Hybrid Cloud Use Cases

Use the IBM® Security QRadar® Content Extension for Hybrid Cloud Use Cases to closely monitor your hybrid cloud deployment.

About the IBM Security QRadar Content Extension for Hybrid Cloud Use Cases

The IBM Security QRadar Content Extension for Hybrid Cloud Use Cases adds rules, building blocks, custom properties, reference data, reports, and saved searches that focus on detecting suspicious activity in virtualization and cloud environments (VMware, Amazon AWS, Microsoft Azure, and Microsoft Office 365).

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.3.1

The following table shows the rules that are new in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.3.1.

Table 1. Rules in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.3.1
Type Name Description
Rule Admin Role Added for Azure Detects when an administrator role is added in Azure.

The following table shows the custom properties that are new in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.3.1.

Name Optimized Description
Attribute New Value No Default custom extraction of Attribute New Value from DSM payload.


IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.3.0

The Multi-Factor Authentication Bypass rule filter is updated to use the LOWER function, so that the value comparison is case-insensitive.

The Logs Have Been Deleted / Disabled or Stopped rule is updated to be more generic to capture other cloud devices.

IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1.

Table 2. Rules and Building Blocks in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1
Type Name Description
Building Block BB:BehaviorDefinition: Management Role Assignment Added (Office 365) Identifies when a management role was assigned to a management role group, management role assignment policy, user, or universal security group (USG).
Building Block BB:BehaviorDefinition: Management Role Assignment Removed (Office 365) Identifies when a management role was removed from a management role group, management role assignment policy, user, or universal security group (USG).
Building Block BB:CategoryDefinition: Object Access Events Edit this Building Block to include all object (file, folder, etc) access related event categories.
Building Block BB:CategoryDefinition: Object Download Events Edit this Building Block to include all object (file, folder, etc) download related event categories.
Building Block BB:CategoryDefinition: Object Upload Events Edit this Building Block to include all object (file, folder, etc) upload related event categories.
Building Block BB:BehaviorDefinition: Regular Virtualization Administration Defines regular virtual environment administration activity such as machines management, and rights management.
Rule Logs Have Been Deleted / Disabled or Stopped Triggers when logs are being deleted, disabled or stopped.
Rule Same Management Policy Added and Deleted within a Short Period of Time (Office 365) Triggers when the same management role assignment is added and then removed within a short period of time.

The following table shows the custom properties that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1.

Table 3. Custom Properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1
Name Optimized
Affected Workload Yes
Policy Name Yes

The following table shows the reports that are new in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1.

Table 4. Reports in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1
Report Name Description
Office 365 File Activity - Monthly Saved Search: Office 365: File Activity
Office 365 File Activity - Weekly Saved Search: Office 365: File Activity
Office 365 Incidents that have impacted the health of an Office 365 Workload - Monthly Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload
Office 365 Incidents that have impacted the health of an Office 365 Workload - Weekly Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload

The following table shows the saved searches that are new in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1.

Table 5. Saved Searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.1
Name Description
Office365: File Activity Describes Office 365 file activity events.
Office 365: Incidents that have impacted the health of an Office 365 Workload Describes incidents that have impacted the health of an Office 365 Workload


IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0.

Table 6. Rules and Building Blocks in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0
Type Name Description
Building Block BB: AWS Cloud: API Request Has Been Denied Defines denied API requests (AWS).
Building Block BB:BehaviourDefinition: Modification in Instance Profile (AWS) Defines a change in the instance profile value on AWS. An instance profile contains one role, and the role can be changed at will. For example, a "Restricted Instance Profile" with a "Restricted Role" can be changed to instead have an "Admin Role". The instance profile name does not change in this case, which is more difficult to notice.
Building Block BB:DeviceDefinition: Cloud More devices have been added to the building block.
Rule Hybrid Cloud Multiple Login Failures From Different Source IPs Triggers when a user fails to log in to a cloud platform 25 times in two minutes from different source IP addresses.
Rule Logs Have Been Deleted / Disabled or Stopped (AWS) Triggers when there are alerts on Amazon AWS logs being deleted, disabled, or stopped.
Rule Multiple Failed API Requests From Same Source IP (AWS) Triggers when at least 10 failed API requests have been initiated from the same Source IP in two minutes.
Rule Multiple Failed API Requests From The Same Username (AWS) Triggers when at least 10 failed API requests have been initiated from the same username in two minutes.
Rule Potential Change To AWS Trail Logging Configurations Triggers when there are alerts on configuration changes to CloudTrail logging.
Rule Potential Privilege Escalation via Instance Profile (AWS) Triggers when an admin action is performed after an AWS instance profile has changed. A user may change an AWS instance profile to assign a different role. If an admin activity follows this action, it can indicate a potential privilege escalation event.
Rule Security Rule Created or Deleted (Azure) Triggers when a security rule is created or deleted by a low privileged user. This can indicate an attacker creating or deleting a security rule to either grant access or deny access to a virtual machine or resource.
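The threshold rules in Table 6 are easiest to understand as a sliding window over normalized events. The following Python is an added example, not part of the content extension, that reproduces three of them over constructed CloudTrail-style records: denied API requests keyed by source IP and by username (10 in two minutes), and failed console logins counted as distinct source IPs per username (25 in two minutes). The errorCode values treated as "denied", the sample records, and the helper names are assumptions of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# errorCode values treated as a denied API request. This set is an assumption of
# the example; in QRadar the equivalent is whatever event category
# BB: AWS Cloud: API Request Has Been Denied matches on.
DENIED_ERROR_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

RULE_FAILED_API_IP = "Multiple Failed API Requests From Same Source IP (AWS)"
RULE_FAILED_API_USER = "Multiple Failed API Requests From The Same Username (AWS)"
RULE_LOGIN_DIFFERENT_IPS = "Hybrid Cloud Multiple Login Failures From Different Source IPs"


class WindowCounter:
    """Sliding-window counter, one window per key, like a QRadar 'same <field>' test.

    observe() returns True once `threshold` events for `key` fall inside the last
    `window` seconds. With distinct=True the observed values are deduplicated,
    which gives the 'from different Source IPs' variant. Events must arrive in
    time order.
    """

    def __init__(self, window, threshold, distinct=False):
        self.window = window
        self.threshold = threshold
        self.distinct = distinct
        self._hits = defaultdict(deque)  # key -> deque of (timestamp, value)

    def observe(self, key, ts, value=None):
        hits = self._hits[key]
        hits.append((ts, value))
        while hits and ts - hits[0][0] > self.window:
            hits.popleft()  # drop events that fell out of the window
        count = len({v for _, v in hits}) if self.distinct else len(hits)
        return count >= self.threshold


def event_time(record):
    """CloudTrail eventTime (UTC, ISO 8601) as a POSIX timestamp."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def is_denied_api_request(record):
    return record.get("errorCode") in DENIED_ERROR_CODES


def is_failed_console_login(record):
    # CloudTrail reports the console sign-in result in responseElements.ConsoleLogin.
    return (record.get("eventName") == "ConsoleLogin"
            and (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure")


def run_rules(records):
    """Return the distinct (rule name, key) offenses in the order they first fire."""
    denied_by_ip = WindowCounter(window=120, threshold=10)
    denied_by_user = WindowCounter(window=120, threshold=10)
    login_ips_by_user = WindowCounter(window=120, threshold=25, distinct=True)
    offenses = []

    def fire(rule, key):
        if (rule, key) not in offenses:  # fire once per key, not on every further event
            offenses.append((rule, key))

    for rec in sorted(records, key=event_time):
        ts = event_time(rec)
        user = (rec.get("userIdentity") or {}).get("userName", "unknown")
        ip = rec.get("sourceIPAddress", "unknown")
        if is_denied_api_request(rec):
            if denied_by_ip.observe(ip, ts):
                fire(RULE_FAILED_API_IP, ip)
            if denied_by_user.observe(user, ts):
                fire(RULE_FAILED_API_USER, user)
        if is_failed_console_login(rec) and login_ips_by_user.observe(user, ts, value=ip):
            fire(RULE_LOGIN_DIFFERENT_IPS, user)
    return offenses


def _record(when, event_name, user, ip, **extra):
    rec = {"eventTime": when, "eventName": event_name, "eventSource": "iam.amazonaws.com",
           "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


def sample_events():
    """Constructed CloudTrail-style records (not real log data)."""
    events = []
    # 12 denied IAM calls from one address within a minute, spread over three users:
    # the per-IP rule reaches 10, the per-user rule does not.
    for i in range(12):
        events.append(_record(f"2024-05-01T10:00:{5 * i:02d}Z", "ListUsers", f"dev{i % 3}",
                              "203.0.113.7", errorCode="AccessDenied"))
    # 30 failed console logins for alice from 30 different addresses in one minute.
    for i in range(30):
        events.append(_record(f"2024-05-01T11:00:{2 * i:02d}Z", "ConsoleLogin", "alice",
                              f"198.51.100.{i + 1}", eventSource="signin.amazonaws.com",
                              responseElements={"ConsoleLogin": "Failure"}))
    # 30 failed console logins for bob from a single address: one distinct IP, no offense here.
    for i in range(30):
        events.append(_record(f"2024-05-01T12:00:{2 * i:02d}Z", "ConsoleLogin", "bob",
                              "192.0.2.9", eventSource="signin.amazonaws.com",
                              responseElements={"ConsoleLogin": "Failure"}))
    return events


if __name__ == "__main__":
    for rule, key in run_rules(sample_events()):
        print(f"{rule}: {key}")
```

The per-user denied counter stays silent in the sample because the twelve denials are spread over three usernames, while the per-IP counter fires; that is the difference between the two 2.2.0 rules. bob's thirty failures from one address would instead match the "Same Source" rule from 2.1.0.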

The following table shows the custom properties that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0.

Table 7. Custom Properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0
Name Optimized Description
Federated User No This property is a placeholder for default custom extraction of Federated User from DSM payloads.
Group Name Yes This property is a placeholder for default custom extraction of Group Name from DSM payloads.
Local Network Gateway No This property is a placeholder for default custom extraction of Local Network Gateway from DSM payloads.
Network Interface No This property is a placeholder for default custom extraction of Network Interface from DSM payloads.
Network Security Group No This property is a placeholder for default custom extraction of Network Security Group from DSM payloads.
Network Watcher No This property is a placeholder for default custom extraction of Network Watcher from DSM payloads.
Profile Yes This property is a placeholder for default custom extraction of Profile from DSM payloads.
Security Rule No This property is a placeholder for default custom extraction of Security Rule from DSM payloads.
UserType Yes This property is a placeholder for default custom extraction of UserType from DSM payloads.
Virtual Network No This property is a placeholder for default custom extraction of Virtual Network from DSM payloads.
VPC ID Yes This property is a placeholder for default custom extraction of VPC ID from DSM payloads.

The following table shows the reference sets that are new in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0.

Table 8. Reference Sets in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0
Type Name
Reference Set AWS - Audit Events
Reference Set AWS - VPC Events

The following table shows the reports that are new in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0.

Table 9. Reports in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0
Report Name Description
AWS Audit Events - Monthly Provides greater monitoring and trending of AWS audit activities.
AWS Audit Events - Weekly Provides greater monitoring and trending of AWS audit activities.
AWS Failed Console Logins Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Failed Console Logins Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS Failed Console Logins Non-Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Failed Console Logins Non-Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS Policy Changes Audit - Monthly Provides greater monitoring and trending of AWS policy change activities.
AWS Policy Changes Audit - Weekly Provides greater monitoring and trending of AWS policy change activities.
AWS Security Group Ingress - Monthly Provides greater monitoring and trending of AWS security group ingress activities.
AWS Security Group Ingress - Weekly Provides greater monitoring and trending of AWS security group ingress activities.
AWS Successful Console Logins Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Successful Console Logins Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS Successful Console Logins Non-Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Successful Console Logins Non-Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS VPC Event Audit - Monthly Provides trending for events from the Amazon Virtual Private Cloud.
AWS VPC Event Audit - Weekly Provides trending for events from the Amazon Virtual Private Cloud.
Azure Network Security Group Created or Updated - Monthly Provides greater monitoring and trending for Azure security groups.
Azure Network Security Group Created or Updated - Weekly Provides greater monitoring and trending for Azure security groups.
Azure Security Rule Created, Updated or Deleted - Monthly Provides greater monitoring and trending for Azure security rules.
Azure Security Rule Created, Updated or Deleted - Weekly Provides greater monitoring and trending for Azure security rules.
Azure Virtual Network Created or Updated - Monthly Provides greater monitoring and trending for Azure virtual networks.
Azure Virtual Network Created or Updated - Weekly Provides greater monitoring and trending for Azure virtual networks.
Azure Web Apps Virtual Connections Deleted - Monthly Provides greater monitoring and trending for Azure web app virtual connections.
Azure Web Apps Virtual Connections Deleted - Weekly Provides greater monitoring and trending for Azure web app virtual connections.
Virtualization - Group Auditing - Monthly Provides greater monitoring and trending of Cloud group auditing activities.
Virtualization - Group Auditing - Weekly Provides greater monitoring and trending of Cloud group auditing activities.
Virtualization - Role Creations, Deletions and Updates - Monthly Provides greater monitoring and trending of Cloud role activities.
Virtualization - Role Creations, Deletions and Updates - Weekly Provides greater monitoring and trending of Cloud role activities.
Virtualization - User Account Created - Monthly Provides greater monitoring and trending of Cloud user account creation activities.
Virtualization - User Account Created - Weekly Provides greater monitoring and trending of Cloud user account creation activities.

The following table shows the saved searches that are new in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0.

Table 10. Saved Searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.2.0
Name Description
AWS Audit Events This saved search is used in the Audit Event reports.
AWS Failed Console Logins Fed User - Group by Username and Source IP This saved search is used in the Failed Console Logins Federated User reports.
AWS Failed Console Logins Non-Fed User - Grouped by Username and Source IP This saved search is used in the Failed Console Logins Non-Federated User reports.
AWS Policy Change Audit This saved search is used in the Policy Change reports.
AWS Security Group Ingress This saved search is used in the Security Group Ingress reports.
AWS Success Console Logins Fed User - Group by Username and Source IP This saved search is used in the Successful Console Logins Federated User reports.
AWS Success Console Logins Non-Fed User - Group by Username and Source IP This saved search is used in the Successful Console Logins Non-Federated User reports.
AWS VPC Audit Event This saved search is used in the VPC Event Audit reports.
Azure Network Security Group Created or Updated This saved search is used in the Security Group Created or Updated reports.
Azure Security Rule Created, Updated or Deleted This saved search is used in the Security Rule Created, Updated or Deleted reports.
Azure Virtual Network Created or Updated This saved search is used in the Virtual Network Created or Updated reports.
Azure Web Apps Virtual Network Connections Deleted This saved search is used in the Web Apps Virtual Network Connections Deleted reports.
Virtualization - Group Changes Audit This saved search is used in the Group Changes reports.
Virtualization - Role Creations, Deletions and Updates This saved search is used in the Role reports.
Virtualization - User Account Created This saved search is used in the User Account Created reports.


IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.1.0

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.1.0.

Table 11. Rules and Building Blocks in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.1.0
Type Name Description
Building Block BB:DeviceDefinition: Cloud Defines all cloud sources on the system.
Rule Hybrid Cloud Multiple Login Failures from Same Source Triggers when there are multiple authentication failures to virtualization or cloud systems from the same source address.
Rule Hybrid Cloud Multiple Login Failures from Same Username Triggers when there are multiple authentication failures to virtualization or cloud systems from the same username.


IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0

This content extension was renamed from IBM Security QRadar Virtualized Environment Content Extension to IBM Security QRadar Content Extension for Hybrid Cloud Use Cases.

The following table shows the custom event properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases V2.0.0.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.
Table 12. Custom Event Properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Custom Property Found in
Access Key ID Amazon AWS
Alert Severity
Audit Flags
MFA Used
Object ID Azure
ObjectName Microsoft Office 365
ObjectType
Search Executed Microsoft Office 365
Target Access Key ID Amazon AWS
Target User ID Azure
User ID Azure
UserType Amazon AWS
Volume ID Amazon AWS

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0.

Table 13. Rules and Building Blocks in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Type Name Description
Building Block BB:BehaviorDefinition: Access Key Creation for Another User (AWS) Defines a user creating an access key for another user. In AWS, a user with the iam:CreateAccessKey permission can create access keys for any user that the permission covers. An attacker who holds it can create a key for an administrative user and then act as that user. AWS access keys are long-term credentials used to sign AWS CLI and API requests.
Building Block BB:BehaviorDefinition: Credential Exfiltration in Amazon GuardDuty Defines when credential exfiltration in Amazon GuardDuty is detected.
Building Block BB:BehaviorDefinition: Default Policy Creation (AWS) Defines when a user creates a new policy version and sets it as the default (current) version. In AWS, a user with the iam:CreatePolicyVersion permission can overwrite the effective contents of an existing policy by creating a new version on top of it. An attacker can use this to grant themselves the highest privileges, or to revoke the permissions of security managers; these are privilege escalation and defense evasion techniques.
Building Block BB:BehaviorDefinition: Default Policy Version Modification (AWS) Defines when the default policy version of a policy is changed. In AWS, a user with the iam:SetDefaultPolicyVersion permission can switch a policy to a different existing version, which then becomes the default (current) version. This requires the version to already exist, because the user has no permission to write a new one.

For example, a policy called Example-Policy has a seven-version history. The default (current) version is v7, with limited rights, while v1 had administrative rights. By switching the default back to v1, the attacker regains administrative privileges, which is a privilege escalation. The attacker can also modify any policy they have access to, and may use this to revoke privileges from security managers as a defense evasion technique.

Building Block BB:BehaviorDefinition: Medium or High Severity Virtualization Events Defines medium and high severity events in a virtualization environment. The following indicators have been used as a base to define each level of severity.
  • Low / 0 to 3.9
  • Medium / 4 to 6.9
  • High / 7 to 10

Tune the thresholds according to your needs.

In Azure, the event severity is based on the Azure Security Center and Azure Defender. The alerts shown in your environment depend on the resources and services as well as your custom configuration.

In Amazon GuardDuty, the severity levels are defined as follows:

  • Low: Suspicious activities that were attempted but did not compromise the system.
  • Medium: Suspicious activities that may have compromised the system.
  • High: Suspicious activities that have compromised the system, and resources are being used.
Building Block BB:BehaviorDefinition: Regular Virtualization Administration Defines regular virtual environment administration activity, such as machine management, and rights management.
Building Block BB:BehaviorDefinition: Role Assigned to a Resource with Managed Identity (Azure) Defines when an Azure resource instance with a managed identity is assigned a role on another resource. Resources with a managed identity can access and manage other resources through Azure Active Directory authentication.
Building Block BB:BehaviorDefinition: Suspicious Virtualization Activities Defines suspicious virtualization activities.
Building Block BB:BehaviorDefinition: Volume Detached and Attached on the Same Machine Detects a volume being detached from a machine, and reattached to that machine within one hour.
Building Block BB:CategoryDefinition: Cloud Object Shared (O365) Defines the Policy Sharing category in Office 365, such as policy regarding calendar, contacts, and email.
Building Block BB:CategoryDefinition: Network Configuration Update on Virtual Machines This building block was removed from the content extension.
Building Block BB:CategoryDefinition: Virtual Machine Configuration Change The rule filter of this building block was updated.
Rule Credential Exfiltration and Administration Task from the Same User Triggers when a credential exfiltration alert occurs in a short time span before or after an administration task has been observed, which could indicate the attacker made use of their access to the platform.
Rule High Privilege Virtual Machine Performing Suspicious Actions Triggers when a virtual machine that can access storage that contains personal information such as credit card numbers performs suspicious activities. This action can indicate a virtual machine changing the permissions to perform malicious actions.
Rule Multi-Factor Authentication Bypass Triggers on login attempts to virtualization or cloud systems without multi-factor authentication (MFA).
Note: This rule is disabled by default because MFA may not be enabled or used in some business scenarios. Only those environments where MFA is used should enable this rule.
Rule Suspicious Activity Followed by Virtualization Administration Task Triggers when suspicious activities are discovered followed by regular administration tasks in a virtualized environment. Suspicious activities include multiple virtual machines being deleted, and credential exfiltration detected. Regular administrative tasks include creation or deletion of a virtual machine, and roles updates.
Rule Suspicious Number of Modifications Made on Virtual Machines Renamed from Abnormal Number of Modifications Made on Virtual Machines.
Rule Suspicious Number of Virtual Machines Created Renamed from Abnormal Number of Virtual Machines Created.
Rule User Assumed a Privileged Access (AWS) Triggers when a user obtains temporary privileged access. On AWS, the STS AssumeRole call returns temporary security credentials for the requested role. The temporary access key ID is added to the Temporary Access Keys reference set, which by default has a time-to-live of 1 hour. Adjust the time-to-live to match the session duration configured in your environment; an entry that expires before the session does is no longer correlated with later activity.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this reference set is considered as suspicious in terms of privileges.
Rule User Changed to High Privilege Role Renamed from User Role Changed to High Privilege Role Names.
Rule User Changed to Low Privilege Role Renamed from User Role Changed to Low Privilege Role Names.
Rule User with Temporary Access Performing Suspicious Activities (AWS) Triggers when a user with temporary access performs suspicious activities. On AWS, the STS AssumeRole call returns temporary security credentials for the requested role. Assuming a role alone does not indicate an attack, because the credentials may never be used or the user may be legitimate, but further activity under those credentials should be monitored.
Rule Virtual Machine High Privilege Role Assigned Adds the Machine ID of a virtual machine to the Resources with High Privilege Roles reference set, if it was assigned a high privilege role.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this reference set is considered as suspicious in terms of privileges.
Rule Virtual Machine High Privilege Role Unassigned Removes the Machine ID of a virtual machine from the Resources with High Privilege Roles reference set when a high privilege role is unassigned from it.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this reference set is considered as suspicious in terms of privileges.
Rule Volume Attached and Detached on Different Machines Triggers when a single volume is attached to and detached from multiple machines. For example, one way to recover access to an EC2 instance whose SSH key pair was lost is to detach its root volume, attach it to another instance, edit the authorized keys, and reattach it. An attacker with the same volume permissions can read or modify the data on a volume without ever authenticating to the instance, so this kind of volume movement can reveal malicious behavior.
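The three IAM building blocks in Table 13 (access key creation for another user, default policy creation, and default policy version modification) can be checked directly against CloudTrail IAM records. The Python below is an added example, not IBM's rule logic: it evaluates constructed records and adds two checks a practitioner would want next to the building blocks, namely whether a new default policy version grants administrator access and whether a SetDefaultPolicyVersion moves to an older version, as in the Example-Policy scenario. Field names follow the CloudTrail record format (eventName, requestParameters, responseElements, errorCode); the exact responseElements layout for CreatePolicyVersion and all sample data are assumptions of the example.

```python
import json

# Finding labels. The first three are the building blocks from the table above.
BB_KEY_FOR_OTHER_USER = "Access Key Creation for Another User (AWS)"
BB_DEFAULT_POLICY_CREATION = "Default Policy Creation (AWS)"
BB_DEFAULT_VERSION_MODIFICATION = "Default Policy Version Modification (AWS)"
ADMIN_GRANT = "Administrator Grant"
VERSION_ROLLBACK = "Policy Version Rollback"


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]


def grants_admin(policy_document):
    """True when an Allow statement grants '*' or 'iam:*' on every resource.

    CloudTrail carries the document as a JSON string in
    requestParameters.policyDocument; an already-parsed dict is accepted too.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "iam:*"} and "*" in resources:
            return True
    return False


def _version_number(version_id):
    return int(version_id.lstrip("v"))  # "v7" -> 7


class IamEscalationMonitor:
    """Evaluates CloudTrail IAM records one at a time, in time order.

    Remembers the default version of each policy it has seen so that a
    SetDefaultPolicyVersion that moves backwards (the Example-Policy v7 to v1
    scenario) is reported as a rollback and not just as a version change.
    """

    def __init__(self):
        self.default_version = {}  # policy ARN -> last known default version id

    def evaluate(self, record):
        """Return the finding labels for one record (empty list if benign)."""
        if record.get("eventSource") != "iam.amazonaws.com" or record.get("errorCode"):
            return []  # not IAM, or the call was denied and changed nothing
        name = record.get("eventName")
        params = record.get("requestParameters") or {}
        response = record.get("responseElements") or {}
        actor = (record.get("userIdentity") or {}).get("userName")
        findings = []
        if name == "CreateAccessKey":
            # Without a userName parameter the caller creates a key for itself.
            if params.get("userName", actor) != actor:
                findings.append(BB_KEY_FOR_OTHER_USER)
        elif name == "CreatePolicyVersion" and params.get("setAsDefault"):
            findings.append(BB_DEFAULT_POLICY_CREATION)
            if grants_admin(params.get("policyDocument", "{}")):
                findings.append(ADMIN_GRANT)
            new_version = response.get("policyVersion", {}).get("versionId")
            if new_version:
                self.default_version[params.get("policyArn")] = new_version
        elif name == "SetDefaultPolicyVersion":
            findings.append(BB_DEFAULT_VERSION_MODIFICATION)
            arn, new_version = params.get("policyArn"), params.get("versionId")
            previous = self.default_version.get(arn)
            if previous and _version_number(new_version) < _version_number(previous):
                findings.append(VERSION_ROLLBACK)
            self.default_version[arn] = new_version
        return findings


def scan(records):
    """Evaluate records in the order given; returns one label list per record."""
    monitor = IamEscalationMonitor()
    return [monitor.evaluate(rec) for rec in records]


# Constructed sample data (not real log data).
EXAMPLE_POLICY = "arn:aws:iam::123456789012:policy/Example-Policy"
TEAM_POLICY = "arn:aws:iam::123456789012:policy/Team-Policy"
LIMITED_DOCUMENT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]})
ADMIN_DOCUMENT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})


def _iam(event_name, actor, params, response=None, error=None):
    rec = {"eventSource": "iam.amazonaws.com", "eventName": event_name,
           "userIdentity": {"type": "IAMUser", "userName": actor},
           "requestParameters": params, "responseElements": response}
    if error:
        rec["errorCode"] = error
    return rec


def sample_records():
    return [
        _iam("CreateAccessKey", "alice", {"userName": "admin-bob"}),
        _iam("CreateAccessKey", "alice", None),
        _iam("CreatePolicyVersion", "alice", {"policyArn": EXAMPLE_POLICY, "policyDocument": LIMITED_DOCUMENT,
                                               "setAsDefault": True},
             {"policyVersion": {"versionId": "v7", "isDefaultVersion": True}}),
        _iam("SetDefaultPolicyVersion", "alice", {"policyArn": EXAMPLE_POLICY, "versionId": "v1"}),
        _iam("CreatePolicyVersion", "alice", {"policyArn": TEAM_POLICY, "policyDocument": ADMIN_DOCUMENT,
                                               "setAsDefault": True},
             {"policyVersion": {"versionId": "v2", "isDefaultVersion": True}}),
        _iam("SetDefaultPolicyVersion", "mallory", {"policyArn": EXAMPLE_POLICY, "versionId": "v1"},
             error="AccessDenied"),
    ]


if __name__ == "__main__":
    for rec, labels in zip(sample_records(), scan(sample_records())):
        print(rec["eventName"], rec["userIdentity"]["userName"], labels)
```

The rollback check only works when the monitor has seen the policy's current default; in a SIEM that state would normally live in a reference map populated from earlier CreatePolicyVersion and SetDefaultPolicyVersion events rather than in process memory.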

The following table shows the reports that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0.

Table 14. Reports in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Report Name Search Name and Descriptions
Virtualization - Machine Creation Saved Searches: Virtualization - Machine Creation, Virtualization - Machine Creation per Username

Report of the virtual machines created over the last 24 hours.

Virtualization - User Creation by Country Saved Search: Cloud User Creation by Country

Show user creations by country.

The report content is collated by using the Cloud User Creation by Country search. Edit this search and any relevant search dependencies to refine the results.

The following table shows the reference data that is new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0.

Table 15. Reference Data in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Type Name Description
Reference Set Resources with High Privilege Roles Defines resources with high privilege roles.
Reference Set Temporary Access Keys Defines AWS temporary access keys.
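The two AssumeRole rules in Table 13 (User Assumed a Privileged Access and User with Temporary Access Performing Suspicious Activities) rest on the Temporary Access Keys reference set above and its time-to-live. This Python is an added example, not the extension's own code: it models the reference set with per-entry expiry, records the temporary access key ID that CloudTrail returns in responseElements.credentials for a successful AssumeRole, checks the assumed role name against constructed Low Privilege Role Names contents, and correlates later events signed with that key. The set of event names treated as suspicious, the reference set contents, and the sample records are assumptions of the example.

```python
from datetime import datetime, timezone

# Constructed contents for the Low Privilege Role Names reference set (not real data).
LOW_PRIVILEGE_ROLE_NAMES = {"ReadOnlyAuditor", "BillingViewer"}

# What counts as "suspicious activity" under a temporary session is an assumption
# of this example; the extension defines it in its own building blocks.
SUSPICIOUS_EVENTS = {"CreateAccessKey", "CreatePolicyVersion", "SetDefaultPolicyVersion",
                     "AttachUserPolicy", "StopLogging", "DeleteTrail"}

RULE_PRIVILEGED = "User Assumed a Privileged Access (AWS)"
RULE_TEMP_SUSPICIOUS = "User with Temporary Access Performing Suspicious Activities (AWS)"


def event_time(record):
    """CloudTrail eventTime (UTC, ISO 8601) as a POSIX timestamp."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def role_name(role_arn):
    # arn:aws:iam::123456789012:role/ProdAdmin -> ProdAdmin
    return role_arn.rsplit("/", 1)[-1]


class TemporaryAccessKeys:
    """Reference set with a per-element time-to-live, like QRadar's Temporary Access Keys set."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._entries = {}  # accessKeyId -> (expires_at, role name)

    def add(self, key_id, role, now):
        self._entries[key_id] = (now + self.ttl, role)

    def role_for(self, key_id, now):
        """Role behind a temporary key, or None if the key is unknown or has aged out."""
        entry = self._entries.get(key_id)
        if entry is None:
            return None
        expires_at, role = entry
        if now >= expires_at:
            del self._entries[key_id]  # the set forgets the key when its TTL lapses
            return None
        return role


def correlate(records, ttl_seconds=3600):
    """Return (rule, subject, detail) offenses for records processed in time order."""
    keys = TemporaryAccessKeys(ttl_seconds)
    offenses = []
    for rec in sorted(records, key=event_time):
        now = event_time(rec)
        identity = rec.get("userIdentity") or {}
        if rec.get("eventName") == "AssumeRole" and not rec.get("errorCode"):
            role = role_name(rec["requestParameters"]["roleArn"])
            # STS returns the session's access key ID in responseElements.credentials.
            key_id = ((rec.get("responseElements") or {}).get("credentials") or {}).get("accessKeyId")
            if key_id:
                keys.add(key_id, role, now)
            if role not in LOW_PRIVILEGE_ROLE_NAMES:  # anything not listed is treated as privileged
                offenses.append((RULE_PRIVILEGED, identity.get("userName"), role))
            continue
        # Later calls made with the session credentials carry the temporary key in userIdentity.
        role = keys.role_for(identity.get("accessKeyId"), now)
        if role and rec.get("eventName") in SUSPICIOUS_EVENTS:
            offenses.append((RULE_TEMP_SUSPICIOUS, role, rec["eventName"]))
    return offenses


def _assume(when, user, role, key_id):
    return {"eventTime": when, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": "AKIAEXAMPLELONGTERM"},
            "requestParameters": {"roleArn": f"arn:aws:iam::123456789012:role/{role}",
                                  "roleSessionName": f"{user}-session"},
            "responseElements": {"credentials": {"accessKeyId": key_id}}}


def _session_call(when, key_id, event_name, source="iam.amazonaws.com"):
    return {"eventTime": when, "eventSource": source, "eventName": event_name,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key_id}}


def sample_records():
    """Constructed CloudTrail-style records (not real log data)."""
    return [
        _assume("2024-05-01T10:00:00Z", "alice", "ReadOnlyAuditor", "ASIAEXAMPLEKEY00001"),
        _assume("2024-05-01T10:00:30Z", "alice", "ProdAdmin", "ASIAEXAMPLEKEY00002"),
        _session_call("2024-05-01T10:05:00Z", "ASIAEXAMPLEKEY00002", "ListBuckets", "s3.amazonaws.com"),
        _session_call("2024-05-01T10:06:00Z", "ASIAEXAMPLEKEY00002", "CreateAccessKey"),
        _session_call("2024-05-01T10:07:00Z", "ASIAEXAMPLEKEY00001", "AttachUserPolicy"),
        _session_call("2024-05-01T11:30:00Z", "ASIAEXAMPLEKEY00002", "StopLogging", "cloudtrail.amazonaws.com"),
    ]


if __name__ == "__main__":
    for offense in correlate(sample_records()):
        print(offense)
```

With the default one-hour time-to-live the StopLogging call at 11:30 is not attributed to the ProdAdmin session that started at 10:00:30, because the key has already aged out of the set; running correlate(sample_records(), ttl_seconds=4 * 3600) reports it. That gap is exactly why the rule description tells you to align the reference set time-to-live with your role session duration.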

The following table shows the saved searches that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0.

Table 16. Saved Searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Name Description
Microsoft Office365 eDiscovery Search Created or Started Defines Office 365 eDiscovery events for a search that was created or started.
Microsoft Office365 eDiscovery Search Deleted Defines Office 365 eDiscovery events for a search that was deleted.
Microsoft Office365 eDiscovery Search Exported or Downloaded Defines Office 365 eDiscovery events for a search that was exported or downloaded.
Virtualization - Machine Creation Defines virtual machine creation events.
Virtualization - Machine Creation per Username Defines virtual machine creation events grouped by username.
Virtualization - User Creation by Country Defines user creation events by country for cloud devices.
Virtualization - User Locked Accounts Defines locked user accounts for cloud devices.


IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0

The following table shows the custom event properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.
Table 17. Custom Event Properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Custom Property Optimized Found in
Machine ID Yes
  • Amazon AWS CloudTrail
  • Microsoft Azure
  • VMware custom properties
Role Name Yes
  • Amazon AWS CloudTrail
  • Microsoft Azure
  • VMware custom properties
Target User Name Yes
  • Amazon AWS CloudTrail
  • Microsoft Azure
  • Microsoft Office 365
  • Microsoft Windows
  • VMware custom properties

The following table shows the building blocks and rules in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Table 18. Building blocks and rules in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Type Name Description
Building Block BB:CategoryDefinition: User Role Assign Events Edit this Building Block to include any user role assignment events.
Building Block BB:DeviceDefinition: Virtualization Defines all hypervisor log sources on the system.
Building Block BB:DeviceDefinition: Cloud Defines all cloud log sources on the system.
Building Block BB:CategoryDefinition: Virtual Machine Restarted Edit this Building Block to include all events that indicate virtual machine restarted.
Building Block BB:CategoryDefinition: Virtual Machine Started Edit this Building Block to include all events that indicate virtual machine started.
Building Block BB:CategoryDefinition: Virtual Machine Stopped Edit this Building Block to include all events that indicate virtual machine stopped.
Building Block BB:CategoryDefinition: Virtual Machine Deleted Edit this Building Block to include all events that indicate virtual machine deleted.
Building Block BB:CategoryDefinition: Configuration Change Events on Virtual Machines Edit this Building Block to include any configuration change events.
Building Block BB:CategoryDefinition: Network Configuration Update on Virtual Machines Edit this Building Block to include all events that indicate network configuration update on virtual machines.
Building Block BB:CategoryDefinition: System Configuration This Building Block defines system configuration events.
Building Block BB:CategoryDefinition: Virtual Machine Created Edit this Building Block to include all events that indicate virtual machine created.
Rule User Role Changed to Low Privilege Role Names This rule removes a username from the Users with High Privilege Role Names reference set if the user is given a lower privilege role.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this Reference Set is considered as suspicious in terms of privileges.
Rule Sensitive Virtual Machines Unavailable for a Long Period of Time

This rule triggers when a sensitive virtual machine has been stopped and unavailable for a long period of time.

Tune the rule by changing the down time for a sensitive virtual machine.

Rule User Role Changed to High Privilege Role Names This rule adds a username to the Users with High Privilege Role Names reference set if the user is assigned a potentially high privilege role.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this Reference Set is considered as suspicious in terms of privileges.
Rule High Privilege User Performing Suspicious Actions This rule triggers when a user's role is changed to a higher privilege role (for example, Administrator) and suspicious activities follow. This can indicate a user changing permissions in order to perform malicious actions or to access unauthorized machines.
Rule Multiple Sensitive Virtual Machines Deleted within Short Period of Time This rule triggers when multiple sensitive machines or security devices are deleted in quick succession. This can indicate an intruder destroying sensitive information or hiding their activity before an attack.
Note: The Sensitive Virtual Machines reference set must be populated with the relevant machine names or IDs.
Note: If authorized users perform this action often, exclude them by adding a rule condition. See Abnormal Number of Modifications Made on Virtual Machines for an example.

Rule Multiple Virtual Security Devices Powered Off within Short Period of Time This rule triggers when multiple virtual security devices (for example, a virtual IDS or a virtual SIEM component) are powered off in a short period of time.
Note: The Security Devices reference set must be populated with the relevant machine names or IDs.
Note: If authorized users perform this action often, exclude them by adding a rule condition. See Abnormal Number of Modifications Made on Virtual Machines for an example.

Rule Abnormal Number of Modifications Made on Virtual Machines This rule triggers when an abnormal number of configuration updates is performed on virtual machines. Routine administration should not involve many configuration updates, such as adding memory or reducing storage size, on one or several machines in a short time, so this indicates suspicious behaviour.
Note: Populate the Authorized Users reference set with users who are authorized to perform these actions.
Rule Abnormal Number of Virtual Machines Created This rule triggers when a high number of virtual machines is created in a short period of time, which can indicate malicious user behaviour. See Abnormal Number of Modifications Made on Virtual Machines for an example of excluding authorized users.

The following table shows the reference data in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Table 19. Reference Data in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Type Name Description
Reference Set Authorized Users Defines authorized users. This reference set can be used to exclude authorized users from triggering false positives when performing high privileged actions.
Reference Set Low Privilege Role Names Defines the role names that are considered low privilege. Any role name not in this set is treated as high privilege by the role change rules.
Reference Set Security Devices Defines security device names or IDs.
Reference Set Sensitive Virtual Machines Defines sensitive virtual machine names or IDs.
Reference Set Users with High Privilege Role Names Collects usernames with high privilege role names.

The following table shows the saved searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Table 20. Saved Searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Name Description
VMWare Audit Events Defines VMware audit events.
VMWare System Status Defines VMware system status events.
