QRadar Network Insights Content Extension
The IBM® QRadar® Network Insights Content Extension provides more QRadar rules, reports, searches, and custom properties for administrators. This custom rule engine content focuses on providing analysis, alerts, and reports for QRadar Network Insights deployments.
QRadar Network Insights provides in-depth visibility into network communications on a real-time basis to extend the capabilities of your IBM QRadar SIEM deployment. Through the deep analysis of network activity and application content, QRadar Network Insights empowers QRadar Sense Analytics to detect threat activity that would otherwise go unnoticed.
- IBM QRadar Network Insights Content Extension 1.6.0
- IBM QRadar Network Insights Content Extension 1.5.2
- IBM QRadar Network Insights Content Extension 1.5.1
- IBM QRadar Network Insights Content Extension 1.5.0
- IBM QRadar Network Insights Content Extension 1.4.0
- IBM QRadar Network Insights Content Extension 1.3.0
- IBM QRadar Network Insights Content Extension 1.2.2
- IBM QRadar Network Insights Content Extension 1.2.0
- IBM QRadar Network Insights Content Extension 1.1.0
IBM QRadar Network Insights Content Extension 1.6.0
The following table shows the rules that are new in IBM QRadar Network Insights Content Extension 1.6.0.
| Name | Description | Minimum QRadar Version Required |
|---|---|---|
| QNI : Access to Improperly Secured Service - BitTorrent Handshake Verification Failure | Triggers when a failed handshake verification is observed in BitTorrent network communications. | 7.4.0 |
| QNI : Access to Improperly Secured Service - Certificate Has Non-DNS Subject Alternative Name | Triggers when an X509 certificate is observed with a subject alternative name that is not a DNS entry. This connection might be considered suspicious. | 7.3.3 |
| QNI : Access to Improperly Secured Service - Deprecated TLS Version in Use | Triggers when IBM QRadar Network Insights detects a deprecated TLS session. According to NIST publication 800-52 and ACSC's advice on implementing TLS, TLS 1.0 and 1.1 are discouraged. | 7.3.3 |
| QNI : Access to Improperly Secured Service - Kerberos Deprecated or Unknown Cipher Suite in use | Triggers when a deprecated or unknown cipher suite is being used for Kerberos communications. | 7.4.3 |
| QNI : Access to Improperly Secured Service - RDP Session Without Encryption | Triggers when RDP sessions without encryption are used. For more information, see ACSC advice (https://www.cyber.gov.au/acsc/view-all-content/publications/using-remote-desktop-clients). | 7.3.3 |
| QNI : Access to Improperly Secured Service - RDP Session Without Enhanced RDP Security | Triggers when any RDP encryption level is detected which can mean that enhanced RDP Security is not being used and the connection might be insecure. Enhanced RDP security results in other network protocols appear on your network rather than RDP. For example, TLS-encrypted RDP sessions will appear as TLS. | 7.3.3 |
| QNI : Access to Improperly Secured Service - Signature Algorithm Does Not Match To-Be-Signed Signature Algorithm | Triggers when an X509 certificate is observed with a Signature Algorithm that does not match the To-Be-Signed Signature Algorithm. This connection might be considered suspicious. | 7.3.3 |
| QNI : Access to Improperly Secured Service - SSL in Use | Triggers when IBM QRadar Network Insights detects an SSL session. According to NIST publication 800-52, all versions of SSL should not be used. Use recent versions of TLS instead. | 7.3.3 |
| QNI : Access to Improperly Secured Service - TLS Unrecommended Cipher Suite in Use | Triggers when IBM
QRadar Network Insights
detects that either a TLS 1.3 or TLS 1.2 session is using a cipher suite not recommended by NIST
publication 800-52r2. Note: The QNI : TLS 1.3 Recommended Cipher Suites and
QNI : TLS 1.2 Recommended Cipher Suites reference sets are prepopulated. Tune
these reference sets with relevant cipher suites.
|
7.3.3 |
| QNI : Embedded Script Detected | Triggers when an embedded script is detected inside a file observed on the network. This might include macros in Office documents or JavaScript embedded in PDF files. | 7.3.3 |
IBM QRadar Network Insights Content Extension 1.5.2
IBM QRadar Network Insights Content Extension 1.5.2 supports QRadar Network Insights 7.3.3 and later.
