Payment Card Industry
Use the IBM® QRadar® Payment Card Industry (PCI) Reporting Content Extension to generate the reports and searches needed for PCI compliance.
IBM Security QRadar PCI Content Extension V1.1.0
The following table shows the custom properties in IBM Security QRadar PCI Content Extension V1.1.0.
Name | Optimized | Found in |
---|---|---|
File Hash | Yes | |
Filename | Yes | |
Initiator User Name | Yes | Microsoft Windows |
MD5 Hash | Yes | |
SHA1 Hash | Yes | |
SHA256 Hash | Yes | |
Target User Name | Yes | |
Threat Category | No | |
Threat Family | No | |
Threat Name | Yes | |
Threat Severity | No | |
- AccountName
- VirusName
The following table shows the building block added in IBM Security QRadar PCI Content Extension V1.1.0.
Name | Description |
---|---|
BB:DeviceDefinition: Endpoint Protection Devices | Replaces BB:DeviceDefinition: Antivirus. This building block defines all endpoint protection devices on the system. |
- BB:CategoryDefinition: Authentication Failures
- BB:CategoryDefinition: Authentication Success
- BB:CategoryDefinition: Firewall or ACL Accept
- BB:CategoryDefinition: Firewall or ACL Denies
- BB:CategoryDefinition: Superuser Accounts
- BB:DeviceDefinition: Antivirus
- BB:DeviceDefinition: IDS / IPS
- BB:NetworkDefinition: Trusted Network Segment
- Device Stopped Sending Events
- Malware or Virus Clean Failed
- Malware Clean Failed
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (Accepted)
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (All)
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (Denied)
- PCI 1.2.1b - Inbound Allowed Traffic
- PCI 1.2.1b - Outbound Allowed Traffic
- PCI 1.3.1 - Allowed Traffic Into DMZ from Internal
- PCI 1.3.2 - Allow Traffic from Internet to Internal Networks (Not DMZ)
- PCI 1.3.3 - Traffic Between Internet and Cardholder Data
- PCI 1.3.5 - Traffic Between Cardholder Data and Internet (Not DMZ)
- PCI 2.3 - Protocols to Trusted Network Zones
- PCI 4.1 - Protocols to Trusted Network Zones
- PCI 5.2 - Malware Events by Event Name or Action
- PCI 6.6 - Attacks against Public Facing Applications and Services
- PCI 7.1 - Access to CardHolder and Trusted System
- PCI 10.5.4 Verification of Logs Received
- Remote Access Failures (VPN and Others)
- Remote Access Success (VPN and Others)
- PCI 8.1 - User Account Added By User
- PCI 8.1 - User Account Modified By User
The PCI 6.6 - Attacks against Public Facing Applications and Servies saved search is now called PCI 6.6 - Attacks against Public Facing Applications and Services.
The PCI 10.5.4 Verification of Logs Recieved saved search is now called PCI 10.5.4 Verification of Logs Received.
- File Hash
- Filename
- MD5
- SHA 1
- SHA 256
- Threat Category
- Threat Family
- Threat Severity
In the PCI 10.2 - PCI 8.1 - User Account Added By Admin User saved search, the use of BB:CategoryDefinition: Superuser Accounts is replaced with LOWER(username) in ('admin', 'superuser', 'root', 'toor', 'init', 'administrator', 'sys', 'system').
- PCI 8.1 - User Account Additions and Changes (Monthly)
- PCI 8.1 - User Account Additions and Changes (Weekly)
- PCI 8.1 - User Account Additions and Changes
IBM Security QRadar PCI Content Extension V1.0.3
Saved searches are now shared with all users. Saved searches that were in the Other group are now in the PCI group.
IBM Security QRadar PCI Content Extension V1.0.2
The following table shows the custom properties in IBM Security QRadar PCI Content Extension V1.0.2.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
VirusName | Yes | 1 | Virus Name: (.*?), |
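An added Python check, not part of the IBM content extension, that mirrors the VirusName regex in the table above and the inline superuser list used by the V1.1.0 PCI 10.2 - PCI 8.1 - User Account Added By Admin User saved search, run against constructed sample payloads to show exactly what each expression matches; the tolerant regex variant is an assumption of this example, not IBM's property definition.

```python
import re

# Regex and capture group of the VirusName custom property (V1.0.2 table above).
VIRUS_NAME_RE = re.compile(r"Virus Name: (.*?),")
VIRUS_NAME_GROUP = 1

# Assumed variant (not IBM's): also accepts a name that ends the payload.
VIRUS_NAME_TOLERANT_RE = re.compile(r"Virus Name: (.*?)(?:,|$)")

# Inline list that replaces BB:CategoryDefinition: Superuser Accounts in V1.1.0.
SUPERUSERS = ('admin', 'superuser', 'root', 'toor', 'init',
              'administrator', 'sys', 'system')


def extract_virus_name(payload: str):
    """Capture group 1 of the VirusName regex, or None when it does not match.
    The lazy (.*?) stops at the first comma, so a virus name that is the last
    field of the payload (no trailing comma) yields no property value."""
    m = VIRUS_NAME_RE.search(payload)
    return m.group(VIRUS_NAME_GROUP) if m else None


def extract_virus_name_tolerant(payload: str):
    """Same extraction with the assumed end-of-payload alternative."""
    m = VIRUS_NAME_TOLERANT_RE.search(payload)
    return m.group(1) if m else None


def is_superuser(username: str) -> bool:
    """Python equivalent of AQL LOWER(username) in (...): exact match after
    lower-casing, so domain-qualified or suffixed names are not flagged."""
    return username.lower() in SUPERUSERS


# Constructed sample payloads, not real QRadar events.
SAMPLE_PAYLOADS = [
    "Action: Quarantine, Virus Name: EICAR-Test-File, Host: ws01",
    "Action: Clean Failed, Virus Name: Trojan.Generic",  # last field, no comma
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(extract_virus_name(p), "|", extract_virus_name_tolerant(p))
    for u in ("Administrator", "root", "CORP\\administrator", "admin@example.com"):
        print(u, is_superuser(u))
```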
IBM Security QRadar PCI Content Extension V1.0.1
The following table shows the rule and building block updated in IBM Security QRadar PCI Content Extension V1.0.1.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: IDS/IPS | Updated building block with IDS/IPS devices. |
Rule | Malware or Virus Clean Failed | New QIDs added to rule: |
IBM Security QRadar PCI Content Extension V1.0.0
The following reports are added by the IBM Security QRadar PCI Content Extension V1.0.0.
- PCI Compliance Failures
- Network Traffic Volume
- Network Traffic Volume
- Top Users by Remote Access Activity
- Weekly PCI Compliance Failures
- PCI 1.2.1a - Internal Network (not DMZ) to Internet
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (Monthly)
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (Weekly)
- PCI 1.2.1b - Inbound and Outbound Traffic
- PCI 1.2.1b - Inbound and Outbound Traffic (Monthly)
- PCI 1.2.1b - Inbound and Outbound Traffic (Weekly)
- PCI 1.3 - Traffic Summaries (Details)
- PCI 1.3 - Traffic Summaries (Monthly)
- PCI 1.3 - Traffic Summaries (Time Series)
- PCI 1.3 - Traffic Summaries (Weekly)
- PCI 2.1 - Vendor Defaults
- PCI 2.1 - Vendor Defaults (Monthly)
- PCI 2.2 - Server Function
- PCI 2.3 - Traffic to Trusted Segments
- PCI 2.3 - Traffic to Trusted Segments (Monthly)
- PCI 2.3 - Traffic to Trusted Segments (Weekly)
- PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments
- PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments (Monthly)
- PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments (Weekly)
- PCI 5.2 - Malware
- PCI 5.2 - Malware (Monthly)
- PCI 5.2 - Malware (Weekly)
- PCI 5.2 - Malware or Virus Clean Failed
- PCI 5.2 - Top Malware Activity
- PCI 6.1 - Vulnerabilities
- PCI 6.6 - Attacks against Public Facing Applications or Services
- PCI 6.6 - Attacks against Public Facing Applications or Services (Monthly)
- PCI 6.6 - Attacks against Public Facing Applications or Services (Weekly)
- PCI 7.1 - Access to Cardholder and Trusted Systems
- PCI 7.1 - Access to Cardholder and Trusted Systems (Monthly)
- PCI 7.1 - Access to Cardholder and Trusted Systems (Weekly)
- PCI 8.1 - User Account Additions and Changes
- PCI 8.1 - User Account Additions and Changes (Monthly)
- PCI 8.1 - User Account Additions and Changes (Weekly)
- PCI 10 - Audit of Data
- PCI 10 - Audit of Data (Monthly)
- PCI 10 - Audit of Data (Weekly)
- PCI 10.2 - User Accounts Additions by Admin
- PCI 10.2 - User Accounts Additions by Admin (Monthly)
- PCI 10.2 - User Accounts Additions by Admin (Weekly)
- PCI 11.3/11.2 Vulnerability Report
- PCI 12.9 Incident Response (Offense Summary) - Weekly
The following table shows the rule and building blocks added by IBM Security QRadar PCI Content Extension V1.0.0.
Type | Name |
---|---|
Rule | Device Stopped Sending Events |
Rule | Malware or Virus Clean Failed |
Building Block | BB:DeviceDefinition: AntiVirus |
Building Block | BB:DeviceDefinition: IDS / IPS |
Building Block | BB:CategoryDefinition: Authentication Failures |
Building Block | BB:CategoryDefinition: Authentication Success |
Building Block | BB:CategoryDefinition: Firewall or ACL Accept |
Building Block | BB:CategoryDefinition: Firewall or ACL Denies |
Building Block | BB:CategoryDefinition: Superuser Accounts |
Building Block | BB:NetworkDefinition: Inbound Communication from Internet to Local Host |
Building Block | BB:NetworkDefinition: Untrusted Network Segment |
Building Block | BB:NetworkDefinition: Trusted Network Segment. Note: This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy. |
Building Block | BB:NetworkDefinition: Untrusted Local Networks. Note: This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy. |
The following searches are added by IBM Security QRadar PCI Content Extension V1.0.0.
- Link Utilization
- Malware Clean Failed
- Malware Events by IP
- Malware Events by Name
- Remote Access Failures (VPN and Others)
- Top Destination Networks - Internal
- Top Source Networks
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (Accepted)
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (All)
- PCI 1.2.1a - Internal Network (not DMZ) to Internet (Denied)
- PCI 1.2.1b - Inbound Allowed Traffic
- PCI 1.2.1b - Outbound Allowed Traffic
- PCI 1.3.1 - Allowed Traffic Into DMZ from Internal
- PCI 1.3.2 - Allow Traffic from Internet to Internal Networks (Not DMZ)
- PCI 1.3.3 - Traffic Between Internet and Cardholder Data
- PCI 1.3.5 - Traffic Between Cardholder Data and Internet (Not DMZ)
- PCI 2.1 - Vendor Supplied Defaults Accepted
- PCI 2.2.1 - Primary Function Per Server
- PCI 2.3 - Protocols to Trusted Network Zones
- PCI 4.1 - Protocols to Trusted Network Zones
- PCI 5.2 - Malware Events by Event Name or Action
- PCI 6.1 - Vulnerabilities Discovered
- PCI 6.6 - Attacks against Public Facing Applications and Servies
- PCI 7.1 - Access to CardHolder and Trusted System
- PCI 8.1 - User Account Added By User
- PCI 8.1 - User Account Modified By User
- PCI 10.2 - PCI 8.1 - User Account Added By Admin User
- PCI 10.5.4 Verification of Logs Recieved
- PCI 10.6 SIEM Audit Overview
- PCI 10.7 SIEM Backup Activity
The following custom properties are added by IBM Security QRadar PCI Content Extension V1.0.0.
- AccountName
- VirusName