Question & Answer
Question
The 'Content Extension for Intrusions' theme adds rule content, building blocks, and a reference data set to QRadar to focus on intrusion detection. This extension enhances QRadar's base rule set for administrators who have new QRadar installations.
Answer
Before you begin
This extension is intended to add rules for new appliance installations of QRadar 7.2.6. Administrators with new appliance installations should review this content extension to determine if the rules, building blocks, and related content for intrusion detection should be added to QRadar.
Administrators who have upgraded from QRadar 7.2.5 already have this intrusion content included in QRadar by default. Administrators who upgraded and still want to install this extension can do so; however, they will be prompted to confirm whether to overwrite or keep the existing extension values.
Administrators who want to update values in QRadar should select the Overwrite option. This updates the rule template for rule and building block changes, not user-defined rules. Reference data parameters are updated if any changed in the new version of the content extension; however, reference data values are untouched, so any existing data in the Database Servers reference set remains available.
Extension download: https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:IBMContentPackageInternalIntrusion
Rule and building blocks updated in the Intrusion Extension v1.0.1
Intrusion rules and building blocks updated in extension v1.0.1
| Type | Description | Change |
|---|---|---|
| Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
| Rule | Exploit: Exploits Followed by Firewall Accepts | Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule |
| Rule | Anomaly: DMZ Jumping | Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule |
| Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Added a rule test: BB:DeviceDefinition: FW/Router/Switch to rule |
| Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Updated user interface name and rule text description. |
| Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
QRadar content added in the original Intrusion Extension (version 1.0.0)
The Intrusion Theme extension adds 20 intrusion rules, 52 building blocks, and one reference data set, for a total of 73 content add-ons for QRadar.
Reference set added by the intrusion extension
| Name | Type |
|---|---|
| Database Servers | Reference set |
Rules and building blocks added by the intrusion extension
| Name | Type |
|---|---|
| Excessive Firewall Accepts From Multiple Sources to a Single Destination | Rule |
| DMZ Jumping | Rule |
| Source Vulnerable to this Exploit | Rule |
| Destination Vulnerable to Detected Exploit | Rule |
| Source Vulnerable to any Exploit | Rule |
| Exploit/Malware Events Across Multiple Destinations | Rule |
| Exploit Followed by Suspicious Host Activity | Rule |
| Destination Vulnerable to Detected Exploit on a Different Port | Rule |
| 100% Accurate Events | Rule |
| Multiple Vector Attack Source | Rule |
| Remote: Remote Desktop Access from the Internet | Rule |
| Exploits Followed by Firewall Accepts | Rule |
| Remote: VNC Access from the Internet to a Local Host | Rule |
| Malware or Virus Clean Failed | Rule |
| Remote: VNC Access from the Internet to a Local Host | Rule |
| Remote: Remote Desktop Access from the Internet | Rule |
| Excessive Firewall Accepts From Multiple Sources to a Single Destination | Rule |
| DMZ Jumping | Rule |
| Remote: Possible Tunneling | Rule |
| BB:Database: System Action Deny | Building block |
| BB:HostDefinition: Database Servers | Building block |
| BB:HostReference: Database Servers | Building block |
| BB:PortDefinition: Database Ports | Building block |
| BB:PortDefinition: Common Worm Ports | Building block |
| BB:FalseNegative: Events That Indicate Successful Compromise | Building block |
| BB:DeviceDefinition: Database | Building block |
| BB:Threats: Scanning: Scan Medium | Building block |
| BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Building block |
| BB:Threats: Scanning: ICMP Scan Low | Building block |
| BB:Threats: Scanning: ICMP Scan High | Building block |
| BB:Threats: Scanning: Scan Low | Building block |
| BB:Threats: Scanning: ICMP Scan Medium | Building block |
| BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Building block |
| BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Building block |
| BB:Threats: Scanning: Empty Responsive Flows High | Building block |
| BB:Threats: Scanning: Scan High | Building block |
| BB:Threats: Scanning: Empty Responsive Flows Low | Building block |