The following table shows the custom functions that are new or updated in IBM QRadar Network Insights Content Extension 1.5.2.
| Name | Description |
|---|---|
| get_extension | Extracts the file extension from an inputted file name. |
The following table shows the rules that are updated in IBM QRadar Network Insights Content Extension 1.5.2.
| Name | Description |
|---|---|
| QNI : Access to Improperly Secured Service - Weak Public Key Length | QRadar Network Insights has detected a SSL/TLS session that uses a certificate that, has a low public key bit count. A server that provides a weak Public Key Certificate (less than 1024 bits) may represent a security risk. According to NIST publication 800-57, the recommended minimum key length beginning in 2011 is 2048 bits for RSA and 256 bits for ECDSA. |
| QNI : File Extension / Content Type Verification | Extracts the file extension from the file name, and compares it with the content type as
determined by QRadar Network
Insights. These two values are then compared against the QNI-Extension-ContentType-Pairs reference set , which holds expected file extension/content type pairs. This rule triggers on cases where a file extension is in disagreement with the usually accepted Content-Type for the extension, and the extension is not contained in the QNI : File Extension / Content Type Verification Exclusions reference set. As an example, the file extension
.txt is generally associated with By default this rule does not create offenses. To view the flows that triggered this rule, use the File Extension / Content Type Mismatches search. |
The following table shows the reference map of sets that is updated in IBM QRadar Network Insights Content Extension 1.5.2.
| Name | Description |
|---|---|
| QNI-Extension-ContentType-Pairs | Maps a file extension to its expected content types. This reference map of sets comes
populated with 1234 entries. For example, .html maps to
text/html. |
IBM QRadar Network Insights Content Extension 1.5.1
IBM QRadar Network Insights Content Extension 1.5.1 supports QRadar Network Insights 7.3.2 and later.
The following table shows the rule that was updated in IBM QRadar Network InsightsContent Extension 1.5.1.
| Name | Description |
|---|---|
| QNI : File Extension / Content Type Verification | Extracts the file extension from the file name, and compares it with the content type as
determined by QRadar Network
Insights. These
two values are then compared against the QNI-Extension-ContentType-Pairs
reference set that hold expected file extension/content type pairs. Triggers on cases where a file extension is in disagreement with the usually accepted content type for the extension, and the extension is not contained in the QNI : File Extension / Content Type Verification Exclusions reference set. For example, the file extension
.txt is generally associated with By default this rule does not create offenses. To view the flows that triggered this rule, use the File Extension / Content Type Mismatches search. |
The following table shows the reference data that is new or updated in IBM QRadar Network Insights Content Extension 1.5.1.
| Type | Name | Description |
|---|---|---|
| Reference Set | QNI : File Extension / Content Type Verification Exclusions | Contains file extensions to exclude from verification by the QNI : File Extension / Content Type Verification rule. This reference set is prepopulated with four entries. |
| Reference Map of Sets | QNI-Extension-ContentType-Pairs | Maps a file extension to its expected content types. This reference map of sets is
prepopulated with 1227 entries. For example, .html maps to
text/html. |
The following table shows the saved searches that are new or updated in IBM QRadar Network Insights Content Extension 1.5.1.
| Name | Description |
|---|---|
| File Extension / Content Type Mismatches | Shows the flows that triggered the QNI : File Extension / Content Type Verification rule. |
IBM QRadar Network Insights Content Extension 1.5.0
IBM QRadar Network Insights Content Extension 1.5.0 supports QRadar Network Insights 7.3.2 and later.
The following table shows the custom properties that are removed in IBM QRadar Network Insights Content Extension 1.5.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Reject Code | Yes | 1 | Reject=([0-9]+) |
| Recipient User | Yes | 1 | <([A-Za-z0-9._+\-]+@[A-Za-z0-9.\-]+)> |
The isReply custom AQL function is removed in IBM QRadar Network Insights Content Extension 1.5.0.
