Baseline Maintenance

The IBM® QRadar® Baseline Maintenance Content Extension updates several rules, building blocks, and other content from the core enterprise template in QRadar.

About the Baseline Maintenance extension

Installing this extension does not impact user modified rules, but instead updates the rule template to correct rule and building block issues and performance tuning across multiple categories. Custom properties, searches, or dashboard items that are installed by the app overwrite existing values to keep them up to date.

IBM Security QRadar Baseline Maintenance Content Extension 2.0.0 and later requires QRadar 7.3.3 Fix Pack 4 or later. If you are using an earlier version of QRadar, use IBM Security QRadar Baseline Maintenance Content Extension 1.1.0 instead.

IBM Security QRadar Baseline Maintenance Content Extension 2.0.0 does not include any of the content from IBM Security QRadar Baseline Maintenance Content Extension 1.1.0 or earlier. That content is included in QRadar 7.3.3 Fix Pack 4 and later by default.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

Default Baseline Maintenance extension version

IBM Security QRadar is installed with the following Baseline Maintenance extension as default.

  • IBM Security QRadar version 7.4.0 FP3, 7.4.1, 7.4.2, and 7.4.3 are installed with IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.
  • IBM Security QRadar version 7.3.3 FP4 and 7.4.0 are installed with IBM Security QRadar Baseline Maintenance Content Extension 1.0.10, which was later renumbered to 1.1.0.
  • IBM Security QRadar version 7.3.3 is installed with IBM Security QRadar Baseline Maintenance Content Extension 1.0.8.
  • IBM Security QRadar version 7.3.2 is installed with IBM Security QRadar Baseline Maintenance Content Extension 1.0.4.

IBM Security QRadar Baseline Maintenance Content Extensions

IBM Security QRadar Baseline Maintenance Content Extension 2.2.4

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.4.

Table 1. Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.2.4
Name Description
System: Notification Added two new QIDs. This rule ensures that the notification events are sent to the notification framework.

IBM Security QRadar Baseline Maintenance Content Extension 2.2.3

The following table shows the custom properties that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3.

Table 2. Custom Properties updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3
Name Optimized Capture Group Regex
SHA1 Hash Yes 1
\bSHA1[":]+"([^"]*)"
Sha1":"(.*?)"
Threat Category No 1
ThreatCategory":"(.*?)"
Threat Family No 1
ThreatFamily":"(.*?)"
Threat Severity No 1
Severity":"(.*?)"

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3.

Table 3. building blocks and rules in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3
Type Name Description
Building Block BB:CategoryDefinition: Superuser Accounts Defines all events where usernames are superuser accounts.
Building Block BB:DeviceDefinition: Endpoint Protection Devices Defines all endpoint protection devices on the system
Building Block BB:NetworkDefinition: Trusted Destination Network Segment Defines trusted destination network segments.
Building Block BB:NetworkDefinition: Trusted Source Network Segment Defines trusted source network segments
Rule Load Basic Building Blocks Loads building blocks that need to run to assist with reporting. This rule has no actions or responses.
Rule System: Notification Ensures that notification events are sent to the notification framework.

The following table shows the saved search that is updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3.

Table 4. Saved Search in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3
Saved search Description
Malware Events by Name Search to describe Malware found in the system by name.

IBM Security QRadar Baseline Maintenance Content Extension 2.2.2

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.2.

Table 5. Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.2.2
Name Description
Botnet: Potential Botnet Connection (DNS) Triggers when a host is connecting or attempting to connect to a DNS server on the internet. This may indicate a host connecting to a Botnet. The host should be investigated for malicious code.
Local Mass Mailing Host Detected Triggers when a local host is sending more than 20 SMTP flows in 1 minute. This may indicate a host used as a spam relay or infected with a form of mass mailing worm.
Local: FTP Detected on Non-Standard Port Triggers when a local FTP communication is observed on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate a compromised host, where the attacker installed this service to provide backdoor access to the host.
Local: SSH or Telnet Detected on Non-Standard Port Triggers when a local SSH or Telnet communication is observed on a non-standard port. The default port for SSH and Telnet servers is TCP port 22 and 23. Detecting SSH or Telnet operating on other ports may indicate a compromised host, where the attacker installed these servers to provide backdoor access to the host.
Potential Honeypot Access Triggers when an event involves a source or destination that is defined as a honeypot or tarpit address. Before enabling this rule, you must configure the BB:NetworkDefinition: Honeypot like addresses building block.
System: Notification Ensures that notification events are sent to the notification framework. Added a new QID.

IBM Security QRadar Baseline Maintenance Content Extension 2.2.1

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1.

