1. Introduction

Farsight Security DNSDB® is the world’s largest DNS intelligence database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts. Farsight collects Passive DNS data from its global sensor array. It then filters and verifies the DNS transactions before inserting them into the DNSDB, along with ICANN-sponsored zone file access download data. The end result is the highest-quality and most comprehensive DNS intelligence data service of its kind - with more than 100 billion DNS records since 2010.

This document is intended to help users how to download, install and configure the Farsight DNSDB App for IBM QRadar.

Farsight DNSDB App for IBM QRadar enables to accelerate incident response with its orchestration and automation capabilities to investigate and mitigate threats. The IBM QRadar users can view the DNS enriched data in the Offense summary page for the Offense Sources. This will help to speed up QRadar investigations and prioritise the offenses to investigate and identify the source of the suspected security breach for threat hunting.

Farsight DNSDB App allows the IBM QRadar users to perform Log activity investigation in real time by using the Right-click menu options.

2. Download

Following steps to be followed while downloading the Farsight DNSDB App.

Please note that you will need a active IBMid to download the Farsight DNSDB App for QRadar from IBM Security App Exchange portal.

3. Installation

Follow the procedures below to install the Farsight DNSDB App.

images: 01

images: 02

images: 03

4. Configuration

Once the app is installed, you will need to configure the extension as per your requirement. To do so, follow the steps below

images: 05

images: 06

images: 07

Farsight DNSDB App Settings

images: 08

images: 09

images: 10

images: 11

Automatic Offense Enrichment Settings

images: 12

images: 13

images: 14

images: 15

images: 16

images: 17

images: 18

images: 19

images: 20

5. Automated Threat Hunting

Farsight DNSDB App enables the IBM QRadar users to view the Farsight DNSDB Passive DNS Enrichment data in the Offense summary page for the Offense Sources of type Domain/IP Address.

For IBM QRadar Offenses with IP address as Offense Source, you will see “Farsight DNSDB RData” and “Farsight DNSDB Co-located IP’s” results in a tabular format.

For IBM QRadar Offenses with Domain as Offense Source, you will see “Farsight DNSDB RData”, “Farsight DNSDB RRSET” and “Farsight DNSDB Co-located Domains” results in a tabular format.

Note: The results returned will be based on your configuration settings.

To view the Farsight DNSDB Threat Lookup results on the Offense Summary Page, Go to “Offenses” tab from the menu options.

In order to investigate, Double-click any Offense, where Offense Source is either Domain or IP Address, You will see the Farsight DNSDB Enrichment data in the tabular format.

</dnsdb/dnsdb-apiv2/#rdata-lookups>

images: 23

images: 23

This lookup queries DNSDB’s RRSet index, which supports “forward” lookups based on the owner name of an RRSet.

</dnsdb/dnsdb-apiv2/#rrset-lookups>

images: 24

images: 25

images: 26

6. Manual Threat Hunting

Log Activity Investigation

Farsight DNSDB App enables the IBM QRadar users to perform Log activity investigation with Right-click menu options. When you right-click on IP Address/Domain fields in the log viewer or event viewer you will see “Lookup in Farsight DNSDB Scout” option, when you click it, this will redirect you to the “Farsight DNSDB Scout” Page, where you can make queries for the IP Address/Domain.

images: 27

images: 28

For any other fields apart from IP Address/Domain, select the Log Record in the log viewer or event viewer and click on “Lookup in Farsight DNSDB Scout” toolbar button, which opens a new window where you will see all the log record fields, you can click the desired field to lookup, which will redirect to the “Farsight DNSDB Scout” Page.

images: 29

images: 30

Threat Lookup via Dashboard

Farsight DNSDB App enables the IBM QRadar users to do Threat Lookup for user provided text irrespective of Log activity (or) offense Sources.

The next step is, go to “Farsight DNSDB Dashboard”, in the dashboard page provide any user provided text you want to search in Farsight DNSDB Scout.

images: 31

images: 33

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.