Most of the information in the previous post can be used to develop the rule for detecting the malicious domains.
P.S. A point to note: the quality of these lists depends on the people who publish them. I give no warranty, nor am I vouching for these lists. These IPs and/or domains should be used as a starting point for your investigation, not as the final decision on whether something good or bad has happened.
Follow the steps below to create an Event rule:
1. Click the "Offenses" tab
2. Select "Rules"
3. Select the "Actions" menu
4. From the "Actions" menu, select "New Event Rule"
Once the "Rule Wizard" opens, it should default to "Events".
Next you build your rule by selecting your criteria.
1. First, in the search box, type "referen". This reduces the number of rule options to sort through
2. Select the one which states "when any of these event properties are contained in any of these reference set(s)"
3. Assign your rule a name
4. Click "these event properties"
5. When the window pops up, select "domain"
6. Click "OK"
7. Click "these reference set(s)"
8. From the pop-up window, select "SecurityNik_DNS_Darklist", then click "Add"
9. Click "OK"
Selecting the "Rule Response"
1. Ensure that a new event gets created
2. You may set the severity, credibility and relevance of the new event which gets created
Note that these settings may influence the values of an offense but do not specifically set the values on the offense
3. Create a new offense when the domain from the SecurityNik_DNS_Darklist reference set is seen in either an event
4. Send off an email once a detection is made
Verify the rule is as expected.
You should be good to go.
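To check the matching logic end to end before trusting the rule, here is an added example (my own, not code from the original post or from QRadar) that simulates the event rule in Python: it parses constructed DNS query log lines, normalizes the domain, tests it against a constructed stand-in for the SecurityNik_DNS_Darklist reference set, and emits a new event carrying the severity, credibility and relevance values from the Rule Response. The BIND-style log layout, the QUERY_RE pattern and the darklist entries are assumptions.

```python
import re

# Constructed stand-in for the SecurityNik_DNS_Darklist reference set; the real
# entries come from the darklist downloaded in the first post of this series.
SECURITYNIK_DNS_DARKLIST = {"bad-example.test", "malware-c2.example"}

# Constructed DNS query log lines in a BIND-style query-log layout (assumed format).
SAMPLE_DNS_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.7#40001: query: Bad-Example.test. IN A + (10.0.0.1)
client 10.0.0.9#53011: query: malware-c2.example IN TXT + (10.0.0.1)
client 10.0.0.5#51235: query: mail.example.org IN MX + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<domain>\S+) IN (?P<qtype>\S+)"
)


def normalize_domain(name):
    # The rule compares the extracted "domain" property to the set entries
    # literally, so 'Bad-Example.test.' only matches 'bad-example.test' after
    # lower-casing and stripping the trailing dot.
    return name.rstrip(".").lower()


def parse_event(line):
    # Extract the fields the rule needs; None for lines that are not DNS queries.
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"sourceip": m["src"], "domain": normalize_domain(m["domain"]),
            "qtype": m["qtype"]}


def evaluate_rule(log_text, reference_set, severity=7, credibility=5, relevance=7):
    # Fire when the event's domain is contained in the reference set and emit a
    # new event carrying the Rule Response values (severity/credibility/relevance).
    detections = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None or event["domain"] not in reference_set:
            continue
        detections.append({**event, "rule": "SecurityNik_DNS_Darklist domain match",
                           "severity": severity, "credibility": credibility,
                           "relevance": relevance})
    return detections
```

The normalization step is the practical caveat: the reference-set comparison is literal, so a trailing dot or different case in the extracted domain property will not match unless the set type ignores case, and the same normalization must be applied on both sides.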
In the final post, we will run a query against the environment to see whether any of the detected IPs (or domains, if you prefer) are found in our logs and/or flows.
Have fun and don't forget the other posts in this series to ensure your reference set and rules are properly created.
1. The Code to download the Darklist
2. Verifying the Reference Set Creation
3. Writing the Common Rule to check for the IPs
4. Writing the Event Rule to check for the domains
5. Checking your environment for the malicious IPs and/or domains.