Looks like I have URL Custom Properties Regex successfully pulling URLs from Bluecat DNS Query events.
So far, over the past few days - my only alerts are related to "Squatting via .googleapis.com" and "DGA via IMM2-.ddn" (I imagine the "IMM2-.ddn" are from misconfigured IBM IMM modules.)
Is there a way to whitelist some of these domains? Attempting "googleapis.com" is straightforward and appears to be a legit domain. Entering some wildcard to cover the various "imm2-*.ddn" fails. Is there a wildcard method to blacklist/whitelist?
Troy
Answer by ChentaLee (17) | Jun 14, 2018 at 02:26 PM
Hi Troy, the false positive in squatting detection could be remediated by updating the X-Force Threat Intelligence database on QRadar. One of the reasons that googleapis.com is flagged by the squatting module is that it has no category on X-Force Exchange. Once we fix it in the X-Force database, this false positive will go away. In the meantime, we are also improving our squatting analytics.
There is a custom domain blacklist and whitelist in DNS Analyzer. Go to the DNS Analyzer tab on the QRadar console, and you will see a table with two columns. Any domain in the whitelist will not trigger any analytic, and we will create a blacklist event when a domain in logs/flows is in the custom blacklist.
Chenta
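A small illustration of the dispositions Chenta describes (whitelisted names skip analytics, blacklisted names raise an event, everything else goes on to the squatting/DGA analytics), using glob wildcards like the `imm2-*.ddn` Troy asked about. This is an added example, not QRadar DNS Analyzer code; the list format, the blacklist-first precedence and the log lines are constructed assumptions.

```python
import fnmatch
import re

# Constructed sample lists (assumed format: one glob per entry; not QRadar's own)
WHITELIST = ["googleapis.com", "*.googleapis.com", "imm2-*.ddn"]
BLACKLIST = ["*.bad-example.test"]

# Pulls the queried name out of a BIND-style query log line
QUERY_RE = re.compile(r"query: (?P<name>[A-Za-z0-9.-]+) IN ")

# Constructed query log lines (not captured from a real Bluecat appliance)
SAMPLE_LOG = [
    "14-Jun-2018 10:01:02.123 client 10.0.0.5#5123: query: fonts.googleapis.com IN A +",
    "14-Jun-2018 10:01:03.456 client 10.0.0.9#4431: query: IMM2-7AB3C1.ddn IN A +",
    "14-Jun-2018 10:01:04.789 client 10.0.0.7#5521: query: c2.bad-example.test IN A +",
    "14-Jun-2018 10:01:05.012 client 10.0.0.8#6010: query: intranet.example.org IN AAAA +",
]

def normalize(name):
    """Lower-case and strip the trailing dot so 'Foo.COM.' and 'foo.com' compare equal."""
    return name.lower().rstrip(".")

def matches_any(name, patterns):
    """Glob match; note '*' also spans dots, so 'imm2-*.ddn' covers any IMM2 hostname."""
    n = normalize(name)
    return any(fnmatch.fnmatchcase(n, normalize(p)) for p in patterns)

def classify(name):
    """Assumption: blacklist is checked first so an explicit block always raises an event."""
    if matches_any(name, BLACKLIST):
        return "blacklist-event"
    if matches_any(name, WHITELIST):
        return "whitelisted"
    return "analyze"

def parse_query_names(lines):
    """Extract queried names; lines that do not look like query events are skipped."""
    return [m.group("name") for m in map(QUERY_RE.search, lines) if m]

def triage(lines):
    """Map each queried name in the log to its disposition."""
    return {name: classify(name) for name in parse_query_names(lines)}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG).items():
        print(f"{name:28} -> {verdict}")
```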