Hari
There is no need for installing DomainTools, which is a 3rd-party app. Of course you can add extra services for looking up IP addresses, but please start with the basics first.
What about using X-Force lookup from the right-click menu?
The Admin tab gives you access to the system config, where you can specify DNS servers if you haven't done so during setup.
nslookup should tell you which server has been specified for DNS queries. If this DNS server is recursive, you should be able to ask for internal and external IP addresses from the context menu.
This should answer your other questions as well. If your DNS server doesn't allow for external DNS requests, you can follow the context menu programming instructions at
https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.appfw.doc/c_appframework_samples_AddRighclick.html?cp=SS42VS_7.3.3
BR Karl
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
------------------------------
Original Message:
Sent: Wed March 24, 2021 10:07 AM
From: HARI RUMBAY
Subject: DNS , Whois Lookups in the log and Network Activity pane without right click navigations
How can we view the public domain names (FQDN) for the valid public IPs seen in the log activity and network activity? Through some research, I could understand that QRadar has provisioned an app extension called DomainTools. I just installed it and have a question on how to configure it (BTW it shows only as events), and will this app help to get the DNS lookups for the flows as well (network activity)?
I don't want to perform the below navigation path every now & then in short
High Level Objectives:
- Configure custom AQL function to extract registered domains from Public IP Addresses
- Dashboards of DomainTools Risk Scores
- Populates reference set with high-risk domains for easier rule matching
Thank you and please comment
------------------------------
HARI
------------------------------