Payment Card Industry

Use the IBM® QRadar® Payment Card Industry (PCI) Reporting Content Extension for compliance with PCI reports.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar PCI Content Extension V1.1.0
IBM Security QRadar PCI Content Extension V1.0.3
IBM Security QRadar PCI Content Extension V1.0.2
IBM Security QRadar PCI Content Extension V1.0.1
IBM Security QRadar PCI Content Extension V1.0.0

IBM Security QRadar PCI Content Extension V1.1.0

The following table shows the custom properties in IBM Security QRadar PCI Content Extension V1.1.0.

Table 1. Custom Properties in IBM Security QRadar PCI Content Extension V1.1.0
Name	Optimized	Found in
File Hash	Yes	Bit9 Security Platform Carbon Black Protection Carbon Black Response Cisco AMP Cisco Firepower FireEye MPS Lastline Enterprise McAfee EPO Microsoft 365 Defender osquery Sysmon
Filename	Yes	Amazon AWS Azure Bit9 Security Platform Blue Coat Carbon Black Protection Cisco AMP Cisco Firepower Cisco Ironport Endpoint FireEye MPS Fortinet FortiAnalyzer Linux McAfee EPO Microsoft Office 365 Microsoft Windows osquery Palo Alto PA Series Postfix Squid Sysmon VMware Microsoft 365 Defender
Initiator User Name	Yes	Microsoft Windows
MD5 Hash	Yes	Cisco AMP Microsoft 365 Defender Microsoft Windows
SHA1 Hash	Yes	Cisco AMP Microsoft 365 Defender Microsoft Windows Sysmon
SHA256 Hash	Yes	Cisco AMP Microsoft 365 Defender osquery Sysmon
Target User Name	Yes	Amazon AWS Azure Kubernetes Microsoft Office 365 Microsoft Windows osquery VMware
Threat Category	No	McAfee EPO Microsoft 365 Defender
Threat Family	No	Check Point Cisco Firepower Syslog Microsoft 365 Defender
Threat Name	Yes	Amazon AWS Cisco AMP Cisco Ironport Fortinet FortiAnalyzer McAfee EPO Threat Monitoring Microsoft 365 Defender Zscaler
Threat Severity	No	F5 Networks Big IP Fortinet FortiAnalyzer McAfee EPO Microsoft 365 Defender

All expressions are deleted from the following custom properties:

AccountName
VirusName

The following table shows the building block added in IBM Security QRadar PCI Content Extension V1.1.0.

Table 2. Building block in IBM Security QRadar PCI Content Extension V1.1.0
Name	Description
BB:DeviceDefinition: Endpoint Protection Devices	Replaces BB:DeviceDefinition: Antivirus. This rule defines all endpoint protection devices on the system.

The following rules and building blocks are removed in IBM Security QRadar PCI Content Extension V1.1.0.

BB:CategoryDefinition: Authentication Failures
BB:CategoryDefinition: Authentication Success
BB:CategoryDefinition: Firewall or ACL Accept
BB:CategoryDefinition: Firewall or ACL Denies
BB:CategoryDefinition: Superuser Accounts
BB:DeviceDefinition: Antivirus
BB:DeviceDefinition: IDS / IPS
BB:NetworkDefinition: Trusted Network Segment
Device Stopped Sending Events
Malware or Virus Clean Failed

The following searches are updated to use advanced searches.

Malware Clean Failed
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Accepted)
PCI 1.2.1a - Internal Network (not DMZ) to Internet (All)
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Denied)
PCI 1.2.1b - Inbound Allowed Traffic
PCI 1.2.1b - Outbound Allowed Traffic
PCI 1.3.1 - Allowed Traffic Into DMZ from Internal
PCI 1.3.2 - Allow Traffic from Internet to Internal Networks (Not DMZ)
PCI 1.3.3 - Traffic Between Internet and Cardholder Data
PCI 1.3.5 - Traffic Between Cardholder Data and Internet (Not DMZ)
PCI 2.3 - Protocols to Trusted Network Zones
PCI 4.1 - Protocols to Trusted Network Zones
PCI 5.2 - Malware Events by Event Name or Action
PCI 6.6 - Attacks against Public Facing Applications and Services
PCI 7.1 - Access to CardHolder and Trusted System
PCI 10.5.4 Verification of Logs Received
Remote Access Failures (VPN and Others)
Remote Access Success (VPN and Others)

The following saved searched are removed.

