IBM Support

QRadar: DNS Analyzer app and DSM support for custom event properties

Question & Answer


Question

How do you update a Device Support Module (DSM) to parse information using custom event properties for the IBM QRadar DNS Analyzer app?

Answer

Overview

Custom event properties can be used in a Device Support Module (DSM) to extract values from device event logs for non-normalized fields in IBM QRadar. By default, QRadar normalizes data from the event logs and populates the user interface with certain data, including user names, source IP, destination IP, ports, and so on. Since there is no normalized property for storing domain name data in QRadar, the IBM QRadar DNS Analyzer app uses the standard URL custom event property included in IBM QRadar. Likewise, since there is no normalized property for storing DNS Request Types, DNS Analyzer uses a DNS Request Type custom event property.


The following workflow describes how custom event properties are processed by the IBM QRadar DNS Analyzer app:

  1. The device DSM that is deployed on the user network either includes or is updated to parse domain name information and DNS request type information into the URL and DNS Request Type custom event properties.
  2. Logs forwarded from the deployed device to the IBM QRadar console are parsed by the updated DSM and domain name data is stored in the URL custom event property, and DNS request type data is stored in the DNS Request Type custom event property.
  3. The IBM QRadar DNS Analyzer app queries the IBM QRadar console for logged events where the URL custom event property is populated, by checking the dns_event_flag indexable custom event property.
  4. The queried domain names are processed by the IBM QRadar DNS Analyzer app, and, if populated, the DNS Request Type value is displayed on the app dashboard statistics, otherwise UNKNOWN is displayed.
 

How to update a DSM with custom event property support

The standard DSM for any device can be updated by an administrative user through the DSM Editor to add support for the URL and DNS Request Type custom event properties, provided the administrator can determine the regular expression (regex) that extracts domain data from the logs of the targeted device.

Update procedures

For example, you can add URL custom event property support for Microsoft Windows DNS servers where Request Logging has been enabled. The following workflow describes how to add a custom event property to parse URLs for the Microsoft DNS Debug log source type:

  1. Open the DSM Editor from the IBM QRadar admin page and choose the Microsoft DNS Debug log source type for editing.
  2. In the Properties tab, click the plus sign icon (+) to add a custom property, choosing URL from the displayed list.
  3. Click the new URL property added to the Properties tab to edit it.
  4. Add the regex Question Name=(\S+) to the Expression input field and enter "1" in the Capture Group field.
  5. Click the OK button to confirm the edit and then click Save to update the DSM.

    Results
    The custom event property is created for the log source type. When you view the event details page in QRadar, your custom property is displayed in the user interface with the notation (custom). Wherever you see (custom) in the user interface, the data associated with the value is a custom property in QRadar.
    If the event payloads for the event source contain DNS Request Type information, a DNS Request Type custom event property can also be added for the event source. Not all event sources provide DNS Request Type information in the event payload, especially if the event does not originate from a DNS server. If no DNS Request Type information is available for the event, or the custom event property is not properly added for the event source, the request type is displayed as 'UNKNOWN' in the DNS Analyzer app dashboard statistics.
 

Content packs that add URL Custom Properties

Content packs can contain custom properties, rules, searches, and other valuable content that extends the core capabilities of QRadar for administrators. A good practice for administrators is to confirm that apps and content packs are up to date, because a content pack may contain important parsing updates or optimizations.

The following list includes applications or content extensions for QRadar that contain the URL custom event property.

A. When you install the IBM QRadar DNS Analyzer app, it adds a URL custom property for the following DSMs:

  • ICS Bind DNS / InfoBlox DNS
  • Apache Web Proxy
  • Squid Web Proxy
  • BlueCat Networks Adonis
  • McAfee Web Gateway
  • Microsoft DNS Debug

The IBM QRadar DNS Analyzer app additionally adds a DNS Request Type custom property for the following DSMs:

  • ICS Bind DNS / InfoBlox DNS
  • Microsoft DNS Debug
  • BlueCat Networks Adonis

Note that the added custom event properties may not match event payloads for every environment and product version. If existing custom event properties are not populated for a specific environment and the information is available in the event payload, new custom event properties can be added to match the event payloads for the site.


B. The following content packs can be downloaded and installed to add a URL custom event property for the following event sources if it does not already exist, such as on older versions of QRadar:

Note: A custom property can be included in a content pack, but be disabled by default. When a custom event property is disabled, the regular expression is not applied to parse the custom property from the event payload and this can lead to N/A values being displayed for the custom property. QRadar Support often recommends that administrators review custom properties to ensure they are enabled after adding content packs to QRadar.

C. Depending on the version, IBM QRadar may ship with a URL custom property in the following DSMs:

  • Blue Coat SG Appliance
  • Juniper Networks Secure Access VPN SSL
  • Check Point
  • Cisco IronPort
  • FireEye
  • Fortinet FortiGate Security Gateway
  • McAfee ePolicy Orchestrator
  • Microsoft Windows Defender ATP
  • Palo Alto PA Series
  • Pulse Secure Pulse Connect Secure
  • Symantec Endpoint Protection
 

TIP: Enabling XForce URL rule tests may cause performance issues for the QRadar DNS Analyzer app and generate "performance degradation" notifications in QRadar. Administrators can avoid performance issues by reducing the number of unique URLs being tested by the system. Each unique URL must be evaluated when it is contained within a rule test; however, not all data in the query string of the URL is useful. Removing unneeded URL parameters with your custom event property regular expression reduces system load, because only the security-relevant part of the URL is parsed. Administrators should evaluate the data and significance of the URLs being collected by the system and optimize them where appropriate.

For example, the following URL contains a non-human-readable query string for a document edit. Since this is not relevant security information, the URL can be truncated in the custom event property to the domain, path, and document.

Non-optimized URL: example.com/path/document?a=some_value,token=88r23182734sajd182weee71262ee
Optimized URL: example.com/path/document
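As an added illustration (not part of the IBM article or the DNS Analyzer app) of both the DSM Editor regex from the update procedure above and this URL-trimming tip, the following Python applies the page's Question Name=(\S+) expression to a constructed DNS payload and contrasts a capture that keeps the query string with one that stops at the first "?". The proxy payload layout, the "GET <url>" regex and all sample lines are constructed assumptions, not real QRadar events.

```python
import re

# Expression from the article's DSM Editor procedure for Microsoft DNS Debug:
# capture group 1 (the "1" entered in the Capture Group field) holds the name.
QUESTION_NAME_REGEX = re.compile(r"Question Name=(\S+)")

# Assumed proxy-style payload regexes for the optimisation tip. The unoptimised
# form keeps everything up to the next space, so the query string lands in the
# URL property; the optimised form stops at "?" or "#". The "GET <url>" layout
# is an assumption about the constructed sample line below.
UNOPTIMIZED_URL_REGEX = re.compile(r"\bGET\s+(?:https?://)?(\S+)")
OPTIMIZED_URL_REGEX = re.compile(r"\bGET\s+(?:https?://)?([^?#\s]+)")


def apply_custom_property(payload, regex, group=1):
    """Mimic QRadar's custom event property extraction: run the regex over the
    payload and return the capture group, or None (rendered as N/A) on no match."""
    match = regex.search(payload)
    return match.group(group) if match else None


def optimize_url(url):
    """Reduce a URL to host + path by dropping scheme, query string and fragment,
    the same trimming the optimised regex performs at parse time."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return re.split(r"[?#]", url, maxsplit=1)[0]


# Constructed sample payloads; not real QRadar events.
DNS_SAMPLE = "CONSTRUCTED DNS event: Question Name=www.example.com. Type=A"
PROXY_SAMPLE = ("CONSTRUCTED proxy event: GET http://example.com/path/document"
                "?a=some_value,token=88r23182734sajd182weee71262ee 200")


if __name__ == "__main__":
    print(apply_custom_property(DNS_SAMPLE, QUESTION_NAME_REGEX))
    print(apply_custom_property(PROXY_SAMPLE, UNOPTIMIZED_URL_REGEX))
    print(apply_custom_property(PROXY_SAMPLE, OPTIMIZED_URL_REGEX))
    print(optimize_url("example.com/path/document?a=some_value,token=88r23182734sajd182weee71262ee"))
```

Every distinct query string would otherwise become a distinct URL for the rule test, which is why the optimised capture shrinks the set of unique URLs the XForce URL test has to evaluate.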




Where do you find more information?




Document Information

Modified date:
01 December 2020

UID

swg22017144