Question & Answer
Question
The IBM QRadar Content Extension for Compliance Theme adds rules, building blocks, reports, reference data, flow searches, event searches, and custom event property content to QRadar. This extension enhances the base compliance content set for administrators who have new QRadar installations.
Answer
Change list for the Compliance Extension V1.0.3
Rule and building block updated in app version V1.0.3
Type | Name | Change description |
--- | --- | --- |
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | The rule test for this rule now triggers when a flow or event matches BB:NetworkDefinition: Untrusted Network Segment plus any of the following rules: BB:NetworkDefinition: Trusted Source Network Segment |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs: |
Change list for the Compliance Extension V1.0.2
Building blocks updated in app version V1.0.2
Type | Name | Change description |
--- | --- | --- |
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows. |
Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows. |
Change list for the Compliance Extension V1.0.1
Compliance rules and building blocks updated in app version V1.0.1
Type | Name | Change description |
--- | --- | --- |
Building Block | BB:NetworkDefinition: Trusted Destination Network Segment* | New building block |
Building Block | BB:NetworkDefinition: Trusted Source Network Segment* | Updated the building block name to include 'Source Network'. |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Added the following two QIDs: 5001653: An account failed to log on. The specified account's password has expired. 5001654: The domain controller failed to validate the credentials for an account. |
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | Added the new building block BB:NetworkDefinition: Trusted Destination Network Segment |
Rule | Compliance: Traffic from DMZ to Internal Network* | Added a new rule test: BB:DeviceDefinition: FW/Router/Switch |
Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Included in the extension framework because another rule depends on it. |
* denotes that this rule or building block references the default network hierarchy. Update this rule or building block if you are using a different network hierarchy.
QRadar content added in Compliance Extension V1.0.0
The Compliance Theme extension adds the following compliance-related content to new installations of QRadar V7.2.6:
- 4 custom event properties that look for variations in Account Name payloads.
- 42 event searches related to monitoring compliance.
- 7 flow searches related to monitoring compliance.
- 153 reports related to monitoring compliance.
- 140 rules and building blocks related to monitoring compliance.
- 10 reference data sets related to monitoring server types for compliance purposes.
Type | Name | Category |
--- | --- | --- |
Custom Event Property | Account Name | The 'Account Name' custom event property includes four variations to capture different payload values and usages. |
Event search | VPN Activity by Log Source | Authentication, Identity and User Activity |
Event search | VPN Activity by Event | Authentication, Identity and User Activity |
Event search | Admin Logout by IP | Authentication, Identity and User Activity |
Event search | User Account Removed by User | Authentication, Identity and User Activity |
Event search | Top Authentication Failures by User | Authentication, Identity and User Activity |
Event search | User Account Modified by User | Authentication, Identity and User Activity |
Event search | Top Authentications by User | Authentication, Identity and User Activity |
Event search | Groups Changed from Remote Hosts | Authentication, Identity and User Activity |
Event search | VPN Activity by Category | Authentication, Identity and User Activity |
Event search | User Account Added by User | Authentication, Identity and User Activity |
Event search | Remote Access Success (VPN and Other) | Authentication, Identity and User Activity |
Event search | Web Requests by Source | Network Monitoring and Management |
Event search | Web Requests by Destination | Network Monitoring and Management |
Event search | Web Requests by Log Source | Network Monitoring and Management |
Event search | Web Requests by Source | Usage Monitoring |
Event search | VPN Activity by Log Source | Usage Monitoring |
Event search | Web Requests by Destination | Usage Monitoring |
Event search | VPN Activity by Event | Usage Monitoring |
Event search | IDP Activity by Event | NetScreenIDP |
Event search | IDP Activity by Category | NetScreenIDP |
Event search | IDP Activity by Log Source | NetScreenIDP |
