Good Practice Guide 13 (GPG13)

Use the IBM® QRadar® GPG13 Content Extension to help ensure GPG13 compliance.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar GPG13 Content Extension 1.1.0

The following table shows the building blocks and rules that are updated in IBM Security QRadar GPG13 Content Extension 1.1.0.

Table 1. Building Blocks and Rules in IBM Security QRadar GPG13 Content Extension 1.1.0
Type | Name | Description
Building Block | BB:CategoryDefinition: Failed Object Accesses | Rule condition updated to use a category instead of a QID. Renamed. Used to be called BB:CategoryDefinition: Failed File Accesses.
Rule | Configuration Change Made to Device in Perimeter Network | Added the BB:DeviceDefinition: VPN building block to the rule condition. Renamed. Used to be called Configuration Change Made to Device in Perimeter network.
Rule | Configuration Changes Made to Endpoint Protection Devices | Renamed. Used to be called Configuration Changes Made to AV/Malware Devices.
Rule | Failed VPN Accesses | Renamed. Used to be called Failed VPN Acceses.
Rule | Object Access Failure | Renamed. Used to be called File System Access Failure.
Rule | Packets Dropped by Perimeter Network Devices | Added the BB:DeviceDefinition: VPN building block to the rule condition.
Rule | User Authentication Failures on Internal Systems | Added the BB:DeviceDefinition: VPN building block to the rule condition.
Rule | User Authentication Failures on Perimeter Systems | Added the BB:DeviceDefinition: VPN building block to the rule condition.
Rule | User Sessions on non-Perimeter Devices | Added the BB:DeviceDefinition: VPN building block to the rule condition.

The following rules and building blocks are removed in IBM Security QRadar GPG13 Content Extension 1.1.0.

  • BB:CategoryDefinition: Application or Service Installed or Modified
  • BB:CategoryDefinition: Authentication Failures
  • BB:CategoryDefinition: Authentication Success
  • BB:CategoryDefinition: Authentication to Disabled Account
  • BB:CategoryDefinition: Authentication to Expired Account
  • BB:CategoryDefinition: Logout Events
  • BB:CategoryDefinition: SIEM User and Role Modifications
  • BB:DeviceDefinition: FW / Router / Switch
  • BB:DeviceDefinition: IDS / IPS
  • BB:DeviceDefinition: VPN
  • BB:HostDefinition: Database Servers
  • BB:HostDefinition: DHCP Servers
  • BB:HostDefinition: DNS Servers
  • BB:HostDefinition: FTP Servers
  • BB:HostDefinition: LDAP Servers
  • BB:HostDefinition: Mail Servers
  • BB:HostDefinition: Network Management Servers
  • BB:HostDefinition: Protected Assets
  • BB:HostDefinition: Proxy Servers
  • BB:HostDefinition: RPC Servers
  • BB:HostDefinition: Servers
  • BB:HostDefinition: SNMP Sender or Receiver
  • BB:HostDefinition: SSH Servers
  • BB:HostDefinition: Virus Definition and Other Update Servers
  • BB:HostDefinition: Web Servers
  • BB:HostDefinition: Windows Servers
  • BB:PortDefinition: Database Ports
  • BB:PortDefinition: DHCP Ports
  • BB:PortDefinition: DNS Ports
  • BB:PortDefinition: FTP Ports
  • BB:PortDefinition: LDAP Ports
  • BB:PortDefinition: Mail Ports
  • BB:PortDefinition: P2P Ports
  • BB:PortDefinition: RPC Ports
  • BB:PortDefinition: SNMP Ports
  • BB:PortDefinition: SSH Ports
  • BB:PortDefinition: Web Ports
  • BB:PortDefinition: Windows Ports
  • BB:ProtocolDefinition: Windows Protocols
  • Device Stopped Sending Events
  • Device Stopped Sending Events (Firewall, IPS, VPN or Switch)

The GPG13 (PMC4) Failing File System Access Attempts (Daily) report is now called GPG13 (PMC4) Failing Object Access Attempts (Daily).

The File System Access Failures in the last 24 hours saved search is now called Object Access Failures in the last 24 hours.

IBM Security QRadar GPG13 Content Extension 1.0.6

The following table shows the custom properties that are updated in IBM Security QRadar GPG13 Content Extension 1.0.6.

Table 2. Updated Custom Properties in IBM Security QRadar GPG13 Content Extension 1.0.6
Custom Property | Capture Group | Optimized | Regex
GroupID | 1 | Yes | Group ID[:\s\\=]*(\d+)

IBM Security QRadar GPG13 Content Extension 1.0.5

The following rules and building blocks are removed in IBM Security QRadar GPG13 Content Extension 1.0.5.

  • BB:DeviceDefinition: AntiVirus
  • User Privilege Changes on Protected Assets
  • VPN Session Tracking

IBM Security QRadar GPG13 Content Extension 1.0.4

The following table shows the custom properties that are updated in IBM Security QRadar GPG13 Content Extension 1.0.4.

Table 3. Updated Custom Properties in IBM Security QRadar GPG13 Content Extension 1.0.4
Custom Property | Capture Group | Optimized | Regex
GroupID | 1 | No | Group ID[:\s\\=]*(\d+)

IBM Security QRadar GPG13 Content Extension 1.0.3

The following table shows the custom properties in IBM Security QRadar GPG13 Content Extension 1.0.3.

Table 4. Custom Properties in IBM Security QRadar GPG13 Content Extension 1.0.3
Name | Optimized | Capture Group | Regex
SSH Login Audit | Yes | 1 | \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*
Log Source Host | Yes | 1 | \s+hostName=(\S+)
Audit Object ID | Yes | 1 | \s+id=(\S+)

IBM Security QRadar GPG13 Content Extension 1.0.2

The following table shows the building blocks that are updated in IBM Security QRadar GPG13 Content Extension 1.0.2.

Table 5. Building Blocks in IBM Security QRadar GPG13 Content Extension 1.0.2
Type | Name | Description
Building Block | BB:DeviceDefinition: IDS / IPS | Updated building block with IDS/IPS devices.
Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices.
Building Block | BB:DeviceDefinition: VPN | Updated building block with VPN devices.
Building Block | BB:HostDefinition: Proxy Servers | Added BB:PortDefinition: Proxy Ports to the rule test.
Building Block | BB:HostDefinition: Servers | Updated building block with server definition.
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs:
  • 5001948: Failure Audit: An account failed to log on: Account Disabled
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001965: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time

IBM Security QRadar GPG13 Content Extension 1.0.1

The following table shows the building block that is updated in IBM Security QRadar GPG13 Content Extension 1.0.1.

Table 6. Building Block in IBM Security QRadar GPG13 Content Extension 1.0.1
Type | Name | Description
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on.

IBM Security QRadar GPG13 Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar GPG13 Content Extension 1.0.0.

Table 7. Custom Properties in IBM Security QRadar GPG13 Content Extension 1.0.0
Name | Regex
Audit Object ID | \s+id=(\S+)
AccountDomain | Target Domain: (.*?)
AccountID | Target Account ID: (.*?)
Computer | \s+Computer=(\S+)
Version | \s+Version:\s+(\S+)
GroupID | Group ID: (\d+)
ChangedAttributes | Changed Attributes: (.*)
Log Source Hostname | \s+hostName=(\S+)
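The custom property regexes above (Table 7) and the widened GroupID pattern from Tables 2 and 3 are easy to sanity-check offline before relying on them in a report. The following Python script is an added example, not code from IBM or from the content extension; it assumes that Python's re module evaluates these particular patterns the same way QRadar's regex engine does (first match in the payload, value taken from capture group 1), uses a constructed Windows-style payload that is not a real event, and introduces one hypothetical tightened pattern (ACCOUNT_DOMAIN_TIGHT) that is not part of the extension. It shows two things the tables alone do not: why the GroupID regex was widened in 1.0.4 (the 1.0.0 pattern only matches "Group ID: 512", the newer one also matches "=" and whitespace separators), and that a trailing lazy group such as (.*?) at the end of a pattern legitimately matches the empty string, so the AccountDomain and AccountID properties as listed return an empty value even when the field is present.

```python
import re

# Custom property regexes copied from the release notes: Table 7 lists the
# 1.0.0 patterns, Tables 2 and 3 the GroupID pattern shipped from 1.0.4 on.
PROPERTIES_1_0_0 = {
    "Audit Object ID": r"\s+id=(\S+)",
    "AccountDomain": r"Target Domain: (.*?)",
    "AccountID": r"Target Account ID: (.*?)",
    "Computer": r"\s+Computer=(\S+)",
    "Version": r"\s+Version:\s+(\S+)",
    "GroupID": r"Group ID: (\d+)",
    "ChangedAttributes": r"Changed Attributes: (.*)",
    "Log Source Hostname": r"\s+hostName=(\S+)",
}
GROUPID_1_0_4 = r"Group ID[:\s\\=]*(\d+)"

# Hypothetical tightened pattern (not from the extension), used only to show
# what a non-lazy capture of the same field returns.
ACCOUNT_DOMAIN_TIGHT = r"Target Domain: (\S+)"

# Constructed sample payload, not a real QRadar event.
SAMPLE = (
    "A member was added to a security-enabled global group. "
    "Target Domain: CORP Target Account ID: S-1-5-21-1-2-3-1001 "
    "Group ID: 512 Changed Attributes: Member "
    "hostName=dc01.example.test Computer=DC01 Version: 6.3 id=4728"
)


def extract(pattern, payload, group=1):
    """Return the requested capture group of the first match, or None.

    Mirrors a regex-based custom property with capture group 1: first match
    in the payload wins and the property value is that group.
    """
    m = re.search(pattern, payload)
    return m.group(group) if m else None


def extract_all(payload, properties=PROPERTIES_1_0_0):
    """Evaluate every property in `properties` against one payload."""
    return {name: extract(rx, payload) for name, rx in properties.items()}


# Constructed renderings of the Group ID field as different DSMs might emit it.
GROUPID_VARIANTS = ["Group ID: 512", "Group ID = 512", "Group ID=512", "Group ID 512"]


def groupid_comparison(variants=GROUPID_VARIANTS):
    """Map each variant to (1.0.0 result, 1.0.4 result) so the effect of the
    widened separator character class is visible side by side."""
    old, new = PROPERTIES_1_0_0["GroupID"], GROUPID_1_0_4
    return {v: (extract(old, v), extract(new, v)) for v in variants}


def lazy_capture_demo(payload=SAMPLE):
    """A trailing lazy group (.*?) is satisfied by the empty string, so the
    AccountDomain property as listed captures nothing even though the field
    is present; the hypothetical tightened pattern captures the token."""
    return {
        "as_shipped": extract(PROPERTIES_1_0_0["AccountDomain"], payload),
        "tightened": extract(ACCOUNT_DOMAIN_TIGHT, payload),
    }


if __name__ == "__main__":
    for name, value in extract_all(SAMPLE).items():
        print(f"{name:20s} -> {value!r}")
    print(groupid_comparison())
    print(lazy_capture_demo())
```

Run it against payloads captured from your own log sources (for example the raw payload shown in the Log Activity tab) before enabling the properties in reports; an empty or None value for a field that is visibly present means the regex, not the DSM, needs attention.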

The following table shows the rules and building blocks that are in IBM Security QRadar GPG13 Content Extension 1.0.0.

Table 8. Rules and Building Blocks in IBM Security QRadar GPG13 Content Extension 1.0.0
Type | Name | Description
Building Block | BB:CategoryDefinition: Access Denied | Defines events in different Access Denied categories.
Building Block | BB:CategoryDefinition: Account Lockout Events | Defines account lockout events.
Building Block | BB:CategoryDefinition: Accountable User Activities | Defines accountable user activity events such as backup activity and general audit events.
Building Block | BB:CategoryDefinition: Backup and Restore Events | Defines backup and restore events.
Building Block | BB:CategoryDefinition: Backup Categories | Defines backup categories.
Building Block | BB:CategoryDefinition: Backup Events | Defines backup events.
Building Block | BB:CategoryDefinition: Changed File or Folder Access Rights | Defines permission change events on a file or folder.
Building Block | BB:CategoryDefinition: CISCO Session Events | Defines Cisco session events.
Building Block | BB:CategoryDefinition: Failed File Accesses | Defines file access failed events.
Building Block | BB:CategoryDefinition: Failure Service or Hardware | Defines event categories that indicate failures within services or hardware.
Building Block | BB:CategoryDefinition: Log File Manipulation Events | Defines log file manipulation events.
Building Block | BB:CategoryDefinition: Service Started | Defines service started events.
Building Block | BB:CategoryDefinition: Service Status Change Events | Defines service status change events.
Building Block | BB:CategoryDefinition: Service Stopped | Defines service stopped events.
Building Block | BB:CategoryDefinition: Session Closed | Defines all Session Closed events by category.
Building Block | BB:CategoryDefinition: Session Opened | Defines all Session Opened events by category.
Building Block | BB:CategoryDefinition: SIEM Authentication | Defines SIEM Audit user authentication events.
Building Block | BB:CategoryDefinition: SIEM Authentication Failures | Defines SIEM authentication failure events.
Building Block | BB:CategoryDefinition: SIEM IP Lockouts | Defines SIEM IP lockout events.
Building Block | BB:CategoryDefinition: Superuser Accounts | Defines events from superuser accounts.
Building Block | BB:CategoryDefinition: System or Device Configuration Change | Defines system or device configuration change events.
Building Block | BB:CategoryDefinition: System Start/Stop Events | Defines system start or stop events.
Building Block | BB:CategoryDefinition: System Status Change Events | Defines system status change events.
Building Block | BB:CategoryDefinition: VoIP Session Opened | Defines events that indicate the start of a VoIP session.
Building Block | BB:CategoryDefinition: VPN Access Denied | Defines VPN events that are considered denied access.
Building Block | BB:CategoryDefinition: VPN Status Changes | Defines VPN status change events.
Building Block | BB:Compliance: Session Tracking | Defines session tracking events.
Building Block | BB:Compliance: SIEM Detection Configuration Changes | Defines SIEM detection configuration change events.
Building Block | BB:DeviceDefinition: Perimeter Network Devices | Defines perimeter network devices. Note: Populate the Perimeter Network Devices log source group with applicable log sources.
Building Block | BB:External Contractor Failed Events | Defines failures caused by external contractors.
Building Block | BB:External Contractor Policy Violation Events | Defines policy violations caused by external contractors.
Building Block | BB:Failed Events | Defines failed events.
Building Block | BB:CategoryDefinition: Failed File Accesses | Defines object access failed events.
Building Block | BB:HostBased: Critical Events | Defines event categories that indicate critical events.
Building Block | BB:IT Admin Events | Defines actions performed by IT Admin staff.
Building Block | BB:Mobile Worker Failed Events | Defines failures caused by mobile workers.
Building Block | BB:Mobile Worker Policy Violation Events | Defines policy violations caused by mobile workers.
Building Block | BB:Review Of Access Rights | Defines actions performed by administrators on users.
Building Block | BB:Teleworker Failed Events | Defines failures caused by teleworkers.
Building Block | BB:Teleworker Policy Violation Events | Defines policy violations caused by teleworkers.
Building Block | BB:VMware: Session Activity | Defines VMware session activity events.
Rule | Blocked Inbound File Transfer on Perimeter | Triggers when there is a blocked attempt to communicate to a Perimeter Device on a port usually used to transfer files. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | Blocked Outbound File Transfer on Perimeter | Triggers when there is a blocked attempt to communicate from a Perimeter Device on a port usually used to transfer files. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | Configuration Change Made to Device in Perimeter network | Triggers when an event categorized as a configuration modification is observed on a perimeter device. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | Configuration Changes Made to AV/Malware Devices | Triggers when an event categorized as a configuration modification is observed on an endpoint protection device. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | Critical Server Messages | Triggers when an event categorized as an emergency or critical is observed.
Rule | Failed VPN Acceses | Triggers when an authentication failure or an authentication attempt to a disabled account is detected.
Rule | File System Access Failure | Triggers when access to an object is denied. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | Packets Dropped by Perimeter Network Devices | Triggers when traffic is denied by a perimeter device. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | Service Stopped and not Restarted | Triggers when a service has been stopped on a system and not restarted.
Rule | User Authentication Failures on Internal Systems | Triggers when an authentication failure is observed on a device that is not a perimeter device.
Rule | User Authentication Failures on Perimeter Systems | Triggers when an authentication failure is observed on a perimeter device.
Rule | User Privilege Changes on Protected Assets | Triggers when rights are assigned or removed for a user on an asset that is in the Protected Assets building block. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | User Responsibilities and Password Use | Triggers when a user account is locked out.
Rule | User Sessions on non-Perimeter Devices | Tracks session opening and closure on non-perimeter devices. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.
Rule | VPN Session Tracking | Tracks session opening and closure on VPN devices. Tune the rule according to your compliance requirements and enable rule responses. Applying a response limiter is highly recommended because this rule is likely to match a high number of events.

The following reports are included in IBM Security QRadar GPG13 Content Extension 1.0.0.

  • GPG13 (PMC3) User Authentication Failures on Boundary Systems (Daily)
  • GPG13 (PMC3) Packets Being Dropped by Boundary Firewalls (Daily)
  • GPG13 (PMC7) Recording of session activity by user and workstation - Review Access Rights (Daily)
  • GPG13 (PMC7) Accountable User Activites or Transactions (Daily)
  • GPG13 (PMC4) Host Messages at Critical and Above (Daily)
  • GPG13 (PMC7) Network Account Status Changes (Daily)
  • GPG13 (PMC5) User Authentication Failures on Internal Monitoring Systems (Daily)
  • GPG13 (PMC8) Backup and Restore Events
  • GPG13 (PMC2) Configuration and Signature Changes in Boundary Devices
  • GPG13 (PMC6) VPN User Session Activity (Daily)
  • GPG13 (PMC4) Changes to File or Path Access Rights (Daily)
  • GPG13 (PMC4) Changes in System Status (Daily)
  • GPG13 (PMC9) Configuration Changes to SIEM, Alerts, Rules (Daily)
  • GPG13 (PMC6) Changes in Status of VPN Node Registration (Daily)
  • GPG13 (PMC7) Use of Administrative Facilities (Daily)
  • GPG13 (PMC4) Configuration Changes to AV/Malware Devices (Daily)
  • GPG13 (PMC7) User Network Account Status Change (Daily)
  • GPG13 (PMC4) Failing File System Access Attempts (Daily)
  • GPG13 (PMC10) Log File Resets, Errors and Threshold Conditions
  • GPG13 (PMC2) Blocked Inbound File Transfers at the Boundary (Daily)
  • GPG13 (PMC7) Changes in Privilege Status on Critical Assets (Daily)
  • GPG13 (PMC4) Changes in Service Status (Daily)
  • GPG13 (PMC6) Unsuccessful VPN Node Registrations (Daily)
  • GPG13 (PMC3) Changes in status of external attack recognition software (Daily)
  • GPG13 (PMC2) Blocked Outbound File Transfers at the Boundary (Daily)
  • GPG13 (PMC3) User Sessions on Boundary Devices (Daily)
  • GPG13 (PMC5) User Sessions on Internal Devices (Daily)
  • GPG13 (PMC7) User Network Sessions (Daily)
  • GPG13 (PMC4) Changes to any host A/V signature base

The following saved searches are included in IBM Security QRadar GPG13 Content Extension 1.0.0.

  • Packets Dropped by Perimeter Network Devices in the last 24 hours
  • User Authentication Failures on Perimeter Systems by User in the last 24 hours
  • Compliance: System Status Change Events
  • Critical Server Messages in the last 24 hours
  • Compliance: Changed File or Folder Access Rights
  • Compliance: Administrator Authentications and Sessions
  • Packets Dropped by Perimeter Network Devices by Source and Destination IP in the last 24 hours
  • Backup and Restore Events
  • User Authentication Failures on Perimeter Systems in the last 24 hours
  • Compliance: Windows Host A/V Signature Changes
  • Log File Manipulation Events in the last 24 hours
  • File System Access Failures in the last 24 hours
  • Compliance: Network Account Status Changes
  • Compliance: Blocked Outbound Transfer
  • Compliance: Failed VPN Accesses
  • Review of Access Rights, SIEM
  • Compliance: Accountable User Activity Events
  • Compliance: Blocked Inbound Transfers
  • User Authentication Failures on Internal Monitoring Systems in the last 24 hours
  • Compliance: User Privilege Change Events on Protected Assets
  • Compliance: VPN SessionTracking Events
  • Compliance: Service Status Change Events
  • Compliance: VPN Status Change Events
  • Review of Access Rights, Windows
  • Compliance: SIEM Configuration Changes
  • Compliance: All User Sessions
  • Review of Access Rights, Network
  • Compliance: Internal User Sessions
  • GPG13 (PMC7) - Review of Access Rights
  • Configuration and Signature Changes Made to Perimeter Devices
  • Compliance: SIEM Detection Configuration Changes
  • Compliance: Perimeter Device User Sessions
  • Compliance: Configuration Change Events on AV/Malware Devices
