RFISI
Use the IBM Security QRadar Ready for IBM Security Intelligence (RFISI) Content Extension to complement the RFISI Threat Intelligence app.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar RFISI Content Extension V1.0.1
The following building blocks are removed in IBM Security QRadar RFISI Content Extension V1.0.1, because they are already included in QRadar by default.
- BB:HostDefinition: Mail Servers
- BB:HostReference: Mail Servers
- BB:PortDefinition: Mail Ports
The following table shows the reference sets that are updated in IBM Security QRadar RFISI Content Extension V1.0.1.
Name | Description |
---|---|
Malicious URLs | Changed the refset element type to AlphaNumeric (Ignore Case). |
Malware URLs | Changed the refset element type to AlphaNumeric (Ignore Case). |
Phishing URLs | Changed the refset element type to AlphaNumeric (Ignore Case). |
Rogue Process Names | Changed the refset element type to AlphaNumeric (Ignore Case). |
Malware Hostnames | Changed the refset element type to AlphaNumeric (Ignore Case). |
Malware Hashes MD5 | Changed the refset element type to AlphaNumeric (Ignore Case). |
Malware Hashes SHA | Changed the refset element type to AlphaNumeric (Ignore Case). |
IBM Security QRadar RFISI Content Extension V1.0.0
The following table shows the rules and building blocks in IBM Security QRadar RFISI Content Extension V1.0.0.
Name | Description |
---|---|
RFISI: Internal Communication with a Malware URL | Notifies when an internal client loads a URL that is known to host malware. |
RFISI: Internal Connection to Address Hosting Malware | Notifies when an internal system communicates with an IP address that is considered to be hosting malware. |
RFISI: Internal Connection with Botnet Command and Control | Notifies when an internal host communicates with an IP address known to be a botnet command and control server. |
RFISI: Internal Hosts Communicating with Anonymizer Host | Notifies when an internal host appears to be using an anonymous proxy or VPN. This generally indicates a policy violation but may also signal insider threat activity. |
RFISI: Mail Server Sending Mail to SPAM Servers | Notifies when an internal mail server communicates with an IP address that is known to send spam. Typically, no legitimate mail server is considered a spam server, so this may indicate illicit activity or an internal infection. |
RFISI: Phishing Email sent to Internal Mail Server | Notifies when mail is received from a server associated with phishing campaigns. May indicate that insiders are being targeted for attack. |
BB:HostReference: Mail Servers | No updates. Dependent on another rule and must be included in the extension framework. |
BB:HostDefinition: Mail Servers | No updates. Dependent on another rule and must be included in the extension framework. |
BB:PortDefinition: Mail Ports | No updates. Dependent on another rule and must be included in the extension framework. |
The following table shows the reference data in IBM Security QRadar RFISI Content Extension V1.0.0.
Type | Name | Description |
---|---|---|
Reference Set | Malware Senders | Gets IP addresses of mail hosts known to send malicious emails (such as virus/malware attachments and HTML exploits). If the providers don’t distinguish between these and other spam, then all should go to the Spam Senders set. |
Reference Set | Anonymizer IPs | Gets IP addresses of known anonymizer services, such as VPN providers, Tor exit nodes, and other proxies. |
Reference Set | Botnet C&C IPs | Gets IP addresses known to be C&C servers rather than nodes. Where the provider doesn’t distinguish between nodes and C&C, all should go to the Botnet IP addresses set. |
Reference Set | Botnet IPs | Gets IP addresses associated with botnet activity. Intended for nodes rather than C&C IP addresses but if the provider doesn’t distinguish between them then both go in this set. |
Reference Set | Mail Servers | A list of mail servers in your environment. |
Reference Set | Malicious URLs | Gets URLs for browser exploits and some other exploit types. |
Reference Set | Malware Hashes MD5 | Gets MD5 sums of malware files. |
Reference Set | Malware Hashes SHA | Gets SHA (SHA-1, SHA-256, etc.) sums of malware files. |
Reference Set | Malware Hostnames | Gets the hosts (or IP addresses) of servers providing malware downloads. Hostnames are better due to virtual hosting. |
Reference Set | Malware IPs | Meant for IP addresses associated with malware post-exploit communications. |
Reference Set | Malware URLs | Gets URLs known to be malware downloads. |
Reference Set | Phishing IPs | Gets IP addresses associated with phishing attempts. |
Reference Set | Phishing Senders | Gets IP addresses of hosts that are known or suspected of sending phishing attempts. |
Reference Set | Phishing Subjects | Gets subject lines from email campaigns that are known to be phishing attempts. |
Reference Set | Phishing URLs | Gets the URLs associated with phishing emails. |
Reference Set | Rogue Process Names | Gets process names or executable names for known malware, Trojans, and other rogue processes. |
Reference Set | Spam Senders | Gets IP addresses of known spam servers. If the provider doesn’t distinguish between phishing and other spam then both go in this set. |
Reference Map of Maps | Malware Senders Data | Holds extended data related to the Malware Senders reference set. |
Reference Map of Maps | Anonymizer IPs Data | Holds extended data related to the Anonymizer IPs reference set. |
Reference Map of Maps | Botnet C&C IPs Data | Holds extended data related to the Botnet C&C IPs reference set. |
Reference Map of Maps | Botnet IPs Data | Holds extended data related to the Botnet IPs reference set. |
Reference Map of Maps | Malicious URLs Data | Holds extended data related to the Malicious URLs reference set. |
Reference Map of Maps | Malware Hashes MD5 Data | Holds extended data related to the Malware Hashes MD5 reference set. |
Reference Map of Maps | Malware Hashes SHA Data | Holds extended data related to the Malware Hashes SHA reference set. |
Reference Map of Maps | Malware Hostnames Data | Holds extended data related to the Malware Hostnames reference set. |
Reference Map of Maps | Malware IPs Data | Holds extended data related to the Malware IPs reference set. |
Reference Map of Maps | Malware URLs Data | Holds extended data related to the Malware URLs reference set. |
Reference Map of Maps | Phishing IPs Data | Holds extended data related to the Phishing IPs reference set. |
Reference Map of Maps | Phishing Senders Data | Holds extended data related to the Phishing Senders reference set. |
Reference Map of Maps | Phishing Subjects Data | Holds extended data related to the Phishing Subjects reference set. |
Reference Map of Maps | Phishing URLs Data | Holds extended data related to the Phishing URLs reference set. |
Reference Map of Maps | Rogue Process Names Data | Holds extended data related to the Rogue Process Names reference set. |
Reference Map of Maps | Spam Senders Data | Holds extended data related to the Spam Senders reference set. |