Network Anomaly
Use the IBM® QRadar® Network Anomaly Content Extension to closely monitor for anomalies.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
This content extension includes one or more Pulse dashboards. For more information about Pulse dashboards, see QRadar Pulse app.
- IBM Security QRadar Network Anomaly Content Extension 1.1.1
- IBM Security QRadar Network Anomaly Content Extension 1.1.0
- IBM Security QRadar Network Anomaly Content Extension 1.0.3
- IBM Security QRadar Network Anomaly Content Extension 1.0.2
- IBM Security QRadar Network Anomaly Content Extension 1.0.1
- IBM Security QRadar Network Anomaly Content Extension 1.0.0
IBM Security QRadar Network Anomaly Content Extension 1.1.1
The following table shows the rules that are updated in IBM Security QRadar Network Anomaly Content Extension 1.1.1.
| Name | Description |
|---|---|
| Suspicious Number of Account Lockouts | Triggers when the same user is locked out an unusual amount of times. Note: Tune this rule
according to your compliance requirements.
Used to be called Unusually High Number of Account Lockouts for Same User. |
| Suspicious Number of Same User Logins to Multiple Devices | Triggers when the same user attempts to login to multiple devices in a short
duration. Note: Tune this rule according to your compliance requirements.
|
IBM Security QRadar Network Anomaly Content Extension 1.1.0
The following table shows the rules and building blocks that are updated in IBM Security QRadar Network Anomaly Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:HostDefinition: Mail Servers | Edit this building block to define typical mail servers. This building block is used in conjunction with the BB:False Positive: Mail Server False Positives Categories and BB:FalsePositve: Mail Server False Positive Events building blocks. |
| Building Block | BB:Policy Violation: IRC IM Policy Violation: IM Communications | Identifies flows that have been identified as instant messaging communications. |
| Building Block | BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender | Identifies flows that show a host sending mail to remote hosts. |
| Rule | Anomaly: DMZ Jumping | Triggers when connections seem to be bridged across the network DMZ. |
| Rule | Compliance: Traffic from DMZ to Internal Network | Triggers when traffic is passed from the DMZ to an internal network. This is typically not allowed under compliance regulations. You should make sure the DMZ object in the network hierarchy in defined before enabling this rule. |
| Rule | Impossible Travel Detected | Triggers when successful authentication is detected from locations that are impossible to travel to within a short period of time based on speed of travel and distance. |
| Rule | Local: SSH or Telnet Detected on Non-Standard Port | Triggers when a remote FTP communication is observed on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this service to provide backdoor access to the host. |
| Rule | Local: SSH or Telnet Detected on Non-Standard Port | Triggers when a local SSH or Telnet communication is observed on a non-standard port. The default port for SSH and Telnet servers is TCP port 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host. |
| Rule | Remote: FTP Detected on Non-Standard Port | Triggers when a remote FTP communication is observed on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this service to provide backdoor access to the host. |
| Rule | Remote: Local P2P Client Connected to more than 100 Servers | Triggers when a local host is operating as a Peer-to-Peer (P2P) client. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement. |
| Rule | Remote: Local P2P Client Detected | Triggers when a local host is operating as a Peer-to-Peer (P2P) client. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement. |
| Rule | Remote: Local P2P Server Detected | Triggers when a local host is operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement. |
| Rule | Remote: Possible Tunneling | Triggers when possible tunneling, which can indicate a bypass of policy, or an infected system is detected. |
| Rule | Remote: SMTP Mail Sender | Triggers when a local host is sending a large number of SMTP flows from the same source to the Internet, in one interval. This could indicate a mass mailing, worm, or spam relay is present. |
| Rule | Remote: SSH or Telnet Detected on Non-Standard Port | Triggers when a remote SSH or Telnet communication is observed on a non-standard port. The default port for SSH and Telnet servers is TCP port 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host. |
| Rule | Remote: Suspicious Amount of IM/Chat Traffic | Triggers when an excessive amount of IM/Chat traffic from a single source is detected. |
| Rule | Single IP with Multiple MAC Addresses | Triggers when the MAC address associated with a single IP address changes multiple times over a period of time. |
| Rule | Successful Login from Specific City | Returns location data, provided by MaxMind, for a selected IP address and populates the Impossible Travel reference table. |
| Rule | Systems using many different protocols | Triggers when local systems are connecting to the internet on more than 50 DST ports in one hour. Connections must be successful. This rule can be edited to also detect failed communications which may also be useful. |
| Rule | Unusual Number of Devices Logged on by Same User | Triggers when the same user seems to log on an abnormal number of devices within a short period of time. |
| Rule | Unusually High Number of Account Lockouts for Same User | Triggers when the same user is locked out an unusual amount of times. |
The following building blocks and rules are removed in IBM
Security QRadar Network Anomaly
Content Extension 1.1.0. They are available for use in the Compliance Content Extension.