Table 6. Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1
Name Description
AssetExclusion: Exclude DNS Name By IP Blocklists a DNS name that is associated with N different IP addresses over a certain timeframe.
AssetExclusion: Exclude DNS Name By MAC Address Blocklists a DNS name that is associated with N different MACs over a certain timeframe.
AssetExclusion: Exclude DNS Name By NetBIOS Name Blocklists a DNS name that is associated with N different NetBIOS names over a certain timeframe.
AssetExclusion: Exclude IP By DNS Name Blocklists an IP address that is associated with N different DNS names over a certain timeframe.
AssetExclusion: Exclude IP By MAC Address Blocklists an IP address that is associated with N different MAC addresses over a certain timeframe.
AssetExclusion: Exclude IP By NetBIOS Name Blocklists an IP address that is associated with N different NetBIOS names over a certain timeframe.
AssetExclusion: Exclude MAC Address By DNS Name Blocklists a MAC address that is associated with N different DNS Names over a certain timeframe.
AssetExclusion: Exclude MAC Address By IP Blocklists a MAC address that is associated with N different IPv4 addresses over a certain timeframe.
AssetExclusion: Exclude MAC Address By NetBIOS Name Blocklists a MAC address that is associated with N different NetBIOS names over a certain timeframe.
AssetExclusion: Exclude NetBIOS Name By DNS Name Blocklists a NetBIOS name that is associated with N different DNS names over a certain timeframe.
AssetExclusion: Exclude NetBIOS Name By IP Blocklists a NetBIOS name that is associated with N different IPv4 addresses over a certain timeframe.
AssetExclusion: Exclude NetBIOS Name By MAC Address Blocklists a NetBIOS name that is associated with N different MAC addresses over a certain timeframe.
System: Notification Added new QIDs.

The following table shows the reference sets that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1.

Table 7. Reference Sets in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1
Name Description
Asset Reconciliation DNS Blacklist A blocklist of DNS names.
Asset Reconciliation DNS Whitelist An allowlist of DNS names.
Asset Reconciliation IPv4 Blacklist A blocklist of IP addresses.
Asset Reconciliation IPv4 Whitelist An allowlist of IP addresses.
Asset Reconciliation MAC Blacklist A blocklist of MAC addresses.
Asset Reconciliation MAC Whitelist An allowlist of MAC addresses.
Asset Reconciliation NetBIOS Blacklist A blocklist of NetBIOS host names.
Asset Reconciliation NetBIOS Whitelist An allowlist of NetBIOS host names.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 2.1.0

The following table shows the building blocks that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.1.0.

Table 8. Building blocks in IBM Security QRadar Baseline Maintenance Content Extension 2.1.0
Name Description
BB:CategoryDefinition: Authentication Success Edit this building block to include all events that indicate successful attempts to access the network.
BB:CategoryDefinition: Auditing Changed Identifies auditing changed events.
BB:DeviceDefinition: Cloud Defines all cloud sources on the system.
BB:FalsePositive: Windows AD Source Authentication Events Defines the addresses of Windows Authentication or Active Directory Servers.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 2.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 9. Custom Properties updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Name Optimized Capture Group Regex
Events per Second Coalesced - Average 1 Min Yes 1 StatFilter.+60s\:(\d+)\,\d+\s
Events per Second Coalesced - Peak 1 Sec Yes 1 StatFilter.+1s\:(\d+)\,\d+\s
Events per Second Raw - Average 1 Min Yes 1 StatFilter.+60s\:\d+\,(\d+)\s
Events per Second Raw - Peak 1 Sec Yes 1 StatFilter.+1s\:\d+\,(\d+)\s
Parent Yes 1 \[parent=(.+?)\].+StatFilter

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 10. Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Name Description
First-Time User Access to Critical Asset Rule was correctly linked to the User-System Authentication or Usage - IP reference map of sets.
Large Outbound Transfer High Rate of Transfer Updated the threshold to 500MB
Large Outbound Transfer Slow Rate of Transfer Updated the threshold to 500MB
Malware or Virus Clean Failed Detects when a system detected a virus and failed to clean or remove it. Added new QIDs.
System: Notification Ensures that notification events will be sent to the notification framework. Added a new QID.

The following table shows the reference data that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 11. Reference Data in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Type Name Description
Reference Set Critical Assets No updates. Dependent on another rule and must be included in the extension framework.
Reference Map of Sets User-System Authentication or Usage No updates. Dependent on another rule and must be included in the extension framework.

