Sunday, January 21, 2018

QRadar SIEM - Create a rule for Malware domain detection

In the previous post I created a Reference Set of malware domains. This time we create a rule that fires when the domain property of a proxy server event is contained in that Reference Set. The test is an exact string comparison, so the event property you pick must hold the bare domain, in the same form as the reference set values, not the full URL.

1. Create the rule
   Offenses > Rules > Actions > New Event Rule

2. Add the test "when any of these event properties are contained in any of these reference set(s)". Click "these event properties" and pick the property that carries the requested domain from your proxy events (a custom event property if the log source does not extract one).
3. Click "these reference set(s)" and pick the Malware Domain List set.
4. Click Next, name the rule and choose the response: create an offense and add your email address for the alert.




QRadar SIEM - Adding Malware Domain Reference Set

1. Download the list of malware domains here: malware list
2. Create a new Reference Set.
    Name: Malware Domain List
    Type: AlphaNumeric

3. Import the list into the QRadar reference set.
    Admin > System Configuration > Reference Set Management, select the set, click Import and upload the file.
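To make the two posts above concrete, here is an added example (not code from the original post). It normalizes a constructed malware-domain feed into the values that belong in an AlphaNumeric reference set, builds the REST bulk-load call for them (the endpoint path is taken from the QRadar reference_data API and should be checked against your version; nothing is sent), and then applies the same "contained in reference set" test to a few constructed proxy events in a made-up "time src host method url" layout. The parent-domain mode goes beyond what the rule does, to show why a listing of `evil-cdn.example` does not catch `cdn.evil-cdn.example` on its own.

```python
import json
import re
import urllib.parse
from typing import List, Optional, Set, Tuple

# Constructed sample of a downloaded malware-domain feed (not a real feed):
# comments, blank lines, mixed case, a trailing dot and a duplicate, all of
# which real feeds contain and all of which break an exact-match lookup.
SAMPLE_FEED = """\
# malware domains, one per line
bad-updates.example
Evil-CDN.Example.
phish.example   # inline comment

bad-updates.example
"""

# Constructed proxy events in a made-up "time src host method url" layout;
# a real proxy log source yields the same fields once QRadar has parsed it.
SAMPLE_PROXY_EVENTS = [
    "2018-01-21T10:00:01 10.0.0.5 www.example.org GET http://www.example.org/",
    "2018-01-21T10:00:02 10.0.0.7 BAD-UPDATES.EXAMPLE GET http://BAD-UPDATES.EXAMPLE/a.exe",
    "2018-01-21T10:00:03 10.0.0.9 cdn.evil-cdn.example GET http://cdn.evil-cdn.example/x",
]

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def normalize_feed(text: str) -> List[str]:
    """Turn the raw feed into the values to load into the AlphaNumeric set.

    The rule test compares strings exactly, so lowercase, strip the trailing
    dot and drop comments and duplicates here; otherwise 'Evil-CDN.Example.'
    never matches the 'evil-cdn.example' the proxy reports.
    """
    seen: Set[str] = set()
    out: List[str] = []
    for raw in text.splitlines():
        value = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if value and DOMAIN_RE.match(value) and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def bulk_load_request(set_name: str, values: List[str]) -> Tuple[str, str, str]:
    """Build the bulk-load call of the QRadar REST reference_data API
    (path assumed from the API docs; check it against your QRadar version).
    Returns (method, path, JSON body) and sends nothing."""
    path = "/api/reference_data/sets/bulk_load/" + urllib.parse.quote(set_name)
    return "POST", path, json.dumps(values)


def rule_test(event_host: str, refset: Set[str], match_parents: bool = False) -> Optional[str]:
    """Mimic 'event property contained in reference set' for one event.

    match_parents=False is the exact comparison QRadar makes against an
    AlphaNumeric set. match_parents=True also tries each parent domain, so
    'cdn.evil-cdn.example' hits a listing of 'evil-cdn.example'; QRadar does
    not do that for you, so either load parent domains into the set or build
    a custom event property that extracts the registered domain.
    """
    host = event_host.strip().lower().rstrip(".")
    labels = host.split(".")
    candidates = [host]
    if match_parents:
        # never fall back to the bare TLD, that would match everything
        candidates += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    for candidate in candidates:
        if candidate in refset:
            return candidate
    return None


def run_rule(events: List[str], refset: Set[str], match_parents: bool = False) -> List[Tuple[str, str, str]]:
    """Return (source ip, event host, matched set value) for every firing event."""
    hits = []
    for line in events:
        _time, src, host, _method, _url = line.split(maxsplit=4)
        matched = rule_test(host, refset, match_parents)
        if matched:
            hits.append((src, host.lower(), matched))
    return hits


if __name__ == "__main__":
    values = normalize_feed(SAMPLE_FEED)
    print(bulk_load_request("Malware Domain List", values))
    print("exact:  ", run_rule(SAMPLE_PROXY_EVENTS, set(values)))
    print("parents:", run_rule(SAMPLE_PROXY_EVENTS, set(values), match_parents=True))
```

With the exact test only the `BAD-UPDATES.EXAMPLE` request fires; the `cdn.evil-cdn.example` request is missed until you either add parent domains to the set or normalize the event property to the registered domain.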




Thursday, January 18, 2018

Communication to a known Bot C&C Server

Description: Communication to a known Bot Command and Control
Destination: 163.172.81.35

Where does the list come from?
root@qradar# grep IP_Address /opt/qradar/conf/remotenet.conf

IP_Address is the offense's destination address. remotenet.conf holds the Remote Networks definitions as CIDR blocks, so when the address is covered by a block rather than listed as a single host, the grep finds nothing and you have to test the address against each network instead.
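An added example, not part of the original post, of that lookup done properly: it tests the offense's destination address against every CIDR block in the file instead of grepping for the literal IP. The sample text is a constructed stand-in for remotenet.conf; only the assumption that each non-comment line starts with the group name and carries one or more networks is used, the real file's column layout is not reproduced.

```python
import ipaddress
import re
import sys
from typing import List, Tuple

# Constructed stand-in for remotenet.conf (not the real file): a group name,
# a free-text description and one or more CIDR blocks per line.
SAMPLE_REMOTENET = """\
# group  description  network(s)
Bot_Command_and_Control  Known bot C&C servers  163.172.81.0/24
Bot_Command_and_Control  Known bot C&C servers  198.51.100.10/32
Hostile_Nets  Known scanners  203.0.113.0/24 192.0.2.0/24
"""

# IPv4 address with an optional prefix length, anywhere on the line.
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")


def find_matching_entries(conf_text: str, ip: str) -> List[Tuple[int, str, str]]:
    """Return (line number, group, network) for every entry that covers ip.

    A plain grep for the destination IP only works when the file lists that
    exact host; an entry such as 163.172.81.0/24 still explains the offense
    but contains no '163.172.81.35' to grep for.
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for cidr in CIDR_RE.findall(line):
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net:
                hits.append((lineno, line.split()[0], str(net)))
    return hits


if __name__ == "__main__":
    # usage: python remotenet_lookup.py [/opt/qradar/conf/remotenet.conf] [ip]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REMOTENET
    ip = sys.argv[2] if len(sys.argv) > 2 else "163.172.81.35"
    for lineno, group, net in find_matching_entries(text, ip):
        print("line %d: %s -> %s" % (lineno, group, net))
```

Run it on a copy of the appliance's remotenet.conf with the offense's destination IP; each printed line is a Remote Networks entry that would have placed that destination in the group the rule looks for.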



Monday, January 15, 2018

WinCollect - Agent Status

The Status Server is responsible for forwarding messages related to agent status to QRadar. These LEEF messages can be viewed from the QRadar user interface in the WinCollect agent list using the Show Events button. The same events are written to C:\Program Files\IBM\WinCollect\logs\WinCollect_Device.log on the WinCollect agent and are also sent to the QRadar appliance as LEEF syslog messages.

If you are troubleshooting why a WinCollect log source is not sending any logs, the agent status events help you find the error code.
In this example, one of my log sources stopped sending events through WinCollect.

Procedure
  1. Log in to QRadar as an admin user.
  2. Click the Admin tab.
  3. Click the WinCollect icon.
  4. Select a WinCollect agent from the agent list.
  5. Click the Show Events icon.


Sunday, November 19, 2017

Sysmon

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Sysmon v6.01 is out from Windows Sysinternals and is better than ever. This free tool runs in the background of your machine and provides efficient, detailed tracking of key security activity that you can use for threat hunting.

How to install:
1. Download and extract the archive. Link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
2. Open an elevated command prompt and change to the extracted folder, e.g. C:\Users\Test\Downloads\Sysmon
3. Run: sysmon -i -accepteula
How to uninstall:
1. sysmon -u

You can view the configuration by using the following command: Sysmon -c
Once installed, Sysmon does its job automatically in the background. You can find out the results in the Event Viewer.

To increase the event log size to 200 MB:
wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:209715200 

Location of the events:
Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational

Basic configuration (the filters are siblings under EventFiltering; an empty exclude list means "log everything" for that event type):

<Sysmon schemaversion="3.40">
  <!-- Capture SHA256 and IMPHASH hashes -->
  <HashAlgorithms>sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event 3: log every network connection (nothing excluded) -->
    <NetworkConnect onmatch="exclude"/>
    <!-- Event 8: log remote thread creation only into these commonly injected targets -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="image">explorer.exe</TargetImage>
      <TargetImage condition="image">firefox.exe</TargetImage>
      <TargetImage condition="image">chrome.exe</TargetImage>
      <TargetImage condition="image">lsass.exe</TargetImage>
      <TargetImage condition="image">services.exe</TargetImage>
      <TargetImage condition="image">svchost.exe</TargetImage>
      <TargetImage condition="image">winlogon.exe</TargetImage>
    </CreateRemoteThread>
    <!-- Event 9: log raw disk reads except by Sysmon itself and the System process -->
    <RawAccessRead onmatch="exclude">
      <Image condition="image">C:\Windows\Sysmon.exe</Image>
      <Image condition="image">System</Image>
    </RawAccessRead>
  </EventFiltering>
</Sysmon>

Update the configuration:
sysmon -c config.xml
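An added example (not from the original post) of what the CreateRemoteThread include list above produces once the events reach a collector: it parses a constructed Sysmon event 8 in the shape Event Viewer's XML view shows (field names are Sysmon's for event 8; the GUIDs, paths and PIDs are made up) and applies the same target-image check a SIEM rule would, comparing only the file name, case-insensitively, the way condition="image" does.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Same targets as the CreateRemoteThread include list in the configuration.
WATCHED_TARGETS = {
    "explorer.exe", "firefox.exe", "chrome.exe", "lsass.exe",
    "services.exe", "svchost.exe", "winlogon.exe",
}

# Constructed Sysmon event 8 (CreateRemoteThread), as Event Viewer renders it.
# Provider GUID is Sysmon's; computer name, PIDs, paths and addresses are invented.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"/>
    <EventID>8</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2017-11-19 10:15:22.123</Data>
    <Data Name="SourceProcessId">4120</Data>
    <Data Name="SourceImage">C:\Users\Test\Downloads\dropper.exe</Data>
    <Data Name="TargetProcessId">684</Data>
    <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
    <Data Name="NewThreadId">5532</Data>
    <Data Name="StartAddress">0x00007FFB1A2B3C40</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text: str) -> Tuple[int, Dict[str, str]]:
    """Return (EventID, {Data Name: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def image_name(path: str) -> str:
    """File name part of an image path, lowercased, as condition="image" compares it."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_remote_thread(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the interesting fields when the event is a remote thread created
    in one of the watched processes, else None."""
    event_id, data = parse_sysmon_event(xml_text)
    if event_id != 8:
        return None
    target = image_name(data.get("TargetImage", ""))
    if target not in WATCHED_TARGETS:
        return None
    return {
        "utc": data.get("UtcTime", ""),
        "source": data.get("SourceImage", ""),
        "source_pid": data.get("SourceProcessId", ""),
        "target": target,
        "target_pid": data.get("TargetProcessId", ""),
        "start_address": data.get("StartAddress", ""),
    }


if __name__ == "__main__":
    print(flag_remote_thread(SAMPLE_EVENT))
```

A thread injected into lsass.exe by an executable under a user's Downloads folder is exactly the shape of credential-theft tooling; SourceImage plus StartAddress with an empty StartModule (the thread starts outside any loaded module) is what to pivot on when you triage it.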

Tutorial:
CQURE
https://www.youtube.com/watch?v=8qDEbnofkos