| BB:Threats: Scanning: Empty Responsive Flows Medium | Building block |
| BB:Threats: Port Scans: UDP Port Scan | Building block |
| BB:Threats: Port Scans: Host Scans | Building block |
| BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Building block |
| BB:Threats: Scanning: Potential Scan | Building block |
| BB:CategoryDefinition: Post Exploit Account Activity | Building block |
| BB:CategoryDefinition: Recon Flows | Building block |
| BB:CategoryDefinition: Successful Communication | Building block |
| BB:CategoryDefinition: Firewall or ACL Denies | Building block |
| BB:CategoryDefinition: Recon Events | Building block |
| BB:CategoryDefinition: Mail Policy Violation | Building block |
| BB:CategoryDefinition: Service DoS | Building block |
| BB:CategoryDefinition: Worm Events | Building block |
| BB:CategoryDefinition: Virus Detected | Building block |
| BB:CategoryDefinition: Authentication to Expired Account | Building block |
| BB:CategoryDefinition: Countries/Regions with no Remote Access | Building block |
| BB:CategoryDefinition: Pre DMZ Jump | Building block |
| BB:CategoryDefinition: Authentication to Disabled Account | Building block |
| BB:CategoryDefinition: Network DoS Attack | Building block |
| BB:CategoryDefinition: Recon Event Categories | Building block |
| BB:CategoryDefinition: Firewall or ACL Accept | Building block |
| BB:CategoryDefinition: Exploits Backdoors and Trojans | Building block |
| BB:BehaviorDefinition: Compromise Activities | Building block |
| BB:CategoryDefinition: Post DMZ Jump | Building block |
| BB:CategoryDefinition: Authentication Failures | Building block |
| BB:CategoryDefinition: Key Loggers | Building block |
| BB:CategoryDefinition: Malware Annoyances | Building block |
| BB:CategoryDefinition: DDoS Attack Events | Building block |
| BB:CategoryDefinition: Database Access Denied | Building block |
| BB:NetworkDefinition: DMZ Addresses* | Building block |
| BB:NetworkDefinition: Honeypot like Addresses | Building block |
| BB:NetworkDefinition: Undefined IP Space | Building block |
| BB:NetworkDefinition: Darknet Addresses | Building block |
| BB:NetworkDefinition: Watch List Addresses | Building block |
* denotes that this building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.
Where do I find more information?
If you have additional questions or some of this content is not clear, you can visit the QRadar forum or contact customer support.
Installing a QRadar Extension
The Extensions Management window in QRadar is used to add applications or content extensions to your deployment to improve the functionality of QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards. Extensions can also install applications that deliver specific new functionality to QRadar. The About tab outlines the contents of the extension that are being added to QRadar. Content extensions that are installed do not disrupt QRadar user activity and do not restart services.
Procedure
- Log in to the QRadar Console as an administrator.
- Download the file to your laptop or workstation from the X-Force App Exchange: https://exchange.xforce.ibmcloud.com/.
- Click the Admin tab, then click Extensions Management in the System Configuration section.
- To upload an extension, click Add and select the extension to upload.
- To install the extension immediately, select the Install immediately check box and then click Add.
  A preview of the content is displayed before the extension is installed, and the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data. If you choose to keep the existing data, no updated content extension items are installed.
- Select Overwrite when prompted to add the new data to your QRadar appliance.
- The installation is complete and the status is displayed in QRadar.
Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console.
Results
If a yellow caution icon is displayed in the Status column there might be potential issues with the digital signature or installation. Hover over the icon for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
If you are installing an updated version of an extension, review the change list to determine if you need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block update, performance change, or new rule tests, consider updating or recreating your existing rule from the rule template.
For more information about Custom Event Properties, see QRadar: Creating a Report that Uses a Custom Event Property (http://www.ibm.com/support/docview.wss?uid=swg21690785).
Document Information
Modified date: 16 June 2018
UID: swg21973571