New features include a threat hunting dashboard, domain lookup, and domain risk score for a more powerful app
SEATTLE - August 13, 2019 - Today, DomainTools announced significant enhancements to its DomainTools App for IBM QRadar. The latest update allows security teams to better uncover threats and thoroughly investigate incidents with profiles and risk scores for every domain name. The app is available for download in the IBM Security App Exchange.
"There are countless reports citing alert fatigue and the barrage of noise that makes it challenging for security professionals to stay ahead of threats. It's our responsibility to work with partners like IBM to provide solutions that help security teams prioritize alerts and stay ahead of campaigns targeting their organization," said Corin Imai, senior security advisor, DomainTools. “We believe in surfacing intelligence for domains that are observed on our customers' networks, and that is why we've made these enhancements to the DomainTools App for IBM QRadar.”
Users in the security community with access to the app can now:
Threat Hunting Dashboard
The DomainTools Threat Hunting Dashboard in QRadar presents a dynamic view of threats associated with observed domains. The dashboard includes the number of high-risk domains and young domains, as well as a risk map panel that displays the geolocation of IP addresses observed in logs. In addition to these visualizations, it tabulates the rare registrar names, rare registrant names, and rare registrant emails, correlating them with DomainTools Risk Score.
Users can now perform ad-hoc domain lookups from within IBM QRadar by using the 'Domain Profile' tab. This allows Cyber Security Incident Response Teams and Security Operations Centers to quickly triage a domain name, in-context, by viewing its domain profile, Whois data, and Domain Risk Score. They can then perform essential pivots to find related domains and infrastructure likely controlled by the same actor. This allows the user to quickly assess the risk level of the domain and evaluate whether it warrants further investigation without leaving IBM QRadar.
The DomainTools App for IBM QRadar delivers event enrichment at scale by building a reference table with key fields extracted from parsed Whois data. Those fields are then available for teams to create precisely-targeted rules that alert on threat actor identities, the actor’s preferred domain hosting, and registration providers. IBM QRadar’s historical correlation feature then enables retroactive searching on those same fields.
Domain Risk Score
DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is weaponized. This can close the window of vulnerability between the time a malicious domain is registered and the time it is observed and reported causing harm. The Domain Risk Score algorithms analyze a domain’s association to known-bad infrastructure, as well as intrinsic properties of the domain that closely resemble those of known phishing, malware, and spam domains.
The DomainTools App for QRadar adds risk scores to a reference map, immediately populating an associated set of domains with scores above a user-configured threshold. The app ships with sample rules that leverage these reference data sets to create offenses for events which contain risky domains.
For additional information on the DomainTools App for IBM QRadar, please visit: http://www.1081377.com/products/integrations/ibm-security.
About DomainTools
DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at http://www.1081377.com or follow us on Twitter: @domaintools.