Tuning building blocks

You can edit building blocks to reduce the number of false positives that are generated by IBM QRadar.

About this task

To tune a building block, add the IP address or IP addresses of the relevant server or servers to the appropriate test in that building block. Many of these building blocks are used by rules to suppress offense creation, so an address that you add to them is effectively excluded from detection; keep the lists as narrow as possible and prefer individual hosts over broad ranges.

Procedure

  1. Click the Offenses tab.
  2. On the navigation menu, click Rules.
  3. From the Display list, select Building Blocks.
  4. Double-click the building block that you want to edit.
  5. Update the building block.
  6. Click Finish.

    The following table describes the building blocks that you can edit. The test names in quotation marks are the tests as they appear in the rule wizard when you open the building block.

    Table 1. Building blocks to edit.

    Building Block

    Description

    BB:NetworkDefinition: NAT Address Range

    Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the Network Address Translation (NAT) servers.

    Edit this building block only if you have detection in the non-NATed address space. Editing this building block means that offenses are not created for attacks that are targeted at or sourced from this IP address range.

    BB:HostDefinition: Network Management Servers

    Network management systems create traffic, such as ICMP (Internet Control Message Protocol) sweeps, to discover hosts. QRadar SIEM might consider this traffic threatening. To ignore this behavior and define your network management systems, edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the Network Management Servers (NMS) and of any other hosts that normally perform network discovery or monitoring.

    BB:HostDefinition: Proxy Servers

    Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the proxy servers.

    Edit this building block only if you have sufficient detection on the proxy server itself. Editing this building block prevents offense creation for attacks that are targeted at or sourced from the proxy server. This adjustment is useful when hundreds of hosts use a single proxy server: if any one of those hosts is infected with spyware, its traffic appears to come from the single IP address of the proxy server.

    BB:HostDefinition: VA Scanner Source IP

    Vulnerability assessment products launch attacks that can result in offense creation. To avoid this behavior and define vulnerability assessment products, or any server that you want to ignore as a source, edit the "and when the source IP is one of the following" test to include the IP addresses of the following scanners:

    • VA scanners
    • Authorized scanners

    BB:HostDefinition: Virus Definition and Other Update Servers

    Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of virus protection servers and other update servers.

    BB:Category Definition: Countries with no Remote Access

    Edit the "and when the source is located in" test to include the geographic locations from which you want to prevent access to your network. This change enables rules, such as Anomaly: Remote Access from Foreign Country, to create an offense when successful logins are detected from those locations.

    BB:ComplianceDefinition: GLBA Servers

    Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are in scope for Gramm-Leach-Bliley Act (GLBA) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.

    BB:ComplianceDefinition: HIPAA Servers

    Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are in scope for Health Insurance Portability and Accountability Act (HIPAA) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.

    BB:ComplianceDefinition: SOX Servers

    Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are in scope for Sarbanes-Oxley Act (SOX) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.

    BB:ComplianceDefinition: PCI DSS Servers

    Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of servers that are in scope for Payment Card Industry Data Security Standard (PCI DSS) compliance. By populating this building block, you can use rules such as Compliance: Excessive Failed Logins to Compliance IS, which create offenses for compliance and regulation-based situations.

    BB:NetworkDefinition: Broadcast Address Space

    Edit the "and when either the source or destination IP is one of the following" test to include the broadcast addresses of your network. This change removes false positive events that might be caused by the use of broadcast messages.

    BB:NetworkDefinition: Client Networks

    Edit the "and when the local network is" test to include the workstation networks that your users operate from. This test selects networks from the QRadar network hierarchy, so the networks must be defined there first.

    BB:NetworkDefinition: Server Networks

    Edit the "and when the local network is" test to include your server networks.

    BB:NetworkDefinition: Darknet Addresses

    Edit the "and when the local network is" test to include the networks that you consider to be a darknet, that is, address space in which no legitimate host should be active. Any traffic or events that are directed towards a darknet are considered suspicious.

    BB:NetworkDefinition: DLP Addresses

    Edit the "and when any IP is a part of any of the following" test to include the remote services that might be used to move information out of the network, such as webmail hosts or file sharing sites.

    BB:NetworkDefinition: DMZ Addresses

    Edit the "and when the local network is" test to include the networks that you consider to be part of your DMZ.

    BB:PortDefinition: Authorized L2R Ports

    Edit the "and when the destination port is one of the following" test to include the common outbound (local-to-remote, L2R) ports that are allowed on your network.

    BB:NetworkDefinition: Watch List Addresses

    Edit the "and when the local network is" test to include the remote networks that are on a watch list. This change helps to identify events from hosts that are on a watch list.

    BB:FalsePositive: User Defined Server Type False Positive Category

    Edit this building block to include any categories that you want to consider as false positives for the hosts that are defined in the BB:HostDefinition: User Defined Server Type building block.

    BB:FalsePositive: User Defined Server Type False Positive Events

    Edit this building block to include any events that you want to consider as false positives for the hosts that are defined in the BB:HostDefinition: User Defined Server Type building block.

    BB:HostDefinition: User Defined Server Type

    Edit this building block to include the IP addresses of your custom server type. After you add the servers, add any events or categories that you want to consider as false positives for those servers to the BB:FalsePositive: User Defined Server Type False Positive Category or BB:FalsePositive: User Defined Server Type False Positive Events building blocks.

    You can include a CIDR range or subnet in any of these building blocks, including the BB:HostDefinition building blocks, instead of listing individual IP addresses. For example, 192.168.1.0/24 includes the addresses 192.168.1.0 to 192.168.1.255. Remember that every address in such a range is then treated the way the building block describes, so do not add a range that is wider than the hosts you actually intend to exclude.

    Tip: For more information, see the IBM QRadar Administration Guide.

    Use the IBM QRadar Use Case Manager to review your building blocks. Download the app at the IBM® Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/bf01ee398bde8e5866fe51d0e1ee684a).
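    Before you paste address lists into the host and network definition building blocks above, it is worth sanity-checking them, because an over-broad CIDR in a building block such as BB:HostDefinition: VA Scanner Source IP or BB:HostDefinition: Proxy Servers silently suppresses offenses for every host in that range. The following Python script is an added example, not part of the IBM QRadar documentation or of the product itself. The building block names are real; the address lists are constructed sample data, and the /24 threshold for what counts as "too broad" is an assumption to adjust for your environment. It accepts both the standard 192.168.1.0/24 form and the abbreviated 192.168.1/24 form, flags broad ranges and duplicate entries, and reports addresses that appear in more than one building block, which is usually a copy-and-paste error.

```python
"""Sanity-check host and network lists before entering them into QRadar
building blocks.

Added example, not part of the IBM QRadar documentation or product.
Building block names are real; the address lists are constructed sample
data; MAX_SUPPRESSION_PREFIX is an assumption.
"""
import ipaddress

# Constructed sample input: what an analyst intends to put into each
# "... IP is one of the following" test. It deliberately contains an
# over-broad range (10.0.0.0/8) and a duplicate (10.10.9.5).
BUILDING_BLOCKS = {
    "BB:NetworkDefinition: NAT Address Range": ["203.0.113.10", "203.0.113.11"],
    "BB:HostDefinition: Network Management Servers": ["10.10.5.20", "10.10.5.21"],
    "BB:HostDefinition: Proxy Servers": ["10.10.8.0/24"],
    "BB:HostDefinition: VA Scanner Source IP": ["10.0.0.0/8", "10.10.9.5", "10.10.9.5"],
}

# Assumption: an IPv4 entry wider than a /24 is suspicious in a building
# block whose purpose is to suppress offense creation.
MAX_SUPPRESSION_PREFIX = 24


def parse_entries(entries):
    """Normalise a mixed list of IPs and CIDRs into ip_network objects.

    Returns (networks, unparseable_entries). The abbreviated IPv4 form
    "192.168.1/24" is expanded to "192.168.1.0/24" before parsing.
    """
    nets, bad = [], []
    for raw in entries:
        text = raw.strip()
        if "/" in text and ":" not in text:  # IPv4 CIDR, possibly abbreviated
            host, plen = text.split("/", 1)
            octets = host.split(".")
            while len(octets) < 4:
                octets.append("0")
            text = ".".join(octets) + "/" + plen
        try:
            # strict=False so a host bit set inside the prefix is not an error
            nets.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            bad.append(raw)
    return nets, bad


def audit(building_blocks, max_prefix=MAX_SUPPRESSION_PREFIX):
    """Return a list of (building_block_name, problem) findings."""
    findings = []
    parsed = {}
    for name, entries in building_blocks.items():
        nets, bad = parse_entries(entries)
        for raw in bad:
            findings.append((name, f"unparseable entry {raw!r}"))
        unique = []
        for net in nets:
            if net in unique:
                findings.append((name, f"duplicate entry {net}"))
                continue
            unique.append(net)
            if net.version == 4 and net.prefixlen < max_prefix:
                findings.append((name, f"{net} covers {net.num_addresses} addresses; "
                                       "offenses involving any of them can be suppressed"))
        parsed[name] = unique

    # Cross-check: the same address in two building blocks is usually a mistake.
    names = list(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            for a in parsed[first]:
                for b in parsed[second]:
                    if a.overlaps(b):
                        findings.append((first, f"{a} overlaps {b} in {second}"))
    return findings


if __name__ == "__main__":
    for block, problem in audit(BUILDING_BLOCKS):
        print(f"{block}: {problem}")
```

    Run it against the lists you intend to enter; an empty result means every entry parsed, nothing is wider than the threshold, and no address is claimed by two building blocks at once.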