As stated above, and in your example, you should consider using AQL properties or AQL custom functions to do this.
The main reason why QRadar does not work like ArcSight is that we need the original event to be forensic evidence, meaning that adding, changing or removing parts of it makes it hard to use in a court of law. So it's not so logical to do this as part of the main event pipeline.
The second reason is that for QRadar to be able to ingest and correlate 2.5 million EPS, you don't want any expensive lookups in the first steps.
That said, another way of doing this is using historical correlation and adding this information later.
If it is for DNA specifically, we do have a free DNA analytics app in the QRadar App Store.
Hope this helps
------------------------------
Regards,
Nico de Smidt
________________________________________________
CTE Security Intelligence BeNeLux
------------------------------
Original Message:
Sent: Tue July 16, 2019 11:09 AM
From: Pipotron 2.0
Subject: Event Enrichment
Hey :)
Let's take an example.
Here is a simplified payload from a DNS event:
SystemTime = 2019-16-07T16 :00 :00.6545646546Z
EventID = 3006
Computer = WINDOWS88
QueryName = Google.Fr
QueryType = 28
QRadar will parse the payload and only extract these 5 properties.
But as enrichment, I want to add the information below to my payload:
Query_length = 9
IP = 216.58.206.227
NetRange = 216.58.192.0 - 216.58.223.255
CIDR = 216.58.192.0/19
OriginAS = AS15169
RegDate = 2000-03-30
Updated = 2018-10-24
Country = US
Domain_Top_level = fr
Domain_Second_Level = google
Domain_Generational_Algorithm = 0.23
Etc…
With little scripts you can easily get this information but… how to add it to the events?
As Steve Slivoski said, it seems to be impossible in QRadar... need to use Syslog or ELK for enrichment :(
------------------------------
Pipotron 2.0
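Following up on the "little scripts" remark: the block below is an added example, not code from this thread or from IBM, showing how the fields that can be derived from the payload alone (Query_length, Domain_Top_level, Domain_Second_Level and a DGA-style score) might be computed as a separate enrichment record that leaves the original payload untouched, which addresses the forensic-evidence concern raised later in the thread. The score is a constructed normalized-entropy heuristic and will not reproduce the 0.23 quoted above; the TLD split assumes a single-label public suffix; the IP, NetRange, CIDR, OriginAS, RegDate, Updated and Country fields need an external registry lookup and are not computed here.

```python
import math
from collections import Counter

# Constructed sample: the simplified DNS payload quoted in the post above.
SAMPLE_PAYLOAD = """\
SystemTime = 2019-16-07T16 :00 :00.6545646546Z
EventID = 3006
Computer = WINDOWS88
QueryName = Google.Fr
QueryType = 28
"""


def parse_payload(text):
    """Parse 'Key = Value' lines into a dict; lines without '=' are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def split_domain(name):
    """Return (second_level, top_level) labels of a dotted name, lower-cased.

    Assumption: the last label is the TLD. Multi-part public suffixes
    such as co.uk would need a public-suffix list, which is out of scope here.
    """
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    tld = labels[-1] if labels else ""
    sld = labels[-2] if len(labels) >= 2 else ""
    return sld, tld


def normalized_entropy(label):
    """Shannon entropy of the label's characters, scaled to the 0..1 range.

    Constructed heuristic standing in for the 'Domain_Generational_Algorithm'
    score in the post; random-looking labels score closer to 1.
    """
    if len(label) < 2:
        return 0.0
    n = len(label)
    counts = Counter(label)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def enrich(payload_text):
    """Return (original_fields, enrichment) without altering the payload.

    Keeping the enrichment in a side record preserves the raw event as
    evidence instead of rewriting it in the event pipeline.
    """
    fields = parse_payload(payload_text)
    qname = fields.get("QueryName", "")
    sld, tld = split_domain(qname)
    enrichment = {
        "Query_length": len(qname),
        "Domain_Top_level": tld,
        "Domain_Second_Level": sld,
        "Domain_Generational_Algorithm": round(normalized_entropy(sld), 3),
    }
    # IP, NetRange, CIDR, OriginAS, RegDate, Updated and Country require an
    # RDAP/WHOIS style registry lookup and are deliberately not computed here.
    return fields, enrichment


if __name__ == "__main__":
    original, extra = enrich(SAMPLE_PAYLOAD)
    print("original  :", original)
    print("enrichment:", extra)
```

The enrichment dict can be written to a reference set or reference map keyed on the query name, or joined at search time, so the stored payload itself is never modified.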
Original Message:
Sent: Tue July 16, 2019 04:05 AM
From: Dusan VIDOVIC
Subject: Event Enrichment
As I understood this, the idea of enrichment was to assist the incident response (I apologize for the reminder if the assumption was wrong)? I'd say generally that a best practice approach to IR within a SOC / CSIRT would be having a NextGen SIEM as a central detection point, but for proper tracking of the response/resolution process (and lessons learned afterwards) a connected tool/platform dedicated to this use would be needed (and it would allow adding artifacts on the go). IBM's Resilient may be an example of such a tool, but there are several open-source solutions available (which are used by a number of CSIRTs). QRadar has a published and documented API, so integration should be within reach.
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Sat July 13, 2019 10:08 PM
From: Steve Slivoski
Subject: Event Enrichment
This would be great. Per my discussions with IBM, they have no plans to add such capabilities, and the platform is limited to be able to do such enrichment. The event pipeline would need to be re-architected to support such capabilities like the enrichment you can do in Logstash.
With offenses, you would think you can enrich there, but still nothing within QRadar. IBM unfortunately wants to sell you Resilient to do these things. SOC analysts should not have to right-click to get basic information. This is sometimes useful, but it does not make a SOC analyst's job any easier, it just adds frustration.
------------------------------
Steve Slivoski
Original Message:
Sent: Wed July 10, 2019 05:55 AM
From: Pipotron 2.0
Subject: Event Enrichment
Hi,
I want to do event enrichment with information that is not present in the payload.
What are the solutions to do that in QRadar, please? :)
thx !