Baseline Maintenance

The IBM® QRadar® Baseline Maintenance Content Extension updates several rules, building blocks, and other content from the core enterprise template in QRadar.

About the Baseline Maintenance extension

Installing this extension does not affect user-modified rules. Instead, it updates the rule templates to correct rule and building block issues and to apply performance tuning across multiple categories. Custom properties, searches, and dashboard items that are installed by the extension overwrite the existing values so that they stay up to date.

IBM Security QRadar Baseline Maintenance Content Extension 2.0.0 and later requires QRadar 7.3.3 Fix Pack 4 or later. If you are using an earlier version of QRadar, use IBM Security QRadar Baseline Maintenance Content Extension 1.1.0 instead.

IBM Security QRadar Baseline Maintenance Content Extension 2.0.0 does not include any of the content from IBM Security QRadar Baseline Maintenance Content Extension 1.1.0 or earlier. That content is included in QRadar 7.3.3 Fix Pack 4 and later by default.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

Default Baseline Maintenance extension version

Each QRadar version is installed with the following Baseline Maintenance extension version by default.

  • IBM Security QRadar version 7.4.0 FP3, 7.4.1, 7.4.2, and 7.4.3 are installed with IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.
  • IBM Security QRadar version 7.3.3 FP4 and 7.4.0 are installed with IBM Security QRadar Baseline Maintenance Content Extension 1.0.10, which was later renumbered to 1.1.0.
  • IBM Security QRadar version 7.3.3 is installed with IBM Security QRadar Baseline Maintenance Content Extension 1.0.8.
  • IBM Security QRadar version 7.3.2 is installed with IBM Security QRadar Baseline Maintenance Content Extension 1.0.4.

IBM Security QRadar Baseline Maintenance Content Extensions

IBM Security QRadar Baseline Maintenance Content Extension 2.2.3

The following table shows the custom properties that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3.

Table 1. Custom Properties updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3
Name | Optimized | Capture Group | Regex
SHA1 Hash | Yes | 1 | \bSHA1[":]+"([^"]*)"
SHA1 Hash | Yes | 1 | Sha1":"(.*?)"
Threat Category | No | 1 | ThreatCategory":"(.*?)"
Threat Family | No | 1 | ThreatFamily":"(.*?)"
Threat Severity | No | 1 | Severity":"(.*?)"

The SHA1 Hash property carries two regex expressions, listed on separate rows; the first expression that matches a payload supplies the value.

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3.

Table 2. Building Blocks and Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3
Type | Name | Description
Building Block | BB:CategoryDefinition: Superuser Accounts | Defines all events where the username is a superuser account.
Building Block | BB:DeviceDefinition: Endpoint Protection Devices | Defines all endpoint protection devices on the system.
Building Block | BB:NetworkDefinition: Trusted Destination Network Segment | Defines trusted destination network segments.
Building Block | BB:NetworkDefinition: Trusted Source Network Segment | Defines trusted source network segments.
Rule | Load Basic Building Blocks | Loads building blocks that need to run to assist with reporting. This rule has no actions or responses.
Rule | System: Notification | Ensures that notification events are sent to the notification framework.

The following table shows the saved search that is updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3.

Table 3. Saved Search in IBM Security QRadar Baseline Maintenance Content Extension 2.2.3
Saved search | Description
Malware Events by Name | Search that describes the malware found on the system, grouped by name.

IBM Security QRadar Baseline Maintenance Content Extension 2.2.2

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.2.

Table 4. Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.2.2
Name | Description
Botnet: Potential Botnet Connection (DNS) | Triggers when a host is connecting or attempting to connect to a DNS server on the internet. This may indicate a host that is connecting to a botnet. Investigate the host for malicious code.
Local Mass Mailing Host Detected | Triggers when a local host sends more than 20 SMTP flows in 1 minute. This may indicate a host that is used as a spam relay or is infected with a mass-mailing worm.
Local: FTP Detected on Non-Standard Port | Triggers when local FTP communication is observed on a non-standard port. The default port for FTP is TCP port 21. FTP on other ports may indicate a compromised host on which the attacker installed the service to provide backdoor access.
Local: SSH or Telnet Detected on Non-Standard Port | Triggers when local SSH or Telnet communication is observed on a non-standard port. The default ports for SSH and Telnet servers are TCP port 22 and TCP port 23, respectively. SSH or Telnet on other ports may indicate a compromised host on which the attacker installed these servers to provide backdoor access.
Potential Honeypot Access | Triggers when an event involves a source or destination that is defined as a honeypot or tarpit address. Before you enable this rule, configure the BB:NetworkDefinition: Honeypot like addresses building block.
System: Notification | Ensures that notification events are sent to the notification framework. Added a new QID.
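As an added illustration of what the flow-based rules in Table 4 actually test (this is example code written for this page, not rule logic exported from QRadar or from the extension), the following Python reduces Local Mass Mailing Host Detected to a per-host SMTP rate threshold and the two Non-Standard Port rules to a mismatch between the identified application and its default port, then runs both over constructed flow records. Assumptions: 10.0.0.0/8 stands in for the local network hierarchy that the BB:NetworkDefinition building blocks would normally supply; "local" for the port rules means the destination is local; flows are bucketed by start minute rather than by QRadar's sliding rule window; and the application column is taken as already identified from payload content by the flow collector, which is the only reason a port mismatch is observable at all.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed local address space. In QRadar this comes from the network hierarchy
# and the BB:NetworkDefinition building blocks, not from a hard-coded list.
LOCAL_NETWORKS = [ip_network("10.0.0.0/8")]

# Service defaults named in the rule descriptions above.
STANDARD_PORTS = {"FTP": 21, "SSH": 22, "Telnet": 23}

# Constructed flow records, not real QRadar flow data:
# (minute the flow started, source IP, destination IP, destination port, application).
FLOWS = (
    # one internal host opens 25 SMTP connections inside a single minute
    [("09:00", "10.0.5.7", f"203.0.113.{i}", 25, "SMTP") for i in range(1, 26)]
    # a second internal host sends a normal trickle of mail
    + [("09:00", "10.0.5.8", "10.0.9.25", 25, "SMTP") for _ in range(5)]
    # an external sender delivering 30 messages to the local mail server: not a local source
    + [("09:00", "198.51.100.9", "10.0.9.25", 25, "SMTP") for _ in range(30)]
    + [
        ("09:01", "10.0.5.7", "10.0.6.1", 2222, "SSH"),          # SSH on a non-standard port
        ("09:01", "10.0.5.9", "10.0.6.2", 21, "FTP"),            # FTP on its default port
        ("09:02", "198.51.100.4", "10.0.6.3", 2323, "Telnet"),   # Telnet on a non-standard port
        ("09:02", "10.0.5.9", "203.0.113.50", 8022, "SSH"),      # SSH to an external host: not local
    ]
)


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETWORKS)


def mass_mailing_hosts(flows, threshold=20):
    """Local source IPs with more than `threshold` SMTP flows in one minute
    (Local Mass Mailing Host Detected). Flows are bucketed by start minute,
    an assumed simplification of the rule's time window."""
    per_minute = Counter(
        (minute, src)
        for minute, src, _dst, _port, app in flows
        if app == "SMTP" and is_local(src)
    )
    return {src for (_minute, src), count in per_minute.items() if count > threshold}


def nonstandard_port_services(flows):
    """Flows where FTP, SSH or Telnet is seen on a port other than its default and
    the destination is local (Local: FTP / SSH or Telnet Detected on Non-Standard
    Port). Returns (source, destination, port, application) tuples."""
    return [
        (src, dst, port, app)
        for _minute, src, dst, port, app in flows
        if app in STANDARD_PORTS and port != STANDARD_PORTS[app] and is_local(dst)
    ]


if __name__ == "__main__":
    print("mass mailing hosts:", sorted(mass_mailing_hosts(FLOWS)))
    for hit in nonstandard_port_services(FLOWS):
        print("service on non-standard port:", hit)
```

The external sender with 30 SMTP flows is deliberately ignored: the rule is scoped to local sources, so inbound mail volume to your own MX does not trip it. The SSH flow to an external host on port 8022 is likewise dropped by the locality check; whether you want outbound non-standard SSH flagged too is a separate rule decision.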

IBM Security QRadar Baseline Maintenance Content Extension 2.2.1

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1.

Table 5. Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1
Name | Description
AssetExclusion: Exclude DNS Name By IP | Blocklists a DNS name that is associated with N different IP addresses within a certain time frame.
AssetExclusion: Exclude DNS Name By MAC Address | Blocklists a DNS name that is associated with N different MAC addresses within a certain time frame.
AssetExclusion: Exclude DNS Name By NetBIOS Name | Blocklists a DNS name that is associated with N different NetBIOS names within a certain time frame.
AssetExclusion: Exclude IP By DNS Name | Blocklists an IP address that is associated with N different DNS names within a certain time frame.
AssetExclusion: Exclude IP By MAC Address | Blocklists an IP address that is associated with N different MAC addresses within a certain time frame.
AssetExclusion: Exclude IP By NetBIOS Name | Blocklists an IP address that is associated with N different NetBIOS names within a certain time frame.
AssetExclusion: Exclude MAC Address By DNS Name | Blocklists a MAC address that is associated with N different DNS names within a certain time frame.
AssetExclusion: Exclude MAC Address By IP | Blocklists a MAC address that is associated with N different IPv4 addresses within a certain time frame.
AssetExclusion: Exclude MAC Address By NetBIOS Name | Blocklists a MAC address that is associated with N different NetBIOS names within a certain time frame.
AssetExclusion: Exclude NetBIOS Name By DNS Name | Blocklists a NetBIOS name that is associated with N different DNS names within a certain time frame.
AssetExclusion: Exclude NetBIOS Name By IP | Blocklists a NetBIOS name that is associated with N different IPv4 addresses within a certain time frame.
AssetExclusion: Exclude NetBIOS Name By MAC Address | Blocklists a NetBIOS name that is associated with N different MAC addresses within a certain time frame.
System: Notification | Added new QIDs.

The following table shows the reference sets that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1.

Table 6. Reference Sets in IBM Security QRadar Baseline Maintenance Content Extension 2.2.1
Name | Description
Asset Reconciliation DNS Blacklist | A blocklist of DNS names.
Asset Reconciliation DNS Whitelist | An allowlist of DNS names.
Asset Reconciliation IPv4 Blacklist | A blocklist of IP addresses.
Asset Reconciliation IPv4 Whitelist | An allowlist of IP addresses.
Asset Reconciliation MAC Blacklist | A blocklist of MAC addresses.
Asset Reconciliation MAC Whitelist | An allowlist of MAC addresses.
Asset Reconciliation NetBIOS Blacklist | A blocklist of NetBIOS host names.
Asset Reconciliation NetBIOS Whitelist | An allowlist of NetBIOS host names.
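The twelve AssetExclusion rules in Table 5 share one shape: a value of one identifier that is seen with N different values of another identifier inside a time window is written to the matching Asset Reconciliation blocklist from Table 6, unless it already sits on the corresponding allowlist. The following Python is an added worked example of that logic over constructed asset observations; it is not QRadar's rule engine, and the threshold (3) and window (1 hour) are assumed values rather than the extension's defaults. The allowlist is keyed per identifier type, which shows a practical consequence of the design: allowlisting a load balancer's DNS name does not stop its NetBIOS name from being blocklisted by the NetBIOS rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset-profile observations, not real QRadar asset data. Each tuple is
# (time seen, DNS name, IPv4 address, MAC address, NetBIOS name).
OBSERVATIONS = [
    (datetime(2024, 1, 1, 9, 0), "dhcp-pool.corp.example", "10.0.1.11", "00:11:22:33:44:01", "WS01"),
    (datetime(2024, 1, 1, 9, 2), "dhcp-pool.corp.example", "10.0.1.12", "00:11:22:33:44:02", "WS02"),
    (datetime(2024, 1, 1, 9, 4), "dhcp-pool.corp.example", "10.0.1.13", "00:11:22:33:44:03", "WS03"),
    (datetime(2024, 1, 1, 9, 6), "dhcp-pool.corp.example", "10.0.1.14", "00:11:22:33:44:04", "WS04"),
    (datetime(2024, 1, 1, 9, 0), "fileserver.corp.example", "10.0.2.5", "00:11:22:33:55:01", "FS01"),
    (datetime(2024, 1, 1, 9, 30), "fileserver.corp.example", "10.0.2.5", "00:11:22:33:55:01", "FS01"),
    (datetime(2024, 1, 1, 8, 0), "vpn-gw.corp.example", "10.0.3.1", "00:11:22:33:66:01", "VPN"),
    (datetime(2024, 1, 2, 8, 0), "vpn-gw.corp.example", "10.0.3.2", "00:11:22:33:66:01", "VPN"),
    (datetime(2024, 1, 3, 8, 0), "vpn-gw.corp.example", "10.0.3.3", "00:11:22:33:66:01", "VPN"),
    (datetime(2024, 1, 1, 9, 0), "lb.corp.example", "10.0.4.1", "00:11:22:33:77:01", "LB"),
    (datetime(2024, 1, 1, 9, 1), "lb.corp.example", "10.0.4.2", "00:11:22:33:77:02", "LB"),
    (datetime(2024, 1, 1, 9, 2), "lb.corp.example", "10.0.4.3", "00:11:22:33:77:03", "LB"),
]

# Column index of each identifier inside an observation tuple.
FIELDS = {"dns": 1, "ip": 2, "mac": 3, "netbios": 4}


def exclusions(observations, key, by, threshold, window, allowlist=frozenset()):
    """Values of `key` seen with at least `threshold` distinct `by` values inside
    some span of length `window`, minus anything on the allowlist.

    Mirrors an 'AssetExclusion: Exclude <key> By <by>' rule: `threshold` is the
    rule's N and `window` its time frame (assumed here, not QRadar defaults); the
    allowlist plays the role of the 'Asset Reconciliation <key> Whitelist' set.
    """
    seen = defaultdict(list)  # key value -> [(time, by value)] in time order
    for obs in sorted(observations, key=lambda o: o[0]):
        seen[obs[FIELDS[key]]].append((obs[0], obs[FIELDS[by]]))

    flagged = set()
    for value, pairs in seen.items():
        if value in allowlist:
            continue
        for i, (end, _) in enumerate(pairs):
            # distinct `by` values inside the window that ends at this observation
            distinct = {b for t, b in pairs[: i + 1] if t >= end - window}
            if len(distinct) >= threshold:
                flagged.add(value)
                break
    return flagged


def blocklist_updates(observations, threshold=3, window=timedelta(hours=1), allowlists=None):
    """Evaluate all twelve Exclude-<X>-By-<Y> combinations and return, per rule, the
    values that would be added to the 'Asset Reconciliation <X> Blacklist' set."""
    allowlists = allowlists or {}
    return {
        f"Exclude {key} By {by}": exclusions(
            observations, key, by, threshold, window, allowlists.get(key, frozenset())
        )
        for key in FIELDS
        for by in FIELDS
        if key != by
    }


if __name__ == "__main__":
    updates = blocklist_updates(OBSERVATIONS, allowlists={"dns": {"lb.corp.example"}})
    for rule, values in updates.items():
        if values:
            print(f"{rule}: {sorted(values)}")
```

The DHCP pool name that cycles through addresses and the load balancer whose one name fronts several addresses are the usual causes of asset profiles being merged into a single bogus host; excluding them from reconciliation is what keeps the asset database from fusing many machines into one. Note that the VPN gateway, which legitimately moves between three addresses over three days, is not flagged with a one-hour window but is flagged with a seven-day one, so the window matters as much as N.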


IBM Security QRadar Baseline Maintenance Content Extension 2.1.0

The following table shows the building blocks that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.1.0.

Table 7. Building blocks in IBM Security QRadar Baseline Maintenance Content Extension 2.1.0
Name | Description
BB:CategoryDefinition: Authentication Success | Edit this building block to include all events that indicate successful attempts to access the network.
BB:CategoryDefinition: Auditing Changed | Identifies auditing changed events.
BB:DeviceDefinition: Cloud | Defines all cloud sources on the system.
BB:FalsePositive: Windows AD Source Authentication Events | Defines the addresses of Windows Authentication or Active Directory servers.


IBM Security QRadar Baseline Maintenance Content Extension 2.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 8. Custom Properties updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Name | Optimized | Capture Group | Regex
Events per Second Coalesced - Average 1 Min | Yes | 1 | StatFilter.+60s\:(\d+)\,\d+\s
Events per Second Coalesced - Peak 1 Sec | Yes | 1 | StatFilter.+1s\:(\d+)\,\d+\s
Events per Second Raw - Average 1 Min | Yes | 1 | StatFilter.+60s\:\d+\,(\d+)\s
Events per Second Raw - Peak 1 Sec | Yes | 1 | StatFilter.+1s\:\d+\,(\d+)\s
Parent | Yes | 1 | \[parent=(.+?)\].+StatFilter
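A custom property is only as good as its regex and capture group, and the note at the top of this page about keeping DSMs current exists because a parser change can silently leave a property empty. The following Python is an added test harness, not part of the extension or of QRadar, that loads the property definitions from Table 1 (extension 2.2.3) and Table 8 (extension 2.0.0) verbatim, checks that each capture group number actually exists in its regex, and runs the definitions over sample payloads. The payloads are constructed for this example: the two JSON events imitate an endpoint-protection detection with the hash key spelled two ways, and the StatFilter line only imitates the field layout the Table 8 regexes expect, not a verbatim QRadar log message.

```python
import re

# Custom property definitions as listed on this page: Table 1 (extension 2.2.3)
# and Table 8 (extension 2.0.0). Each entry is an ordered list of
# (capture group, regex); the first regex that matches supplies the value.
CUSTOM_PROPERTIES = {
    "SHA1 Hash": [(1, r'\bSHA1[":]+"([^"]*)"'), (1, r'Sha1":"(.*?)"')],
    "Threat Category": [(1, r'ThreatCategory":"(.*?)"')],
    "Threat Family": [(1, r'ThreatFamily":"(.*?)"')],
    "Threat Severity": [(1, r'Severity":"(.*?)"')],
    "Events per Second Coalesced - Average 1 Min": [(1, r"StatFilter.+60s\:(\d+)\,\d+\s")],
    "Events per Second Coalesced - Peak 1 Sec": [(1, r"StatFilter.+1s\:(\d+)\,\d+\s")],
    "Events per Second Raw - Average 1 Min": [(1, r"StatFilter.+60s\:\d+\,(\d+)\s")],
    "Events per Second Raw - Peak 1 Sec": [(1, r"StatFilter.+1s\:\d+\,(\d+)\s")],
    "Parent": [(1, r"\[parent=(.+?)\].+StatFilter")],
}

# Constructed sample payloads, not real vendor or QRadar output. The JSON payloads
# imitate an endpoint-protection detection event with the hash key spelled two
# ways; the StatFilter line imitates only the field layout that the Table 8
# regexes expect, not a verbatim QRadar log message.
SAMPLE_PAYLOADS = {
    "endpoint_lowercase_key": (
        '{"EventType":"Detection","Sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",'
        '"ThreatCategory":"Trojan","ThreatFamily":"Emotet","Severity":"High"}'
    ),
    "endpoint_uppercase_key": (
        '{"EventType":"Detection","SHA1":"3b4e8a6c1d2f0e9a7b5c4d3e2f1a0b9c8d7e6f5a",'
        '"Severity":"Low"}'
    ),
    "statfilter": (
        "[parent=ecs-ec-ingress.ecs-ec-ingress] [Thread-42] "
        "com.q1labs.sem.filters.StatFilter: [INFO] Incoming event rate: "
        "1s:120,150 (peak 300,340) 60s:100,130 300s:95,120"
    ),
}


def validate_definitions(definitions=CUSTOM_PROPERTIES):
    """Return (name, regex) pairs whose capture group number exceeds the number of
    groups in the regex; such a property compiles but can never yield a value."""
    problems = []
    for name, patterns in definitions.items():
        for group, pattern in patterns:
            if re.compile(pattern).groups < group:
                problems.append((name, pattern))
    return problems


def extract(payload, name):
    """Value the named custom property would extract from payload, or None."""
    for group, pattern in CUSTOM_PROPERTIES[name]:
        match = re.search(pattern, payload)
        if match:
            return match.group(group)
    return None


def extract_all(payload):
    """Every defined property mapped to its extracted value (None if nothing matched)."""
    return {name: extract(payload, name) for name in CUSTOM_PROPERTIES}


def unmatched(payload):
    """Properties that extract nothing from payload. For a payload that should
    populate them, this is the symptom of a DSM or parser change that the
    'keep the associated DSMs up to date' note above warns about."""
    return sorted(name for name, value in extract_all(payload).items() if value is None)


if __name__ == "__main__":
    for problem in validate_definitions():
        print("bad capture group:", problem)
    for label, payload in SAMPLE_PAYLOADS.items():
        found = {k: v for k, v in extract_all(payload).items() if v is not None}
        print(label, "->", found)
```

Two things the run makes visible. First, the two SHA1 Hash expressions are not redundant: the first is case-sensitive and needs the key spelled SHA1, so the lowercase-key event is only served by the second, which is why QRadar lets a property carry several expressions. Second, Severity":"(.*?)" is not anchored to a key boundary, so any key whose name ends in Severity will satisfy it; before you build a rule on Threat Severity, run real samples from each DSM that feeds the property through a check like this one. QRadar evaluates these regexes on the JVM; the constructs used here behave the same under Python's re, but a pattern that relies on Java-only syntax would have to be checked with Java.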

The following table shows the rules that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 9. Rules in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Name | Description
First-Time User Access to Critical Asset | Corrected the link from this rule to the User-System Authentication or Usage - IP reference map of sets.
Large Outbound Transfer High Rate of Transfer | Updated the threshold to 500 MB.
Large Outbound Transfer Slow Rate of Transfer | Updated the threshold to 500 MB.
Malware or Virus Clean Failed | Detects when a system detected a virus and failed to clean or remove it. Added new QIDs.
System: Notification | Ensures that notification events are sent to the notification framework. Added a new QID.

The following table shows the reference data that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 10. Reference Data in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Type | Name | Description
Reference Set | Critical Assets | No updates. A rule depends on this reference set, so it must be included in the extension framework.
Reference Map of Sets | User-System Authentication or Usage | No updates. A rule depends on this reference map of sets, so it must be included in the extension framework.

The following table shows the saved search that is updated in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0.

Table 11. Saved Search in IBM Security QRadar Baseline Maintenance Content Extension 2.0.0
Saved search | Description
Event Rate (EPS) | Updated the saved search to add the filter "Parent is not N/A".


IBM Security QRadar Baseline Maintenance Content Extension 1.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 12. Custom Properties updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Name | Optimized | Capture Group | Regex
Event Summary | Yes | 1 | sum=([^\t]+)

The following table shows the building blocks that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 13. Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Name | Description
BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:FalsePositive: DHCP Server False Positives Categories and BB:FalsePositive: DHCP Server False Positive Events building blocks.
BB:HostDefinition: DNS Servers | Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positives Categories and BB:FalsePositive: DNS Server False Positive Events building blocks.
BB:HostDefinition: Proxy Servers | Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:FalsePositive: Proxy Server False Positives Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks.
BB:HostReference: Database Servers | Include database server IP addresses in the Database Servers - IP reference set.
BB:HostReference: DHCP Servers | Include DHCP server IP addresses in the DHCP Servers - IP reference set.
BB:HostReference: DNS Servers | Include DNS server IP addresses in the DNS Servers - IP reference set.
BB:HostReference: FTP Servers | Include FTP server IP addresses in the FTP Servers - IP reference set.
BB:HostReference: LDAP Servers | Include LDAP server IP addresses in the LDAP Servers - IP reference set.
BB:HostReference: Mail Servers | Include mail server IP addresses in the Mail Servers - IP reference set.
BB:HostReference: Proxy Servers | Include proxy server IP addresses in the Proxy Servers - IP reference set.
BB:HostReference: SSH Servers | Include SSH server IP addresses in the SSH Servers - IP reference set.
BB:HostReference: Web Servers | Include web server IP addresses in the Web Servers - IP reference set.
BB:HostReference: Windows Servers | Include Windows server IP addresses in the Windows Servers - IP reference set.

The following table shows the reference set that is updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 14. Reference Set updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Reference set | Description
QRadar Deployment | Corrected the number of IP addresses contained in this reference set.

The following table shows the saved searches that are new or updated in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0.

Table 15. Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.1.0
Saved search | Description
Deviating Asset Growth: Asset Report | Updated to allow the search to be translated.
Deviating Asset Growth: Log Source Report | Updated to allow the search to be translated.
Event Rate (EPS) | Updated from an EPS function to a count function by changing the search value from Average to Count.
Flow Rate (FPS) | Updated from an FPS function to a count function by changing the search value from Average to Count.


IBM Security QRadar Baseline Maintenance Content Extension 1.0.9

The following table shows the new or updated rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.9.

Table 16. New or Updated Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.9
Type | Name | Description
Rule | Load Basic Building Blocks | This rule loads building blocks that need to run to assist with reporting. This rule has no actions or responses. The following building blocks were added to this rule:
  • BB:CategoryDefinition: Malicious Attacks
  • BB:CategoryDefinition: SIEM User and Role Modifications
  • BB:DeviceDefinition: Proxy
  • BB:DeviceDefinition: Cloud
  • BB:DeviceDefinition: Operating System
  • BB:DeviceDefinition: Mail
  • BB:DeviceDefinition: DLP Devices
Building Block | BB:CategoryDefinition: SIEM User and Role Modifications | Added new building block. Checks the QIDs specific to QRadar user and role creation and modification.


IBM Security QRadar Baseline Maintenance Content Extension 1.0.8

The following table shows the new or updated custom properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8.

Table 17. New or Updated Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8
Name | Optimized | Capture Group | Regex
File Path | No | 1 | filePath=([^\t]+)[\t]*
Accesses | Yes | 1 | Accesses: (.*?) Privileges:
Access intent | Yes | 1 | intent=([^\t]+)

The Avt-App-VolumePackets, AVT-App-NAme, AVT-App-VolumeBytes, and AVT-App-Category custom properties were removed in this release.

The following table shows the new or updated rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8.

Table 18. New or Updated Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.8
Type | Name | Description
Rule | System: Notification | Removed QID 38750002 (general warning).
Building Block | BB:DeviceDefinition: Proxy | Added new devices: Forcepoint V Series, Microsoft ISA, McAfee Web Gateway.
Building Block | BB:DeviceDefinition: Cloud | Added new building block. Defines all cloud devices on the system.
Building Block | BB:DeviceDefinition: DLP Devices | Added new building block. Defines all data loss prevention (DLP) devices on the system.
Building Block | BB:DeviceDefinition: Mail | Added new building block. Defines all mail devices on the system.
Building Block | BB:DeviceDefinition: Operating System | Added new building block. Defines all operating systems on the system.


IBM Security QRadar Baseline Maintenance Content Extension 1.0.7

The following table shows the new or changed custom properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7.

Table 19. New or Changed Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7
Name | Optimized | Capture Group | Regex
Destination Host Name | Yes | 1 | dstHostName=([^\t]+)[\t]*
EventID | Yes | 1 | \d{1,2}\s\d{1,2}[:\s]\d{1,2}[:\s]\d{1,2}\s+\d{1,4}\s+(\d+)

The following table shows the new or changed rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7.

Table 20. New or Changed Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7
Type | Name | Description
Rule | System: Notification | This rule ensures that notification events are sent to the notification framework. Added new QIDs.
Building Block | BB:HostReference: Database Servers | This building block defines typical database servers.
Building Block | BB:HostReference: DHCP Servers | This building block defines typical DHCP servers.
Building Block | BB:HostReference: DNS Servers | This building block defines typical DNS servers.
Building Block | BB:HostReference: FTP Servers | This building block defines typical FTP servers.
Building Block | BB:HostReference: LDAP Servers | This building block defines typical LDAP servers.
Building Block | BB:HostReference: Mail Servers | This building block defines typical mail servers.
Building Block | BB:HostReference: SSH Servers | This building block defines typical SSH servers.
Building Block | BB:HostReference: Web Servers | This building block defines typical web servers.
Building Block | BB:HostReference: Windows Servers | This building block defines typical Microsoft Windows servers.
Building Block | BB:CategoryDefinition: Authentication Success | Updated this building block to remove two low-level categories (LLCs): Privilege Escalation Succeeded and Password Changed Succeeded.
Building Block | BB:CategoryDefinition: Authentication Fail | Updated this building block to remove two low-level categories (LLCs): Privilege Escalation Failed and Password Changed Failed.

The following table shows the new or changed saved searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7.

Table 21. New or Changed Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.7
Name | Description
SSH Logins | Search retrieving the SSH authentication successes on the QRadar system itself.
UI Logins | Search retrieving the web UI authentication successes on the QRadar system itself.
Offences over time | Search retrieving offenses over time.
Deviating asset growth: Asset Report | Search showing system notification warning messages with Vortex Asset IDs.
Deviating asset growth: log Source Report | Search showing the Asset Deviation Report category.


IBM Security QRadar Baseline Maintenance Content Extension 1.0.6

The following table shows the custom properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6.

Table 22. Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6
Name | Optimized | Capture Group | Regex
ObjectName | Yes | 1 | ObjectName: (.*)
Event Summary | Yes | 1 | sum=([^\t]+)
EventID | Yes | 1 | \d{1,2}\:\d{1,2}\:\d{1,2}\s+\d{1,4}\s+(\d+)
SSH Login Audit | Yes | 1 | \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*
Log Source Host | Yes | 1 | \s+hostName=(\S+)
VirusName | Yes | 1 | Virus Name: (.*?),
Audit Object ID | Yes | 1 | \s+id=(\S+)

The following table shows the rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6.

Table 23. Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6
Type | Name | Description
Building Block | BB:CategoryDefinition: Auditing Changed | Added new QIDs and removed some other QIDs.
Building Block | BB:CategoryDefinition: Successful Database Connections | Changed the name from BB:CategoryDefinition: Database Connections. Removed Oracle RDBMS Audit Record and added BB:DeviceDefinition: Database.
Building Block | BB:CategoryDefinition: Malicious Attacks | Changed the name from BB:Malicious Attacks. Edit this building block to define malicious attacks.
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack.
Rule | Destination Vulnerable to Detected Exploit on a Different Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port.
Rule | Destination Vulnerable to Different Exploit than Attempted on Targeted Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to some attack but not the one being attempted.

The following table shows the saved searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6.

Table 24. Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.6
Name | Description
SSH Logins | Search retrieving the SSH authentication successes on the QRadar system itself.
UI Logins | Search retrieving the UI authentication successes on the QRadar system itself.


IBM Security QRadar Baseline Maintenance Content Extension 1.0.5

The following table shows the custom properties that are updated in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 25. Custom Properties in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Name | Optimized | Capture Group | Regex
Events per Second Raw - Peak 1 Sec | Yes | 1 | StatFilter.+1s\:\d+\,\d+\s\(peak\s\d+\,(\d+)
Events per Second Coalesced - Peak 1 Sec | Yes | 1 | StatFilter.+1s\:\d+\,\d+\s\(peak\s(\d+)
AccountName | Yes | 2 | Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+

The following table shows the rules and building blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 26. Rules and Building Blocks in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Type | Name | Description
Building Block | BB:DeviceDefinition: IDS / IPS | Defines all intrusion detection systems (IDS) and intrusion prevention systems (IPS) on the system.
Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system.
Building Block | BB:DeviceDefinition: VPN | Defines all virtual private networks (VPN) on the system.
Building Block | BB:DeviceDefinition: Database | Defines all databases on the system.
Building Block | BB:DeviceDefinition: Proxy | Defines all proxy sources on the system.
Building Block | BB:DeviceDefinition: AV/AM | Defines all anti-virus (AV) and anti-malware (AM) systems on the system.
Building Block | BB:HostDefinition: Servers | Edit this building block to define generic servers.
Building Block | BB:Failed Events | Edit this building block to define failed events.
Building Block | BB:IT Admin Events | Edit this building block to define actions performed by IT admin staff.
Building Block | BB:External Contractor Policy Violation Events | Edit this building block to define policy violations caused by external contractors.
Building Block | BB:Mobile Worker Policy Violation Events | Edit this building block to define policy violations caused by mobile workers.
Building Block | BB:Teleworker Policy Violation Events | Edit this building block to define policy violations caused by teleworkers.
Building Block | BB:External Contractor Failed Events | Edit this building block to define failures caused by external contractors.
Building Block | BB:Mobile Worker Failed Events | Edit this building block to define failures caused by mobile workers.
Building Block | BB:Teleworker Failed Events | Edit this building block to define failures caused by teleworkers.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies Internet Control Message Protocol (ICMP) flows with suspicious ICMP type codes.
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows that use port 0.
Building Block | BB:CategoryDefinition: Privileged Escalations | Identifies a privilege escalation on an event.
Building Block | BB:CategoryDefinition: Privileged Escalation Failed | Identifies a failed privilege escalation on an event.
Building Block | BB:Malicious Attacks | Edit this building block to define malicious attacks.
Rule | Malware or Virus Clean Failed | Detects when a system detected a virus and failed to clean or remove it. Added the following new QIDs:
  • 42002845: Virus Detected, Actual action: Left alone
  • 42002836: Security risk found, Actual action: Left alone
  • 42002833: Security risk found, Actual action: All actions failed
  • 42003869: Virus Detected, Actual action: Actions failed
Rule | Vulnerabilities: Vulnerability Reported by Scanner | Detects when a vulnerability is discovered on a local host.
Rule | Policy: New Service Discovered | Detects when a new service is discovered on an existing host.
Rule | Policy: New Service Discovered in DMZ | Detects when a new service is discovered on an existing host in the DMZ.
Rule | Policy: New Host Discovered | Detects when a new host is discovered on the network.
Rule | Policy: New Host Discovered in DMZ | Detects when a new host is discovered in the DMZ.
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack.
Rule | Destination Vulnerable to Detected Exploit on a Different Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port.

The following table shows the reports in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 27. Reports in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Report Name | Search Name and Dependencies
Successful Login Events | Saved searches: SSH Logins, UI Logins. Reference set: QRadar Deployment. Edit the saved searches and the reference set to refine the results.

The following table shows the reference data in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 28. Reference Data in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Type | Name | Description
Reference Set | QRadar Deployment | List of QRadar IP addresses. This reference set is used by the UI Logins saved search. By default, it contains 127.0.0.1 and the range assigned to apps (169.254.3.1 to 169.254.3.10). Edit this list as needed.
Reference Map of Sets | CorrelatedAttackMap | Maps destination IP addresses to the QID.

The following table shows the saved searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5.

Table 29. Saved Searches in IBM Security QRadar Baseline Maintenance Content Extension 1.0.5
Name | Description
Deviating Asset Growth: Asset Report | This search shows system notification warning messages with Vortex Asset IDs.
Deviating Asset Growth: Log Source Report | This search shows the Asset Deviation Report category.
Firewall Deny by DST Port | This search shows firewall or ACL deny events from firewall, router, or switch devices, grouped by destination port.
UI Logins | This search shows UI logins.
SSH Logins | This search shows SSH logins.


IBM Security QRadar Baseline Maintenance Content Extension 1.0.4

Updates in IBM Security QRadar Baseline Maintenance Content Extension 1.0.4

Type | Name | Change description
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs:
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001965: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time
Building Block | BB:DeviceDefinition: Consumer Grade Routers | Added an identity check to improve performance. This building block now checks for a MAC address only on events that carry an identity.
Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated to include additional devices.
Rule | All Exploits Become Offenses | Reports leverage attacks on events. By default, this rule is disabled. Enable this rule if you want all events that are categorized as leverages to create an offense.
Rule | Flow Source Stopped Sending Flows | The events that this rule dispatches are now categorized as System > System Failure instead of Access > ACL Deny.
Rule | Device Stopped Sending Events (Firewall, IPS, VPN or Switch) | Fixed the import issue for this rule.
Report | Accessible files vulnerability | Updated this report so that it returns accessible file vulnerabilities only, instead of all vulnerabilities. Also replaced all occurrences of "fiiles" with "files" in this report.
Reference data | Asset Reconciliation IPv4 Blacklist, Asset Reconciliation NetBIOS Blacklist, Asset Reconciliation DNS Blacklist, and Asset Reconciliation MAC Blacklist | Sets a default 7-day expiry time on these four reference sets. After the extension is installed, all existing elements that were last seen more than 7 days ago are removed from the reference data. Change this default value to suit your needs and environment.


IBM Security QRadar Baseline Maintenance Content Extension 1.0.3

Updates in IBM QRadar Baseline Maintenance Content Extension 1.0.3

Type Name Change description
Rule / Building Block Recon Followed by Accept

Updated the Recon Followed by Accept rule in QRadar to use the BB:ReconDetected Basic Recon Rule building block and remove the All Recon Rules building block reference.

Old Rule:
Used as an extra mark if all the following rules match, in order, from the same source IP to any destination IP, over a 5-minute period:
  • BB:ReconDetected: All Recon Rules
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:DeviceDefinition: FW / Router / Switch
Updated Rule:
Used as an extra mark if all the following rules match, in order, from the same source IP to any destination IP, over a 5-minute period:
  • BB:ReconDetected: Basic Recon Rules
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:DeviceDefinition: FW / Router / Switch
Rule / Building Block DoS Events with High Magnitude Become Offenses

Updated the DoS Events with High Magnitude Become Offenses rule in QRadar to change the associated building block BB:CategoryDefinition: High Magnitude Events to trigger when the severity is greater than 7.

This change allows the offense to be generated on an event with a severity of 8, 9, or 10.

Rule / Building Block FalsePositive: False Positive Rules and Building Blocks

Updated the core FalsePositive: False Positive Rules and Building Blocks to remove three building blocks to reduce false negative rule triggers.

Old rule:
Apply FalsePositive: False Positive Rules and Building Blocks on events or flows that are detected by the local system, and when a flow or an event matches any of the following rules:
  • BB:FalsePositive: All Default False Positive BBs
  • BB:HostDefinition: VA Scanner Source IP
  • BB:NetworkDefinition: NAT Address Range
  • BB:HostDefinition: Proxy Servers
Updated rule:

Apply FalsePositive: False Positive Rules and Building Blocks on events or flows that are detected by the local system, and when a flow or an event matches BB:FalsePositive: All Default False Positive BBs

Rule / Building Block BB:FalsePositive: All Default False Positive BBs Added BB:HostDefinition: VA Scanner Source IP to the BB:FalsePositive: All Default False Positive BBs building block.
Rule / Building Block BB:HostDefinition: Proxy Servers

Updated Proxy Servers Host Definition to add a new line in the building block to check for the BB:PortDefinition: Proxy Ports Building Block.

Old Rule:

Apply BB:HostDefinition: Proxy Servers on events or flows that are detected by the local system, and when either the source or destination IP is 127.0.0.2.

Updated Rule:
Apply BB:HostDefinition: Proxy Servers on events or flows that are detected by the local system, and when the following conditions are met:
  • A flow or event matches BB:PortDefinition: Proxy Ports.
  • Either the source or destination IP is 127.0.0.2.
Rule / Building Block Multiple Login Failures to the Same Destination

Updated the Multiple Login Failures to the Same Destination rule to ensure that it does not generate false positives from proxy server events.

Old Rule:

Apply Multiple Login Failures to the Same Destination on events that are detected by the local system that match BB:CategoryDefinition: Authentication Failures, and when at least 10 events are seen that have the same Destination IP but different Source IPs and user names in a 5-minute period.

Updated Rule:
Apply Multiple Login Failures to the Same Destination on events that are detected by the local system that match BB:CategoryDefinition: Authentication Failures, and when at least 10 events are seen that have the same Destination IP but different Source IPs and user names in a 5-minute period, but NOT when an event matches any of the following building blocks:
  • BB:HostDefinition: Proxy Servers
  • BB:HostReference: Proxy Servers
Rule / Building Block Excessive Firewall Denies from Local Host

Updated the Excessive Firewall Denies from Local Host rule to ensure that it does not generate false positives from proxy server events.

Old Rule:

Apply Excessive Firewall Denies from Local Host on events that are detected by the local system, when the event context is Local to Local, or Local to Remote, and when an event matches either BB:CategoryDefinition: Firewall or ACL Denies with the same Source IP more than 40 times, across more than 40 Destination IPs within a 5-minute period.

Updated Rule:

Apply Excessive Firewall Denies from Local Host on events that are detected by the local system, when the event context is Local to Local, or Local to Remote, and when an event matches either BB:CategoryDefinition: Firewall or ACL Denies with the same Source IP more than 40 times, across more than 40 Destination IPs within a 5-minute period, but NOT when an event matches any of the following rules:
  • BB:HostDefinition: Proxy Servers
  • BB:HostReference: Proxy Servers
Rule / Building Block Policy: Large Outbound Transfer Slow Rate of Transfer and Policy: Large Outbound Transfer High Rate of Transfer

Updated the performance of both fast and slow data transfer policy rules. This update changes the order of the rule test to move this phrase: 'and when at least X flows are seen with the same Source IP, Destination IP in Y minutes' to the last line for both policy rules (slow transfer and fast transfer). The following updated rule example describes the rule change in more detail.

Old rule:
Apply Large Outbound Transfer Slow Rate of Transfer on flows that are detected by the local system when the following conditions are met:
  • The source bytes are greater than 20000.
  • At least 100 flows are seen with the same Source IP, Destination Port, and Destination IP in a 120-minute period.
  • The flow context is Local to Remote.
  • The flow bias is mostly outbound.
Updated rule:
Apply Large Outbound Transfer Slow Rate of Transfer on flows that are detected by the local system when the following conditions are met:
  • The source bytes are greater than 20000.
  • The flow context is Local to Remote.
  • The flow bias is mostly outbound.
  • At least 100 flows are seen with the same Source IP, Destination Port, and Destination IP in a 120-minute period.
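As an added illustration of why this reordering helps (example code written here, not IBM's or the extension's own), the following Python models the four tests of the Slow Rate of Transfer rule as a left-to-right AND chain that stops at the first failing test, with the "at least 100 flows in 120 minutes" test as a stateful sliding-window counter; that evaluation model and the flow records are assumptions constructed for the example. It runs the same constructed flows through the old and updated orders and reports how often the expensive counting test had to be consulted.

```python
from collections import defaultdict, deque

# Thresholds taken from the Large Outbound Transfer Slow Rate of Transfer rule text.
MIN_SRC_BYTES = 20000
MIN_FLOWS = 100
WINDOW_MIN = 120

class WindowCounter:
    """Sliding-window flow count per (Source IP, Destination Port, Destination IP):
    a simplified stand-in for the stateful 'at least X flows are seen in Y minutes' test."""

    def __init__(self, window_min, threshold):
        self.window_s = window_min * 60
        self.threshold = threshold
        self.buckets = defaultdict(deque)
        self.lookups = 0  # how many times the expensive, stateful test was consulted

    def seen_enough(self, flow):
        self.lookups += 1
        q = self.buckets[(flow["src_ip"], flow["dst_port"], flow["dst_ip"])]
        q.append(flow["ts"])
        while flow["ts"] - q[0] > self.window_s:  # evict flows older than the window
            q.popleft()
        return len(q) >= self.threshold

# Cheap, stateless tests: one field comparison each.
def src_bytes_test(flow, _counter):
    return flow["src_bytes"] > MIN_SRC_BYTES

def context_test(flow, _counter):
    return flow["context"] == "Local to Remote"

def bias_test(flow, _counter):
    return flow["bias"] == "mostly outbound"

def count_test(flow, counter):
    return counter.seen_enough(flow)

# Old rule: the counting test sat second; updated rule: it runs last.
OLD_ORDER = [src_bytes_test, count_test, context_test, bias_test]
NEW_ORDER = [src_bytes_test, context_test, bias_test, count_test]

def evaluate(order, flows):
    """Return (matching flows, expensive lookups) for one test order, assuming the
    tests are ANDed left to right and evaluation stops at the first failing test."""
    counter = WindowCounter(WINDOW_MIN, MIN_FLOWS)
    matches = sum(1 for f in flows if all(test(f, counter) for test in order))
    return matches, counter.lookups

def sample_flows():
    """Constructed flow records, one per minute per group (not real QRadar data)."""
    def group(n, src, dst, port, nbytes, context):
        return [{"ts": 60 * i, "src_ip": src, "dst_ip": dst, "dst_port": port,
                 "src_bytes": nbytes, "context": context, "bias": "mostly outbound"}
                for i in range(n)]
    return (group(150, "10.0.0.5", "203.0.113.10", 443, 50000, "Local to Remote")  # true hit
            + group(120, "10.0.0.5", "10.0.0.20", 445, 60000, "Local to Local")    # large, internal
            + group(50, "10.0.0.7", "198.51.100.9", 443, 500, "Local to Remote"))  # small transfers

if __name__ == "__main__":
    for name, order in (("old order", OLD_ORDER), ("new order", NEW_ORDER)):
        print(name, evaluate(order, sample_flows()))  # same matches, fewer lookups with new order
```

Both orders flag the same 51 flows, but the old order consults the counter for every large internal flow as well, so the stateless tests in front of it do the filtering for free.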
Rule / Building Block Updated reference set rule responses for all Asset Reconciliation Exclusion rules
This change updates the rule response for Asset Exclusion rules to ensure that identity data is added to the correct reference set blacklist when the rule response triggers. The following rules were updated to include this change:
  • AssetExclusion: Exclude DNS Name by IP
  • AssetExclusion: Exclude DNS Name by MAC Address
  • AssetExclusion: Exclude DNS Name by NetBIOS Name
  • AssetExclusion: Exclude IP by DNS Name
  • AssetExclusion: Exclude IP by MAC Address
  • AssetExclusion: Exclude IP by NetBIOS Name
  • AssetExclusion: Exclude MAC Address by DNS Name
  • AssetExclusion: Exclude MAC Address by IP
  • AssetExclusion: Exclude MAC Address by NetBIOS Name
  • AssetExclusion: Exclude NetBIOS Name by DNS Name
  • AssetExclusion: Exclude NetBIOS Name by IP
  • AssetExclusion: Exclude NetBIOS Name by MAC Address

IBM Security QRadar Baseline Maintenance Content Extension 1.0.2

Type Name Change description
Saved search Flow Rate (FPS)

Updated the Flow Rate (FPS) saved search from a count function to an FPS function by changing the search value from Count to Average.

Old:

Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Count)

New:

Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Average)

Dashboard Added 'Top 10 Flow Source Results By Flows per Second - Peak 1 Min (Average)' to the System Monitoring Dashboard.

The corrected Flow Rate Results (FPS) saved search is added to the System Monitoring dashboard for all users.

This graph displays on the Log Activity tab as Top 10 Flow Source (custom) Results By Flows per Second - Peak 1 Min (custom) (Average).

Report System Summary Updated the System Summary report, which has a dependency on the Flow Rate (FPS) search results.

Included in the content pack as a dependency:
Saved search Event Rate (EPS) No updates. Dependent on another property and must be included in the extension framework.
Saved search Offenses Over Time No updates. Dependent on another property and must be included in the extension framework.
Saved search Link Utilization No updates. Dependent on another property and must be included in the extension framework.
Saved search Event Processor Distribution No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(flows per second - peak 1 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(flows per second - average 15 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(events per second coalesced - average 1 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References AVG(events per second raw - average 1 min) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Offenses Over Time - SUM(dormant offense count) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Offenses Over Time - SUM(active offense count) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Event Processor Distribution - Count No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Event Processor Distribution - Sum(eventCount) No updates. Dependent on another property and must be included in the extension framework.
Accumulator References Event Processor Distribution - UniqueCount(device) No updates. Dependent on another property and must be included in the extension framework.
Custom Property Flow Source: SourceMonitor.+\[NOT\:\d+\]\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\] No updates. Dependent on another property and must be included in the extension framework.
Custom Property Flows per Second - Average 15 Min: SourceMonitor.+900s\:\s\([\d|\.]+\)\:\(([\d|\.]+)\) No updates. Dependent on another property and must be included in the extension framework.
Custom Property Parent \[parent=(.+?)\].+StatFilter No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Coalesced - Peak 1 Sec: StatFilter.+1s\:(\d+)\,\d+\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Raw - Peak 1 Sec: StatFilter.+1s\:\d+\,(\d+)\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Coalesced - Average 1 Min: StatFilter.+60s\:(\d+)\,\d+\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Events per Second Raw - Average 1 Min: StatFilter.+60s\:\d+\,(\d+)\s No updates. Dependent on another property and must be included in the extension framework.
Custom Property Dormant Offense Count: \,\sdormant\:\s(\d+)\, No updates. Dependent on another property and must be included in the extension framework.
Custom Property Active Offense Count: \,\sactive\:\s(\d+)\, No updates. Dependent on another property and must be included in the extension framework.
Dashboard System Monitoring: 5 (system) 10 (admin) No updates. Dependent on another property and must be included in the extension framework.
FGroup Configuration and Change Management No updates. Dependent on another property and must be included in the extension framework.
FGroup System Monitoring (Information, Failures and Errors) No updates. Dependent on another property and must be included in the extension framework.
FGroup Network Monitoring and Management No updates. Dependent on another property and must be included in the extension framework.

IBM Security QRadar Baseline Maintenance Content Extension 1.0.1

Rules and building blocks that are updated in IBM Security QRadar Baseline Maintenance Content Extension 1.0.1

Type Name Change Description
Rule First-Time User Access to Critical Asset Added the rule test "user name is not N/A" to the "First-Time User Access" rule.
Rule Remote SSH Server Scanner Corrected the rule test order by moving the following test to the last position: "and when BB:CategoryDefinition: Recon Events, BB:CategoryDefinition: Suspicious Events with the same Source IP more than five times, across more than 29 Destination IPs within 10 minutes".
Building Block BB:Suspicious: Remote: Unidirectional UDP or Misc Flows

Corrects the following building block in the rule test:

Old:

and when BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows match at least 15 times in 1 minute

Updated:

and when BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows match at least 15 times in 1 minute

Rule BB:Suspicious: Local: Unidirectional UDP or Misc Flows

Corrects the following building block in the rule test:

Old:

and when BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows match at least 15 times in 1 minute

Updated:

and when BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows match at least 15 times in 1 minute

Rule BB:External Contractor Policy Violation Events

Resolves a rule test order issue by moving the Reference Set look-up to the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:External Contractor Failed Events

Resolves a rule test order issue by moving the Reference Set look-up to the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Mobile Worker Policy Violation Events

Resolves a rule test order issue by moving the Reference Set look-up to the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Mobile Worker Failed Events

Resolves a rule test order issue by moving the Reference Set look-up to the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Teleworker Policy Violation Events

Resolves a rule test order issue by moving the Reference Set look-up to the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:Teleworker Failed Events

Resolves a rule test order issue by moving the Reference Set look-up to the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric
Rule BB:IT Admin Events

Resolves a rule test order issue by moving the Reference Set look-up to the last rule test.

Correct order:
  • Apply BB:External Contractor Policy Violation Events on events that are detected by the local system
  • and when the event category for the event is Policy.Application Policy Violation
  • and when any user name is contained in External Contractor - AlphaNumeric

IBM Security QRadar Baseline Maintenance Content Extension 1.0.0

QRadar rules and building blocks that are updated in IBM Security QRadar Baseline Maintenance Content Extension 1.0.0

Category Name Description of change
X-Force Rule X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM Updated rule to resolve a performance issue.
Custom Event Property Events per Second Raw - Peak 1 Sec Updated regex to StatFilter to use: +1s\:\d+\,\d+ \(peak \d+\,(\d+)
Building Block BB:CategoryDefinition: Authentication to Disabled Account Added QID 5000475: Failure Audit: An account failed to log on.
Building Block BB:CategoryDefinition: Authentication to Expired Account
Added the following two QIDs:
  • 5001653: An account failed to log on. The specified account's password expired.
  • 5001654: The domain controller failed to validate the credentials for an account.
Building Block BB:DeviceDefinition: Consumer Grade Routers Added a rule test: BB:DeviceDefinition: DHCP Server
Rule Anomaly: Excessive Firewall Accepts Across Multiple Hosts Added a rule test: BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule Botnet: Potential Botnet Connection (DNS) Added a rule test: BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule Recon: Recon Followed by Accept Added a rule test: BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule Policy: Host has well-known vulnerability Updated user interface name and rule text description.
Rule Exploit: Destination Vulnerable to Detected Exploit Updated user interface name and rule text description.
Rule Exploit: Destination Vulnerable to Detected Exploit on a Different Port Updated user interface name and rule text description.
Rule Large Outbound Transfer High Rate of Transfer Updated user interface name and rule text description.
Rule Large Outbound Transfer Slow Rate of Transfer Updated user interface name and rule text description.
Rule Source Network Weight is High Updated user interface name and rule text description.
Rule Source Network Weight is Medium Updated user interface name and rule text description.
Rule Source Network Weight is Low Updated user interface name and rule text description.
Rule Destination Network Weight is High Updated user interface name and rule text description.
Rule Destination Network Weight is Medium Updated user interface name and rule text description.
Rule Destination Network Weight is Low Updated user interface name and rule text description.
Rule Multiple Exploit Types Against Single Destination Updated user interface name and rule text description.
Building Block BB:HostDefinition: DNS Servers No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:HostDefinition: Servers No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:HostDefinition: DHCP Servers No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:ReconDetected: All Recon Rules No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Exploits Backdoors and Trojans No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Firewall or ACL Accept No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Firewall or ACL Denies No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:DeviceDefinition: FW / Router / Switch No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Any Flow No updates. Dependent on another rule and must be included in the extension framework.
