RFISI

Use the IBM Security QRadar Ready for IBM Security Intelligence (RFISI) Content Extension to complement the RFISI Threat Intelligence app.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar RFISI Content Extension V1.0.1

The following building blocks are removed in IBM Security QRadar RFISI Content Extension V1.0.1, because they are already included in QRadar by default.

  • BB:HostDefinition: Mail Servers
  • BB:HostReference: Mail Servers
  • BB:PortDefinition: Mail Ports

The following table shows the reference sets that are updated in IBM Security QRadar RFISI Content Extension V1.0.1.

Table 1. Reference Sets in IBM Security QRadar RFISI Content Extension V1.0.1

| Name | Description |
| --- | --- |
| Malicious URLs | Changed the reference set element type to AlphaNumeric (Ignore Case). |
| Malware URLs | Changed the reference set element type to AlphaNumeric (Ignore Case). |
| Phishing URLs | Changed the reference set element type to AlphaNumeric (Ignore Case). |
| Rogue Process Names | Changed the reference set element type to AlphaNumeric (Ignore Case). |
| Malware Hostnames | Changed the reference set element type to AlphaNumeric (Ignore Case). |
| Malware Hashes MD5 | Changed the reference set element type to AlphaNumeric (Ignore Case). |
| Malware Hashes SHA | Changed the reference set element type to AlphaNumeric (Ignore Case). |

IBM Security QRadar RFISI Content Extension V1.0.0

The following table shows the rules and building blocks in IBM Security QRadar RFISI Content Extension V1.0.0.

Table 2. Rules in IBM Security QRadar RFISI Content Extension V1.0.0

| Name | Description |
| --- | --- |
| RFISI: Internal Communication with a Malware URL | Notifies when an internal client loads a URL that is known to host malware. |
| RFISI: Internal Connection to Address Hosting Malware | Notifies when an internal system communicates with an IP address that is considered to be hosting malware. |
| RFISI: Internal Connection with Botnet Command and Control | Notifies when an internal host communicates with an IP address known to be a botnet command and control server. |
| RFISI: Internal Hosts Communicating with Anonymizer Host | Notifies when an internal host appears to be using an anonymous proxy or VPN. This generally indicates a policy violation but may also signal insider threat activity. |
| RFISI: Mail Server Sending Mail to SPAM Servers | Notifies when an internal mail server communicates with an IP address that is known to send spam. Typically no legitimate mail server will be considered a spam server, so this may indicate illicit activity or an internal infection. |
| RFISI: Phishing Email sent to Internal Mail Server | Notifies when mail is received from a server associated with phishing campaigns. May indicate that insiders are being targeted for attack. |
| BB:HostReference: Mail Servers | No updates. Dependent on another rule and must be included in the extension framework. |
| BB:HostDefinition: Mail Servers | No updates. Dependent on another rule and must be included in the extension framework. |
| BB:PortDefinition: Mail Ports | No updates. Dependent on another rule and must be included in the extension framework. |
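As an added example (not IBM's code and not part of the content extension), the following Python models how the reference sets feed the rules listed above, and why V1.0.1 changed the URL, hostname and hash sets to AlphaNumeric (Ignore Case). The indicators, log lines and internal network ranges are constructed assumptions, and the rule logic is a local approximation of the rule descriptions, not the QRadar rule engine.

```python
import ipaddress
import re

# Constructed sample indicators standing in for the extension's reference sets.
REFERENCE_SETS = {
    "Malware URLs": {"http://dl.bad.example/update.exe"},
    "Botnet C&C IPs": {"203.0.113.10"},
    "Anonymizer IPs": {"198.51.100.7"},
}
IGNORE_CASE = {"Malware URLs"}  # AlphaNumeric (Ignore Case) as of V1.0.1; IP sets match exactly
# Stand-in for the QRadar local network hierarchy (assumed: the RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format

def in_set(name, value, ignore_case=None):
    """Reference-set lookup; ignore_case=False reproduces the pre-V1.0.1 case-sensitive type."""
    members = REFERENCE_SETS[name]
    if ignore_case is None:
        ignore_case = name in IGNORE_CASE
    if ignore_case:
        return value.lower() in {m.lower() for m in members}
    return value in members

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def evaluate(event, ignore_case=None):
    """Names of the RFISI rules (from the rules table) that one parsed event would fire."""
    hits = []
    if not is_internal(event["src"]) or is_internal(event["dst"]):
        return hits  # the rules only consider internal -> external traffic
    if in_set("Botnet C&C IPs", event["dst"]):
        hits.append("RFISI: Internal Connection with Botnet Command and Control")
    if in_set("Anonymizer IPs", event["dst"]):
        hits.append("RFISI: Internal Hosts Communicating with Anonymizer Host")
    if "url" in event and in_set("Malware URLs", event["url"], ignore_case):
        hits.append("RFISI: Internal Communication with a Malware URL")
    return hits

# Constructed sample log lines; the second differs from the indicator only in letter case.
SAMPLE_LOG = """\
src=10.0.0.5 dst=203.0.113.10 url=http://dl.bad.example/update.exe
src=10.0.0.6 dst=192.0.2.20 url=HTTP://DL.BAD.EXAMPLE/update.exe
src=10.0.0.7 dst=198.51.100.7
src=203.0.113.10 dst=10.0.0.5"""

def run(ignore_case=None):
    """Evaluate every sample line; returns one list of rule names per line."""
    return [evaluate(dict(KV.findall(line)), ignore_case) for line in SAMPLE_LOG.splitlines()]
```

Running `run()` fires the malware-URL rule on the upper-case second line, while `run(ignore_case=False)` misses it, which is the gap the V1.0.1 element-type change closes.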

The following table shows the reference data in IBM Security QRadar RFISI Content Extension V1.0.0.

Table 3. Reference Data in IBM Security QRadar RFISI Content Extension V1.0.0

| Type | Name | Description |
| --- | --- | --- |
| Reference Set | Malware Senders | Gets IP addresses of mail hosts known to send malicious emails (such as virus/malware attachments and HTML exploits). If the providers don't distinguish between these and other spam, then all should go to the Spam Senders set. |
| Reference Set | Anonymizer IPs | Gets IP addresses of known anonymizing services, such as VPN providers, Tor exit nodes and other proxies. |
| Reference Set | Botnet C&C IPs | Gets IP addresses known to be C&C servers rather than nodes. Where the provider doesn't distinguish between nodes and C&C, all should go to the Botnet IPs set. |
| Reference Set | Botnet IPs | Gets IP addresses associated with botnet activity. Intended for nodes rather than C&C IP addresses, but if the provider doesn't distinguish between them, then both go in this set. |
| Reference Set | Mail Servers | A list of mail servers in your environment. |
| Reference Set | Malicious URLs | Gets URLs for browser exploits and some other exploit types. |
| Reference Set | Malware Hashes MD5 | Gets MD5 sums of malware files. |
| Reference Set | Malware Hashes SHA | Gets SHA (SHA-1, SHA-256, etc.) sums of malware files. |
| Reference Set | Malware Hostnames | Gets the hosts (or IP addresses) of servers providing malware downloads. Hostnames are better due to virtual hosting. |
| Reference Set | Malware IPs | Meant for IP addresses associated with malware post-exploit communications. |
| Reference Set | Malware URLs | Gets URLs known to be malware downloads. |
| Reference Set | Phishing IPs | Gets IP addresses associated with phishing attempts. |
| Reference Set | Phishing Senders | Gets IP addresses of hosts that are known or suspected of sending phishing attempts. |
| Reference Set | Phishing Subjects | Gets subject lines from email campaigns that are known to be phishing attempts. |
| Reference Set | Phishing URLs | Gets the URLs associated with phishing emails. |
| Reference Set | Rogue Process Names | Gets process names or executable names for known malware, Trojans, and other rogue processes. |
| Reference Set | Spam Senders | Gets IP addresses of known spam servers. If the provider doesn't distinguish between phishing and other spam, then both go in this set. |
| Reference Map of Maps | Malware Senders Data | Holds extended data related to the Malware Senders reference set. |
| Reference Map of Maps | Anonymizer IPs Data | Holds extended data related to the Anonymizer IPs reference set. |
| Reference Map of Maps | Botnet C&C IPs Data | Holds extended data related to the Botnet C&C IPs reference set. |
| Reference Map of Maps | Botnet IPs Data | Holds extended data related to the Botnet IPs reference set. |
| Reference Map of Maps | Malicious URLs Data | Holds extended data related to the Malicious URLs reference set. |
| Reference Map of Maps | Malware Hashes MD5 Data | Holds extended data related to the Malware Hashes MD5 reference set. |
| Reference Map of Maps | Malware Hashes SHA Data | Holds extended data related to the Malware Hashes SHA reference set. |
| Reference Map of Maps | Malware Hostnames Data | Holds extended data related to the Malware Hostnames reference set. |
| Reference Map of Maps | Malware IPs Data | Holds extended data related to the Malware IPs reference set. |
| Reference Map of Maps | Malware URLs Data | Holds extended data related to the Malware URLs reference set. |
| Reference Map of Maps | Phishing IPs Data | Holds extended data related to the Phishing IPs reference set. |
| Reference Map of Maps | Phishing Senders Data | Holds extended data related to the Phishing Senders reference set. |
| Reference Map of Maps | Phishing Subjects Data | Holds extended data related to the Phishing Subjects reference set. |
| Reference Map of Maps | Phishing URLs Data | Holds extended data related to the Phishing URLs reference set. |
| Reference Map of Maps | Rogue Process Names Data | Holds extended data related to the Rogue Process Names reference set. |
| Reference Map of Maps | Spam Senders Data | Holds extended data related to the Spam Senders reference set. |