Event search | Event Category Distribution | System Monitoring (Information, Failures and Errors) |
Event search | User Account Modified by User | Compliance |
Event search | Log Failures to Expired or Disabled Accounts | Compliance |
Event search | User Account Removed by User | Compliance |
Event search | Groups Changed from Remote Hosts | Compliance |
Event search | Daily Policy Violation Summary | Compliance |
Event search | User Account Added by User | Compliance |
Event search | Remote Access Failures (VPN and Others) | Compliance |
Event search | DOS Attacks by Destination IP | Security (Malware, Exploit and other Risks) |
Event search | Exploit by Source | Security (Malware, Exploit and other Risks) |
Event search | Top IDS/IPS Alerts by Destination IP | Security (Malware, Exploit and other Risks) |
Event search | By Host Virus Summary | Security (Malware, Exploit and other Risks) |
Event search | Top IDS/IDP/IPS Rules | Security (Malware, Exploit and other Risks) |
Event search | VPN Activity by Log Source | Security (Malware, Exploit and other Risks) |
Event search | DOS Attack by Type | Security (Malware, Exploit and other Risks) |
Event search | Exploits by Type | Security (Malware, Exploit and other Risks) |
Event search | VPN Activity by Event | Security (Malware, Exploit and other Risks) |
Event search | DOS Attack by Source IP | Security (Malware, Exploit and other Risks) |
Event search | By User Virus Summary | Security (Malware, Exploit and other Risks) |
Event search | Exploits by Destination | Security (Malware, Exploit and other Risks) |
Event search | Top IDS/IPS Alert by Country/Region | Security (Malware, Exploit and other Risks) |
Flow search | Top Source Networks | Network Monitoring and Management |
Flow search | Bytes in by Destination ASN | Network Monitoring and Management |
Flow search | Bytes in by Source IF Index | Network Monitoring and Management |
Flow search | Top Destination Networks - Internal | Network Monitoring and Management |
Flow search | Bytes in by Source ASN | Network Monitoring and Management |
Flow search | Link Utilization | Network Monitoring and Management |
Flow search | Bytes in by Destination IF Index | Network Monitoring and Management |
Reference set | Database Servers | N/A |
Reference set | DHCP Servers | N/A |
Reference set | DNS Servers | N/A |
Reference set | FTP Servers | N/A |
Reference set | LDAP Servers | N/A |
Reference set | Mail Servers | N/A |
Reference set | Proxy Servers | N/A |
Reference set | SSH Servers | N/A |
Reference set | Web Servers | N/A |
Reference set | Windows Servers | N/A |
Reports | Weekly Group Changes from Remote Hosts | Compliance |
Reports | Network Traffic Volume | Compliance |
Reports | Last 20 Logoffs | Compliance |
Reports | Last 20 Successful Logins | Compliance |
Reports | Weekly Login Failures to Disabled or Enabled Accounts | Compliance |
Reports | Last 20 Failed Logins | Compliance |
Reports | Monthly ASN Traffic Summary | Compliance |
Reports | Daily Log/Event Distribution by Category | Compliance |
Reports | Monthly VPN Activity Summary | Compliance |
Reports | Daily User Account Activity Summary | Compliance |
Reports | Weekly Category Distribution | Compliance |
Reports | Monthly User Account Activity Summary | Compliance |
Reports | Weekly Web Access Summary | Compliance |
Reports | Weekly Policy Violation Summary | Compliance |
Reports | Daily IfIndex Traffic Summary | Compliance |
Reports | Weekly Network DOS Summary | Compliance |
Reports | Daily ASN Traffic Summary | Compliance |
Reports | Monthly Network Exploit Summary | Compliance |
Reports | Daily Category Distribution | Compliance |
Reports | Monthly Web Access Summary | Compliance |
Reports | Weekly Virus Summary | Compliance |
Reports | Monthly IDP-IDS Activity Summary | Compliance |
Reports | Monthly Virus Summary | Compliance |
Reports | Weekly ASN Traffic Summary | Compliance |
Reports | Weekly Network Exploit Summary | Compliance |
Reports | Daily Web Access Summary | Compliance |
Reports | Monthly IfIndex Traffic Summary | Compliance |
Reports | Monthly Network DOS Summary | Compliance |
Reports | Daily Network DOS Summary | Compliance |
Reports | Daily Attacker and Target Summary | Compliance |
Reports | Weekly IDP-IDS Activity Summary | Compliance |
Reports | Weekly VPN Activity Summary | Compliance |
Reports | Daily VPN Activity Summary | Compliance |
Reports | Weekly IfIndex Traffic Summary | Compliance |
Reports | Monthly Category Distribution | Compliance |
Reports | Daily IDP-IDS Activity Summary | Compliance |
Reports | Daily Virus Summary | Compliance |
Reports | Monthly Policy Violation Summary | Compliance |
