Threat Monitoring

IBM® QRadar® Threat Monitoring Content Extension adds rule content and building blocks to QRadar that focus on threat events and detection. This extension enhances the base rule set of QRadar for administrators who have new QRadar installations.

This content extension requires the QRadar Threat Intelligence app (https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:ThreatIntelligence).

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

This content extension includes one or more Pulse dashboards. For more information about Pulse dashboards, see QRadar Pulse app.

IBM Security QRadar Threat Monitoring Content Extension

IBM Security QRadar Threat Monitoring Content Extension 2.6.0

The following table shows the rules that are updated in IBM Security QRadar Threat Monitoring Content Extension 2.6.0.

Table 1. Rules updated in IBM Security QRadar Threat Monitoring Content Extension 2.6.0
Type Name Description
Rule New High Priority Target Detected Triggers when a new high priority target is detected.

Updated the New High Risk Targets and High Risk Targets-Pie widgets in the attack surface management Pulse dashboard.

IBM Security QRadar Threat Monitoring Content Extension 2.5.6

The following table shows the rules that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.6.

Table 2. New rules in IBM Security QRadar Threat Monitoring Content Extension 2.5.6
Type Name Description
Building Block BB:DeviceDefinition: Web Servers Defines events that are detected by the local system and were generated by Apache HTTP Server, Microsoft IIS, NGINX HTTP Server, or Amazon AWS Route 53 log sources.
Rule Website Manipulations via SQL Injection Triggers when abnormal behavior such as SQL injection is observed. Forces the detected event to create a new offense, indexed by source IP address.
Rule Microsoft Windows RCE Vulnerability - Suspicious Download Using Certutil Detects activity related to the Remote Code Execution vulnerabilities in Microsoft Exchange Server for which Microsoft issued CVE-2022-41040 and CVE-2022-41082. Forces the detected event to create a new offense, indexed by source IP address.

IBM Security QRadar Threat Monitoring Content Extension 2.5.5

The following table shows the rules that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.5.

Table 3. New rules in IBM Security QRadar Threat Monitoring Content Extension 2.5.5
Type Name Description
Rule Microsoft Windows RCE Vulnerability - File Modification Detects activity related to the Remote Code Execution vulnerabilities in Microsoft Exchange Server for which Microsoft issued CVE-2022-41040 and CVE-2022-41082.
Rule Microsoft Windows RCE Vulnerability - Suspicious Download Using Certutil Detects activity related to the Remote Code Execution vulnerabilities in Microsoft Exchange Server for which Microsoft issued CVE-2022-41040 and CVE-2022-41082.
Rule Microsoft Windows RCE Vulnerability - Suspicious Files Detects activity related to the Remote Code Execution vulnerabilities in Microsoft Exchange Server for which Microsoft issued CVE-2022-41040 and CVE-2022-41082.
Rule Microsoft Windows RCE Vulnerability - Suspicious Hashes Detects known Windows RCE SHA256 hashes.
Rule Microsoft Windows RCE Vulnerability - Suspicious Ips Detects known Windows RCE IP addresses.
Note: Tune the rule based on your log sources to reduce the number of events that match this rule.

The following table shows the custom properties that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.5.

Table 4. New custom properties in IBM Security QRadar Threat Monitoring Content Extension 2.5.5
Name Optimized Description
File Directory Yes Default custom extraction of File Directory from DSM payload.
Filename Yes Default custom extraction of Filename from DSM payload.
Process Commandline Yes Default custom extraction of Process Commandline from DSM payload.
UrlHost Yes Default custom extraction of UrlHost from DSM payload.

The following table shows the reference sets that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.5.

Table 5. New reference sets in IBM Security QRadar Threat Monitoring Content Extension 2.5.5
Name
Windows RCE IPs
Windows RCE SHA256 Hashes

IBM Security QRadar Threat Monitoring Content Extension 2.5.0

The following table shows the rules that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.0.

Table 6. New rules in IBM Security QRadar Threat Monitoring Content Extension 2.5.0
Type Name Description
Building Block BB:DeviceDefinition: Attack Surface Management Defines all attack surface management devices on the system.
Rule New Critical Temptation Target Detected Triggers when a new critical temptation target is detected.
Rule New High Priority Target Detected Triggers when a new high priority target is detected.
Rule New High Temptation Target Detected Triggers when a new high temptation target is detected.
Rule Critical Temptation Target Changed to Lower Temptation Triggers when a critical temptation target has decreased to medium or low temptation.
Rule High Priority Target Changed to Low Priority Triggers when a high priority target decreased in priority value.
Rule High Temptation Target Changed to Lower Temptation Triggers when a high temptation target has decreased to medium or low temptation.

The following table shows the custom properties that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.0.

Table 7. New custom properties in IBM Security QRadar Threat Monitoring Content Extension 2.5.0
Name Description
Priority Default custom extraction of Priority from DSM payload.
Target ID Default custom extraction of Target ID from DSM payload.
Temptation Default custom extraction of Temptation from DSM payload.

The following table shows the reference sets that are new in IBM Security QRadar Threat Monitoring Content Extension 2.5.0.

Table 8. New reference sets in IBM Security QRadar Threat Monitoring Content Extension 2.5.0
Name Description
Critical Temptation Target Maintains list of critical temptation targets.
High Priority Target Maintains list of high priority targets.
High Temptation Target Maintains list of high temptation targets.

A new Pulse Dashboard is added, Attack Surface Management Devices Overview.

IBM Security QRadar Threat Monitoring Content Extension 2.4.1

The following is a list of rules that are now based on Machine ID instead of Source Address.
  • Multiple Threats Detected on Same Host (by Machine Identifier)
  • Same Threat Detected on Same Host (by Machine Identifier)
  • Same Threat Detected on Same Network Different Hosts (by Machine Identifier)
  • Same Threat Detected on Multiple Hosts (by Machine Identifier)
  • Same Threat Detected on Multiple Servers (by Machine Identifier)
  • Multiple Unclean Threats Detected on Same Host (by Machine Identifier)

IBM Security QRadar Threat Monitoring Content Extension 2.4.0

The following table shows the rules that are updated in IBM Security QRadar Threat Monitoring Content Extension 2.4.0.

Table 9. Rules updated in IBM Security QRadar Threat Monitoring Content Extension 2.4.0
Type Name Update
Rule Multiple Unclean Threats Detected on Same Host Rule condition updated.
Rule Multiple Vector Attack Source Rule updated to use BB:CategoryDefinition: Virus Detected instead of BB:CategoryDefinition: Malware Annoyances.
Rule Potential HTTP DoS Flooding Rule condition updated.
Rule SMB Traffic Permitted From a Compromised Host Fixed incorrect reference set link.
Rule Successful Login From a Compromised Host Fixed incorrect reference set link.
Rule Suspicious Web Server Activities Rule condition updated.
The following is a list of building blocks that are removed.
  • BB:CategoryDefinition: Malware Annoyances
  • BB:Policy Violation: Application Policy Violation: NNTP to Internet
  • BB:Policy Violation: IRC IM Policy Violation: IM Communications
  • BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender

IBM Security QRadar Threat Monitoring Content Extension 2.3.1

IBM Security QRadar Threat Monitoring Content Extension 2.3.1 includes a fix for an issue that caused installation to fail on QRadar 7.4.1 and earlier.

IBM Security QRadar Threat Monitoring Content Extension 2.3.0

The following table shows the building blocks that are new in IBM Security QRadar Threat Monitoring Content Extension 2.3.0.

Table 10. Building Blocks in IBM Security QRadar Threat Monitoring Content Extension 2.3.0
Type | Name | Description
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile Host (Flows Reference Sets) | Defines communication with a potential hostile host, categorized by reference sets. The reference sets whose names start with the "XFE ATPF" prefix are managed automatically by the Threat Intelligence app and require a paid subscription. The other reference sets provided by the Threat Intelligence app can be used to include third-party threat intelligence feeds.
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile Host (Flows X-Force Categorization) | Defines communication with a potential hostile host, categorized by X-Force. The confidence factor ranges from 0 to 100.
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile IP Address (Flows Reference Sets) | Defines communication with a potential hostile IP address, categorized by reference sets. The reference sets whose names start with the "XFE ATPF" prefix are managed automatically by the Threat Intelligence app and require a paid subscription. The other reference sets provided by the Threat Intelligence app can be used to include third-party threat intelligence feeds.
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile IP Address (Flows X-Force Categorization) | Defines communication with a potential hostile IP address, categorized by X-Force.

The following list shows the rules and building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 2.3.0.

The confidence factor for the following rules and building blocks is set to 75, which represents a high confidence level.
Note: When tuning these rules, treat 50 as the tipping point. On assets of lower importance, an X-Force rule can be set to trigger at a confidence factor higher than 75.
  • BB:Threats: Suspicious Network Traffic
  • BB:Threats: Suspicious IP Network Traffic
  • BB:Threats: X-Force Premium: Internal Connection to Host Categorized as Cryptocurrency Mining
  • Communication with a Potential Hostile Host (Flows)
  • Communication with a Potential Hostile IP Address (Flows)
  • X-Force: Internal Connection to Host Categorized as Malware
  • X-Force: Internal Host Communicating with Host Categorized as Anonymizer
  • X-Force: Mail Server Sending Mail to Server Categorized as SPAM
  • X-Force: Non-Mail Server Sending Mail to Servers Categorized as SPAM
  • X-Force: Non-Servers Communicating with External IP Classified as Dynamic
  • X-Force: Servers Communicating with External IP Classified as Dynamic
  • X-Force: Successful Inbound connection from a Remote Proxy or Anonymization Service
  • X-Force: Successful Outbound Connection to a Remote Proxy or Anonymization Service

The following list shows the rules and building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 2.3.0.

Table 11. Rules and Building Blocks in IBM Security QRadar Threat Monitoring Content Extension 2.3.0
Type Name Update Details
Building Block DeviceDefinition: DNS Added additional log sources.
Building Block DeviceDefinition: Web Servers Added additional log sources.
Rule Log4Shell Base Pattern in Flows Removed BB:CategoryDefinition Successful Communication
Rule Log4Shell Evasion Pattern in Flows Removed BB:CategoryDefinition Successful Communication

IBM Security QRadar Threat Monitoring Content Extension 2.2.1

The following table shows the rules that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.1.

Table 12. Rules in IBM Security QRadar Threat Monitoring Content Extension 2.2.1
Type Name Description
Rule Multiple Threats Detected on Same Host Triggers when multiple threats are detected on the same host.
Rule Same Threat Detected on Multiple Hosts Triggers when the same threat is detected on multiple hosts that are not servers, which may indicate the presence of malware that is spreading in a network.
Rule Same Threat Detected on Multiple Servers Triggers when the same threat is detected on multiple hosts that are servers, which may indicate the presence of malware that is spreading in a network.
Rule Same Threat Detected on Same Host Triggers when the same threat is detected multiple times on the same host. This rule may indicate that the AV is cleaning a file that is generated by the threat and not the threat itself. The time window should be large enough to cover at least two cycles of checks made by the AV.
Rule Same Threat Detected on Same Network Different Hosts Triggers when the same threat is detected on different hosts in the same segment of a network hierarchy, which may indicate the presence of malware that is spreading in the network.
Rule X-Force: Successful Outbound Connection to a Remote Proxy or Anonymization Service Triggers when communication with a remote proxy or an anonymization service is observed. These services typically hide the originating source IP address.

IBM Security QRadar Threat Monitoring Content Extension 2.2.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.

Table 13. Custom Properties in IBM Security QRadar Threat Monitoring Content Extension 2.2.0
Name Optimized Found in
File Hash Yes
HTTP Content-Type Yes Baseline Maintenance
HTTP GET Request Yes Baseline Maintenance
HTTP Host Yes Baseline Maintenance
HTTP Referer Yes Baseline Maintenance
HTTP Server Yes Baseline Maintenance
HTTP User-Agent Yes Baseline Maintenance

The following table shows the custom functions that are new in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.

Table 14. Custom Functions in IBM Security QRadar Threat Monitoring Content Extension 2.2.0
Name Description
Log4j Detected Detects log4j obfuscation techniques.

The following table shows the rules that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.

Table 15. Rules in IBM Security QRadar Threat Monitoring Content Extension 2.2.0
Type Name Description
Building Block BB:CategoryDefinition: Database Access Denied Identifies database events that are considered denied access.
Building Block BB:CategoryDefinition: Malware Annoyances Defines spyware infection events.
Building Block BB:CategoryDefinition: Virus Detected Defines virus detection events.
Building Block BB:FalseNegative: Events That Indicate Successful Compromise Defines successful compromise events.
Building Block BB:NetworkDefinition: Undefined IP Space Defines areas of your network that do not contain any valid hosts.
Building Block BB:NetworkDefinition: Watch List Addresses Defines networks to be included into a watch list.
Rule Exploit Followed by Suspicious Host Activity Triggers when exploit or attack events are followed by a suspicious activity event, which may indicate a successful attack.
Rule Exploit: Exploits Followed by Firewall Accepts Triggers when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.
Rule Exploit/Malware Events Across Multiple Destinations Triggers when exploit or malware events are seen on multiple destination hosts. This could indicate malicious software or an attacker exploiting vulnerable hosts on the network.
Rule Log4Shell Base Pattern in Flows Triggers when potential Remote Code Execution related to the Log4Shell exploit (CVE-2021-44228) is observed. This could indicate an attacker attempting to bypass detection through techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding, and notations.
Rule Log4Shell Evasion Pattern in Flows Triggers when potential Remote Code Execution related to the Log4Shell exploit (CVE-2021-44228) is observed. This could indicate an attacker attempting to bypass detection through techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding, and notations.
Rule Log4Shell Hash in Events Added File Hash to the rule condition.
Rule Multiple Unclean Threats Detected on Same Host Triggers when multiple threats have been detected on the same host where the antivirus action taken is neither clean nor quarantine.
Note: This rule should be tuned to reflect the acceptable antivirus actions.
Rule Multiple Vector Attack Source Triggers when a source host tries multiple attack vectors. This could indicate the source host is specifically targeting an asset.
Rule Potential DoS Attack via Web Server Response Time Updated rule to match the QID.
Rule Potential Log4Shell Activity Triggers when potential Remote Code Execution related to the Log4Shell exploit (CVE-2021-44228) is observed. This could indicate an attacker attempting to bypass detection through techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding, and notations.
Rule Potential Log4Shell Activity (Flows) Triggers when potential Remote Code Execution related to the Log4Shell exploit (CVE-2021-44228) is observed. This could indicate an attacker attempting to bypass detection through techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding, and notations.
Rule Source Vulnerable to any Exploit Triggers when a local host is attacked where the source has at least one vulnerability. This could indicate the host was targeted in a previous exploit.
Rule Source Vulnerable to this Exploit Triggers when a local host is attacked where the source host is vulnerable to the attack being used. This could indicate the host was targeted in a previous exploit or vulnerability.
Rule Successful Signature Compromise Triggers when a host signature is successfully compromised.
Rule Website Manipulation via SQL Injection Updated the AQL filter.
The following rules and building blocks are removed in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.
  • BB:CategoryDefinition: Any Flow
  • BB:CategoryDefinition: Authentication Success
  • BB:CategoryDefinition: Exploits Backdoors and Trojans
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:CategoryDefinition: Firewall or ACL Denies
  • BB:CategoryDefinition: IRC Detected Based on Application
  • BB:CategoryDefinition: IRC Detected Based on Event Category
  • BB:CategoryDefinition: IRC Detection Based on Firewall Events
  • BB:CategoryDefinition: Mail Policy Violation
  • BB:CategoryDefinition: Post Exploit Account Activity
  • BB:CategoryDefinition: Recon Event Categories
  • BB:CategoryDefinition: Recon Events
  • BB:CategoryDefinition: Recon Flows
  • BB:CategoryDefinition: Successful Communication
  • BB:CategoryDefinition: Suspicious Event Categories
  • BB:CategoryDefinition: Suspicious Events
  • BB:CategoryDefinition: Suspicious Flows
  • BB:CategoryDefinition: Unidirectional Flow
  • BB:CategoryDefinition: Unidirectional Flow DST
  • BB:CategoryDefinition: Unidirectional Flow SRC
  • BB:DeviceDefinition: AV/AM
  • BB:DeviceDefinition: FW / Router / Switch
  • BB:DeviceDefinition: IDS / IPS
  • BB:DeviceDefinition: Proxy
  • BB:Flowshape: Inbound Only
  • BB:Flowshape: Outbound Only
  • BB:HostDefinition: Database Servers
  • BB:HostDefinition: DHCP Servers
  • BB:HostDefinition: DNS Servers
  • BB:HostDefinition: FTP Servers
  • BB:HostDefinition: LDAP Servers
  • BB:HostDefinition: Mail Servers
  • BB:HostDefinition: Network Management Servers
  • BB:HostDefinition: Proxy Servers
  • BB:HostDefinition: RPC Servers
  • BB:HostDefinition: Servers
  • BB:HostDefinition: SNMP Sender or Receiver
  • BB:HostDefinition: SSH Servers
  • BB:HostDefinition: Virus Definition and Other Update Servers
  • BB:HostDefinition: Web Servers
  • BB:HostDefinition: Windows Servers
  • BB:HostReference: Database Servers
  • BB:HostReference: DHCP Servers
  • BB:HostReference: DNS Servers
  • BB:HostReference: FTP Servers
  • BB:HostReference: LDAP Servers
  • BB:HostReference: Mail Servers
  • BB:HostReference: Proxy Servers
  • BB:HostReference: SSH Servers
  • BB:HostReference: Web Servers
  • BB:HostReference: Windows Servers
  • BB:NetworkDefinition: Honeypot like Addresses
  • BB:PortDefinition: Common Worm Ports
  • BB:PortDefinition: Database Ports
  • BB:PortDefinition: DHCP Ports
  • BB:PortDefinition: DNS Ports
  • BB:PortDefinition: FTP Ports
  • BB:PortDefinition: IRC Ports
  • BB:PortDefinition: LDAP Ports
  • BB:PortDefinition: Mail Ports
  • BB:PortDefinition: Proxy Ports
  • BB:PortDefinition: RPC Ports
  • BB:PortDefinition: SNMP Ports
  • BB:PortDefinition: SSH Ports
  • BB:PortDefinition: Web Ports
  • BB:PortDefinition: Windows Ports
  • BB:ProtocolDefinition: Windows Protocols
  • Local: FTP Detected on Non-Standard Port
  • Local: SSH or Telnet Detected on Non-Standard Port
  • Possible Local IRC Server
  • Potential Honeypot Access
  • Remote: FTP Detected on Non-Standard Port
  • Remote: Local P2P Client Connected to more than 100 Servers
  • Remote: Local P2P Client Detected
  • Remote: Local P2P Server Detected
  • Remote: SMTP Mail Sender
  • Remote: SSH or Telnet Detected on Non-Standard Port
  • Remote: Suspicious Amount of IM/Chat Traffic
  • Remote: Usenet Usage

The following table shows the saved searches that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.2.0.

Table 16. Saved Searches in IBM Security QRadar Threat Monitoring Content Extension 2.2.0
Name Description
Potential Log4Shell Detected Searches to detect Log4j activity in events.
Potential Log4Shell Detected (Flows) Searches to detect Log4j activity in flows.

IBM Security QRadar Threat Monitoring Content Extension 2.1.1

Updated the error handling in the HOMOGLYPH::DETECTED custom function that is used in several rules and saved searches.

The following table shows the reference data that is new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.1.

Table 17. Reference Sets in IBM Security QRadar Threat Monitoring Content Extension 2.1.1
Name Description
Malicious URLs Lists identified malicious URLs.
Malware URLs Lists identified malware URLs.
Phishing URLs Lists identified phishing URLs.

IBM Security QRadar Threat Monitoring Content Extension 2.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.

Table 18. Custom Properties in IBM Security QRadar Threat Monitoring Content Extension 2.1.0
Name Optimized Found in
API Path No Amazon AWS
MD5 Hash No Cisco AMP
Parent MD5 Hash No Cisco AMP
Parent SHA1 Hash No Cisco AMP
Parent SHA256 Hash No Cisco AMP
Referrer URL Yes
Request URI No Amazon AWS
SHA1 Hash No Cisco AMP
SHA256 Hash No Cisco AMP
URL Yes
URL Path No Cisco AMP
UrlHost Yes
User Agent No

The following table shows the rules that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.

Table 19. Rules in IBM Security QRadar Threat Monitoring Content Extension 2.1.0
Type | Name | Description
Rule | Log4Shell Base Pattern | Triggers when potential Remote Code Execution related to the Log4Shell exploit (CVE-2021-44228) is observed. This could indicate an attacker attempting to bypass detection through techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding, and notations.
Rule | Log4Shell Evasion Pattern | Triggers when potential Remote Code Execution related to the Log4Shell exploit (CVE-2021-44228) is observed. This could indicate an attacker attempting to bypass detection through techniques such as system environment variables, lower or upper lookups, invalid Unicode characters with upper, system properties, HTML URL encoding, and notations.
Rule | Log4Shell Hash in Events | Triggers when an IOC (file hash) related to the Log4Shell exploit (CVE-2021-44228) is observed in an event. Note: The Log4Shell MD5, Log4Shell SHA1, and Log4Shell SHA256 reference sets are prepopulated. Tune these reference sets with relevant IOCs.
Rule | Log4Shell Hash in Flows | Triggers when an IOC (file hash) related to the Log4Shell exploit (CVE-2021-44228) is observed in a flow. Note: The Log4Shell MD5, Log4Shell SHA1, and Log4Shell SHA256 reference sets are prepopulated. Tune these reference sets with relevant IOCs.

The following table shows the reference data that is new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.

Table 20. Reference Sets in IBM Security QRadar Threat Monitoring Content Extension 2.1.0
Name Description
Log4Shell MD5 This reference set lists MD5 hashes associated with Log4Shell (CVE-2021-44228).
Log4Shell SHA1 This reference set lists SHA1 hashes associated with Log4Shell (CVE-2021-44228).
Log4Shell SHA256 This reference set lists SHA256 hashes associated with Log4Shell (CVE-2021-44228).

The following table shows the saved searches that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.1.0.

Table 21. Saved Searches in IBM Security QRadar Threat Monitoring Content Extension 2.1.0
Name Description
Historical Instances of Log4Shell - Events Searches to detect Log4j activity in events.
Historical Instances of Log4Shell - Flows Searches to detect Log4j activity in flows.
Log4Shell Base Pattern Searches to detect Log4j activity.
Log4Shell Evasion Pattern Searches to detect Log4j activity.

IBM Security QRadar Threat Monitoring Content Extension 2.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.

Table 22. Custom Properties in IBM Security QRadar Threat Monitoring Content Extension 2.0.0
Name Optimized Found in
BytesReceived Yes
BytesSent Yes
Method No
Referrer URL Yes
Response Code No
Server Response Time Yes Apache
URL Query String No

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.

Table 23. Rules and Building Blocks in IBM Security QRadar Threat Monitoring Content Extension 2.0.0
Type Name Description
Building Block BB:DeviceDefinition: Web Servers Defines DNS devices on the system.
Building Block BB:Threats: HTTP Client Status Detects malformed web server client requests.
Building Block BB:Threats: HTTP Server Status Detects malformed web server requests.
Building Block BB:Threats: HTTP Service Unavailable Detects when the web server service is unavailable.
Building Block BB:Threats: Potential DoS Attack Detects potential Denial-of-Service attacks on a web server.
Building Block BB:Threats: Suspicious IP Network Traffic Detects suspicious network traffic on a web server from an IP address categorized by X-Force as malicious.
Building Block BB:Threats: Suspicious Network Traffic Detects suspicious network traffic on a web server from an IP address categorized by X-Force as malicious.
Building Block BB:Threats: Unsafe HTTP Methods Detects unsafe HTTP methods used against the web server.
Rule Communication with a web site known to be delivering code which may be a trojan Updated the rule response.
Rule Potential Continued Risky Web Server Activity Triggers when unsafe HTTP methods are seen continuously. This could be a malicious attacker updating web application contents.
Rule Potential DoS Attack on a Web Server Triggers when a potential Denial-of-Service attack is detected from a single source IP address.
Rule Potential DoS Attack via Web Server Response Time Triggers when a server response time increases exponentially as a result of too much traffic from an IP address. This could indicate abusive users, misbehaving bots, or a potential denial-of-service attack.
Rule Potential HTTP DoS Flooding Triggers when a web server is flooded with HTTP requests. This could indicate a malicious attacker initiating a series of HTTP requests to a web server, flooding it with more requests than it can process.
Rule Potential Malicious Activity Identified by Referrer URL Triggers when a referrer URL attributed to potentially malicious activity is observed.
Rule Potential Website Content Update Triggers when a change or update is made to a web application. This could be a malicious attacker updating the content of a web page causing defacement.
Rule Same Threat Detected on Same Host Updated to include IP addresses.
Rule Suspicious DNS Query Length Updated the rule condition.
Rule Suspicious Network Traffic to Internal Web Server Triggers when an IP address that matches known hostile IP addresses categorized by X-Force scans the same URL multiple times.
Rule Suspicious Web Server Activities Triggers when either a web server client error or server error is detected. This could indicate suspicious activity.
Rule Website Manipulations via SQL Injection Triggers when abnormal behaviour such as SQL Injection is observed.

The following table shows the reference data that is new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.

Table 24. Reference Data in IBM Security QRadar Threat Monitoring Content Extension 2.0.0
Type Name Description
Reference Set Malware URLs This reference set lists identified malware URLs.
Reference Set XFE ATPF-mw_url This reference set lists identified malware URLs.

The following table shows the saved searches that are new or updated in IBM Security QRadar Threat Monitoring Content Extension 2.0.0.

Table 25. Saved Searches in IBM Security QRadar Threat Monitoring Content Extension 2.0.0
Name Description
Response Time By Server This search shows the average request time by server.

IBM Security QRadar Threat Monitoring Content Extension 1.2.1

The following table shows the custom properties in IBM Security QRadar Threat Monitoring Content Extension 1.2.1.

Table 26. Custom Properties in IBM Security QRadar Threat Monitoring Content Extension 1.2.1
Name | Optimized | Capture Group | Regex
Threat Name | Yes | 1 | emailThreats=([^\s]+)
Threat Name | Yes | 1 | EVC_EV_VIRUS_NAME=([^\s]+)
Threat Name | Yes | 1 | malware_signature=([^\t]+)
Threat Name | Yes | 1 | Spyware\/Grayware: ([^\s]+)
Threat Name | Yes | 1 | threatName=([^\s]+)
Threat Name | Yes | 1 | virus_name: "(.*?)"
Threat Name | Yes | 1 | Virus\/Malware: ([^\s]+)
Threat Name | Yes | 1 | VirusName=([^\t]+)

IBM Security QRadar Threat Monitoring Content Extension 1.2.0

The following table shows the custom properties in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.

Table 27. Custom Properties in IBM Security QRadar Threat Monitoring Content Extension 1.2.0
Name | Optimized | Capture Group | Regex
DNS Request Type | No | 1 | cat=([^_]+)
DNS Request Type | No | 1 | Question Type=([^\s]+)
DNS Request Type | No | 2 | query:\s([^\s]+)\s\w+\s(\w+)
Subtype | No | 1 | Send/Receive indicator=([^\s]+)
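The following script is an added illustration of how the Capture Group column in Tables 26 and 27 pairs with each regex; it is example code written for this page, not part of the content extension or IBM's own extraction engine. It applies the listed patterns with Python's `re` module (the assumption being that these patterns behave the same way in QRadar's Java-based extraction for the inputs shown) to constructed sample payloads, so you can see which pattern fires for which log source and how a `[^\t]+` capture runs past spaces until the next tab. The payloads are constructed samples, not real device output.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Regexes for the "Threat Name" custom property, copied from Table 26 above.
# Every pattern uses capture group 1.
THREAT_NAME_PATTERNS: Tuple[Tuple[str, int], ...] = (
    (r"emailThreats=([^\s]+)", 1),
    (r"EVC_EV_VIRUS_NAME=([^\s]+)", 1),
    (r"malware_signature=([^\t]+)", 1),
    (r"Spyware\/Grayware: ([^\s]+)", 1),
    (r"threatName=([^\s]+)", 1),
    (r'virus_name: "(.*?)"', 1),
    (r"Virus\/Malware: ([^\s]+)", 1),
    (r"VirusName=([^\t]+)", 1),
)

# Regexes for "DNS Request Type", copied from Table 27 above. The BIND-style
# pattern uses capture group 2, which is why the table carries that column.
DNS_REQUEST_TYPE_PATTERNS: Tuple[Tuple[str, int], ...] = (
    (r"cat=([^_]+)", 1),
    (r"Question Type=([^\s]+)", 1),
    (r"query:\s([^\s]+)\s\w+\s(\w+)", 2),
)


def extract_property(payload: str, patterns: Iterable[Tuple[str, int]]) -> Optional[str]:
    """Return the configured capture group of the first pattern that matches.

    Patterns are tried in order against the raw payload and the first hit
    supplies the value; None means the property stays empty for that event.
    """
    for pattern, group in patterns:
        match = re.search(pattern, payload)
        if match:
            return match.group(group)
    return None


def extract_all(payloads: Dict[str, str], patterns: Iterable[Tuple[str, int]]) -> Dict[str, Optional[str]]:
    """Apply one property definition to many payloads; useful when tuning a regex list."""
    return {name: extract_property(text, patterns) for name, text in payloads.items()}


# Constructed sample payloads (not real device output), one per pattern family.
# Note the tab-delimited ones: "[^\t]+" keeps capturing through spaces.
SAMPLE_PAYLOADS: Dict[str, str] = {
    "cef_av": 'CEF:0|Vendor|AV|1.0|100|Virus found|5|src=10.0.0.5 virus_name: "EICAR-Test-File" act=cleaned',
    "tab_delimited": "Jan 10 12:00:00 av01 malware_signature=Trojan.Generic variant 12\tseverity=high",
    "grayware": "Spyware/Grayware: ADW_TEST Status: Quarantined",
    "virusname": "VirusName=Worm.Win32.Test\tFile=C:\\temp\\sample.exe",
    "no_threat": "Jan 10 12:00:01 av01 scheduled scan completed, no threats found",
    "dns_cat": "cat=AAAA_query src=10.0.0.7 dst=10.0.0.53",
    "dns_question": "Question Type=MX Question Name=example.com",
    "dns_bind": "client 10.0.0.7#5353: query: example.com IN TXT + (10.0.0.53)",
}


if __name__ == "__main__":
    for name, value in extract_all(SAMPLE_PAYLOADS, THREAT_NAME_PATTERNS).items():
        print(f"Threat Name       {name:<14} -> {value!r}")
    for name, value in extract_all(SAMPLE_PAYLOADS, DNS_REQUEST_TYPE_PATTERNS).items():
        print(f"DNS Request Type  {name:<14} -> {value!r}")
```

Running the script against your own sample payloads before enabling a property is the cheapest way to confirm that the pattern order and capture group produce the field a rule such as "Same Threat Detected on Same Host" will later compare.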

The following table shows the custom properties used in IBM Security QRadar Threat Monitoring Content Extension 1.2.0 that are found in other content extensions.

Table 28. Custom Properties used in IBM Security QRadar Threat Monitoring Content Extension 1.2.0
Custom Property Optimized Found In
Error Code Yes
Process Name Yes
UrlHost Yes

The following table shows the rules and building blocks in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.

Table 29. Rules and Building Blocks in IBM Security QRadar Threat Monitoring Content Extension 1.2.0
Type Name Description
Building Block BB:DeviceDefinition: DNS Defines DNS devices on the system.
Rule Communication with a Potential Hostile Host (Flows) Triggers when flow content includes a host that matches a known hostile host categorized by X-Force or listed in the reference set collection.
Note: The Malicious URLs, Malware URLs, and Phishing URLs reference sets must be populated. The Threat Intelligence app can be used to import threat intelligence feeds into these reference sets.
Rule Communication with a Potential Hostile IP Address (Flows) Triggers when flow content includes an IP address that matches a known hostile IP address categorized by X-Force or listed in the reference set collection.

Note: The Malware IPs, Botnet IPs, Botnet C&C IPs, Phishing IPs, and Anonymizer IPs reference sets must be populated. The Threat Intelligence app can be used to import threat intelligence feeds into these reference sets.

Rule Excessive Denied SMB Traffic from a Compromised Host Triggers when an excessive number of SMB connection attempts is made from a host categorized as compromised.
Rule Potential Homoglyph Usage Triggers when a domain name contains one or more homoglyph characters, which can make a domain appear identical to a trusted domain while redirecting to a malicious host.

The custom function HOMOGLYPH::DETECTED, which is pre-filled with 1792 entries of homoglyph characters, accepts a string and returns true if the string contains a homoglyph character.

Note: To view the events that would trigger this rule, use the Potential Homoglyph Usage search. Tune the rule with valid characters before enabling the rule and offense creation.
Rule Potential Homoglyph Usage (Flows) Triggers when a domain name contains one or more homoglyph characters, which can make a domain appear identical to a trusted domain while redirecting to a malicious host.

The custom function HOMOGLYPH::DETECTED, which is pre-filled with 1792 entries of homoglyph characters, accepts a string and returns true if the string contains a homoglyph character.

Note: To view the flows that would trigger this rule, use the Potential Homoglyph Usage (Flows) search. Tune the rule with valid characters before enabling the rule and offense creation.
Rule SMB Traffic Permitted from a Compromised Host Triggers when SMB traffic has been allowed from a host categorized as compromised.
Rule Successful Login From a Compromised Host Triggers when a successful authentication is performed on a host that has been categorized as compromised.
Rule Suspicious DNS Query Length Triggers when a DNS query is abnormally long, which could indicate DGA or onion domains.
Rule Suspicious program initiating DNS Query (Windows) Triggers when a program that is not referenced as legitimate initiates a DNS query.
Note: The DNS Application Whitelist reference set must be populated with the applications that are allowed to generate DNS queries.
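The following Python example is added here and is not QRadar code; it shows what the two Potential Homoglyph Usage rules and HOMOGLYPH::DETECTED check for. It uses a small constructed homoglyph table in place of the function's 1792 entries, decodes punycode labels as DNS logs carry them, takes an allowed-characters set for the tuning the notes describe, and goes beyond the plain table lookup with a mixed-script heuristic and a skeleton comparison against a constructed trusted-domain list.

```python
import unicodedata

# Constructed subset of homoglyph characters and the ASCII characters they imitate.
# Illustrative only; the HOMOGLYPH::DETECTED function in the extension ships 1792 entries.
HOMOGLYPHS = {
    "\u0430": "a",  # Cyrillic small letter a
    "\u0435": "e",  # Cyrillic small letter ie
    "\u043e": "o",  # Cyrillic small letter o
    "\u0440": "p",  # Cyrillic small letter er
    "\u0441": "c",  # Cyrillic small letter es
    "\u0445": "x",  # Cyrillic small letter ha
    "\u0455": "s",  # Cyrillic small letter dze
    "\u0456": "i",  # Cyrillic small letter byelorussian-ukrainian i
    "\u04cf": "l",  # Cyrillic small letter palochka
    "\u03b1": "a",  # Greek small letter alpha
    "\u03bf": "o",  # Greek small letter omicron
    "\u0131": "i",  # Latin small letter dotless i
}

# Constructed trusted-domain list that the skeleton comparison is run against.
TRUSTED_DOMAINS = frozenset({"apple.com", "paypal.com", "example.com"})


def decode_label(label):
    """Return the Unicode form of a DNS label. Punycode A-labels (xn--...) are decoded,
    because DNS query logs carry that form rather than the visible Unicode characters."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: inspect it as-is
    return label


def unicode_labels(domain):
    return [decode_label(label) for label in domain.split(".")]


def contains_homoglyph(domain, allowed=frozenset()):
    """String in, boolean out, like HOMOGLYPH::DETECTED: True if any label contains a
    character from the homoglyph table. 'allowed' holds characters that are legitimate
    in this environment (the tuning the rule notes ask for) and are therefore ignored."""
    return any(
        ch in HOMOGLYPHS and ch not in allowed
        for label in unicode_labels(domain)
        for ch in label
    )


def skeleton(domain):
    """Fold every homoglyph to the ASCII character it imitates, so an analyst can see
    which name the domain was made to resemble."""
    return ".".join(
        "".join(HOMOGLYPHS.get(ch, ch) for ch in label) for label in unicode_labels(domain)
    )


def imitated_trusted_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this name imitates, or None. A domain that simply is a
    trusted name, with no homoglyphs, is not a spoof."""
    folded = skeleton(domain)
    if folded in trusted and folded != domain:
        return folded
    return None


def label_scripts(label):
    """Approximate the Unicode scripts of a label's letters from the first word of their
    character names (LATIN, CYRILLIC, GREEK, ...); unicodedata has no script property."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def mixed_script(domain):
    """Table-free heuristic: a label mixing scripts, e.g. Latin with one Cyrillic letter.
    It misses whole-script confusables such as an all-Cyrillic 'apple', which is why a
    homoglyph table is still needed."""
    return any(len(label_scripts(label)) > 1 for label in unicode_labels(domain))


# Constructed sample query names, as they might appear in DNS logs.
SPOOFED_WHOLE_SCRIPT = "xn--" + "\u0430\u0440\u0440\u04cf\u0435".encode("punycode").decode("ascii") + ".com"
SPOOFED_MIXED = "p\u0430ypal.com"  # Latin 'paypal' with a Cyrillic a
LEGITIMATE = "www.example.com"

if __name__ == "__main__":
    for name in (SPOOFED_WHOLE_SCRIPT, SPOOFED_MIXED, LEGITIMATE):
        print(name, contains_homoglyph(name), mixed_script(name), imitated_trusted_domain(name))
```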

The severity, credibility, relevance, and response limiter are updated in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.

The following table shows the rules that are renamed in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.

Table 30. Rules renamed in IBM Security QRadar Threat Monitoring Content Extension 1.2.0
Old Name New Name
Local: Hidden FTP Server Local: FTP Detected on Non-Standard Port
Remote: IM/Chat Remote: Suspicious Amount of IM/Chat Traffic
X-Force Premium: Internal Connection to Host Categorized as Malware X-Force: Internal Connection to Host Categorized as Malware
X-Force Premium: Internal Host Communicating with Botnet Command and Control URL X-Force: Internal Host Communicating with Botnet Command and Control URL
X-Force Premium: Internal Host Communication with Malware URL X-Force: Internal Host Communication with Malware URL
X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers X-Force: Internal Host Communicating with Host Categorized as Anonymizer
X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM X-Force: Mail Server Sending Mail to Server Categorized as SPAM
X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM X-Force: Non-Mail Server Sending Mail to Servers Categorized as SPAM
X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic X-Force: Non-Servers Communicating with External IP Classified as Dynamic
X-Force Premium: Servers Communicating with External IP Classified as Dynamic X-Force: Servers Communicating with External IP Classified as Dynamic

The following rules were updated in IBM Security QRadar Threat Monitoring Content Extension 1.2.0 to use Source Address instead of Source IP:

  • Failed Communication to a Malicious Website
  • Multiple Threats Detected on Same Host
  • Same Threat Detected on Multiple Hosts
  • Same Threat Detected on Multiple Servers
  • Same Threat Detected on Same Host
  • Same Threat Detected on Same Network Different Hosts

The following rules were updated in IBM Security QRadar Threat Monitoring Content Extension 1.2.0 to use Destination Address instead of Destination IP:

  • Excessive Denied SMB Traffic From a Compromised Host
  • SMB Traffic Permitted From a Compromised Host
  • Successful Login From a Compromised Host

The following table shows the reference sets in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.

Table 31. Reference Sets in IBM Security QRadar Threat Monitoring Content Extension 1.2.0
Type Name Description
Reference Data pulse_imports Part of the Pulse dashboard.
Reference Set Anonymizer IPs This reference set lists identified anonymizer IP addresses.
Reference Set Botnet C&C IPs This reference set lists identified botnet command and control server IP addresses.
Reference Set Botnet IPs This reference set lists identified botnet IP addresses.
Reference Set Compromised Hosts This reference set lists identified compromised hosts.
Reference Set DNS Application Allowlist This reference set lists the allowed DNS applications.
Reference Set Malicious URLs This reference set lists identified malicious URLs.
Reference Set Malicious Web Categories This reference set lists identified malicious web categories.
Reference Set Malware IPs This reference set lists identified malware IP addresses.
Reference Set Malware URLs This reference set lists identified malware URLs.
Reference Set Phishing IPs This reference set lists identified phishing IP addresses.
Reference Set Phishing URLs This reference set lists identified phishing URLs.

The following table shows the saved searches in IBM Security QRadar Threat Monitoring Content Extension 1.2.0.

Table 32. Saved Searches in IBM Security QRadar Threat Monitoring Content Extension 1.2.0
Name Description
Potential Homoglyph Usage Detects usage of homoglyph characters.
Potential Homoglyph Usage (Flows) Detects usage of homoglyph characters in flows.

IBM Security QRadar Threat Monitoring Content Extension 1.1.0

The following table shows the custom properties that are included in IBM Security QRadar Threat Monitoring Content Extension 1.1.0.

Note: The custom properties that are included in this content extension are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

The following table shows the rules and building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.1.0.

Table 34. Rules and Building Blocks in IBM Security QRadar Threat Monitoring Content Extension 1.1.0
Type Name Description
Building Block BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination Identifies flows that have an illegal TCP flag combination.
Building Block BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code Identifies ICMP flows with suspicious Internet Control Message Protocol (ICMP) type codes.
Building Block BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 Identifies suspicious flows that use port 0.
Building Block BB:HostDefinition:Proxy Servers Edit this building block to define typical proxy servers. Used with the BB:False Positive: Proxy Server False Positives Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks.
Building Block BB:CategoryDefinition: Firewall or ACL Accept Event for a FW/Router/Switch Device Defines firewall or ACL Accept events from firewall, router, and switch devices.
Building Block BB:DeviceDefinition: AV/AM Defines all anti-virus (AV) and anti-malware (AM) on the system.
Building Block BB:DeviceDefinition: Proxy Defines all proxy sources on the system.
Building Block BB:DeviceDefinition: FW / Router / Switch Defines all firewalls, routers, and switches on the system.
Building Block BB:CategoryDefinition: Worm Events Edit this building block to define worm events.

This building block only applies to events that are not detected by a custom rule.

Building Block BB:CategoryDefinition: Unidirectional Flow SRC
Building Block BB:Flowshape: Outbound Only Matches flows that are outbound only.
Building Block BB:CategoryDefinition: Recon Event Categories Edit this building block to include all events that indicate reconnaissance activity.
Building Block BB:CategoryDefinition: Suspicious Event Categories Edit this building block to include all events that indicate suspicious activity.
Building Block BB:Threats: Scanning: ICMP Scan Low Identifies a low level of ICMP reconnaissance.
Building Block BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows Identifies bidirectional traffic that doesn't include payload.
Building Block BB:Threats: Scanning: Scan High Identifies a high level of potential reconnaissance.
Building Block BB:CategoryDefinition: Unidirectional Flow
Building Block BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replies Identifies traffic where ICMP replies are seen with no request.
Building Block BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows Identifies unidirectional ICMP flows.
Building Block BB:Flowshape: Inbound Only Matches flows that are inbound only.
Building Block BB:CategoryDefinition: Recon Flows Edit this building block to include all events that indicate suspicious activity.
Building Block BB:Threats: Port Scans: UDP Port Scan Identifies UDP based port scans.
Building Block BB:Threats: Scanning: ICMP Scan Medium Identifies a medium level of ICMP reconnaissance.
Building Block BB:Threats: Scanning: Empty Responsive Flows Low Detects potential reconnaissance activity where the source packet count is greater than 500.
Building Block BB:CategoryDefinition: Suspicious Flows Edit this building block to include all events that indicate suspicious activity.
Building Block BB:CategoryDefinition: Suspicious Events Edit this building block to include all events that indicate suspicious activity.
Building Block BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow Identifies flows that have been active for more than 48 hours.
Building Block BB:Threats: Scanning: Empty Responsive Flows Medium Detects potential reconnaissance activity where the source packet count is greater than 5,000.
Building Block BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets Identifies flows with abnormally large ICMP packets.
Building Block BB:Threats: Scanning: ICMP Scan High Identifies a high level of ICMP reconnaissance.
Building Block BB:Threats: Port Scans: Host Scans Identifies potential reconnaissance by flows.
Building Block BB:Threats: Scanning: Scan Medium Identifies a medium level of potential reconnaissance.
Building Block BB:Threats: Scanning: Scan Low Identifies a low level of potential reconnaissance.
Building Block BB:CategoryDefinition: Recon Events Edit this building block to include all events that indicate reconnaissance activity.
Building Block BB:Threats: Scanning: Potential Scan Identifies potential reconnaissance by flows.
Building Block BB:CategoryDefinition: Unidirectional Flow DST
Building Block BB:Threats: Suspicious IP Protocol Usage: Unidirectional TCP Flows Identifies unidirectional TCP flows.
Building Block BB:CategoryDefinition: Mail Policy Violation Edit this building block to include anything you consider to be a mail based policy violation. For example, outbound traffic on port 25 not originating from a mail server.
Building Block BB:Threats: Scanning: Empty Responsive Flows High Detects potential reconnaissance activity where the source packet count is greater than 100,000.
Building Block BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets Identifies flows with abnormally large DNS packets.
Building Block BB:Threats: Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows Identifies unidirectional UDP and other miscellaneous flows.
Rule Remote Proxy or Anonymization Service (Inbound)
  • New rule condition: "and when Source or Destination IP is categorized by X-Force® as Anonymization Services with confidence value greater than 75"
  • Rule conditions reordered.
Rule Remote Proxy or Anonymization Service (Outbound)
  • New rule condition: "and when Source or Destination IP is categorized by X-Force as Anonymization Services with confidence value greater than 75"
  • Rule conditions reordered.
Rule WormDetection: Successful Connections to the Internet on Common Worm Ports Updated a rule test to remove two building blocks and use a new one to validate against successful connections only:

and when any of these BB:CategoryDefinition: Successful Communication, BB:CategoryDefinition: Firewall or ACL Accept Event for a FW/Router/Switch Device with the same source IP more than 300 times, across more than 300 destination IP within 20 minutes

Rule Successful Inbound Connection from a Known Botnet CandC Rule conditions updated to filter events/flows correctly.
Rule Communication with a web site that has been involved in previous SQL injection Rule renamed (used to be "site" rather than "web site").
Rule Communication with a web site that is listed on a known blacklist or uses fast flux Rule renamed (used to be "site" rather than "web site").
Rule Chained Exploit Followed by Suspicious Events on Third Host Reports an exploit or attack type activity from the same source IP followed by suspicious account activity from the same destination IP as the original event within 15 minutes, if the source IP is not equal to the destination IP.

This rule is disabled by default because it is intended as an alternative to the Chained Exploit Followed by Suspicious Events rule that ignores events with the same source and destination IP.

Rule Multiple Threats Detected on Same Host Indicates that multiple threats are detected on the same host.
Rule Same Threat Detected on Multiple Hosts Indicates that the same threat is detected on multiple hosts that are not servers.
Rule Same Threat Detected on Multiple Servers Indicates that the same threat is detected on multiple hosts that are servers.
Rule Same Threat Detected on Same Host Indicates that the same threat is detected on the same host. This might indicate that the AV is cleaning a file that is generated by the threat and not the threat itself. The time window should be large enough to cover at least two cycles of checks made by the AV.
Rule Same Threat Detected on Same Network Different Hosts Indicates that the same threat is detected on different hosts in the same network hierarchy.
Rule Failed Communication to a Malicious Website Alerts when a failed communication to a malicious website is made.
Rule Successful Communication to a Malicious Website Alerts when a successful communication to a malicious website is made.

The following table shows the reference data that is updated in IBM Security QRadar Threat Monitoring Content Extension 1.1.0.

Table 35. Reference Data in IBM Security QRadar Threat Monitoring Content Extension 1.1.0
Type Name Description
Reference Set Malicious Web Categories Defines malicious web categories.

It is prepopulated with seven malicious web categories.

IBM Security QRadar Threat Monitoring Content Extension 1.0.3

The following table shows the rules that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.0.3.

Table 36. Rules in IBM Security QRadar Threat Monitoring Content Extension 1.0.3
Type Name Change description
Rule Successful Inbound Connection from a Known Botnet Command and Control Updated a rule test to change an 'any' value to 'all'. Administrators who modified this rule need to review their rule tests to confirm that the 'all' value is set:

and when a flow or an event matches all of the following BB:CategoryDefinition: Firewall or ACL Accept, BB:CategoryDefinition: Successful Communication, BB:DeviceDefinition: FW / Router / Switch

IBM Security QRadar Threat Monitoring Content Extension 1.0.2

The following table shows the building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.0.2.

Table 37. Building Blocks in IBM Security QRadar Threat Monitoring Content Extension 1.0.2
Type Name Change description
Building Block BB:Suspicious: Remote: Unidirectional UDP or Misc Flows Updated the last rule test of the remote flows BB to use one of the following tests:

and when BB:Threats:Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows match at least 15 times in 1 minutes

Building Block BB:Suspicious: Local: Unidirectional UDP or Misc Flows Updated the last rule test of the local flows BB to use one of the following tests:

and when BB:Threats:Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows match at least 15 times in 1 minutes.

IBM Security QRadar Threat Monitoring Content Extension 1.0.1

The following table shows the building blocks that are updated in IBM Security QRadar Threat Monitoring Content Extension 1.0.1.

Table 38. Rules and Building Blocks in IBM Security QRadar Threat Monitoring Content Extension 1.0.1
Type Name Change description
Rule Botnet: Potential Botnet Connection (DNS) Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule WormDetection: Successful Connections to the internet on Common Worm Ports Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule Botnet: Successful Inbound Connection from a Known Botnet Command and Control Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.
Building Block BB:DeviceDefinition: FW / Router / Switch No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Pre DMZ Jump No updates. Dependent on another rule and must be included in the extension framework.
Building Block BB:CategoryDefinition: Post DMZ Jump No updates. Dependent on another rule and must be included in the extension framework.

IBM Security QRadar Threat Monitoring Content Extension 1.0.0

The Threat Theme extension adds 2 custom event properties for identifying URLs, 10 reference sets, 58 threat-related rules, and 56 building blocks for a total of 126 content add-ons for QRadar. This extension / content pack is required for any administrators with X-Force Premium IP Reputation Feeds enabled on their IBM QRadar SIEM appliances. The installation of this content adds required X-Force rules that work with the reputation feeds from the IBM X-Force Exchange.

Custom event properties added by the threat extension

Name Regex
URL \(URL=(.*?)\)
URL (?:cs-uri=| )(?:http|ftp|tcp|https):\/\/(.+?)\s
Reference sets that are added by the threat extension
Name Type
DNS Servers Reference set
Database Servers Reference set
DHCP Servers Reference set
FTP Servers Reference set
LDAP Servers Reference set
Mail Servers Reference set
Proxy Servers Reference set
SSH Servers Reference set
Web Servers Reference set
Windows Servers Reference set
Rules added by the threat extension
Name Category
X-Force Premium: Internal Host Communication with Malware URL Threats (X-Force)
X-Force Premium: Internal Connection to Host Categorized as Malware Threats (X-Force)
X-Force Premium: Internal Host Communicating with Botnet Command and Control URL Threats (X-Force)
X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers Threats (X-Force)
X-Force Premium: Servers Communicating with External IP Classified as Dynamic Threats (X-Force)
X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic Threats (X-Force)
X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM Threats (X-Force)
X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM Threats (X-Force)
Local Mass Mailing Host Detected Post-Intrusion Activity
Remote: Client Based DNS Activity to the Internet Post-Intrusion Activity
Possible Local Worm Detected Post-Intrusion Activity
Local: Hidden FTP Server Post-Intrusion Activity
Local: SSH or Telnet Detected on Non-Standard Port Post-Intrusion Activity
Successful Connections to the Internet on Common Worm Ports Post-Intrusion Activity
Worm Detected (Events) Post-Intrusion Activity
Local Host Sending Malware Malware
Remote: IRC Connections Compliance
Remote: IM/Chat Compliance
Remote: Local P2P Server Detected Compliance
Remote: Usenet Usage Compliance
Remote: SSH or Telnet Detected on Non-Standard Port Compliance
Remote: Local P2P Client Detected Compliance
Remote: Local P2P Client Connected to more than 100 Servers Compliance
Remote: Local P2P Server connected to more than 100 Clients Compliance
Remote: Hidden FTP Server Compliance
Communication with a website known to be involved in botnet activity Threats
Local: Hidden FTP Server Threats
Local: SSH or Telnet Detected on Non-Standard Port Threats
Remote: Local P2P Client Detected Threats
Connection to a Remote Proxy or Anonymization Service (Outbound) Threats
Communication with a website known to be associated with the Russian business network Threats
Communication with a website known to aid in distribution of malware Threats
Potential Botnet Connection (DNS) Threats
Remote: IM/Chat Threats
Potential Botnet Events Become Offenses Threats
Remote: Hidden FTP Server Threats
Potential Honeypot Access Threats
Successful Inbound Connection from a Known Botnet CandC Threats
Remote: Local P2P Server Detected Threats
Remote: Local P2P Server connected to more than 100 Clients Threats
Remote: SMTP Mail Sender Threats
Remote: SSH or Telnet Detected on Non-Standard Port Threats
Communication with a site that has been involved in previous SQL injection Threats
Potential Connection to a Known Botnet CandC Threats
Local host on Botnet CandC List (SRC) Threats
Local host on Botnet CandC List (DST) Threats
Communication with a website known to be delivering code which may be a trojan Threats
Communication with a website known to be a phishing or fraud site Threats
Communication with a site that is listed on a known blacklist or uses fast flux Threats
Connection to a Remote Proxy or Anonymization Service (Inbound) Threats
Remote: Local P2P Client Connected to more than 100 Servers Threats
Remote: IRC Connections Botnet
Potential Botnet Connection (DNS) Botnet
Potential Botnet Events Become Offenses Botnet
Successful Inbound Connection from a Known Botnet CandC Botnet
Potential Connection to a Known Botnet CandC Botnet
Local host on Botnet CandC List (SRC) Botnet
Local host on Botnet CandC List (DST) Botnet
Building blocks added by the threat extension
Name Category
BB:ProtocolDefinition: Windows Protocols Port\Protocol Definition
BB:PortDefinition: Database Ports Port\Protocol Definition
BB:PortDefinition: FTP Ports Port\Protocol Definition
BB:PortDefinition: IRC Ports Port\Protocol Definition
BB:PortDefinition: Windows Ports Port\Protocol Definition
BB:PortDefinition: SNMP Ports Port\Protocol Definition
BB:PortDefinition: RPC Ports Port\Protocol Definition
BB:PortDefinition: Syslog Ports Port\Protocol Definition
BB:PortDefinition: SSH Ports Port\Protocol Definition
BB:PortDefinition: LDAP Ports Port\Protocol Definition
BB:PortDefinition: Mail Ports Port\Protocol Definition
BB:PortDefinition: DNS Ports Port\Protocol Definition
BB:PortDefinition: DHCP Ports Port\Protocol Definition
BB:PortDefinition: Web Ports Port\Protocol Definition
BB:PortDefinition: Common Worm Ports Port\Protocol Definition
BB:HostReference: LDAP Servers Host Definitions
BB:HostDefinition: Virus Definition and Other Update Servers Host Definitions
BB:HostDefinition: FTP Servers Host Definitions
BB:HostDefinition: DMZ Assets Host Definitions
BB:HostReference: Web Servers Host Definitions
BB:HostDefinition: Windows Servers Host Definitions
BB:HostDefinition: Servers Host Definitions
BB:HostReference: FTP Servers Host Definitions
BB:HostDefinition: SSH Servers Host Definitions
BB:HostDefinition: Database Servers Host Definitions
BB:HostDefinition: LDAP Servers Host Definitions
BB:HostDefinition: Web Servers Host Definitions
BB:HostDefinition: Syslog Servers and Senders Host Definitions
BB:HostDefinition: Mail Servers Host Definitions
BB:HostDefinition: DNS Servers Host Definitions
BB:HostReference: Windows Servers Host Definitions
BB:HostDefinition: VoIP PBX Server Host Definitions
BB:HostReference: DNS Servers Host Definitions
BB:HostReference: Database Servers Host Definitions
BB:HostDefinition: RPC Servers Host Definitions
BB:HostReference: SSH Servers Host Definitions
BB:HostReference: Mail Servers Host Definitions
BB:HostDefinition: Network Management Servers Host Definitions
BB:HostDefinition: DHCP Servers Host Definitions
BB:HostDefinition: Proxy Servers Host Definitions
BB:HostReference: Proxy Servers Host Definitions
BB:HostDefinition: SNMP Sender or Receiver Host Definitions
BB:HostReference: DHCP Servers Host Definitions
BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet Policy
BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender Policy
BB:Policy Violation: IRC IM Policy Violation: IM Communications Policy
BB:Policy Violation: Application Policy Violation: NNTP to Internet Policy
BB:CategoryDefinition: IRC Detection based on Firewall Events Category Definitions
BB:CategoryDefinition: Firewall or ACL Accept Category Definitions
BB:CategoryDefinition: Any Flow Category Definitions
BB:CategoryDefinition: Successful Communication Category Definitions
BB:CategoryDefinition: IRC Detected based on Event Category Category Definitions
BB:CategoryDefinition: IRC Detected based on Application Category Definitions
BB:CategoryDefinition: Firewall or ACL Denies Category Definitions
BB:Suspicious: Remote: Unidirectional UDP or Misc Flows Category Definitions
BB:Suspicious: Local: Unidirectional UDP or Misc Flows Category Definitions
BB:NetworkDefinition: Honeypot like Addresses Network Definition
BB:Threats: DoS: Potential Multihost Attack Threats