Intrusions
Use the IBM Security QRadar Intrusions Content Extension to focus on intrusion detection.
IBM Security QRadar Intrusions Content Extension
The following content extensions now contain rules and building blocks that originated in the IBM Security QRadar Intrusions Content Extension:
- IBM Security QRadar Compliance Content Extension
- IBM Security QRadar Endpoint Content Extension
- IBM Security QRadar Threat Monitoring Content Extension
- IBM Security QRadar Network Anomaly Content Extension
The following list shows the rules added to the IBM Security QRadar Compliance Content Extension.
- BB:CategoryDefinition: Countries/Regions with no Remote Access
- Excessive Firewall Accepts From Multiple Sources to a Single Destination
The following list shows the rules added to the IBM Security QRadar Endpoint Content Extension.
- Remote: Remote Desktop Access from the Internet
- BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts (UUID SYSTEM-1055; new name: BB:BehaviorDefinition: Remote Desktop Access from a Remote Host)
- BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts (UUID SYSTEM-1056; new name: BB:BehaviorDefinition: VNC Activity from a Remote Host)
- Remote: VNC Access from the Internet to a Local Host (UUID SYSTEM-1108; new name: Remote: VNC Access from the Internet)
The following list shows the rules added to the IBM Security QRadar Threat Monitoring Content Extension.
- BB:CategoryDefinition: Countries/Regions with no Remote Access
- BB:CategoryDefinition: Database Access Denied
- BB:CategoryDefinition: Malware Annoyances
- BB:CategoryDefinition: Virus Detected
- BB:CategoryDefinition: Worm Events
- BB:FalseNegative: Events That Indicate Successful Compromise
- BB:NetworkDefinition: Undefined IP Space
- BB:NetworkDefinition: Watch List Addresses
- Exploit Followed by Suspicious Host Activity
- Exploit/Malware Events Across Multiple Destinations
- Exploit: Exploits Followed by Firewall Accepts
- Multiple Vector Attack Source
- Source Vulnerable to any Exploit
- Source Vulnerable to this Exploit
- 100% Accurate Events (UUID SYSTEM-1459; new name: Successful Signature Compromise)
The following list shows the rules added to the IBM Security QRadar Network Anomaly Content Extension.
- Anomaly: DMZ Jumping
- Remote: Possible Tunneling
IBM Security QRadar Intrusions Content Extension V1.0.4
The following table shows the rule that is updated in IBM Security QRadar Intrusions Content Extension V1.0.4.
Name | Description |
---|---|
Excessive Firewall Accepts From Multiple Sources to a Single Destination | Changed the name from Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination. |
The following rules and building blocks are removed in IBM Security QRadar Intrusions Content Extension V1.0.4 because they are now included in IBM Security QRadar by default.
- BB:BehaviorDefinition: Compromise Activities
- BB:CategoryDefinition: Authentication Failures
- BB:CategoryDefinition: Authentication to Disabled Account
- BB:CategoryDefinition: Authentication to Expired Account
- BB:CategoryDefinition: DDoS Attack Events
- BB:CategoryDefinition: Exploits Backdoors and Trojans
- BB:CategoryDefinition: Firewall or ACL Accept
- BB:CategoryDefinition: Firewall or ACL Denies
- BB:CategoryDefinition: Key Loggers
- BB:CategoryDefinition: Mail Policy Violation
- BB:CategoryDefinition: Network DoS Attack
- BB:CategoryDefinition: Post DMZ Jump
- BB:CategoryDefinition: Post Exploit Account Activity
- BB:CategoryDefinition: Pre DMZ Jump
- BB:CategoryDefinition: Recon Event Categories
- BB:CategoryDefinition: Recon Events
- BB:CategoryDefinition: Recon Flows
- BB:CategoryDefinition: Service DoS
- BB:CategoryDefinition: Successful Communication
- BB:Database: System Action Deny
- BB:DeviceDefinition: Database
- BB:DeviceDefinition: FW / Router / Switch
- BB:HostDefinition: Database Servers
- BB:HostReference: Database Servers
- BB:NetworkDefinition: Darknet Addresses
- BB:NetworkDefinition: DMZ Addresses
- BB:NetworkDefinition: Honeypot like Addresses
- BB:PortDefinition: Common Worm Ports
- BB:PortDefinition: Database Ports
- BB:Threats: Port Scans: Host Scans
- BB:Threats: Port Scans: UDP Port Scan
- BB:Threats: Scanning: Empty Responsive Flows High
- BB:Threats: Scanning: Empty Responsive Flows Low
- BB:Threats: Scanning: Empty Responsive Flows Medium
- BB:Threats: Scanning: ICMP Scan High
- BB:Threats: Scanning: ICMP Scan Low
- BB:Threats: Scanning: ICMP Scan Medium
- BB:Threats: Scanning: Potential Scan
- BB:Threats: Scanning: Scan High
- BB:Threats: Scanning: Scan Low
- BB:Threats: Scanning: Scan Medium
- BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
- BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
- Destination Vulnerable to Detected Exploit
- Destination Vulnerable to Detected Exploit on a Different Port
- Malware or Virus Clean Failed
IBM Security QRadar Intrusions Content Extension V1.0.3
The following table shows the rules and building blocks in IBM Security QRadar Intrusions Content Extension V1.0.3.
Type | Name | Description |
---|---|---|
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack. |
Rule | Destination Vulnerable to Detected Exploit on a Different Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port. |
Rule | Destination Vulnerable to Different Exploit than Attempted on Targeted Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to some attack but not the one being attempted. |
The following table shows the reference data in IBM Security QRadar Intrusions Content Extension V1.0.3.
Type | Name | Description |
---|---|---|
Reference Set | Database Servers | List of Database IP addresses. |
IBM Security QRadar Intrusions Content Extension V1.0.2
The following table shows the rules and building blocks that are updated in IBM Security QRadar Intrusions Content Extension V1.0.2.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices. |
Building Block | BB:DeviceDefinition: Database | Updated building block with database devices. |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs: |
Rule | Malware or Virus Clean Failed | New QIDs added to rule: |
IBM Security QRadar Intrusions Content Extension V1.0.1
The following table shows the rules and building blocks in IBM Security QRadar Intrusions Content Extension V1.0.1.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
Rule | Exploit: Exploits Followed by Firewall Accepts | Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule |
Rule | Anomaly: DMZ Jumping | Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule |
Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule |
Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Updated user interface name and rule text description. |
IBM Security QRadar Intrusions Content Extension V1.0.0
The IBM Security QRadar Intrusions Content Extension V1.0.0 adds the Database Servers reference set to QRadar. The following table shows the rules and building blocks in IBM Security QRadar Intrusions Content Extension V1.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Compromise Activities | Edit this building block to include categories that are considered to be part of events seen during typical compromises. |
Building Block | BB:CategoryDefinition: Authentication Failures | Edit this building block to include all events that indicate an unsuccessful attempt to access the network. |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Edit this building block to include all events that indicate failed attempts to access the network using a disabled account. |
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Edit this building block to include all events that indicate failed attempts to access the network using an expired account. |
Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule. |
Building Block | BB:CategoryDefinition: Database Access Denied | Identifies database events that are considered denied access. |
Building Block | BB:CategoryDefinition: DDoS Attack Events | Edit this building block to include all event categories that you wish to categorize as a DDoS attack. |
Building Block | BB:CategoryDefinition: Exploits Backdoors and Trojans | Edit this building block to include all events that are typically exploits, backdoor, or trojans. |
Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Edit this building block to include all events that indicate access to the firewall. |
Building Block | BB:CategoryDefinition: Firewall or ACL Denies | Edit this building block to include all events that indicate unsuccessful attempts to access the firewall. |
Building Block | BB:CategoryDefinition: Key Loggers | Edit this building block to include all events associated with the monitoring of user activities through a key logger. |
Building Block | BB:CategoryDefinition: Mail Policy Violation | Edit this building block to include anything you would consider to be a mail based policy violation. An example might be outbound traffic on port 25 not originating from a mail server. |
Building Block | BB:CategoryDefinition: Malware Annoyances | Edit this building block to include event categories that are typically associated with spyware infections. |
Building Block | BB:CategoryDefinition: Network DoS Attack | Edit this building block to include all event categories that you wish to categorize as a network DoS attack. |
Building Block | BB:CategoryDefinition: Post DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by the Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel rules. |
Building Block | BB:CategoryDefinition: Post Exploit Account Activity | Identifies events that generally happen after an exploit. |
Building Block | BB:CategoryDefinition: Pre DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by the Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel rules. |
Building Block | BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity. |
Building Block | BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity. |
Building Block | BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity. |
Building Block | BB:CategoryDefinition: Service DoS | Edit this building block to define Denial of Service (DoS) attack events. |
Building Block | BB:CategoryDefinition: Successful Communication | Defines flows that are typical of a successful communication. If you want stricter detection, you can lower the ratio to 64 bytes/packet; however, this causes many false positives and may require further tuning using flags and other properties. |
Building Block | BB:CategoryDefinition: Virus Detected | This building block defines all virus detection events. |
Building Block | BB:CategoryDefinition: Worm Events | Edit this building block to define worm events. This building block only applies to events not detected by a custom rule. |
Building Block | BB:Database: System Action Deny | Edit this building block to include any events that indicate unsuccessful actions within a database. |
Building Block | BB:DeviceDefinition: Database | This building block defines all databases on the system. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | This building block defines all firewalls, routers, and switches on the system. |
Building Block | BB:FalseNegative: Events That Indicate Successful Compromise | Defines events which indicate a successful compromise. These events generally have 100% accuracy. |
Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks. |
Building Block | BB:HostReference: Database Servers | |
Building Block | BB:NetworkDefinition: Darknet Addresses | Edit this building block to include networks that should be added to a darknet list. |
Building Block | BB:NetworkDefinition: DMZ Addresses | Edit this building block to include addresses that are part of the DMZ. |
Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the "other" network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. After these are defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access. |
Building Block | BB:NetworkDefinition: Undefined IP Space | Edit this building block to include areas of your network that do not contain any valid hosts. |
Building Block | BB:NetworkDefinition: Watch List Addresses | Edit this building block to include networks which should be added into a watch list. |
Building Block | BB:PortDefinition: Common Worm Ports | Defines ports that generally are not seen in local to remote traffic. |
Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports. |
Building Block | BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows. |
Building Block | BB:Threats: Port Scans: UDP Port Scan | Identifies UDP based port scans. |
Building Block | BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Identifies flows where a remote desktop application is being accessed from a remote host. |
Building Block | BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Identifies flows where a VNC service is being accessed from a remote host. |
Building Block | BB:Threats: Scanning: Empty Responsive Flows High | This building block detects potential reconnaissance activity where the source packet count is greater than 100,000. |
Building Block | BB:Threats: Scanning: Empty Responsive Flows Low | This building block detects potential reconnaissance activity where the source packet count is greater than 500. |
Building Block | BB:Threats: Scanning: Empty Responsive Flows Medium | This building block detects potential reconnaissance activity where the source packet count is greater than 5,000. |
Building Block | BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance. |
Building Block | BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance. |
Building Block | BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance. |
Building Block | BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows. |
Building Block | BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance. |
Building Block | BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance. |
Building Block | BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets. |
Rule | 100% Accurate Events | Creates an offense when an event matches a 100% accurate signature for successful compromises. |
Rule | Anomaly: DMZ Jumping | This rule fires when connections appear to be bridged across the network's DMZ. |
Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Reports excessive Firewall Accepts to the same destination from at least 100 unique source IP addresses in 5 minutes. |
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack. |
Rule | Exploit Followed by Suspicious Host Activity | Reports an exploit or attack type activity from a source IP address followed by suspicious account activity on the same destination host within 15 minutes of the original event. |
Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Reports an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port. |
Rule | Exploit: Exploits Followed by Firewall Accepts | Detects when exploit or attack events are followed by firewall accept events, which may indicate a successful attack. |
Rule | Exploit/Malware Events Across Multiple Destinations | Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device. |
Rule | Malware or Virus Clean Failed | The system detected a virus and failed to clean or remove it. |
Rule | Multiple Vector Attack Source | Detects when a source host tries multiple attack vectors, which may indicate that the source host is specifically targeting an asset. |
Rule | Remote: Possible Tunneling | Detects possible tunneling, which can indicate a bypass of policy, or an infected system. |
Rule | Remote: Remote Desktop Access from the Internet | Detects the Microsoft Remote Desktop Protocol from the internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule. |
Rule | Remote: VNC Access from the Internet to a Local Host | Detects VNC (a remote desktop access application) from the internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule. |
Rule | Source Vulnerable to any Exploit | Reports an attack from a local host where the source has at least one vulnerability. It is possible the source was targeted in an earlier offense. |
Rule | Source Vulnerable to this Exploit | Reports an attack from a local host where the source host is vulnerable to the attack being used. It is possible the source host was the destination of an earlier offense. |
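The thresholds quoted in the table above (at least 100 unique sources accepted to one destination in 5 minutes, post-exploit account activity on the same host within 15 minutes of an exploit event, and the Low/Medium/High source packet counts of the Empty Responsive Flows building blocks) are easy to misread until you replay them against data. The following is an added example that re-implements that logic over constructed sample records so you can see which inputs fire and which do not; it is illustrative code, not QRadar's rule engine or any IBM code. The record layout, the plain-text category labels (which are not QRadar QIDs or low-level categories), the sample addresses and the function names are all assumptions made for the example, and the `dst_packets > 0` test used to decide that a flow was "responsive" is this example's reading, not the page's definition.

```python
"""Added example (not IBM code): the threshold logic of three rules and building
blocks from the V1.0.0 table, replayed over constructed sample records.
Record layout, category labels and function names are assumptions for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)  # arbitrary constructed start time


def event(offset_s, category, src, dst):
    """Build one constructed event record; categories are plain labels, not QRadar QIDs."""
    return {"ts": T0 + timedelta(seconds=offset_s), "category": category,
            "src": src, "dst": dst}


def excessive_firewall_accepts(events, min_sources=100, window=timedelta(minutes=5)):
    """Excessive Firewall Accepts From Multiple Sources to a Single Destination:
    report every destination that received firewall accepts from at least
    min_sources distinct source IPs inside one sliding window (page: 100 in 5 minutes)."""
    recent = defaultdict(deque)  # destination -> deque of (timestamp, source)
    reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "Firewall Accept":
            continue
        q = recent[ev["dst"]]
        q.append((ev["ts"], ev["src"]))
        while q and ev["ts"] - q[0][0] > window:  # drop accepts older than the window
            q.popleft()
        if len({src for _, src in q}) >= min_sources:
            reported.add(ev["dst"])
    return reported


def exploit_followed_by_suspicious_activity(events, window=timedelta(minutes=15)):
    """Exploit Followed by Suspicious Host Activity: an exploit event against a
    destination followed by post-exploit account activity on that same host
    within the window (page: 15 minutes). Returns (destination, exploit_time,
    activity_time) tuples, one per qualifying activity event."""
    exploits = defaultdict(list)  # destination -> timestamps of exploit events seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] == "Exploit":
            exploits[ev["dst"]].append(ev["ts"])
        elif ev["category"] == "Post Exploit Account Activity":
            for t in exploits[ev["dst"]]:
                if timedelta(0) <= ev["ts"] - t <= window:
                    hits.append((ev["dst"], t, ev["ts"]))
                    break
    return hits


def empty_responsive_flow_tier(src_packets, dst_packets):
    """BB:Threats: Scanning: Empty Responsive Flows Low/Medium/High, tiered by
    source packet count (page: >500, >5,000, >100,000). Requiring dst_packets > 0
    to count the flow as 'responsive' is this example's assumption."""
    if dst_packets <= 0:
        return None
    if src_packets > 100_000:
        return "High"
    if src_packets > 5_000:
        return "Medium"
    if src_packets > 500:
        return "Low"
    return None


# Constructed sample (documentation addresses, not real traffic): 100 distinct
# sources accepted to 10.0.0.5 within 100 seconds (fires); 100 distinct sources to
# 10.0.0.6 spread 30 s apart over ~50 minutes, so never 100 inside any 5-minute
# window (does not fire); and an exploit against 10.0.0.7 followed by account
# activity on it nine minutes later (fires).
SAMPLE_EVENTS = (
    [event(i, "Firewall Accept", f"198.51.100.{i}", "10.0.0.5") for i in range(100)]
    + [event(i * 30, "Firewall Accept", f"203.0.113.{i}", "10.0.0.6") for i in range(100)]
    + [event(0, "Exploit", "192.0.2.10", "10.0.0.7"),
       event(9 * 60, "Post Exploit Account Activity", "192.0.2.10", "10.0.0.7")]
)

if __name__ == "__main__":
    print(excessive_firewall_accepts(SAMPLE_EVENTS))             # {'10.0.0.5'}
    print(exploit_followed_by_suspicious_activity(SAMPLE_EVENTS))  # one hit on 10.0.0.7
    print(empty_responsive_flow_tier(6_000, 12))                 # Medium
```

The sliding window is the part worth checking when you tune these rules: the 10.0.0.6 case has 100 unique sources in total but never 100 within 5 minutes, so a naive count over the whole dataset would fire while the windowed rule correctly stays quiet.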
- Excessive Firewall Accepts From Multiple Sources to a Single Destination
- DMZ Jumping
- Destination Vulnerable to Detected Exploit
- Source Vulnerable to any Exploit
- Source Vulnerable to this Exploit
- Exploit/Malware Events Across Multiple Destinations
- Exploit Followed by Suspicious Host Activity
- Destination Vulnerable to Detected Exploit on a Different Port
- 100% Accurate Events
- Multiple Vector Attack Source
- Remote: Remote Desktop Access from the Internet
- Exploits Followed by Firewall Accepts
- Remote: VNC Access from the Internet to a Local Host
- Malware or Virus Clean Failed
- Remote: Possible Tunneling
- BB:Database: System Action Deny
- BB:HostDefinition: Database Servers
- BB:HostReference: Database Servers
- BB:PortDefinition: Database Ports
- BB:PortDefinition: Common Worm Ports
- BB:FalseNegative: Events That Indicate Successful Compromise
- BB:DeviceDefinition: Database
- BB:DeviceDefinition: FW / Router / Switch
- BB:Threats: Scanning: Scan Medium
- BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts
- BB:Threats: Scanning: ICMP Scan Low
- BB:Threats: Scanning: ICMP Scan High
- BB:Threats: Scanning: Scan Low
- BB:Threats: Scanning: ICMP Scan Medium
- BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts
- BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
- BB:Threats: Scanning: Empty Responsive Flows High
- BB:Threats: Scanning: Scan High
- BB:Threats: Scanning: Empty Responsive Flows Low
- BB:Threats: Scanning: Empty Responsive Flows Medium
- BB:Threats: Port Scans: UDP Port Scan
- BB:Threats: Port Scans: Host Scans
- BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
- BB:Threats: Scanning: Potential Scan
- BB:CategoryDefinition: Post Exploit Account Activity
- BB:CategoryDefinition: Recon Flows
- BB:CategoryDefinition: Successful Communication
- BB:CategoryDefinition: Firewall or ACL Denies
- BB:CategoryDefinition: Recon Events
- BB:CategoryDefinition: Mail Policy Violation
- BB:CategoryDefinition: Service DoS
- BB:CategoryDefinition: Worm Events
- BB:CategoryDefinition: Virus Detected
- BB:CategoryDefinition: Authentication to Expired Account
- BB:CategoryDefinition: Countries/Regions with no Remote Access
- BB:CategoryDefinition: Pre DMZ Jump
- BB:CategoryDefinition: Authentication to Disabled Account
- BB:CategoryDefinition: Network DoS Attack
- BB:CategoryDefinition: Recon Event Categories
- BB:CategoryDefinition: Firewall or ACL Accept
- BB:CategoryDefinition: Exploits Backdoors and Trojans
- BB:BehaviorDefinition: Compromise Activities
- BB:CategoryDefinition: Post DMZ Jump
- BB:CategoryDefinition: Authentication Failures
- BB:CategoryDefinition: Key Loggers
- BB:CategoryDefinition: Malware Annoyances
- BB:CategoryDefinition: DDoS Attack Events
- BB:CategoryDefinition: Database Access Denied
- BB:NetworkDefinition: DMZ Addresses (Note: This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.)
- BB:NetworkDefinition: Honeypot like Addresses
- BB:NetworkDefinition: Undefined IP Space
- BB:NetworkDefinition: Darknet Addresses
- BB:NetworkDefinition: Watch List Addresses