IBM Support

IBM QRadar Content Extension for Compliance (Theme)

Question & Answer

Question

The IBM QRadar Content Extension for Compliance Theme adds rules, building blocks, reports, reference data, flow searches, event searches, and custom event property content to QRadar. This extension enhances the base compliance content set for administrators who have new QRadar installations.

Answer

Change list for the Compliance Extension V1.0.3

Rule and building block updated in app version V1.0.3

Type | Name | Change description
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | The rule test now triggers when a flow or event matches BB:NetworkDefinition: Untrusted Network Segment plus either of the following building blocks: BB:NetworkDefinition: Trusted Source Network Segment; BB:NetworkDefinition: Trusted Destination Network Segment.
Building block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs:
  • 5001948: Failure Audit: An account failed to log on: Account Disabled
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001965: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time

Change list for the Compliance Extension V1.0.2

Building blocks updated in app version V1.0.2

Type | Name | Change description
Building block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows.
Building block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows.
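
The two rule tests described in the V1.0.3 and V1.0.2 change lists (the Untrusted-to-Trusted network test and the "at least 15 matches in one minute" threshold), modelled in Python as an added example; this is not QRadar code or part of the extension. The CIDR ranges standing in for the network hierarchy, the flow records, and every function and class name are constructed for illustration.

```python
"""Model of the two rule tests in the V1.0.3 and V1.0.2 change lists.

Added example, not QRadar code. The CIDR ranges standing in for the network
hierarchy, the flow records, and every function name are constructed for
illustration; QRadar's own rule engine and building-block syntax are not
reproduced.
"""
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for the default network hierarchy that the starred
# building blocks reference. Replace with your own hierarchy if it differs.
TRUSTED_SEGMENTS = [ip_network("10.10.0.0/16")]
UNTRUSTED_SEGMENTS = [ip_network("172.16.0.0/12"), ip_network("203.0.113.0/24")]


def in_segments(addr, segments):
    ip = ip_address(addr)
    return any(ip in net for net in segments)


# Stand-ins for the BB:NetworkDefinition building blocks named on the page.
def bb_untrusted_network_segment(flow):
    return (in_segments(flow["src"], UNTRUSTED_SEGMENTS)
            or in_segments(flow["dst"], UNTRUSTED_SEGMENTS))


def bb_trusted_source_network_segment(flow):
    return in_segments(flow["src"], TRUSTED_SEGMENTS)


def bb_trusted_destination_network_segment(flow):
    return in_segments(flow["dst"], TRUSTED_SEGMENTS)


def compliance_traffic_untrusted_to_trusted(flow):
    """V1.0.3 rule test: Untrusted Network Segment plus either the Trusted
    Source or the Trusted Destination building block."""
    return bb_untrusted_network_segment(flow) and (
        bb_trusted_source_network_segment(flow)
        or bb_trusted_destination_network_segment(flow))


def bb_unidirectional_udp_or_misc(flow):
    """Constructed stand-in for BB:Threats: Suspicious IP Protocol Usage:
    Unidirectional UDP and Misc Flows: any non-TCP protocol with no reply bytes."""
    return flow["proto"] != 6 and flow["dst_bytes"] == 0


class CountInWindow:
    """'Matches at least N times in W' test; fires while the window holds N events."""

    def __init__(self, threshold=15, window=timedelta(minutes=1)):
        self.threshold, self.window, self.times = threshold, window, deque()

    def observe(self, ts):
        self.times.append(ts)
        while ts - self.times[0] > self.window:  # drop events older than the window
            self.times.popleft()
        return len(self.times) >= self.threshold


def run_unidirectional_test(flows, threshold=15, window=timedelta(minutes=1)):
    """V1.0.2 rule test for BB:Suspicious: Remote: Unidirectional UDP or Misc
    Flows. Returns the timestamps at which the building block fires; flows must
    be supplied in time order."""
    counter = CountInWindow(threshold, window)
    return [f["ts"] for f in flows
            if bb_unidirectional_udp_or_misc(f) and counter.observe(f["ts"])]


# Constructed sample: 20 one-way UDP flows two seconds apart, then one normal
# TCP session that must not count toward the threshold.
T0 = datetime(2018, 6, 16, 12, 0, 0)
SAMPLE_FLOWS = [{"ts": T0 + timedelta(seconds=2 * i), "src": "203.0.113.7",
                 "dst": "10.10.5.20", "proto": 17, "dst_bytes": 0} for i in range(20)]
SAMPLE_FLOWS.append({"ts": T0 + timedelta(seconds=40), "src": "203.0.113.7",
                     "dst": "10.10.5.20", "proto": 6, "dst_bytes": 1500})

if __name__ == "__main__":
    for f in SAMPLE_FLOWS[:1] + [{"src": "10.10.1.1", "dst": "10.10.2.2"}]:
        print(f["src"], "->", f["dst"], compliance_traffic_untrusted_to_trusted(f))
    print("threshold reached at:", run_unidirectional_test(SAMPLE_FLOWS))
```

The threshold test fires on the 15th matching flow and on every matching flow after it while the one-minute window still holds at least 15, which is why a single burst produces several fires rather than one.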

Change list for the Compliance Extension V1.0.1

Compliance rules and building blocks updated in app version V1.0.1

Type | Name | Change description
Building block | BB:NetworkDefinition: Trusted Destination Network Segment* | New building block.
Building block | BB:NetworkDefinition: Trusted Source Network Segment* | Updated the building block name to include 'Source Network'.
Building block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on.
Building block | BB:CategoryDefinition: Authentication to Expired Account | Added the following two QIDs: 5001653: An account failed to log on. The specified account's password has expired; 5001654: The domain controller failed to validate the credentials for an account.
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | Added the new BB:NetworkDefinition: Trusted Destination Network Segment.
Rule | Compliance: Traffic from DMZ to Internal Network* | Added a new rule test: BB:DeviceDefinition: FW/Router/Switch.
Building block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework.

* denotes that the rule or building block references the default network hierarchy. Update the rule or building block if you use a different network hierarchy.

QRadar content added in Compliance Extension V1.0.0

The Compliance Theme extension adds the following compliance-related content to new installations of QRadar V7.2.6:

  • 4 custom event properties that look for variations in Account Name payloads.
  • 42 event searches related to monitoring compliance.
  • 7 flow searches related to monitoring compliance.
  • 153 reports related to monitoring compliance.
  • 140 rules and building blocks related to monitoring compliance.
  • 10 reference data sets related to monitoring server types for compliance purposes.

Type | Name | Category
Custom event property | Account Name | The 'Account Name' custom event property includes four variations to capture different payload values and usages.
Event search | VPN Activity by Log Source | Authentication, Identity and User Activity
Event search | VPN Activity by Event | Authentication, Identity and User Activity
Event search | Admin Logout by IP | Authentication, Identity and User Activity
Event search | User Account Removed by User | Authentication, Identity and User Activity
Event search | Top Authentication Failures by User | Authentication, Identity and User Activity
Event search | User Account Modified by User | Authentication, Identity and User Activity
Event search | Top Authentications by User | Authentication, Identity and User Activity
Event search | Groups Changed from Remote Hosts | Authentication, Identity and User Activity
Event search | VPN Activity by Category | Authentication, Identity and User Activity
Event search | User Account Added by User | Authentication, Identity and User Activity
Event search | Remote Access Success (VPN and Other) | Authentication, Identity and User Activity
Event search | Web Requests by Source | Network Monitoring and Management
Event search | Web Requests by Destination | Network Monitoring and Management
Event search | Web Requests by Log Source | Network Monitoring and Management
Event search | Web Requests by Source | Usage Monitoring
Event search | VPN Activity by Log Source | Usage Monitoring
Event search | Web Requests by Destination | Usage Monitoring
Event search | VPN Activity by Event | Usage Monitoring
Event search | IDP Activity by Event | NetScreenIDP
Event search | IDP Activity by Category | NetScreenIDP
Event search | IDP Activity by Log Source | NetScreenIDP
Event search | Event Category Distribution | System Monitoring (Information, Failures and Errors)
Event search | User Account Modified by User | Compliance
Event search | Log Failures to Expired or Disabled Accounts | Compliance
Event search | User Account Removed by User | Compliance
Event search | Groups Changed from Remote Hosts | Compliance
Event search | Daily Policy Violation Summary | Compliance
Event search | User Account Added by User | Compliance
Event search | Remote Access Failures (VPN and Others) | Compliance
Event search | DOS Attacks by Destination IP | Security (Malware, Exploit and other Risks)
Event search | Exploit by Source | Security (Malware, Exploit and other Risks)
Event search | Top IDS/IPS Alerts by Destination IP | Security (Malware, Exploit and other Risks)
Event search | By Host Virus Summary | Security (Malware, Exploit and other Risks)
Event search | Top IDS/IDP/IPS Rules | Security (Malware, Exploit and other Risks)
Event search | VPN Activity by Log Source | Security (Malware, Exploit and other Risks)
Event search | DOS Attack by Type | Security (Malware, Exploit and other Risks)
Event search | Exploits by Type | Security (Malware, Exploit and other Risks)
Event search | VPN Activity by Event | Security (Malware, Exploit and other Risks)
Event search | DOS Attack by Source IP | Security (Malware, Exploit and other Risks)
Event search | By User Virus Summary | Security (Malware, Exploit and other Risks)
Event search | Exploits by Destination | Security (Malware, Exploit and other Risks)
Event search | Top IDS/IPS Alert by Country/Region | Security (Malware, Exploit and other Risks)
Flow search | Top Source Networks | Network Monitoring and Management
Flow search | Bytes in by Destination ASN | Network Monitoring and Management
Flow search | Bytes in by Source IF Index | Network Monitoring and Management
Flow search | Top Destination Networks - Internal | Network Monitoring and Management
Flow search | Bytes in by Source ASN | Network Monitoring and Management
Flow search | Link Utilization | Network Monitoring and Management
Flow search | Bytes in by Destination IF Index | Network Monitoring and Management
Reference set | Database Servers | N/A
Reference set | DHCP Servers | N/A
Reference set | DNS Servers | N/A
Reference set | FTP Servers | N/A
Reference set | LDAP Servers | N/A
Reference set | Mail Servers | N/A
Reference set | Proxy Servers | N/A
Reference set | SSH Servers | N/A
Reference set | Web Servers | N/A
Reference set | Windows Servers | N/A
Report | Weekly Group Changes from Remote Hosts | Compliance
Report | Network Traffic Volume | Compliance
Report | Last 20 Logoffs | Compliance
Report | Last 20 Successful Logins | Compliance
Report | Weekly Login Failures to Disabled or Enabled Accounts | Compliance
Report | Last 20 Failed Logins | Compliance
Report | Monthly ASN Traffic Summary | Compliance
Report | Daily Log/Event Distribution by Category | Compliance
Report | Monthly VPN Activity Summary | Compliance
Report | Daily User Account Activity Summary | Compliance
Report | Weekly Category Distribution | Compliance
Report | Monthly User Account Activity Summary | Compliance
Report | Weekly Web Access Summary | Compliance
Report | Weekly Policy Violation Summary | Compliance
Report | Daily IfIndex Traffic Summary | Compliance
Report | Weekly Network DOS Summary | Compliance
Report | Daily ASN Traffic Summary | Compliance
Report | Monthly Network Exploit Summary | Compliance
Report | Daily Category Distribution | Compliance
Report | Monthly Web Access Summary | Compliance
Report | Weekly Virus Summary | Compliance
Report | Monthly IDP-IDS Activity Summary | Compliance
Report | Monthly Virus Summary | Compliance
Report | Weekly ASN Traffic Summary | Compliance
Report | Weekly Network Exploit Summary | Compliance
Report | Daily Web Access Summary | Compliance
Report | Monthly IfIndex Traffic Summary | Compliance
Report | Monthly Network DOS Summary | Compliance
Report | Daily Network DOS Summary | Compliance
Report | Daily Attacker and Target Summary | Compliance
Report | Weekly IDP-IDS Activity Summary | Compliance
Report | Weekly VPN Activity Summary | Compliance
Report | Daily VPN Activity Summary | Compliance
Report | Weekly IfIndex Traffic Summary | Compliance
Report | Monthly Category Distribution | Compliance
Report | Daily IDP-IDS Activity Summary | Compliance
Report | Daily Virus Summary | Compliance
Report | Monthly Policy Violation Summary | Compliance
Report | Daily Policy Violation Summary | Compliance
Report | Weekly User Account Activity Summary | Compliance
Report | Daily Network Exploit Summary | Compliance
Report | Network Traffic Volume | Usage Monitoring
Report | Weekly Web Access Summary | Usage Monitoring
Report | Daily Attacker and Target Summary | Usage Monitoring
Report | Daily Policy Violation Summary | Usage Monitoring
Report | Weekly IfIndex Traffic Summary | Usage Monitoring
Report | Weekly User Account Activity Summary | Usage Monitoring
Report | Weekly Category Distribution | Usage Monitoring
Report | Monthly IDP-IDS Activity Summary | Usage Monitoring
Report | Daily Category Distribution | Usage Monitoring
Report | Monthly Network Exploit Summary | Usage Monitoring
Report | Monthly Policy Violation Summary | Usage Monitoring
Report | Monthly User Account Activity Summary | Usage Monitoring
Report | Weekly VPN Activity Summary | Usage Monitoring
Report | Daily IDP-IDS Activity Summary | Usage Monitoring
Report | Weekly Policy Violation Summary | Usage Monitoring
Report | Daily Network DOS Summary | Usage Monitoring
Report | Monthly ASN Traffic Summary | Usage Monitoring
Report | Daily Network Exploit Summary | Usage Monitoring
Report | Weekly Virus Summary | Usage Monitoring
Report | Daily Log/Event Distribution by Category | Usage Monitoring
Report | Weekly Network Exploit Summary | Usage Monitoring
Report | Weekly IDP-IDS Activity Summary | Usage Monitoring
Report | Daily Virus Summary | Usage Monitoring
Report | Daily IfIndex Traffic Summary | Usage Monitoring
Report | Daily User Account Activity Summary | Usage Monitoring
Report | Monthly Network DOS Summary | Usage Monitoring
Report | Monthly Virus Summary | Usage Monitoring
Report | Daily VPN Activity Summary | Usage Monitoring
Report | Daily ASN Traffic Summary | Usage Monitoring
Report | Monthly Category Distribution | Usage Monitoring
Report | Weekly Network DOS Summary | Usage Monitoring
Report | Daily Web Access Summary | Usage Monitoring
Report | Weekly ASN Traffic Summary | Usage Monitoring
Report | Monthly VPN Activity Summary | Usage Monitoring
Report | Monthly IfIndex Traffic Summary | Usage Monitoring
Report | Monthly Web Access Summary | Usage Monitoring
Report | Daily ASN Traffic Summary | Executive
Report | Daily IfIndex Traffic Summary | Executive
Report | Weekly IfIndex Traffic Summary | Executive
Report | Weekly ASN Traffic Summary | Executive
Report | Monthly IfIndex Traffic Summary | Executive
Report | Daily Policy Violation Summary | Executive
Report | Weekly Virus Summary | Executive
Report | Daily Web Access Summary | Executive
Report | Weekly IDP-IDS Activity Summary | Executive
Report | Daily User Account Activity Summary | Executive
Report | Daily Network DOS Summary | Executive
Report | Monthly Category Distribution | Executive
Report | Daily IDP-IDS Activity Summary | Executive
Report | Weekly Network Exploit Summary | Executive
Report | Daily Category Distribution | Executive
Report | Daily Virus Summary | Executive
Report | Daily Network Exploit Summary | Executive
Report | Monthly ASN Traffic Summary | Executive
Report | Weekly Web Access Summary | Executive
Report | Monthly Network Exploit Summary | Executive
Report | Monthly Web Access Summary | Executive
Report | Monthly User Account Activity Summary | Executive
Report | Weekly Policy Violation Summary | Executive
Report | Weekly Category Distribution | Executive
Report | Weekly Network DOS Summary | Executive
Report | Monthly Network DOS Summary | Executive
Report | Monthly Virus Summary | Executive
Report | Monthly VPN Activity Summary | Executive
Report | Daily VPN Activity Summary | Executive
Report | Weekly VPN Activity Summary | Executive
Report | Daily Attacker and Target Summary | Executive
Report | Monthly Policy Violation Summary | Executive
Report | Weekly User Account Activity Summary | Executive
Report | Monthly IDP-IDS Activity Summary | Executive
Report | Network Traffic Volume | Executive
Report | Daily Log/Event Distribution by Category | Executive
Report | Network Traffic Volume | Network Management
Report | Daily Virus Summary | Network Management
Report | Weekly ASN Traffic Summary | Network Management
Report | Monthly VPN Activity Summary | Network Management
Report | Daily IfIndex Traffic Summary | Network Management
Report | Weekly Category Distribution | Network Management
Report | Weekly Web Access Summary | Network Management
Report | Weekly Network DOS Summary | Network Management
Report | Daily Category Distribution | Network Management
Report | Weekly Network Exploit Summary | Network Management
Report | Daily ASN Traffic Summary | Network Management
Report | Weekly Policy Violation Summary | Network Management
Report | Monthly Network DOS Summary | Network Management
Report | Monthly ASN Traffic Summary | Network Management
Report | Weekly IDP-IDS Activity Summary | Network Management
Report | Monthly IfIndex Traffic Summary | Network Management
Report | Weekly IfIndex Traffic Summary | Network Management
Report | Daily Web Access Summary | Network Management
Report | Monthly User Account Activity Summary | Network Management
Report | Daily Network DOS Summary | Network Management
Report | Daily Network Exploit Summary | Network Management
Report | Daily User Account Activity Summary | Network Management
Report | Monthly Category Distribution | Network Management
Report | Monthly IDP-IDS Activity Summary | Network Management
Report | Daily Policy Violation Summary | Network Management
Report | Daily Log/Event Distribution by Category | Network Management
Report | Daily VPN Activity Summary | Network Management
Report | Daily IDP-IDS Activity Summary | Network Management
Report | Weekly VPN Activity Summary | Network Management
Report | Monthly Web Access Summary | Network Management
Report | Monthly Network Exploit Summary | Network Management
Report | Monthly Virus Summary | Network Management
Report | Daily Attacker and Target Summary | Network Management
Report | Monthly Policy Violation Summary | Network Management
Report | Weekly User Account Activity Summary | Network Management
Report | Weekly Virus Summary | Network Management

Rules and building blocks added by the compliance extension

Type | Name | Category
Rule | Remote: IRC Connections | Botnet
Rule | Remote Inbound Communication from a Foreign Country/Region | Anomaly
Rule | Remote Access from Foreign Country/Region | Anomaly
Rule | Login Failure to Disabled Account | Authentication
Rule | Multiple Login Failures for Single Username | Authentication
Rule | Login Failure to Expired Account | Authentication
Rule | Multiple Login Failures from the Same Source | Authentication
Rule | Possible Shared Accounts | Authentication
Rule | Multiple Login Failures to the Same Destination | Authentication
Rule | Auditing Services Changed on Compliance Host | Compliance
Rule | Remote: Clear Text Application Usage based on Flows | Compliance
Rule | Remote Access from Foreign Country/Region | Compliance
Rule | Remote: Local P2P Server Detected | Compliance
Rule | Possible Local IRC Server | Compliance
Rule | Configuration Change Made to Device in Compliance network | Compliance
Rule | Create Offenses for All Porn Usage | Compliance
Rule | Create Offenses for All Policy Events | Compliance
Rule | Create Offenses for All P2P Usage | Compliance
Rule | Host Based Failures | Compliance
Rule | Remote: Usenet Usage | Compliance
Rule | Traffic from Untrusted Network to Trusted Network | Compliance
Rule | Local: Clear Text Application Usage | Compliance
Rule | Remote: Remote Desktop Access from the Internet | Compliance
Rule | Connection to Internet on Unauthorized Port | Compliance
Rule | No Activity for 60 Days | Compliance
Rule | Multiple Failed Logins to a Compliance Asset | Compliance
Rule | Remote: Hidden FTP Server | Compliance
Rule | Remote: VNC Access from the Internet to a Local Host | Compliance
Rule | New Service Discovered in DMZ* | Compliance
Rule | New Host Discovered in DMZ* | Compliance
Rule | Create Offenses for All Instant Messenger Traffic | Compliance
Rule | Excessive Failed Logins to Compliance IS | Compliance
Rule | Multiple System Errors | Compliance
Rule | Remote: SSH or Telnet Detected on Non-Standard Port | Compliance
Rule | Service Stopped and not Restarted | Compliance
Rule | Database Groups Changed from Remote Host | Compliance
Rule | New Service Discovered | Compliance
Rule | New Host Discovered | Compliance
Rule | Create Offenses for All Chat Traffic based on Flows | Compliance
Rule | New DHCP Server Discovered | Compliance
Rule | Remote: Local P2P Client Detected | Compliance
Rule | Critical System Events | Compliance
Rule | Remote: Local P2P Client Connected to more than 100 Servers | Compliance
Rule | Remote Inbound Communication from a Foreign Country/Region | Compliance
Rule | Remote: Local P2P Server connected to more than 100 Clients | Compliance
Rule | Remote: VNC Access from the Internet to a Local Host | Intrusion Detection
Rule | Remote: Remote Desktop Access from the Internet | Intrusion Detection
Rule | Login Failure to Expired Account | Horizontal Movement
Rule | Login Failure to Disabled Account | Horizontal Movement
Rule | Database Groups Changed from Remote Host | Post-Intrusion Activity
Rule | Multiple Login Failures for Single Username | Recon
Rule | Potential P2P or VoIP Traffic Detected | Recon
Rule | Excessive Failed Logins to Compliance IS | Recon
Rule | Multiple Login Failures from the Same Source | Recon
Rule | Multiple Failed Logins to a Compliance Asset | Recon
Rule | Multiple Login Failures to the Same Destination | Recon
Rule | Remote: IM/Chat | Threats
Rule | Possible Shared Accounts | Threats
Rule | Remote: Local P2P Server Detected | Threats
Rule | Remote: SSH or Telnet Detected on Non-Standard Port | Threats
Rule | Remote: Local P2P Client Detected | Threats
Rule | Remote: Local P2P Client Connected to more than 100 Servers | Threats
Rule | Remote: Local P2P Server connected to more than 100 Clients | Threats
Rule | Remote: Hidden FTP Server | Threats
Rule | Possible Local IRC Server | Threats
Building block | BB:NetworkDefinition: Trusted Network Segment | Network Definition
Building block | BB:NetworkDefinition: Inbound Communication from Internet to Local Host | Network Definition
Building block | BB:NetworkDefinition: Untrusted Local Networks* | Network Definition
Building block | BB:NetworkDefinition: Untrusted Network Segment | Network Definition
Building block | BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Threats
Building block | BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Threats
Building block | BB:ProtocolDefinition: Windows Protocols | Port\Protocol Definition
Building block | BB:PortDefinition: Database Ports | Port\Protocol Definition
Building block | BB:PortDefinition: FTP Ports | Port\Protocol Definition
Building block | BB:PortDefinition: IRC Ports | Port\Protocol Definition
Building block | BB:PortDefinition: Windows Ports | Port\Protocol Definition
Building block | BB:PortDefinition: SNMP Ports | Port\Protocol Definition
Building block | BB:PortDefinition: Web Ports | Port\Protocol Definition
Building block | BB:PortDefinition: SSH Ports | Port\Protocol Definition
Building block | BB:PortDefinition: RPC Ports | Port\Protocol Definition
Building block | BB:PortDefinition: Mail Ports | Port\Protocol Definition
Building block | BB:PortDefinition: DNS Ports | Port\Protocol Definition
Building block | BB:PortDefinition: DHCP Ports | Port\Protocol Definition
Building block | BB:PortDefinition: Authorized L2R Ports | Port\Protocol Definition
Building block | BB:PortDefinition: LDAP Ports | Port\Protocol Definition
Building block | BB:HostBased: Critical Events | Compliance
Building block | BB:ComplianceDefinition: PCI DSS Servers | Compliance
Building block | BB:ComplianceDefinition: SOX Servers | Compliance
Building block | BB:ComplianceDefinition: HIPAA Servers | Compliance
Building block | BB:ComplianceDefinition: GLBA Servers | Compliance
Building block | BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet | Policy
Building block | BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage | Policy
Building block | BB:Policy Violation: IRC IM Policy Violation: IM Communications | Policy
Building block | BB:Policy Violation: Application Policy Violation: NNTP to Internet | Policy
Building block | BB:CategoryDefinition: Auditing Changed | Category Definitions
Building block | BB:CategoryDefinition: Authentication to Disabled Account | Category Definitions
Building block | BB:CategoryDefinition: System or Device Configuration Change | Category Definitions
Building block | BB:CategoryDefinition: Successful Communication | Category Definitions
Building block | BB:CategoryDefinition: Authentication Success | Category Definitions
Building block | BB:CategoryDefinition: Authentication to Expired Account | Category Definitions
Building block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Category Definitions
Building block | BB:CategoryDefinition: Service Stopped | Category Definitions
Building block | BB:CategoryDefinition: Firewall or ACL Accept | Category Definitions
Building block | BB:CategoryDefinition: IRC Detection Based on Firewall Events | Category Definitions
Building block | BB:CategoryDefinition: Service Started | Category Definitions
Building block | BB:CategoryDefinition: IRC Detected Based on Event Category | Category Definitions
Building block | BB:CategoryDefinition: IRC Detected Based on Application | Category Definitions
Building block | BB:CategoryDefinition: Failure Service or Hardware | Category Definitions
Building block | BB:CategoryDefinition: Authentication Failures | Category Definitions
Building block | BB:HostReference: LDAP Servers | Host Definitions
Building block | BB:HostDefinition: Virus Definition and Other Update Servers | Host Definitions
Building block | BB:HostDefinition: FTP Servers | Host Definitions
Building block | BB:HostReference: Web Servers | Host Definitions
Building block | BB:HostDefinition: Windows Servers | Host Definitions
Building block | BB:HostDefinition: Servers | Host Definitions
Building block | BB:HostDefinition: RPC Servers | Host Definitions
Building block | BB:HostDefinition: SSH Servers | Host Definitions
Building block | BB:HostDefinition: Database Servers | Host Definitions
Building block | BB:HostDefinition: LDAP Servers | Host Definitions
Building block | BB:HostDefinition: Web Servers | Host Definitions
Building block | BB:HostDefinition: Mail Servers | Host Definitions
Building block | BB:HostDefinition: DNS Servers | Host Definitions
Building block | BB:HostReference: Windows Servers | Host Definitions
Building block | BB:HostReference: DNS Servers | Host Definitions
Building block | BB:HostReference: Database Servers | Host Definitions
Building block | BB:HostReference: FTP Servers | Host Definitions
Building block | BB:HostReference: SSH Servers | Host Definitions
Building block | BB:HostReference: Mail Servers | Host Definitions
Building block | BB:HostDefinition: Network Management Servers | Host Definitions
Building block | BB:HostDefinition: DHCP Servers | Host Definitions
Building block | BB:HostDefinition: Proxy Servers | Host Definitions
Building block | BB:HostReference: Proxy Servers | Host Definitions
Building block | BB:HostDefinition: SNMP Sender or Receiver | Host Definitions
Building block | BB:HostReference: DHCP Servers | Host Definitions
Building block | BB:DeviceDefinition: IDS / IPS | Log Source Definitions
Building block | BB:DeviceDefinition: VPN | Log Source Definitions

* denotes that the rule or building block references the default network hierarchy. Update the rule or building block if you use a different network hierarchy.

Installing a QRadar Extension

The Extensions Management window in QRadar is used to add applications or content extensions to your deployment to improve the functionality of QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards. Extensions can also install applications that deliver specific new functionality to QRadar. The About tab outlines the contents of the extension that are being added to QRadar. Content extensions that are installed do not disrupt QRadar user activity and do not restart services.

Procedure

  1. Log in to the QRadar Console as an administrator.
  2. Download the extension file to your laptop or workstation from the X-Force App Exchange: https://exchange.xforce.ibmcloud.com/.
  3. Click the Admin tab, then click Extensions Management in the System Configuration section.
  4. To upload an extension, click Add and select the extension to upload.
     Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console.
  5. To install the extension immediately, select the Install immediately check box and then click Add.
     A preview of the content is displayed before the extension is installed, and the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data. If you choose to keep the existing data, no updated content extension items are installed.
  6. Select Overwrite when prompted to add the new data to your QRadar appliance.
  7. The installation is complete and the status is displayed in QRadar.

Results

If a yellow caution icon is displayed in the Status column, there might be issues with the digital signature or the installation. Hover over the icon for more information. Extensions that are unsigned, or that are signed by the developer but not validated by your vendor, might cause compatibility issues in your deployment.

If you are installing an updated version of an extension, review the change list to determine if you need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block update, performance change, or new rule tests, consider updating or recreating your existing rule from the rule template.

For more information about Custom Event Properties, see QRadar: Creating a Report that Uses a Custom Event Property (http://www.ibm.com/support/docview.wss?uid=swg21690785).


Document Information

Modified date:
16 June 2018

UID

swg21973570