PCI 8.1 - User Account Added By User
PCI 8.1 - User Account Modified By User

The PCI 6.6 - Attacks against Public Facing Applications and Servies saved search is now called PCI 6.6 - Attacks against Public Facing Applications and Services.

The PCI 10.5.4 Verification of Logs Recieved saved search is now called PCI 10.5.4 Verification of Logs Received.

In the Malware Events by Name and PCI 5.2 - Malware Events by Event Name or Action saved searches, VirusName is replaced with Threat Name, and the following columns are added to the search.

File Hash
Filename
MD5
SHA 1
SHA 256
Threat Category
Threat Family
Threat Severity

In the PCI 10.2 - PCI 8.1 - User Account Added By Admin User saved search, use of BB:CategoryDefinition: Superuser Accounts is replaced with LOWER(username) in ('admin', 'superuser', 'root', 'toor', 'init', 'administrator', 'sys', 'system').

In the following reports, use of the PCI 8.1 - User Account Added By User search has been replaced with the User Account Added By User search, and use of the PCI 8.1 - User Account Modified By User search has been replaced with the User Account Modified By User search.

PCI 8.1 - User Account Additions and Changes (Monthly)
PCI 8.1 - User Account Additions and Changes (Weekly)
PCI 8.1 - User Account Additions and Changes

IBM Security QRadar PCI Content Extension V1.0.3

Saved searches are now shared with all users. Saved searches that were in the Other group are now in the PCI group.

_{(Back to top)}

IBM Security QRadar PCI Content Extension V1.0.2

The following table shows the custom properties in IBM Security QRadar PCI Content Extension V1.0.2.

Table 3. Custom Properties in IBM Security QRadar PCI Content Extension V1.0.2
Name	Optimized	Capture Group	Regex
VirusName	Yes	1	Virus Name: (.*?),

_{(Back to top)}

IBM Security QRadar PCI Content Extension V1.0.1

The following table shows the rule and building block updated in IBM Security QRadar PCI Content Extension V1.0.1.

Table 4. Rule and Building Block in IBM Security QRadar PCI Content Extension V1.0.1
Type	Name	Description
Building Block	BB:DeviceDefinition: IDS/IPS	Updated building block with IDS/IPS devices.
Rule	Malware or Virus Clean Failed	New QIDs added to rule: 42002833: Security risk found, Actual action: All actions failed 42002836: Security risk found, Actual action: Left alone 42002845: Virus Detected, Actual action: Left alone 42003869: Virus Detected, Actual action: Actions failed

_{(Back to top)}

IBM Security QRadar PCI Content Extension V1.0.0

The following reports are added by the IBM Security QRadar PCI Content Extension V1.0.0.

