New Features Include a Threat Hunting Dashboard, Domain Lookup, and Domain Risk Score for a More Powerful App
Today, DomainTools announced significant enhancements to its DomainTools App for IBM QRadar. The latest update allows security teams to better uncover threats and thoroughly investigate incidents with profiles and risk scores for every domain name. The app is available for download in the IBM Security App Exchange.
“There are countless reports citing alert fatigue and the barrage of noise that makes it challenging for security professionals to stay ahead of threats. It’s our responsibility to work with partners like IBM to provide solutions that help security teams prioritize alerts and stay ahead of campaigns targeting their organization,” said Corin Imai, senior security advisor, DomainTools. “We believe in surfacing intelligence for domains that are observed on our customers networks, and that is why we’ve made these enhancements to the DomainTools App for IBM QRadar.”
Users in the security community with access to the app, can now:
- Leverage the threat hunting dashboard
- Perform in-context domain lookups without leaving the app
- Enrich domains at scale
- Proactively monitor potentially malicious domains prior to weaponization
Read More: Salesforce Completes Acquisition of Tableau
Threat Hunting Dashboard
The DomainTools Threat Hunting Dashboard in QRadar presents a dynamic view of threats associated with observed domains. The dashboard includes the number of high-risk domains, young domains, as well as a risk map panel that displays the geolocation of IP addresses observed in logs. In addition to these visualizations, it tabulates the rare registrar names, rare registrant names, and rare registrant emails, correlating them with DomainTools Risk Score.
Users can now perform ad-hoc domain lookups from within IBM QRadar by using the ‘Domain Profile’ tab. This allows Cyber Security Incident Response Teams and Security Operations Centers to quickly triage a domain name, in-context, by viewing its domain profile, Whois data, and Domain Risk Score. They can then perform essential pivots to find related domains and infrastructure likely controlled by the same actor. This allows the user to quickly assess the risk level of the domain and evaluate whether it warrants further investigation without leaving IBM QRadar.
The DomainTools App for IBM QRadar delivers event enrichment at scale by building a reference table with key fields extracted from parsed Whois data. Those fields are then available for teams to create precisely-targeted rules that alert on threat actor identities, the actor’s preferred domain hosting, and registration providers. IBM QRadar’s historical correlation feature then enables retroactive searching on those same fields.
Domain Risk Score
DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is weaponized. This can close the window of vulnerability between the time a malicious domain is registered, and when it is observed and reported causing harm. The Domain Risk Score algorithms analyze a domain’s association to known-bad infrastructure, as well as intrinsic properties of the domain that closely resemble those of known phishing, malware, and spam domains.
The DomainTools App for QRadar adds risk scores to a reference map, immediately populating an associated set of domains with scores above a user-configured threshold. The app ships with sample rules that leverage these reference data sets to create offenses for events which contain risky domains.