IBM Security QRadar

  • 1.  APP to do whois and populate "Source Asset Name"

    Posted Thu June 23, 2022 04:40 AM
    Hi All,
    Is there any application to do whois when a SRC/DST IP is a public IP and fill in the "Source Asset Name"?

    Regards,
    Edgar

    ------------------------------
    Edgar Faria
    ------------------------------


  • 2.  RE: APP to do whois and populate "Source Asset Name"

    IBM Champion
    Posted Sun July 17, 2022 06:10 AM
    Hello @Edgar Faria,

    If it is an asset of your QRadar, it is related to the identity field matching this and your network hierarchy, so you can tune it.

    You can take a look at the Asset Profiler Configuration on the Admin tab for how to handle identity via DNS or WINS.

    Hope this helps,
    Regards,
    @zoldax.

    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------



  • 3.  RE: APP to do whois and populate "Source Asset Name"

    Posted Mon July 18, 2022 01:03 PM
    Hi, 
    My question is related to public IPs that don't belong to the client. Other SIEMs display the whois result.

    Regards, 
    Edgar

    ------------------------------
    Edgar Faria
    ------------------------------



  • 4.  RE: APP to do whois and populate "Source Asset Name"

    IBM Champion
    Posted Tue July 19, 2022 02:26 AM
    Hello @Edgar Faria,

    I'm not sure I understand the question; I guess it was related to the asset database handled by QRadar.

    Of course you have enhanced functions like this in QRadar...

    If you simply want to see, as an analyst, where an IP belongs, you just have to leave the mouse pointer on the IP and you will get:
    • The geographical location with a map
    • Depending on whether you use ATPF, the IOC risk score
    You can also right-click an IP on Log Activity and select More Options > Information > WHOIS Lookup.

    As you use MaxMind GeoIP on QRadar too, if you configure it correctly you have the physical location or registrar location.

    Hope this helps,
    Regards,
    @zoldax

    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------



  • 5.  RE: APP to do whois and populate "Source Asset Name"

    Posted Mon August 01, 2022 03:38 PM

    I totally get your question. I have set up QRadar in many environments and I could not tell you how many times I heard that question from a customer. Sadly, I have not found a way to perform an automatic whois on remote IPs coming into their environments. The best I could find was to add a right-click plugin to various IP tools sites. I know this is not optimal. I was hoping to see someone respond with a solution...

    ------------------------------
    Scott Searls
    ------------------------------



  • 6.  RE: APP to do whois and populate "Source Asset Name"

    Posted Thu August 11, 2022 06:26 AM
    Hi,
    The same here. The problem is that we have a SOAR and with the "right button" this information is not populated.

    ------------------------------
    Edgar Faria
    ------------------------------



  • 7.  RE: APP to do whois and populate "Source Asset Name"

    Posted Thu August 11, 2022 07:00 AM
    Hi,
    In ArcSight, the SIEM fills the result of whois (hostname) into a variable. In the case of QRadar, it just fills the "Source Asset Name" variable with the hostname when the IP is internal.
    The problem is that we have a SOAR, and with the "right button" this information is not populated.

    ------------------------------
    Edgar Faria
    ------------------------------
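    The enrichment the thread is asking for (a registrant or network name for public IPs, without touching QRadar's own asset database for internal ones) is straightforward to script for a SOAR or a custom action. The block below is an added example written for this thread; it is not QRadar, ArcSight or SOAR product code, and it does not populate "Source Asset Name" itself. It uses RDAP, the JSON protocol that the RIRs serve alongside legacy port-43 whois, and assumes the public rdap.org redirector (https://rdap.org/ip/<ip>) for live lookups; the sample RDAP document and the network names in it are constructed so the parsing runs offline. The global/non-global check happens before any lookup so that RFC 1918, CGNAT, link-local and documentation addresses are never sent to an external service.

```python
"""Label a public IP with its RDAP (whois) network name and registrant.

Added example for the QRadar whois thread, not product code. Assumptions:
- Live lookups go through the rdap.org redirector, which 302s to the owning RIR.
- SAMPLE_RDAP is a constructed RFC 9083 "ip network" object for offline runs;
  its handle, range and registrant are invented.
"""
import ipaddress
import json
import urllib.request
from typing import Callable, Optional

RDAP_URL = "https://rdap.org/ip/{ip}"  # assumption: public RDAP bootstrap redirector

# Constructed sample; the 198.51.100.0/24 range is documentation space (RFC 5737).
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "handle": "NET-198-51-100-0-1",
    "startAddress": "198.51.100.0",
    "endAddress": "198.51.100.255",
    "name": "EXAMPLE-NET",
    "country": "US",
    "entities": [
        {
            "handle": "EXAMPLE-ORG",
            "roles": ["registrant"],
            # jCard: ["vcard", [[property, params, type, value], ...]]
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Example Networks LLC"]]],
        }
    ],
}


def is_public(ip: str) -> bool:
    """True only for globally routable addresses. RFC 1918, loopback, link-local,
    CGNAT (100.64/10), documentation (192.0.2/24 etc.) and multicast are rejected,
    as is anything that does not parse, so those are never sent to a third party."""
    try:
        return ipaddress.ip_address(ip.strip()).is_global
    except ValueError:
        return False


def parse_rdap(doc: dict) -> dict:
    """Flatten the fields an analyst wants from an RDAP ip-network object."""
    registrant = None
    for ent in doc.get("entities", []):
        if "registrant" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "fn":          # formatted name of the registrant
                registrant = prop[3]
                break
        if registrant:
            break
    return {
        "net_name": doc.get("name"),
        "handle": doc.get("handle"),
        "range": f"{doc.get('startAddress')}-{doc.get('endAddress')}",
        "country": doc.get("country"),
        "registrant": registrant,
    }


def fetch_rdap(ip: str, timeout: float = 5.0) -> dict:
    """Live RDAP lookup; only used when a caller passes no stub fetcher."""
    req = urllib.request.Request(RDAP_URL.format(ip=ip),
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def asset_name(ip: str, fetcher: Callable[[str], dict] = fetch_rdap) -> Optional[str]:
    """Return a 'Source Asset Name'-style label for a public IP, e.g.
    'EXAMPLE-NET (Example Networks LLC)', or None for internal/non-routable
    addresses, which are left to QRadar's own asset database."""
    if not is_public(ip):
        return None
    info = parse_rdap(fetcher(ip))
    label = info["net_name"] or info["handle"] or ""
    if info["registrant"]:
        label = f"{label} ({info['registrant']})" if label else info["registrant"]
    return label or None


if __name__ == "__main__":
    import sys
    # Without arguments only non-public addresses are tried, so nothing leaves the host.
    for candidate in sys.argv[1:] or ["10.0.0.5", "192.0.2.10"]:
        print(candidate, "->", asset_name(candidate))
```

    When wiring this into a SOAR playbook or a QRadar custom action, cache results per /24 or per RDAP range and respect the RIRs' rate limits; an RDAP call per event is neither fast nor welcome, and a registrant name is still an attribution hint, not proof of who sent the traffic.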



  • 8.  RE: APP to do whois and populate "Source Asset Name"

    Posted Tue August 02, 2022 01:42 AM
    Hi All,

    This is a request I also received from a customer. Lately I saw a presentation showing the app "Analyst Custom Searches and Toolbox for QRadar" by the developer of the app, Julian Sattelmair.

    This app has some nice features that enrich the offenses overview and events with a lot of such information.

    Quite a nice app and worth looking into.

    Regards

    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------