Hybrid Cloud Use Cases

Use the IBM® Security QRadar® Content Extension for Hybrid Cloud Use Cases to closely monitor your hybrid cloud deployment.

About the IBM Security QRadar Content Extension for Hybrid Cloud Use Cases

The IBM Security QRadar Content Extension for Hybrid Cloud Use Cases adds several rules and saved searches that focus on detecting Virtualization activities.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0

This content extension was renamed from IBM QRadar Virtualized Environment Content Extension to IBM Security QRadar Content Extension for Hybrid Cloud Use Cases.

The following table shows the custom event properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases V2.0.0.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.
Table 1. Custom Event Properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Custom Property Found in
Access Key ID Amazon AWS
Alert Severity
Audit Flags
MFA Used
Object ID Azure
ObjectName Microsoft Office 365
ObjectType
Search Executed Microsoft Office 365
Target Access Key ID Amazon AWS
Target User ID Azure
User ID Azure
UserType Amazon AWS
Volume ID Amazon AWS

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0.

Table 2. Rules and Building Blocks in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Type Name Description
Building Block BB:BehaviorDefinition: Access Key Creation for Another User (AWS) Defines a user creating an access key for another user. In AWS, a user with iam:CreateAccessKey permission can create access keys for a user they have access to. An attacker can potentially gain access to an admin user. AWS access keys are credentials used for requests to AWS CLI or API.
Building Block BB:BehaviorDefinition: Credential Exfiltration in Amazon GuardDuty Defines when credential exfiltration in Amazon GuardDuty is detected.
Building Block BB:BehaviorDefinition: Default Policy Creation (AWS) Defines when a user creates a new policy version and sets it as the default (current) version. In AWS, a user with the iam:CreatePolicyVersion permission can overwrite an existing policy by creating a new version on top of it. An attacker can assign themselves the highest privileges or revoke security managers' permissions, which are privilege escalation and defense evasion techniques.
Building Block BB:BehaviorDefinition: Default Policy Version Modification (AWS) Defines when the default policy version is changed for a user. In AWS, a user with the iam:SetDefaultPolicyVersion permission can switch the policy to a different existing version, which then becomes the default (current) policy version. This requires the policy version to already exist, because the user has no permission to rewrite the policy.

For example, a policy called Example-Policy has a seven-version history. The default (current) version is v.7 with limited rights, while v.1 had administrative rights. By switching the policy back to v.1, the attacker regains administrative privileges. This can potentially be a privilege escalation activity. Further, the attacker can modify any policy they have access to, which they may also use to revoke privileges from security managers as a defense evasion technique.

Building Block BB:BehaviorDefinition: Medium or High Severity Virtualization Events Defines medium and high severity events in a virtualization environment. The following score ranges are used as the basis for each severity level.
  • Low / 0 to 3.9
  • Medium / 4 to 6.9
  • High / 7 to 10

Tune the thresholds according to your needs.

In Azure, the event severity is based on the Azure Security Center and Azure Defender. The alerts shown in your environment depend on the resources and services as well as your custom configuration.

In AWS GuardDuty, severity is defined as follows:

  • Low: Suspicious activities that were attempted but did not compromise the system.
  • Medium: Suspicious activities that may have compromised the system.
  • High: Suspicious activities that have compromised the system, and resources are being used.
Building Block BB:BehaviorDefinition: Regular Virtualization Administration Defines regular virtual environment administration activity, such as machine management and rights management.
Building Block BB:BehaviorDefinition: Role Assigned to a Resource with Managed Identity (Azure) Defines when an Azure resource instance with a managed identity is assigned a role on another resource. Resources with a managed identity can access and manage other resources through Azure Active Directory authentication.
Building Block BB:BehaviorDefinition: Suspicious Virtualization Activities Defines suspicious virtualization activities.
Building Block BB:BehaviorDefinition: Volume Detached and Attached on the Same Machine Detects a volume being detached from a machine, and reattached to that machine within one hour.
Building Block BB:CategoryDefinition: Cloud Object Shared (O365) Defines the Policy Sharing category in Office 365, such as policy regarding calendar, contacts, and email.
Building Block BB:CategoryDefinition: Network Configuration Update on Virtual Machines This building block was removed from the content extension.
Building Block BB:CategoryDefinition: Virtual Machine Configuration Change The rule filter of this building block was updated.
Rule Credential Exfiltration and Administration Task from the Same User Triggers when a credential exfiltration alert occurs in a short time span before or after an administration task has been observed, which could indicate the attacker made use of their access to the platform.
Rule High Privilege Virtual Machine Performing Suspicious Actions Triggers when a virtual machine that can access storage that contains personal information such as credit card numbers performs suspicious activities. This action can indicate a virtual machine changing the permissions to perform malicious actions.
Rule Multi-Factor Authentication Bypass Triggers on login attempts to virtualization or cloud systems without multi-factor authentication (MFA).
Note: This rule is disabled by default because MFA may not be enabled or used in some business scenarios. Only those environments where MFA is used should enable this rule.
Rule Suspicious Activity Followed by Virtualization Administration Task Triggers when suspicious activities are discovered followed by regular administration tasks in a virtualized environment. Suspicious activities include multiple virtual machines being deleted, and credential exfiltration detected. Regular administrative tasks include creation or deletion of a virtual machine, and roles updates.
Rule Suspicious Number of Modifications Made on Virtual Machines Renamed from Abnormal Number of Modifications Made on Virtual Machines.
Rule Suspicious Number of Virtual Machines Created Renamed from Abnormal Number of Virtual Machines Created.
Rule User Assumed a Privileged Access (AWS) Triggers when a user with temporary privileged access is detected. On AWS, assume role returns temporary credentials for the resources the user has requested access to. The user's temporary security credentials or access key is added to the Temporary Access Keys reference set, which by default has a time-to-live of 1 hour. Adjust the time depending on your environment's expiry configuration.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this reference set is considered as suspicious in terms of privileges.
Rule User Changed to High Privilege Role Renamed from User Role Changed to High Privilege Role Names.
Rule User Changed to Low Privilege Role Renamed from User Role Changed to Low Privilege Role Names.
Rule User with Temporary Access Performing Suspicious Activities (AWS) Triggers when a user with temporary access performs suspicious activities. On AWS, assume role returns temporary credentials for the resources the user has requested access to. This alone does not indicate an attack, because the credentials might never be used or the user might be legitimate, but further activities should be monitored.
Rule Virtual Machine High Privilege Role Assigned Adds the Machine ID of a virtual machine to the Resources with High Privilege Roles reference set, if it was assigned a high privilege role.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this reference set is considered as suspicious in terms of privileges.
Rule Virtual Machine High Privilege Role Unassigned Removes the Machine ID of a virtual machine from the Resources with High Privilege Roles reference set, if a high privilege role was unassigned from it.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this reference set is considered as suspicious in terms of privileges.
Rule Volume Attached and Detached on Different Machines Triggers when a single volume is attached to and detached from multiple machines. For example, replacing an SSH key pair in an AWS environment involves switching volumes between different instances. Such manipulation of volumes could reveal malicious behavior.
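The three AWS IAM building blocks above (Access Key Creation for Another User, Default Policy Creation, Default Policy Version Modification) each reduce to a test on a few CloudTrail fields. The following is an added example, not QRadar content and not IBM's rule logic: it classifies constructed CloudTrail-style records (the field names eventName, userIdentity, requestParameters, setAsDefault and versionId are real CloudTrail keys; the account ID, user names and policy ARN are made up) into those three behaviours, including the case where CreateAccessKey omits the target user name because the caller is creating a key for themselves.

```python
"""Classify CloudTrail-style IAM records into the three AWS behaviour
definitions from Table 2. Added example, not QRadar content: the CloudTrail
field names are real, the sample values are constructed."""

# Constructed sample records. In CloudTrail, CreateAccessKey omits
# requestParameters.userName when the caller creates a key for themselves.
SAMPLE_EVENTS = [
    {"eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {}},                                   # key for self
    {"eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "admin-bob"}},            # key for another user
    {"eventName": "CreatePolicyVersion",
     "userIdentity": {"userName": "carol"},
     "requestParameters": {"policyArn": "arn:aws:iam::000000000000:policy/Example-Policy",
                           "setAsDefault": True}},               # new version made default
    {"eventName": "CreatePolicyVersion",
     "userIdentity": {"userName": "carol"},
     "requestParameters": {"policyArn": "arn:aws:iam::000000000000:policy/Example-Policy",
                           "setAsDefault": False}},              # draft version only
    {"eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"userName": "dave"},
     "requestParameters": {"policyArn": "arn:aws:iam::000000000000:policy/Example-Policy",
                           "versionId": "v1"}},                  # switch back to an old version
    {"eventName": "ListUsers",
     "userIdentity": {"userName": "dave"},
     "requestParameters": None},                                 # benign read-only call
]


def _params(ev):
    # CloudTrail writes requestParameters as null for some calls; treat that as empty.
    return ev.get("requestParameters") or {}


def access_key_for_another_user(ev):
    """BB:BehaviorDefinition: Access Key Creation for Another User (AWS)."""
    if ev.get("eventName") != "CreateAccessKey":
        return False
    actor = (ev.get("userIdentity") or {}).get("userName")
    target = _params(ev).get("userName") or actor   # a missing userName means self
    return target != actor


def default_policy_creation(ev):
    """BB:BehaviorDefinition: Default Policy Creation (AWS): new version set as default."""
    return (ev.get("eventName") == "CreatePolicyVersion"
            and bool(_params(ev).get("setAsDefault")))


def default_policy_version_modification(ev):
    """BB:BehaviorDefinition: Default Policy Version Modification (AWS)."""
    return ev.get("eventName") == "SetDefaultPolicyVersion"


BEHAVIOURS = {
    "access_key_for_another_user": access_key_for_another_user,
    "default_policy_creation": default_policy_creation,
    "default_policy_version_modification": default_policy_version_modification,
}


def classify(events):
    """Return (actor, behaviour, target user or policy ARN) for every matching event."""
    findings = []
    for ev in events:
        actor = (ev.get("userIdentity") or {}).get("userName")
        for name, matches in BEHAVIOURS.items():
            if matches(ev):
                p = _params(ev)
                findings.append((actor, name, p.get("userName") or p.get("policyArn")))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_EVENTS):
        print(finding)
```

The self-created key (first record) and the draft policy version (fourth record) produce no finding; only the key for admin-bob, the version created with setAsDefault, and the SetDefaultPolicyVersion call are reported, which is the split the three building blocks make.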
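The volume rules (detached and reattached on the same machine within one hour, or moved between machines) and the two temporary-access rules (a privileged assume role adds the key to the Temporary Access Keys reference set with a 1 hour TTL; suspicious activity by that key while it is still in the set fires the second rule) are stateful correlations rather than single-event matches. The following is an added example, not QRadar content and not IBM's rule logic, showing that correlation over constructed CloudTrail-style EC2 and STS records. The field names (DetachVolume, AttachVolume, AssumeRole, volumeId, instanceId, roleArn, responseElements.credentials.accessKeyId) are real CloudTrail names; the values, the low-privilege role list and the suspicious-action list are constructed stand-ins for the reference set and building block the rules depend on.

```python
"""Stateful correlation for the volume and temporary-credential rules in
Table 2 over constructed CloudTrail-style EC2 and STS records. Added
example, not QRadar content: field names are real, values are constructed."""
from datetime import datetime, timedelta

SAME_MACHINE_WINDOW = timedelta(hours=1)   # window of the volume building block
TEMP_KEY_TTL = timedelta(hours=1)          # default TTL of the Temporary Access Keys set
# Constructed stand-ins for the Low Privilege Role Names reference set and for
# BB:BehaviorDefinition: Suspicious Virtualization Activities.
LOW_PRIVILEGE_ROLE_NAMES = {"ReadOnlyAuditor"}
SUSPICIOUS_ACTIONS = {"DeleteTrail", "StopLogging", "DeleteVolume"}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _role_name(arn):
    return arn.rsplit("/", 1)[-1]


SAMPLE_EVENTS = [  # constructed
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "DetachVolume",
     "requestParameters": {"volumeId": "vol-0a1", "instanceId": "i-111"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventName": "AttachVolume",
     "requestParameters": {"volumeId": "vol-0a1", "instanceId": "i-111"}},  # same machine, 20 min
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "DetachVolume",
     "requestParameters": {"volumeId": "vol-0b2", "instanceId": "i-111"}},
    {"eventTime": "2024-01-10T10:05:00Z", "eventName": "AttachVolume",
     "requestParameters": {"volumeId": "vol-0b2", "instanceId": "i-222"}},  # moved to another machine
    {"eventTime": "2024-01-10T10:30:00Z", "eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::000000000000:role/ReadOnlyAuditor"},
     "responseElements": {"credentials": {"accessKeyId": "ASIACONSTRUCTED0"}}},  # low privilege
    {"eventTime": "2024-01-10T11:00:00Z", "eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::000000000000:role/DeployAdmin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIACONSTRUCTED1"}}},  # privileged
    {"eventTime": "2024-01-10T11:30:00Z", "eventName": "DeleteTrail",
     "userIdentity": {"accessKeyId": "ASIACONSTRUCTED1"}},   # temporary key still within TTL
    {"eventTime": "2024-01-10T13:00:00Z", "eventName": "StopLogging",
     "userIdentity": {"accessKeyId": "ASIACONSTRUCTED1"}},   # TTL expired, no finding
]


def correlate(events):
    """Return (rule, volume or key) findings in event-time order."""
    findings = []
    last_detach = {}   # volumeId -> (instanceId, time of the last DetachVolume)
    temp_keys = {}     # accessKeyId -> expiry; models the reference set and its TTL
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        now, name = _t(ev["eventTime"]), ev["eventName"]
        rp = ev.get("requestParameters") or {}
        if name == "DetachVolume":
            last_detach[rp["volumeId"]] = (rp["instanceId"], now)
        elif name == "AttachVolume":
            prev = last_detach.get(rp["volumeId"])
            if prev is None:
                continue
            prev_instance, prev_time = prev
            if prev_instance != rp["instanceId"]:
                findings.append(("volume_moved_between_machines", rp["volumeId"]))
            elif now - prev_time <= SAME_MACHINE_WINDOW:
                findings.append(("volume_reattached_same_machine", rp["volumeId"]))
        elif name == "AssumeRole":
            if _role_name(rp.get("roleArn", "")) in LOW_PRIVILEGE_ROLE_NAMES:
                continue   # anything not in the low-privilege set counts as privileged
            key = ev["responseElements"]["credentials"]["accessKeyId"]
            temp_keys[key] = now + TEMP_KEY_TTL
            findings.append(("user_assumed_privileged_access", key))
        elif name in SUSPICIOUS_ACTIONS:
            key = (ev.get("userIdentity") or {}).get("accessKeyId")
            if key in temp_keys and now < temp_keys[key]:   # lazy expiry, like a set TTL
                findings.append(("temporary_access_suspicious_activity", key))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The last record shows why the reference set TTL matters: StopLogging at 13:00 comes from a key that left the set at 12:00, so it is not attributed to the temporary session, which is the behaviour to keep in mind when adjusting the TTL to the environment's credential expiry.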

The following table shows the reports that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0.

Table 3. Reports in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Report Name Search Name and Descriptions
Virtualization - Machine Creation Saved Searches: Virtualization - Machine Creation, Virtualization - Machine Creation per Username

Report of the virtual machines created over the last 24 hours.

Virtualization - User Creation by Country Saved Search: Cloud User Creation by Country

Shows user creations by country.

The report content is collated by using the Cloud User Creation by Country search. Edit this search and any relevant search dependencies to refine the results.

The following table shows the reference data that is new or updated in IBM QRadar Virtualization Content Extension 2.0.0.

Table 4. Reference Data in IBM QRadar Virtualization Content Extension 2.0.0
Type Name Description
Reference Set Resources with High Privilege Roles Defines resources with high privilege roles.
Reference Set Temporary Access Keys Defines AWS temporary access keys.

The following table shows the saved searches that are new or updated in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0.

Table 5. Saved Searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 2.0.0
Name Description
Microsoft Office365 eDiscovery Search Created or Started Defines Azure eDiscovery events for search created or started.
Microsoft Office365 eDiscovery Search Deleted Defines Azure eDiscovery events for search deleted.
Microsoft Office365 eDiscovery Search Exported or Downloaded Defines Azure eDiscovery events for search exported or downloaded.
Virtualization - Machine Creation Defines virtual machine creation events.
Virtualization - Machine Creation per Username Defines virtual machine creation events grouped by username.
Virtualization - User Creation by Country Defines user creation events by country for cloud devices.
Virtualization - User Locked Accounts Defines locked user accounts for cloud devices.


IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0

The following table shows the custom event properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.
Table 6. Custom Event Properties in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Custom Property Optimized Found in
Machine ID Yes
  • Amazon AWS CloudTrail
  • Microsoft Azure
  • VMware custom properties
Role Name Yes
  • Amazon AWS CloudTrail
  • Microsoft Azure
  • VMware custom properties
Target User Name Yes
  • Amazon AWS CloudTrail
  • Microsoft Azure
  • Microsoft Office 365
  • Microsoft Windows
  • VMware custom properties

The following table shows the building blocks and rules in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Table 7. Building blocks and rules in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Type Name Description
Building Block BB:CategoryDefinition: User Role Assign Events Edit this Building Block to include any user role assignment events.
Building Block BB:DeviceDefinition: Virtualization This rule defines all hypervisors on the system.
Building Block BB:DeviceDefinition: Cloud This rule defines all cloud sources on the system.
Building Block BB:CategoryDefinition: Virtual Machine Restarted Edit this Building Block to include all events that indicate virtual machine restarted.
Building Block BB:CategoryDefinition: Virtual Machine Started Edit this Building Block to include all events that indicate virtual machine started.
Building Block BB:CategoryDefinition: Virtual Machine Stopped Edit this Building Block to include all events that indicate virtual machine stopped.
Building Block BB:CategoryDefinition: Virtual Machine Deleted Edit this Building Block to include all events that indicate virtual machine deleted.
Building Block BB:CategoryDefinition: Configuration Change Events on Virtual Machines Edit this Building Block to include any configuration change events.
Building Block BB:CategoryDefinition: Network Configuration Update on Virtual Machines Edit this Building Block to include all events that indicate network configuration update on virtual machines.
Building Block BB:CategoryDefinition: System Configuration This Building Block defines system configuration events.
Building Block BB:CategoryDefinition: Virtual Machine Created Edit this Building Block to include all events that indicate virtual machine created.
Rule User Role Changed to Low Privilege Role Names This rule removes a username from the reference set Users with High Privilege Role Names if the user is given a lower privilege role.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this Reference Set is considered as suspicious in terms of privileges.
Rule Sensitive Virtual Machines Unavailable for a Long Period of Time

This rule triggers when a sensitive virtual machine has been stopped and unavailable for a long period of time.

Tune the rule by changing the down time for a sensitive virtual machine.

Rule User Role Changed to High Privilege Role Names This rule adds a username to the reference set Users with High Privilege Role Names if the user is given a potentially high privilege role.
Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Anything not defined in this Reference Set is considered as suspicious in terms of privileges.
Rule High Privilege User Performing Suspicious Actions This rule triggers when a user's role changes to a higher privilege role (for example, Administrator), followed by suspicious activities. This action can indicate a user changing their permissions to perform malicious actions or to access unauthorized machines.
Rule Multiple Sensitive Virtual Machines Deleted within Short Period of Time This rule triggers when multiple sensitive machines or security devices are deleted in quick succession. This may indicate an intruder is compromising sensitive information or hiding before an attack.
Note: The Sensitive Virtual Machines reference set must be populated with the relevant machine names.
Note: If authorized users perform this action often, exclude them by adding a rule condition. See Abnormal Number of Modifications Made on Virtual Machines for an example.

Rule Multiple Virtual Security Devices Powered Off within Short Period of Time This rule triggers when multiple virtual security devices (for example, a virtual IDS or a virtual SIEM component) are powered off in a short period of time.
Note: The Security Devices reference set must be populated with the relevant machine names or IDs.
Note: If authorized users perform this action often, exclude them by adding a rule condition. See Abnormal Number of Modifications Made on Virtual Machines for an example.

Rule Abnormal Number of Modifications Made on Virtual Machines This rule triggers when an abnormal number of configuration updates are performed on virtual machines. Typical administration should not involve multiple configuration updates, such as adding more memory or reducing the storage size, on one or multiple machines. This indicates suspicious behaviour.
Note: Populate the Authorized Users reference set with users who are authorized to perform these actions.
Rule Abnormal Number of Virtual Machines Created This rule triggers when a high number of virtual machines is created in a short period of time. This can indicate malicious user behaviour. See Abnormal Number of Modifications Made on Virtual Machines for an example.
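The "multiple ... within short period of time" and "abnormal number of ..." rules in Table 7 share one shape: count matching events per user inside a sliding window, fire when the count reaches a threshold, and skip users listed in the Authorized Users reference set as the notes recommend. The following is an added example, not QRadar content and not IBM's rule logic, showing that pattern for Multiple Sensitive Virtual Machines Deleted within Short Period of Time and Abnormal Number of Modifications Made on Virtual Machines over constructed virtualization audit events; the same loop covers Abnormal Number of Virtual Machines Created by counting creation events. The reference-set contents, the 10 minute window and the thresholds are assumptions to be tuned per environment, not values from the extension.

```python
"""Sliding-window count rules from Table 7 over constructed virtualization
audit events. Added example, not QRadar content: reference-set contents,
window and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-ins for the reference sets of Table 8.
SENSITIVE_VIRTUAL_MACHINES = {"vm-db-prod-01", "vm-db-prod-02", "vm-hsm-proxy"}
AUTHORIZED_USERS = {"platform-automation"}

# Assumed tunables (the extension exposes its own in the rule editor).
WINDOW = timedelta(minutes=10)
DELETE_THRESHOLD = 2
MODIFY_THRESHOLD = 3

# Constructed, already-normalised events: (user, action, machine, time).
SAMPLE_EVENTS = [
    ("eve", "delete", "vm-db-prod-01", "2024-01-10T08:00:00Z"),
    ("eve", "delete", "vm-web-05", "2024-01-10T08:03:00Z"),         # not sensitive
    ("eve", "delete", "vm-db-prod-02", "2024-01-10T08:05:00Z"),     # second sensitive deletion
    ("platform-automation", "delete", "vm-db-prod-01", "2024-01-10T08:10:00Z"),  # authorized
    ("platform-automation", "delete", "vm-db-prod-02", "2024-01-10T08:11:00Z"),  # authorized
    ("mallory", "modify", "vm-app-01", "2024-01-10T09:00:00Z"),
    ("mallory", "modify", "vm-app-02", "2024-01-10T09:02:00Z"),
    ("mallory", "modify", "vm-app-03", "2024-01-10T09:04:00Z"),     # third within the window
    ("mallory", "modify", "vm-app-04", "2024-01-10T09:30:00Z"),     # window has slid past
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _count_in_window(timestamps, now):
    """Record now, drop entries older than WINDOW, return the current count."""
    timestamps.append(now)
    while now - timestamps[0] > WINDOW:
        timestamps.popleft()
    return len(timestamps)


def run_rules(events):
    """Return (rule, user) findings; each rule fires once per burst."""
    findings = []
    sensitive_deletes = defaultdict(deque)   # user -> times of sensitive deletions
    modifications = defaultdict(deque)       # user -> times of configuration updates
    for user, action, machine, ts in sorted(events, key=lambda e: e[3]):
        if user in AUTHORIZED_USERS:
            continue   # the exclusion the rule notes recommend
        now = _t(ts)
        if action == "delete" and machine in SENSITIVE_VIRTUAL_MACHINES:
            if _count_in_window(sensitive_deletes[user], now) == DELETE_THRESHOLD:
                findings.append(("multiple_sensitive_vms_deleted", user))
        elif action == "modify":
            if _count_in_window(modifications[user], now) == MODIFY_THRESHOLD:
                findings.append(("abnormal_vm_modifications", user))
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Comparing the count with == rather than >= is what keeps a long burst from re-firing on every further event; mallory's fourth modification at 09:30 produces nothing because the three earlier timestamps have already fallen out of the window.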

The following table shows the reference data in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Table 8. Reference Data in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Type Name Description
Reference Set Authorized Users Defines authorized users. This reference set can be used to exclude authorized users from triggering false positives when performing high privileged actions.
Reference Set Low Privilege Role Names Defines low privilege role names.
Reference Set Security Devices Defines security device names or IDs.
Reference Set Sensitive Virtual Machines Defines sensitive virtual machine names or IDs.
Reference Set Users with High Privilege Role Names Collects usernames with high privilege role names.

The following table shows the saved searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0.

Table 9. Saved Searches in IBM Security QRadar Content Extension for Hybrid Cloud Use Cases 1.0.0
Name Description
VMWare Audit Events Defines VMware audit events.
VMWare System Status Defines VMware system status events.