The following table shows the saved search that is updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 12. Saved Search in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Saved search Description
Event Rate (EPS) Updated Saved Search to use an additional filter on Parent is not N/A.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 13. Custom Properties updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Name Optimized Capture Group Regex
Event Summary Yes 1 sum=([^\t]+)

The following table shows the building blocks that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 14. Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Name Description
BB:HostDefinition: DHCP Servers Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:False Positive: DHCP Server False Positives Categories and BB:FalsePositve: DHCP Server False Positive Events building blocks.
BB:HostDefinition: DNS Servers Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positives Categories and BB:FalsePositve: DNS Server False Positive Events building blocks.
BB:HostDefinition: Proxy Servers Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:False Positive: Proxy Server False Positives Categories and BB:FalsePositve: Proxy Server False Positive Events building blocks.
BB:HostReference: Database Servers Include database server IP addresses in the Database Servers - IP reference set.
BB:HostReference: DHCP Servers Include DHCP server IP addresses in the DHCP Servers - IP reference set.
BB:HostReference: DNS Servers Include DNS server IP addresses in the DNS Servers - IP reference set.
BB:HostReference: FTP Servers Include FTP server IP addresses in the FTP Servers - IP reference set.
BB:HostReference: LDAP Servers Include LDAP server IP addresses in the LDAP Servers - IP reference set.
BB:HostReference: Mail Servers Include mail server IP addresses in the Mail Servers - IP reference set.
BB:HostReference: Proxy Servers Include proxy server IP addresses in the Proxy Servers - IP reference set .
BB:HostReference: SSH Servers Include SSH server IP addresses in the SSH Servers - IP reference set.
BB:HostReference: Web Servers Include web server IP addresses in the Web Servers - IP reference set.
BB:HostReference: Windows Servers Include Windows server IP addresses in the Windows Servers - IP reference set.

The following table shows the reference set that is updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 15. Reference Set updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Reference set Description
QRadar Deployment Corrected the number of IP addresses contained in this reference set.

The following table shows the saved searches that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 16. Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Saved search Description
Deviating Asset Growth: Asset Report Updated to allow the search to be translated.
Deviating Asset Growth: Log Source Report Updated to allow the search to be translated.
Event Rate (EPS) Updated from an EPS function to a count function by changing the search value from Average to Count.
Flow Rate (FPS) Updated from an FPS function to a Count function by changing the search value from Average to Count.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.9

The following table shows the new or updated rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.9.

Table 17. New or Updated Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.9
Type Name Description
Rule Load Basic Building Blocks This rule loads building blocks that need to be run to assist with reporting. This rule has no actions or responses.
The following building blocks were added to this rule:
  • BB:CategoryDefinition: Malicious Attacks

  • BB:CategoryDefinition: SIEM User and Role Modifications

  • BB:DeviceDefinition: Proxy

  • BB:DeviceDefinition: Cloud

  • BB:DeviceDefinition: Operating System

  • BB:DeviceDefinition: Mail

  • BB:DeviceDefinition: DLP Devices

Building Block BB:CategoryDefinition: SIEM User and Role Modifications Added new Building Block.

Checks the QID specific to QRadar user and role creation and modification.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.8

The following table shows the new or updated custom properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8.

Table 18. New or Updated Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8
Name Optimized Capture Group Regex
File Path No 1 filePath=([^\t]+)[\t]*
Accesses Yes 1 Accesses: (.*?) Privileges:
Access intent Yes 1 intent=([^\t]+)

The Avt-App-VolumePackets, AVT-App-NAme, AVT-App-VolumeBytes, and AVT-App-Category custom properties were removed in this release.

The following table shows the new or updated rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8.

Table 19. New or Updated Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8
Type Name Description
Rule System: Notification Removed QID 38750002 for general warning.
Building Block BB:DeviceDefinition: Proxy Added new devices: Forcepoint V Series, Microsoft ISA, McAfee Web Gateway.
Building Block BB:DeviceDefinition: Cloud Added new Building Block.

Defines all Cloud devices on the system.

Building Block BB:DeviceDefinition: DLP Devices Added new Building Block.

Defines all data loss prevention (DLP) devices on the system.

Building Block BB:DeviceDefinition: Mail Added new Building Block.

Defines all Mail devices on the system.

Building Block BB:DeviceDefinition: Operating System Added new Building Block.

Defines all Operating Systems on the system.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.7

The following table shows the new or changed custom properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7.

Table 20. New or Changed Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7
Name Optimized Capture Group Regex
Destination Host Name Yes 1 dstHostName=([^\t]+)[\t]*
EventID Yes 1 \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)

The following table shows the new or changed rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7.