PCI Compliance Failures
Network Traffic Volume
Network Traffic Volume
Top Users by Remote Access Activity
Weekly PCI Compliance Failures
PCI 1.2.1a - Internal Network (not DMZ) to Internet
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Monthly)
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Weekly)
PCI 1.2.1b - Inbound and Outbound Traffic
PCI 1.2.1b - Inbound and Outbound Traffic (Monthly)
PCI 1.2.1b - Inbound and Outbound Traffic (Weekly)
PCI 1.3 - Traffic Summaries (Details)
PCI 1.3 - Traffic Summaries (Monthly)
PCI 1.3 - Traffic Summaries (Time Series)
PCI 1.3 - Traffic Summaries (Weekly)
PCI 2.1 - Vendor Defaults
PCI 2.1 - Vendor Defaults (Monthly)
PCI 2.2 - Server Function
PCI 2.3 - Traffic to Trusted Segments
PCI 2.3 - Traffic to Trusted Segments (Monthly)
PCI 2.3 - Traffic to Trusted Segments (Weekly)
PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments
PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments (Monthly)
PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments (Weekly)
PCI 5.2 - Malware PCI 5.2 - Malware (Monthly)
PCI 5.2 - Malware (Weekly)
PCI 5.2 - Malware or Virus Clean Failed
PCI 5.2 - Top Malware Activity
PCI 6.1 - Vulnerabilities
PCI 6.6 - Attacks against Public Facing Applications or Services
PCI 6.6 - Attacks against Public Facing Applications or Services (Monthly)
PCI 6.6 - Attacks against Public Facing Applications or Services (Weekly)
PCI 7.1 - Access to Cardholder and Trusted Systems
PCI 7.1 - Access to Cardholder and Trusted Systems (Monthly)
PCI 7.1 - Access to Cardholder and Trusted Systems (Weekly)
PCI 8.1 - User Account Additions and Changes
PCI 8.1 - User Account Additions and Changes (Monthly)
PCI 8.1 - User Account Additions and Changes (Weekly)
PCI 10 - Audit of Data PCI 10 - Audit of Data (Monthly)
PCI 10 - Audit of Data (Weekly)
PCI 10.2 - User Accounts Additions by Admin
PCI 10.2 - User Accounts Additions by Admin (Monthly)
PCI 10.2 - User Accounts Additions by Admin (Weekly)
PCI 11.3/11.2 Vulnerability Report
PCI 12.9 Incident Response (Offense Summary) - Weekly

The following table shows the rule and building blocks added by IBM Security QRadar PCI Content Extension V1.0.0.

Table 5. Rules and Building Blocks in IBM Security QRadar PCI Content Extension V1.0.0
Type	Name
Rule	Device Stopped Sending Events
Rule	Malware or Virus Clean Failed
Building Block	BB:DeviceDefinition: AntiVirus
Building Block	BB:DeviceDefinition: IDS / IPS
Building Block	BB:CategoryDefinition: Authentication Failures
Building Block	BB:CategoryDefinition: Authentication Success
Building Block	BB:CategoryDefinition: Firewall or ACL Accept
Building Block	BB:CategoryDefinition: Firewall or ACL Denies
Building Block	BB:CategoryDefinition: Superuser Accounts
Building Block	BB:NetworkDefinition: Inbound Communication from Internet to Local Host
Building Block	BB:NetworkDefinition: Untrusted Network Segment
Building Block	BB:NetworkDefinition: Trusted Network Segment Note: This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.
Building Block	BB:NetworkDefinition: Untrusted Local Networks Note: This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.

The following searches are added by IBM Security QRadar PCI Content Extension V1.0.0.

Link Utilization
Malware Clean Failed
Malware Events by IP
Malware Events by Name
Remote Access Failures (VPN and Others)
Top Destination Networks - Internal
Top Source Networks
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Accepted)
PCI 1.2.1a - Internal Network (not DMZ) to Internet (All)
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Denied)
PCI 1.2.1b - Inbound Allowed Traffic
PCI 1.2.1b - Outbound Allowed Traffic
PCI 1.3.1 - Allowed Traffic Into DMZ from Internal
PCI 1.3.2 - Allow Traffic from Internet to Internal Networks (Not DMZ)
PCI 1.3.3 - Traffic Between Internet and Cardholder Data
PCI 1.3.5 - Traffic Between Cardholder Data and Internet (Not DMZ)
PCI 2.1 - Vendor Supplied Defaults Accepted
PCI 2.2.1 - Primary Function Per Server
PCI 2.3 - Protocols to Trusted Network Zones
PCI 4.1 - Protocols to Trusted Network Zones
PCI 5.2 - Malware Events by Event Name or Action
PCI 6.1 - Vulnerabilities Discovered
PCI 6.6 - Attacks against Public Facing Applications and Servies
PCI 7.1 - Access to CardHolder and Trusted System
PCI 8.1 - User Account Added By User
PCI 8.1 - User Account Modified By User
PCI 10.2 - PCI 8.1 - User Account Added By Admin User
PCI 10.5.4 Verification of Logs Recieved
PCI 10.6 SIEM Audit Overview
PCI 10.7 SIEM Backup Activity

The following custom properties are added by IBM Security QRadar PCI Content Extension V1.0.0.

AccountName
VirusName

_{(Back to top)}