The following table shows the rules and building blocks in IBM QRadar Network Insights Content Extension 1.5.0.
| Type | Name | Description |
|---|---|---|
| Rule | QNI : Access to Improperly Secured Service - Certificate Expired | Removed UBA elements from rule response, changed response limiter, and updated the low level category of the dispatched event. |
| Rule | QNI : Access to Improperly Secured Service - Certificate Invalid | Removed UBA elements from rule response, changed response limiter, and updated the low level category of the dispatched event. |
| Rule | QNI : Access to Improperly Secured Service - Self Signed Certificate | Removed UBA elements from rule response, changed response limiter, and updated the low level category of the dispatched event. |
| Rule | QNI : Access to Improperly Secured Service - Weak Public Key Length | Removed UBA elements from rule response, changed response limiter, and updated the low level category of the dispatched event. |
| Rule | QNI : Confidential Content Being Transferred to Foreign Geography | Removed UBA elements from rule response and changed response limiter. |
| Rule | QNI : File Extension / Content Type Verification | This rule triggers on cases where a file extension is in disagreement with the usually accepted Content-Type for the extension. |
| Rule | QNI : Observed File Hash Associated with Malware Threat | Removed UBA elements from rule response and changed response limiter. |
| Rule | QNI : Same Threat Detected on Multiple Hosts | Renamed from QNI : Observed File Hash Seen Across Multiple Hosts, removed UBA elements from rule response and changed response limiter. |
| Rule | QNI : Suspicious Website Access | This rule triggers when a website categorized as suspicious by X-Force® is accessed. |
The following table shows the rules and building blocks that are removed in IBM QRadar Network Insights Content Extension 1.5.0.
| Type | Name |
|---|---|
| Building Block | BB:CategoryDefinition: Rejected Email Recipient |
| Building Block | BB:HostDefinition: Mail Servers |
| Building Block | BB:HostReference: Mail Servers |
| Building Block | BB:PortDefinition: Mail Ports |
| Rule | UBA : QNI - Confidential Content Being Transferred to Foreign Geography |
| Rule | UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers |
| Rule | UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient |
| Rule | UBA : QNI - Observed File Hash Associated with Malware Threat |
| Rule | UBA : QNI - Observed File Hash Seen Across Multiple Hosts |
| Rule | UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length |
| Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Invalid |
| Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Expired |
| Rule | UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate |
| Rule | QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers |
| Rule | QNI : Potential Spam/Phishing Attempt Detected on Rejected Email Recipient |
The following table shows the reports in IBM QRadar Network Insights Content Extension 1.5.0.
| Report Name | Search Name and Dependencies |
|---|---|
| User File Transfer by Content Type (QNI) | Updated container size limits. |
| Top Phishing Subjects by Recipient User (QNI) | Added description. |
| Top Malware by Asset (QNI) | Added description and unchecked run report nowin wizard. |
| Malware Distribution by File (QNI) | Added description and unchecked run report nowin wizard. |
The following table shows the reference data in IBM QRadar Network Insights Content Extension 1.5.0.
| Type | Name | Description |
|---|---|---|
| Reference Map of Sets | QNI-Extension-ContentType-Pairs | Maps a file extension to its expected content types. This reference map of sets comes
pre-populated with 1218 entries. (ex. .htmlmaps to text/html.) |
The following table shows the saved searches in IBM QRadar Network Insights Content Extension 1.5.0.
| Name | Description |
|---|---|
| File Transfer by Originating User and Content Type | Updated search parameters (removed HTTP Response Code check), shared by default. |
| File Transfer by Source IP and Content Type | Updated search parameters (removed HTTP Response Code check and Originating User check), shared by default. |
| Malware by Hash and Source Asset | Updated result limit number. |
| Malware Traffic Summary | Updated rule name referenced in AQL query, |
| Phishing Subjects by Recipient User | Search now shared by default. |
IBM QRadar Network Insights Content Extension 1.4.0
IBM QRadar Network Insights Content Extension 1.4.0 supports QRadar Network Insights 7.3.0 and later.
