IBM Support

IBM QRadar Content Extension for NIST

Question & Answer


The IBM QRadar Content Extension for NIST helps you to meet National Institute of Standards and Technology (NIST) control requirements.


Use the IBM QRadar Content Extension for NIST to meet NIST control requirements. The NIST RMF 800-53 content extension includes reports, rules, and saved searches. QRadar also includes some features that meet NIST control requirements, such as offenses and data obfuscation.

Change list for the NIST RMF 800-53 content extension V1.0.0

The following table describes the reports, rules, and saved searches that are included in IBM QRadar Content Extension for NIST V1.0.0.

NIST Control Description
AC-6 Least Privilege
  • Report: NIST RMF (AC-6) Least Privilege
  • Saved Search: Privileged Escalations
  • Saved Search: Privileged Activities
  • Rule: BB:CategoryDefinition: Privileged Activities
  • Rule: BB:CategoryDefinition: Privileged Escalations
AC-7 Unsuccessful Logon Attempts
  • Report: NIST RMF (AC-7) Unsuccessful Logon Attempts
  • Saved Search: Login Failures By Low Level Category
  • Saved Search: Login Failures By User
  • Rule: BB:CategoryDefinition: Authentication Failures
AC-20 Use of External Information Systems
  • Report: NIST RMF (AC-20) Use of External Information Systems
  • Saved Search: Direct Remote Connection
CA-3 System Interconnections
  • Report: NIST RMF (CA-3) System Interconnections
  • Saved Search: Non-Filtered Internet Connection
CM-2 Baseline Configuration
  • Report: NIST RMF (CM-2) Baseline Configuration
  • Saved Search: Automated Assets Management
CP-2-8 Contingency Plan - Identify Critical Assets
  • Report: NIST RMF (CP-2-8) Contingency Plan - Identify Critical Assets
  • Saved Search: Critical Assets Management
  • Saved Search: Non Success Backup events on Critical Assets
IR-4 Incident Handling Report: NIST RMF (IR-4) Incident Handling
PM-12 Insider Threat Program
PM-5 System Inventory Report: NIST RMF (PM-5) System Inventory
RA-5 Vulnerability Scanning
SC-28-1 Protection of Information at Rest Data obfuscation (…)
SC-5 Denial of Service Protection 
  • Report: Daily Network DOS Summary
  • Report: Weekly Network DOS Summary
  • Report: Monthly Network DOS Summary
  • Rule: DDoS Attack Detected
  • Rule: DDoS Events with High Magnitude Become Offenses
  • Rule: DoS Events with high Magnitude Become Offenses
  • Rule: Network DoS Attack Detected
  • Rule: Potential DDoS Against single host (TCP)
  • Rule: Service DoS Attack Detected
SI-2 Flaw Remediation Report: Missing Patches
SI-3 Malicious Code Protection
  • Report: NIST RMF (SI-3) Malicious Code Protection
  • Saved Search: ISO 27001 (11.4) - Malicious Attacks
  • Rule: BB:Malicious Attacks
SI-4-11 Information System Monitoring - Analyze Communications Traffic Anomalies
  • Report: Remote Recon Survey
  • Rule: Large Outbound Transfer Slow Rate of Transfer
  • Rule: Large Outbound Transfer High Rate of Transfer
  • Rule: Remote: Long Duration Flow Detected
  • Rule: Local: SSH or Telnet Detected on Non-Standard Port
  • Rule: Remote: SSH or Telnet Detected on Non-Standard
  • Rule: BB:CategoryDefinition: Recon Events
  • Rule: BB:CategoryDefinition: Recon Flows
  • Rule: BBCategoryDefinition: Suspicious Events
  • Rule: BB:CategoryDefintion: Suspicious Flows
SI-4-16 Information System Monitoring - Correlate Monitoring Information

Where do you find more information?

Installing a QRadar Extension

The Extensions Management window in QRadar is used to add applications or content extensions to your deployment to improve the functionality of QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards. Extensions can also install applications that deliver specific new functionality to QRadar. The About tab outlines the contents of the extension that are being added to QRadar. Content extensions that are installed do not disrupt QRadar user activity and do not restart services.


  1. Log in to the QRadar Console as an administrator.
  2. Download the file to your laptop or workstation from the X-Force App Exchange:
  3. Click the Admin tab, then click Extensions Management in the System Configuration section.
  4. To upload an extension, click Add and select the extension to upload.
  5. Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console.

  6. To install the extension immediately, select the Install immediately check box and then click Add.
    A preview of the content is displayed before the extension is installed, and the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data. If you choose to keep the existing data, no updated content extension items are installed.
  7. Select Overwrite when prompted to add the new data to your QRadar appliance.
  8. The installation is complete and the status is displayed in QRadar.


If a yellow caution icon is displayed in the Status column there might be potential issues with the digital signature or installation. Hover over the icon for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.

If you are installing an updated version of an extension, review the change list to determine if you need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block update, performance change, or new rule tests, consider updating or recreating your existing rule from the rule template.

For more information about Custom Event Properties, see QRadar: Creating a Report that Uses a Custom Event Property (

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Content Extensions","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.1;7.3;7.2.8","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018