Sunday, January 21, 2018

QRadar SIEM - Create a rule for Malware domain detection

In the previous post, I already created a Reference set for Malware domain.
This time, we will create a rule when one of the malware domain list matches our proxy server domain event properties.

1. Create the rule.
   Offences > Rule > Action > New event rule
2. Select Event properties: click "these event properties".
3. Select Reference Set: click "these reference set(s)".
4. Click Next and add your email address for the alert.




QRadar SIEM - Adding Malware Domain Reference Set

1. Download the list of malware domains here: malware list
2. Create a new Reference set.
    Name: Malware Domain List
    Type: AlphaNumeric
3. Import the list into the QRadar reference set.
    Admin > System Configuration > Reference set management
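The two posts above (the reference set and the rule that matches it against the proxy's destination host) modelled offline, as an added example that is not part of the original post or IBM's product. The domain list and proxy events are constructed samples; the parent-domain check is an assumption the example adds, because an exact AlphaNumeric reference-set lookup would not match a subdomain of a listed domain.

```python
"""Added example: load a malware domain list into a set (the reference set) and
test constructed proxy events against it, including parent-domain matches."""
import re

# Constructed list in the usual "one domain per line, # comments" shape (not real).
MALWARE_LIST_TEXT = """\
# constructed sample list -- not real indicators
bad-example.test
Evil-Cdn.example
"""

# Constructed proxy events; "host" is the destination host event property.
PROXY_EVENTS = [
    {"src": "10.0.0.5", "host": "cdn.evil-cdn.example", "url": "/payload"},
    {"src": "10.0.0.6", "host": "www.good.example", "url": "/"},
    {"src": "10.0.0.7", "host": "BAD-EXAMPLE.TEST:8080", "url": "/c2"},
]

def load_reference_set(text):
    """Build the AlphaNumeric set: lower-cased, comments and blank lines skipped."""
    ref = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            ref.add(line)
    return ref

def normalise_host(host):
    """Lower-case and drop an explicit port so 'Host:8080' still matches."""
    return re.sub(r":\d+$", "", host.strip().lower())

def parent_domains(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def match_events(events, ref):
    """Return (event, matched_domain) pairs; each pair is one rule firing."""
    hits = []
    for ev in events:
        for cand in parent_domains(normalise_host(ev["host"])):
            if cand in ref:
                hits.append((ev, cand))
                break
    return hits

if __name__ == "__main__":
    for ev, d in match_events(PROXY_EVENTS, load_reference_set(MALWARE_LIST_TEXT)):
        print(f"ALERT src={ev['src']} host={ev['host']} matched={d}")
```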




Thursday, January 18, 2018

Communication to a known Bot C&C Server

Description: Communication to a known Bot Command and Control
Destination: 163.172.81.35

Where does the list come from?
root@qradar# cat /opt/qradar/conf/remotenet.conf | grep IP_Address



Monday, January 15, 2018

WinCollect - Agent Status

The Status Server is responsible for forwarding messages related to Agent status to QRadar. These LEEF messages can be easily viewed from the QRadar user interface from the WinCollect agent list using the Show Events button. These events are written to C:\Program Files\IBM\WinCollect\logs\WinCollect_Device.log on the WinCollect agent and are also sent to the QRadar appliance as a LEEF syslog message.

If you are troubleshooting why your WinCollect log source is not sending any logs, the Agent status event can help you check the error code.
In this example, one of my log sources stopped sending log events via WinCollect.

Procedure
  1. Log in to QRadar as an admin user.
  2. Click the Admin tab.
  3. Click the WinCollect icon.
  4. Select a WinCollect agent from the agent list.
  5. Click the Show Events icon.
