Good Practice Guide 13 (GPG13)
Use the IBM® QRadar® GPG13 Content Extension to help ensure GPG13 compliance.
- IBM Security QRadar GPG13 Content Extension 1.1.0
- IBM Security QRadar GPG13 Content Extension 1.0.6
- IBM Security QRadar GPG13 Content Extension 1.0.5
- IBM Security QRadar GPG13 Content Extension 1.0.4
- IBM Security QRadar GPG13 Content Extension 1.0.3
- IBM Security QRadar GPG13 Content Extension 1.0.2
- IBM Security QRadar GPG13 Content Extension 1.0.1
- IBM Security QRadar GPG13 Content Extension 1.0.0
IBM Security QRadar GPG13 Content Extension 1.1.0
The following table shows the building blocks and rules that are updated in IBM Security QRadar GPG13 Content Extension 1.1.0.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Failed Object Accesses | Rule condition updated to use a category instead of a QID. Renamed. Used to be called BB:CategoryDefinition: Failed File Accesses. |
Rule | Configuration Change Made to Device in Perimeter Network | Added the BB:DeviceDefinition: VPN building block to the rule condition. Renamed. Used to be called Configuration Change Made to Device in Perimeter network. |
Rule | Configuration Changes Made to Endpoint Protection Devices | Renamed. Used to be called Configuration Changes Made to AV/Malware Devices. |
Rule | Failed VPN Accesses | Renamed. Used to be called Failed VPN Acceses. |
Rule | Object Access Failure | Renamed. Used to be called File System Access Failure. |
Rule | Packets Dropped by Perimeter Network Devices | Added the BB:DeviceDefinition: VPN building block to the rule condition. |
Rule | User Authentication Failures on Internal Systems | Added the BB:DeviceDefinition: VPN building block to the rule condition. |
Rule | User Authentication Failures on Perimeter Systems | Added the BB:DeviceDefinition: VPN building block to the rule condition. |
Rule | User Sessions on non-Perimeter Devices | Added the BB:DeviceDefinition: VPN building block to the rule condition. |
The following rules and building blocks are removed in IBM Security QRadar GPG13 Content Extension 1.1.0.
- BB:CategoryDefinition: Application or Service Installed or Modified
- BB:CategoryDefinition: Authentication Failures
- BB:CategoryDefinition: Authentication Success
- BB:CategoryDefinition: Authentication to Disabled Account
- BB:CategoryDefinition: Authentication to Expired Account
- BB:CategoryDefinition: Logout Events
- BB:CategoryDefinition: SIEM User and Role Modifications
- BB:DeviceDefinition: FW / Router / Switch
- BB:DeviceDefinition: IDS / IPS
- BB:DeviceDefinition: VPN
- BB:HostDefinition: Database Servers
- BB:HostDefinition: DHCP Servers
- BB:HostDefinition: DNS Servers
- BB:HostDefinition: FTP Servers
- BB:HostDefinition: LDAP Servers
- BB:HostDefinition: Mail Servers
- BB:HostDefinition: Network Management Servers
- BB:HostDefinition: Protected Assets
- BB:HostDefinition: Proxy Servers
- BB:HostDefinition: RPC Servers
- BB:HostDefinition: Servers
- BB:HostDefinition: SNMP Sender or Receiver
- BB:HostDefinition: SSH Servers
- BB:HostDefinition: Virus Definition and Other Update Servers
- BB:HostDefinition: Web Servers
- BB:HostDefinition: Windows Servers
- BB:PortDefinition: Database Ports
- BB:PortDefinition: DHCP Ports
- BB:PortDefinition: DNS Ports
- BB:PortDefinition: FTP Ports
- BB:PortDefinition: LDAP Ports
- BB:PortDefinition: Mail Ports
- BB:PortDefinition: P2P Ports
- BB:PortDefinition: RPC Ports
- BB:PortDefinition: SNMP Ports
- BB:PortDefinition: SSH Ports
- BB:PortDefinition: Web Ports
- BB:PortDefinition: Windows Ports
- BB:ProtocolDefinition: Windows Protocols
- Device Stopped Sending Events
- Device Stopped Sending Events (Firewall, IPS, VPN or Switch)
The GPG13 (PMC4) Failing File System Access Attempts (Daily) report is now called GPG13 (PMC4) Failing Object Access Attempts (Daily).
The File System Access Failures in the last 24 hours saved search is now called Object Access Failures in the last 24 hours.
IBM Security QRadar GPG13 Content Extension 1.0.6
The following table shows the custom properties that are updated in IBM Security QRadar GPG13 Content Extension 1.0.6.
Custom Property | Capture Group | Optimized | Regex |
---|---|---|---|
GroupID | 1 | Yes | Group ID[:\s\\=]*(\d+) |
IBM Security QRadar GPG13 Content Extension 1.0.5
The following rules and building blocks are removed in IBM Security QRadar GPG13 Content Extension 1.0.5.
- BB:DeviceDefinition: AntiVirus
- User Privilege Changes on Protected Assets
- VPN Session Tracking
IBM Security QRadar GPG13 Content Extension 1.0.4
The following table shows the custom properties that are updated in IBM Security QRadar GPG13 Content Extension 1.0.4.
Custom Property | Capture Group | Optimized | Regex |
---|---|---|---|
GroupID | 1 | No | Group ID[:\s\\=]*(\d+) |
IBM Security QRadar GPG13 Content Extension 1.0.3
The following table shows the custom properties in IBM Security QRadar GPG13 Content Extension 1.0.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
SSH Login Audit | Yes | 1 | \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .* |
Log Source Host | Yes | 1 | \s+hostName=(\S+) |
Audit Object ID | Yes | 1 | \s+id=(\S+) |
IBM Security QRadar GPG13 Content Extension 1.0.2
The following table shows the building blocks that are updated in IBM Security QRadar GPG13 Content Extension 1.0.2.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: IDS / IPS | Updated building block with IDS/IPS devices. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices. |
Building Block | BB:DeviceDefinition: VPN | Updated building block with VPN devices. |
Building Block | BB:HostDefinition: Proxy Servers | Added BB:PortDefinition: Proxy Ports to the rule test. |
Building Block | BB:HostDefinition: Servers | Updated building block with server definition. |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs: |
IBM Security QRadar GPG13 Content Extension 1.0.1
The following table shows the building block that is updated in IBM Security QRadar GPG13 Content Extension 1.0.1.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
IBM Security QRadar GPG13 Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar GPG13 Content Extension 1.0.0.
Name | Regex |
---|---|
Audit Object ID | \s+id=(\S+) |
AccountDomain | Target Domain: (.*?) |
AccountID | Target Account ID: (.*?) |
Computer | \s+Computer=(\S+) |
Version | \s+Version:\s+(\S+) |
GroupID | Group ID: (\d+) |
ChangedAttributes | Changed Attributes: (.*) |
Log Source Hostname | \s+hostName=(\S+) |
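The custom property tables above (1.0.0, 1.0.3, and the GroupID update in 1.0.4/1.0.6) only list a regex and a capture group; they do not show what each one actually pulls out of an event. The script below is an added example, not IBM's code and not how QRadar's Java-based extraction engine is implemented: it emulates a regex custom property with Python's `re` (first match, capture group 1) and runs the page's regexes over constructed sample payloads. It also puts the 1.0.0 GroupID regex next to the 1.0.4/1.0.6 one to show which field spellings each accepts, and exercises two edge cases a practitioner should know about when testing these properties: a lazy `(.*?)` with nothing after it captures an empty string, and the `\s+hostName=` and `\s+id=` patterns need whitespace before the key, so a key at the very start of the payload is not matched. All sample events, hostnames and values are constructed for this example.

```python
import re

# Custom property regexes copied from the tables above; capture group 1 is the
# extracted value in every case. GroupID uses the 1.0.4/1.0.6 form.
CUSTOM_PROPERTIES = {
    "Audit Object ID": r"\s+id=(\S+)",
    "AccountDomain": r"Target Domain: (.*?)",
    "AccountID": r"Target Account ID: (.*?)",
    "Computer": r"\s+Computer=(\S+)",
    "Version": r"\s+Version:\s+(\S+)",
    "GroupID": r"Group ID[:\s\\=]*(\d+)",
    "ChangedAttributes": r"Changed Attributes: (.*)",
    "Log Source Hostname": r"\s+hostName=(\S+)",
    "SSH Login Audit": r"\[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*",
}

# The 1.0.0 form of GroupID, kept so the two versions can be compared.
GROUPID_V100 = r"Group ID: (\d+)"


def extract(regex: str, event: str, group: int = 1):
    """Emulate a regex custom property: first match, one capture group.

    Returns the captured text, or None when the regex does not match.
    (Emulation with Python's re; QRadar's own engine is not used here.)
    """
    m = re.search(regex, event)
    return m.group(group) if m else None


def extract_all(event: str) -> dict:
    """Apply every custom property regex from the tables to one payload."""
    return {name: extract(rx, event) for name, rx in CUSTOM_PROPERTIES.items()}


def compare_groupid(event: str):
    """Return (1.0.0 GroupID result, 1.0.4/1.0.6 GroupID result)."""
    return extract(GROUPID_V100, event), extract(CUSTOM_PROPERTIES["GroupID"], event)


# --- Constructed sample payloads (not real QRadar events) -------------------

# Windows-style payload as a log source might forward it (constructed).
WINDOWS_EVENT = (
    "AgentDevice=WindowsLog Computer=dc01.example.test Version: 6.1 "
    "Message=A member was added to a group. "
    "Target Account ID: S-1-5-21-1-2-3-1105 Target Domain: EXAMPLE "
    "Group ID: 1108 Changed Attributes: member, description"
)

# The same GroupID field written three different ways (constructed).
GROUPID_VARIANTS = {
    "colon": "Group ID: 1108",
    "equals": "Group ID=1108",
    "tab": "Group ID\t1108",
}

# Audit-style payload carrying hostName and id (constructed).
AUDIT_EVENT = "Jan  1 00:00:00 qradar-console hostName=qradar-ec01 id=4242 action=view"

# Same keys, but hostName sits at the very start of the payload (constructed).
AUDIT_EVENT_NO_LEADING_SPACE = "hostName=qradar-ec01 id=4242"

# SSH audit-style payload shaped to match the SSH Login Audit regex (constructed).
SSH_EVENT = "[Authentication] [User] [LoginAttempt] alice from 192.0.2.10 on host bastion01"


if __name__ == "__main__":
    for name, value in extract_all(WINDOWS_EVENT).items():
        print(f"{name:20s} -> {value!r}")
    for label, text in GROUPID_VARIANTS.items():
        print(f"GroupID ({label}): 1.0.0 / 1.0.4+ = {compare_groupid(text)}")
    print("hostName (leading space):", extract_all(AUDIT_EVENT)["Log Source Hostname"])
    print("hostName (no leading space):",
          extract_all(AUDIT_EVENT_NO_LEADING_SPACE)["Log Source Hostname"])
    print("SSH Login Audit:", extract_all(SSH_EVENT)["SSH Login Audit"])
```

Running it shows `AccountDomain` and `AccountID` come back as empty strings rather than `EXAMPLE` and the SID, because a lazy `(.*?)` with no following anchor matches as little as possible. It also shows the 1.0.0 GroupID regex failing on `Group ID=1108` and `Group ID<TAB>1108` while the 1.0.4/1.0.6 regex extracts `1108` from all three spellings, which is the practical effect of that update. When validating custom properties against your own log sources, test each regex against payloads in every spelling the source emits, not just the one the property was written for.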
The following table shows the rules and building blocks that are in IBM Security QRadar GPG13 Content Extension 1.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Access Denied | Defines events in different Access Denied categories. |
Building Block | BB:CategoryDefinition: Account Lockout Events | Defines account lockout events. |
Building Block | BB:CategoryDefinition: Accountable User Activities | Defines accountable user activity events such as backup activity, and general audit events. |
Building Block | BB:CategoryDefinition: Backup and Restore Events | Defines backup and restore events. |
Building Block | BB:CategoryDefinition: Backup Categories | Defines backup categories. |
Building Block | BB:CategoryDefinition: Backup Events | Defines backup events. |
Building Block | BB:CategoryDefinition: Changed File or Folder Access Rights | Defines permission change on a file or folder events. |
Building Block | BB:CategoryDefinition: CISCO Session Events | Defines Cisco session events. |
Building Block | BB:CategoryDefinition: Failed File Accesses | Defines file access failed events. |
Building Block | BB:CategoryDefinition: Failure Service or Hardware | Defines event categories that indicate failures within services or hardware. |
Building Block | BB:CategoryDefinition: Log File Manipulation Events | Defines log file manipulation events. |
Building Block | BB:CategoryDefinition: Service Started | Defines service started events. |
Building Block | BB:CategoryDefinition: Service Status Change Events | Defines service status change events. |
Building Block | BB:CategoryDefinition: Service Stopped | Defines service stopped events. |
Building Block | BB:CategoryDefinition: Session Closed | Defines all Session Closed events by categories. |
Building Block | BB:CategoryDefinition: Session Opened | Defines all Session Opened events by categories. |
Building Block | BB:CategoryDefinition: SIEM Authentication | Defines SIEM Audit user authentication events. |
Building Block | BB:CategoryDefinition: SIEM Authentication Failures | Defines SIEM authentication failure events. |
Building Block | BB:CategoryDefinition: SIEM IP Lockouts | Defines SIEM IP lockout event. |
Building Block | BB:CategoryDefinition: Superuser Accounts | Defines events from superuser accounts. |
Building Block | BB:CategoryDefinition: System or Device Configuration Change | Defines system or device configuration change events. |
Building Block | BB:CategoryDefinition: System Start/Stop Events | Defines system start or stop events. |
Building Block | BB:CategoryDefinition: System Status Change Events | Defines system status change events. |
Building Block | BB:CategoryDefinition: VoIP Session Opened | Defines events that indicate the start of a VoIP session. |
Building Block | BB:CategoryDefinition: VPN Access Denied | Defines VPN events that are considered denied access. |
Building Block | BB:CategoryDefinition: VPN Status Changes | Defines VPN status change events. |
Building Block | BB:Compliance: Session Tracking | Defines session tracking events. |
Building Block | BB:Compliance: SIEM Detection Configuration Changes | Defines SIEM detection configuration change events. |
Building Block | BB:DeviceDefinition: Perimeter Network Devices | Defines perimeter network devices. Note: Populate the Perimeter Network Devices log source group with applicable log sources. |
Building Block | BB:External Contractor Failed Events | Defines failures caused by external contractors. |
Building Block | BB:External Contractor Policy Violation Events | Defines policy violations caused by external contractors. |
Building Block | BB:Failed Events | Defines failed events. |
Building Block | BB:CategoryDefinition: Failed File Accesses | Defines object access failed events. |
Building Block | BB:HostBased: Critical Events | Defines event categories that indicate critical events. |
Building Block | BB:IT Admin Events | Defines actions performed by IT Admin staff. |
Building Block | BB:Mobile Worker Failed Events | Defines failures caused by mobile workers. |
Building Block | BB:Mobile Worker Policy Violation Events | Defines policy violations caused by mobile workers. |
Building Block | BB:Review Of Access Rights | Defines actions performed by administrators on users. |
Building Block | BB:Teleworker Failed Events | Defines failures caused by teleworkers. |
Building Block | BB:Teleworker Policy Violation Events | Defines policy violations caused by teleworkers. |
Building Block | BB:VMware: Session Activity | Defines VMware session activity events. |
Rule | Blocked Inbound File Transfer on Perimeter | Triggers when there is a blocked attempt to communicate to a Perimeter Device on a port usually used to transfer files. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | Blocked Outbound File Transfer on Perimeter | Triggers when there is a blocked attempt to communicate from a Perimeter Device on a port usually used to transfer files. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | Configuration Change Made to Device in Perimeter network | Triggers when an event categorized as a configuration modification is observed on a perimeter device. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | Configuration Changes Made to AV/Malware Devices | Triggers when an event categorized as a configuration modification is observed on an endpoint protection device. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | Critical Server Messages | Triggers when an event categorized as an emergency or critical is observed. |
Rule | Failed VPN Acceses | Triggers when an authentication failure, an authentication attempt to a disabled account or an authentication attempt to a disabled account is detected. |
Rule | File System Access Failure | Triggers when access to an object is denied. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | Packets Dropped by Perimeter Network Devices | Triggers when traffic is denied by a perimeter device. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | Service Stopped and not Restarted | Triggers when a service has been stopped on a system and not restarted. |
Rule | User Authentication Failures on Internal Systems | Triggers when an authentication failure is observed on a device that is not a perimeter one. |
Rule | User Authentication Failures on Perimeter Systems | Triggers when an authentication failure is observed on a device that is a perimeter one. |
Rule | User Privilege Changes on Protected Assets | Triggers when rights are assigned or removed for a user on an asset that is in the Protected Assets Building Block. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | User Responsibilities and Password Use | Triggers when a user account is locked out. |
Rule | User Sessions on non-Perimeter Devices | Tracks session opening and closure on non-perimeter devices. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
Rule | VPN Session Tracking | Tracks session opening and closure on VPN devices. Tune the rule to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because the rule is likely to match a high number of events. |
The following reports are included in IBM Security QRadar GPG13 Content Extension 1.0.0.
- GPG13 (PMC3) User Authentication Failures on Boundary Systems (Daily)
- GPG13 (PMC3) Packets Being Dropped by Boundary Firewalls (Daily)
- GPG13 (PMC7) Recording of session activity by user and workstation - Review Access Rights (Daily)
- GPG13 (PMC7) Accountable User Activites or Transactions (Daily)
- GPG13 (PMC4) Host Messages at Critical and Above (Daily)
- GPG13 (PMC7) Network Account Status Changes (Daily)
- GPG13 (PMC5) User Authentication Failures on Internal Monitoring Systems (Daily)
- GPG13 (PMC8) Backup and Restore Events
- GPG13 (PMC2) Configuration and Signature Changes in Boundary Devices
- GPG13 (PMC6) VPN User Session Activity (Daily)
- GPG13 (PMC4) Changes to File or Path Access Rights (Daily)
- GPG13 (PMC4) Changes in System Status (Daily)
- GPG13 (PMC9) Configuration Changes to SIEM, Alerts, Rules (Daily)
- GPG13 (PMC6) Changes in Status of VPN Node Registration (Daily)
- GPG13 (PMC7) Use of Administrative Facilities (Daily)
- GPG13 (PMC4) Configuration Changes to AV/Malware Devices (Daily)
- GPG13 (PMC7) User Network Account Status Change (Daily)
- GPG13 (PMC4) Failing File System Access Attempts (Daily)
- GPG13 (PMC10) Log File Resets, Errors and Threshold Conditions
- GPG13 (PMC2) Blocked Inbound File Transfers at the Boundary (Daily)
- GPG13 (PMC7) Changes in Privilege Status on Critical Assets (Daily)
- GPG13 (PMC4) Changes in Service Status (Daily)
- GPG13 (PMC6) Unsuccessful VPN Node Registrations (Daily)
- GPG13 (PMC3) Changes in status of external attack recognition software (Daily)
- GPG13 (PMC2) Blocked Outbound File Transfers at the Boundary (Daily)
- GPG13 (PMC3) User Sessions on Boundary Devices (Daily)
- GPG13 (PMC5) User Sessions on Internal Devices (Daily)
- GPG13 (PMC7) User Network Sessions (Daily)
- GPG13 (PMC4) Changes to any host A/V signature base
The following saved searches are included in IBM Security QRadar GPG13 Content Extension 1.0.0.
- Packets Dropped by Perimeter Network Devices in the last 24 hours
- User Authentication Failures on Perimeter Systems by User in the last 24 hours
- Compliance: System Status Change Events
- Critical Server Messages in the last 24 hours
- Compliance: Changed File or Folder Access Rights
- Compliance: Administrator Authentications and Sessions
- Packets Dropped by Perimeter Network Devices by Source and Destination IP in the last 24 hours
- Backup and Restore Events
- User Authentication Failures on Perimeter Systems in the last 24 hours
- Compliance: Windows Host A/V Signature Changes
- Log File Manipulation Events in the last 24 hours
- File System Access Failures in the last 24 hours
- Compliance: Network Account Status Changes
- Compliance: Blocked Outbound Transfer
- Compliance: Failed VPN Accesses
- Review of Access Rights, SIEM
- Compliance: Accountable User Activity Events
- Compliance: Blocked Inbound Transfers
- User Authentication Failures on Internal Monitoring Systems in the last 24 hours
- Compliance: User Privilege Change Events on Protected Assets
- Compliance: VPN SessionTracking Events
- Compliance: Service Status Change Events
- Compliance: VPN Status Change Events
- Review of Access Rights, Windows
- Compliance: SIEM Configuration Changes
- Compliance: All User Sessions
- Review of Access Rights, Network
- Compliance: Internal User Sessions
- GPG13 (PMC7) - Review of Access Rights
- Configuration and Signature Changes Made to Perimeter Devices
- Compliance: SIEM Detection Configuration Changes
- Compliance: Perimeter Device User Sessions
- Compliance: Configuration Change Events on AV/Malware Devices