IBM Support

QRadar Security Content Pack: iT-Cube agileSI

Question & Answer


Question

A new security content pack is available for iT-Cube agileSI. This tech note outlines the changes and provides installation instructions for administrators.

Answer


iT-CUBE agileSI continuously extracts SAP security and audit events for QRadar to collect using the SMB Tail protocol. The iT-CUBE agileSI extension for QRadar adds functionality for SAP security by adding 62 new saved searches, 31 custom properties, 3 reference sets and 1 reference table, 78 custom rules, 2 event search groups, 5 rule groups, a report group, 20 report templates, and a logo.

Custom event properties added by the iT-Cube agileSI extension

Property name                          Expression
0-initial/1-known pass/2-expired       siKey_Value_..=PWDINITIAL=(\S*)
Account Information                    siMessage=(.*\S)\s+siCustom1
Action                                 siMessage=(.*\S)\s+siCustom1
Action_                                cat=(.*\S)\s+siInstance
Changed by                             usrName=(\S*)
Current Value                          siCustom2=(\S+)
CurrentValue                           siCustom2=(-?\d+)
Failed login by                        usrName=(\S*)
From value                             siCustom1=(.*\S)\s+siCustom2
ICF-Active                             siKey_Value_03=ICFACTIVE=(\S*)
ICF-Service                            siKey_Value_01=ICF_NAME=(\S*)
Parameter Name                         IT-CUBE\|agileSI\|1.2\|(.*)\|sev=
SAP Client                             siClient=(\S*)
SAP System (SID)                       domain=(\S*)
Source of Log                          siExtr=(\S*)
Target Account                         siAffected_Object=(\S*)
To value                               siCustom3=(.*\S)\s+siCustom4
Transaction code                       siTCode=(\S*)
User                                   siKey_Value_02=BNAME=(\S*)
User lock status:0 means not locked    siKey_Value_..=UFLAG=(\S*)
User lock status:0 not locked          siCustom1=(.*\S)\s+siCustom2
siAffected_Object                      siAffected_Object=(\S*)
siCat                                  cat=(.*\S)\s+siInstance
siClient                               siClient=(\S*)
siCustom2                              siCustom2=(.*\S)\s+siCustom3
siDomain                               domain=(\S*)
siEventId                              IT-CUBE\|agileSI\|1.2\|(.*)\|sev=
siExtr                                 siExtr=(\S*)
siReport                               siReport=([^\t]+)
siTCode                                siTCode=(\S*)
siUse_Case                             siUse_Case=([^\t]+)
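The Python script below is an added example, not part of the agileSI content pack or of this tech note. It applies a subset of the expressions from the table above to two constructed agileSI-style events and reports which properties match. The event layout (a LEEF-like header followed by tab-separated key=value pairs), the field order and every value are assumptions made for illustration; only the expressions are taken from the table. The evaluation mirrors what QRadar does with a custom property (first match, capture group 1), and the second event shows why both "Current Value" and "CurrentValue" exist: the numeric-only expression yields no value when siCustom2 is not a number, which is the kind of gap to look for when reviewing the properties after installation.

```python
import re

# Expressions copied from the custom event property table of this tech note
# (a representative subset); QRadar returns capture group 1 of the first match.
CUSTOM_PROPERTIES = {
    "0-initial/1-known pass/2-expired": r"siKey_Value_..=PWDINITIAL=(\S*)",
    "Account Information": r"siMessage=(.*\S)\s+siCustom1",
    "Action": r"siMessage=(.*\S)\s+siCustom1",
    "Action_": r"cat=(.*\S)\s+siInstance",
    "Changed by": r"usrName=(\S*)",
    "Current Value": r"siCustom2=(\S+)",
    "CurrentValue": r"siCustom2=(-?\d+)",
    "Failed login by": r"usrName=(\S*)",
    "From value": r"siCustom1=(.*\S)\s+siCustom2",
    "ICF-Active": r"siKey_Value_03=ICFACTIVE=(\S*)",
    "ICF-Service": r"siKey_Value_01=ICF_NAME=(\S*)",
    "Parameter Name": r"IT-CUBE\|agileSI\|1.2\|(.*)\|sev=",
    "SAP Client": r"siClient=(\S*)",
    "SAP System (SID)": r"domain=(\S*)",
    "Source of Log": r"siExtr=(\S*)",
    "Target Account": r"siAffected_Object=(\S*)",
    "To value": r"siCustom3=(.*\S)\s+siCustom4",
    "Transaction code": r"siTCode=(\S*)",
    "User": r"siKey_Value_02=BNAME=(\S*)",
    "User lock status:0 means not locked": r"siKey_Value_..=UFLAG=(\S*)",
    "siReport": r"siReport=([^\t]+)",
    "siUse_Case": r"siUse_Case=([^\t]+)",
}


def build_event(fields, event_id, severity=5):
    """Assemble a constructed agileSI-style event: a LEEF-like header followed by
    tab-separated key=value pairs. The layout is an assumption for this example."""
    header = f"IT-CUBE|agileSI|1.2|{event_id}|sev={severity}"
    return header + "\t" + "\t".join(f"{key}={value}" for key, value in fields.items())


# Constructed sample 1: a failed logon as the Security Audit Log extractor might report it.
FAILED_LOGON = build_event({
    "cat": "Logon failed (password)",
    "siInstance": "prd_PRD_00",
    "siClient": "100",
    "domain": "PRD",
    "usrName": "JDOE",
    "siTCode": "SU01",
    "siExtr": "SI_SAL",
    "siAffected_Object": "SAP*",
    "siMessage": "Logon failed, wrong password",
    "siCustom1": "LOCKED",
    "siCustom2": "3",
    "siCustom3": "UNLOCKED",
    "siCustom4": "-",
    "siKey_Value_01": "ICF_NAME=/sap/bc/soap/rfc",
    "siKey_Value_02": "BNAME=JDOE",
    "siKey_Value_03": "ICFACTIVE=X",
    "siKey_Value_04": "PWDINITIAL=0",
    "siKey_Value_05": "UFLAG=64",
    "siReport": "Standard users",
    "siUse_Case": "SAP* activity",
}, event_id="SAL_AU2", severity=7)

# Constructed sample 2: a profile parameter check whose current value is not numeric.
PARAM_VIOLATION = build_event({
    "cat": "Profile Parameter Violation",
    "siInstance": "prd_PRD_00",
    "siClient": "000",
    "domain": "PRD",
    "siExtr": "SI_PARAM",
    "siMessage": "Parameter deviates from baseline",
    "siCustom1": "login/no_automatic_user_sapstar",
    "siCustom2": "FALSE",
    "siCustom3": "TRUE",
    "siCustom4": "-",
    "siReport": "Profile Parameter Violations",
    "siUse_Case": "Compliance",
}, event_id="login/no_automatic_user_sapstar")


def extract_properties(event, properties=CUSTOM_PROPERTIES):
    """Evaluate every property expression against one event the way QRadar does:
    re.search finds the first match and group(1) is the property value.
    A property whose expression does not match yields None."""
    values = {}
    for name, pattern in properties.items():
        match = re.search(pattern, event)
        values[name] = match.group(1) if match else None
    return values


def unmatched(event, properties=CUSTOM_PROPERTIES):
    """Names of properties that produce no value for this event. Many gaps on an
    event type that should populate them point at an expression to revisit."""
    return [name for name, value in extract_properties(event, properties).items() if value is None]


if __name__ == "__main__":
    for label, event in (("failed logon", FAILED_LOGON), ("parameter violation", PARAM_VIOLATION)):
        print(f"== {label}")
        for name, value in extract_properties(event).items():
            print(f"  {name:38} {value!r}")
        print("  unmatched:", unmatched(event))
```

Python's re module and QRadar's Java regex engine agree on everything these expressions use (\S, \s, \d, character classes and greedy groups), so the values printed here are what the properties would show in the Log Activity tab for a matching event. Note that the greedy (.*\S)\s+siCustom1 style expressions depend on the next field name following the captured field; if a payload carries the fields in a different order the capture silently stretches across several fields, which is a good reason to spot-check the properties against real events after the install.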

Saved searches added by the agileSI content extension

Search name
agileSI - SAP* activity
agileSI - Changes to User Master Records
agileSI - Remote Services active [per system]
agileSI - Standard User Activity (Security Audit Log Events)
agileSI - Failed Logins(Top Failed Logins by User)
agileSI - Top Severe Message Types per System
agileSI - SAP Application Area - ICM/ICF
agileSI - SAP Application Area - Message server
agileSI - Access Control Violations: separation of duties (per system)
agileSI - Standard user accounts per system(T)
agileSI - Standard User Activity ( Security Audit Log Events )
agileSI - SAP Application Area - Logon
agileSI - SAP* activity(T)
agileSI - Access Control Violations: separation of duties (user list)
agileSI - Systems with Violations
agileSI - Top Severe Message Types per System (standard user accounts)
agileSI - Standard User Activity (System Log Events)
agileSI - Standard User Activity (SYSLOG) - Top Severity per System.
agileSI - SAP Application Area - General system
agileSI - Remote SOAP Service active
agileSI - SAP Application Area - Database
agileSI - User Authorization - OS Commands
agileSI - Debugging Authorizations per System
agileSI - Standard User Activity (System Log)
agileSI - Standard User Activity (System Log Events).
agileSI - SAP Application Area - Authentication
agileSI - Changes user master records security audit information
agileSI - Change Documents User Master Records: Top Categories of changes per System
agileSI - Change documents user master records
agileSI - Severe Message Types (SAL and Syslog)
agileSI - Standard user login activity per system
agileSI - Failed Logins(Failed Logins [last 7 days])
agileSI - Debugging Enabled Systems.
agileSI - User Authorization - OS Commands [per system]
agileSI - Debugging Activity per System
agileSI - Debugging Authorizations per System(T)
agileSI - Debugging Activity by System and User
agileSI - Standard User Activity (SAL) - Top Severity per System
agileSI - Changes to User Master Records.
agileSI - Standard User Activity (SYSLOG) - Top Severity per System
agileSI - Severe Message Types (SAL and Syslog) (standard user accounts)
agileSI - Role Assignment Activities per System
agileSI - SAP Application Area - Dispatcher and Task Handler
agileSI - OS Command Execution(SI_SAL)(T).
agileSI - OS Commands per System(SI_SAL)
agileSI - SAP* activity(SID)
agileSI - Debugging Enabled Systems
agileSI - OS Commands per System(SI_SYSLOG)
agileSI - SAP Application Area - Gateway
agileSI - OS Command Execution(SI_SAL)(T)
agileSI - SAP Application Area - SNC - Secure network communication
agileSI - Top authorization assignment activity per system.
agileSI - Top authorization assignment activity per system
agileSI - Role and Profile Assignment per system
agileSI - SAP Application Area - ABAP
agileSI - Standard user accounts per system
agileSI - Critical Transactions [Customer defined list]
agileSI - Overview of Users that are not in Corporate Directory
agileSI - Standard User Logon Activity (event list)
agileSI - OS Command Execution(SI_SYSLOG)(T)
agileSI - Active Users that are not in Corporate Directory per System
agileSI - Critical Role and Profile Assignments (SAP_ALL)

Reference data added by the agileSI content extension

Reference set name                        Type
agileSI - Profile Parameter Violation     Reference table
agileSI - Standard users                  Reference set
agileSI - Users in Corporate Directory    Reference set
agileSI - blocklist of TCodes             Reference set

Rules added by the agileSI content extension

Rule name
agileSI - Execution of critical transaction
agileSI - OS Commands per System(SI_SAL)
agileSI - Profile Parameter Violation:abap/ext_debugging_possible
agileSI - Profile Parameter Violation:auth/object_disabling_active
agileSI - Profile Parameter Violation:auth/rfc_authority_check
agileSI - Profile Parameter Violation:auth/tcodes_not_checked
agileSI - Profile Parameter Violation:gw/accept_remote_trace_level
agileSI - Profile Parameter Violation:gw/acl_mode
agileSI - Profile Parameter Violation:gw/logging
agileSI - Profile Parameter Violation:gw/monitor
agileSI - Profile Parameter Violation:gw/sim_mode
agileSI - Profile Parameter Violation:icm/accept_remote_trace_level
agileSI - Profile Parameter Violation:is/HTTP/show_detailed_errors
agileSI - Profile Parameter Violation:is/HTTP/show_server_header
agileSI - Profile Parameter Violation:login/create_sso2_ticket
agileSI - Profile Parameter Violation:login/disable_multi_gui_login
agileSI - Profile Parameter Violation:login/fails_to_session_end
agileSI - Profile Parameter Violation:login/fails_to_user_lock
agileSI - Profile Parameter Violation:login/min_passworkd_digits
agileSI - Profile Parameter Violation:login/min_password_letters
agileSI - Profile Parameter Violation:login/min_password_Ing
agileSI - Profile Parameter Violation:login/min_password_lowercase
agileSI - Profile Parameter Violation:login/min_password_uppercase
agileSI - Profile Parameter Violation:login/no_automatic_user_sapstar
agileSI - Profile Parameter Violation:login/password_change_waittime
agileSI - Profile Parameter Violation:login/password_charset
agileSI - Profile Parameter Violation:login/password_compliance_to_current_policy
agileSI - Profile Parameter Violation:login/password_downwards_compatibility
agileSI - Profile Parameter Violation:login/password_expiration_time
agileSI - Profile Parameter Violation:login/password_history_size
agileSI - Profile Parameter Violation:login/password_max_idle_initial
agileSI - Profile Parameter Violation:login/passwo_max_idle_productive
agileSI - Profile Parameter Violation:login/ticket_only_by_https
agileSI - Profile Parameter Violation:ms/monitor
agileSI - Profile Parameter Violation:rdisp/gui_auto_logout
agileSI - Profile Parameter Violation:rdisp/j2ee_start
agileSI - Profile Parameter Violation:rdisp/TRACE
agileSI - Profile Parameter Violation:rec/client
agileSI - Profile Parameter Violation:rfc/disable_debugger_command_field
agileSI - Profile Parameter Violation:rfc/ext_debugging
agileSI - Profile Parameter Violation:rfc/reject_expired_passwd
agileSI - Profile Parameter Violation:rsau/enable
agileSI - Profile Parameter Violation:service/protectedwebmethods
agileSI - Profile Parameter Violation:snc/accept_insecure_epic
agileSI - Profile Parameter Violation:snc/accept_insecure_gui
agileSI - Profile Parameter Violation:snc/accept_insecure_rfc
agileSI - Profile Parameter Violation:snc/data_protection/max
agileSI - Profile Parameter Violation:snc/data_protection/min
agileSI - Profile Parameter Violation:snc/enable
agileSI - Profile Parameter Violation:snc/permit_insecure_start
agileSI - Profile Parameter Violations
agileSI - SAP Application Area - ABAP
agileSI - SAP Application Area - Authentication
agileSI - SAP Application Area - Database
agileSI - SAP Application Area - Dispatcher and Task Handler
agileSI - SAP Application Area - Gateway
agileSI - SAP Application Area - General system
agileSI - SAP Application Area - ICM/ICF
agileSI - SAP Application Area - Logon
agileSI - SAP Application Area - Message server
agileSI - SAP Application Area - SNC - Secure network communication

Reports added by the agileSI content extension

Report name
agileSI - Change Documents User Master Records#1
agileSI - Change Documents User Master Records#2
agileSI - Change of critical data
agileSI - Changes to User Master Records (SAL, CHGDOC_UR)
agileSI - Data integrity / Principle of non-changeability#1
agileSI - Data integrity / Principle of non-changeability#2
agileSI - Data integrity / Principle of non-changeability#3
agileSI - Failed Logins
agileSI - High privileged accounts
agileSI - OS-Commands#1
agileSI - OS-Commands#2
agileSI - OS-Commands#3
agileSI - Remote Function Call
agileSI - SAP* activity
agileSI - separation of Duties (per system)
agileSI - Standard Users#1
agileSI - Standard Users#2
agileSI - Standard Users#3
agileSI - Standard Users#4
agileSI - Synchronisation of user accounts

Rule Groups added by the agileSI content extension

Groups
agileSI - Security
agileSI - Top 25 Use Cases
agileSI - Profile Parameter Violations
agileSI - Compliance
agileSI - Overall system health

To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.

Procedure

  1. Download the iT-Cube agileSI content pack from the IBM Fix Central website for your QRadar version.

  2. Using SSH, log in to your Console as the root user.

  3. Copy the security content pack to the /tmp directory on the QRadar Console.
     Note: If space in the /tmp directory is limited, copy the content pack to another location that has sufficient space.

  4. To install the security content pack, type one of the following commands:
    • For QRadar 7.1, type: rpm -Uvh ContentPackage-PartnerIntegration-agileSI-7.1-1418149270.x86_64.rpm
    • For QRadar 7.2, type: rpm -Uvh ContentPackage-PartnerIntegration-agileSI-7.2-1418149270.x86_64.rpm

  5. Log in to the QRadar Console as an administrator.

  6. Click the Admin tab.

  7. Before you continue: Restarting the web server restarts the user interface and loads the new custom event properties. This action logs out existing users, stops reports in progress, and halts event exports in progress. It is recommended that administrators restart the user interface during a maintenance window for the appliance.

  8. Click Advanced > Restart Web Server.

  9. Click OK to restart the QRadar user interface.

Results

After the user interface restarts, the installation is complete. The administrator should review the iT-Cube agileSI custom event properties to determine if any of the values need to be enabled, disabled, or optimized in the QRadar interface.

Installing a QRadar Extension

The Extension Management window in QRadar is used to add applications to your deployment to improve the functionality or add customized content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards or extensions can install applications that deliver specific new functionality to QRadar. The About tab of this article outlines the contents of the extension being added to QRadar.

Procedure

  1. Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download files from http://apps.xforce.ibmcloud.com/.

  2. Click the Admin tab.

  3. Click the Extension Management icon.

  4. To upload an extension, click Add and select the extension to upload.
     Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.

  5. To install the extension immediately, select the Install immediately check box and then click Add.

  6. A preview of the application content is displayed. You can choose how existing content items are handled.

  7. To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.

  8. Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.

Results

After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.


Document Information

Modified date:
20 September 2022

UID

swg21971464