Table 21. New or Changed Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7
Type Name Description
Rule System: Notification This rule ensures that notification events shall be sent to the notification framework. Added new QIDs.
Building Block BB:HostReference: Database Servers This building block defines typical database servers.
Building Block BB:HostReference: DHCP Servers This building block defines typical DHCP servers.
Building Block BB:HostReference: DNS Servers This building block defines typical DNS servers.
Building Block BB:HostReference: FTP Servers This building block defines typical FTP servers.
Building Block BB:HostReference: LDAP Servers This building block defines typical LDAP servers.
Building Block BB:HostReference: Mail Servers This building block defines typical mail servers.
Building Block BB:HostReference: SSH Servers This building block defines typical SSH servers.
Building Block BB:HostReference: Web Servers This building block defines typical web servers.
Building Block BB:HostReference: Windows Servers This building block defines typical Microsoft Windows servers.
Building Block BB:CategoryDefinition: Authentication Success  Updated this building block to remove 2 LLCs: Privilege Escalation Succeeded and Password Changed Succeeded.
Building Block BB:CategoryDefinition: Authentication Fail Updated this building block to remove 2 LLCs: Privilege Escalation Failed and Password Changed Failed.

The following table shows the new or changed saved searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7.

Table 22. New or Changed Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7
Name Description
SSH Logins Search retrieving the authentication successes on the QRadar system itself (web and SSH).
UI Logins Search retrieving the authentication successes on the QRadar system itself (web and SSH).
Offences over time Search retrieving the authentication successes on the QRadar system itself (web and SSH).
Deviating asset growth: Asset Report Search retrieving the authentication successes on the QRadar system itself (web and SSH).
Deviating asset growth: log Source Report Search retrieving the authentication successes on the QRadar system itself (web and SSH).

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.6

The following table shows the custom properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6.

Table 23. Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6
Name Optimized Capture Group Regex
ObjectName Yes 1 ObjectName: (.*)
Event Summary Yes 1 sum=([^\t]+)
EventID Yes 1 \d{1,2}\:\d{1,2}\:\d{1,2}\s+\d{1,4}\s+(\d+)
SSH Login Audit Yes 1 \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*
Log Source Host Yes 1 \s+hostName=(\S+)
VirusName Yes 1 Virus Name: (.*?),
Audit Object ID Yes 1 \s+id=(\S+)

The following table shows the rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6.

Table 24. Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6
Type Name Description
Building Block BB:CategoryDefinition: Auditing Changed Added new QIDs and removed some other QIDs.
Building Block BB:CategoryDefinition: Successful Database Connections Changed the name from BB:CategoryDefinition: Database Connections. Removed Oracle RDBMS Audit Record and added BB:DeviceDefinition: Database.
Building Block BB:CategoryDefinition: Malicious Attacks Changed the name from BB:Malicious Attacks. Edit this building block to define malicious attacks.
Rule Destination Vulnerable to Detected Exploit Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack.
Rule Destination Vulnerable to Detected Exploit on a Different Port Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port.
Rule Destination Vulnerable to Different Exploit than Attempted on Targeted Port Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to some attack but not the one being attempted.

The following table shows the saved searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6.

Table 25. Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6
Name Description
SSH Logins Search retrieving the ssh authentication successes on the QRadar system itself.
UI Logins Search retrieving the UI authentication successes on the QRadar system itself.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.5

The following table shows the custom properties that are updated in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 26. Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Name Optimized Capture Group Regex
Events per Second Raw - Peak 1 Sec Yes 1 StatFilter.+1s\:\d+\,\d+\s\(peak\s\d+\,(\d+)
Events per Second Coalesced - Peak 1 Sec Yes 1 StatFilter.+1s\:\d+\,\d+\s\(peak\s(\d+)
AccountName Yes 2 Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+

