National Institute of Standards and Technology (NIST)
Use the IBM® QRadar® Content Extension for NIST to meet NIST control requirements.
Baseline Maintenance V1.09 or higher is required for the NIST Content Extension to perform correctly. Install Baseline Maintenance before you install the NIST Content Extension.
IBM Security QRadar NIST Content Extensions
IBM Security QRadar Content Extension for NIST V1.1.0
The following list shows the saved searches that are updated to be shared across users in IBM Security QRadar Content Extension for NIST V1.1.0.
- Insider Threat (UBA)
- ISO 27001 (11.4) - Malicious Attacks
- Non-Filtered Internet Connection
- Privileged Activities
- Priviledged Escalations
IBM Security QRadar Content Extension for NIST V1.0.1
The following table shows the rules and building blocks that are removed in IBM Security QRadar Content Extension for NIST V1.0.1.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:CategoryDefinition: Privileged Activity : UBA | Indicates when a user has performed an action which is considered to be privileged. |
| Rule | Load Basic Building Blocks | This rule loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. |
The IBM Security QRadar Content Extension for NIST RMF 800-53 content extension includes reports, rules, and saved searches. QRadar also includes some features that meet NIST control requirements, such as offenses and data obfuscation.
IBM Security QRadar Content Extension for NIST V1.0.0
The following table shows the rules and building blocks in IBM Security QRadar Content Extension for NIST V1.0.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:CategoryDefinition: Malicious Attacks | Edit this building block to define malicious attacks like buffer overlow, cross site scripting, database exploit, and others. |
| Building Block | BB:CategoryDefinition: Privileged Escalations | Edit this building block to define events related to successful privileged escalations. |
| Building Block | BB:CategoryDefinition: Privileged Activity : UBA | Indicates when a user has performed an action which is considered to be privileged. |
| Rule | Load Basic Building Blocks | This rule loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. |
The following table shows the reports in IBM Security QRadar Content Extension for NIST V1.0.0.
| Report | Description |
|---|---|
| NIST RMF (AC-20) Use of External Information Systems |
Provides a list of connections initiated from a Remote Network to a network that is not the DMZ. Configure the Network Hierarchy to define the assets in DMZ that apply in your environment. |
| NIST RMF (AC-6) Least Privilege |
Provides an overview of privileged escalations and activities to ensure authorized accesses. Define privilege activity and escalation on events in the following building block:
|
| NIST RMF (AC-7) Unsuccessful Logon Attempts |
Provides a historical trend of the number of login failures by low level category, as well as the top 20 users with failed logins. Define privilege activity and escalation on events in the following building block:
|
| NIST RMF (CA-3) System Interconnections |
Provides a historical trend of requests made from the local to the remote network, that are not reported by a Proxy. It include a top 10 graphs per Log Source / Destination IP couples, and a Top 50 list. |
| NIST RMF (CM-2) Baseline Configuration |
Provides a summary of automated mechanisms used to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. |
| NIST RMF (CP-2-8) Contingency Plan - Identify Critical Assets |
Provides the top 50 critical assets that have been backed up successfully and the top 50 of the attempts or failures. Configure the Critical Assets reference set to define the IPs that apply in your environment. |
| NIST RMF (IR-4) Incident Handling |
Provides an overview of the top 20 security and policy offenses for the day. You can also refer to Offense Source Summary for a report on offenses by source IP, destination IP, user, and rule name. |
| NIST RMF (PM-12) Insider Threat Program |
Provides an overview of insider threat activities from User Behavioural Analytics for QRadar (UBA) app. |
| NIST RMF (RA-5) Vulnerability Scanning |
Provides a summary of new, remediated, high risk, and overdue vulnerability count. Refer to the Vulnerabilities tab in QRadar for more information. |
| NIST RMF (SI-3) Malicious Code Protection |
Provides an overview of the malicious attacks in the network. Define privilege activity and escalation on events in the following building block:
|
| NIST RMF (PM-5) System Inventory |
Shows the top 50 assets sorted by vulnerability instances. Refer to the Assets tab in QRadar for more information. |
| NIST RMF (SI-4-16) Information System Monitoring - Correlate Monitoring Information |
Provides the top 10 offenses over time by magnitude. Refer to the Offenses tab in QRadar for more information. |
The following table shows the saved searches in IBM Security QRadar Content Extension for NIST V1.0.0.
| Saved Search Name |
|---|
| Login Failures by User |
| Login Failures By Low Level Category |
| Direct Remote Connection |
| Critical Assets Backup Success |
| Non Success Backup events on Critical Assets |
| Privileged Escalations |
| Privileged Activities |
| Insider Threat (UBA) |
| Automated Assets Management |
| ISO 27001 (11.4) - Malicious Attacks |