Question & Answer
Question
This article outlines the contents of the Payment Card Industry (PCI) report and rule extension add-on for QRadar. Administrators with new installations can download this extension to add PCI reports and compliance rules to QRadar.
Answer
Tab navigation
- About the PCI Extension-selected tab,
- Installing an Extension
The Payment Card Industry (PCI) report and rule extension add-on for QRadar provides 47 reports, 30 saved searches, 13 rules/building blocks, 16 groups, and 2 custom event property to new QRadar installations.
Reports added by the PCI Extension v1.0.0
Report Description |
PCI Compliance Failures |
Network Traffic Volume |
Network Traffic Volume |
Top Users by Remote Access Activity |
Weekly PCI Compliance Failures |
PCI 1.2.1a - Internal Network (not DMZ) to Internet |
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Monthly) |
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Weekly) |
PCI 1.2.1b - Inbound and Outbound Traffic |
PCI 1.2.1b - Inbound and Outbound Traffic (Monthly) |
PCI 1.2.1b - Inbound and Outbound Traffic (Weekly) |
PCI 1.3 - Traffic Summaries (Details) |
PCI 1.3 - Traffic Summaries (Monthly) |
PCI 1.3 - Traffic Summaries (Time Series) |
PCI 1.3 - Traffic Summaries (Weekly) |
PCI 2.1 - Vendor Defaults |
PCI 2.1 - Vendor Defaults (Monthly) |
PCI 2.2 - Server Function |
PCI 2.3 - Traffic to Trusted Segments |
PCI 2.3 - Traffic to Trusted Segments (Monthly) |
PCI 2.3 - Traffic to Trusted Segments (Weekly) |
PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments |
PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments (Monthly) |
PCI 4.1 - Traffic to Trusted Segments from Untrusted Segments (Weekly) |
PCI 5.2 - Malware |
PCI 5.2 - Malware (Monthly) |
PCI 5.2 - Malware (Weekly) |
PCI 5.2 - Malware or Virus Clean Failed |
PCI 5.2 - Top Malware Activity |
PCI 6.1 - Vulnerabilities |
PCI 6.6 - Attacks against Public Facing Applications or Services |
PCI 6.6 - Attacks against Public Facing Applications or Services (Monthly) |
PCI 6.6 - Attacks against Public Facing Applications or Services (Weekly) |
PCI 7.1 - Access to Cardholder and Trusted Systems |
PCI 7.1 - Access to Cardholder and Trusted Systems (Monthly) |
PCI 7.1 - Access to Cardholder and Trusted Systems (Weekly) |
PCI 8.1 - User Account Additions and Changes |
PCI 8.1 - User Account Additions and Changes (Monthly) |
PCI 8.1 - User Account Additions and Changes (Weekly) |
PCI 10 - Audit of Data |
PCI 10 - Audit of Data (Monthly) |
PCI 10 - Audit of Data (Weekly) |
PCI 10.2 - User Accounts Additions by Admin |
PCI 10.2 - User Accounts Additions by Admin (Monthly) |
PCI 10.2 - User Accounts Additions by Admin (Weekly) |
PCI 11.3/11.2 Vulnerability Report |
PCI 12.9 Incident Response (Offense Summary) - Weekly |
Building blocks added by the PCI Extension v1.0.0
Rules or Building Block Description | Type |
Device Stopped Sending Events | Rule |
Malware or Virus Clean Failed | Rule |
BB:DeviceDefinition: AntiVirus | Building Block |
BB:DeviceDefinition: IDS / IPS | Building Block |
BB:CategoryDefinition: Authentication Failures | Building Block |
BB:CategoryDefinition: Authentication Success | Building Block |
BB:CategoryDefinition: Firewall or ACL Accept | Building Block |
BB:CategoryDefinition: Firewall or ACL Denies | Building Block |
BB:CategoryDefinition: Superuser Accounts | Building Block |
BB:NetworkDefinition: Inbound Communication from Internet to Local Host | Building Block |
BB:NetworkDefinition: Trusted Network Segment* | Building Block |
BB:NetworkDefinition: Untrusted Local Networks* | Building Block |
BB:NetworkDefinition: Untrusted Network Segment | Building Block |
* denotes that this building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.
Searches added by the PCI Extension v1.0.0
Search name |
Link Utilization |
Malware Clean Failed |
Malware Events by IP |
Malware Events by Name |
Remote Access Failures (VPN and Others) |
Top Destination Networks - Internal |
Top Source Networks |
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Accepted) |
PCI 1.2.1a - Internal Network (not DMZ) to Internet (All) |
PCI 1.2.1a - Internal Network (not DMZ) to Internet (Denied) |
PCI 1.2.1b - Inbound Allowed Traffic |
PCI 1.2.1b - Outbound Allowed Traffic |
PCI 1.3.1 - Allowed Traffic Into DMZ from Internal |
PCI 1.3.2 - Allow Traffic from Internet to Internal Networks (Not DMZ) |
PCI 1.3.3 - Traffic Between Internet and Cardholder Data |
PCI 1.3.5 - Traffic Between Cardholder Data and Internet (Not DMZ) |
PCI 2.1 - Vendor Supplied Defaults Accepted |
PCI 2.2.1 - Primary Function Per Server |
PCI 2.3 - Protocols to Trusted Network Zones |
PCI 4.1 - Protocols to Trusted Network Zones |
PCI 5.2 - Malware Events by Event Name or Action |
PCI 6.1 - Vulnerabilities Discovered |
PCI 6.6 - Attacks against Public Facing Applications and Servies |
PCI 7.1 - Access to CardHolder and Trusted System |
PCI 8.1 - User Account Added By User |
PCI 8.1 - User Account Modified By User |
PCI 10.2 - PCI 8.1 - User Account Added By Admin User |
PCI 10.5.4 Verification of Logs Recieved |
PCI 10.6 SIEM Audit Overview |
PCI 10.7 SIEM Backup Activity |
Custom Properties added by the PCI Extension v1.0.0
Custom event property name |
AccountName |
VirusName |
Where do you find more information?
Installing a QRadar Extension
The Extensions Management window in QRadar is used to add applications or content extensions to your deployment to improve the functionality of QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards. Extensions can also install applications that deliver specific new functionality to QRadar. The About tab outlines the contents of the extension that are being added to QRadar. Content extensions that are installed do not disrupt QRadar user activity and do not restart services.
Procedure
- Log in to the QRadar Console as an administrator.
- Download the file to your laptop or workstation from the X-Force App Exchange: https://exchange.xforce.ibmcloud.com/.
- Click the Admin tab, then click Extensions Management in the System Configuration section.
- To upload an extension, click Add and select the extension to upload.
- To install the extension immediately, select the Install immediately check box and then click Add.
A preview of the content is displayed before the extension is installed, and the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data. If you choose to keep the existing data, no updated content extension items are installed. - Select Overwrite when prompted to add the new data to your QRadar appliance.
- The installation is complete and the status is displayed in QRadar.
Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console.
Results
If a yellow caution icon is displayed in the Status column there might be potential issues with the digital signature or installation. Hover over the icon for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
If you are installing an updated version of an extension, review the change list to determine if you need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block update, performance change, or new rule tests, consider updating or recreating your existing rule from the rule template.
For more information about Custom Event Properties, see QRadar: Creating a Report that Uses a Custom Event Property (http://www.ibm.com/support/docview.wss?uid=swg21690785).
Where do you find more information?
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21988118