IBM Support

QRadar: Understanding changes made to the rule modification audit events in 7.5.0 UP4 and above

Question & Answer


Question

How are the Sim Audit events for changes to custom rules structured after 7.5.0 UP4?

Cause

In 7.5.0 UP4, to resolve IJ40516 and to improve auditing of changes to custom rules, the relevant messages logged to SIM Audit were enhanced.

Answer

Previously, a modification to a rule was logged as follows:

May 13 20:14:05 127.0.0.1 Thread-19364111 | [Configuration] [CRE] [RuleModified] CustomRule( id="100367", originString="OVERRIDE", ruleType="COMMON", modificationDate="Wed May 13 20:14:05 EST 2020", createDate="Thu Apr 07 14:47:57 EST 2016", capacityTimestamp="0", ruleData="[binary data]", baseHostId="0", averageCapacity="0", baseCapacity="0", uuid="f72c7cfd-22da-4e04-9a34-dfa29369f42e", linkUuid="SYSTEM-1151" ) ... ( Rule Name="BB:HostDefinition: VA Scanner Source IP", Updated Rule Description="Apply on events and flows detected by the 'LOCAL' system 'and NOT' when the destination IP is one of the following 'x.x.x.x, x.x.x.x' 'and' when the source IP is one of the following x.x.x.x, x.x.x.x", Previous Rule Description="Apply on events and flows detected by the 'LOCAL' system 'and NOT' when the destination IP is one of the following 'x.x.x.x, x.x.x.x' 'and NOT' when the source IP is one of the following 'x.x.x.x' 'and' when the source IP is one of the following 'x.x.x.x, x.x.x.x'" )
When a rule is modified, the rule data is now presented in the audit event as a parameter named "xml". Its value is split into 724-character "chunks", each logged as a separate line in the following form:

...[Configuration] [CRE] [Rule...] CustomRule( FIELDS ) ... ( xml 000="CHUNK 1"  )
...[Configuration] [CRE] [Rule...] CustomRule( FIELDS ) ... ( xml 001="CHUNK 2"  )
...
...[Configuration] [CRE] [Rule...] CustomRule( FIELDS ) ... ( xml end="CHUNK N"  )
If the first chunk is shorter than 724 characters, the audit log shows only one line and the parameter carries no chunk index, for example: xml="CHUNK 1" ).
The Rule Name is always included in the first line. If the Rule Name is changed, the change is recorded in the xml section, for example:

...Name="A_TEST1", Name Changed="yes"...
Example: a rule modification whose changes exceed 724 characters. Note that the chunks are not necessarily logged in index order; in this example they appear as 000, 002, 001 and end, so they must be reassembled by index rather than by order of arrival:

Nov 17 13:32:21 127.0.0.1 x.x.x.x@x.x.x.x (1785) /console/do/rulewizard | [Configuration] [CRE] [RuleModified] CustomRule( id="136302", uuid="e571a433-df5d-40d7-995d-195b5439f2f1", averageCapacity="null", baseCapacity="null", modificationDate="Fri Nov 17 13:32:21 EST 2023", ruleData="[binary data]", baseHostId="null", createDate="Fri Nov 17 13:20:08 EST 2023", originString="USER", linkUuid="null", flags="0", capacityTimestamp="null", ruleType="EVENT" ) ... ( xml 000="( Name="Test_Rule_1", Description="Apply on events detected by the 'LOCAL' system 'and' when the source IP is one of the following 'x.x.x.x' 'and' when the local port is one of the following '1234' 'and' when the destination IP is one of the following 'x.x.x.x' 'and' when the 'destination' asset has a weight 'greater than' '5 - Somewhat Important' 'and' when the local network is 'VPN_Addresses_Space.VPN_Addresses_Space' 'and' when the local IP is one of the following 'x.x.x.x' 'and' when the event severity is 'greater than' '5' 'and' when the event credibility is 'greater than' '5' 'and' when the event relevance is 'greater than' '5' 'and' when the source is 'Remote' 'and' when the destination is 'Remote' 'and' whe" )
Nov 17 13:32:21 127.0.0.1 x.x.x.x@x.x.x.x (1785) /console/do/rulewizard | [Configuration] [CRE] [RuleModified] CustomRule( id="136302", uuid="e571a433-df5d-40d7-995d-195b5439f2f1", averageCapacity="null", baseCapacity="null", modificationDate="Fri Nov 17 13:32:21 EST 2023", ruleData="[binary data]", baseHostId="null", createDate="Fri Nov 17 13:20:08 EST 2023", originString="USER", linkUuid="null", flags="0", capacityTimestamp="null", ruleType="EVENT" ) ... ( xml 002="EID (custom), Bytes Received (custom), Bytes Sent (custom)' is the key and 'any' of 'API Search ID (custom), Access Key ID (custom), Access Mask (custom), Accesses (custom), Account Name (custom), Action (custom), Affected Workload (custom), Anomaly Alert Value, Application (custom), Application Category (custom), Application Name (custom), Application Type (custom), Architecture (custom), Ariel Aggregates (custom), Ariel Cursor ID (custom), Associated With Offense, Audit Flags (custom), Audit ID (custom), Authentication Package (custom), BEID (custom), Bytes Received (custom), Bytes Sent (custom), CRE Description (custom), Call Trace (custom), Call Type (custom), Command (custom), Command Arguments (custom), Compl" )
Nov 17 13:32:21 127.0.0.1 x.x.x.x@x.x.x.x (1785) /console/do/rulewizard | [Configuration] [CRE] [RuleModified] CustomRule( id="136302", uuid="e571a433-df5d-40d7-995d-195b5439f2f1", averageCapacity="null", baseCapacity="null", modificationDate="Fri Nov 17 13:32:21 EST 2023", ruleData="[binary data]", baseHostId="null", createDate="Fri Nov 17 13:20:08 EST 2023", originString="USER", linkUuid="null", flags="0", capacityTimestamp="null", ruleType="EVENT" ) ... ( xml 001="n the local 'source' host destination port is open 'either actively or passively seen' 'and' when the local 'source' host exists 'either actively or passively seen' 'and' when the local 'source' host profile age is 'greater than' '1' 'hours' 'and' when 'any' of 'API Search ID (custom), Access Key ID (custom), Access Mask (custom), Accesses (custom), Account Name (custom), Action (custom), Affected Workload (custom), Anomaly Alert Value, Application (custom), Application Category (custom), Application Name (custom), Application Type (custom), Architecture (custom), Ariel Aggregates (custom), Ariel Cursor ID (custom), Associated With Offense, Audit Flags (custom), Audit ID (custom), Authentication Package (custom), B" )
Nov 17 13:32:21 127.0.0.1 x.x.x.x@x.x.x.x (1785) /console/do/rulewizard | [Configuration] [CRE] [RuleModified] CustomRule( id="136302", uuid="e571a433-df5d-40d7-995d-195b5439f2f1", averageCapacity="null", baseCapacity="null", modificationDate="Fri Nov 17 13:32:21 EST 2023", ruleData="[binary data]", baseHostId="null", createDate="Fri Nov 17 13:20:08 EST 2023", originString="USER", linkUuid="null", flags="0", capacityTimestamp="null", ruleType="EVENT" ) ... ( xml end=":'Anonymizer IPs'], Add to a Reference Map:[Key:'sourceIP', Filter:'sourceIP', Reference Map:'Reference Map 1'] ", Limiter=" Respond no more than '1' time(s) per '60' 'minute(s)' per 'ALL' " )" )
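The example below reassembles the chunked xml parameter from lines like the ones above, sorts the chunks by their 000/001/.../end index (the example above logs them as 000, 002, 001, end), reports any index gap, and handles the single-line xml="..." form. It is an added example and not IBM's code: it assumes only the line shape documented in this article, the tag names other than RuleModified (for example RuleEnabled, RuleAdded) are assumed from the [Rule...] pattern, and the sample lines are constructed and shortened from the article's example.

```python
"""Reassemble the chunked "xml" parameter of QRadar SIM audit rule events.

Added example, not IBM's code. Assumes only the documented line shape:
  ... [Configuration] [CRE] [Rule...] CustomRule( FIELDS ) ... ( xml NNN="CHUNK" )
with indexes 000, 001, ... and a final "end" chunk, or xml="CHUNK" when the
whole payload fits in one chunk. The sample lines below are constructed.
"""
import re
from collections import defaultdict

CHUNK_SIZE = 724  # documented chunk length (informational)

# Matches the indexed form (xml 000="...", xml end="...") and the single-line
# form (xml="..."). A chunk can itself contain quotes and parentheses, so it
# is matched greedily up to the final  " )  on the line.
AUDIT_RE = re.compile(
    r'\[Configuration\] \[CRE\] \[(?P<event>Rule\w+)\] '
    r'CustomRule\( (?P<fields>.*?) \) \.\.\. '
    r'\( xml(?: (?P<index>\d{3,}|end))?="(?P<chunk>.*)"\s*\)\s*$'
)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one SIM audit line; return None if it is not a CustomRule xml line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "event": m.group("event"),
        "rule_id": fields.get("id"),
        "modified": fields.get("modificationDate"),
        "index": m.group("index"),  # "000".., "end", or None for the single-line form
        "chunk": m.group("chunk"),
    }


def reassemble(lines):
    """Join chunks per (rule id, event, modificationDate), ordered by index.

    Order comes from the index, never from arrival order. Returns
    {key: {"xml": str, "complete": bool, "missing": [int, ...]}}.
    """
    groups = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["rule_id"], rec["event"], rec["modified"])][rec["index"]] = rec["chunk"]

    result = {}
    for key, chunks in groups.items():
        if None in chunks:  # single-line form: nothing to join
            result[key] = {"xml": chunks[None], "complete": True, "missing": []}
            continue
        numbered = sorted(int(i) for i in chunks if i != "end")
        present = set(numbered)
        top = numbered[-1] if numbered else -1
        if "end" in chunks:
            top = max(top, 0)  # an "end" chunk implies at least chunk 000 exists
        missing = [i for i in range(top + 1) if i not in present]
        xml = "".join(chunks[f"{i:03d}"] for i in numbered) + chunks.get("end", "")
        result[key] = {"xml": xml, "complete": not missing and "end" in chunks, "missing": missing}
    return result


def rule_name(xml):
    """Return the Rule Name from the reassembled text (always in the first chunk)."""
    m = re.search(r'(?<!\w)Name="([^"]*)"', xml)
    return m.group(1) if m else None


def name_changed(xml):
    """True when the event records a rename, shown as Name Changed="yes"."""
    return 'Name Changed="yes"' in xml


# Constructed sample (shortened from the article's example); the chunks are
# deliberately logged out of order, and one group is missing chunk 001.
CHUNKS = [
    '( Name="Test_Rule_1", Description="Apply on events detected by the \'LOCAL\' system ',
    "'and' when the source IP is one of the following 'x.x.x.x' ",
    "'and' when the destination IP is one of the following 'x.x.x.x'\", ",
    "Limiter=\" Respond no more than '1' time(s) per '60' 'minute(s)' per 'ALL' \" )",
]
PREFIX = ("Nov 17 13:32:21 127.0.0.1 admin@x.x.x.x (1785) /console/do/rulewizard | "
          '[Configuration] [CRE] [RuleModified] CustomRule( id="136302", '
          'modificationDate="Fri Nov 17 13:32:21 EST 2023", originString="USER", ruleType="EVENT" ) ... ')
PREFIX2 = ("Nov 17 13:45:10 127.0.0.1 admin@x.x.x.x (1785) /console/do/rulewizard | "
           '[Configuration] [CRE] [RuleAdded] CustomRule( id="136303", '
           'modificationDate="Fri Nov 17 13:45:10 EST 2023", ruleType="EVENT" ) ... ')
SAMPLE_LINES = [
    PREFIX + '( xml 000="' + CHUNKS[0] + '" )',
    PREFIX + '( xml 002="' + CHUNKS[2] + '" )',
    PREFIX + '( xml 001="' + CHUNKS[1] + '" )',
    PREFIX + '( xml end="' + CHUNKS[3] + '" )',
    # Single-line form (payload under CHUNK_SIZE) recording a rename.
    "Nov 17 13:40:02 127.0.0.1 admin@x.x.x.x (1785) /console/do/rulewizard | "
    '[Configuration] [CRE] [RuleEnabled] CustomRule( id="100367", '
    'modificationDate="Fri Nov 17 13:40:02 EST 2023", ruleType="COMMON" ) ... '
    '( xml="( Name="BB:HostDefinition: VA Scanner Source IP", Name Changed="yes" )" )',
    # Incomplete group: chunk 001 never reached the collector.
    PREFIX2 + '( xml 000="( Name="Test_Rule_2", Description="Apply on events " )',
    PREFIX2 + '( xml 002="when the source is \'Remote\'", " )',
    PREFIX2 + '( xml end="Limiter=" Respond no more than \'1\' time(s) " )" )',
    "Nov 17 13:50:00 127.0.0.1 Thread-1 | [Configuration] [Unrelated] not a rule event",
]

if __name__ == "__main__":
    for key, rec in reassemble(SAMPLE_LINES).items():
        status = "complete" if rec["complete"] else f"INCOMPLETE, missing {rec['missing']}"
        print(key[1], key[0], rule_name(rec["xml"]), status)
```

The grouping key is (rule id, event, modificationDate) because every chunk line of one change repeats the same CustomRule fields; a gap in the numbered indexes or an absent end chunk marks the reassembled text as incomplete rather than silently producing a shorter rule description.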

These changes are present in the following SIM Audit events:

  1. CRE Rule Modified with QID 28250030
  2. CRE Rule Enabled with QID 28250320
  3. CRE Rule Disabled with QID 28250319
  4. CRE Rule Added with QID 28250028
  5. CRE Rule Deleted with QID 28250029


Document Information

Modified date: 22 December 2023

UID: ibm17084042