The following table shows the rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 27. Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Type Name Description
Building Block BB:DeviceDefinition: IDS / IPS Defines all intrusion detections systems (IDS) and intrusion prevention systems (IPS) on the system.
Building Block BB:DeviceDefinition: FW / Router / Switch Defines all firewalls, routers, and switches on the system.
Building Block BB:DeviceDefinition: VPN Defines all virtual private networks (VPN) on the system.
Building Block BB:DeviceDefinition: Database Defines all databases on the system.
Building Block BB:DeviceDefinition: Proxy Defines all proxy sources on the system.
Building Block BB:DeviceDefinition: AV/AM Defines all anti-virus (AV) and anti-malware (AM) systems on the system.
Building Block BB:HostDefinition: Servers Edit this building block to define generic servers.
Building Block BB:Failed Events Edit this building block to define failed events.
Building Block BB:IT Admin Events Edit this building block to define actions performed by IT admin staff.
Building Block BB:External Contractor Policy Violation Events Edit this building block to define policy violations caused by external contractors.
Building Block BB:Mobile Worker Policy Violation Events Edit this building block to define policy violations caused by mobile workers.
Building Block BB:Teleworker Policy Violation Events Edit this building block to define policy violations caused by teleworkers.
Building Block BB:External Contractor Failed Events Edit this building block to define failures caused by external contractors.
Building Block BB:Mobile Worker Failed Events Edit this building block to define failures caused by mobile workers.
Building Block BB:Teleworker Failed Events Edit this building block to define failures caused by teleworkers.
Building Block BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination Identifies flows that have an illegal TCP flag combination.
Building Block BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code Identifies Internet Control Message Protocol (ICMP) flows with suspicious ICMP type codes.
Building Block BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 Identifies suspicious flows using port 0.
Building Block BB:CategoryDefinition: Privileged Escalations Identifies a privilege escalation on an event.
Building Block BB:CategoryDefinition: Privileged Escalation Failed Identifies a failed privilege escalation on an event.
Building Block BB:Malicious Attacks Edit this building block to define malicious attacks.
Rule Malware or Virus Clean Failed Detects when a system detected a virus and failed to clean or remove it.

Added the following new QIDs:

  • 42002845: Virus Detected, Actual action: Left alone
  • 42002836: Security risk found, Actual action: Left alone
  • 42002833: Security risk found, Actual action: All actions failed
  • 42003869: Virus Detected, Actual action: Actions failed
Rule Vulnerabilities: Vulnerability Reported by Scanner Detects when a vulnerability has been discovered on a local host.
Rule Policy: New Service Discovered Detects when an existing host has a new service discovered on it.
Rule Policy: New Service Discovered in DMZ Detects when an existing host has a new service discovered on it.
Rule Policy: New Host Discovered Detects when a new host has been discovered on the network.
Rule Policy: New Host Discovered in DMZ Detects when a new host has been discovered on the network.
Rule Destination Vulnerable to Detected Exploit Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack.
Rule Destination Vulnerable to Detected Exploit on a Different Port Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port.

The following table shows the reports in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 28. Reports in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Report Name Search Name and Dependencies
Successful Login Events Saved Search: SSH Logins, UI Logins

Reference Set: QRadar Deployment

Edit the saved searches and the reference set to refine the results.

The following table shows the reference data in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 29. Reference Data in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Type Name Description
Reference Set QRadar Deployment List of QRadar IP addresses.

This reference set is used by the UI Logins saved search. By default it contains 127.0.0.1 and the range assigned to apps (169.254.3.1 to 169.254.3.10). Edit this list as needed.

Reference Map of Sets CorrelatedAttackMap This reference map of sets maps Destination IP addresses with the QID.

The following table shows the saved searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 30. Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Name Description
Deviating Asset Growth: Asset Report This search shows system notification warning messages with Vortex Asset IDs.
Deviating Asset Growth: Log Source Report This search shows the Asset Deviation Report category.
Firewall Deny by DST Port This search shows firewall or ACL deny events from firewall, router, or switch devices grouped by destination port.
UI Logins This search shows UI logins.
SSH Logins This search shows SSH logins.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.4

Updates in IBM Security QRadar Baseline Maintenance Content Extension 1.0.4

Type Name Change description
Building Block BB:CategoryDefinition: Authentication to Disabled Account
Added the following QIDs:
  • 5001959: An account failed to log on: Account Disabled
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001965: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time
Building Block BB:DeviceDefinition: Consumer Grade Routers Added an identity check to improve performance. This building block now only checks for a MAC address for events with an identity.
Building Block BB:DeviceDefinition: FW / Router / Switch Rule updated to include additional devices.
Rule All Exploits Become Offenses Reports leverage attacks on events. By default, this rule is disabled. Enable this rule if you want all events that are categorized as leverages to create an offense.
Rule Flow Source Stopped Sending Flows The dispatched events for this rule are now categorized as System > System Failure instead of as Access > ACL Deny.
Rule Device Stopped Sending Events (Firewall, IPS, VPN or Switch) Fixed the import issue for this rule.
Report Accessible files vulnerability Updated this report so that it returns accessible file vulnerabilities only, instead of all vulnerabilities. Also replaced all occurrences of fiiles with files in this report.
Reference data Asset Reconciliation IPv4 Blacklist, Asset Reconciliation NetBIOS Blacklist, Asset Reconciliation DNS Blacklist, and Asset Reconciliation MAC blocklist
Sets a default 7-day expiry time on the following reference data:
  • Asset Reconciliation IPv4 Blacklist
  • Asset Reconciliation NetBIOS Blacklist
  • Asset Reconciliation DNS Blacklist
  • Asset Reconciliation MAC Blacklist

After the extension is installed, all of the existing elements that were last seen more than 7 days ago will be removed from the reference data. This default value can be changed to reflect your needs and environment.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.3

Updates in IBM QRadar Baseline Maintenance Content Extension 1.0.3

Type Name Change description
Rule / Building Block Recon Followed by Accept

Updated the Recon Followed by Accept rule in QRadar to use the BB:ReconDetected Basic Recon Rule building block and remove the All Recon Rules building block reference.

