IBM Support

QRadar: X-Force Rules Missing After a New Console Install

Question & Answer


Question

When I installed QRadar from the ISO and enabled X-Force, I noticed that the X-Force rules are missing from the Rule Wizard even though the system is licensed properly. How do I install X-Force Rules?

Cause

X-Force Premium rules need to be installed on the Console appliance using the Threat Content Theme.

Answer

In QRadar 7.2.6 and above, administrators have the option to install rule content that is pertinent to them, instead of taking a default rule set. This allows administrators to install content extensions to expand the base rule set of QRadar, including X-Force Premium Rules.

NOTE: QRadar support suggests that administrators be on QRadar 7.2.4 Patch 4 or later before installing extensions on their QRadar Console.

To add content themes to new QRadar Console installs, the administrator must download content extensions for different types of data, such as Threat, Recon, Anomaly, Intrusion, and more. These content extensions add rules, building blocks, reports, and other types of data that build on the baseline QRadar rule set. After completing a new install of QRadar, administrators are encouraged to review and install these extensions from the IBM X-Force Exchange.

If you are missing X-Force Rules from the QRadar Rules Wizard
To add X-Force Rules to QRadar, administrators must download and install the QRadar Threat Content Extension. You must sign up using your IBM.com ID to download any extensions or apps from the X-Force Exchange.
  • Procedure
    1. Download the QRadar Threat Content Extension.
    2. Log in to the QRadar Console as an administrator.
    3. Click the Admin tab.
    4. Click the Extension Management icon.
    5. Click Add to upload your extension.
    6. Select the check box for Install Immediately.
    7. Click OK.
    8. Review the contents of the app.
    9. Click OK to install.
    10. Clear your browser cache.

      Results
      The app is installed. After the app install completes, administrators and users should clear their browser cache to prevent any user interface display issues.
       
Verify that X-Force Rules are Installed
  1. Click the Offenses tab.
  2. From the left-hand navigation menu, select Rules.
  3. From the Group drop-down, select X-Force Premium.
  4. A list of Enhanced X-Force rules is displayed.

    NOTE: It is not recommended that administrators enable any of the Legacy X-Force Rules, as they have been deprecated and replaced by the more optimized X-Force Enhanced Rule set.

    Results
    The Threat Extension rules are installed. A number of rule extensions exist for QRadar, such as rule sets for Recon, Anomaly, Compliance, Intrusion, ISO 27001, baseline maintenance packs, and more. To review or download these extensions for QRadar, see the X-Force Exchange site.
     




Document Information

Modified date:
10 January 2020

UID

swg21993302