Reports | Daily Policy Violation Summary | Compliance |
Reports | Weekly User Account Activity Summary | Compliance |
Reports | Daily Network Exploit Summary | Compliance |
Reports | Network Traffic Volume | Usage Monitoring |
Reports | Weekly Web Access Summary | Usage Monitoring |
Reports | Daily Attacker and Target Summary | Usage Monitoring |
Reports | Daily Policy Violation Summary | Usage Monitoring |
Reports | Weekly IfIndex Traffic Summary | Usage Monitoring |
Reports | Weekly User Account Activity Summary | Usage Monitoring |
Reports | Weekly Category Distribution | Usage Monitoring |
Reports | Monthly IDP-IDS Activity Summary | Usage Monitoring |
Reports | Daily Category Distribution | Usage Monitoring |
Reports | Monthly Network Exploit Summary | Usage Monitoring |
Reports | Monthly Policy Violation Summary | Usage Monitoring |
Reports | Monthly User Account Activity Summary | Usage Monitoring |
Reports | Weekly VPN Activity Summary | Usage Monitoring |
Reports | Daily IDP-IDS Activity Summary | Usage Monitoring |
Reports | Weekly Policy Violation Summary | Usage Monitoring |
Reports | Daily Network DOS Summary | Usage Monitoring |
Reports | Monthly ASN Traffic Summary | Usage Monitoring |
Reports | Daily Network Exploit Summary | Usage Monitoring |
Reports | Weekly Virus Summary | Usage Monitoring |
Reports | Daily Log/Event Distribution by Category | Usage Monitoring |
Reports | Weekly Network Exploit Summary | Usage Monitoring |
Reports | Weekly IDP-IDS Activity Summary | Usage Monitoring |
Reports | Daily Virus Summary | Usage Monitoring |
Reports | Daily IfIndex Traffic Summary | Usage Monitoring |
Reports | Daily User Account Activity Summary | Usage Monitoring |
Reports | Monthly Network DOS Summary | Usage Monitoring |
Reports | Monthly Virus Summary | Usage Monitoring |
Reports | Daily VPN Activity Summary | Usage Monitoring |
Reports | Daily ASN Traffic Summary | Usage Monitoring |
Reports | Monthly Category Distribution | Usage Monitoring |
Reports | Weekly Network DOS Summary | Usage Monitoring |
Reports | Daily Web Access Summary | Usage Monitoring |
Reports | Weekly ASN Traffic Summary | Usage Monitoring |
Reports | Monthly VPN Activity Summary | Usage Monitoring |
Reports | Monthly IfIndex Traffic Summary | Usage Monitoring |
Reports | Monthly Web Access Summary | Usage Monitoring |
Reports | Daily ASN Traffic Summary | Executive |
Reports | Daily IfIndex Traffic Summary | Executive |
Reports | Weekly IfIndex Traffic Summary | Executive |
Reports | Weekly ASN Traffic Summary | Executive |
Reports | Monthly IfIndex Traffic Summary | Executive |
Reports | Daily Policy Violation Summary | Executive |
Reports | Weekly Virus Summary | Executive |
Reports | Daily Web Access Summary | Executive |
Reports | Weekly IDP-IDS Activity Summary | Executive |
Reports | Daily User Account Activity Summary | Executive |
Reports | Daily Network DOS Summary | Executive |
Reports | Monthly Category Distribution | Executive |
Reports | Daily IDP-IDS Activity Summary | Executive |
Reports | Weekly Network Exploit Summary | Executive |
Reports | Daily Category Distribution | Executive |
Reports | Daily Virus Summary | Executive |
Reports | Daily Network Exploit Summary | Executive |
Reports | Monthly ASN Traffic Summary | Executive |
Reports | Weekly Web Access Summary | Executive |
Reports | Monthly Network Exploit Summary | Executive |
Reports | Monthly Web Access Summary | Executive |
Reports | Monthly User Account Activity Summary | Executive |
Reports | Weekly Policy Violation Summary | Executive |
Reports | Weekly Category Distribution | Executive |
Reports | Weekly Network DOS Summary | Executive |
Reports | Monthly Network DOS Summary | Executive |
Reports | Monthly Virus Summary | Executive |
Reports | Monthly VPN Activity Summary | Executive |
Reports | Daily VPN Activity Summary | Executive |
Reports | Weekly VPN Activity Summary | Executive |
Reports | Daily Attacker and Target Summary | Executive |
Reports | Monthly Policy Violation Summary | Executive |
Reports | Weekly User Account Activity Summary | Executive |
Reports | Monthly IDP-IDS Activity Summary | Executive |
Reports | Network Traffic Volume | Executive |
Reports | Daily Log/Event Distribution by Category | Executive |
Reports | Network Traffic Volume | Network Management |
Reports | Daily Virus Summary | Network Management |
Reports | Weekly ASN Traffic Summary | Network Management |
Reports | Monthly VPN Activity Summary | Network Management |
Reports | Daily IfIndex Traffic Summary | Network Management |
Reports | Weekly Category Distribution | Network Management |
