEN 0 ELSE 1
    To:
    IF "dns response code"=NULL THEN 0 ELSE 1
  5. Click "Save" to save the property changes.
Note: If an index has been enabled for the dns_flow_flag property, it may be necessary to remove and re-add the index to reflect the change properly.
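To confirm that the corrected property is populated, the following AQL queries can be run from Advanced Search on the Network Activity tab. They are added here as an example and are not part of the IBM document; they assume the property is still named dns_flow_flag and that the flow field "dns response code" is available on your release.

```sql
-- Constructed check: after the fix, flows with a DNS response code
-- should be counted under dns_flow_flag = 1. If every row reports
-- dns_flow_flag = 0 while DNS traffic is present, the property
-- expression (or its index) has not been updated.
SELECT dns_flow_flag, COUNT(*) AS flow_count
FROM flows
GROUP BY dns_flow_flag
LAST 1 HOURS

-- Spot-check the raw field the new expression relies on; these rows
-- should all carry dns_flow_flag = 1 once the property is saved.
SELECT sourceip, destinationip, "dns response code", dns_flow_flag
FROM flows
WHERE "dns response code" IS NOT NULL
LAST 1 HOURS
```

If the second query returns rows but the first reports no flows with dns_flow_flag = 1, remove and re-add the index on dns_flow_flag as described in the note above.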


Document Location

Worldwide


Document Information

Modified date:
22 February 2021

UID

ibm16253289