IBM Support

QRadar: DNS Lookups for Assets and Asset Details

Question & Answer


Question

How does QRadar leverage DNS?

Answer

There is often confusion about DNS hostname lookup in QRadar as it relates to Asset Profiles. The purpose of this technical note is to clear up how QRadar leverages DNS lookups in QRadar.


There are three separate DNS name lookup features in QRadar SIEM:

1. Right-Click DNS Lookups
IP addresses in QRadar include a right-click menu that offers a DNS Lookup option. This option is available anywhere an IP address is displayed in the user interface. When a user selects DNS Lookup, the option runs the 'dig' or 'host' command in the background and displays the output to the user.


Figure 1: DNS Lookup right-click from the Log Activity tab in QRadar.
The right-click option is available to all users. However, by design not every user is a member of every domain, as determined by the Security Policy set for that user, and the right-click lookup does not take domains into account, since administrators can see everything.
Important: The right-click DNS lookup option is not available on QRoC-based appliances, because the QRoC instance has no "line of sight" to the customer's DNS structure.


2. Asset Identity
If the identity data includes a hostname for an asset, then that hostname is displayed in the asset summary list and also in the asset details page. This DNS lookup is done automatically as the asset profile receives event information that contains its identity. By default, DNS lookups for host identity are enabled in QRadar.

Hostname lookups occur whenever a DSM provides identity updates to the back-end. Typically, this only happens for authentication, DHCP, or VPN events, since these DSMs create many identity events to provide to the back-end. Depending on the log sources which you configured for QRadar, this might mean that the identity data is sparse.

TIP: A quick way to determine what event data includes identity is to add a filter for "Has Identity = True" on the Log Activity tab. When you view the event details screen, the identity information is the last table displayed. The identity information that appears in the last table is passed to the Asset Profiler in QRadar, which is responsible for updating the Asset tab from the event data.

To review this setting, in QRadar 7.2.4 or higher:
  1. Click the Admin tab.
  2. Click the Asset Profiler Configuration icon.
  3. Review the setting of the Enable DNS Lookups for Host Identity field.

    Figure 2:


To review this setting, in QRadar 7.2.3 or lower:
  1. Click the Admin tab.
  2. Click the Console Settings icon.
  3. Review the setting of the Enable DNS Lookups for Host Identity field.



3. Asset Details
In the asset details (double-click an entry in the summary list), the hostname from the identity data is displayed if available. If it is not available, the user interface can optionally perform the lookup while rendering the page. This real-time lookup is controlled by the "Enable Real-Time DNS Lookups for Asset Profiles" option under the Asset Profiler Configuration. Enabling this extra lookup can cause the Asset Details page to render slightly slower than normal, because the system waits for the DNS lookup to return. This option affects only the details page; the summary list is unaffected. By default, QRadar attempts to complete a DNS lookup in real time for asset profiles.

To review this setting, in QRadar 7.2.4 or higher:
  1. Click the Admin tab.
  2. Click the Asset Profiler Configuration icon.
  3. Review the setting of the Enable Real-Time DNS Lookups for Asset Profiles field.


To review this setting, in QRadar 7.2.3 or lower:
  1. Click the Admin tab.
  2. Click the Console Settings icon.
  3. Review the setting of the Enable DNS Lookups for Asset Profiles field.
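The precedence described in section 3 (identity hostname first, real-time reverse lookup only when that is missing and the setting is enabled, with the lookup bounded so a slow DNS server cannot stall the page) is illustrated below. This is an added example with hypothetical function names, not QRadar's own code; the resolver is injectable so the logic can be exercised offline with constructed inputs.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Optional

# Hypothetical helper names; illustrative code, not QRadar's implementation.

def reverse_lookup(ip: str) -> Optional[str]:
    """Reverse-resolve an IP with the system resolver (what 'host'/'dig -x' would do)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror and socket.gaierror are OSError subclasses
        return None


def asset_display_hostname(identity_hostname: Optional[str], ip: str,
                           real_time_lookups: bool,
                           resolver: Callable[[str], Optional[str]] = reverse_lookup,
                           timeout_seconds: float = 2.0) -> Optional[str]:
    """Hostname to show on the asset details page, or None to show only the IP.

    identity_hostname: hostname carried by identity events (auth, DHCP, VPN).
    real_time_lookups: the 'Enable Real-Time DNS Lookups for Asset Profiles' setting.
    resolver: injectable so the lookup can be replaced offline (used by the demo).
    The timeout bounds how long a slow or unreachable DNS server can delay rendering.
    """
    if identity_hostname:
        return identity_hostname          # identity data always takes precedence
    if not real_time_lookups:
        return None                       # setting disabled: no lookup at render time
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(resolver, ip).result(timeout=timeout_seconds)
    except FutureTimeout:
        return None                       # too slow: render the page without a hostname
    finally:
        pool.shutdown(wait=False)         # never block the page on a hung lookup


def slow_resolver(ip: str, delay: float = 0.5) -> str:
    """Constructed stand-in for an unresponsive DNS server."""
    time.sleep(delay)
    return "late.example.com"


if __name__ == "__main__":
    # Constructed sample assets: (identity hostname, IP); the second has no identity data
    for ident, ip in [("ws-12.example.com", "192.0.2.10"), (None, "192.0.2.11")]:
        print(ip, "->", asset_display_hostname(ident, ip, True, resolver=slow_resolver,
                                               timeout_seconds=0.1))
```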


4. Resolving QRadar Appliance Hostnames
If you want QRadar appliance IP addresses to resolve to host names, the appliances must be registered at the DNS record level. Consult your DNS administrator to register the QRadar appliance names for their IP addresses.

 


Document Information

Modified date:
08 November 2023

UID

swg21690480