Reports | Weekly Web Access Summary | Network Management |
Reports | Weekly Network DOS Summary | Network Management |
Reports | Daily Category Distribution | Network Management |
Reports | Weekly Network Exploit Summary | Network Management |
Reports | Daily ASN Traffic Summary | Network Management |
Reports | Weekly Policy Violation Summary | Network Management |
Reports | Monthly Network DOS Summary | Network Management |
Reports | Monthly ASN Traffic Summary | Network Management |
Reports | Weekly IDP-IDS Activity Summary | Network Management |
Reports | Monthly IfIndex Traffic Summary | Network Management |
Reports | Weekly IfIndex Traffic Summary | Network Management |
Reports | Daily Web Access Summary | Network Management |
Reports | Monthly User Account Activity Summary | Network Management |
Reports | Daily Network DOS Summary | Network Management |
Reports | Daily Network Exploit Summary | Network Management |
Reports | Daily User Account Activity Summary | Network Management |
Reports | Monthly Category Distribution | Network Management |
Reports | Monthly IDP-IDS Activity Summary | Network Management |
Reports | Daily Policy Violation Summary | Network Management |
Reports | Daily Log/Event Distribution by Category | Network Management |
Reports | Daily VPN Activity Summary | Network Management |
Reports | Daily IDP-IDS Activity Summary | Network Management |
Reports | Weekly VPN Activity Summary | Network Management |
Reports | Monthly Web Access Summary | Network Management |
Reports | Monthly Network Exploit Summary | Network Management |
Reports | Monthly Virus Summary | Network Management |
Reports | Daily Attacker and Target Summary | Network Management |
Reports | Monthly Policy Violation Summary | Network Management |
Reports | Weekly User Account Activity Summary | Network Management |
Reports | Weekly Virus Summary | Network Management |
Rules and building blocks added by the compliance extension
Type | Name | Category |
--- | --- | --- |
Rules | Remote: IRC Connections | Botnet |
Rules | Remote Inbound Communication from a Foreign Country/Region | Anomaly |
Rules | Remote Access from Foreign Country/Region | Anomaly |
Rules | Login Failure to Disabled Account | Authentication |
Rules | Multiple Login Failures for Single Username | Authentication |
Rules | Login Failure to Expired Account | Authentication |
Rules | Multiple Login Failures from the Same Source | Authentication |
Rules | Possible Shared Accounts | Authentication |
Rules | Multiple Login Failures to the Same Destination | Authentication |
Rules | Auditing Services Changed on Compliance Host | Compliance |
Rules | Remote: Clear Text Application Usage based on Flows | Compliance |
Rules | Remote Access from Foreign Country/Region | Compliance |
Rules | Remote: Local P2P Server Detected | Compliance |
Rules | Possible Local IRC Server | Compliance |
Rules | Configuration Change Made to Device in Compliance network | Compliance |
Rules | Create Offenses for All Porn Usage | Compliance |
Rules | Create Offenses for All Policy Events | Compliance |
Rules | Create Offenses for All P2P Usage | Compliance |
Rules | Host Based Failures | Compliance |
Rules | Remote: Usenet Usage | Compliance |
Rules | Traffic from Untrusted Network to Trusted Network | Compliance |
Rules | Local: Clear Text Application Usage | Compliance |
Rules | Remote: Remote Desktop Access from the Internet | Compliance |
Rules | Connection to Internet on Unauthorized Port | Compliance |
Rules | No Activity for 60 Days | Compliance |
Rules | Multiple Failed Logins to a Compliance Asset | Compliance |
Rules | Remote: Hidden FTP Server | Compliance |
Rules | Remote: VNC Access from the Internet to a Local Host | Compliance |
Rules | New Service Discovered in DMZ* | Compliance |
Rules | New Host Discovered in DMZ* | Compliance |
Rules | Create Offenses for All Instant Messenger Traffic | Compliance |
Rules | Excessive Failed Logins to Compliance IS | Compliance |
Rules | Multiple System Errors | Compliance |
Rules | Remote: SSH or Telnet Detected on Non-Standard Port | Compliance |
Rules | Service Stopped and not Restarted | Compliance |
Rules | Database Groups Changed from Remote Host | Compliance |
Rules | New Service Discovered | Compliance |
Rules | New Host Discovered | Compliance |
Rules | Create Offenses for All Chat Traffic based on Flows | Compliance |
Rules | New DHCP Server Discovered | Compliance |
Rules | Remote: Local P2P Client Detected | Compliance |
Rules | Critical System Events | Compliance |
Rules | Remote: Local P2P Client Connected to more than 100 Servers | Compliance |
Rules | Remote Inbound Communication from a Foreign Country/Region | Compliance |