The following table shows the custom AQL functions in IBM QRadar Network Insights Content Extension 1.4.0.
| Name | Description |
|---|---|
| isReply | Returns true or false if a string is the typical subject line of a response email. |
The following table shows the rules and building blocks in IBM QRadar Network Insights Content Extension 1.4.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB: Category Definition: Countries/Regions with Restricted Access | Edit this building block to include any geographic location that typically would not be allowed to access the enterprise. After it is configured, you can enable the Confidential Content Being Transferred to Foreign Geography rule. |
| Rule | QNI: Confidential Content Being Transferred to Foreign Geography | Detects confidential content that is being transferred to countries/regions with restricted access. |
| Rule | UBA : QNI - Confidential Content Being Transferred to Foreign Geography | Sends events to the User Behavior Analytics app based on the QNI: Confidential Content Being Transferred to Foreign Geography rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Sends events to the User Behavior Analytics app based on the QNI: Potential Spam/Phishing Subject Detected from Multiple Sending Servers rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Sends events to User Behavior Analytics app based on the QNI: Potential Spam/Phishing Attempt Detected on Rejected Email Recipient rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Observed File Hash Associated with Malware Threat | Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Associated with Malware Threat rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Observed File Hash Seen Across Multiple Hosts | Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Seen Across Multiple Hosts rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Weak Public Key Length rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Invalid | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Certificate Invalid rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Expired | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Certificate Expired rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
| Rule | UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Self Signed Certificate rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user. |
The following table shows the report in IBM QRadar Network Insights Content Extension 1.4.0.
| Report Name | Search Name and Dependencies |
|---|---|
| User File Transfer by Content Type | Saved Searches: File Transfer by Originating User and Content Type And File Transfer by Source IP and Content Type |
The following table shows the saved searches in IBM QRadar Network Insights Content Extension 1.4.0.
| Name | Description |
|---|---|
| File Transfer by Originating User and Content Type | This log and network activity search matches file transfers by their originating users and content types. |
| File Transfer by Source IP and Content Type | This log and network activity search matches file transfers by their source IP addresses and content types. |
IBM QRadar Network Insights Content Extension 1.3.0
The IBM QRadar Network Insights Content Extension 1.3.0 adds support for QRadar versions 7.3.0 and later. Custom properties from previous versions of the QRadar Network Insights Content Extension are now type-length-value (TLV) fields. Changes to these TLV fields come from QRadar updates, not from updating this content extension.
IBM QRadar Network Insights Content Extension 1.2.2
The IBM QRadar Network Insights Content Extension 1.2.2 provides performance improvements by setting the default categories for the existing custom flow properties. You can change the categories for the custom properties to suit your needs.
The following table shows the custom properties in IBM QRadar Network Insights Content Extension 1.2.2.
| Custom property | Default categories |
|---|---|
| Content Subject |
|
| File Hash |
|
| File Name |
|
| Recipient Users |
|
| Action |
|
| Content_Type |
|
| DNS_Query_String |
|
| DNS_Response_String |
|
| File_Size |
|
| HTTP Host |
|
| HTTP Referer |
|
| HTTP Response Code |
|
| HTTP Server |
|
| HTTP User-Agent |
|
| HTTP Version |
|
| IP_Dest_Reputation |
|
| Originating_User |
|
| Password |
|
| Request_URL |
|
| SMTP HELO | |
| Search_Arguments |
|
| Suspect_Content |
|
| Web_Categories |
|
IBM QRadar Network Insights Content Extension 1.2.0
The following table shows the custom properties in IBM QRadar Network Insights Content Extension 1.2.0.
| Name | Regex |
|---|---|
| File_Size | Updated the File_Size custom property to change the field type from alphanumeric to numeric. This update also optimizes the custom property for both Source Payloads and Destination Payloads. |
The following table shows the rules in IBM QRadar Network Insights Content Extension 1.2.0.
| Type | Name | Description |
|---|---|---|
| Rule | Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Updated the rule action to select "Ensure the detected event is part of an offense". In 1.1.0, this check box was not selected and 1.2.0 corrects this to ensure that offenses are created. |
| Rule | Access to Improperly Secured Service - Certificate Invalid | Detects a SSL/TLS session that uses invalid certificates. |
| Rule | Access to Improperly Secured Service - Weak Public Key Length | Detects a SSL/TLS session that uses weak public key lengths. |
| Rule | Access to Improperly Secured Service - Certificate Expired | Detects a SSL/TLS session that uses expired certificates. |
| Rule | Access to Improperly Secured Service - Self Signed Certificate | Detects a SSL/TLS session that uses a self-signed certificate. |
IBM QRadar Network Insights Content Extension 1.1.0
The following table shows the custom properties in IBM QRadar Network Insights Content Extension 1.1.0.
