About
iT-CUBE agileSI continuously extracts SAP security and audit events for QRadar to collect using the SMB Tail protocol. The iT-CUBE agileSI extension for QRadar adds functionality for SAP security by adding 62 new saved searches, 31 custom properties, 3 reference sets and 1 reference table, 78 custom rules, 2 event search groups, 5 rule groups, a report group, 20 report templates, and a logo.
Custom event properties added by the iT-CUBE agileSI extension

| Property name | Expression |
|---|---|
| 0-initial/1-known pass/2-expired | siKey_Value_..=PWDINITIAL=(\S*) |
| Account Information | siMessage=(.*\S)\s+siCustom1 |
| Action | siMessage=(.*\S)\s+siCustom1 |
| Action_ | cat=(.*\S)\s+siInstance |
| Changed by | usrName=(\S*) |
| Current Value | siCustom2=(\S+) |
| CurrentValue | siCustom2=(-?\d+) |
| Failed login by | usrName=(\S*) |
| From value | siCustom1=(.*\S)\s+siCustom2 |
| ICF-Active | siKey_Value_03=ICFACTIVE=(\S*) |
| ICF-Service | siKey_Value_01=ICF_NAME=(\S*) |
| Parameter Name | IT-CUBE\|agileSI\|1.2\|(.*)\|sev= |
| SAP Client | siClient=(\S*) |
| SAP System (SID) | domain=(\S*) |
| Source of Log | siExtr=(\S*) |
| Target Account | siAffected_Object=(\S*) |
| To value | siCustom3=(.*\S)\s+siCustom4 |
| Transaction code | siTCode=(\S*) |
| User | siKey_Value_02=BNAME=(\S*) |
| User lock status:0 means not locked | siKey_Value_..=UFLAG=(\S*) |
| User lock status:0 not locked | siCustom1=(.*\S)\s+siCustom2 |
| siAffected_Object | siAffected_Object=(\S*) |
| siCat | cat=(.*\S)\s+siInstance |
| siClient | siClient=(\S*) |
| siCustom2 | siCustom2=(.*\S)\s+siCustom3 |
| siDomain | domain=(\S*) |
| siEventId | IT-CUBE\|agileSI\|1.2\|(.*)\|sev= |
| siExtr | siExtr=(\S*) |
| siReport | siReport=([^\t]+) |
| siTCode | siTCode=(\S*) |
| siUse_Case | siUse_Case=([^\t]+) |
Saved searches added by the agileSI content extension

| Search name |
|---|
| agileSI - SAP* activity |
| agileSI - Changes to User Master Records |
| agileSI - Remote Services active [per system] |
| agileSI - Standard User Activity (Security Audit Log Events) |
| agileSI - Failed Logins(Top Failed Logins by User) |
| agileSI - Top Severe Message Types per System |
| agileSI - SAP Application Area - ICM/ICF |
| agileSI - SAP Application Area - Message server |
| agileSI - Access Control Violations: separation of duties (per system) |
| agileSI - Standard user accounts per system(T) |
| agileSI - Standard User Activity ( Security Audit Log Events ) |
| agileSI - SAP Application Area - Logon |
| agileSI - SAP* activity(T) |
| agileSI - Access Control Violations: separation of duties (user list) |
| agileSI - Systems with Violations |
| agileSI - Top Severe Message Types per System (standard user accounts) |
| agileSI - Standard User Activity (System Log Events) |
| agileSI - Standard User Activity (SYSLOG) - Top Severity per System. |
| agileSI - SAP Application Area - General system |
| agileSI - Remote SOAP Service active |
| agileSI - SAP Application Area - Database |
| agileSI - User Authorization - OS Commands |
| agileSI - Debugging Authorizations per System |
| agileSI - Standard User Activity (System Log) |
| agileSI - Standard User Activity (System Log Events). |
| agileSI - SAP Application Area - Authentication |
| agileSI - Changes user master records security audit information |
| agileSI - Change Documents User Master Records: Top Categories of changes per System |
| agileSI - Change documents user master records |
| agileSI - Severe Message Types (SAL and Syslog) |
| agileSI - Standard user login activity per system |
| agileSI - Failed Logins(Failed Logins [last 7 days]) |
| agileSI - Debugging Enabled Systems. |
| agileSI - User Authorization - OS Commands [per system] |
| agileSI - Debugging Activity per System |
| agileSI - Debugging Authorizations per System(T) |
| agileSI - Debugging Activity by System and User |
| agileSI - Standard User Activity (SAL) - Top Severity per System |
| agileSI - Changes to User Master Records. |
| agileSI - Standard User Activity (SYSLOG) - Top Severity per System |
| agileSI - Severe Message Types (SAL and Syslog) (standard user accounts) |
| agileSI - Role Assignment Activities per System |
| agileSI - SAP Application Area - Dispatcher and Task Handler |
| agileSI - OS Command Execution(SI_SAL)(T). |
| agileSI - OS Commands per System(SI_SAL) |
| agileSI - SAP* activity(SID) |
| agileSI - Debugging Enabled Systems |
| agileSI - OS Commands per System(SI_SYSLOG) |
| agileSI - SAP Application Area - Gateway |
| agileSI - OS Command Execution(SI_SAL)(T) |
| agileSI - SAP Application Area - SNC - Secure network communication |
| agileSI - Top authorization assignment activity per system. |
| agileSI - Top authorization assignment activity per system |
| agileSI - Role and Profile Assignment per system |
| agileSI - SAP Application Area - ABAP |
| agileSI - Standard user accounts per system |
| agileSI - Critical Transactions [Customer defined list] |
| agileSI - Overview of Users that are not in Corporate Directory |
| agileSI - Standard User Logon Activity (event list) |
| agileSI - OS Command Execution(SI_SYSLOG)(T) |
| agileSI - Active Users that are not in Corporate Directory per System |
| agileSI - Critical Role and Profile Assignments (SAP_ALL) |
Reference data added by the agileSI content extension

| Name | Type |
|---|---|
| agileSI - Profile Parameter Violation | Reference table |
| agileSI - Standard users | Reference set |
| agileSI - Users in Corporate Directory | Reference set |
| agileSI - blocklist of TCodes | Reference set |
Rules added by the agileSI content extension

| Rule name |
|---|
| agileSI - Execution of critical transaction |
| agileSI - OS Commands per System(SI_SAL) |
| agileSI - Profile Parameter Violation:abap/ext_debugging_possible |
| agileSI - Profile Parameter Violation:auth/object_disabling_active |
| agileSI - Profile Parameter Violation:auth/rfc_authority_check |
| agileSI - Profile Parameter Violation:auth/tcodes_not_checked |
| agileSI - Profile Parameter Violation:gw/accept_remote_trace_level |
| agileSI - Profile Parameter Violation:gw/acl_mode |
| agileSI - Profile Parameter Violation:gw/logging |
| agileSI - Profile Parameter Violation:gw/monitor |
| agileSI - Profile Parameter Violation:gw/sim_mode |
| agileSI - Profile Parameter Violation:icm/accept_remote_trace_level |
| agileSI - Profile Parameter Violation:is/HTTP/show_detailed_errors |
| agileSI - Profile Parameter Violation:is/HTTP/show_server_header |
| agileSI - Profile Parameter Violation:login/create_sso2_ticket |
| agileSI - Profile Parameter Violation:login/disable_multi_gui_login |
| agileSI - Profile Parameter Violation:login/fails_to_session_end |
| agileSI - Profile Parameter Violation:login/fails_to_user_lock |
| agileSI - Profile Parameter Violation:login/min_password_digits |
| agileSI - Profile Parameter Violation:login/min_password_letters |
| agileSI - Profile Parameter Violation:login/min_password_lng |
| agileSI - Profile Parameter Violation:login/min_password_lowercase |
| agileSI - Profile Parameter Violation:login/min_password_uppercase |
| agileSI - Profile Parameter Violation:login/no_automatic_user_sapstar |
| agileSI - Profile Parameter Violation:login/password_change_waittime |
| agileSI - Profile Parameter Violation:login/password_charset |
| agileSI - Profile Parameter Violation:login/password_compliance_to_current_policy |
| agileSI - Profile Parameter Violation:login/password_downwards_compatibility |
| agileSI - Profile Parameter Violation:login/password_expiration_time |
| agileSI - Profile Parameter Violation:login/password_history_size |
| agileSI - Profile Parameter Violation:login/password_max_idle_initial |
| agileSI - Profile Parameter Violation:login/password_max_idle_productive |
| agileSI - Profile Parameter Violation:login/ticket_only_by_https |
| agileSI - Profile Parameter Violation:ms/monitor |
| agileSI - Profile Parameter Violation:rdisp/gui_auto_logout |
| agileSI - Profile Parameter Violation:rdisp/j2ee_start |
| agileSI - Profile Parameter Violation:rdisp/TRACE |
| agileSI - Profile Parameter Violation:rec/client |
| agileSI - Profile Parameter Violation:rfc/disable_debugger_command_field |
| agileSI - Profile Parameter Violation:rfc/ext_debugging |
| agileSI - Profile Parameter Violation:rfc/reject_expired_passwd |
| agileSI - Profile Parameter Violation:rsau/enable |
| agileSI - Profile Parameter Violation:service/protectedwebmethods |
| agileSI - Profile Parameter Violation:snc/accept_insecure_cpic |
| agileSI - Profile Parameter Violation:snc/accept_insecure_gui |
| agileSI - Profile Parameter Violation:snc/accept_insecure_rfc |
| agileSI - Profile Parameter Violation:snc/data_protection/max |
| agileSI - Profile Parameter Violation:snc/data_protection/min |
| agileSI - Profile Parameter Violation:snc/enable |
| agileSI - Profile Parameter Violation:snc/permit_insecure_start |
| agileSI - Profile Parameter Violations |
| agileSI - SAP Application Area - ABAP |
| agileSI - SAP Application Area - Authentication |
| agileSI - SAP Application Area - Database |
| agileSI - SAP Application Area - Dispatcher and Task Handler |
| agileSI - SAP Application Area - Gateway |
| agileSI - SAP Application Area - General system |
| agileSI - SAP Application Area - ICM/ICF |
| agileSI - SAP Application Area - Logon |
| agileSI - SAP Application Area - Message server |
| agileSI - SAP Application Area - SNC - Secure network communication |
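The following Python script is an added example; it is not code from this page, from IBM or from iT-CUBE. It applies a subset of the custom event property expressions listed earlier on this page (copied verbatim) to constructed event lines, and then evaluates two of the rule ideas above over the extracted properties: a profile parameter outside an expected baseline (the Profile Parameter Violation rules) and activity by an account in the standard-user reference set. The tab-separated event layout, the sample events, the baseline values and the standard-user list are all assumptions made for the example; the real contents of the agileSI reference data are not described on this page.

```python
import re

# Custom event property expressions copied verbatim from the table on this page
# (a subset of the 31). Note that several properties share a single expression.
PROPERTIES = {
    "siEventId": r"IT-CUBE\|agileSI\|1.2\|(.*)\|sev=",
    "Parameter Name": r"IT-CUBE\|agileSI\|1.2\|(.*)\|sev=",
    "siCat": r"cat=(.*\S)\s+siInstance",
    "SAP System (SID)": r"domain=(\S*)",
    "SAP Client": r"siClient=(\S*)",
    "Source of Log": r"siExtr=(\S*)",
    "Failed login by": r"usrName=(\S*)",
    "Transaction code": r"siTCode=(\S*)",
    "Current Value": r"siCustom2=(\S+)",
    "CurrentValue": r"siCustom2=(-?\d+)",
    "User": r"siKey_Value_02=BNAME=(\S*)",
    "User lock status:0 means not locked": r"siKey_Value_..=UFLAG=(\S*)",
    "0-initial/1-known pass/2-expired": r"siKey_Value_..=PWDINITIAL=(\S*)",
    "siReport": r"siReport=([^\t]+)",
}

COMPILED = {name: re.compile(expr) for name, expr in PROPERTIES.items()}


def extract(event, compiled=COMPILED):
    """Run every property expression against one raw event line and return the
    first capture group of each expression that matched, keyed by property name.
    Properties whose expression does not match are simply absent."""
    props = {}
    for name, pattern in compiled.items():
        match = pattern.search(event)
        if match:
            props[name] = match.group(1)
    return props


# Constructed sample events (not real agileSI output): tab-separated key=value
# fields in the layout the expressions above imply.
SAMPLE_EVENTS = [
    # A profile parameter check result (hypothetical extractor name SI_PARAM).
    "IT-CUBE|agileSI|1.2|login/fails_to_user_lock|sev=7\tcat=Profile Parameter Violation"
    "\tsiInstance=sapprd_PRD_00\tdomain=PRD\tsiClient=000\tsiExtr=SI_PARAM"
    "\tsiCustom2=99\tsiReport=Parameter check",
    # A Security Audit Log event for a failed logon by the SAP* account.
    "IT-CUBE|agileSI|1.2|AU2|sev=5\tcat=Logon failed\tsiInstance=sapprd_PRD_00"
    "\tdomain=PRD\tsiClient=100\tsiExtr=SI_SAL\tusrName=SAP*"
    "\tsiTCode=SESSION_MANAGER\tsiReport=Security Audit Log",
    # A user master record snapshot carrying the key/value slots.
    "IT-CUBE|agileSI|1.2|USR02|sev=3\tcat=User master record\tsiInstance=sapdev_DEV_00"
    "\tdomain=DEV\tsiClient=100\tsiExtr=SI_USR02\tsiKey_Value_01=UFLAG=0"
    "\tsiKey_Value_02=BNAME=JDOE\tsiKey_Value_03=PWDINITIAL=1\tsiReport=User status",
]

# Constructed, illustrative baseline standing in for the "agileSI - Profile
# Parameter Violation" reference table. Each predicate returns True when the
# reported value is acceptable. Assumed values, not taken from this page.
PARAMETER_BASELINE = {
    "login/fails_to_user_lock": lambda v: v.isdigit() and 1 <= int(v) <= 5,
    "login/no_automatic_user_sapstar": lambda v: v == "1",
    "rsau/enable": lambda v: v == "1",
}

# Constructed stand-in for the "agileSI - Standard users" reference set.
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM", "SAPCPIC"}


def review(event):
    """Evaluate two rule ideas over one event and return a list of findings as
    (finding_type, subject, detail) tuples; an empty list means nothing fired."""
    props = extract(event)
    findings = []

    # Profile Parameter Violation: the parameter name travels in the event-id slot
    # and the reported value in siCustom2, exactly as the expressions above read them.
    param, value = props.get("Parameter Name"), props.get("Current Value")
    if param in PARAMETER_BASELINE and value is not None:
        if not PARAMETER_BASELINE[param](value):
            findings.append(("profile_parameter_violation", param, value))

    # Standard user activity: the acting account is matched against the reference set.
    user = props.get("Failed login by")
    if user in STANDARD_USERS:
        findings.append(("standard_user_activity", user, props.get("siEventId")))

    return findings


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract(event))
        print(review(event))
```

One thing the run makes visible is the difference between the wildcard slot expressions (`siKey_Value_..=UFLAG=`) and the fixed-slot ones (`siKey_Value_02=BNAME=`): if an extractor emits BNAME in a different slot, the "User" property silently stays empty while the wildcard properties keep matching. That is the kind of gap the post-install review of the custom event properties mentioned in the Results section is meant to catch.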
Reports added by the agileSI content extension

| Report name |
|---|
| agileSI - Change Documents User Master Records#1 |
| agileSI - Change Documents User Master Records#2 |
| agileSI - Change of critical data |
| agileSI - Changes to User Master Records (SAL, CHGDOC_UR) |
| agileSI - Data integrity / Principle of non-changeability#1 |
| agileSI - Data integrity / Principle of non-changeability#2 |
| agileSI - Data integrity / Principle of non-changeability#3 |
| agileSI - Failed Logins |
| agileSI - High privileged accounts |
| agileSI - OS-Commands#1 |
| agileSI - OS-Commands#2 |
| agileSI - OS-Commands#3 |
| agileSI - Remote Function Call |
| agileSI - SAP* activity |
| agileSI - separation of Duties (per system) |
| agileSI - Standard Users#1 |
| agileSI - Standard Users#2 |
| agileSI - Standard Users#3 |
| agileSI - Standard Users#4 |
| agileSI - Synchronisation of user accounts |
Rule Groups added by the agileSI content extension

| Groups |
|---|
| agileSI - Security |
| agileSI - Top 25 Use Cases |
| agileSI - Profile Parameter Violations |
| agileSI - Compliance |
| agileSI - Overall system health |
Installing a Content Pack
Procedure
- Download the iT-CUBE agileSI content pack from the IBM Fix Central website for your QRadar version:
  - For QRadar 7.1: Link to all QRadar 7.1 Security Content Packs
  - For QRadar 7.2: Link to all QRadar 7.2 Security Content Packs
- Using SSH, log in to your Console as the root user.
- Copy the security content pack to the /tmp directory on the QRadar Console.
  - Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
- To install the security content pack, type one of the following commands:
  - For QRadar 7.1, type: `rpm -Uvh ContentPackage-PartnerIntegration-agileSI-7.1-1418149270.x86_64.rpm`
  - For QRadar 7.2, type: `rpm -Uvh ContentPackage-PartnerIntegration-agileSI-7.2-1418149270.x86_64.rpm`
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Before you continue: Restarting the web server restarts the user interface and loads the new custom event properties. This action logs out existing users, stops reports in progress, and halts event exports in progress. It is recommended that administrators restart the user interface during a maintenance window for the appliance.
- Click Advanced > Restart Web Server.
- Click OK to restart the QRadar user interface.
Results
After the user interface restarts, the installation is complete. The administrator should review the Bit9 Security Platform custom event properties to determine if any of the values need to be enabled, disabled, or optimized in the QRadar interface.
Installing a QRadar Extension
The Extension Management window in QRadar is used to add applications to your deployment to improve the functionality or add customized content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or extensions can install applications that deliver specific new functionality to QRadar. The About tab of this article outlines the contents of the extension being added to QRadar.
Procedure
- Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download files from http://apps.xforce.ibmcloud.com/.
- Click the Admin tab.
- Click the Extension Management icon.
- To upload an extension, click Add and select the extension to upload.
  - Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
- To install the extension immediately, select the Install immediately check box and then click Add.
- A preview of the application content is displayed. You can choose how existing content items are handled.
- To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.
- Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.
Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
Document Information
Modified date: 20 September 2022
UID: swg21971464