Rules | Remote: Local P2P Server connected to more than 100 Clients | Compliance |
Rules | Remote: VNC Access from the Internet to a Local Host | Intrusion Detection |
Rules | Remote: Remote Desktop Access from the Internet | Intrusion Detection |
Rules | Login Failure to Expired Account | Horizontal Movement |
Rules | Login Failure to Disabled Account | Horizontal Movement |
Rules | Database Groups Changed from Remote Host | Post-Intrusion Activity |
Rules | Multiple Login Failures for Single Username | Recon |
Rules | Potential P2P or VoIP Traffic Detected | Recon |
Rules | Excessive Failed Logins to Compliance IS | Recon |
Rules | Multiple Login Failures from the Same Source | Recon |
Rules | Multiple Failed Logins to a Compliance Asset | Recon |
Rules | Multiple Login Failures to the Same Destination | Recon |
Rules | Remote: IM/Chat | Threats |
Rules | Possible Shared Accounts | Threats |
Rules | Remote: Local P2P Server Detected | Threats |
Rules | Remote: SSH or Telnet Detected on Non-Standard Port | Threats |
Rules | Remote: Local P2P Client Detected | Threats |
Rules | Remote: Local P2P Client Connected to more than 100 Servers | Threats |
Rules | Remote: Local P2P Server connected to more than 100 Clients | Threats |
Rules | Remote: Hidden FTP Server | Threats |
Rules | Possible Local IRC Server | Threats |
Building Block | BB:NetworkDefinition: Trusted Network Segment | Network Definition |
Building Block | BB:NetworkDefinition: Inbound Communication from Internet to Local Host | Network Definition |
Building Block | BB:NetworkDefinition: Untrusted Local Networks* | Network Definition |
Building Block | BB:NetworkDefinition: Untrusted Network Segment | Network Definition |
Building Block | BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Threats |
Building Block | BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Threats |
Building Block | BB:ProtocolDefinition: Windows Protocols | Port\Protocol Definition |
Building Block | BB:PortDefinition: Database Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: FTP Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: IRC Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: Windows Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: SNMP Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: Web Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: SSH Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: RPC Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: Mail Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: DNS Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: DHCP Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: Authorized L2R Ports | Port\Protocol Definition |
Building Block | BB:PortDefinition: LDAP Ports | Port\Protocol Definition |
Building Block | BB:HostBased: Critical Events | Compliance |
Building Block | BB:ComplianceDefinition: PCI DSS Servers | Compliance |
Building Block | BB:ComplianceDefinition: SOX Servers | Compliance |
Building Block | BB:ComplianceDefinition: HIPAA Servers | Compliance |
Building Block | BB:ComplianceDefinition: GLBA Servers | Compliance |
Building Block | BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet | Policy |
Building Block | BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage | Policy |
Building Block | BB:Policy Violation: IRC IM Policy Violation: IM Communications | Policy |
Building Block | BB:Policy Violation: Application Policy Violation: NNTP to Internet | Policy |
Building Block | BB:CategoryDefinition: Auditing Changed | Category Definitions |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Category Definitions |
Building Block | BB:CategoryDefinition: System or Device Configuration Change | Category Definitions |
Building Block | BB:CategoryDefinition: Successful Communication | Category Definitions |
Building Block | BB:CategoryDefinition: Authentication Success | Category Definitions |
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Category Definitions |
Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Category Definitions |
Building Block | BB:CategoryDefinition: Service Stopped | Category Definitions |
Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Category Definitions |
Building Block | BB:CategoryDefinition: IRC Detection Based on Firewall Events | Category Definitions |
Building Block | BB:CategoryDefinition: Service Started | Category Definitions |
Building Block | BB:CategoryDefinition: IRC Detected Based on Event Category | Category Definitions |
Building Block | BB:CategoryDefinition: IRC Detected Based on Application | Category Definitions |
Building Block | BB:CategoryDefinition: Failure Service or Hardware | Category Definitions |
