サポート対象の QRadar コンテンツ

いくつかのルールは、他のアプリケーションから QRadar® User Entity Behavior Analytics (UEBA) にイベントをフィードするように設計されています。 これらのルールでは、他のアプリケーションのコンテンツのインストールが必要になります。

コンテンツの依存関係

サポートされるその他の QRadar コンテンツおよび必須アプリケーションについて詳しくは、以下の表を参照してください。 表にリストされているルールは、アプリケーションによってスコアリングされます。
ヒント: スコアを調整するには、 IBM® QRadar Use Case Manager アプリケーションまたは UEBA アプリケーションの「ルールおよびチューニング」ページでスコアを変更する必要があります。
必須アプリ サポートされるルール
IBM QRadar DNS Analyzer QRadar DNS Analyzer
  • QNI: Confidential Content Being Transferred to Foreign Geography
  • QNI : Access to Improperly Secured Service - Certificate Expired
  • QNI : Access to Improperly Secured Service - Certificate Invalid
  • QNI : Potential Spam/Phishing Subject Detected from Multiple Sending ServersQNI : Observed File Hash Seen Across Multiple Hosts
  • QNI : Observed File Hash Associated with Malware Threat
  • QNI : Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
  • QNI : Access to Improperly Secured Service - Self Signed Certificate
  • QNI : Access to Improperly Secured Service - Weak Public Key Length
IBM Security Reconnaissance コンテンツ
  • Local L2L TCP Scanner
  • Local L2L Windows Server Scanner
  • Local L2L Game Server Scanner
  • Local L2L DNS Scanner
  • Local L2L Mail Server Scanner
  • Local L2L Proxy Server Scanner
  • Local L2L IM Server Scanner
  • Local L2L Web Server Scanner
  • Local L2L P2P Server Scanner
  • Local L2L SNMP Scanner
  • Local L2L RPC Server Scanner
  • Local L2L UDP Scanner
  • Local L2L DHCP Scanner
  • Local L2L ICMP Scanner
IBM QRadar Sysmon のコンテンツ
  • Detected a Possible Keylogger
  • Detected a New Unseen Process Started with a System User Privileges
  • Detected a Remotely Executed Process over Multiple Hosts
  • 通常ではないディレクトリーから開始されたプロセス (リサイクル.bin, ..)
  • A Hidden Network Share Has Been Added
  • Powershell Malicious Usage Detected
  • Powershell Malicious Usage Detected with Encoded Command
  • 異常なプロセス (例: word、iexplore、AcroRd ..)
  • Launched a Command Shell
  • Command Shell Started With a System Privileges
  • Detected a Successful Login From a Compromised Host Into Other Hosts
  • Detected a Possible Credential Dumping Tool
  • Childless Process Launched/Spawned a Process
  • Process Launched From Temp Directory
  • Abnormal Parent for a System Process
  • Detected a Suspicious Svchost Process
  • A Network Share Has Been Accessed From a Compromised Host
  • An Administrative share Has Been Accessed
  • An Administrative share Has Been Accessed From a Compromised Machine
  • Process Launched From a Shared Folder and Created Thread into Another Process
  • Detected Excessive Usage of System Tools From a Single Machine
  • Excessive Failed Attempts to Access a Network Shared Resource From a Compromised Host
  • Excessive Failed Attempts to Access an Administrative Share From a Single source
  • Powershell Has Been Launched in a Compromised Host
  • PsExec Has Been Launched From a Compromised Host
  • Detected SMB Traffic From a Compromised Host Into Other Hosts
  • A Command Shell or Powershell Has been Launched From a Remote System
  • A Scheduled Task Has Been Created in a Compromised Host
  • A Malicious Service Has Been Installed in a System
  • Detected a Service Configured to Use Powershell
  • Detected a Service Configured to Use a Pipe
IBM QRadar アマゾンのコンテンツ拡張 AWS
  • AWS Cloud: Cloud activity by root user
  • AWS Cloud: Critical EC2 Instance Has Been Stopped OR Terminated
  • AWS Cloud: Detected A Successful Login To AWS Console From Different Geographies
  • AWS Cloud: Logs Have Been Deleted / Disabled or Stopped
  • AWS Cloud: Multiple Console Login Failures From Different Source IPs
  • AWS Cloud: Multiple Console Login Failures from Same Source IP
  • AWS Cloud: Multiple Failed API Requests From Different Source IPs
  • AWS Cloud: Multiple Failed API Requests From Same Source IP
  • AWS Cloud: Multiple Failed API Requests From The Same Username