In this, the final post in this series, we will search our logs and flows to see whether any of our hosts have been communicating with the suspected IPs or domains.
P.S. Note that the quality of these lists depends entirely on the people who publish them. I give no warranty, nor am I vouching for these lists. These IPs and/or domains should be used as a starting point for your investigation, not as the final decision on whether something good or bad has happened.
To search our logs, do the following:
1. Log in to QRadar
2. Select the "Log Activity" tab (for events) or the "Network Activity" tab (for flows)
3. From the "Search" drop-down, select "New Search"
4. Select your "Time Range". Let's start with "Last 7 Days"
5. In the "Search Parameters" section, choose "Reference Set" as the parameter
6. In the "Value: Data Entry" field, select "Destination IP"
7. For the operator, select "Exists in any of"
8. From the "Reference Set" list, choose "SecurityNik_IP_Darklist"
9. Click the "+"
10. Click "Add Filter"
11. Click "Search"
Based on the search query we just entered, you will be able to see whether any of the hosts in your environment have been, or are, communicating with any of the IPs in the SecurityNik_IP_Darklist. Note that this filter only matches the destination side of each event or flow, i.e. your hosts connecting out to a darklisted IP. Repeat the search with "Source IP" selected in step 6 to also catch darklisted IPs connecting in to you.
To check for domains in the SecurityNik_DNS_Darklist, you basically follow the same steps above, but choose the SecurityNik_DNS_Darklist reference set and the event property that carries the queried domain name instead of "Destination IP". Keep in mind that a reference-set match is exact: a lookup for login.c2.example.net will not match a darklist entry of c2.example.net, so a host under a darklisted domain can slip past this search.
Have fun, and don't forget the other posts in this series, which make sure your reference sets and rules are properly created:
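The same search can be run from the Ariel Query Language instead of clicking through the filter dialog, which is handy when you want to repeat it for both directions, for flows as well as events, and on a schedule. The block below is an added example, not code from the original post or from IBM: it builds the AQL equivalent of the GUI filter (the `REFERENCESETCONTAINS` function is what "Exists in any of" compiles to), then runs the same matching logic offline against a handful of constructed events so the behaviour, including the exact-match limitation for domains, can be seen without a QRadar. The reference-set contents, the sample events, the custom event property name `domain`, and the console hostname and SEC token expected by `submit_search` are all assumptions.

```python
"""Added example: AQL equivalents of the reference-set search above, plus an
offline stand-in for the matching so it can be tried without a QRadar.
Reference-set contents, events and the 'domain' property name are constructed."""
import json
import urllib.parse
import urllib.request

# Constructed stand-ins for the two reference sets built earlier in the series.
IP_DARKLIST = {"198.51.100.23", "203.0.113.9"}
DNS_DARKLIST = {"bad.example", "c2.example.net"}

# Constructed sample events. 'domain' is an assumed custom event property; in a
# real deployment use whichever property your DSM populates with the queried name.
SAMPLE_EVENTS = [
    {"sourceip": "10.0.0.5", "destinationip": "198.51.100.23", "domain": ""},
    {"sourceip": "203.0.113.9", "destinationip": "10.0.0.6", "domain": ""},
    {"sourceip": "10.0.0.7", "destinationip": "8.8.8.8", "domain": "www.example.org"},
    {"sourceip": "10.0.0.9", "destinationip": "172.16.1.2", "domain": "login.c2.example.net"},
]


def build_aql(reference_set, prop, table="events", time_range="LAST 7 DAYS"):
    """AQL for the GUI filter 'Reference Set / Exists in any of' on one property.
    table is 'events' (Log Activity tab) or 'flows' (Network Activity tab)."""
    return (f"SELECT starttime, sourceip, destinationip FROM {table} "
            f"WHERE REFERENCESETCONTAINS('{reference_set}', {prop}) {time_range}")


def ip_hits(events, darklist, fields=("destinationip", "sourceip")):
    """Exact match in both directions: a darklisted IP may be the destination
    (a host beaconing out) or the source (an inbound scan or connection)."""
    return [e for e in events if any(e.get(f) in darklist for f in fields)]


def domain_hits(events, darklist, field="domain", parent_match=False):
    """Exact match mirrors what the reference-set filter does. parent_match=True
    additionally flags hostnames under a darklisted domain (login.c2.example.net
    under c2.example.net), which the reference-set filter alone will not catch."""
    hits = []
    for e in events:
        host = (e.get(field) or "").lower().rstrip(".")
        if not host:
            continue
        labels = host.split(".")
        candidates = ({".".join(labels[i:]) for i in range(len(labels))}
                      if parent_match else {host})
        if candidates & darklist:
            hits.append(e)
    return hits


def submit_search(console, token, aql):
    """Submit the AQL through the Ariel REST API and return the search id.
    Assumes an HTTPS-reachable console and a SEC (authorized service) token;
    deliberately not executed in this offline example."""
    url = (f"https://{console}/api/ariel/searches?"
           + urllib.parse.urlencode({"query_expression": aql}))
    req = urllib.request.Request(
        url, method="POST", headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["search_id"]


if __name__ == "__main__":
    for refset, prop in (("SecurityNik_IP_Darklist", "destinationip"),
                         ("SecurityNik_IP_Darklist", "sourceip"),
                         ("SecurityNik_DNS_Darklist", "domain")):
        print(build_aql(refset, prop))
    print("IP hits:", ip_hits(SAMPLE_EVENTS, IP_DARKLIST))
    print("Domain hits (exact):", domain_hits(SAMPLE_EVENTS, DNS_DARKLIST))
    print("Domain hits (parent):", domain_hits(SAMPLE_EVENTS, DNS_DARKLIST, parent_match=True))
```

Run as-is, the exact domain match returns nothing for the constructed events even though one host resolved a name under c2.example.net; only the parent-domain pass flags it. If your darklist carries registrable domains rather than full hostnames, either populate the reference set with the hostnames you actually see in events or post-process the search results the way `domain_hits` does, because `REFERENCESETCONTAINS` will not do suffix matching for you.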
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and/or domains.