Compliance
Use the IBM Security QRadar Compliance Content Extension to enhance the base compliance content set for new QRadar installations.
- IBM Security QRadar Compliance Content Extension 1.1.2
- IBM Security QRadar Compliance Content Extension 1.1.1
- IBM Security QRadar Compliance Content Extension 1.1.0
- IBM Security QRadar Compliance Content Extension 1.0.8
- IBM Security QRadar Compliance Content Extension 1.0.7
- IBM Security QRadar Compliance Content Extension 1.0.6
- IBM Security QRadar Compliance Content Extension 1.0.5
- IBM Security QRadar Compliance Content Extension 1.0.4
- IBM Security QRadar Compliance Content Extension 1.0.3
- IBM Security QRadar Compliance Content Extension 1.0.2
- IBM Security QRadar Compliance Content Extension 1.0.1
- IBM Security QRadar Compliance Content Extension 1.0.0
IBM Security QRadar Compliance Content Extension 1.1.2
The AccountName custom property has been removed.
IBM Security QRadar Compliance Content Extension 1.1.1
The following rules and building blocks are removed from IBM Security QRadar Compliance Content Extension 1.1.1 and are now provided by the Network Anomaly content pack.
- BB:Policy Violation: IRC IM Policy Violation: IM Communications
- Compliance: Traffic from DMZ to Internal Network
- Remote: FTP Detected on Non-Standard Port
- Remote: Local P2P Client Connected to more than 100 Servers
- Remote: Local P2P Client Detected
- Remote: Local P2P Server Detected
- Remote: SSH or Telnet Detected on Non-Standard Port
- Remote: Suspicious Amount of IM/Chat Traffic
IBM Security QRadar Compliance Content Extension 1.1.0
The following table shows the rules that are updated in IBM Security QRadar Compliance Content Extension 1.1.0.
Name | Description |
---|---|
Excessive Firewall Accepts From Multiple Sources to a Single Destination | Triggers when repeated firewall accepts from different sources target a single host. This could indicate a denial of service attack or network flooding by a malicious attacker. |
Remote: Usenet Usage | Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy. |
The following rules and building blocks are removed in IBM Security QRadar Compliance Content Extension 1.1.0. They are available for use in the Endpoint Content Extension.
- BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts
- BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts
- Remote: Remote Desktop Access from the Internet
- Remote: VNC Access from the Internet to a Local Host
IBM Security QRadar Compliance Content Extension 1.0.8
The following table shows the rules and building blocks that are updated in IBM Security QRadar Compliance Content Extension 1.0.8.
Type | Name | Description |
---|---|---|
Building Block | Trusted Destination Network Segment | Changed the name from Trusted Source Network Segment. Set the rule filter to use destination network. |
Building Block | Trusted Source Network Segment | Changed the name from Trusted Destination Network Segment. Added Network Definition as the group. Set the rule filter to use source network. |
Rule | Remote: FTP Detected on Non-Standard Port | Changed the name from Remote: Hidden FTP Server. |
Rule | Remote: Suspicious Amount of IM/Chat Traffic | Changed the name from Remote: IM/Chat. |
IBM Security QRadar Compliance Content Extension 1.0.7
Default QRadar content that was previously included in this content extension has been removed. Removing this content from the content extension avoids reimporting it unnecessarily during the content extension installation.
The following table shows the reports that are updated in IBM Security QRadar Compliance Content Extension 1.0.7.
Report Name | Description |
---|---|
Weekly Login Failures to Disabled or Expired Accounts | Displays failed login attempts to accounts that are disabled or expired. |
IBM Security QRadar Compliance Content Extension 1.0.6
Saved searches are now shared by default. All building blocks are now in groups.
IBM Security QRadar Compliance Content Extension 1.0.5
The following table shows the custom properties that are included in IBM Security QRadar Compliance Content Extension 1.0.5.
Custom Property | Found in |
---|---|
AccountName | Microsoft Windows |
The following table shows the building block in IBM Security QRadar Compliance Content Extension 1.0.5.
Name | Description |
---|---|
BB:CategoryDefinition: Auditing Changed | Added new QIDs and removed some other QIDs. |
IBM Security QRadar Compliance Content Extension 1.0.4
The following table shows the custom properties that are new or updated in IBM Security QRadar Compliance Content Extension 1.0.4.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
AccountName | Yes | 2 | Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+ |
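As an added example (not code from the extension or from IBM's documentation), the following Python applies the 1.0.4 AccountName regex to a constructed Windows 4624 logon payload and shows why capture group 2 is the useful one, where the pattern stops matching, and how a name containing a space is truncated. The payloads, SIDs, names and logon IDs are made up, and the example assumes that Python's `re` behaves like the Java regex engine QRadar custom properties use for this particular pattern.

```python
import re
from typing import Optional

# Regex published for the 1.0.4 AccountName custom property. Capture group 2
# is the value of the *second* "Account Name:" field. In Windows 4624/4625
# events the first occurrence is the Subject (often SYSTEM or a machine
# account) and the second is the logon target ("New Logon" / "Account For
# Which Logon Failed"), which is the name a compliance report wants.
# Assumption: Python's re matches the Java regex engine QRadar uses for this
# pattern; in both, '.' stops at a newline unless told otherwise.
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+")

# Same pattern with '.' allowed to cross line breaks.
ACCOUNT_NAME_RE_DOTALL = re.compile(ACCOUNT_NAME_RE.pattern, re.DOTALL)

# Constructed 4624 payload as a collector that flattens the message onto one
# line would forward it. Field names follow the real event layout; the SIDs,
# names and logon IDs are made up.
SAMPLE_4624_ONE_LINE = (
    "An account was successfully logged on. "
    "Subject: Security ID: S-1-5-18 Account Name: SYSTEM "
    "Account Domain: NT AUTHORITY Logon ID: 0x3E7 Logon Type: 3 "
    "New Logon: Security ID: S-1-5-21-1111-2222-3333-1001 Account Name: jdoe "
    "Account Domain: CORP Logon ID: 0x5A2B1 "
)

# The same constructed event with the original line breaks kept.
SAMPLE_4624_MULTILINE = (
    "An account was successfully logged on.\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tSYSTEM\n"
    "\tAccount Domain:\t\tNT AUTHORITY\n"
    "\tLogon ID:\t\t0x3E7\n"
    "Logon Type:\t\t\t3\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x5A2B1\n"
)

# Constructed: a target account whose name contains a space.
SAMPLE_SPACED_NAME = (
    "Subject: Account Name: SYSTEM Account Domain: NT AUTHORITY "
    "New Logon: Account Name: Service Desk Account Domain: CORP "
)


def extract_account_name(payload: str, dotall: bool = False) -> Optional[str]:
    """Return capture group 2 (the logon target), or None when the pattern
    does not match, which is what an empty custom property would show."""
    rx = ACCOUNT_NAME_RE_DOTALL if dotall else ACCOUNT_NAME_RE
    m = rx.search(payload)
    return m.group(2) if m else None


def extract_subject_account(payload: str) -> Optional[str]:
    """Capture group 1, kept only to show why the property uses group 2: on a
    flattened payload the lazy '.+?' swallows everything up to the second
    'Account Name:' field, so group 1 is not a clean account name."""
    m = ACCOUNT_NAME_RE.search(payload)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(extract_account_name(SAMPLE_4624_ONE_LINE))           # jdoe
    print(extract_account_name(SAMPLE_4624_MULTILINE))          # None
    print(extract_account_name(SAMPLE_4624_MULTILINE, True))    # jdoe
    print(extract_account_name(SAMPLE_SPACED_NAME))             # Service
    print(extract_subject_account(SAMPLE_4624_ONE_LINE)[:25])   # SYSTEM Account Domain: NT
```

Two practical consequences follow: a property built on this regex is empty for payloads that keep their line breaks unless the pattern is allowed to cross them, and the trailing `\s+` cuts a display name at its first space, so tune the regex against the payload format your log source actually delivers before relying on the property in reports.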
The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Compliance Content Extension 1.0.4.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system. |
Building Block | BB:DeviceDefinition: IDS / IPS | Defines all intrusion detection systems (IDS) and intrusion prevention systems (IPS) on the system. |
Building Block | BB:DeviceDefinition: VPN | Defines all virtual private networks (VPN) on the system. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies Internet Control Message Protocol (ICMP) flows with suspicious ICMP type codes. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0. |
Building Block | BB:CategoryDefinition: Superuser Accounts | Defines usernames that are superuser accounts, such as admin and root. |
Rule | Possible Shared Accounts | Detects shared accounts. You will need to add additional false positive system accounts. |
IBM Security QRadar Compliance Content Extension 1.0.3
The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.3.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs: |
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | The rule test for this rule now triggers when a flow or event matches BB:NetworkDefinition: Untrusted Network Segment plus any of the following rules: |
IBM Security QRadar Compliance Content Extension 1.0.2
The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.2.
Type | Name | Description |
---|---|---|
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows. |
Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows. |
IBM Security QRadar Compliance Content Extension 1.0.1
The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.1.
Type | Name | Description |
---|---|---|
Building Block | BB:NetworkDefinition: Trusted Destination Network Segment | References the default network hierarchy. Update this building block if you are using a different network hierarchy. |
Building Block | BB:NetworkDefinition: Trusted Source Network Segment | Updated the building block name to include Source Network. References the default network hierarchy. Update this building block if you are using a different network hierarchy. |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Added the following QIDs: |
Building Block | BB:DeviceDefinition: FW/Router/Switch | No updates. Dependent on another rule and must be included in the extension framework. |
Rule | Compliance: Traffic from Untrusted Network to Internal Network | Added the new BB:NetworkDefinition: Trusted Destination Network Segment building block. |
Rule | Compliance: Traffic from DMZ to Internal Network | Added new rule test: BB:DeviceDefinition: FW/Router/Switch. References the default network hierarchy. Update this rule if you are using a different network hierarchy. |
IBM Security QRadar Compliance Content Extension 1.0.0
The following table shows the custom properties, searches, reference sets, and reports in IBM Security QRadar Compliance Content Extension 1.0.0.
Type | Name |
---|---|
Custom Event Property | Account Name |
Event searches | Admin Logout by IP |
Event searches | By Host Virus Summary |
Event searches | By User Virus Summary |
Event searches | Daily Policy Violation Summary |
Event searches | DOS Attack by Source IP |
Event searches | DOS Attack by Type |
Event searches | DOS Attacks by Destination IP |
Event searches | Event Category Distribution |
Event searches | Exploit by Source |
Event searches | Exploits by Destination |
Event searches | Exploits by Type |
Event searches | Groups Changed from Remote Hosts |
Event searches | IDP Activity by Category |
Event searches | IDP Activity by Event |
Event searches | IDP Activity by Log Source |
Event searches | Log Failures to Expired or Disabled Accounts |
Event searches | Remote Access Failures (VPN and Others) |
Event searches | Remote Access Success (VPN and Other) |
Event searches | Top Authentication Failures by User |
Event searches | Top Authentications by User |
Event searches | Top IDS/IDP/IPS Rules |
Event searches | Top IDS/IPS Alerts by Destination IP |
Event searches | User Account Added by User |
Event searches | User Account Modified by User |
Event searches | User Account Removed by User |
Event searches | VPN Activity by Category |
Event searches | VPN Activity by event |
Event searches | VPN Activity by Log Source |
Event searches | Web Requests by Destination |
Event searches | Web Requests by Log Source |
Event searches | Web Requests by Source |
Event searches | Top IDS/IPS Alert by Country/Region |
Flow search | Bytes in by Destination ASN |
Flow search | Bytes in by Destination IF Index |
Flow search | Bytes in by Source ASN |
Flow search | Bytes in by Source IF Index |
Flow search | Link Utilization |
Flow search | Top Destination Networks - Internal |
Flow search | Top Source Networks |
Reference set | Database Servers |
Reference set | DHCP Servers |
Reference set | DNS Servers |
Reference set | FTP Servers |
Reference set | LDAP Servers |
Reference set | Mail Servers |
Reference set | Proxy Servers |
Reference set | SSH Servers |
Reference set | Web Servers |
Reference set | Windows Servers |
Reports | Daily ASN Traffic Summary |
Reports | Daily Attacker and Target Summary |
Reports | Daily Category Distribution |
Reports | Daily IDP-IDS Activity Summary |
Reports | Daily IfIndex Traffic Summary |
Reports | Daily Log/Event Distribution by Category |
Reports | Daily Network DOS Summary |
Reports | Daily Network Exploit Summary |
Reports | Daily Policy Violation Summary |
Reports | Daily User Account Activity Summary |
Reports | Daily Virus Summary |
Reports | Daily VPN Activity Summary |
Reports | Daily Web Access Summary |
Reports | Last 20 Failed Logins |
Reports | Last 20 Logoffs |
Reports | Last 20 Successful Logins |
Reports | Monthly ASN Traffic Summary |
Reports | Monthly Category Distribution |
Reports | Monthly IDP-IDS Activity Summary |
Reports | Monthly IfIndex Traffic Summary |
Reports | Monthly Network DOS Summary |
Reports | Monthly Network Exploit Summary |
Reports | Monthly Policy Violation Summary |
Reports | Monthly User Account Activity Summary |
Reports | Monthly Virus Summary |
Reports | Monthly VPN Activity Summary |
Reports | Monthly Web Access Summary |
Reports | Network Traffic Volume |
Reports | Weekly ASN Traffic Summary |
Reports | Weekly Category Distribution |
Reports | Weekly Group Changes from Remote Hosts |
Reports | Weekly IDP-IDS Activity Summary |
Reports | Weekly IfIndex Traffic Summary |
Reports | Weekly Login Failures to Disabled or Expired Accounts |
Reports | Weekly Network DOS Summary |
Reports | Weekly Network Exploit Summary |
Reports | Weekly Policy Violation Summary |
Reports | Weekly User Account Activity Summary |
Reports | Weekly Virus Summary |
Reports | Weekly VPN Activity Summary |
Reports | Weekly Web Access Summary |
The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: IDS / IPS | Defines all IDS and IPSs on the system. |
Building Block | BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all flows that indicate suspicious activity. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours. |
Building Block | BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity. |
Building Block | BB:CategoryDefinition: Unidirectional Flow SRC | |
Building Block | BB:Flowshape: Outbound Only | Matches flows that are outbound only. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0. |
Building Block | BB:CategoryDefinition: System Errors and Failures | Edit this building block to include all events that may indicate a system error or failure. By default, this building block applies when the event category for the event is one of the following System categories: Service Failure, System Error, System Failure. |
Building Block | BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload. |
Building Block | BB:CategoryDefinition: Unidirectional Flow | |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination. |
Building Block | BB:Flowshape: Inbound Only | Matches flows that are inbound only. |
Building Block | BB:CategoryDefinition: Unidirectional Flow DST | |
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows. |
Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies ICMP flows with suspicious ICMP type codes. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets. |
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows. |
Building Block | BB:DeviceDefinition: VPN | Defines all VPNs on the system. |
Building Block | BB:CategoryDefinition: Authentication Success | Edit this building block to include all events that indicate successful attempts to access the network. |
Building Block | BB:CategoryDefinition: Authentication Failures | Edit this building block to include all events that indicate an unsuccessful attempt to access the network. |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Edit this building block to include all events that indicate failed attempts to access the network using a disabled account. |
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Edit this building block to include all events that indicate failed attempts to access the network using an expired account. |
Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports. |
Building Block | BB:HostReference: Database Servers | |
Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule. |
Building Block | BB:CategoryDefinition: Successful Communication | Defines flows that are typical of a successful communication. For stricter matching you can lower the ratio to 64 bytes/packet, but this causes many false positives and may require further tuning using flags and other properties. |
Building Block | BB:CategoryDefinition: Superuser Accounts | |
Building Block | BB:CategoryDefinition: IRC Detected Based on Application | Identifies IRC traffic that has been identified by application testing. |
Building Block | BB:CategoryDefinition: IRC Detected Based on Event Category | Identifies IRC traffic that has been identified by events or categories. |
Building Block | BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet | Identifies an IRC connection to a remote host. |
Building Block | BB:CategoryDefinition: IRC Detection Based on Firewall Events | Identifies IRC traffic that has been identified by events or categories. |
Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Edit this building block to include all events that indicate access to the firewall. |
Building Block | BB:PortDefinition: IRC Ports | Edit this building block to include all common IRC ports. |
Building Block | BB:ComplianceDefinition: GLBA Servers | Edit this building block to include your GLBA servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc. |
Building Block | BB:ComplianceDefinition: HIPAA Servers | Edit this building block to include your HIPAA Servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc. |
Building Block | BB:ComplianceDefinition: SOX Servers | Edit this building block to include your SOX servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc. |
Building Block | BB:ComplianceDefinition: PCI DSS Servers | Edit this building block to include your PCI DSS Servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc. |
Building Block | BB:NetworkDefinition: Untrusted Network Segment | Defines untrusted network locations. Typically used in rules to detect when an untrusted location communicates with a trusted location. |
Building Block | BB:NetworkDefinition: Untrusted Local Networks | |
Building Block | BB:NetworkDefinition: Inbound Communication from Internet to Local Host | |
Building Block | BB:NetworkDefinition: Trusted Source Network Segment | |
Building Block | BB:CategoryDefinition: System or Device Configuration Change | |
Building Block | BB:CategoryDefinition: Auditing Changed | |
Building Block | BB:PortDefinition: Authorized L2R Ports | Defines ports that are commonly seen in local-to-remote traffic. |
Building Block | BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage | Identifies flows that are using unencrypted protocols such as Telnet and FTP. |
Building Block | BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:FalsePositive: DHCP Server False Positive Categories and BB:FalsePositive: DHCP Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: DHCP Ports | Edit this building block to include all common DHCP ports. |
Building Block | BB:Policy Violation: IRC IM Policy Violation: IM Communications | Identifies flows that have been identified as Instant Messaging communications. |
Building Block | BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Identifies flows where a remote desktop application is being accessed from a remote host. |
Building Block | BB:Policy Violation: Application Policy Violation: NNTP to Internet | Identifies NNTP traffic to the internet. |
Building Block | BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Identifies flows where a VNC service is being accessed from a remote host. |
Building Block | BB:HostDefinition: Servers | Edit this building block to define generic servers. |
Building Block | BB:HostDefinition: DNS Servers | Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positive Categories and BB:FalsePositive: DNS Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: DNS Ports | Edit this building block to include all common DNS ports. |
Building Block | BB:HostDefinition: FTP Servers | Edit this building block to define typical FTP servers. This building block is used in conjunction with the BB:FalsePositive: FTP Server False Positive Categories and BB:FalsePositive: FTP Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: FTP Ports | Edit this building block to include all common FTP ports. |
Building Block | BB:HostDefinition: LDAP Servers | Edit this building block to define typical LDAP servers. This building block is used in conjunction with the BB:FalsePositive: LDAP Server False Positive Categories and BB:FalsePositive: LDAP Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: LDAP Ports | Edit this building block to include all common ports used by LDAP servers. |
Building Block | BB:HostDefinition: Mail Servers | Edit this building block to define typical mail servers. This building block is used in conjunction with the BB:FalsePositive: Mail Server False Positive Categories and BB:FalsePositive: Mail Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: Mail Ports | Edit this building block to include all common ports used by mail servers. |
Building Block | BB:HostDefinition: Network Management Servers | Edit this building block to define typical network management servers. |
Building Block | BB:HostDefinition: Proxy Servers | Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:FalsePositive: Proxy Server False Positive Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks. |
Building Block | BB:HostDefinition: RPC Servers | Edit this building block to define typical RPC servers. This building block is used in conjunction with the BB:FalsePositive: RPC Server False Positive Categories and BB:FalsePositive: RPC Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: RPC Ports | Edit this building block to include all common ports used by RPC servers. |
Building Block | BB:HostDefinition: SNMP Sender or Receiver | Edit this building block to define SNMP senders or receivers. This building block is used in conjunction with the BB:PortDefinition: SNMP Ports building block. |
Building Block | BB:PortDefinition: SNMP Ports | Edit this building block to include all common ports used by SNMP senders or receivers. |
Building Block | BB:HostDefinition: SSH Servers | Edit this building block to define typical SSH servers. This building block is used in conjunction with the BB:FalsePositive: SSH Server False Positive Categories and BB:FalsePositive: SSH Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: SSH Ports | Edit this building block to include all common ports used by SSH servers. |
Building Block | BB:HostDefinition: Virus Definition and Other Update Servers | Edit this building block to include all servers that include virus protection and update functions. |
Building Block | BB:HostDefinition: Web Servers | Edit this building block to define typical web servers. This building block is used in conjunction with the BB:FalsePositive: Web Server False Positive Categories and BB:FalsePositive: Web Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: Web Ports | Edit this building block to include all common ports used by Web servers. |
Building Block | BB:HostDefinition: Windows Servers | Edit this building block to define typical Windows servers, such as domain controllers or Exchange servers. This building block is used in conjunction with the BB:FalsePositive: Windows Server False Positive Categories and BB:FalsePositive: Windows Server False Positive Events building blocks. |
Building Block | BB:PortDefinition: Windows Ports | Edit this building block to include all common ports used by Windows servers. |
Building Block | BB:ProtocolDefinition: Windows Protocols | Edit this building block to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules. |
Building Block | BB:HostReference: DHCP Servers | |
Building Block | BB:HostReference: DNS Servers | |
Building Block | BB:HostReference: FTP Servers | |
Building Block | BB:HostReference: LDAP Servers | |
Building Block | BB:HostReference: Mail Servers | |
Building Block | BB:HostReference: Proxy Servers | |
Building Block | BB:HostReference: SSH Servers | |
Building Block | BB:HostReference: Web Servers | |
Building Block | BB:HostReference: Windows Servers | |
Building Block | BB:CategoryDefinition: Failure Service or Hardware | Defines event categories that indicate failures within services or hardware. |
Building Block | BB:HostBased: Critical Events | Defines event categories that indicate critical events. |
Building Block | BB:CategoryDefinition: Service Started | |
Building Block | BB:CategoryDefinition: Service Stopped | |
Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system. |
Building Block | BB:NetworkDefinition: Trusted Destination Network Segment | |
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |
Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |
Rule | Login Failure to Disabled Account | Reports a host login failure message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user. |
Rule | Login Failure to Expired Account | Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages. |
Rule | Database Groups Changed from Remote Host | Responds when groups on a database are changed from a remote network. |
Rule | Remote Access from Foreign Country/Region | Reports successful logins or access from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. |
Rule | Remote Inbound Communication from a Foreign Country/Region | Reports traffic from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. SMTP and DNS have been removed from this test because you have little control over that activity. You may also have to remove web servers in the DMZ, which are often probed by remote hosts with web scanners. |
Rule | No Activity for 60 Days | Reports an account that has not logged in for over 60 days. |
Rule | Possible Shared Accounts | Detects shared accounts. You will need to add additional false positive system accounts to the rule test "and NOT when the event username matches the following ...". |
Rule | Remote: IRC Connections | Detects a local host issuing an excessive number of IRC connections to the Internet. |
Rule | Compliance Events Become Offenses | Reports compliance-based events, such as clear text passwords. |
Rule | Excessive Failed Logins to Compliance IS | Reports excessive authentication failures to a compliance server within 10 minutes. |
Rule | Multiple Failed Logins to a Compliance Asset | |
Rule | Multiple Login Failures for Single Username | Reports authentication failures for the same username. |
Rule | Multiple Login Failures from the Same Source | Reports authentication failures on the same source IP address with different usernames more than 10 times within 5 minutes. |
Rule | Multiple Login Failures to the Same Destination | Reports when an authentication failure event happens at least 10 times to the same destination IP address from different source IP address and username within 5 minutes. |
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | Detects traffic passed from an untrusted network segment to a trusted network segment. Edit the building blocks for trusted and untrusted networks before enabling this rule. |
Rule | Compliance: Traffic from DMZ to Internal Network | Detects traffic passed from the DMZ to an internal network. This is typically not allowed under compliance regulations. Make sure the DMZ object in the network hierarchy is defined before enabling this rule. |
Rule | Configuration Changes Made to Compliance Devices | Detects when configuration changes are made to compliance devices. Before enabling this rule, add the compliance server log sources to the Compliance Servers log source group. |
Rule | Auditing Services Changed on Compliance Host | Detects when auditing services are changed on a compliance host. Before enabling this rule, define the hosts in the compliance definition building blocks and verify that the events for audit service changes on your hosts are in the BB:CategoryDefinition: Auditing Changed building block. |
Rule | Connection to Internet on Unauthorized Port | Typically, internet connections are limited to common applications such as web traffic and mail. Other communications may be suspicious and should be investigated. Before enabling this rule, edit the BB:PortDefinition: Authorized L2R Ports building block with a list of acceptable ports. |
Rule | Create Offenses for All Chat Traffic based on Flows | |
Rule | Create Offenses for All Instant Messenger Traffic | Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote. |
Rule | Create Offenses for All P2P Usage | Detects P2P traffic or any event categorized as P2P. |
Rule | Create Offenses for All Policy Events | Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense. |
Rule | Create Offenses for All Porn Usage | Reports any traffic that contains illicit materials or any event categorized as porn. By default, this rule is disabled. Enable this rule if you want all events categorized as porn to create an offense. |
Rule | Local: Clear Text Application Usage | Detects flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet and FTP. |
Rule | New DHCP Server Discovered | Fires when a DHCP server is discovered on the network. |
Rule | New Host Discovered | Detects when a new host has been discovered on the network. |
Rule | New Host Discovered in DMZ | Detects when a new host has been discovered on the network. |
Rule | New Service Discovered | Detects when an existing host has a new service discovered on it. |
Rule | New Service Discovered in DMZ | Detects when an existing host has a new service discovered on it. |
Rule | Possible Local IRC Server | Reports a local host running a service on a typical IRC port or a flow that was detected as IRC. This is not typical for enterprises and should be investigated. |
Rule | Remote: Clear Text Application Usage based on Flows | Detects flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet and FTP. |
Rule | Remote: Hidden FTP Server | Detects a remote FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host. |
Rule | Remote: IM/Chat | Detects an excessive amount of IM/Chat traffic from a single source. |
Rule | Remote: Local P2P Client Connected to more than 100 Servers | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement. |
Rule | Remote: Local P2P Client Detected | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement. |
Rule | Remote: Local P2P Server connected to more than 100 Clients | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement. |
Rule | Remote: Local P2P Server Detected | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement. |
Rule | Remote: Remote Desktop Access from the Internet | Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule. |
Rule | Remote: SSH or Telnet Detected on Non-Standard Port | Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23, respectively. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host. |
Rule | Remote: Usenet Usage | Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy. |
Rule | Remote: VNC Access from the Internet to a Local Host | Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule. |
Rule | Potential P2P or VoIP Traffic Detected | Detects potential Peer-to-Peer traffic. |
Rule | Multiple System Errors | Reports when a source has 10 system errors within 3 minutes. |
Rule | Host Based Failures | This rule fires when the system sees events that indicate failures within services or hardware. |
Rule | Critical System Events | This rule fires when the system sees critical events. |
Rule | Service Stopped and not Restarted | Detects when a service has been stopped on a system and not restarted. |