Jason, thanks for your reply. Since you know me, you should know I'm much more clever than that.
I have two points to my request which will be given now.
1. QNI as it were will not use any "Passive" or "ISDB" list to ensure that cloud-based objects are excluded. E.g. that IP given as an example in the OP, 54.241.138.180, is one that QNI uses basic DNS to resolve back to ec2-54-241-138-180.us-west-1.compute.amazonaws.com. Well this is a terrible domain to exclude as a whole... you have Domain Fronting, and many bad guys who live in this space. So... if we look at the following.. Passive DNS will tell us that the IP, although in AmazonAWS space, really belongs to the "Service" of Crowdstrike, which is ts01-b.cloudsink.net. This is the "Domain" they (Crowdstrike) want you to exclude.
The issue is, that you are required to have a log source that will do the above.... So why can't QNI? Isn't it so smart?
2. I was hoping to share ideas of what others use in the context of Log Sources that do this... e.g. Firewalls, DNS, PROXY... etc. OpenDNS is absolutely terrible.... So anyone reading this, don't use it... not for this.
------------------------------
Charles Senne
------------------------------
Original Message:
Sent: Wed April 03, 2019 09:12 AM
From: Jason Brinning
Subject: QRadar Domain "Whitelisting" for a rule
Reference set with the domains (or specific IP's you use would be more appropriate IMO) referenced in rule. Have you tried that or looked into that?
------------------------------
Jason Brinning
Original Message:
Sent: Fri March 29, 2019 07:58 PM
From: Charles Senne
Subject: QRadar Domain "Whitelisting" for a rule
I have been racking my brain on this matter for quite a while.
So, we are a large org and have, and appreciate, the rule for Large Outbound at Slow|High Rate of Transfer containing Web.SecureWeb. The issue is this is a Flow rule. And the Flow rule is DNS related... and as such, the DNS rule of thumb is that the reverse on that IP will likely be a cloud-based item, e.g. AmazonAWS, Azure, etc.
I would like to keep the rule as normal as possible without modification of the 2 MB in 12 mins... but would instead like to keep a list of domains that are "Whitelisted" or "Exempt" from the rule... and sadly this is just too much for my small cranial mass...
Please help anyone?
Here's an IP for you to hunt that needs to be not blamed for HTTPS traffic
54.241.138.180
------------------------------
Charles Senne
------------------------------
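Added example, not code from the thread, from IBM or from QRadar: a small Python model of the decision both posts above circle around. It aggregates outbound bytes per source/destination pair over a 12-minute window against a 2 MB threshold, as in the rule the original post describes, and exempts a destination only when a hostname observed for that IP in passive DNS falls under an allowlisted vendor domain, rather than when its reverse (PTR) name falls under a cloud provider's domain. The IP 54.241.138.180, its EC2 reverse name and the ts01-b.cloudsink.net mapping are taken from the thread; the second IP 198.51.100.7, the third IP 203.0.113.4, the name updates.notcloudsink.net, the internal source addresses, the flow records and the two lookup tables are constructed stand-ins for what a passive DNS feed and a flow source would provide.

```python
"""Toy exemption check for a 'large outbound over 12 minutes' flow rule.

Added illustration, not QRadar code. Every table below is constructed;
only 54.241.138.180 -> ec2-...amazonaws.com (reverse DNS) and
54.241.138.180 -> ts01-b.cloudsink.net (passive DNS) come from the thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of vendor domains the team has decided to exempt.
ALLOWLIST = {"cloudsink.net"}

# Constructed reverse-DNS answers: what a plain PTR lookup returns.
REVERSE_DNS = {
    "54.241.138.180": "ec2-54-241-138-180.us-west-1.compute.amazonaws.com",
    "198.51.100.7": "ec2-198-51-100-7.us-west-1.compute.amazonaws.com",
}

# Constructed passive-DNS observations: names that were seen resolving to each IP.
PASSIVE_DNS = {
    "54.241.138.180": {"ts01-b.cloudsink.net"},
    "198.51.100.7": {"updates.notcloudsink.net"},  # look-alike, must not match
}


def under_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it.

    Label-aware: 'updates.notcloudsink.net' is NOT under 'cloudsink.net',
    which a plain substring test would get wrong.
    """
    h = hostname.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def exemption_reason(ip: str):
    """Return the allowlisted domain that justifies exempting ip, or None.

    Only passive-DNS observations are consulted, so an EC2 address is exempt
    because it is known to serve a vendor hostname, not because it is in AWS.
    """
    for name in PASSIVE_DNS.get(ip, ()):
        for domain in ALLOWLIST:
            if under_domain(name, domain):
                return domain
    return None


def reverse_dns_matches(ip: str, domain: str) -> bool:
    """The broad approach the reply warns against: matching on the PTR name.

    Shown only to make the problem visible: excluding 'amazonaws.com' this way
    would exempt every EC2 host, and the PTR name never mentions the vendor.
    """
    return under_domain(REVERSE_DNS.get(ip, ""), domain)


def evaluate_flows(flows, window=timedelta(minutes=12), threshold=2_000_000):
    """Return (src, dst) pairs that exceed `threshold` bytes in any `window`.

    flows: iterable of (timestamp, src_ip, dst_ip, bytes_out). Destinations
    with an exemption reason are skipped before any byte counting.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows, key=lambda f: f[0]):
        by_pair[(src, dst)].append((ts, nbytes))

    offenders = []
    for (src, dst), recs in by_pair.items():
        if exemption_reason(dst):
            continue
        start, total = 0, 0
        for ts, nbytes in recs:  # sliding window over time-ordered records
            total += nbytes
            while ts - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total > threshold:
                offenders.append((src, dst))
                break
    return offenders


# Constructed sample flows: two 1.5 MB transfers five minutes apart to each of
# the first two destinations, and two 1.5 MB transfers twenty minutes apart to
# the third (never 2 MB inside one 12-minute window).
T0 = datetime(2019, 3, 29, 19, 0)
SAMPLE_FLOWS = [
    (T0, "10.0.0.5", "54.241.138.180", 1_500_000),
    (T0 + timedelta(minutes=5), "10.0.0.5", "54.241.138.180", 1_500_000),
    (T0, "10.0.0.9", "198.51.100.7", 1_500_000),
    (T0 + timedelta(minutes=5), "10.0.0.9", "198.51.100.7", 1_500_000),
    (T0, "10.0.0.9", "203.0.113.4", 1_500_000),
    (T0 + timedelta(minutes=20), "10.0.0.9", "203.0.113.4", 1_500_000),
]

if __name__ == "__main__":
    print("PTR of 54.241.138.180 under amazonaws.com:",
          reverse_dns_matches("54.241.138.180", "amazonaws.com"))
    print("Exemption for 54.241.138.180:", exemption_reason("54.241.138.180"))
    print("Exemption for 198.51.100.7:", exemption_reason("198.51.100.7"))
    print("Offending pairs:", evaluate_flows(SAMPLE_FLOWS))
```

The two lookup tables stand in for the parts QRadar does not supply on its own: the PTR answer is what a basic reverse lookup gives, the passive-DNS set is what a DNS, proxy or firewall log source (or an external passive-DNS feed) would have to provide, and ALLOWLIST is the kind of list a reference set would hold. Note that 198.51.100.7 is in the same EC2 range as the CrowdStrike address and would be silently exempted by a PTR-based amazonaws.com exclusion, but is still caught here because the name observed for it is not under any allowlisted domain.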