IBM QRadar Network Insights Version 7.3.1
User Guide
IBM
Note: Before you use this information and the product that it supports, read the information in the "Notices" section at the end of this guide.
Product information
This document applies to IBM QRadar Security Intelligence Platform V7.3.1 and subsequent releases unless superseded by an updated version of this document.
© Copyright IBM Corporation 2017. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Introduction to installing QRadar Network Insights
1 QRadar Network Insights
  What's new in QRadar Network Insights V7.3.1
2 QRadar Network Insights use cases
3 QRadar Network Insights content
4 QRadar Network Insights content extensions
  Content extension V1.1.0
  Content extension V1.2.0
  Content extension V1.3.0
  Content extension V1.4.0
Notices
  Trademarks
  Terms and conditions for product documentation
  IBM Online Privacy Statement
  General Data Protection Regulation
Introduction to installing QRadar Network Insights
This guide contains information about analyzing network data in real time by using IBM® QRadar® Network Insights.
Intended audience
This guide is intended for investigators who extract information from network traffic and focus on security incidents and threat indicators.
Technical documentation
To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).
Contacting customer support
For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?uid=swg21616144).
Statement of good security practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Please Note:
Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.
1 QRadar Network Insights
IBM QRadar Network Insights provides in-depth visibility into network communications on a real-time basis to extend the capabilities of your IBM Security QRadar deployment.
Through the deep analysis of network activity and application content, QRadar Network Insights empowers QRadar Sense Analytics to detect threat activity that would otherwise go unnoticed.
QRadar Network Insights analyzes both network metadata and application content to detect suspicious activity that is hidden among normal traffic, and extracts content to give QRadar visibility into network threat activity. The intelligence that QRadar Network Insights provides integrates with traditional data sources and threat intelligence to extend the detection and analysis capabilities of QRadar.
QRadar Network Insights provides visibility across a range of use cases, including:
- Malware detection and analysis
- Phishing email and campaign detection
- Insider threats
- Lateral movement attack detection
- Data exfiltration protection
- Identifying compliance gaps
Benefits of QRadar Network Insights
The following list highlights some of the benefits of using QRadar Network Insights:
- Uses in-depth packet inspection to identify advanced threats and malicious content.
- Extends the capabilities of QRadar to detect phishing attacks, malware intrusions, lateral movement, and data exfiltration.
- Records application activities, captures key artifacts, and identifies the assets, applications, and users that participate in network communications.
- Applies Layer 7 content analysis for advanced security insights.
- Analyzes files and enables tracking of files.
What's new in QRadar Network Insights V7.3.1
IBM QRadar Network Insights provides improved analytics capabilities by exposing more flow data.
Enriched content in IBM QRadar Network Insights V7.3.1 Patch 5
IBM QRadar Network Insights V7.3.1 Patch 5 provides improved analytics capabilities by extracting the following flow data when the HTTP protocol is detected:
- HTTP method
- Last Proxy Basis
- Last Proxy IPv4
- Last Proxy IPv6
- SSL/TLS version
Also in this release, QRadar Network Insights extracts the IP type of service (DSCP), and provides more granular DNS data by extracting the DNS results into multiple fields.
Learn more about QRadar Network Insights content.
2 QRadar Network Insights use cases
QRadar Network Insights provides in-depth visibility into network communications and application content to empower QRadar Sense Analytics to detect threat activity. You can use QRadar Network Insights to detect and analyze malware, phishing, insider threats, lateral movement attacks, data exfiltration, and compliance gaps.
Malware detection and analysis
Malware frequently morphs to avoid detection. You can use QRadar Network Insights to detect malware based on file hashes and file activity, and observe and analyze artifacts such as:
- Names
- Properties
- Movement
- Suspicious content
Phishing email and campaign detection
Phishing can hide in plain sight by disguising its activity within the volume of normal email. You can prepare for and react to malicious emails by using QRadar Network Insights to analyze:
- Sources
- Targets
- Subject
- Content
Insider threats
You can integrate QRadar Network Insights with the User Behavior Analytics app to improve threat detection. Use the QRadar Network Insights analytics to recognize:
- High-risk users
- Potential targets of phishing
- Negative sentiment
- Suspicious behaviors
Lateral movement attack detection
QRadar Network Insights can trace anomalous communications, including:
- Reconnaissance
- Data transfers
- Rogue and malicious actors
Data exfiltration protection
Data can be exfiltrated through many methods. Use QRadar Network Insights to identify and track suspicious files and activity such as:
- DNS abnormalities
- Sensitive content
- Aberrant connections
- Aliases
Identify compliance gaps
QRadar Network Insights allows for continuous monitoring of enterprise, industry, and regulatory compliance.
3 QRadar Network Insights content
The QRadar Network Insights content that is populated depends on the inspection level and on whether the data is available in the source system.
For example, some content is populated by the X-Force® Threat Intelligence feed, but the field may appear empty in QRadar if the information is not available in X-Force.
To include the content in searches, select the fields in the Column Definition section of the QRadar query builder. For more information about creating searches, see the event and flow search topics in the IBM Security QRadar documentation.
You can also include the content in advanced searches. For more information about creating advanced searches, see the IBM Security QRadar Ariel Query Language Guide.
Basic inspection level content
When the inspection level is set to Basic, QRadar Network Insights populates these fields:
Table 1. Content that is populated with Basic inspection level
Query builder name | Advanced search name | Data source
Source IP address | sourceip | IPv4 or IPv6 header of the flow packet.
Source port | sourceport | TCP or UDP header of the flow packet.
Destination IP address | destinationip | IPv4 or IPv6 header of the flow packet.
Destination port | destinationport | TCP or UDP header of the flow packet.
IP protocol | protocolid | IPv4 or IPv6 header of the flow packet.
Flow ID | flowid | Assigned by QRadar Network Insights.
Total Packets | sourcepackets, destinationpackets | Assigned and maintained by QRadar Network Insights*.
Total bytes per packet | sourcebytes, destinationbytes | Assigned and maintained by QRadar Network Insights*.
First Packet Time | firstpackettime | Assigned by QRadar Network Insights.
Last Packet Time | lastpackettime | Assigned by QRadar Network Insights.
Source DSCP | sourcedscp | IP quality of service derived from the IPv4 or IPv6 header of the flow packet*.
Destination DSCP | destinationdscp | IP quality of service derived from the IPv4 or IPv6 header of the flow packet*.
VLAN Tag | "vlan tag" | Populated only when the flow source or destination address came from 802.1Q VLAN header data.
Enriched inspection level attributes
When the inspection level is set to Enriched, QRadar Network Insights populates these fields:
Table 2. Content that is populated with Enriched inspection level
Query builder name | Advanced search name | Data source
Application | applicationid | Multiple sources, such as Inspectors and X-Force. The attribute is populated by default.
Action | action | Populated when the flow analysis indicates an action on an HTTP flow. Possible values: Write/Post/Chat; Stream/Download; Share; Start App; Audio Chat/Video Chat; Software/AV Updates. The flow analysis is based on X-Force data, and the field is populated only when the X-Force data is available.
Content subject | "content subject" | If populated, extracted from the subject field of the flow content. For example, the subject might come from an email, or it could be embedded in the metadata.
Content Type | "content type" | HTTP, Content Inspector. Populated only when the file type is not recognized.
Destination DSCP (IBM QRadar Network Insights V7.3.1.6 only) | destinationdscp | Descriptive name for the type of service, as determined by the IPv4 header.
DNS Query | "dns query" | Populated only if the flow has data on a DNS query.
DNS Response | "dns response" | Populated only if the flow has data on a DNS response.
DNS Query ID (V7.3.1.6 only) | "dns query id" | Populated only if the flow contains information about a DNS request or response.
DNS Domain Name (V7.3.1.6 only) | "dns domain name" | Populated only if the flow contains information about a DNS request.
DNS Request Type (V7.3.1.6 only) | "dns request type" | Populated only if the flow contains information about a DNS request.
DNS Response Code (V7.3.1.6 only) | "dns response code" | Populated only if the flow contains information about a DNS response.
DNS Flags (V7.3.1.6 only) | "dns flags" | Populated only if the flow contains information about a DNS request.
DNS Answers (V7.3.1.6 only) | "dns answers" | All DNS fields (formatted list). Populated only if the flow contains information about a DNS response.
DNS Raw Answer (V7.3.1.6 only) | "dns raw answer" | All DNS fields (binary format). Populated only if the flow contains information about a DNS response.
File Entropy | "file entropy" | Populated only when a complete file is found embedded in the flow data.
File Hash | "file hash" | Populated only when a complete file is found embedded in the flow data. For example, the file hash might be SHA256, MD5, or SHA1.
File Name | "file name" | Populated only when a named file is found embedded in the flow data.
File Size | "file size" | Populated only when a complete file is found embedded in the flow data.
HTTP Host | "http host" | Host header of the HTTP request. Populated only if the HTTP protocol is used.
HTTP Method (V7.3.1.6 only) | "http method" | Method in the HTTP request line, indicating the action to be performed. Populated only if the HTTP protocol is used.
HTTP Referrer | "http referrer" | Referer header of the HTTP request (the header name is spelled "Referer" in the HTTP specification). Populated only if the HTTP protocol is used.
HTTP Response Code | "http response code" | Status code of the HTTP response. Populated only if the HTTP protocol is used.
HTTP Server | "http server" | Server header of the HTTP response. Populated only if the HTTP protocol is used.
HTTP User Agent | "http user agent" | User-Agent header of the HTTP request. Populated only if the HTTP protocol is used.
HTTP Version | "http version" | Protocol version in the HTTP request line. Populated only if the HTTP protocol is used.
Last Proxy Basis (V7.3.1.6 only) | "last proxy basis" | Where an HTTP request was found to be explicitly forwarded, the type of HTTP header that directed the forwarding. Possible values: RFC 7239 Forwarded header; X-Forwarded-For header; Akamai True-Client-IP header.
Last Proxy IPv4 (V7.3.1.6 only) | "last proxy ipv4" | The final forwarded destination shown as an IPv4 address. Populated only if the HTTP protocol is used and forwarding was detected.
Last Proxy IPv6 (V7.3.1.6 only) | "last proxy ipv6" | The final forwarded destination shown as an IPv6 address. Populated only if the HTTP protocol is used and forwarding was detected.
Originating User | "originating user" | Populated from multiple sources when the originating user can be detected, such as flow data for email or chat messages.
Password | password | Populated only when a cleartext password exchange is detected in the flow, for example a cleartext password exchange in an FTP flow.
Recipient Users | "recipient users" | Populated if one or more destination users are detected in the flow.
Request URL | "request url" | Populated only when a URL string is detected in HTTP flow data.
Search Arguments | "search arguments" | Populated only when the pattern of a search request is detected in HTTP flow data.
SMTP Hello | "smtp hello" | Populated for flows that initiate an SMTP session. Captures the data that follows the HELO command. For more information, see RFC 2821 and RFC 1651.
Source DSCP (V7.3.1.6 only) | sourcedscp | Descriptive name for the type of service, as determined by the IPv4 header.
SSL/TLS Version (V7.3.1.6 only) | "ssl/tls version" | The version of SSL/TLS. The following versions are detected: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2.
Suspect Content Descriptions | "suspect content descriptions" | Populated from multiple sources when a suspicious entity is detected. For example, the suspect content might come from the website category, embedded links, or YARA rules. For more information, see "Advanced inspection level attributes".
Web Categories | "web categories" | Populated only when the HTTP URL or endpoint matches a known X-Force web category.
Because the Password field stores credentials that were observed in cleartext on the wire, treat searches, reports, and exports that include it as sensitive data.
Advanced inspection level attributes
The Advanced inspection level captures the same content flow attributes as the Enriched inspection level.
However, when the inspection level is set to Advanced and the suspect content list identifies a suspicious entity, the flows are subjected to more rigorous content extraction processes.
The suspect content list is populated under the following conditions:
- The IP address reputation of one of the flow's endpoints is suspicious.
- The category of a website is one of several suspicious entries.
- Suspicious content is detected in the transferred information.
- A user-provided YARA rule matches during scanning.
- Scripts are detected in Office or PDF files.
- Embedded links are detected in PDF files.
- An excessive number of items is discovered through regular expression matching.
- Credit card numbers, social security numbers, IP addresses, or email addresses are detected.
- User-defined items that are marked as suspicious are discovered through regular expression matching.
- An identified protocol runs on a non-standard port.
- An SSL/TLS certificate is used outside of its valid dates.
- A self-signed certificate is used in SSL/TLS.
- A weak public key length is used in SSL/TLS.
4 QRadar Network Insights content extensions
The IBM QRadar Network Insights content extension provides more QRadar rules, reports, searches, and custom properties for administrators. This custom rule engine content focuses on providing analysis, alerts, and reports for QRadar Network Insights deployments.
Note: As of content extension V1.3.0, the QRadar Network Insights content extension is supported only by QRadar V7.3.0 or later.
Content extension V1.1.0
The IBM QRadar Network Insights content extension V1.1.0 adds rules, searches, reports, and custom property extractions that focus on providing analysis, alerts, and reports for QRadar Network Insights.
This extension is intended to add content for administrators who have QRadar Network Insights appliances in their deployment (appliance type 1901 or 1920). When an administrator installs this content pack, they are prompted to overwrite existing content because some custom properties are updated as part of this content pack.
Custom event properties added by content extension V1.1.0
The QRadar Network Insights content extension V1.1.0 includes new and updated custom event properties for capturing network content from events and flows, such as recipient users, file hash, file names, content subject, and reject code.
Table 3. Custom event properties in content extension V1.1.0
Name | Property type | Regular expression
Action | Flow | IBM\(APP_ACTION\)=([^;]+);
Content Subject | Flow | IBM\(SUBJECT\)=([^;]+);
Content_Type | Flow | IBM\(HTTP_CONT_TYPE\)=([^;]+);
DNS_Query_String | Flow | IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\);
DNS_Response_String | Flow | IBM\(DNS_RESP_SDATA\)=\(([^)]+)\);
File Hash | Flow | IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);
File Name | Flow | IBM\(CONTENT_FILE_NAME\)=([^;]+);
File_Size | Flow | IBM\(HTTP_FILES_SIZE\)=([^;]+);
HTTP Host | Flow | IBM\(HTTP_HOST\)=([^;]+);
HTTP Referrer | Flow | IBM\(HTTP_REFER\)=([^;]+);
HTTP Response Code | Flow | IBM\(HTTP_RETURN_CODE\)=([^;]+);
HTTP Server | Flow | IBM\(HTTP_SRV\)=([^;]+);
HTTP User-Agent | Flow | IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+);
HTTP Version | Flow | IBM\(HTTP_VRS\)=HTTP/([^;]+);
IP_Dest_Reputation | Flow | IBM\(IP_DST_REP\)=([^;]+);
Originating_User | Flow | IBM\(ORIG_USER\)=([^;]+);
Password | Flow | IBM\(ACTPASSWD\)=([^;]+);
Recipient User | Event | Multiple regular expressions for Microsoft Exchange, Linux OS, Solaris OS, and the Barracuda Spam and Virus Firewall.
Recipient Users | Flow | IBM\(DEST_USER_LIST\)=\(([^)]+)\);
Reject Code | Event | Multiple regular expressions for Microsoft Exchange, Linux OS, Solaris OS, and the Barracuda Spam and Virus Firewall.
Request_URL | Flow | IBM\(REQ_URL\)=([^;]+);
Search_Arguments | Flow | IBM\(HTTP_SEARCH_ARGS\)=([^;]+);
SMTP HELO | Flow | IBM\(SMTPHELO\)=([^;]+);
Suspect_Content | Flow | IBM\(SUSPECT_CONT_LIST\)=\(([^)]+)\);
Web_Categories | Flow | IBM\(HTTP_CONT_CATEGORY_LIST\)=\(([^)]+)\);
Rules added by content extension V1.1.0
The QRadar Network Insights content extension V1.1.0 includes four new rules that trigger on file hashes and on potential spam or phishing attempts.
Table 4. Rules added in content extension V1.1.0
Rule name | Description
Observed File Hash Associated with Malware Threat | Triggers when flow content includes a file hash that matches a known bad file hash in a threat intelligence data feed. Indicates that someone transferred malware over the network.
Observed File Hash Seen Across Multiple Hosts | Triggers when the same file hash that is associated with malware is seen being transferred to multiple destinations.
Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Triggers when rejected email events sent to a non-existent recipient address are seen in the system, which might indicate a spam or phishing attempt. Configure the BB:CategoryDefinition: Rejected Email Recipient building block to include the QRadar IDs (QIDs) that are relevant to your organization. It is pre-populated with QIDs for monitoring Microsoft Exchange, Linux OS (running sendmail), Solaris Operating System Sendmail Logs, and the Barracuda Spam & Virus Firewall.
Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Triggers when multiple servers send the same email subject within a period, which might indicate spam or phishing.
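As an added example (not IBM's code and not part of the content extension), the following Python applies the flow regular expressions from Table 3 to QNI-style flow payloads and then reproduces the logic of the two file-hash rules in Table 4 against stand-ins for the Malware Hashes SHA and Malware Hashes MD5 reference sets. The IBM(KEY)=value; payload layout is inferred from the regexes, and the hosts, IP addresses, file names and hash values are constructed placeholders, not captured data.

```python
import re
from collections import defaultdict

# Added example, not IBM code. The patterns are copied from Table 3 of the
# V1.1.0 content extension; the "IBM(KEY)=value;" payload layout they imply is
# an assumption, and every payload below is constructed for this example.
QNI_FLOW_PROPERTIES = {
    "Action": r"IBM\(APP_ACTION\)=([^;]+);",
    "Content Subject": r"IBM\(SUBJECT\)=([^;]+);",
    "Content_Type": r"IBM\(HTTP_CONT_TYPE\)=([^;]+);",
    "DNS_Query_String": r"IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\);",
    "File Hash": r"IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);",
    "File Name": r"IBM\(CONTENT_FILE_NAME\)=([^;]+);",
    "File_Size": r"IBM\(HTTP_FILES_SIZE\)=([^;]+);",
    "HTTP Host": r"IBM\(HTTP_HOST\)=([^;]+);",
    "HTTP User-Agent": r"IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+);",
    "Recipient Users": r"IBM\(DEST_USER_LIST\)=\(([^)]+)\);",
    "Request_URL": r"IBM\(REQ_URL\)=([^;]+);",
    "Suspect_Content": r"IBM\(SUSPECT_CONT_LIST\)=\(([^)]+)\);",
}


def extract_properties(payload):
    """Apply each Table 3 regex to one flow payload; return {property name: captured value}."""
    props = {}
    for name, pattern in QNI_FLOW_PROPERTIES.items():
        match = re.search(pattern, payload)
        if match:
            props[name] = match.group(1)
    return props


def malware_hash_hits(flows, malware_hashes_sha, malware_hashes_md5):
    """Logic of 'Observed File Hash Associated with Malware Threat':
    a flow hits when its extracted File Hash is in either reference set."""
    hits = []
    for flow in flows:
        props = extract_properties(flow["payload"])
        file_hash = props.get("File Hash", "").lower()  # reference sets are kept lowercase
        if file_hash and (file_hash in malware_hashes_sha or file_hash in malware_hashes_md5):
            hits.append({"destinationip": flow["destinationip"],
                         "file_hash": file_hash,
                         "file_name": props.get("File Name")})
    return hits


def hashes_seen_across_hosts(hits, min_hosts=2):
    """Logic of 'Observed File Hash Seen Across Multiple Hosts': group malware hits
    by hash and keep the hashes delivered to at least min_hosts distinct destinations."""
    destinations = defaultdict(set)
    for hit in hits:
        destinations[hit["file_hash"]].add(hit["destinationip"])
    return {h: sorted(ips) for h, ips in destinations.items() if len(ips) >= min_hosts}


# Constructed sample flows; hash values are placeholders, not real malware hashes.
SAMPLE_FLOWS = [
    {"destinationip": "10.0.1.15",
     "payload": "IBM(HTTP_HOST)=files.example.test;"
                "IBM(HTTP_UA)=Mozilla/5.0 (X11; Linux x86_64);"
                "IBM(REQ_URL)=/dl/invoice.exe;IBM(CONTENT_FILE_NAME)=invoice.exe;"
                "IBM(HTTP_FILES_SIZE)=73216;"
                "IBM(HTTP_FILES_CKSUM)=0x0123456789ABCDEF0123456789ABCDEF01234567;"
                "IBM(SUSPECT_CONT_LIST)=(Executable content);"},
    {"destinationip": "10.0.1.22",
     # The "+" in this user agent is outside the Table 3 character class.
     "payload": "IBM(HTTP_HOST)=files.example.test;"
                "IBM(HTTP_UA)=Mozilla/5.0 (compatible; MSIE 9.0; +http://crawler.example.test/bot);"
                "IBM(REQ_URL)=/dl/invoice.exe;IBM(CONTENT_FILE_NAME)=invoice.exe;"
                "IBM(HTTP_FILES_SIZE)=73216;"
                "IBM(HTTP_FILES_CKSUM)=0x0123456789abcdef0123456789abcdef01234567;"},
    {"destinationip": "10.0.1.40",
     "payload": "IBM(HTTP_HOST)=intranet.example.test;"
                "IBM(REQ_URL)=/docs/policy.pdf;IBM(CONTENT_FILE_NAME)=policy.pdf;"
                "IBM(HTTP_FILES_SIZE)=120004;"
                "IBM(HTTP_FILES_CKSUM)=0xfedcba9876543210fedcba9876543210fedcba98;"},
]
# Constructed stand-ins for the "Malware Hashes SHA" and "Malware Hashes MD5" reference sets.
MALWARE_HASHES_SHA = {"0123456789abcdef0123456789abcdef01234567"}
MALWARE_HASHES_MD5 = set()

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["destinationip"], extract_properties(flow["payload"]))
    found = malware_hash_hits(SAMPLE_FLOWS, MALWARE_HASHES_SHA, MALWARE_HASHES_MD5)
    print("malware hash hits:", found)
    print("spread across hosts:", hashes_seen_across_hosts(found))
```

One thing the second sample shows: the HTTP User-Agent pattern captures only characters in its class, so a user agent containing "+" (or "@", "'" and similar) is silently truncated at the last ";" before the offending character rather than rejected. If your traffic carries such user agents, extend the character class; replacing it with [^;]+ would instead truncate at the first ";" inside the user agent.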
Searches added by content extension V1.1.0
The QRadar Network Insights content extension V1.1.0 includes four new searches. These searches help users separate malware and phishing content from flow data by using file and hash information, or content subject information from emails.
The following searches were added in content extension V1.1.0:
- Malware Distribution by File and Hash
- Malware by Hash and Source Asset
- Malware Traffic Summary
- Phishing Subjects by Recipient User
Reports added by content extension V1.1.0
The QRadar Network Insights content extension V1.1.0 includes three new reports for security teams. These reports run searches that identify email phishing by subject content and malware by file and hash information from flow data. They run either weekly or daily.
Table 5. Reports added in content extension V1.1.0
Report name | Report schedule
Top Phishing Subjects by Recipient User (QNI) | Weekly
Top Malware by Asset (QNI) | Daily
Malware Distribution by File (QNI) | Daily
Custom functions added by content extension V1.1.0
The custom AQL function EMAIL::ISREPLY can be called on the Content Subject property from an advanced search on the Network Activity tab. Its purpose is to distinguish email subjects that are replies from original emails: it checks whether the subject extracted from the flow data contains "Re:". For example, an AQL query can return flows whose content subject is not null and is not a reply, to isolate original phishing emails, or can return only the replies, to locate responses to phishing emails within your organization.
Table 6. Custom functions added in content extension V1.1.0
Content Subject function | Description
Custom function | isReply()
Usage | EMAIL::ISREPLY(Content_Subject)
Namespace | Email
Name of function to execute | isReply
Description | This function checks whether the property Content_Subject contains "Re:".
Other reference content required by content extension V1.1.0
In most cases, these building blocks and reference data sets already exist within QRadar, so no updates are required. However, this content is required by the rules, searches, reports, and custom properties in the QRadar Network Insights content pack. If the content below does not exist in QRadar, it is created by this content pack.
Building blocks that are required by the QRadar Network Insights content extension:
- BB:HostDefinition: Mail Servers
- BB:HostReference: Mail Servers
- BB:PortDefinition: Mail Ports
Reference data that is required by the QRadar Network Insights content extension:
- Malware Hashes SHA
- Malware Hashes MD5
- Phishing Subjects
- Mail Servers
Content extension V1.2.0
The IBM QRadar Network Insights content extension V1.2.0 adds rules and custom property extractions that focus on providing analysis, alerts, and reports for QRadar Network Insights.
This extension is intended to add content for administrators who have QRadar Network Insights appliances in their deployment (appliance type 1901 or 1920).
Note: Some custom properties are updated in this content pack, so existing content might need to be overwritten. When an administrator installs this content pack, they are prompted to overwrite existing content.
Custom event properties and rules added by content extension V1.2.0
Table 7. Custom event properties and rules
Type | Content updated | Change description
Custom property | File_Size (flows) | Updated the File_Size (flows) custom property to change the field type from alphanumeric to numeric. This update also optimizes the custom property for both Source Payloads and Destination Payloads.
Rule | Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Updated the rule action to select "Ensure the detected event is part of an offense". In V1.1.0, this check box was not selected; V1.2.0 corrects this so that offenses are created.
Rule | Access to Improperly Secured Service - Certificate Invalid | New rule added for QRadar Network Insights to detect an SSL/TLS session that uses an invalid certificate.
Rule | Access to Improperly Secured Service - Weak Public Key Length | New rule added for QRadar Network Insights to detect an SSL/TLS session that uses a weak public key length.
Rule | Access to Improperly Secured Service - Certificate Expired | New rule added for QRadar Network Insights to detect an SSL/TLS session that uses an expired certificate.
Rule | Access to Improperly Secured Service - Self Signed Certificate | New rule added for QRadar Network Insights to detect an SSL/TLS session that uses a self-signed certificate.
Content extension V1.3.0
The IBM QRadar Network Insights content extension V1.3.0 adds support for QRadar versions 7.3.0 and later.
This extension is intended to support administrators who have QRadar Network Insights appliances in their deployment (appliance type 1901 or 1920). Custom properties from previous versions of the QRadar Network Insights content extension are now type-length-value (TLV) fields.
Note: Some custom properties are updated in this content pack; existing content might need to be overwritten.
Content extension V1.4.0
The IBM QRadar Network Insights content extension V1.4.0 adds rules, reports, saved searches, and building blocks that focus on providing analysis, alerts, and reports for QRadar Network Insights.
The QRadar Network Insights content extension V1.4.0 adds new saved searches, reports, rules, and building blocks, and adds integration between QRadar Network Insights and User Behavior Analytics rules. The User Behavior Analytics rules are enabled by default; if you are not using the User Behavior Analytics app, you can disable them. The following table outlines the changes that are made in QRadar Network Insights content extension V1.4.0.
Table 8. Content updated by QRadar Network Insights content extension V1.4.0
Type | Content updated | Change description
Saved search | File Transfer by Originating User and Content Type | This log and network activity search matches file transfers by their originating users and content types.
Saved search | File Transfer by Source IP and Content Type | This log and network activity search matches file transfers by their source IPs and content types.
Report | User File Transfer by Content Type | Shows the top 20 user file transfers by content type, by collating the File Transfer by Originating User and Content Type and File Transfer by Source IP and Content Type log and network activity searches.
Rule | QNI: Confidential Content Being Transferred to Foreign Geography | Looks for confidential content that is being transferred to countries/regions with restricted access.
Rule | UBA : QNI - Confidential Content Being Transferred to Foreign Geography | Sends events to the User Behavior Analytics app based on the QNI: Confidential Content Being Transferred to Foreign Geography rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Sends events to the User Behavior Analytics app based on the QNI: Potential Spam/Phishing Subject Detected from Multiple Sending Servers rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient | Sends events to the User Behavior Analytics app based on the QNI: Potential Spam/Phishing Attempt Detected on Rejected Email Recipient rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Observed File Hash Associated with Malware Threat | Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Associated with Malware Threat rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Observed File Hash Seen Across Multiple Hosts | Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Seen Across Multiple Hosts rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Weak Public Key Length rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Invalid | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Certificate Invalid rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Certificate Expired | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Certificate Expired rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Rule | UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate | Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Self Signed Certificate rule. This rule is assigned a senseValue, which is used whenever the User Behavior Analytics app calculates a risk score for a user.
Building block | BB:CategoryDefinition: Countries/Regions with Restricted Access | Edit this building block to include any geographic location that typically would not be allowed to access the enterprise. After it is configured, you can enable the QNI: Confidential Content Being Transferred to Foreign Geography rule.
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Terms and conditions for product documentation
Permissions for the use of these publications are granted subject to the following terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBM website.
Personal use
You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.
IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
IBM Online Privacy Statement
IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.
Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user’s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.
If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.
For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details, the section entitled “Cookies, Web Beacons and Other Technologies”, and the “IBM Software Products and Software-as-a-Service Privacy Statement” at http://www.ibm.com/software/info/product-privacy.
General Data Protection Regulation
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about the IBM GDPR readiness journey and our GDPR capabilities and Offerings here: https://ibm.com/gdpr
Printed in USA