IBM Support

QRadar Content Extension: Ready for IBM Security Intelligence - Threat Collection Rules

Question & Answer


Question

The 'Threat Collection Rules' extension adds baseline rule content for companies in the "Ready for IBM Security Intelligence" program, so that partners can create rules that leverage information from threat data feeds or online content collections.

Answer

The QRadar Ready for IBM Security Intelligence (RFISI) Threat Collection Rules extension adds six new rules to the Threats rule group. The extension enhances QRadar's base rule set with rules that collect data from threat feeds into reference sets, which other rules can then leverage. For more information, see the IBM Ready for Security Intelligence page: https://ibm.biz/rfisi_threat_intel.

Before you begin

This extension is intended for members of the Ready for IBM Security Intelligence partner program. To find these rules in QRadar, administrators can search the rules interface for the term 'RFISI', or sort rules by category and review the rules in the 'Threat' group.


Rules added by the RFISI Threat extension

Rule name, followed by its description:

RFISI: Internal Communication with a Malware URL
    Adds URLs from content collections to a Malware URLs reference set.
RFISI: Internal Connection to Address Hosting Malware
    Adds the destination IP address from content collections to a Malware IPs reference set.
RFISI: Internal Connection with Botnet Command and Control
    Adds the destination IP address from content collections to a Botnet C&C IPs reference set.
RFISI: Internal Hosts Communicating with Anonymizer Host
    Adds the destination IP address from content collections to an Anonymizer IPs reference set.
RFISI: Mail Server Sending Mail to SPAM Servers
    Adds the source IP address from content collections to a Spam Senders IPs reference set, and compares source IP values to the BB:Mail Servers building block and a Mail Server IPs reference set.
RFISI: Phishing Email sent to Internal Mail Server
    Adds the source IP address from content collections to a Phishing Senders IPs reference set, and compares source IP values to the BB:Mail Servers building block and a Mail Server IPs reference set.
 

Installing a QRadar Extension

The Extension Management window in QRadar is used to add applications and content to your deployment, either to improve functionality or to add customized content. Extensions can contain content such as rules, reports, searches, reference sets, and dashboards, or they can install applications that deliver specific new functionality to QRadar. The table above outlines the content that this extension adds to QRadar.

Procedure

  1. Log in to the QRadar Console as an administrator. If you have not downloaded the extension yet, you can download it from http://apps.xforce.ibmcloud.com/.

  2. Click the Admin tab.

  3. Click the Extension Management icon.

  4. To upload an extension, click Add and select the extension to upload.
     Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.

  5. To install the extension immediately, select the Install immediately check box and then click Add.

  6. A preview of the extension content is displayed. You can choose how existing content items are handled.

  7. To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions and click More Details.

  8. Before the extension is installed, its content items are compared to the content items that are already in the deployment. If a content item already exists, you can choose to overwrite it or to keep the existing data.

    Results
    After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned, or that are signed by the developer but not validated by your vendor, might cause compatibility issues in your deployment. Before installing an extension that shows this warning, confirm that the zip you uploaded is the file you downloaded from http://apps.xforce.ibmcloud.com/.
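The same upload, preview and install sequence can be scripted against the QRadar REST API, which is useful when the extension has to be rolled out to several consoles. The script below is an added example, not IBM's code. The endpoint paths and response fields are assumptions about the extension_management API (upload returns {"id": ...}, a PREVIEW or INSTALL action returns {"status_id": ...}, and the task status endpoint reports "COMPLETED" when done) and should be checked against /api/help/endpoints on your console; the console URL, token and zip file are supplied by the caller, and the transport and sleep parameters exist so the sequence can be exercised offline.

```python
"""Upload, preview and install a QRadar extension zip through the REST API,
the scripted equivalent of the Extension Management steps above.

Added example; not IBM's code. Endpoint paths and response fields are
assumptions about the QRadar extension_management API: verify them against
/api/help/endpoints on your console before relying on this script.
"""
import json
import time
import urllib.parse
import urllib.request

BASE_PATH = "/api/config/extension_management"

def http_json(method, url, token, body=None, content_type="application/json"):
    """Send one authenticated request and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("SEC", token)  # API token from Admin > Authorized Services
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))

def upload_extension(console, token, zip_bytes, transport=http_json):
    """Upload the zip (the GUI's Add step); returns the new extension id (assumed field)."""
    url = console + BASE_PATH + "/extensions"
    return transport("POST", url, token, zip_bytes, "application/zip")["id"]

def start_action(console, token, ext_id, action, overwrite, transport=http_json):
    """Start PREVIEW or INSTALL; overwrite mirrors the 'overwrite or keep existing' choice."""
    if action not in ("PREVIEW", "INSTALL"):
        raise ValueError("action must be PREVIEW or INSTALL")
    query = urllib.parse.urlencode({"action_type": action, "overwrite": str(overwrite).lower()})
    url = f"{console}{BASE_PATH}/extensions/{ext_id}?{query}"
    return transport("POST", url, token)["status_id"]

def wait_for_task(console, token, status_id, transport=http_json, sleep=time.sleep, attempts=90):
    """Poll the asynchronous task; raise if it fails or never completes."""
    url = f"{console}{BASE_PATH}/extensions_task_status/{status_id}"
    for _ in range(attempts):
        task = transport("GET", url, token)
        status = task.get("status")
        if status == "COMPLETED":
            return task
        if status in ("EXCEPTION", "FAILED", "CANCELLED"):  # assumed failure states
            raise RuntimeError(f"extension task {status_id} ended with {status}: {task}")
        sleep(2)
    raise TimeoutError(f"extension task {status_id} did not complete")

def install_extension(console, token, zip_bytes, overwrite=False,
                      transport=http_json, sleep=time.sleep):
    """Upload, preview, then install. Returns the extension id and both task results."""
    ext_id = upload_extension(console, token, zip_bytes, transport)
    preview = wait_for_task(console, token,
                            start_action(console, token, ext_id, "PREVIEW", overwrite, transport),
                            transport, sleep)
    install = wait_for_task(console, token,
                            start_action(console, token, ext_id, "INSTALL", overwrite, transport),
                            transport, sleep)
    return {"extension_id": ext_id, "preview": preview, "install": install}

if __name__ == "__main__":
    import sys
    # usage: python install_ext.py https://qradar.example TOKEN extension.zip [overwrite]
    console, token, zip_path = sys.argv[1:4]
    with open(zip_path, "rb") as fh:
        result = install_extension(console, token, fh.read(), overwrite=len(sys.argv) > 4)
    print(json.dumps(result, indent=2))
```

In practice, inspect the preview task result before calling INSTALL, since it is the API counterpart of the More Details view that lists content conflicts; overwrite=False keeps existing rules and reference sets, which is the safer default when the deployment already carries customized versions of any item in the extension.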

Product: IBM Security QRadar SIEM (SSBQAC)
Component: Admin Console
Platform: Linux
Version: 7.2; 7.3
Line of Business: Security Software

Document Information

Modified date:
02 April 2020

UID

swg21986719