Suspect content descriptions derived from X-Force

New in 7.5.0

The IBM X-Force signature library includes descriptions for thousands of signatures.

At the enriched and advanced inspection level, QRadar Network Insights can detect suspicious content by using the X-Force signature library.

The signatures and issues are reported as suspect content on the Network Activity tab. The format for the suspect content description depends on the information that is available.
  • If the name of the detected issue ID is known, the suspect content description appears in the XForceIssue <Name> format.

    For example, a named issue might appear as XForceIssue Land_Attack.

  • If the name cannot be resolved for the detected issue, the issue ID appears in the suspect content description.

    For example, if the name cannot be identified, the issue might appear as XForceIssueID 2000001.

To learn more about the suspicious content, some fields on the Flow information window include direct links to view more information in X-Force Exchange.

Signature policies

Only signatures that are associated with a single connection are reported by QRadar Network Insights.

To view a complete list of issues that are supported for the current deployment, view the /opt/ibm/xforce/metadata/issues.csv file on the QRadar Network Insights appliance. Attack signatures are identified in the Is Attack column and audit-only signatures in the Is Audit column. By default, all attack signatures are reported and audit-only signatures are not reported.

New in 7.5.0 Update Package 5

You can modify PAM configuration settings to change the way that the IBM X-Force Signatures are reported.

For more information about how to apply the following configuration snippets to PAM, see Configuring the Protocol Analysis Module.

If no explicit policy is adopted, you can use the following configuration snippets to change the way that QRadar Network Insights reports on attacks and audits.

  • Report on attacks (default: activated). To deactivate this setting, apply this snippet.

    <Pam reportAttacks="false">

    </Pam>

  • Report on audits (default: deactivated). To activate this setting, apply this snippet.

    <Pam reportAudits="true">

    </Pam>
Alternatively, you can select a preconfigured policy. Preconfigured policies take precedence over the individual attack and audit settings.

  • Moderate: enables most attack events. Provides a good level of security detection with minimal chance of false alarms.

    <Pam policy="moderate">

    </Pam>

  • Aggressive: enables a high percentage of attack events. Provides a high level of security detection with a chance of false alarms.

    <Pam policy="aggressive">

    </Pam>

  • Paranoid: enables almost all attack events. Provides a very high level of security detection with a significant chance of false alarms.

    <Pam policy="paranoid">

    </Pam>

To determine which signatures are enabled in a specific policy, see the /opt/ibm/xforce/metadata/<policy>_issue_responses.csv file on your QRadar system.

Regardless of the presence or absence of an overall policy setting, you can use the following configuration snippets to change the settings for individual signatures. In each snippet, replace 2101118 with the ID of the signature that you want to change.

  • Deactivate a signature:

    <Pam>
        <TuningParameters>
            <pam.report.2101118 value="0" />
        </TuningParameters>
    </Pam>

  • Activate a signature:

    <Pam>
        <TuningParameters>
            <pam.report.2101118 value="1" />
        </TuningParameters>
    </Pam>
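The three layers above (attack/audit switches, a preconfigured policy, and per-signature tuning parameters) combine by precedence, and it is easy to lose track of what a given snippet actually reports. The following script is an added example, not IBM code: it parses a PAM snippet of the form documented on this page and, together with the metadata files, computes which signature IDs would be reported. Assumptions, labelled in the code: issues.csv has ID and Name columns in addition to the documented Is Attack and Is Audit columns; a <policy>_issue_responses.csv lists the enabled IDs under an ID column; a policy attribute is interpreted as replacing the attack/audit switches entirely, and a pam.report.<id> parameter overrides everything for that one signature. The sample CSV rows and signature names other than Land_Attack are constructed.

```python
"""Compute the effective X-Force signature reporting state for a PAM snippet.

Added example; not IBM code. Column layouts other than "Is Attack" and
"Is Audit" are assumed, as is the format of <policy>_issue_responses.csv.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of /opt/ibm/xforce/metadata/issues.csv.
# The ID and Name columns are an assumption; names other than Land_Attack are made up.
ISSUES_CSV = """ID,Name,Is Attack,Is Audit
2000001,Land_Attack,true,false
2101118,HTTP_Suspicious_Header,true,false
2200005,SSL_Weak_Cipher_Audit,false,true
2300009,DNS_Zone_Transfer_Audit,false,true
"""

# Constructed sample of moderate_issue_responses.csv (format assumed: one enabled ID per row).
MODERATE_POLICY_CSV = """ID
2000001
"""

# A combined snippet in the form shown on this page: a policy plus two per-signature overrides.
POLICY_SNIPPET = """<Pam policy="moderate">
    <TuningParameters>
        <pam.report.2101118 value="1" />
        <pam.report.2000001 value="0" />
    </TuningParameters>
</Pam>"""


def load_issues(text):
    """Return {id: {"name", "attack", "audit"}} from issues.csv content."""
    issues = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues[row["ID"].strip()] = {
            "name": row["Name"].strip(),
            "attack": row["Is Attack"].strip().lower() == "true",
            "audit": row["Is Audit"].strip().lower() == "true",
        }
    return issues


def load_policy(text):
    """Return the set of signature IDs enabled by a <policy>_issue_responses.csv."""
    return {row["ID"].strip() for row in csv.DictReader(io.StringIO(text))}


def parse_pam_snippet(xml_text):
    """Extract reportAttacks, reportAudits, policy and pam.report.<id> overrides."""
    root = ET.fromstring(xml_text)
    if root.tag != "Pam":
        raise ValueError(f"expected a <Pam> root element, got <{root.tag}>")
    overrides = {}
    for elem in root.iter():
        if elem.tag.startswith("pam.report."):
            # value="1" activates the signature; anything else deactivates it.
            overrides[elem.tag[len("pam.report."):]] = elem.get("value") == "1"
    return {
        "report_attacks": root.get("reportAttacks"),
        "report_audits": root.get("reportAudits"),
        "policy": root.get("policy"),
        "overrides": overrides,
    }


def effective_reporting(issues, cfg, policies):
    """Return {id: True/False} for every signature in issues.csv.

    Precedence (page defaults: attacks on, audits off):
      1. reportAttacks / reportAudits replace the defaults;
      2. a policy attribute takes precedence over those switches (assumed: the
         policy's issue responses file decides the whole set);
      3. pam.report.<id> overrides win for that signature regardless of policy.
    """
    report_attacks = (cfg["report_attacks"] or "true").lower() == "true"
    report_audits = (cfg["report_audits"] or "false").lower() == "true"
    policy_ids = None
    if cfg["policy"]:
        if cfg["policy"] not in policies:
            raise ValueError(f"no issue responses loaded for policy {cfg['policy']!r}")
        policy_ids = policies[cfg["policy"]]
    state = {}
    for sig_id, meta in issues.items():
        if policy_ids is not None:
            enabled = sig_id in policy_ids
        else:
            enabled = (meta["attack"] and report_attacks) or (meta["audit"] and report_audits)
        if sig_id in cfg["overrides"]:
            enabled = cfg["overrides"][sig_id]
        state[sig_id] = enabled
    return state


def reported_signatures(snippet):
    """Sorted list of signature IDs that the given snippet would cause to be reported."""
    issues = load_issues(ISSUES_CSV)
    policies = {"moderate": load_policy(MODERATE_POLICY_CSV)}
    state = effective_reporting(issues, parse_pam_snippet(snippet), policies)
    return sorted(sig_id for sig_id, on in state.items() if on)


if __name__ == "__main__":
    for name, snippet in [("defaults", "<Pam></Pam>"),
                          ("audits only", '<Pam reportAttacks="false" reportAudits="true"></Pam>'),
                          ("policy + overrides", POLICY_SNIPPET)]:
        print(f"{name}: {reported_signatures(snippet)}")
```

Point the loaders at the real issues.csv and <policy>_issue_responses.csv on the appliance and check the column names first; the script raises if a policy named in the snippet has no responses file loaded rather than silently reporting nothing.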

Suspect content descriptions in rules

For signatures that present a greater risk to your environment, create rules and offense notifications to help you detect and investigate these threats.

To determine which signatures to prioritize in your own environment, consider the following information:
  • The use cases that are most relevant to your own environment.
  • The signature priority as determined by IBM X-Force.
  • The moderate, aggressive, and paranoid issue policies that are defined in the /opt/ibm/xforce/metadata directory after the upgrade is complete.
When you use suspect content descriptions in rules, be specific about the signatures that you want to detect; for example, test for the exact description of a signature, such as XForceIssue Land_Attack. (The original page showed an image of an example rule that uses a suspect content description in the test criteria; the image is not included here.)
If you want to detect multiple signatures with a single rule, use a reference set.
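The following script is an added example, not IBM code or a QRadar rule export. It builds the exact suspect content descriptions for a set of prioritized signature IDs, in the form that a reference set would hold, using the two formats documented above (XForceIssue <Name> when the name is known, XForceIssueID <id> otherwise), and contrasts an exact reference-set match with a loose "contains XForceIssue" test to show why being specific matters. Assumptions: issues.csv has ID and Name columns and an empty Name means the name cannot be resolved; the flow records and all signature names other than Land_Attack are constructed.

```python
"""Build reference-set values from prioritized X-Force signatures and match flows.

Added example; not IBM code. The ID/Name columns of issues.csv are assumed,
the flow records are constructed, and the description formats follow the page.
"""
import csv
import io
import re

# Constructed sample of issues.csv; 2000002 has no resolvable name.
ISSUES_CSV = """ID,Name,Is Attack,Is Audit
2000001,Land_Attack,true,false
2000002,,true,false
2101118,HTTP_Suspicious_Header,true,false
"""

# Constructed flow records as the Network Activity tab would describe them.
FLOWS = [
    {"flow_id": 1, "suspect_content": ["XForceIssue Land_Attack"]},
    {"flow_id": 2, "suspect_content": ["XForceIssueID 2000002"]},
    {"flow_id": 3, "suspect_content": ["XForceIssue HTTP_Suspicious_Header"]},
    {"flow_id": 4, "suspect_content": []},
]

DESCRIPTION_RE = re.compile(r"^XForceIssue(ID)? (\S+)$")


def suspect_content_description(sig_id, name):
    """Format the description exactly as documented: named form, else ID form."""
    return f"XForceIssue {name}" if name else f"XForceIssueID {sig_id}"


def build_reference_set(issues_csv, prioritized_ids):
    """Return the set of description strings to load into a reference set."""
    names = {row["ID"].strip(): row["Name"].strip()
             for row in csv.DictReader(io.StringIO(issues_csv))}
    missing = sorted(set(prioritized_ids) - set(names))
    if missing:
        raise KeyError(f"signature IDs not present in issues.csv: {missing}")
    return {suspect_content_description(i, names[i]) for i in prioritized_ids}


def parse_description(desc):
    """Split a description into ("name", <Name>) or ("id", <id>); None if not X-Force."""
    m = DESCRIPTION_RE.match(desc)
    if m is None:
        return None
    return ("id" if m.group(1) else "name", m.group(2))


def exact_matches(flows, reference_set):
    """Flow IDs whose suspect content exactly equals a reference-set value."""
    return [f["flow_id"] for f in flows
            if any(d in reference_set for d in f["suspect_content"])]


def loose_matches(flows, needle="XForceIssue"):
    """Flow IDs matched by a non-specific 'contains' test; every X-Force hit matches."""
    return [f["flow_id"] for f in flows
            if any(needle in d for d in f["suspect_content"])]


if __name__ == "__main__":
    ref = build_reference_set(ISSUES_CSV, ["2000001", "2000002"])
    print("reference set:", sorted(ref))
    print("exact:", exact_matches(FLOWS, ref))
    print("loose:", loose_matches(FLOWS))
```

The exact match fires only on the two prioritized signatures, while the loose test also fires on flow 3, which carries a signature that was never prioritized; a rule built on the loose test would raise offenses for every X-Force signature that PAM reports.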