Old Rule:
Used as an extra mark if all the following rules match, in order, from the same source IP to any destination IP, over a 5-minute period:
  • BB:ReconDetected: All Recon Rules
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:DeviceDefinition: FW / Router / Switch
Updated Rule:
Used as an extra mark if all the following rules match, in order, from the same source IP to any destination IP, over a 5-minute period:
  • BB:ReconDetected: Basic Recon Rules
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:DeviceDefinition: FW / Router / Switch
Rule / Building Block DoS Events with High Magnitude Become Offenses

Updated the DoS Events with High Magnitude Become Offenses rule in QRadar to change the associated building block BB:CategoryDefinition: High Magnitude Events to trigger when the severity is greater than 7.

This change allows the offense to be generated on an event with a severity of 8, 9, or 10.

Rule / Building Block FalsePositive: False Positive Rules and Building Blocks

Updated the core FalsePositive: False Positive Rules and Building Blocks to remove three building blocks to reduce false negative rule triggers.

Old rule:
Apply FalsePositive: False Positive Rules and Building Blocks on events or flows that are detected by the local system, and when a flow or an event matches any of the following rules:
  • BB:FalsePositive: All Default False Positive BBs
  • BB:HostDefinition: VA Scanner Source IP
  • BB:NetworkDefinition: NAT Address Range
  • BB:HostDefinition: Proxy Servers
Updated rule:

Apply FalsePositive: False Positive Rules and Building Blocks on events or flows that are detected by the local system, and when a flow or an event matches BB:FalsePositive: All Default False Positive BBs

Rule / Building Block BB:FalsePositive: All Default False Positive BBs Added BB:HostDefinition: VA Scanner Source IP to the BB:FalsePositive: All Default False Positive rule.
Rule / Building Block BB:HostDefinition: Proxy Servers

Updated Proxy Servers Host Definition to add a new line in the building block to check for the BB:PortDefinition: Proxy Ports Building Block.

Old Rule:

Apply BB:HostDefinition: Proxy Servers on events or flows that are detected by the local system, and when either the source or destination IP is 127.0.0.2.

Updated Rule:
Apply Apply BB:HostDefinition: Proxy Servers on events or flows that are detected by the local system, and when the following conditions are met:
  • A flow or event matches BB:PortDefinition: Proxy Ports.
  • Either the source or destination IP is 127.0.0.2.
Rule / Building Block Multiple Login Failures to the Same Destination

Updated the Multiple Login Failures to the Same Destination rule to ensure that it does not generate false positives from proxy server events.

Old Rule:

Apply Multiple Login Failures to the Same Destination on events that are detected by the local system that match BB:CategoryDefinition: Authentication Failures. Multiple Login Failures to the Same Destination also needs to be applied when at least 10 events are seen that have the same Destination IP but different Source IPs and user names in a 5-minute period.

Updated Rule:
Apply Multiple Login Failures to the Same Destination on events that are detected by the local system that match BB:CategoryDefinition: Authentication Failures, and when at least 10 events are seen that have the same Destination IP but different Source IPs and user names in a 5-minute period, but NOT when an event matches any of the following building blocks:
  • BB:HostDefinition: Proxy Servers
  • BB:HostReference: Proxy Servers
Rule / Building Block Excessive Firewall Denies from Local Host

Updated the Excessive Firewall Denies from Local Host rule to ensure that it does not generate false positives from proxy server events.

Old Rule:

Apply Excessive Firewall Denies from Local Host on events that are detected by the local system, when the event context is Local to Local, or Local to Remote, and when an event matches either BB:CategoryDefinition: Firewall or ACL Denies with the same Source IP more than 40 times, across more than 40 Destination IPs within a 5-minute period.

Updated Rule: Apply Excessive Firewall Denies from Local Host on events that are detected by the local system, when the event context is Local to Local, or Local to Remote, and when an event matches either BB:CategoryDefinition: Firewall or ACL Denies with the same Source IP more than 40 times, across more than 40 Destination IPs within a 5-minute period, but NOT when an event matches any of the following rules:
  • BB:HostDefinition: Proxy Servers
  • BB:HostReference: Proxy Servers
Rule / Building Block Policy: Large Outbound Transfer Slow Rate of TransferPolicy: Large Outbound Transfer High Rate of Transfer

Updated the performance of both fast and slow data transfer policy rules. This update changes the order of the rule test to move this phrase: 'and when at least X flows are seen with the same Source IP, Destination IP in Y minutes' to the last line for both policy rules (slow transfer and fast transfer). The following updated rule example describes the rule change in more detail.

