Compliance

Use the IBM Security QRadar Compliance Content Extension to enhance the base compliance content set for new QRadar installations.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Compliance Content Extension 1.1.2

The AccountName custom property has been removed.

IBM Security QRadar Compliance Content Extension 1.1.1

The following rules and building blocks are removed in the IBM Security QRadar Compliance Content Extension 1.1.1 and have been added to the Network Anomaly content pack.

  • BB:Policy Violation: IRC IM Policy Violation: IM Communications
  • Compliance: Traffic from DMZ to Internal Network
  • Remote: FTP Detected on Non-Standard Port
  • Remote: Local P2P Client Connected to more than 100 Servers
  • Remote: Local P2P Client Detected
  • Remote: Local P2P Server Detected
  • Remote: SSH or Telnet Detected on Non-Standard Port
  • Remote: Suspicious Amount of IM/Chat Traffic

IBM Security QRadar Compliance Content Extension 1.1.0

The following table shows the rules that are updated in IBM Security QRadar Compliance Content Extension 1.1.0.

Table 1. Rules in IBM Security QRadar Compliance Content Extension 1.1.0
Name Description
Excessive Firewall Accepts From Multiple Sources to a Single Destination Triggers on repeated firewall requests from different sources to a single host. This could indicate a denial of service attack or network flooding by a malicious attacker.
Remote: Usenet Usage Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.

The following rules and building blocks are removed in IBM Security QRadar Compliance Content Extension 1.1.0. They are available for use in the Endpoint Content Extension.

  • BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts
  • BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts
  • Remote: Remote Desktop Access from the Internet
  • Remote: VNC Access from the Internet to a Local Host

IBM Security QRadar Compliance Content Extension 1.0.8

The following table shows the rules and building blocks that are updated in IBM Security QRadar Compliance Content Extension 1.0.8.

Table 2. Rules and Building Blocks in IBM Security QRadar Compliance Content Extension 1.0.8
Name Description
Building Block Trusted Destination Network Segment Changed the name from Trusted Source Network Segment. Set the rule filter to use destination network.
Building Block Trusted Source Network Segment Changed the name from Trusted Destination Network Segment. Added Network Definition as the group. Set the rule filter to use source network.
Rule Remote: FTP Detected on Non-Standard Port Changed the name from Remote: Hidden FTP Server.
Rule Remote: Suspicious Amount of IM/Chat Traffic Changed the name from Remote: IM/Chat.

IBM Security QRadar Compliance Content Extension 1.0.7

Default QRadar content that was previously included in this content extension has been removed. Removing this content from the content extension prevents it from being unnecessarily reimported during the content extension installation.

The following table shows the reports that are updated in IBM Security QRadar Compliance Content Extension 1.0.7.

Table 3. Reports in IBM Security QRadar Compliance Content Extension 1.0.7
Report Name Search Name and Dependencies
Weekly Login Failures to Disabled or Expired Accounts Displays failed login attempts to accounts that are disabled or expired.

IBM Security QRadar Compliance Content Extension 1.0.6

Saved searches are now shared by default. All building blocks are now in groups.

IBM Security QRadar Compliance Content Extension 1.0.5

The following table shows the custom properties that are included in IBM Security QRadar Compliance Content Extension 1.0.5.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

Table 4. Custom Properties in IBM Security QRadar Compliance Content Extension 1.0.5
Custom Property Found in
AccountName Microsoft Windows

The following table shows the building block in IBM Security QRadar Compliance Content Extension 1.0.5.

Table 5. Building Block in IBM Security QRadar Compliance Content Extension 1.0.5
Name Description
BB:CategoryDefinition: Auditing Changed Added new QIDs and removed some other QIDs.

IBM Security QRadar Compliance Content Extension 1.0.4

The following table shows the custom properties that are new or updated in IBM Security QRadar Compliance Content Extension 1.0.4.

Table 6. Custom Properties in IBM Security QRadar Compliance Content Extension 1.0.4
Name Optimized Capture Group Regex
AccountName Yes 2 Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+
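The AccountName regex from the table above, applied to a constructed Windows logon payload, as an added example (this is not IBM's code and not part of the content extension). It shows why capture group 2 is the group that yields the logged-on account rather than the calling account, and what the pattern returns when a payload carries only one Account Name field or ends with the account name. The sample payloads, the function names, the comparison helper and the single-line, tab-separated layout are all assumptions made for the example.

```python
import re

# Regex and capture group exactly as listed for the AccountName custom
# property in the table above (the only values taken from the page).
ACCOUNT_NAME_REGEX = re.compile(r"Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+")
ACCOUNT_NAME_GROUP = 2


def extract_account_name(payload: str, group: int = ACCOUNT_NAME_GROUP):
    """Apply the custom-property regex to one event payload.

    Returns the requested capture group, or None when the pattern does not
    match (the property would then simply not be populated).
    """
    match = ACCOUNT_NAME_REGEX.search(payload)
    return match.group(group) if match else None


def all_account_names(payload: str):
    """Comparison helper (an assumption, not the extension's regex): every
    'Account Name:' value in order, each matched as one non-space token."""
    return re.findall(r"Account Name:\s*(\S+)", payload)


# Constructed sample payload in the style of a Windows 'successfully logged
# on' event as it would arrive on a single syslog line with tab separators
# (assumption; field order mirrors the Subject / New Logon layout).
SAMPLE_LOGON = (
    "An account was successfully logged on.\t"
    "Subject:\tSecurity ID:\tS-1-5-18\tAccount Name:\tWKS01$\t"
    "Account Domain:\tCORP\tLogon ID:\t0x3E7\tLogon Type:\t3\t"
    "New Logon:\tSecurity ID:\tS-1-5-21-1-2-3-1001\tAccount Name:\tjdoe\t"
    "Account Domain:\tCORP\tLogon ID:\t0x1A2B3C"
)

# Constructed edge cases: only one 'Account Name:' field, and a payload that
# ends right after the second account name with no trailing whitespace.
SINGLE_NAME_PAYLOAD = "Logon attempt.\tAccount Name:\tsvc-backup\tAccount Domain:\tCORP"
TRAILING_NAME_PAYLOAD = "Subject:\tAccount Name:\tWKS01$\tNew Logon:\tAccount Name:\tjdoe"

if __name__ == "__main__":
    # Group 2 is the New Logon account; group 1 swallows every field between
    # the two 'Account Name:' labels because '.' also matches tabs and spaces.
    print("group 2 (target account):", extract_account_name(SAMPLE_LOGON))
    print("group 1 (over-captures):", extract_account_name(SAMPLE_LOGON, group=1))
    print("single field:", extract_account_name(SINGLE_NAME_PAYLOAD))
    print("no trailing whitespace:", extract_account_name(TRAILING_NAME_PAYLOAD))
    print("all names:", all_account_names(SAMPLE_LOGON))
```

Two things worth checking before relying on the property: the pattern needs two Account Name fields, so single-account events leave it empty, and the final `\s+` needs whitespace after the second name, so a payload that ends with the account name also leaves it empty.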

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Compliance Content Extension 1.0.4.

Table 7. Rules and Building Blocks in IBM Security QRadar Compliance Content Extension 1.0.4
Type Name Description
Building Block BB:DeviceDefinition: FW / Router / Switch Defines all firewalls, routers, and switches on the system.
Building Block BB:DeviceDefinition: IDS / IPS Defines all intrusion detection systems (IDS) and intrusion prevention systems (IPS) on the system.
Building Block BB:DeviceDefinition: VPN Defines all virtual private networks (VPN) on the system.
Building Block BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination Identifies flows that have an illegal TCP flag combination.
Building Block BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code Identifies Internet Control Message Protocol (ICMP) flows with suspicious ICMP type codes.
Building Block BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 Identifies suspicious flows using port 0.
Building Block BB:CategoryDefinition: Superuser Accounts Defines usernames that are superuser accounts, such as admin and root.
Rule Possible Shared Accounts Detects shared accounts. You will need to add additional false positive system accounts.

IBM Security QRadar Compliance Content Extension 1.0.3

The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.3.

Table 8. Rules and Building Blocks in IBM Security QRadar Compliance Content Extension 1.0.3
Type Name Description
Building Block BB:CategoryDefinition: Authentication to Disabled Account Added the following QIDs:
  • 5001948: Failure Audit: An account failed to log on: Account Disabled
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time
Rule Compliance: Traffic from Untrusted Network to Trusted Network The rule test for this rule now triggers when a flow or event matches BB:NetworkDefinition: Untrusted Network Segment plus any of the following building blocks:
  • BB:NetworkDefinition: Trusted Source Network Segment
  • BB:NetworkDefinition: Trusted Destination Network Segment

IBM Security QRadar Compliance Content Extension 1.0.2

The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.2.

Table 9. Rules and Building Blocks in IBM Security QRadar Compliance Content Extension 1.0.2
Type Name Description
Building Block BB:Suspicious: Remote: Unidirectional UDP or Misc Flows The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows.
Building Block BB:Suspicious: Local: Unidirectional UDP or Misc Flows The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows.

IBM Security QRadar Compliance Content Extension 1.0.1

The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.1.

Table 10. Rules and Building Blocks in IBM Security QRadar Compliance Content Extension 1.0.1
Type Name Description
Building Block BB:NetworkDefinition: Trusted Destination Network Segment References the default network hierarchy. Update this building block if you are using a different network hierarchy.
Building Block BB:NetworkDefinition: Trusted Source Network Segment Updated the building block name to include Source Network. References the default network hierarchy. Update this building block if you are using a different network hierarchy.
Building Block BB:CategoryDefinition: Authentication to Disabled Account Added QID 5000475: Failure Audit: An account failed to log on.
Building Block BB:CategoryDefinition: Authentication to Expired Account Added the following QIDs:
  • 5001653: An account failed to log on. The specified account's password has expired.
  • 5001654: The domain controller failed to validate the credentials for an account.
Building Block BB:DeviceDefinition: FW/Router/Switch No updates. Dependent on another rule and must be included in the extension framework.
Rule Compliance: Traffic from Untrusted Network to Internal Network Added new BB:NetworkDefinition: Trusted Destination Network Segment.
Rule Compliance: Traffic from DMZ to Internal Network Added new rule test: BB:DeviceDefinition: FW/Router/Switch. References the default network hierarchy. Update this rule if you are using a different network hierarchy.

IBM Security QRadar Compliance Content Extension 1.0.0

The following table shows the custom properties, searches, reference sets, and reports in IBM Security QRadar Compliance Content Extension 1.0.0.

Table 11. Custom Properties, Searches, Reference Sets, and Reports in IBM Security QRadar Compliance Content Extension 1.0.0
Type Name
Custom Event Property Account Name
Event searches Admin Logout by IP
Event searches By Host Virus Summary
Event searches By User Virus Summary
Event searches Daily Policy Violation Summary
Event searches DOS Attack by Source IP
Event searches DOS Attack by Type
Event searches DOS Attacks by Destination IP
Event searches Event Category Distribution
Event searches Exploit by Source
Event searches Exploits by Destination
Event searches Exploits by Type
Event searches Groups Changed from Remote Hosts
Event searches IDP Activity by Category
Event searches IDP Activity by Event
Event searches IDP Activity by Log Source
Event searches Log Failures to Expired or Disabled Accounts
Event searches Remote Access Failures (VPN and Others)
Event searches Remote Access Success (VPN and Other)
Event searches Top Authentication Failures by User
Event searches Top Authentications by User
Event searches Top IDS/IDP/IPS Rules
Event searches Top IDS/IPS Alerts by Destination IP
Event searches User Account Added by User
Event searches User Account Modified by User
Event searches User Account Removed by User
Event searches VPN Activity by Category
Event searches VPN Activity by event
Event searches VPN Activity by Log Source
Event searches Web Requests by Destination
Event searches Web Requests by Log Source
Event searches Web Requests by Source
Event search Top IDS/IPS Alert by Country/Region
Flow search Bytes in by Destination ASN
Flow search Bytes in by Destination IF Index
Flow search Bytes in by Source ASN
Flow search Bytes in by Source IF Index
Flow search Link Utilization
Flow search Top Destination Networks - Internal
Flow search Top Source Networks
Reference set Database Servers
Reference set DHCP Servers
Reference set DNS Servers
Reference set FTP Servers
Reference set LDAP Servers
Reference set Mail Servers
Reference set Proxy Servers
Reference set SSH Servers
Reference set Web Servers
Reference set Windows Servers
Reports Daily ASN Traffic Summary
Reports Daily Attacker and Target Summary
Reports Daily Category Distribution
Reports Daily IDP-IDS Activity Summary
Reports Daily IfIndex Traffic Summary
Reports Daily Log/Event Distribution by Category
Reports Daily Network DOS Summary
Reports Daily Network Exploit Summary
Reports Daily Policy Violation Summary
Reports Daily User Account Activity Summary
Reports Daily Virus Summary
Reports Daily VPN Activity Summary
Reports Daily Web Access Summary
Reports Last 20 Failed Logins
Reports Last 20 Logoffs
Reports Last 20 Successful Logins
Reports Monthly ASN Traffic Summary
Reports Monthly Category Distribution
Reports Monthly IDP-IDS Activity Summary
Reports Monthly IfIndex Traffic Summary
Reports Monthly Network DOS Summary
Reports Monthly Network Exploit Summary
Reports Monthly Policy Violation Summary
Reports Monthly User Account Activity Summary
Reports Monthly Virus Summary
Reports Monthly VPN Activity Summary
Reports Monthly Web Access Summary
Reports Network Traffic Volume
Reports Weekly ASN Traffic Summary
Reports Weekly Category Distribution
Reports Weekly Group Changes from Remote Hosts
Reports Weekly IDP-IDS Activity Summary
Reports Weekly IfIndex Traffic Summary
Reports Weekly Login Failures to Disabled or Enabled Accounts
Reports Weekly Network DOS Summary
Reports Weekly Network Exploit Summary
Reports Weekly Policy Violation Summary
Reports Weekly User Account Activity Summary
Reports Weekly Virus Summary
Reports Weekly VPN Activity Summary
Reports Weekly Web Access Summary

The following table shows the rules and building blocks in IBM Security QRadar Compliance Content Extension 1.0.0.

Table 12. Rules and Building Blocks in IBM Security QRadar Compliance Content Extension 1.0.0
Type Name Description
Building Block BB:DeviceDefinition: IDS / IPS Defines all IDS and IPSs on the system.
Building Block BB:CategoryDefinition: Suspicious Flows Edit this building block to include all events that indicate suspicious activity.
Building Block BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow Identifies flows that have been active for more than 48 hours.
Building Block BB:CategoryDefinition: Suspicious Events Edit this building block to include all events that indicate suspicious activity.
Building Block BB:CategoryDefinition: Unidirectional Flow SRC  
Building Block BB:Flowshape: Outbound Only Matches flows that are outbound only.
Building Block BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets Identifies flows with abnormally large ICMP packets
Building Block BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 Identifies suspicious flows using port 0.
Building Block BB:CategoryDefinition: System Errors and Failures Edit this building block to include all events that may indicate a system error or failure. By default, this building block applies when the event category for the event is one of the following System categories: Service Failure, System Error, System Failure.
Building Block BB:CategoryDefinition: Suspicious Event Categories Edit this building block to include all events that indicate suspicious activity.
Building Block BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows Identifies bidirectional traffic that doesn't include payload.
Building Block BB:CategoryDefinition: Unidirectional Flow  
Building Block BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys Identifies traffic where ICMP replies are seen with no request.
Building Block BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows Identifies unidirectional ICMP flows.
Building Block BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination Identifies flows that have an illegal TCP flag combination.
Building Block BB:Flowshape: Inbound Only This building block will match flows that are inbound only.
Building Block BB:CategoryDefinition: Unidirectional Flow DST  
Building Block BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows Identifies unidirectional TCP flows.
Building Block BB:NetworkDefinition: Honeypot like Addresses Edit this building block by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.
Building Block BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code Identifies ICMP flows with suspicious ICMP type codes.
Building Block BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets Identifies flows with abnormally large DNS packets
Building Block BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows Identifies unidirectional UDP and other miscellaneous flows.
Building Block BB:DeviceDefinition: VPN Defines all VPNs on the system.
Building Block BB:CategoryDefinition: Authentication Success Edit this building block to include all events that indicate successful attempts to access the network.
Building Block BB:CategoryDefinition: Authentication Failures Edit this building block to include all events that indicate an unsuccessful attempt to access the network.
Building Block BB:CategoryDefinition: Authentication to Disabled Account Edit this building block to include all events that indicate failed attempts to access the network using a disabled account.
Building Block BB:CategoryDefinition: Authentication to Expired Account Edit this building block to include all events that indicate failed attempts to access the network using an expired account.
Building Block BB:HostDefinition: Database Servers Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks.
Building Block BB:PortDefinition: Database Ports Edit this building block to include all common database ports.
Building Block BB:HostReference: Database Servers  
Building Block BB:CategoryDefinition: Countries/Regions with no Remote Access Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule.
Building Block BB:CategoryDefinition: Successful Communication Defines flows which are typical of a successful communication. If you are paranoid, you may wish to drop the ratio to 64 bytes/packet; however, this will cause a lot of false positives and may require further tuning using flags and other properties.
Building Block BB:CategoryDefinition: Superuser Accounts  
Building Block BB:CategoryDefinition: IRC Detected Based on Application Identifies IRC traffic that has been identified by application testing.
Building Block BB:CategoryDefinition: IRC Detected Based on Event Category Identifies IRC traffic that has been identified by events or categories.
Building Block BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet Identifies an IRC connection to a remote host.
Building Block BB:CategoryDefinition: IRC Detection Based on Firewall Events Identifies IRC traffic that has been identified by events or categories.
Building Block BB:CategoryDefinition: Firewall or ACL Accept Edit this building block to include all events that indicate access to the firewall.
Building Block BB:PortDefinition: IRC Ports Edit this building block to include all common IRC ports.
Building Block BB:ComplianceDefinition: GLBA Servers Edit this building block to include your GLBA IP systems. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block BB:ComplianceDefinition: HIPAA Servers Edit this building block to include your HIPAA Servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block BB:ComplianceDefinition: SOX Servers Edit this building block to include your SOX IP Servers. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block BB:ComplianceDefinition: PCI DSS Servers Edit this building block to include your PCI DSS Servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block BB:NetworkDefinition: Untrusted Network Segment Untrusted network locations typically used in rules to detect when an untrusted location is communicating to a trusted location.
Building Block BB:NetworkDefinition: Untrusted Local Networks  
Building Block BB:NetworkDefinition: Inbound Communication from Internet to Local Host  
Building Block BB:NetworkDefinition: Trusted Source Network Segment  
Building Block BB:CategoryDefinition: System or Device Configuration Change  
Building Block BB:CategoryDefinition: Auditing Changed  
Building Block BB:PortDefinition: Authorized L2R Ports Defines ports that are commonly seen in local to remote traffic.
Building Block BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage Identifies flows that are using unencrypted protocols like telnet and FTP.
Building Block BB:HostDefinition: DHCP Servers Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:FalsePositive: DHCP Server False Positive Categories and BB:FalsePositive: DHCP Server False Positive Events building blocks.
Building Block BB:PortDefinition: DHCP Ports Edit this building block to include all common DHCP ports.
Building Block BB:Policy Violation: IRC IM Policy Violation: IM Communications Identifies flows that have been identified as Instant Messaging communications.
Building Block BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts Identifies flows where a remote desktop application is being accessed from a remote host.
Building Block BB:Policy Violation: Application Policy Violation: NNTP to Internet Identifies NNTP traffic to the internet.
Building Block BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts Identifies flows where a VNC service is being accessed from a remote host.
Building Block BB:HostDefinition: Servers Edit this building block to define generic servers.
Building Block BB:HostDefinition: DNS Servers Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positive Categories and BB:FalsePositive: DNS Server False Positive Events building blocks.
Building Block BB:PortDefinition: DNS Ports Edit this building block to include all common DNS ports.
Building Block BB:HostDefinition: FTP Servers Edit this building block to define typical FTP servers. This building block is used in conjunction with the BB:FalsePositive: FTP Server False Positive Categories and BB:FalsePositive: FTP Server False Positive Events building blocks.
Building Block BB:PortDefinition: FTP Ports Edit this building block to include all common FTP ports.
Building Block BB:HostDefinition: LDAP Servers Edit this building block to define typical LDAP servers. This building block is used in conjunction with the BB:FalsePositive: LDAP Server False Positive Categories and BB:FalsePositive: LDAP Server False Positive Events building blocks.
Building Block BB:PortDefinition: LDAP Ports Edit this building block to include all common ports used by LDAP servers.
Building Block BB:HostDefinition: Mail Servers Edit this building block to define typical mail servers. This building block is used in conjunction with the BB:FalsePositive: Mail Server False Positive Categories and BB:FalsePositive: Mail Server False Positive Events building blocks.
Building Block BB:PortDefinition: Mail Ports Edit this building block to include all common ports used by mail servers.
Building Block BB:HostDefinition: Network Management Servers Edit this building block to define typical network management servers.
Building Block BB:HostDefinition: Proxy Servers Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:FalsePositive: Proxy Server False Positive Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks.
Building Block BB:HostDefinition: RPC Servers Edit this building block to define typical RPC servers. This building block is used in conjunction with the BB:FalsePositive: RPC Server False Positive Categories and BB:FalsePositive: RPC Server False Positive Events building blocks.
Building Block BB:PortDefinition: RPC Ports Edit this building block to include all common ports used by RPC servers.
Building Block BB:HostDefinition: SNMP Sender or Receiver Edit this building block to define SNMP senders or receivers. This building block is used in conjunction with the BB:PortDefinition: SNMP Ports building block.
Building Block BB:PortDefinition: SNMP Ports Edit this building block to include all common ports used by SNMP senders or receivers.
Building Block BB:HostDefinition: SSH Servers Edit this building block to define typical SSH servers. This building block is used in conjunction with the BB:FalsePositive: SSH Server False Positive Categories and BB:FalsePositive: SSH Server False Positive Events building blocks.
Building Block BB:PortDefinition: SSH Ports Edit this building block to include all common ports used by SSH servers.
Building Block BB:HostDefinition: Virus Definition and Other Update Servers Edit this building block to include all servers that include virus protection and update functions.
Building Block BB:HostDefinition: Web Servers Edit this building block to define typical web servers. This building block is used in conjunction with the BB:FalsePositive: Web Server False Positive Categories and BB:FalsePositive: Web Server False Positive Events building blocks.
Building Block BB:PortDefinition: Web Ports Edit this building block to include all common ports used by Web servers.
Building Block BB:HostDefinition: Windows Servers Edit this building block to define typical Windows servers, such as domain controllers or Exchange servers. This building block is used in conjunction with the BB:FalsePositive: Windows Server False Positive Categories and BB:FalsePositive: Windows Server False Positive Events building blocks.
Building Block BB:PortDefinition: Windows Ports Edit this building block to include all common ports used by Windows servers.
Building Block BB:ProtocolDefinition: Windows Protocols Edit this building block to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules.
Building Block BB:HostReference: DHCP Servers  
Building Block BB:HostReference: DNS Servers  
Building Block BB:HostReference: FTP Servers  
Building Block BB:HostReference: LDAP Servers  
Building Block BB:HostReference: Mail Servers  
Building Block BB:HostReference: Proxy Servers  
Building Block BB:HostReference: SSH Servers  
Building Block BB:HostReference: Web Servers  
Building Block BB:HostReference: Windows Servers  
Building Block BB:CategoryDefinition: Failure Service or Hardware Defines event categories that indicate failures within services or hardware.
Building Block BB:HostBased: Critical Events Defines event categories that indicate critical events.
Building Block BB:CategoryDefinition: Service Started  
Building Block BB:CategoryDefinition: Service Stopped  
Building Block BB:DeviceDefinition: FW / Router / Switch Defines all firewalls, routers, and switches on the system.
Building Block BB:NetworkDefinition: Trusted Destination Network Segment  
Building Block BB:Suspicious: Remote: Unidirectional UDP or Misc Flows Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
Building Block BB:Suspicious: Local: Unidirectional UDP or Misc Flows Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
Rule Login Failure to Disabled Account Reports a host login failure message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.
Rule Login Failure to Expired Account Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.
Rule Database Groups Changed from Remote Host Responds when groups on a database are changed from a remote network.
Rule Remote Access from Foreign Country/Region Reports successful logins or access from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block.
Rule Remote Inbound Communication from a Foreign Country/Region Reports traffic from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. SMTP and DNS have been removed from this test because you have little control over that activity. You may also have to remove web servers in the DMZ that are often probed by remote hosts with web scanners.
Rule No Activity for 60 Days Reports an account that has not logged in for over 60 days.
Rule Possible Shared Accounts Detects shared accounts. You will need to add additional false positive system accounts to the "and NOT when the event username matches the following ...." rule test.
Rule Remote: IRC Connections Detects a local host issuing an excessive number of IRC connections to the Internet.
Rule Compliance Events Become Offenses Reports compliance-based events, such as clear text passwords.
Rule Excessive Failed Logins to Compliance IS Reports excessive authentication failures to a compliance server within 10 minutes.
Rule Multiple Failed Logins to a Compliance Asset  
Rule Multiple Login Failures for Single Username Reports authentication failures for the same username.
Rule Multiple Login Failures from the Same Source Reports authentication failures on the same source IP address with different usernames more than 10 times within 5 minutes.
Rule Multiple Login Failures to the Same Destination Reports when an authentication failure event happens at least 10 times to the same destination IP address from different source IP addresses and usernames within 5 minutes.
Rule Compliance: Traffic from Untrusted Network to Trusted Network Traffic from an "untrusted" network segment is passed to a "trusted" network segment. You need to edit the building blocks for trusted and untrusted networks before enabling this rule.
Rule Compliance: Traffic from DMZ to Internal Network Traffic is passed from the DMZ to an internal network. This is typically not allowed under compliance regulations. You should make sure the DMZ object in the network hierarchy is defined before enabling this rule.
Rule Configuration Changes Made to Compliance Devices Detects when configuration changes are made to compliance devices. Before enabling this rule, add the compliance server log sources to the Compliance Servers log source group.
Rule Auditing Services Changed on Compliance Host Auditing services were changed on a compliance host. Before enabling this rule, be sure to define the hosts in the compliance definition building blocks and verify that the audit service change events for your hosts are in the BB:CategoryDefinition: Auditing Changed building block.
Rule Connection to Internet on Unauthorized Port Typically, internet connections are limited to common applications such as web traffic and mail. Other communications may be suspicious and should be investigated. Before enabling this rule, the BB:PortDefinition: Authorized L2R Ports building block must be edited with a list of acceptable ports.
Rule Create Offenses for All Chat Traffic based on Flows  
Rule Create Offenses for All Instant Messenger Traffic Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.
Rule Create Offenses for All P2P Usage Detects P2P traffic or any event categorized as P2P.
Rule Create Offenses for All Policy Events Reports policy events. By default, this rule is disabled. Enable this rule if you wish all events categorized as policy to create an offense.
Rule Create Offenses for All Porn Usage Reports any traffic that contains illicit materials or any event categorized as porn. By default, this rule is disabled. Enable this rule if you wish all events categorized as porn to create an offense.
Rule Local: Clear Text Application Usage Detects flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet, FTP, etc.
Rule New DHCP Server Discovered This rule will fire when a DHCP server is discovered on the network.
Rule New Host Discovered Detects when a new host has been discovered on the network.
Rule New Host Discovered in DMZ Detects when a new host has been discovered on the network.
Rule New Service Discovered Detects when an existing host has a new service discovered on it.
Rule New Service Discovered in DMZ Detects when an existing host has a new service discovered on it.
Rule Possible Local IRC Server Reports a local host running a service on a typical IRC port or a flow that was detected as IRC. This is not typical for enterprises and should be investigated.
Rule Remote: Clear Text Application Usage based on Flows Detects flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet, FTP, etc.
Rule Remote: Hidden FTP Server Detects a remote FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Rule Remote: IM/Chat Detects an excessive amount of IM/Chat traffic from a single source.
Rule Remote: Local P2P Client Connected to more than 100 Servers Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule Remote: Local P2P Client Detected Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule Remote: Local P2P Server connected to more than 100 Clients Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule Remote: Local P2P Server Detected Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule Remote: Remote Desktop Access from the Internet Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule.
Rule Remote: SSH or Telnet Detected on Non-Standard Port Detects an SSH or Telnet server on a non-standard port. The default port for SSH and Telnet servers is TCP port 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Rule Remote: Usenet Usage Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.
Rule Remote: VNC Access from the Internet to a Local Host Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule.
Rule Potential P2P or VoIP Traffic Detected Detects potential Peer-to-Peer traffic.
Rule Multiple System Errors Reports when a source has 10 system errors within 3 minutes.
Rule Host Based Failures This rule fires when the system sees events that indicate failures within services or hardware.
Rule Critical System Events This rule fires when the system sees critical events.
Rule Service Stopped and not Restarted Detects when a service has been stopped on a system and not restarted.