Question & Answer
Question
Answer
Tab navigation
- About the Anomaly Theme Extension-selected tab,
- Installing an Extension
Before you begin
This extension is intended to add rules for fresh appliance installations of QRadar 7.2.6. Administrators who have upgraded from QRadar 7.2.5 already have this anomaly content included in QRadar by default. Administrators who upgraded and still want to install this extension can do so, however, the administrator will receive overwrite value notices for these rules and building blocks when they install the extension.
Rule and building blocks updated in the Anomaly Extension v1.0.1
Anomaly rules and building blocks updated in extension v1.0.1
| Type | Rule name | Description of change |
| Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Added a rule test to the rule: BB:DeviceDefinition: FW/Router/Switch |
| Rule | Anomaly: Systems using many different protocols | Added a rule test to the rule: BB:DeviceDefinition: FW/Router/Switch |
| Rule | Single IP with Multiple MAC Addresses | Added a rule test to the rule: BB:DeviceDefnition: DHCP Server |
| Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
| Building Block | BB:HostDefinition: DHCP Servers | No updates. Dependent on another rule and must be included in the extension framework. |
| Building Block | BB:CategoryDefinition: Successful Communication | No updates. Dependent on another rule and must be included in the extension framework. |
QRadar content added in the original Anomaly Extension (version 1.0.0)
The Anomaly Theme extension adds 10 anomaly rules and 9 building blocks for a total of 19 content addons for QRadar.
Rules and building blocks added by the anomaly extension
| Category | Type | Rule or building block description |
| Post-Intrusion Activity | Rule | Excessive Firewall Accepts From Multiple Sources to a Single Destination |
| Post-Intrusion Activity | Rule | DMZ Reverse Tunnel |
| Compliance | Rule | Remote Inbound Communication from a Foreign Country/Region |
| Compliance | Rule | Remote Access from Foreign Country/Region |
| Horizontal Movement | Rule | DMZ Reverse Tunnel |
| Anomaly | Rule | Remote Inbound Communication from a Foreign Country/Region |
| Anomaly | Rule | Excessive Firewall Accepts From Multiple Sources to a Single Destination |
| Anomaly | Rule | Remote Access from Foreign Country/Region |
| Anomaly | Rule | Single IP with Multiple MAC Addresses |
| Anomaly | Rule | Systems using many different protocols |
| Category Definitions | Building block | BB:CategoryDefinition: Pre Reverse DMZ Jump |
| Category Definitions | Building block | BB:CategoryDefinition: Authentication Success |
| Category Definitions | Building block | BB:CategoryDefinition: Countries/Regions with no Remote Access |
| Category Definitions | Building block | BB:CategoryDefinition: Firewall or ACL Accept |
| Category Definitions | Building block | BB:CategoryDefinition: Reverse DMZ Jump |
| Category Definitions | Building block | BB:CategoryDefinition: Successful Communication |
| Category Definitions | Building block | BB:CategoryDefinition: Pre DMZ Jump |
| Category Definitions | Building block | BB:CategoryDefinition: Post DMZ Jump |
| Network Definition | Building block | BB:NetworkDefinition: DMZ Addresses* |
* denotes that this building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.
Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:
- Online QRadar Customer Forums
- Submit and manage your support tickets online 24x7 using IBM Service Request
- QRadar Downloads are available on IBM Fix Central
- IBM Security Support videos - Youtube channel
Installing a QRadar Extension
The Extension Management window in QRadar is used to add applications to your deployment to improve the functionality or add customize content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards or extensions can install applications that deliver specific new functionality to QRadar. The About tab of this article will outline the contents of the extension being added to QRadar.
Procedure
- Download the Anomaly extension from the IBM X-Force App Exchange: https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:IBMContentPackageInternalAnomaly
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Click the Extension Management icon.
- To upload an extension, click Add and select the extension to upload.
Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
- To install the extension immediately, select the Install immediately check box and then click Add.
A preview of the application content is displayed. You can choose how existing content items are handled.
- To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.
Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.
Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
If you are installing an updated version of an extension, administrators should review the change list to determine if they need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar, instead the base enterprise template is updated. If a rule change includes a new building block update, performance change, or new rule tests, then administrators should consider updating or recreating their existing rule from the rule template.
Was this topic helpful?
Document Information
Modified date:
02 April 2020
UID
swg21973565