- BB:CategoryDefinition: Countries/Regions with no Remote Access
- Excessive Firewall Accepts From Multiple Sources to a Single Destination
- Remote Access from Foreign Country/Region
- Remote Inbound Communication from a Foreign Country/Region
The following table shows the new or updated reference data in IBM Security QRadarNetwork Anomaly Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Reference table | Impossible Travel | Contains a list of IP addresses and usernames associated with specific cities. |
| Reference table | Impossible Travel Users | Contains a list of users associated with impossible travel based on speed and distance. |
| Reference data | pulse_imports | Part of the Pulse dashboard. |
IBM Security QRadar Network Anomaly Content Extension 1.0.3
Content extension no longer displays an incorrect number of rules.
IBM Security QRadar Network Anomaly Content Extension 1.0.2
The following table shows the rules and building blocks that are updated in IBM Security QRadar Network Anomaly Content Extension 1.0.2.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices. |
| Rule | Excessive Firewall Accepts From Multiple Sources to a Single Destination | Renamed rule to naming standard. |
| Rule | Systems using many different protocols | Renamed rule to naming standard. |
| Rule | Single IP with Multiple MAC Addresses | Renamed rule to naming standard. |
IBM Security QRadar Network Anomaly Content Extension 1.0.1
The following table shows the rules and building blocks that are updated in IBM Security QRadar Network Anomaly Content Extension 1.0.1.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
| Building Block | BB:HostDefinition: DHCP Servers | No updates. Dependent on another rule and must be included in the extension framework. |
| Building Block | BB:CategoryDefinition: Successful Communication | No updates. Dependent on another rule and must be included in the extension framework. |
| Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Added a rule test to the BB:DeviceDefinition: FW / Router / Switch building block. |
| Rule | Anomaly: Systems using many different protocols | Added a rule test to the BB:DeviceDefinition: FW / Router / Switch building block. |
| Rule | Single IP with Multiple MAC Addresses | Added a rule test to the BB:HostDefinition: DHCP Servers building block. |
IBM Security QRadar Network Anomaly Content Extension 1.0.0
The following table shows the rules and building blocks in IBM Security QRadar Network Anomaly Content Extension 1.0.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:CategoryDefinition: Pre Reverse DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:CategoryDefinition: Authentication Success | Edit this building block to include all events that indicate successful attempts to access the network. |
| Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule. |
| Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Edit this building block to include all events that indicate access to the firewall. |
| Building Block | BB:CategoryDefinition: Reverse DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:CategoryDefinition: Successful Communication | Defines flows which are typical of a successful communication. You may wish to drop the ratio to 64 bytes/packet however this will cause a lot of false positives and may require further tuning using flags and other properties. |
| Building Block | BB:CategoryDefinition: Pre DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:CategoryDefinition: Post DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system. |
| Building Block | BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:False Positive: DHCP Server False Positives Categories and BB:FalsePositve: DHCP Server False Positive Events building blocks. |
| Building Block | BB:NetworkDefinition: DMZ Addresses | Update this building block to include addresses that are included in the DMZ. This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy. |
| Rule | Excessive Firewall Accepts From Multiple Sources to a Single Destination | Reports excessive Firewall Accepts to the same destination from at least 100 unique source IP addresses in 5 minutes. |
| Rule | DMZ Reverse Tunnel | This rule will fire when connections seem to be bridged across the network's DMZ through a reverse tunnel. |
| Rule | Remote Inbound Communication from a Foreign Country/Region | Reports traffic from an IP address known to be in a country/region that does not have remote access right. Before you enable this rule, configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. You may have to remove web servers in the DMZ that are often probed by remote hosts with web scanners. |
| Rule | Remote Access from Foreign Country/Region | Reports successful logins or access from an IP address known to be in a country/region that does not have remote access right. Before you enable this rule, configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. |
| Rule | Single IP with Multiple MAC Addresses | This rule will fire when the MAC address changes for a single IP address multiple times over a period of time. |
| Rule | Systems using many different protocols | Local system connecting to the internet on more than 50 DST ports in one hour. Connections must be successful. This rule can be edited to also detect failed communications which may also be useful. |