Security Analytics Self Monitoring
Use the IBM® QRadar® Security Analytics Self Monitoring Content Extension to closely monitor your QRadar deployment.
This content extension includes one or more Pulse dashboards. For more information about Pulse dashboards, see QRadar Pulse app.
IBM Security QRadar Security Analytics Self Monitoring Content Extension
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.2
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.1
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.0
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.1.0
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.1
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.0
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.2.0
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.1
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.0
- IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.0.0
IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.2
The following table shows the rules that are new in IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.2.
| Type | Name | Description |
|---|---|---|
| Rule | A Custom Property has been Disabled | Triggers when a custom property expression is disabled due to performance problems.
Note: This rule can be tuned to enable email notifications.
|
IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.1
The following Pulse widgets are new or updated in IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.1.
- QRadar Monitoring
- QRadar Monitoring - Offenses
IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.0
The following table shows the rules that are new in IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.0.
| Type | Name | Description |
|---|---|---|
| Rule | QRadar Audit: Expensive CRE Rules | Triggers when QRadar rules are expensive. Optimize those rules to reduce load in CRE and reduce a chance that some events will not be correlated by CRE. |
| Rule | QRadar Audit: Expensive Custom Properties | Triggers when QRadar custom properties are expensive. Optimize those custom properties to reduce load in parsing and reduce a chance of unparsed events. |
| Rule | QRadar Audit: Expensive Log Sources | Triggers when QRadar log sources are expensive. Optimize those log sources / log source extensions to reduce load in parsing and reduce a chance of unparsed events. |
| Rule | QRadar Audit: High CRE Utilization | Triggers when high CRE utilization is reached. If CRE load continues growing then a saturation point will be reached and some events will not be correlated by CRE. |
| Rule | QRadar Audit: High Parsing Utilization | Triggers when high parsing utilization is reached. If Parsing load continues growing then a saturation point will be reached and some events will not be parsed and normalized. |
The following table shows the custom properties that are new in IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Element | Yes | 1 | Element=(\S+) |
| Metric ID | Yes | 1 | MetricID=(\S+) |
A pulse dashboard named Parsing and CRE Monitoring has been added to the IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.2.0. This dashboard is a visual representation of the CRE and Parsing utilization by hosts.
IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.1.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.1.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Offense ID | Yes | 1 | offense:(\d+) |
| Offense Owner | No | 1 | User:\s(.*?)\shas\sbeen |
- Offense Assigned
- Offense ID column was added to the Offense Closed Reason widget
IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.1
The following table shows the custom properties in IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| CRE Name | Yes | 1 | Rule Name=\"([^\\\"]+) |
| Total Events Dropped | No | 1 | Total Events Dropped:\s+(\d+) |
| Total Events Forwarded | No | 1 | Total Events Forwarded:\s+(\d+) |
| Total Events Not Correlated | No | 1 | Total Events Not Correlated:\s+(\d+) |
- Audit - Routing Rules - Events Dropped
- Audit - Routing Rules - Events Forwarded
- Audit - Routing Rules - Events not correlated
IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.0
The following table shows the custom properties in IBM Security QRadar Security Analytics Self Monitoring Content Extension 2.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Agent Version | No | 1 | IBM\|WinCollect\|([^\.]+) |
| Agent Version Major | No | 1 | IBM\|WinCollect\|([^\.]+) |
| Machine ID | Yes | LEEF | src |
| OS Name | No | LEEF | os |
- EPS Event Rate Average
- EPS Event Rate Max
- Events generated by CRE Doughnut
- Events generated by CRE Table
- WinCollect Agent Major Versions
- WinCollect Agent Version
- WinCollect Operating System Versions
IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.2.0
The QID was updated for the Authentication Failure Pulse widget.
The Host status custom property is removed and replaced by the System Status custom property.
The following table shows the custom properties in IBM Security QRadar Security Analytics Self Monitoring Content Extension V1.2.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Previous Rule Filters | No | 1 | Previous Rule Description="([^"]+) |
| Previous Rule Notes | No | 1 | Previous Rule Notes="([^"]+) |
| QidMap Description | No | 1 | qDescription="([^"]+) qdescription=(.*?)\scatpipename |
| QidMap ID | No | 1 | qId="(\d+)" qid=(\d+) |
| QidMap Name | No | 1 | qName="([^"]+) qname=(.*?)\srateshortwindow |
| Rule Filters | No | 1 | Updated Rule Description="([^\"]+) Rule Description="([^"]+) |
| Rule ID | No | 1 | id="(\d+)" ruleId="(\d+)" |
| Rule Notes | No | 1 | Updated Rule Notes="([^"]+) Rule Notes="([^"]+) |
| System Status | No | 1 | Sent\supdate\sstatus\sof\shost\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sto\s([^$]+) |
The following table shows the rules that are updated in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.2.0.
| Type | Name | Description |
|---|---|---|
| Rule | QRadar Audit: QRadar Host Unavailable | Updated to use the System Status custom property instead of Host status. |
The following table shows the saved searches that are new in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.2.0.
| Name | Description |
|---|---|
| Custom Rule Modification Details | Retrieves modification made to custom rules (creation, update, deletion) and displays the relevant before/after information. |
IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.1
The QID was updated for the QRadar Audit: Multiple Login Failures from the Same Source custom rule, and the Audit - Authentication Failure by Username saved search.
IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Command | Yes | 1 | CommandExecuted\]\s\:\s+([^\r\n]+) |
| CRE Name | Yes | 1 2 |
Rule Name="([^\"]+) (\s+|Updated\s+)Rule Name="([^\"]+) |
| Host Status | Yes | 1 | Sent\supdate\sstatus\sof\shost\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sto\s([^$]+) |
| Offense Closed Comment | Yes | 1 | Notes:\s((?:[^(\s+]|\s(?!\s*\())*) |
| Offense Closed Reason | Yes | 1 | This offense was closed with reason:\s([^.]*) |
| Offense ID | Yes | 1 | Properties\([\s]id="(\d+)" Properties\s\([\s]id="(\d+)" |
| Previous CRE Name | Yes | 1 | Previous Rule Name="([^\"]+) |
The following table shows the rules that are new or updated in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Rule | QRadar Audit: Unusual Number of Offenses Created | Triggers when the number of offenses created is either higher or lower by a difference of 40% over a period of 24 hours. The difference can be tuned to match desired threshold. |
The following table shows the reports that are new or updated in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.0.
| Report Name | Search Name and Dependencies |
|---|---|
| Qradar Audit - Offense Closure Report | This report shows the reason offenses were closed on QRadar. The report content is collated
using the following Log Activity and Network Activity searches:
Note: Edit this search and any relevant search dependencies to refine the results.
|
The following table shows the new or updated reference data in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Reference Data | pulse_imports | Part of the Pulse dashboard. |
The following table shows the saved searches that are new or updated in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.1.0.
| Name | Description |
|---|---|
| Number of Offenses Created | Search retrieving the total number of offenses closed within a time frame of 24 Hours. |
| Qradar Audit : Offenses Closed Reason | Search retrieving the reason why offenses have been closed on QRadar. |
| Qradar Audit : Top Offenses Closed Reason | Search grouped by the reason why offenses have been closed. |
IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.0.0
The following table shows the custom properties n IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| CRE Name | Yes Yes |
1 2 |
Rule Name="([^\"]+) (\s+|Updated\s+)Rule Name="([^\"]+) |
| Previous CRE Name | Yes | 1 | Previous Rule Name="([^\"]+) |
| Command | Yes | 1 | CommandExecuted\]\s\:\s+([^\r\n]+) |
| Host status | Yes | 1 | Sent\supdate\sstatus\sof\shost\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\sto\s([^$]+) |
| API search ID | Yes | 1 | PathInfo=\/ariel\/searches\/(\S{36})\/results |
| Search executed | Yes | 1 | Filters:(.*?)\,\s+Columns |
The following table shows the rules in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.0.0.
| Type | Name | Description |
|---|---|---|
| Rule | QRadar Audit: Payload deleted or modified | Detects when a command might modify log files. |
| Rule | QRadar Audit: Multiple Login Failures from the Same Source | Detects repeated authentication failures from the same source IP address on the QRadar web interface or the CLI. |
| Rule | QRadar Audit: Potential sensitive file modification | Detects when a sensitive file is accessed with a text editor, or is moved or removed through the QRadar CLI. Edit this rule to monitor sensitive files and devices. |
| Rule | QRadar Audit: QRadar Hosts | Adds QRadar IP addresses to the QRadar Deployment – IP reference set. |
| Rule | QRadar Audit: Shared Account | Detects when there is a potential shared account that is connected to QRadar. Add QRadar IP addresses to the QRadar Deployment – IP reference set to exclude them as source IP addresses. |
| Rule | QRadar Audit: QRadar Host Unavailable | Monitors the QRadar Managed hosts status. |
The following table shows the reports in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.0.0.
| Report Name | Search Name and Dependencies |
|---|---|
| QRadar Audit - Modifications overview | Saved Searches: SIEM Audit - Custom Rule Modification and SIEM Audit - Configuration Modification |
| QRadar Audit - User Authentication Activity | Saved Searches: SIEM Audit - Authentication Success by Username, SIEM Audit - Authentication Failure by Username, and SIEM Audit - User Authentication Activity |
| QRadar Audit - System warnings and errors | Saved Search: SIEM Audit - System Notifications |
| QRadar Audit - Searches Executed | Saved Searches: Audit - User Processing Activities and Audit - User Processing Activities through API. |
The following table shows the reference data in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.0.0.
| Type | Name | Description |
|---|---|---|
| Reference Set | QRadar Deployment | List of QRadar IP addresses, from SIEM Audit: QRadar Hosts. Used in SIEM Audit: Shared Account. This list also contains 127.0.0.1 by default, and the range assigned to apps (169.254.3.1 to 169.254.3.10). Edit this list as needed. |
The following table shows the saved searches in IBM Security QRadar Security Analytics Self Monitoring Content Extension 1.0.0.
| Name | Description |
|---|---|
| Audit - User Authentication Activity | This search shows the authentication events on the QRadar system (Web and SSH). |
| Audit - Authentication Success by Username | This search shows the authentication successes on the QRadar system (Web and SSH). |
| Audit - Authentication Failure by Username | This search shows the authentication failures on the QRadar system (Web and SSH). |
| Audit - Configuration Modification | This search shows the configuration updates that have been made on the QRadar system. |
| Audit - System Notifications | This search shows the warnings and errors on the QRadar system. |
| Audit - User Processing Activities | This search shows the searches executed by users. |
| Audit - User Processing Activities through API | This search shows the searches executed against /ariel/searches. |