SysFlow
The IBM Security QRadar Content Extension adds new custom properties, custom rules, and
reference set for SysFlow.
The following table shows the custom properties in SysFlow Content Extension V1.0.1.
| Name | Optimized | JSON expression |
|---|---|---|
| BytesReceived | False | /"flow"/"rbytes" |
| BytesSent | False | /"flow"/"wbytes" |
| Container Entry | True | /"proc"/"entry" |
| Container ID | True | /"container"/"id" |
| Container Image | True | /"container"/"image" |
| Container Image ID | True | /"container"/"imageid" |
| Container Name | False | /"container"/"name" |
| Container Type | False | /"container"/"type" |
| File Directory | True | /"file"/"directory" |
| Filename | True | /"file"/"name" |
| File Open Flags | False | /"file"/"openflags"[] |
| File Open with Read Permission | False | /"file"/"is_open_read" |
| File Open with Write Permission | True | /"file"/"is_open_write" |
| File Path | True | /"file"/"path" |
| File Type | False | /"file"/"type" |
| GroupID | True | /"proc"/"gid" |
| Group Name | True | /"proc"/"group" |
| Hostname | True | /"node"/"id" |
| New File Directory | False | /"file"/"newdirectory" |
| New File Name | True | /"file"/"newname" |
| New File Path | True | /"file"/"newpath" |
| Parent Process ID | False | /"pproc"/"pid" |
| Parent Process Name | True | /"pproc"/"name" |
| Parent Process Path | True | /"pproc"/"exe" |
| Parent Process User ID | False | /"pproc"/"uid" |
| Parent Process User Name | False | /"pproc"/"user" |
| Privileged Container | True | /"container"/"privileged" |
| Process CommandLine | True | /"proc"/"cmdline" |
| Process Id | True | /"proc"/"pid" |
| Process Name | True | /"proc"/"name" |
| Process Path | True | /"proc"/"exe" |
| User ID | True | /"proc"/"uid" |
The following table shows the custom rules in SysFlow Content Extension V1.0.1.
| Type | Name | Description |
|---|---|---|
| Rule | Command Execution to Install or Modify Kernel Module | Detects execution of commands to install or modify kernel modules. An adversary might add a kernel module to achieve stealthy persistence or to run commands in the kernel mode. |
| Rule | Command Execution to Search For SUID or SGID Binaries | Detects execution of a command to search for SUID or SGID binaries and might exploit to escalate user privileges. |
| Rule | Command Execution to Update RootCA | Detects when a user runs update-ca-certificates command to update Certificate Authority list. |
| Rule | Container Accessing or Modifying Firewall Rules | Detects when a container accesses or modifies firewall rules. An adversary might add or delete firewall rules to allow malicious acts. Note: Nothing is stored on disk for iptables until the user saves the rules by running commands iptables-save and then iptables-restore. |
| Rule | Container Accessing SSH related file | Detects when a container accesses the SSH-related files under /$HOME/.ssh or /etc/ssh. |
| Rule | Container Communicating with Cloud Meta Data Servers | Detects when a container communicates with cloud meta data server. The Cloud meta data server returns meta data that usually includes the token. The cloud metadata ip is static and changed by multiple different cloud vendors. Change the IP address to suit your environment. |
| Rule | Container Communicating with Malicious IP Addresses | Detects when a container communicates with malicious IP addresses. |
| Rule | Container Created with Highest Privileges | Detects when a container is created with privilege flag. Creating a container that has the white-list image hash Rules value is valid, but creating a container that triggers the container event and process creation event is suspicious. |
| Rule | Container Creating or Modifying Scheduled Task | Detects when a container that has file modification event creates or updates any scheduled task. |
| Rule | Container Creating or Updating Files in Unusual Critical System Directories | Detects when a container creates or updates a file in an unusual critical system directory such as /, /root, /proc, /bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib or /dev. |
| Rule | Container Modifying Critical Authentication File | Detects when a container modifies critical authentication-related files regardless of the used process, such as adduser or any other process. |
| Rule | Container Modifying SELinux Configuration | Detects when a container modifies SELinux Configurations. An adversary might disable SELinux or change its operational mode. |
| Rule | Container Running Network Management or Discovery Utilities | Detects when a container runs suspicious network management or discovery behavior, such as nc, namp, and tcpdump |
