Supported QRadar content

Several rules were designed to feed events to QRadar® User Behavior Analytics (UBA) from other apps. These rules require you to install the content for the other apps.

Content dependencies

For more information about other supported QRadar content and required apps, see the following table. The rules that are listed in the table are scored by the app.

Tip: To adjust the score, you must change it in the IBM® QRadar Use Case Manager app or the Rules and Tuning page in the UBA app.

Required Apps	Supported Rules
IBM QRadar DNS Analyzer	QRadar DNS Analyzer
QRadar Network Insights Content for V7.3.0+	QNI : Confidential Content Being Transferred to Foreign Geography QNI : Access to Improperly Secured Service - Certificate Expired QNI : Access to Improperly Secured Service - Certificate Invalid QNI : Potential Spam/Phishing Subject Detected from Multiple Sending ServersQNI : Observed File Hash Seen Across Multiple Hosts QNI : Observed File Hash Associated with Malware Threat QNI : Potential Spam/Phishing Attempt Detected on Rejected Email Recipient QNI : Access to Improperly Secured Service - Self Signed Certificate QNI : Access to Improperly Secured Service - Weak Public Key Length
IBM Security Reconnaissance Content	Local L2L TCP Scanner Local L2L Windows Server Scanner Local L2L Game Server Scanner Local L2L DNS Scanner Local L2L Mail Server Scanner Local L2L Proxy Server Scanner Local L2L IM Server Scanner Local L2L Web Server Scanner Local L2L P2P Server Scanner Local L2L SNMP Scanner Local L2L RPC Server Scanner Local L2L UDP Scanner Local L2L DHCP Scanner Local L2L ICMP Scanner
IBM QRadar Content for Sysmon	Detected a Possible Keylogger Detected a New Unseen Process Started with a System User Privileges Detected a Remotely Executed Process over Multiple Hosts Process Started from Unusual Directories (Recycle.bin, ..) A Hidden Network Share Has Been Added Powershell Malicious Usage Detected Powershell Malicious Usage Detected with Encoded Command Unusual Process (ex: word, iexplore, AcroRd..) Launched a Command Shell Command Shell Started With a System Privileges Detected a Successful Login From a Compromised Host Into Other Hosts Detected a Possible Credential Dumping Tool Childless Process Launched/Spawned a Process Process Launched From Temp Directory Abnormal Parent for a System Process Detected a Suspicious Svchost Process A Network Share Has Been Accessed From a Compromised Host An Administrative share Has Been Accessed An Administrative share Has Been Accessed From a Compromised Machine Process Launched From a Shared Folder and Created Thread into Another Process Detected Excessive Usage of System Tools From a Single Machine Excessive Failed Attempts to Access a Network Shared Resource From a Compromised Host Excessive Failed Attempts to Access an Administrative Share From a Single source Powershell Has Been Launched in a Compromised Host PsExec Has Been Launched From a Compromised Host Detected SMB Traffic From a Compromised Host Into Other Hosts A Command Shell or Powershell Has been Launched From a Remote System A Scheduled Task Has Been Created in a Compromised Host A Malicious Service Has Been Installed in a System Detected a Service Configured to Use Powershell Detected a Service Configured to Use a Pipe
IBM QRadar Content Extension for Amazon AWS	AWS Cloud: Cloud activity by root user AWS Cloud: Critical EC2 Instance Has Been Stopped OR Terminated AWS Cloud: Detected A Successful Login To AWS Console From Different Geographies AWS Cloud: Logs Have Been Deleted / Disabled or Stopped AWS Cloud: Multiple Console Login Failures From Different Source IPs AWS Cloud: Multiple Console Login Failures from Same Source IP AWS Cloud: Multiple Failed API Requests From Different Source IPs AWS Cloud: Multiple Failed API Requests From Same Source IP AWS Cloud: Multiple Failed API Requests From The Same Username