Old rule:
Apply Large Outbound Transfer Slow Rate of Transfer on flows that are detected by the local system when the following conditions are met:
  • The source bytes are greater than 20000.
  • At least 100 flows are seen with the same Source IP, Destination Port, and Destination IP in a 120-minute period.
  • The flow context is Local to Remote.
  • The flow bias is mostly outbound.
Updated rule:
Apply Large Outbound Transfer Slow Rate of Transfer on flows that are detected by the local system when the following conditions are met:
  • The source bytes are greater than 20000.
  • The flow context is Local to Remote.
  • The flow bias is mostly outbound.
  • At least 100 flows are seen with the same Source IP, Destination Port, and Destination IP in a 120-minute period.
Rule / Building Block Updated reference set rule responses for all Asset Reconciliation Exclusion rules
This change updates the rule response for Asset Exclusion rules to ensure that identity data is added to the correct reference set blacklist when the rule response triggers. The following rules were updated to include this change:
  • AssetExclusion: Exclude DNS Name by IP
  • AssetExclusion: Exclude DNS Name by MAC Address
  • AssetExclusion: Exclude DNS Name by NetBIOS Name
  • AssetExclusion: Exclude IP by DNS Name
  • AssetExclusion: Exclude IP by MAC Address
  • AssetExclusion: Exclude IP by NetBIOS Name
  • AssetExclusion: Exclude MAC Address by DNS Name
  • AssetExclusion: Exclude MAC Address by IP
  • AssetExclusion: Exclude MAC Address by NetBIOS Name
  • AssetExclusion: Exclude NetBIOS Name by DNS Name
  • AssetExclusion: Exclude NetBIOS Name by IP
  • AssetExclusion: Exclude NetBIOS Name by MAC Address

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.2

Type Name Change description
Saved search Flow Rate (FPS)

Updated the Flow Rate (FPS) saved search from a count function to an FPS function by changing the search value from Count to Average.

Old:

Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Count)

New:

Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Average)

Dashboard Added 'Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Average)' to the System Monitoring Dashboard.

The corrected Flow Rate Results (FPS) saved search is added to the System Monitoring dashboard for all users.

This graph displays on the Log Activity tab as Top 10 Flow Source (custom) Results By Flows per Second - Peak 1 Min (custom) (Average).

Report System Summary Updated the System Summary report, which has a dependency on the Flow Rate (FPS) search results.
Included in the content pack as a dependency
Saved search Event Rate (EPS) No updates. Dependent on another property and must be included in the extension framework.
Saved search Offenses Over Time No updates. Dependent on another property and must be included in the extension framework.
Saved search Link Utilization No updates. Dependent on another property and must be included in the extension framework.
Saved search Event Processor Distribution No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(flows per second - peak 1 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(flows per second - average 15 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(events per second coalesced - average 1 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(eventsper second raw - average 1 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Offenses Over Time - SUM(dormant offense count) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Offenses Over Time - SUM(active offense count) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Event Processor Distribution - Count No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Event Processor Distribution - Sum(eventCount) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Event Processor Distribution - UniqueCount(device) No updates. Dependent on another property and must be included in the extension framework.
Custom Property Flow Source: SourceMonitor.+\[NOT\:\d+\]\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\] No updates. Dependent on another property and must be included in the extension framework.
Custom Property Flows per Second - Average 15 Min: SourceMonitor.+900s\:\s\([\d|\.]+\)\:\(([\d|\.]+)\) No updates. Dependent on another property and must be included in the extension framework.
Custom Property Parent \[parent=(.+?)\].+StatFilter No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Coalesced - Peak 1 Sec: StatFilter.+1s\:(\d+)\,\d+\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Raw - Peak 1 Sec: StatFilter.+1s\:\d+\,(\d+)\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Coalesced - Average 1 Min: StatFilter.+60s\:(\d+)\,\d+\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Raw - Average 1 Min: StatFilter.+60s\:\d+\,(\d+)\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Dormant Offense Count: \,\sdormant\:\s(\d+)\, No updates. Dependent on another property and must be included in the extension framework.
Custom Property Active Offense Count: \,\sactive\:\s(\d+)\, No updates. Dependent on another property and must be included in the extension framework.
Dashboard System Monitoring: 5 (system) 10 (admin) No updates. Dependent on another property and must be included in the extension framework.
FGroup Configuration and Change Management No updates. Dependent on another property and must be included in the extension framework.
FGroup System Monitoring (Information, Failures and Errors) No updates. Dependent on another property and must be included in the extension framework.
FGroup Network Monitoring and Management No updates. Dependent on another property and must be included in the extension framework.

