Suspect content descriptions derived from X-Force
The IBM X-Force signature library includes descriptions for thousands of signatures.
At the enriched and advanced inspection level, QRadar Network Insights can detect suspicious content by using the X-Force signature library.
- If the name of the detected issue ID is known, the suspect content description appears in the XForceIssue <Name> format. For example, a named issue might appear as XForceIssue Land_Attack.
- If the name cannot be resolved for the detected issue, the issue ID appears in the suspect content description. For example, if the name cannot be identified, the issue might appear as XForceIssueID 2000001.
To learn more about the suspicious content, some fields on the Flow information window include direct links to view more information in X-Force Exchange.
Signature policies
Only signatures that are associated with a single connection are reported by QRadar Network Insights.
To view a complete list of issues that are supported for the current deployment, view the /opt/ibm/xforce/metadata/issues.csv file on the QRadar Network Insights appliance. Attack signatures are identified in the Is Attack column. By default, all attack signatures are reported. For audit-only signatures, as indicated in the Is Audit column, reporting is deactivated by default.
New in 7.5.0 Update Package 5
You can modify PAM configuration settings to change the way that the IBM X-Force Signatures are reported.
For more information about how to apply the following configuration snippets to PAM, see Configuring the Protocol Analysis Module.
If no explicit policy is adopted, you can use the following configuration snippets to change the way that QRadar Network Insights reports on attacks and audits.
- Report on attacks (default value: Activated). To deactivate this setting, apply this snippet:
  <Pam reportAttacks="false"> </Pam>
- Report on audits (default value: Deactivated). To activate this setting, apply this snippet:
  <Pam reportAudits="true"> </Pam>
Alternatively, you can select a preconfigured policy. Preconfigured policies take precedence over individual attack and audit settings.
- Moderate: Enables most attack events. Provides a good level of security detection with minimal chance of false alarms.
  <Pam policy="moderate"> </Pam>
- Aggressive: Enables a high percentage of attack events. Provides a high level of security detection with a chance of false alarms.
  <Pam policy="aggressive"> </Pam>
- Paranoid: Enables almost all attack events. Provides a very high level of security detection with a significant chance of false alarms.
  <Pam policy="paranoid"> </Pam>
To determine which signatures are enabled in a specific policy, see the /opt/ibm/xforce/metadata/<policy>_issue_responses.csv file on your QRadar system.
Regardless of the presence or absence of an overall policy setting, you can use the following configuration snippets to change the settings for individual signatures.
- Deactivated: Use this snippet and replace 2101118 with the signature ID that you want to deactivate.
  <Pam> <TuningParameters> <pam.report.2101118 value="0" /> </TuningParameters> </Pam>
- Activated: Use this snippet and replace 2101118 with the signature ID that you want to activate.
  <Pam> <TuningParameters> <pam.report.2101118 value="1" /> </TuningParameters> </Pam>
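As an added example, not part of the IBM documentation, the following Python helper assembles a <Pam> snippet from a policy choice plus per-signature overrides, checking each ID against an issues.csv-style list first so that a mistyped signature ID is rejected rather than silently ignored. The sample CSV is constructed; only the Is Attack and Is Audit column names come from the documentation, and the Issue ID and Name columns and the true/false values are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample shaped like /opt/ibm/xforce/metadata/issues.csv. Only the
# "Is Attack" and "Is Audit" column names come from the documentation; "Issue ID"
# and "Name" are assumed column names, and true/false are assumed cell values.
SAMPLE_ISSUES_CSV = """Issue ID,Name,Is Attack,Is Audit
2000001,Land_Attack,true,false
2101118,Example_Audit_Signature,false,true
2101119,Example_Attack_Signature,true,false
"""

PRECONFIGURED_POLICIES = {"moderate", "aggressive", "paranoid"}


def load_issues(csv_text):
    """Map issue ID -> (name, is_attack, is_audit) from issues.csv-style text."""
    issues = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_attack = row["Is Attack"].strip().lower() == "true"
        is_audit = row["Is Audit"].strip().lower() == "true"
        issues[row["Issue ID"]] = (row["Name"], is_attack, is_audit)
    return issues


def build_pam_snippet(policy=None, activate=(), deactivate=(), issues=None):
    """Return a <Pam> snippet: optional policy plus pam.report.<id> overrides.
    IDs are checked against the issue list so a typo is rejected rather than
    silently becoming a tuning parameter that matches no signature."""
    if policy is not None and policy not in PRECONFIGURED_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    both = set(activate) & set(deactivate)
    if both:
        raise ValueError(f"both activated and deactivated: {sorted(both)}")
    pam = ET.Element("Pam")
    if policy is not None:
        pam.set("policy", policy)
    overrides = [(s, "1") for s in activate] + [(s, "0") for s in deactivate]
    if overrides:
        tuning = ET.SubElement(pam, "TuningParameters")
        for sig_id, value in sorted(overrides):  # deterministic output for diffing
            if issues is not None and sig_id not in issues:
                raise ValueError(f"unknown signature ID {sig_id}")
            ET.SubElement(tuning, f"pam.report.{sig_id}", value=value)
    return ET.tostring(pam, encoding="unicode")
```

Calling build_pam_snippet("moderate", activate=["2101118"], deactivate=["2101119"], issues=load_issues(SAMPLE_ISSUES_CSV)) produces one snippet that selects the policy and overrides both signatures.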
Suspect content descriptions in rules
For signatures that present a greater risk to your environment, create rules and offense notifications to help you detect and investigate these threats. When you decide which signatures warrant rules, consider the following:
- The use cases that are most relevant to your own environment.
- The signature priority as determined by IBM X-Force.
- The moderate, aggressive, and paranoid issue policies that are defined in the /opt/ibm/xforce/metadata directory after the upgrade is complete.