| Rule | Container Running Package Management Utilities | Detects when a container runs package management utilities during its runtime. Containers are immutable objects, and running a package management is suspicious, because an adversary might install additional tools in the compromised container. |
| Rule | Container Running Remote File Transfer Utility | Detects when a container runs a remote file transfer utility, such as wget, curl, and sftp. |
| Rule | Container Running User Enumeration or Management Utilities | Detects when a container runs suspicious user enumeration or management behavior, such as id, groups, and useradd |
| Rule | Container Searching Private Keys or Security Tokens | Detects when a user searches for password files or private keys in the container. |
| Rule | Container Sending or Receiving Data over SSH | Detects when a container sends or receives data over SSH. An adversary might use the compromised container to move laterally to another container or to exfiltrate data over the SSH port 22. |
| Rule | Creation of Soft or Hard link over Sensitive or Critical Files | Detects the creation of Soft or Hard link over sensitive or critical files such as /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow, /etc/sudoers. |
| Rule | File Activities to Install or Modify Kernel Module | Detects when a kernel module is created or modified by inspecting file modifications to a .ko file under /lib/modules. |
| Rule | Hash Dumping: Unusual Process Accessed the Linux Shadow File | Detects hash dumping activity in Linux-based systems, where /etc/shadow file is accessed by an unusual process. |
| Rule | Detected Reverse or Bind Shell: Linux Shell Created a Network Connection | Detects when a network connection is initiated for a Linux shell, which can result in reverse or bind shell. |
| Rule | RootCA Created or Uploaded | Detects when a user creates files in or uploads files to a folder used for Certificate Authority. |
| Rule | Unusual Process Creating Outbound Network Connections by using the SSH Port | Detects when an unusual process starts to create outbound network connections by using the SSH port 22. An adversary might use this technique to bypass defense mechanisms, and to exfiltrate data using a well-known port. |
| Rule | Unusual Process Modifying Critical Authentication File | Detects when an unusual process modifies critical authentication-related files such as /etc/passwd. |
| Building Block | BB:CategoryDefinition: Container Event | Defines container events. |
| Building Block | BB:CategoryDefinition: File Modification Event | Defines file modification events. |
| Building Block | BB:CategoryDefinition: Process Creation Event | Defines process creation events |
The following table shows the reference sets and reference data in SysFlow Content Extension V1.0.1.
| Type | Name | Description |
|---|---|---|
| Reference Set | Whitelisted Linux Processes that can Modify Critical Authentication Files | Lists identified whitelisted Linux processes that can modify critical authentication files, like: /etc/passwd, /etc/group, /etc/shadow, ... |
| Reference Set | Searching Binaries | Lists identified processes that can be used to search for files, like find, ... |
| Reference Set | Package Management Utilities | Lists identified processes that can be used to install, upgrade, uninstall, manage linux packages, like: apt-get, ... |
| Reference Set | Whitelisted Processes that can access /etc/shadow | Lists identified whitelisted Linux processes that can open or read Linux Shadow file /etc/shadow |
| Reference Set | Sensitive / Critical Files | Lists identified File paths for sensitive or critical files. |
| Reference Set | Remote File Copy Binaries | Lists identified processes that can be used to perform remote file transfer operators, like: scp, ... |
| Reference Set | Network Management or Discovery Utility | Lists identified processes that can be used to discover or manage the network, like nmap, tcpdump, ... |
| Reference Set | Linux Shells | Lists identified linux shell processes, like: bash, sh, .... |
| Reference Set | User Enum And Mgmt Binaries | Lists identified processes that can be used to enumerate or manage the users/groups, like: adduser, deluser, addgroup, ... |
| Reference Set | TLS Folders | Lists identified File paths for tls root certificates. |
| Reference Set | Container Image White List | List container images that can be whitelisted. |
| Reference Data | pulse_imports | Part of the Pulse dashboard. |