Building Block | BB:CategoryDefinition: Authentication Failures | Category Definitions |
Building Block | BB:HostReference: LDAP Servers | Host Definitions |
Building Block | BB:HostDefinition: Virus Definition and Other Update Servers | Host Definitions |
Building Block | BB:HostDefinition: FTP Servers | Host Definitions |
Building Block | BB:HostReference: Web Servers | Host Definitions |
Building Block | BB:HostDefinition: Windows Servers | Host Definitions |
Building Block | BB:HostDefinition: Servers | Host Definitions |
Building Block | BB:HostDefinition: RPC Servers | Host Definitions |
Building Block | BB:HostDefinition: SSH Servers | Host Definitions |
Building Block | BB:HostDefinition: Database Servers | Host Definitions |
Building Block | BB:HostDefinition: LDAP Servers | Host Definitions |
Building Block | BB:HostDefinition: Web Servers | Host Definitions |
Building Block | BB:HostDefinition: Mail Servers | Host Definitions |
Building Block | BB:HostDefinition: DNS Servers | Host Definitions |
Building Block | BB:HostReference: Windows Servers | Host Definitions |
Building Block | BB:HostReference: DNS Servers | Host Definitions |
Building Block | BB:HostReference: Database Servers | Host Definitions |
Building Block | BB:HostReference: FTP Servers | Host Definitions |
Building Block | BB:HostReference: SSH Servers | Host Definitions |
Building Block | BB:HostReference: Mail Servers | Host Definitions |
Building Block | BB:HostDefinition: Network Management Servers | Host Definitions |
Building Block | BB:HostDefinition: DHCP Servers | Host Definitions |
Building Block | BB:HostDefinition: Proxy Servers | Host Definitions |
Building Block | BB:HostReference: Proxy Servers | Host Definitions |
Building Block | BB:HostDefinition: SNMP Sender or Receiver | Host Definitions |
Building Block | BB:HostReference: DHCP Servers | Host Definitions |
Building Block | BB:DeviceDefinition: IDS / IPS | Log Source Definitions |
Building Block | BB:DeviceDefinition: VPN | Log Source Definitions |
* denotes that this rule or building block references the default network hierarchy. Update this rule or building block if you are using a different network hierarchy.
Where do you find more information?
Installing a QRadar Extension
The Extensions Management window in QRadar is used to add applications or content extensions to your deployment to improve the functionality of QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards. Extensions can also install applications that deliver specific new functionality to QRadar. The About tab outlines the contents of the extension that are being added to QRadar. Content extensions that are installed do not disrupt QRadar user activity and do not restart services.
Procedure
- Log in to the QRadar Console as an administrator.
- Download the file to your laptop or workstation from the X-Force App Exchange: https://exchange.xforce.ibmcloud.com/.
- Click the Admin tab, then click Extensions Management in the System Configuration section.
- To upload an extension, click Add and select the extension to upload.
- To install the extension immediately, select the Install immediately check box and then click Add.
A preview of the content is displayed before the extension is installed, and the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data. If you choose to keep the existing data, no updated content extension items are installed.
- Select Overwrite when prompted to add the new data to your QRadar appliance.
- The installation is complete and the status is displayed in QRadar.
Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console.
Results
If a yellow caution icon is displayed in the Status column, there might be potential issues with the digital signature or the installation. Hover over the icon for more information. Extensions that are unsigned, or that are signed by the developer but not validated by your vendor, might cause compatibility issues in your deployment.
If you are installing an updated version of an extension, review the change list to determine whether you need to update any rules. When the extension is applied to QRadar, rules that administrators or users have modified are not changed by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block, a performance change, or new rule tests, consider updating or recreating your existing rule from the rule template.
For more information about Custom Event Properties, see QRadar: Creating a Report that Uses a Custom Event Property (http://www.ibm.com/support/docview.wss?uid=swg21690785).
Document Information
Modified date:
16 June 2018
UID
swg21973570