IBM Support

QRadar: Using the Threat Monitoring and the Sysmon Content extensions in multi-tenanted environments

Troubleshooting


Problem

Users who run multi-tenanted QRadar deployments and have installed the IBM-provided content packs might need to modify how the installed rules collect reference data so that the rules work correctly in their environment.

Symptom

In multi-tenanted QRadar installations, the same private source and destination IP addresses can appear in more than one tenant; the system tells them apart only by the tenant tag that is added to each payload.

This can lead to a scenario where activity from a local IP address in 'tenant A' causes 'tenant B' to start generating incidents, whenever hosts in both tenants use the same local IP address. When a host is flagged, its IP address is added to the 'Compromised Hosts' reference set that the extensions install by default, but the tenant tag is not stored with it.
This reference set is then used as a fundamental part of a second group of rules that potentially create new, subsequent incidents, so the new incidents might be triggered by nothing more than a match against the 'Compromised Hosts' reference set. If there is only a single tenant in QRadar, or each local IP address is unique across tenants, this implementation works as intended. If, in a multi-tenant environment, some local IP addresses are duplicated, the deny-listed private IPs of 'tenant A' can start generating incidents for hosts with the same private IPs in 'tenant B'. Those incidents are false positives, because only the host in 'tenant A' is compromised and the other tenants are unaffected.
The rules that generate entries in the 'Compromised Hosts' reference set (all located in the 'IBM® QRadar® Sysmon Content' extension):
  • Excessive System Tools Usage from a Single Host
  • Suspicious Svchost Process
  • Process Launched from Unusual Directory
  • PsExec Process Masquerading
  • Potential Keylogger Detected
  • Rundll32 with qwerty Argument Usage
  • Mimikatz IMP Hash Observed
  • Malicious Service Installed
The rules that use the 'Compromised Hosts' reference set to evaluate new potential incidents (located in either the 'IBM Security QRadar Threat Monitoring Content' or the 'IBM® QRadar® Sysmon Content' extension):
  • Powershell Process Observed on a Compromised Host
  • Service Installed on a Compromised Host
  • Network Share Accessed from a Compromised Host
  • Successful Login From a Compromised Host
  • Excessive System Tools Usage from a Single Host
  • Scheduled Task Created on a Compromised Host
  • Administrative Share Accessed from a Compromised Host
  • SMB Traffic Permitted From a Compromised Host
  • Network Share Added to a Compromised Host
  • Excessive Denied SMB Traffic From a Compromised Host
  • PsExec Process Observed on a Compromised Host
  • Excessive Network Share Access Failures from a Compromised Host

Document Location

Worldwide



Document Information

Modified date:
01 February 2024

UID

ibm16988519