QRadar Network Insights Content Extension

 

The IBM QRadar Network Insights Content Extension provides additional QRadar rules, reports, searches, and custom properties for administrators. This custom rule engine content focuses on providing analysis, alerts, and reports for QRadar Network Insights deployments.

QRadar Network Insights provides in-depth visibility into network communications on a real-time basis to extend the capabilities of your QRadar deployment. Through the deep analysis of network activity and application content, QRadar Network Insights empowers QRadar Sense Analytics to detect threat activity that would otherwise go unnoticed.

The following QRadar Network Insights content extensions are available:

IBM QRadar Network Insights Content Extension V1.5.0

IBM QRadar Network Insights Content Extension V1.5.0 supports QRadar Network Insights V7.3.2 and later.

The following table shows the custom properties that are removed in IBM QRadar Network Insights Content Extension V1.5.0.

Table 1: Custom Properties Removed in IBM QRadar Network Insights Content Extension V1.5.0

Name | Optimized | Capture Group | Regex
Reject Code | Yes | 1 | Reject=([0-9]+)
Recipient User | Yes | 1 | <([A-Za-z0-9._+\-]+@[A-Za-z0-9.\-]+)>

The isReply custom AQL function is removed in IBM QRadar Network Insights Content Extension V1.5.0.

The following table shows the rules and building blocks in IBM QRadar Network Insights Content Extension V1.5.0.

Table 2: Rules and Building Blocks in IBM QRadar Network Insights Content Extension V1.5.0

Type | Name | Description
Rule | QNI : Access to Improperly Secured Service - Certificate Expired | Removed UBA elements from rule response, changed response limiter and updated the low level category of the dispatched event.
Rule | QNI : Access to Improperly Secured Service - Certificate Invalid | Removed UBA elements from rule response, changed response limiter and updated the low level category of the dispatched event.
Rule | QNI : Access to Improperly Secured Service - Self Signed Certificate | Removed UBA elements from rule response, changed response limiter and updated the low level category of the dispatched event.
Rule | QNI : Access to Improperly Secured Service - Weak Public Key Length | Removed UBA elements from rule response, changed response limiter and updated the low level category of the dispatched event.
Rule | QNI : Confidential Content Being Transferred to Foreign Geography | Removed UBA elements from rule response and changed response limiter.
Rule | QNI : File Extension / Content Type Verification | This rule triggers on cases where a file extension is in disagreement with the usually accepted Content-Type for the extension.
Rule | QNI : Observed File Hash Associated with Malware Threat | Removed UBA elements from rule response and changed response limiter.
Rule | QNI : Same Threat Detected on Multiple Hosts | Renamed from QNI : Observed File Hash Seen Across Multiple Hosts, removed UBA elements from rule response and changed response limiter.
Rule | QNI : Suspicious Website Access | This rule triggers when a website categorized as suspicious by X-Force has been accessed.

The following table shows the rules and building blocks that are removed in IBM QRadar Network Insights Content Extension V1.5.0.

Table 3: Rules and Building Blocks Removed in IBM QRadar Network Insights Content Extension V1.5.0

Type | Name
Building Block | BB:CategoryDefinition: Rejected Email Recipient
Building Block | BB:HostDefinition: Mail Servers
Building Block | BB:HostReference: Mail Servers
Building Block | BB:PortDefinition: Mail Ports
Rule | UBA : QNI - Confidential Content Being Transferred to Foreign Geography
Rule | UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
Rule | UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
Rule | UBA : QNI - Observed File Hash Associated with Malware Threat
Rule | UBA : QNI - Observed File Hash Seen Across Multiple Hosts
Rule | UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Expired
Rule | UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate
Rule | QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers
Rule | QNI : Potential Spam/Phishing Attempt Detected on Rejected Email Recipient

The following table shows the reports in IBM QRadar Network Insights Content Extension V1.5.0.

Table 4: Reports in IBM QRadar Network Insights Content Extension V1.5.0

Report Name | Description
User File Transfer by Content Type (QNI) | Updated container size limits.
Top Phishing Subjects by Recipient User (QNI) | Added description.
Top Malware by Asset (QNI) | Added description and cleared the Run Report Now check box in the report wizard.
Malware Distribution by File (QNI) | Added description and cleared the Run Report Now check box in the report wizard.

The following table shows the reference data in IBM QRadar Network Insights Content Extension V1.5.0.

Table 5: Reference Data in IBM QRadar Network Insights Content Extension V1.5.0

Type | Name | Description
Reference Map of Sets | QNI-Extension-ContentType-Pairs | Maps a given file extension to its expected content types. This reference map of sets comes pre-populated with 1218 entries (for example, .html maps to text/html).
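The check behind the QNI : File Extension / Content Type Verification rule and the QNI-Extension-ContentType-Pairs reference map of sets, as an added example that is not code from the content extension: the mapping below is a small hand-built stand-in for the reference map (the shipped map has 1218 entries; these rows are illustrative only), the flow records are constructed, and the normalization of Content-Type parameters and query strings is our own choice.

```python
import re
from posixpath import splitext

# Constructed stand-in for the QNI-Extension-ContentType-Pairs reference map
# of sets: file extension -> set of Content-Types accepted for it. The shipped
# map has 1218 entries; these rows are illustrative and not copied from it.
EXTENSION_CONTENT_TYPES = {
    ".html": {"text/html", "application/xhtml+xml"},
    ".pdf": {"application/pdf"},
    ".jpg": {"image/jpeg"},
    ".zip": {"application/zip", "application/x-zip-compressed"},
    ".exe": {"application/x-msdownload", "application/octet-stream"},
}


def normalize_content_type(content_type):
    """Drop parameters such as '; charset=utf-8' and lower-case the media type,
    so 'Text/HTML; charset=UTF-8' compares equal to 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def file_extension(file_name):
    """Lower-cased extension of a file name, '' when it has none. A query
    string or fragment after the name is ignored ('report.pdf?dl=1' -> '.pdf')."""
    bare = re.split(r"[?#]", file_name, maxsplit=1)[0]
    return splitext(bare)[1].lower()


def check_transfer(file_name, content_type, mapping=EXTENSION_CONTENT_TYPES):
    """Classify one file transfer the way the rule would:
    'match'             - the Content-Type is accepted for the extension
    'mismatch'          - the extension is known but this Content-Type is not
    'unknown-extension' - no entry for the extension, so no verdict; a reference
                          map lookup for an absent key matches nothing
    Returns (verdict, normalized content type or extension)."""
    ext = file_extension(file_name)
    ctype = normalize_content_type(content_type)
    expected = mapping.get(ext)
    if expected is None:
        return ("unknown-extension", ext)
    if ctype in expected:
        return ("match", ctype)
    return ("mismatch", ctype)


# Constructed flow records in the shape a detection would consume
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "file_name": "index.html", "content_type": "text/html; charset=utf-8"},
    {"src": "10.0.0.5", "file_name": "photo.JPG", "content_type": "image/jpeg"},
    # executable served under a document name: the case the rule exists for
    {"src": "10.0.0.9", "file_name": "invoice.pdf", "content_type": "application/x-msdownload"},
    {"src": "10.0.0.9", "file_name": "report.pdf?download=1", "content_type": "application/pdf"},
    {"src": "10.0.0.12", "file_name": "notes.txt", "content_type": "text/plain"},
]


def find_mismatches(flows, mapping=EXTENSION_CONTENT_TYPES):
    """Return (src, file_name, content_type) for every flow the rule would flag."""
    return [
        (f["src"], f["file_name"], f["content_type"])
        for f in flows
        if check_transfer(f["file_name"], f["content_type"], mapping)[0] == "mismatch"
    ]


if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FLOWS):
        print("extension/content-type mismatch:", hit)
```

Two points worth keeping in mind when tuning the real rule: an extension that is absent from the reference map produces no verdict at all, so additions to the map widen coverage rather than just reduce noise, and the Content-Type must be normalized (parameters stripped, case folded) before the set lookup or legitimate transfers will be reported.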

The following table shows the saved searches in IBM QRadar Network Insights Content Extension V1.5.0.

Table 6: Saved Searches in IBM QRadar Network Insights Content Extension V1.5.0

Name | Description
File Transfer by Originating User and Content Type | Updated search parameters (removed HTTP Response Code check), shared by default.
File Transfer by Source IP and Content Type | Updated search parameters (removed HTTP Response Code check and Originating User check), shared by default.
Malware by Hash and Source Asset | Updated result limit number.
Malware Traffic Summary | Updated rule name referenced in AQL query.
Phishing Subjects by Recipient User | Search now shared by default.

IBM QRadar Network Insights Content Extension V1.4.0

IBM QRadar Network Insights Content Extension V1.4.0 supports QRadar Network Insights V7.3.0 and later.

The following table shows the custom AQL functions in IBM QRadar Network Insights Content Extension V1.4.0.

Table 7: Custom AQL Functions in IBM QRadar Network Insights Content Extension V1.4.0

Name | Description
isReply | Returns true if a string is the typical subject line of a reply email, otherwise false.

The following table shows the rules and building blocks in IBM QRadar Network Insights Content Extension V1.4.0.

Table 8: Rules and Building Blocks in IBM QRadar Network Insights Content Extension V1.4.0

Type | Name | Description
Building Block | BB: Category Definition: Countries/Regions with Restricted Access | Edit this building block to include any geographic location that typically would not be allowed to access the enterprise. After it is configured, you can enable the Confidential Content Being Transferred to Foreign Geography rule.
Rule | QNI: Confidential Content Being Transferred to Foreign Geography | Detects confidential content that is being transferred to countries/regions with restricted access.
Rule | UBA : QNI - Confidential Content Being Transferred to Foreign Geography | Sends events to the User Behavior Analytics app based on the QNI: Confidential Content Being Transferred to Foreign Geography rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Sends events to the User Behavior Analytics app based on the QNI: Potential Spam/Phishing Subject Detected from Multiple Sending Servers rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Sends events to the User Behavior Analytics app based on the QNI: Potential Spam/Phishing Attempt Detected on Rejected Email Recipient rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Observed File Hash Associated with Malware Threat | Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Associated with Malware Threat rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Observed File Hash Seen Across Multiple Hosts | Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Seen Across Multiple Hosts rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Weak Public Key Length rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Invalid | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Certificate Invalid rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Expired | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Certificate Expired rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Self Signed Certificate rule, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.

The following table shows the report in IBM QRadar Network Insights Content Extension V1.4.0.

Table 9: Report in IBM QRadar Network Insights Content Extension V1.4.0

Report Name | Search Name and Dependencies
User File Transfer by Content Type | Saved Searches: File Transfer by Originating User and Content Type, and File Transfer by Source IP and Content Type

The following table shows the saved searches in IBM QRadar Network Insights Content Extension V1.4.0.

Table 10: Saved Searches in IBM QRadar Network Insights Content Extension V1.4.0

Name | Description
File Transfer by Originating User and Content Type | This log and network activity search matches file transfers by their originating users and content types.
File Transfer by Source IP and Content Type | This log and network activity search matches file transfers by their source IP addresses and content types.

IBM QRadar Network Insights Content Extension V1.3.0

The IBM QRadar Network Insights Content Extension V1.3.0 adds support for QRadar versions 7.3.0 and later. Custom properties from previous versions of the QRadar Network Insights Content Extension are now type-length-value (TLV) fields. Changes to these TLV fields come from QRadar updates, not from updating this content extension.

IBM QRadar Network Insights Content Extension V1.2.2

The IBM QRadar Network Insights Content Extension V1.2.2 provides performance improvements by setting the default categories for the existing custom flow properties. You can change the categories for the custom properties to suit your needs.

The following table shows the custom properties in IBM QRadar Network Insights Content Extension V1.2.2.

Table 11: Default Categories for Custom Properties

Custom property | Default categories
Content Subject | HTTP In Progress, Mail
File Hash | Chat, Data Transfer, HTTP In Progress, Mail, Web
File Name | Chat, Data Transfer, HTTP In Progress, Mail, Web
Recipient Users | Chat, HTTP In Progress, Mail, Remote Access, VoIP
Action | HTTP In Progress, Unknown
Content_Type | Chat, Data Transfer, HTTP In Progress, Mail, Web
DNS_Query_String | Data Transfer, Misc
DNS_Response_String | Data Transfer, Misc
File_Size | Chat, Data Transfer, HTTP In Progress, Mail, Web
HTTP Host | HTTP In Progress, Web
HTTP Referer | HTTP In Progress, Web
HTTP Response Code | HTTP In Progress, Web
HTTP Server | HTTP In Progress, Web
HTTP User-Agent | HTTP In Progress, Web
HTTP Version | HTTP In Progress, Web
IP_Dest_Reputation | HTTP In Progress, Misc, Web
Originating_User | Chat, HTTP In Progress, Mail, Remote Access, VoIP
Password | Data Transfer, Mail
Request_URL | HTTP In Progress, Web
SMTP HELO | Mail
Search_Arguments | HTTP In Progress, Web
Suspect_Content | HTTP In Progress, Inner System, Mail, Misc, VoIP, Web
Web_Categories | HTTP In Progress, Web

IBM QRadar Network Insights Content Extension V1.2.0

The following table shows the custom properties in IBM QRadar Network Insights Content Extension V1.2.0.

Table 12: Custom Properties in IBM QRadar Network Insights Content Extension V1.2.0

Name | Description
File_Size | Updated the File_Size custom property to change the field type from alphanumeric to numeric. This update also optimizes the custom property for both Source Payloads and Destination Payloads.

The following table shows the rules in IBM QRadar Network Insights Content Extension V1.2.0.

Table 13: Rules in IBM QRadar Network Insights Content Extension V1.2.0

Type | Name | Description
Rule | Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Updated the rule action to select "Ensure the detected event is part of an offense". In V1.1.0, this check box was not selected; V1.2.0 corrects this so that offenses are created.
Rule | Access to Improperly Secured Service - Certificate Invalid | Detects an SSL/TLS session that uses an invalid certificate.
Rule | Access to Improperly Secured Service - Weak Public Key Length | Detects an SSL/TLS session that uses a weak public key length.
Rule | Access to Improperly Secured Service - Certificate Expired | Detects an SSL/TLS session that uses an expired certificate.
Rule | Access to Improperly Secured Service - Self Signed Certificate | Detects an SSL/TLS session that uses a self-signed certificate.

IBM QRadar Network Insights Content Extension V1.1.0

The following table shows the custom properties in IBM QRadar Network Insights Content Extension V1.1.0.

Table 14: Custom Properties in IBM QRadar Network Insights Content Extension V1.1.0

Name | Regex
Content Subject | IBM\(SUBJECT\)=([^;]+);
File Hash | IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);
File Name | IBM\(CONTENT_FILE_NAME\)=([^;]+);
Reject_Code | Multiple Regex expressions for Microsoft Exchange, Linux OS, Solaris OS, and Barracuda Spam and Virus Firewall.
Recipient_User | Multiple Regex expressions for Microsoft Exchange, Linux OS, Solaris OS, and Barracuda Spam and Virus Firewall.
Recipient Users | IBM\(DEST_USER_LIST\)=\(([^)]+)\);
Action | IBM\(APP_ACTION\)=([^;]+);
Content_Type | IBM\(HTTP_CONT_TYPE\)=([^;]+);
DNS_Query_String | IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\);
DNS_Response_String | IBM\(DNS_RESP_SDATA\)=\(([^)]+)\);
File_Size | IBM\(HTTP_FILES_SIZE\)=([^;]+);
HTTP Host | IBM\(HTTP_HOST\)=([^;]+);
HTTP Referer | IBM\(HTTP_REFER\)=([^;]+);
HTTP Response Code | IBM\(HTTP_RETURN_CODE\)=([^;]+);
HTTP Server | IBM\(HTTP_SRV\)=([^;]+);
HTTP User-Agent | IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+);
HTTP Version | IBM\(HTTP_VRS\)=HTTP/([^;]+);
IP_Dest_Reputation | IBM\(IP_DST_REP\)=([^;]+);
Originating_User | IBM\(ORIG_USER\)=([^;]+);
Password | IBM\(ACTPASSWD\)=([^;]+);
Request_URL | IBM\(REQ_URL\)=([^;]+);
SMTP HELO | IBM\(SMTPHELO\)=([^;]+);
Search_Arguments | IBM\(HTTP_SEARCH_ARGS\)=([^;]+);
Suspect_Content | IBM\(SUSPECT_CONT_LIST\)=\(([^)]+)\);
Web_Categories | IBM\(HTTP_CONT_CATEGORY_LIST\)=\(([^)]+)\);
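The regexes in Table 14 extract custom properties from the IBM(NAME)=value; fields that QNI writes into a flow's source and destination payloads, and the default categories in Table 11 (V1.2.2) restrict each regex to the flow categories where the field can occur. The following is an added example, not code from the content extension, that runs a subset of those regexes over constructed payloads with that category gating; the payload strings and flow records are made up for illustration, and the gating logic is our reconstruction of the behaviour the V1.2.2 note describes.

```python
import re

# Custom flow property regexes copied from Table 14 (a subset).
PROPERTY_REGEXES = {
    "Content Subject": re.compile(r"IBM\(SUBJECT\)=([^;]+);"),
    "File Hash": re.compile(r"IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);"),
    "File Name": re.compile(r"IBM\(CONTENT_FILE_NAME\)=([^;]+);"),
    "Recipient Users": re.compile(r"IBM\(DEST_USER_LIST\)=\(([^)]+)\);"),
    "Content_Type": re.compile(r"IBM\(HTTP_CONT_TYPE\)=([^;]+);"),
    "HTTP Host": re.compile(r"IBM\(HTTP_HOST\)=([^;]+);"),
    # Explicit character class instead of [^;]: user agents contain ';', so the
    # engine backtracks to the last ';' that is followed by the next field.
    "HTTP User-Agent": re.compile(r"IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+);"),
    "Request_URL": re.compile(r"IBM\(REQ_URL\)=([^;]+);"),
    "SMTP HELO": re.compile(r"IBM\(SMTPHELO\)=([^;]+);"),
    "DNS_Query_String": re.compile(r"IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\);"),
}

# Default categories from Table 11 for the same properties.
PROPERTY_CATEGORIES = {
    "Content Subject": {"HTTP In Progress", "Mail"},
    "File Hash": {"Chat", "Data Transfer", "HTTP In Progress", "Mail", "Web"},
    "File Name": {"Chat", "Data Transfer", "HTTP In Progress", "Mail", "Web"},
    "Recipient Users": {"Chat", "HTTP In Progress", "Mail", "Remote Access", "VoIP"},
    "Content_Type": {"Chat", "Data Transfer", "HTTP In Progress", "Mail", "Web"},
    "HTTP Host": {"HTTP In Progress", "Web"},
    "HTTP User-Agent": {"HTTP In Progress", "Web"},
    "Request_URL": {"HTTP In Progress", "Web"},
    "SMTP HELO": {"Mail"},
    "DNS_Query_String": {"Data Transfer", "Misc"},
}


def properties_for_category(category, categories=PROPERTY_CATEGORIES):
    """Names of the properties whose regex is evaluated for a flow of this
    category; everything else is skipped, which is the V1.2.2 saving."""
    return sorted(name for name, cats in categories.items() if category in cats)


def extract_properties(flow, regexes=PROPERTY_REGEXES, categories=PROPERTY_CATEGORIES):
    """Apply each eligible regex to the source payload, then the destination
    payload, keeping capture group 1 of the first match. Returns {name: value}."""
    found = {}
    for name in properties_for_category(flow["category"], categories):
        pattern = regexes.get(name)
        if pattern is None:
            continue
        for payload in (flow["source_payload"], flow["destination_payload"]):
            match = pattern.search(payload)
            if match:
                found[name] = match.group(1)
                break
    return found


# Constructed flows; the IBM(...)=...; layout follows the Table 14 regexes.
WEB_FLOW = {
    "category": "Web",
    "source_payload": ("IBM(HTTP_HOST)=www.example.com;IBM(REQ_URL)=/downloads/setup.exe;"
                       "IBM(HTTP_UA)=Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101;"),
    "destination_payload": ("IBM(HTTP_CONT_TYPE)=application/x-msdownload;"
                            "IBM(CONTENT_FILE_NAME)=setup.exe;"
                            "IBM(HTTP_FILES_CKSUM)=0xd41d8cd98f00b204e9800998ecf8427e;"
                            "IBM(HTTP_FILES_SIZE)=1048576;"),
}
MAIL_FLOW = {
    "category": "Mail",
    "source_payload": ("IBM(SMTPHELO)=mx.example.org;IBM(SUBJECT)=Invoice attached: action required;"
                       "IBM(DEST_USER_LIST)=(alice@example.com,bob@example.com);"),
    "destination_payload": "",
}
DNS_FLOW = {
    "category": "Misc",
    "source_payload": "IBM(DNS_QUERY_SDATA)=(update.example.net);",
    "destination_payload": "",
}

if __name__ == "__main__":
    for flow in (WEB_FLOW, MAIL_FLOW, DNS_FLOW):
        print(flow["category"], extract_properties(flow))
```

Two behaviours of the shipped regexes are visible when you run this: the HTTP User-Agent pattern keeps the semicolons inside the user agent string, whereas a [^;]+ pattern such as Content Subject stops at the first semicolon, so a subject like "Meeting; bring laptop" is captured as "Meeting". Gating by category means a mail flow never has the HTTP patterns evaluated against it, which is where the V1.2.2 performance gain comes from.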

The following table shows the rules and building blocks in IBM QRadar Network Insights Content Extension V1.1.0.

Table 15: Building Blocks and Rules in IBM QRadar Network Insights Content Extension V1.1.0

Type | Name | Description
Building Block | BB:HostDefinition: Mail Servers
Building Block | BB:HostReference: Mail Servers
Building Block | BB:PortDefinition: Mail Ports
Building Block | BB:CategoryDefinition: Rejected Email Recipient
Rule | Observed File Hash Associated with Malware Threat | Detects when flow content includes a file hash that matches known bad file hashes included in a Threat Intelligence data feed. Indicates that someone has transferred malware over the network.
Rule | Observed File Hash Seen Across Multiple Hosts | Detects when the same file hash associated with malware is seen being transferred to multiple destinations.
Rule | Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Detects when rejected email events sent to a non-existing recipient address are seen in the system. This may indicate a spam or phishing attempt. Configure the BB:CategoryDefinition: Rejected Email Recipient building block to include QIDs relevant to your organization. It is pre-populated with QIDs for monitoring Microsoft Exchange, Linux OS (running sendmail), Solaris Operating System Sendmail Logs, and Barracuda Spam & Virus Firewall.
Rule | Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Detects when multiple sending servers send the same email subject in a period of time, which may indicate spam or phishing.
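The two spam/phishing rules above, together with the isReply custom AQL function of V1.4.0 and the Reject Code and Recipient User regexes of Table 1, as an added example that is not code from the content extension: the mail events and the rejection log line are constructed, the reply-prefix list is our reading of what isReply tests (the page only says "typical subject line of a reply email"), and the thresholds and time window are assumptions rather than the rule's configured values.

```python
import re
from collections import defaultdict

# Regexes copied from Table 1 (the Reject Code and Recipient User custom
# event properties), applied to a constructed mail-server event below.
REJECT_CODE_RE = re.compile(r"Reject=([0-9]+)")
RECIPIENT_USER_RE = re.compile(r"<([A-Za-z0-9._+\-]+@[A-Za-z0-9.\-]+)>")

# Assumed reading of isReply: the page says only "typical subject line of a
# reply email", so this prefix list is ours, not the extension's.
REPLY_PREFIX_RE = re.compile(r"^\s*(re|aw|sv|fwd?|wg)(\s*\[\d+\])?\s*:", re.IGNORECASE)


def is_reply(subject):
    """True for 'Re: ...', 'RE[2]: ...', 'Fwd: ...' and similar subjects."""
    return REPLY_PREFIX_RE.match(subject or "") is not None


def normalize_subject(subject):
    """Collapse whitespace and case so re-spaced copies of a subject group together."""
    return re.sub(r"\s+", " ", subject).strip().lower()


def subjects_from_multiple_servers(events, min_servers=3, window_seconds=3600):
    """Core of 'Potential Spam/Phishing Subject Detected from Multiple Sending
    Servers': a subject is reported when at least `min_servers` distinct
    sending servers used it within any `window_seconds` span. Replies are
    skipped so an ordinary thread relayed via several servers is not a hit.
    Returns {normalized subject: sorted list of sending servers}."""
    by_subject = defaultdict(list)
    for event in events:
        if is_reply(event["subject"]):
            continue
        by_subject[normalize_subject(event["subject"])].append(
            (event["time"], event["sender_server"]))
    hits = {}
    for subject, items in by_subject.items():
        items.sort()  # by time, then server name
        for i, (start, _) in enumerate(items):
            servers = {srv for t, srv in items[i:] if t - start <= window_seconds}
            if len(servers) >= min_servers:
                hits[subject] = sorted(servers)
                break
    return hits


def parse_rejection(payload):
    """Extract (reject code, rejected recipient) from a mail-server event payload
    with the two Table 1 regexes; None when either property is absent. This is
    the property extraction the 'Rejected Email Recipient' rule relies on."""
    code = REJECT_CODE_RE.search(payload)
    recipient = RECIPIENT_USER_RE.search(payload)
    if not code or not recipient:
        return None
    return (int(code.group(1)), recipient.group(1))


# Constructed mail events; "time" is seconds since an arbitrary origin.
SAMPLE_MAIL_EVENTS = [
    {"time": 0, "sender_server": "mx-a.example.net", "subject": "Your account has been suspended"},
    {"time": 600, "sender_server": "mx-b.example.net", "subject": "Your  account has been suspended"},
    {"time": 1200, "sender_server": "mx-c.example.org", "subject": "your account has been SUSPENDED"},
    {"time": 900, "sender_server": "mx-d.example.org", "subject": "Re: Your account has been suspended"},
    {"time": 0, "sender_server": "mail.corp.example", "subject": "Team lunch Friday"},
    {"time": 100, "sender_server": "mail2.corp.example", "subject": "Team lunch Friday"},
    {"time": 0, "sender_server": "s1.example.com", "subject": "Quarterly report"},
    {"time": 5000, "sender_server": "s2.example.com", "subject": "Quarterly report"},
    {"time": 10000, "sender_server": "s3.example.com", "subject": "Quarterly report"},
]

# Constructed event payload in the shape the Table 1 regexes expect.
SAMPLE_REJECT_EVENT = ("mx1 smtpd: NOQUEUE: Reject=550 from unknown[203.0.113.7]: "
                       "<nobody@example.org>: Recipient address rejected: User unknown")

if __name__ == "__main__":
    print(subjects_from_multiple_servers(SAMPLE_MAIL_EVENTS))
    print(parse_rejection(SAMPLE_REJECT_EVENT))
```

With the sample data only the "account suspended" subject is reported: it arrives from three servers inside one hour, the fourth copy is a reply and is ignored, the "Team lunch" subject comes from too few servers, and the "Quarterly report" copies are spread over more than an hour. Note that the Recipient User regex requires the address to be wrapped in angle brackets, so events that log the bare address yield no recipient.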

The following table shows the saved searches in IBM QRadar Network Insights Content Extension V1.1.0.

Table 16: Saved Searches in IBM QRadar Network Insights Content Extension V1.1.0

Name
Malware Distribution by File and Hash
Malware by Hash and Source Asset
Malware Traffic Summary
Phishing Subjects by Recipient User

The following table shows the reports in IBM QRadar Network Insights Content Extension V1.1.0.

Table 17: Reports in IBM QRadar Network Insights Content Extension V1.1.0

Report Name | Search Name and Dependencies
Top Phishing Subjects by Recipient User (QNI) - Weekly | Saved Searches:
Top Malware by Asset (QNI) - Daily
Malware Distribution by File (QNI) - Daily

The following table shows the reference data in IBM QRadar Network Insights Content Extension V1.1.0.

Table 18: Reference Data in IBM QRadar Network Insights Content Extension V1.1.0

Type | Name
Reference Set | Malware Hashes SHA
Reference Set | Malware Hashes MD5
Reference Set | Phishing Subjects
Reference Set | Mail Servers