Question & Answer
Question
The 'Extension for VMware Theme' adds rule content to QRadar that focuses on data related to VMware products, such as vCenter, vCloud, vShield, and vApp. This extension enhances QRadar's base rule set for administrators who use VMware products.
Answer
The QRadar extension for VMware adds 11 new rules for administrators who leverage VMware products in their networks. This extension enhances QRadar's base rule set for administrators who use VMware products, such as vCenter, vCloud, vShield, and vApp.
Before you begin
This extension is intended to add several VMware product rules to new appliance installations of QRadar 7.2.6. Administrators who do not install this extension will not have these VMware rules in their QRadar system, because the rules are not in the default rule set for QRadar 7.2.6. It is recommended that administrators using VMware products, such as vCenter, vCloud, vShield, and vApp. Administrators who want to view VMware rules can do so by sorting for the VMware Virtual Infrastructure rule group.
Rules added by the VMware extension
Rule Name | Description | Response |
--- | --- | --- |
VMware: vCenter Destroy Events and Tasks Notification | This rule notifies about destroy tasks in VMware Virtual Environment. | Dispatch new event |
VMware: VM Relocate Notification | This rule notifies about VM Migrate Events in VMware Virtual Environments. | Dispatch new event |
VMware: vApp Create Notification | This rule notifies about creation of vApp in VMware vCloud Environment. | Dispatch new event |
VMware: vApp Activities Notification | This rule notifies activities relating to vApps in VMware vCloud Environment. | Dispatch new event |
VMware: VM Create Notification | This rule notifies about VM creation events in VMware Virtual Infrastructure. | Dispatch new event |
VMware: VM Delete Notification | This rule notifies about VM delete events in VMware vCloud Virtual Infrastructure. | Dispatch new event |
VMware: Snapshot Notification | This rule notifies about Snapshots created in the VMware Virtual Environment. | Dispatch new event |
VMware: VM Failure/ Warning Notification | This rule notifies about VM Failure and Warning Events in VMware Virtual Environment. | Dispatch new event |
VMware: vApp Delete Notification | This rule notifies about deletion of vApp in VMware vCloud Environment. | Dispatch new event |
VMware: vShield Manager, Virtual Datacenter, Organization Create Notification | This rule notifies creation of Organization or Virtual datacenter or vShield Manager in VMware vCloud Environment. | Notification |
VMware: vShield Manager, Virtual Datacenter, Organization Delete Notification | This rule notifies deletion of Organization or Virtual datacenter or vShield Manager in VMware vCloud Environment. | Notification |
Installing a QRadar Extension
The Extension Management window in QRadar is used to add applications to your deployment to improve functionality or to add customized content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or they can install applications that deliver specific new functionality to QRadar. The About tab of this article outlines the contents of the extension being added to QRadar.
Procedure
- Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download files from http://apps.xforce.ibmcloud.com/.
- Click the Admin tab.
- Click the Extension Management icon.
- To upload an extension, click Add and select the extension to upload.
- Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
- To install the extension immediately, select the Install immediately check box and then click Add.
- A preview of the application content is displayed. You can choose how existing content items are handled.
- To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.
- Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.
Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
Document Information
Modified date:
06 April 2020
UID
swg21981518