QRadar DNS Analyzer Courses (4):

IBM QRadar DNS Analyzer - Overview

This course provides an overview of IBM QRadar DNS Analyzer, which gives insight into your local DNS traffic by identifying malicious activity and allowing your security team to detect Domain Generation Algorithm (DGA), tunneling, or squatting domains that are accessed from within your network. The DNS Analyzer also provides options to filter domains using blacklists and whitelists.

The video defines prerequisites, and provides an architecture overview explaining how the application is integrated with IBM QRadar SIEM and IBM X-Force Exchange.

Utilizing QNI flows, or logs with domain information from other devices such as DNS servers, proxies, Apache web servers, or other BIND-compatible devices, you can detect and monitor outbound network traffic to potentially malicious sites. With the DNS Analyzer dashboard and drill-down capabilities, your team can identify DNS trends and investigate activity such as squatting attempts.

The application is also integrated with the IBM QRadar Pulse and IBM QRadar User Behavior Analytics apps.



Domain Generation Algorithm detection with QRadar DNS Analyzer

This course provides an overview of the Domain Generation Algorithm (DGA) and how IBM QRadar DNS Analyzer can help with early detection of that type of DNS traffic. A Domain Generation Algorithm is code that periodically generates a large list of domain names, typically used by botnets. The video also demonstrates how DNS Analyzer detects and reports on DGA domains.

Domain squatting detection with QRadar DNS Analyzer

This course provides an overview of the domain squatting technique and how IBM QRadar DNS Analyzer can help with early detection of that type of DNS traffic. Domain squatting is a technique used by hackers to register and use domains that are similar to a legitimate domain. Hackers use those domains to inject malware through phishing and other methods such as typo-squatting. The video also demonstrates how the DNS Analyzer app detects and reports on squatting domains.



Filtering DNS traffic with QRadar DNS Analyzer

The DNS Analyzer app uses two types of filters that improve the processing of its analytics algorithms. The first type of filter is based on the IBM X-Force Threat Intelligence feed, and the second is based on filtering lists built into DNS Analyzer, where you can add any domain to the whitelist or the blacklist. The video also demonstrates how the DNS Analyzer app reports a blacklisted domain.