Cybersecurity Toolkit – What’s New!

The Cybersecurity Toolkit provides operators that are capable of analyzing DNS response records. The operators in this toolkit use machine learning models to analyze DNS traffic and report on suspicious behaviour.

The Cybersecurity Toolkit v2.0.0 includes new operators to further allow users to detect suspicious behaviour in their network as well as to better report on that behaviour. This release also makes a number of performance improvements and bug fixes to the existing operators, providing a faster and more stable toolkit.

As part of the v2.0.0 release, a number of changes were made to the v1.0.0 API that will require existing applications to be migrated. See the Cybersecurity Toolkit Migration Guide for details on migrating applications from v1.0.0 to v2.0.0 of the toolkit.

DNSTunneling Operator

DNS tunneling is a technique whereby data is transmitted and received through DNS query and response packets. Since DNS traffic is typically not blocked by network firewalls, users can use this technique to access blocked domains and transfer data between systems that they would otherwise not be allowed to access.

The DNSTunneling operator is a new operator in the v2.0.0 release of the Cybersecurity toolkit. The DNSTunneling operator analyzes DNS response traffic and reports suspicious behaviour that may indicate the presence of DNS tunneling in the network.

See the DNSTunneling Operator Knowledge Center page for more information.
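To make the behaviour concrete, here is an added example, in Python and not the DNSTunneling operator's model, that scores constructed DNS response records on a few indicators tunneled traffic tends to exhibit (long, high-entropy subdomain labels, record types that carry free-form payloads, oversized answers) and flags a parent domain whose responses keep scoring high. The sample records, the feature thresholds and the two-label notion of "registered domain" are all assumptions made for this example.

```python
"""Illustrative DNS-tunneling indicators over constructed DNS responses.

Added example, not the toolkit's machine learning model. The thresholds below
are assumptions chosen for the sample data, not tuned values.
"""
import math
from collections import defaultdict

# Constructed sample responses: (queried name, record type, response size in bytes).
# The *.tun.example.net names mimic hex-encoded payload labels under one parent.
SAMPLE_RESPONSES = [
    ("www.example.com", "A", 60),
    ("mail.example.com", "MX", 90),
    ("ns1.example.com", "A", 60),
    ("4a6f686e20446f65.kx9.tun.example.net", "TXT", 300),
    ("6c6f67696e3a726f6f74.kx9.tun.example.net", "TXT", 310),
    ("7061737377643a687531.kx9.tun.example.net", "TXT", 305),
    ("cdn.example.org", "CNAME", 80),
]

def shannon_entropy(text):
    """Bits per character; encoded payload labels sit well above dictionary words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name):
    """Return (subdomain part, registered domain). The last two labels are taken
    as the registered domain (an assumption; a public-suffix list is the robust choice)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_response(name, rtype, size):
    """Count how many tunneling indicators a single response trips (0..4)."""
    sub, _ = split_name(name)
    score = 0
    if len(sub) > 20:                  # unusually long subdomain part
        score += 1
    if shannon_entropy(sub) > 3.0:     # looks encoded rather than named
        score += 1
    if rtype in ("TXT", "NULL"):       # record types that carry free-form data
        score += 1
    if size > 250:                     # oversized answer for a simple lookup
        score += 1
    return score

def flag_domains(responses, threshold=3.0):
    """Average the per-response score per registered domain and return the
    domains whose average reaches the threshold."""
    per_domain = defaultdict(list)
    for name, rtype, size in responses:
        _, parent = split_name(name)
        per_domain[parent].append(score_response(name, rtype, size))
    return {d: sum(s) / len(s) for d, s in per_domain.items()
            if sum(s) / len(s) >= threshold}

if __name__ == "__main__":
    for domain, avg in flag_domains(SAMPLE_RESPONSES).items():
        print(f"suspicious: {domain} (mean indicator score {avg:.1f})")
```

Aggregating per parent domain rather than per query is the important design point: a single long TXT lookup is unremarkable, but a steady stream of them under one parent is what a tunnel looks like, and that is also where the false-positive cost of the thresholds shows up (CDNs and DNS-based service discovery can generate long labels too).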

QRadarSink operator

IBM QRadar is an enterprise security information and event management (SIEM) product. Its functions range from log management and anomaly detection to incident forensics, incident response and vulnerability management.

The QRadarSink operator enables Streams applications to send syslog messages and events to a QRadar host. The events are sent in LEEF format, a custom event format designed for IBM QRadar. By incorporating this operator into a Streams application, users can stream real-time events and alerts to QRadar, providing a consolidated dashboard for security monitoring.

See the QRadarSink Operator Knowledge Center page for more information.
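The following is an added example, not the QRadarSink operator's code, showing what a LEEF 1.0 event line looks like when it is built, wrapped in a syslog header and parsed back. It uses the commonly documented LEEF 1.0 layout (LEEF:1.0|Vendor|Product|Version|EventID| followed by tab-separated key=value attributes); the escaping rules, the vendor/product/event names and every field value are this example's own constructed choices.

```python
"""Build, syslog-frame and parse LEEF 1.0 event lines.

Added example, not the QRadarSink operator. Layout used (LEEF 1.0):
    LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
A literal '|' inside a header field is escaped as '\\|' and a literal '='
inside an attribute value as '\\='; tabs are not allowed in values because
they separate attributes. These escaping choices are this example's own.
"""
from datetime import datetime, timezone

LEEF_VERSION = "1.0"
DELIM = "\t"

# Constructed sample event (not real alert data).
SAMPLE_ATTRS = {
    "devTime": "2024-05-01T12:00:00Z",
    "src": "10.0.0.5",
    "dst": "198.51.100.7",
    "dstPort": 53,
    "cat": "DNS tunneling",
    "domain": "tun.example.net",
    "msg": "score=4",           # contains '=' to exercise value escaping
}
SAMPLE_WHEN = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

def _escape_header(field):
    return str(field).replace("\\", "\\\\").replace("|", "\\|")

def _escape_value(value):
    return str(value).replace("\t", " ").replace("=", "\\=")

def build_leef(vendor, product, version, event_id, attrs):
    """Return one LEEF 1.0 line for the given header fields and attributes."""
    header = "|".join(_escape_header(f) for f in (vendor, product, version, event_id))
    body = DELIM.join(f"{k}={_escape_value(v)}" for k, v in attrs.items())
    return f"LEEF:{LEEF_VERSION}|{header}|{body}"

def syslog_frame(leef_line, hostname, facility=1, severity=5, when=None):
    """Prefix the LEEF payload with an RFC 3164-style <PRI>timestamp host header."""
    pri = facility * 8 + severity
    when = when or datetime.now(timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {leef_line}"

def _split_header(text, sep, maxsplit):
    """Split on sep honouring backslash escapes; after maxsplit separators the
    remainder is returned raw (still escaped) so the body can be parsed separately."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if len(parts) == maxsplit:
            parts.append(text[i:])
            return parts
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    return parts

def parse_leef(line):
    """Parse a LEEF 1.0 line into its header fields and attribute dict."""
    head = _split_header(line, "|", 5)
    if len(head) != 6 or head[0] != f"LEEF:{LEEF_VERSION}":
        raise ValueError("not a LEEF 1.0 line")
    attrs = {}
    for pair in head[5].split(DELIM):
        if not pair:
            continue
        key, _, value = pair.partition("=")   # keys never contain '='
        attrs[key] = value.replace("\\=", "=")
    return {"vendor": head[1], "product": head[2], "version": head[3],
            "event_id": head[4], "attrs": attrs}

def demo():
    """Build the constructed sample event and parse it back (round trip)."""
    line = build_leef("ExampleCo", "Streams|DNS Monitor", "2.0.0",
                      "DNS_TUNNELING", SAMPLE_ATTRS)
    return line, parse_leef(line)

if __name__ == "__main__":
    line, parsed = demo()
    print(syslog_frame(line, "streams-host", when=SAMPLE_WHEN))
    print(parsed)
```

Note that parsing returns every attribute as a string (dstPort comes back as "53"); a consumer that needs typed fields has to convert them, which is exactly the sort of normalization a SIEM does on ingest.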

BWListTagger Updates and Changes

The BWListTagger has gone through a makeover in the v2.0.0 release of the Cybersecurity Toolkit. The following are the main features added to the operator:

Support for iterative and exact domain lookup

The BWListTagger operator in v2.0.0 adds a new parameter called domainSearchAlgo, which specifies the algorithm to use when searching for domains in the lookup table. The two algorithm options available are: exact and iterative.

When exact is specified, the operator looks for an exact match for the domain in the lookup table. For example, assume the domain “ibm.com” is added to the domain whiteList. In this case, only incoming domains with the value “ibm.com” will be tagged as whiteList. Any other domain (e.g. “us.ibm.com”) will be tagged as nonMatched.

When iterative is specified, the operator repeatedly removes labels from the front of the domain until a match is found. This is useful if you want to add a second-level domain to the lookup table and have the operator tag domains with any number of labels. For example, assume the domain “ibm.com” is added to the domain whiteList. In this case, all of the following domains will be tagged as whiteList:
– ibm.com
– us.ibm.com
– streams.ibm.com
– a.b.c.ibm.com

Nested custom output functions

The BWListTagger operator in v2.0.0 has been enhanced to support nested custom output functions. This feature allows you to call user-defined functions in the output clause alongside, or on the results of, the operator’s own output functions. Users can therefore post-process the results of the operator’s output functions without adding a downstream operator to perform the same task.

Here is an example of a user-defined function used together with the getDomainTags() operator output function:

// Collapse the list of per-domain tags into a single tag: blackList takes
// precedence over whiteList, and nonMatched is returned when neither is present.
BWListTag_e filterTags(list<BWListTag_e> tags)
{
    mutable BWListTag_e outTag = nonMatched ;
    if(has(tags, blackList))
      outTag = blackList;
    else if(has(tags, whiteList))
      outTag = whiteList;

    return outTag ;
}

composite BWExample {
  ...
  (stream<list<BWListTag_e> domainTags, BWListTag_e filteredDomTag> BW_OutStream) as BW_Op =
      BWListTagger(in_stream)
  {
      param
          domainAttr : domains ;
          blackDomainFile : "bwlist/DomainsBlackList.txt" ;
          whiteDomainFile : "bwlist/DomainsWhiteList.txt" ;
      output
          // filterTags() is applied directly to the result of the operator's output function
          BW_OutStream : domainTags = getDomainTags(),
            filteredDomTag = filterTags(getDomainTags()) ;
  }
  ...
}
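The following added example, written in Python rather than SPL and not the toolkit's implementation, models both parts of this section: the exact and iterative domainSearchAlgo lookup described above, and the tag-collapsing logic of the filterTags() output function. The white and black lists are constructed inline (the operator reads them from files). Two points are this example's own assumptions: that getDomainTags() yields one tag per domain in the input list, and that when a candidate name is on both lists, blackList wins, mirroring the precedence in filterTags().

```python
"""Reference model of BWListTagger's exact/iterative lookup and filterTags().

Added example, not the Cybersecurity Toolkit's SPL code. Assumptions: one tag
per input domain; blackList beats whiteList for the same candidate name;
iterative lookup strips labels down to the final label.
"""
from enum import Enum

class BWListTag(Enum):
    """Mirrors the page's BWListTag_e values."""
    nonMatched = "nonMatched"
    whiteList = "whiteList"
    blackList = "blackList"

def _normalize(domain):
    return domain.strip().rstrip(".").lower()

class BWListTagger:
    def __init__(self, white_domains, black_domains, domain_search_algo="exact"):
        if domain_search_algo not in ("exact", "iterative"):
            raise ValueError("domainSearchAlgo must be 'exact' or 'iterative'")
        self.white = {_normalize(d) for d in white_domains}
        self.black = {_normalize(d) for d in black_domains}
        self.algo = domain_search_algo

    def _candidates(self, domain):
        """Names looked up, most specific first."""
        if self.algo == "exact":
            return [domain]
        labels = domain.split(".")
        # iterative: full name, then drop one leading label at a time, down to the
        # last label. Because the bare TLD is a candidate, list entries should be
        # registered domains ("ibm.com"), never "com".
        return [".".join(labels[i:]) for i in range(len(labels))]

    def _tag_one(self, domain):
        for candidate in self._candidates(_normalize(domain)):
            if candidate in self.black:      # assumption: black wins over white
                return BWListTag.blackList
            if candidate in self.white:
                return BWListTag.whiteList
        return BWListTag.nonMatched

    def get_domain_tags(self, domains):
        """Counterpart of getDomainTags(): one tag per domain (a single string is
        treated as a one-element list)."""
        if isinstance(domains, str):
            domains = [domains]
        return [self._tag_one(d) for d in domains]

def filter_tags(tags):
    """Counterpart of the page's filterTags(): blackList if any domain is
    blacklisted, else whiteList if any is whitelisted, else nonMatched."""
    if BWListTag.blackList in tags:
        return BWListTag.blackList
    if BWListTag.whiteList in tags:
        return BWListTag.whiteList
    return BWListTag.nonMatched

if __name__ == "__main__":
    # Constructed lists; the toolkit would read these from the *DomainFile params.
    tagger = BWListTagger(["ibm.com"], ["evil.example"], "iterative")
    sample = ["ibm.com", "us.ibm.com", "a.b.c.ibm.com", "www.evil.example", "other.test"]
    tags = tagger.get_domain_tags(sample)
    for d, t in zip(sample, tags):
        print(f"{d:20s} -> {t.value}")
    print("collapsed:", filter_tags(tags).value)
```

Running the same input through an exact-mode tagger shows the difference the parameter makes: only the literal entry "ibm.com" is tagged and "us.ibm.com" falls through to nonMatched, exactly as the text above describes.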

DomainProfiling and HostProfiling Operators

Numeric IP address support

In v1.0.0 of the Cybersecurity toolkit, the DomainProfiling and HostProfiling operators only supported using string-based IP addresses (attributes representing IPs needed to have a type of rstring). In v2.0.0, these operators now expect attributes that represent IP addresses to have a type of uint32.
