IBM Support

QRadar: Using the Threat Monitoring and the Sysmon Content extensions in multi-tenanted environments

Troubleshooting


Problem

Users who installed IBM-provided content packs and have multi-tenanted environments might need to modify the reference data collection in installed rules to work properly in their environment.

Symptom

In multi-tenanted QRadar installations, source and destination private IP addresses can be duplicated across tenants; the system differentiates them only by the tenant tag added to each payload.

This can lead to a scenario where the behavior of a 'tenant A' local IP address causes 'tenant B' to start generating incidents within QRadar. It can happen whenever hosts in both tenants use the same local IP address. When an IP is marked as compromised, only the IP is added to the 'Compromised Hosts' reference data set installed by default with the extensions; the tenant tag is not.
This reference set is then used as a fundamental part of another set of rules that can create new subsequent incidents originating from the IPs in the 'Compromised Hosts' reference set. If there is only a single tenant within QRadar, or every local IP address is unique, this implementation works as intended. If, in a multi-tenant environment, some local IP addresses are duplicated, the deny-listed private IPs of 'tenant A' can start generating incidents for hosts with the same private IPs within 'tenant B'. These incidents are false positives, because only the host within 'tenant A' is compromised and the other tenants remain unaffected.
The following rules generate entries within the 'Compromised Hosts' reference set (all are located in the 'IBM® QRadar® Sysmon Content' extension):
  • Excessive System Tools Usage from a Single Host
  • Suspicious Svchost Process
  • Process Launched from Unusual Directory
  • PsExec Process Masquerading
  • Potential Keylogger Detected
  • Rundll32 with qwerty Argument Usage
  • Mimikatz IMP Hash Observed
  • Malicious Service Installed
The following rules use the 'Compromised Hosts' reference set to evaluate new potential incidents (each is located in either the 'IBM Security QRadar Threat Monitoring Content' or the 'IBM® QRadar® Sysmon Content' extension):
  • Powershell Process Observed on a Compromised Host
  • Service Installed on a Compromised Host
  • Network Share Accessed from a Compromised Host
  • Powershell Process Observed on a Compromised Host
  • Successful Login From a Compromised Host
  • Excessive System Tools Usage from a Single Host
  • Scheduled Task Created on a Compromised Host
  • Successful Login From a Compromised Host
  • Service Installed on a Compromised Host
  • Administrative Share Accessed from a Compromised Host
  • SMB Traffic Permitted From a Compromised Host
  • Administrative Share Accessed from a Compromised Host
  • Network Share Added to a Compromised Host
  • Excessive Denied SMB Traffic From a Compromised Host
  • PsExec Process Observed on a Compromised Host
  • Excessive Network Share Access Failures from a Compromised Host
  • Network Share Accessed from a Compromised Host

Cause

The single Reference Set solution provided out of the box is designed for single tenant installations. A Reference Map of Sets is required for these rules to be effective in a multi-tenant environment.

Resolving The Problem

In a multi-tenant environment, the single Reference Set has to be replaced by a Reference Map of Sets, where each key is a tenant and each value is that tenant's own compromised host list:

< Tenant A, <compromised host list for tenant A> >
< Tenant B, <compromised host list for tenant B> >
etc.

Configure each rule to match the tenant ID and source or destination host against the entries in the reference map of sets.

This prevents a host that is compromised in the 'tenant A' environment from being treated as compromised in 'tenant B' when both tenants use the same private IP.
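The following example is added to illustrate the point above; it is not IBM's code and not part of the extensions. It models the two reference-data layouts the technote contrasts, the flat 'Compromised Hosts' reference set shipped with the extensions and a map of sets keyed by tenant, and replays a constructed sequence of events through a simplified marking rule and follow-on rule. The event fields, the mapping from event types to follow-on rule names, and the sample events are assumptions made for the demonstration.

```python
"""Added example (not IBM's code): compares a flat 'Compromised Hosts'
reference set with a tenant-keyed reference map of sets and shows why
the flat set produces cross-tenant false positives when private IPs
overlap. Events and the event-type to rule mapping are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Rules that add a host to 'Compromised Hosts' (taken from the technote's first list).
MARKING_RULES = {
    "Mimikatz IMP Hash Observed",
    "Malicious Service Installed",
    "PsExec Process Masquerading",
}

# Rules that consult 'Compromised Hosts' (a subset of the technote's second list).
# The event-type keys are an assumed simplification of the real rule tests.
FOLLOW_ON_RULES = {
    "powershell_process": "Powershell Process Observed on a Compromised Host",
    "successful_login": "Successful Login From a Compromised Host",
}


@dataclass(frozen=True)
class Event:
    tenant: str     # tenant tag QRadar attaches to each payload
    source_ip: str  # private IP, which may repeat across tenants
    kind: str       # a marking-rule name or a follow-on event type


class FlatReferenceSet:
    """Single-tenant layout installed by default: IPs only, tenant dropped."""

    def __init__(self):
        self.hosts = set()

    def mark(self, ev):
        self.hosts.add(ev.source_ip)

    def is_compromised(self, ev):
        return ev.source_ip in self.hosts


class TenantMapOfSets:
    """Multi-tenant layout recommended by the technote: tenant -> set of IPs."""

    def __init__(self):
        self.hosts = defaultdict(set)

    def mark(self, ev):
        self.hosts[ev.tenant].add(ev.source_ip)

    def is_compromised(self, ev):
        # The tenant ID is matched together with the host, so an IP marked
        # under tenant A never satisfies the test for tenant B.
        return ev.source_ip in self.hosts[ev.tenant]


def run_rules(events, store):
    """Replay events in order: marking rules populate the store, follow-on
    rules consult it. Returns (tenant, ip, rule) tuples for raised offenses."""
    offenses = []
    for ev in events:
        if ev.kind in MARKING_RULES:
            store.mark(ev)
        elif ev.kind in FOLLOW_ON_RULES and store.is_compromised(ev):
            offenses.append((ev.tenant, ev.source_ip, FOLLOW_ON_RULES[ev.kind]))
    return offenses


# Constructed sample: tenant A's 10.0.0.5 is genuinely compromised; tenant B
# has an unrelated, healthy host on the same private address.
SAMPLE_EVENTS = [
    Event("tenantA", "10.0.0.5", "Mimikatz IMP Hash Observed"),
    Event("tenantA", "10.0.0.5", "powershell_process"),
    Event("tenantB", "10.0.0.5", "powershell_process"),
    Event("tenantB", "10.0.0.7", "successful_login"),
]


def flat_offenses():
    """Offenses with the default single reference set (includes the false positive)."""
    return run_rules(SAMPLE_EVENTS, FlatReferenceSet())


def map_offenses():
    """Offenses with the tenant-keyed map of sets (tenant A only)."""
    return run_rules(SAMPLE_EVENTS, TenantMapOfSets())


if __name__ == "__main__":
    print("flat reference set:", flat_offenses())
    print("map of sets       :", map_offenses())
```

With the flat set, tenant B's 10.0.0.5 raises 'Powershell Process Observed on a Compromised Host' even though it was never marked; with the map of sets, only tenant A's host does. The same tenant-plus-host lookup is what each QRadar rule test needs to perform against the map of sets after the change described above.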

After any extension upgrade, you might need to modify the rules again from a single Reference Set to a Reference Map of Sets.

For easier management of the Reference Map of Sets, it is suggested to install the additional QRadar extension Reference Data Management.

Document Location

Worldwide


Document Information

Modified date:
01 February 2024

UID

ibm16988519