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.1

Rules and building blocks that are updated in IBM Security QRadar Baseline Maintenance Content Extension 1.0.1

Type Name Change Description
Rule First-Time User Access to Critical Asset Added a user name is not N/A as a rule test to the "First-Time User Access" rule.
Rule Remote SSH Server Scanner Corrected rule test order to move the following test to the last position in the rule test order: and when BB:CategoryDefinition: Recon Events, BB:CategoryDefinition: Suspicious Events with the same Source IP more than five times, across more than 29 Destination IPs within 10 minutes
Building Block BB:Suspicious: Remote: Unidirectional UDP or Misc Flows

Corrects the following building block in the rule test:

Old:

and when BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows match at least 15 times in 1 minute

Updated:

and when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows match at least 15 times in 1 minute

Rule BB:Suspicious: Local: Unidirectional UDP or Misc Flows

Corrects the following building block in the rule test:

Old:

and when BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows match at least 15 times in 1 minute

Updated:

and when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows match at least 15 times in 1 minute

Rule BB:External Contractor Policy Violation Events

Resolves a rule test issue to do the Reference Set look-up as the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:External Contractor Failed Events

Resolves a rule test issue to do the Reference Set look-up as the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Mobile Worker Policy Violation Events

Resolves a rule test issue to do the Reference Set look-up as the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Mobile Worker Failed Events

Resolves a rule test issue to do the Reference Set look-up as the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Teleworker Policy Violation Events

Resolves a rule test issue to do the Reference Set look-up as the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Teleworker Failed Events

Resolves a rule test issue to do the Reference Set look-up as the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:IT Admin Events

Resolves a rule test issue to do the Reference Set look-up as the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric

(Back to top)

IBM Security QRadar Baseline Maintenance Content Extension 1.0.0

QRadar rules and building blocks that are updated in IBM Security QRadar Baseline Maintenance Content Extension 1.0.0

Category Name Description of change
X-Force Rule X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM Updated rule to resolve a performance issue.
Custom Event Property Events per Second Raw - Peak 1 Sec Updated regex to StatFilter to use: +1s\:\d+\,\d+ \(peak \d+\,(\d+)
Building Block BB:CategoryDefinition: Authentication to Disabled Account Added QID 5000475: Failure Audit: An account failed to log on.
Building Block BB:CategoryDefinition: Authentication to Expired Account
Added the following two QIDs:
  • 5001653: An account failed to log on. The specified account's password expired.
  • 5001654: The domain controller failed to validate the credentials for an account.
Building Block BB:DeviceDefinition: Consumer Grade Routers Added a rule test: BB:DeviceDefinition: DHCP Server
Rule Anomaly: Excessive Firewall Accepts Across Multiple Hosts Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule
Rule Botnet: Potential Botnet Connection (DNS) Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule
Rule Recon: Recon Followed by Accept Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule
Rule Policy: Host has well-known vulnerability Updated user interface name and rule text description.
Rule Exploit: Destination Vulnerable to Detected Exploit Updated user interface name and rule text description.
Rule Exploit: Destination Vulnerable to Detected Exploit on a Different Port Updated user interface name and rule text description.
Rule Large Outbound Transfer High Rate of Transfer Updated user interface name and rule text description.
Rule Large Outbound Transfer Slow Rate of Transfer Updated user interface name and rule text description.
Rule Source Network Weight is High Updated user interface name and rule text description.
Rule Source Network Weight is Medium Updated user interface name and rule text description.
Rule Source Network Weight is Low Updated user interface name and rule text description.
Rule Destination Network Weight is High Updated user interface name and rule text description.
Rule Destination Network Weight is Medium Updated user interface name and rule text description.
Rule Destination Network Weight is Low Updated user interface name and rule text description.
Rule Multiple Exploit Types Against Single Destination Updated user interface name and rule text description.
Building Block BB:HostDefinition: DNS Servers No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:HostDefinition: Servers No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:HostDefinition: DHCP Servers No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:ReconDetected: All Recon Rules No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Exploits Backdoors and Trojans No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Firewall or ACL Accept No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Firewall or ACL Denies No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:DeviceDefinition: FW / Router / Switch No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Any Flow No updates. Dependent on another rule and must be included in the extension framework.

(Back to top)