| Name | Regex |
|---|---|
| Content Subject | IBM\(SUBJECT\)=([^;]+); |
| File Hash | IBM\(HTTP_FILES_CKSUM\)=0x([^;]+); |
| File Name | IBM\(CONTENT_FILE_NAME\)=([^;]+); |
| Reject_Code | Multiple Regex expressions for Microsoft Exchange, Linux® OS, Solaris OS, and Barracuda Spam and Virus Firewall. |
| Recipient_User | Multiple Regex expressions for Microsoft Exchange, Linux OS, Solaris OS, and Barracuda Spam and Virus Firewall. |
| Recipient Users | IBM\(DEST_USER_LIST\)=\(([^)]+)\); |
| Action | IBM\(APP_ACTION\)=([^;]+); |
| Content_Type | IBM\(HTTP_CONT_TYPE\)=([^;]+); |
| DNS_Query_String | IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\); |
| DNS_Response_String | IBM\(DNS_RESP_SDATA\)=\(([^)]+)\); |
| File_Size | IBM\(HTTP_FILES_SIZE\)=([^;]+); |
| HTTP Host | IBM\(HTTP_HOST\)=([^;]+); |
| HTTP Referer | IBM\(HTTP_REFER\)=([^;]+); |
| HTTP Response Code | IBM\(HTTP_RETURN_CODE\)=([^;]+); |
| HTTP Server | IBM\(HTTP_SRV\)=([^;]+); |
| HTTP User-Agent | IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+); |
| HTTP Version | IBM\(HTTP_VRS\)=HTTP/([^;]+); |
| IP_Dest_Reputation | IBM\(IP_DST_REP\)=([^;]+); |
| Originating_User | IBM\(ORIG_USER\)=([^;]+); |
| Password | IBM\(ACTPASSWD\)=([^;]+); |
| Request_URL | IBM\(REQ_URL\)=([^;]+); |
| SMTP HELO | IBM\(SMTPHELO\)=([^;]+); |
| Search_Arguments | IBM\(HTTP_SEARCH_ARGS\)=([^;]+); |
| Suspect_Content | IBM\(SUSPECT_CONT_LIST\)=\(([^)]+)\); |
| Web_Categories | IBM\(HTTP_CONT_CATEGORY_LIST\)=\(([^)]+)\); |
The following table shows the rules and building blocks in IBM QRadar Network Insights Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:HostDefinition: Mail Servers | |
| Building Block | BB:HostReference: Mail Servers | |
| Building Block | BB:PortDefinition: Mail Ports | |
| Building Block | BB:CategoryDefinition: Rejected Email Recipient | |
| Rule | Observed File Hash Associated with Malware Threat | Detects when flow content includes a file hash that matches known bad file hashes included in a Threat Intelligence data feed. Indicates that someone transferred malware over the network. |
| Rule | Observed File Hash Seen Across Multiple Hosts | Detects when the same file hash that is associated with malware is seen being transferred to multiple destinations. |
| Rule | Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Detects when rejected email events that are sent to a nonexisting recipient address are seen in the system, which may indicate a spam or phishing attempt. Configure the BB:CategoryDefinition: Rejected Email Recipient building block to include QIDs relevant to your organization. It is populated with QIDs for monitoring: Microsoft Exchange; Linux OS (running sendmail); Solaris Operating System Sendmail Logs and Barracuda Spam & Virus Firewall. |
| Rule | Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Detects when multiple sending servers send the same email subject in a time frame, which may indicate spam or phishing. |
The following table shows the saved searches in IBM QRadar Network Insights Content Extension 1.1.0.
| Name | Description |
|---|---|
| Malware Distribution by File and Hash | |
| Malware by Hash and Source Asset | |
| Malware Traffic Summary | |
| Phishing Subjects by Recipient User |
The following table shows the reports in IBM QRadar Network Insights Content Extension 1.1.0.
| Report Name | Search Name and Dependencies |
|---|---|
| Top Phishing Subjects by Recipient User (QNI) - Weekly | |
| Top Malware by Asset (QNI) - Daily | |
| Malware Distribution by File (QNI) - Daily |
The following table shows the reference data in IBM QRadar Network Insights Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Reference Set | Malware Hashes SHA | |
| Reference Set | Malware Hashes MD5 | |
| Reference Set | Phishing Subjects | |
| Reference Set | Mail Servers |